From mac3iii at gmail.com Wed Nov 1 01:10:45 2017
From: mac3iii at gmail.com (murphy)
Date: Tue, 31 Oct 2017 20:10:45 -0400
Subject: GnuPG public key vulnerability?
Message-ID: 

I got a signed notification from facebook (good signature, enigmail)
that claims my GnuPG generated public key has a "recently disclosed
vulnerability". This is the full text:

We have detected that the OpenPGP key on your Facebook profile may be
susceptible to attacks due to a recently disclosed vulnerability. We
recommend that you revoke and replace your public key immediately to
minimize the risk to your encrypted communications. You can update your
public key by visiting your Security and Login settings. To help reduce
the risk of your key being attacked, we have set the privacy of your
potentially vulnerable public key on your profile to "Only Me" to limit
further distribution. We will continue to encrypt your notification
emails using this OpenPGP public key.

This is doubly weird since the private/public key was generated on a
Yubikey-4 nano and it is safe at home. Does anyone know what this may
be about?

Facebook public key (it is valid, see:
https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/):

pub   rsa4096 2015-05-17 [SC] [expires: 2018-05-17]
      31A70953D8D590BA1FAB37762F3898CEDEE958CF
uid           [  full  ] Facebook, Inc.
sub   rsa4096 2017-07-24 [S] [expires: 2018-02-19]

My public key is uploaded to keyservers and is:

pub   rsa4096 2016-10-17 [SC] [expires: 2018-10-17]
      D89A29A3E1DA59DFBF516EA73E450D1BCF78C26B
uid           [ultimate] orange
uid           [ultimate] Murphy Chesney (facebook communication)
sub   rsa4096 2016-10-17 [A] [expires: 2018-10-17]
sub   rsa2048 2016-10-17 [E] [expires: 2018-10-17]

Murphy
From frase at frase.id.au Wed Nov 1 03:00:36 2017
From: frase at frase.id.au (Fraser Tweedale)
Date: Wed, 1 Nov 2017 12:00:36 +1000
Subject: GnuPG public key vulnerability?
In-Reply-To: 
References: 
Message-ID: <20171101020034.GG1295@bacardi.hollandpark.frase.id.au>

On Tue, Oct 31, 2017 at 08:10:45PM -0400, murphy wrote:
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability". This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability. We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications. You can update your
> public key by visiting your Security and Login settings. To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution. We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home. Does anyone know what this may
> be about?
>
Some versions of the YubiKey 4 were affected by the ROCA vulnerability,
which caused weak keys to be generated.

https://www.yubico.com/support/security-advisories/ysa-2017-01/
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

I would say that is what the email is about.

Cheers,
Fraser
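Fraser's reply points at ROCA. As an added example (not code from this thread, from Yubico or from the CROCS authors), the following Python implements the public-key fingerprint test described in the cited paper: a modulus produced by the affected generator has, modulo every small prime p, a residue that is a power of 65537 mod p, which a sound generator matches only with negligible probability. It only flags keys, it does not factor anything; the modulus n is assumed to be already extracted as an integer, and the moduli it is run on here are constructed.

```python
"""ROCA fingerprint test for RSA public moduli (detection only)."""
from math import prod

# Small primes the fingerprint is checked against: the first 38 odd
# primes, up to 167 (the range the published ROCA detector tests).
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
          67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
          137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537   # the base the affected key generator raises to a secret power
M = prod(PRIMES)    # primorial of PRIMES, used here only to build test moduli


def subgroup(g, p):
    """Elements of the cyclic subgroup generated by g in (Z/pZ)*."""
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = x * g % p
    return elems


# For each prime p, the residues an affected modulus may have mod p.
SUBGROUPS = {p: subgroup(GENERATOR % p, p) for p in PRIMES}


def has_roca_fingerprint(n):
    """True if n mod p lies in <65537> for every p in PRIMES.

    An affected modulus is a product of primes of the form
    k*M' + (65537^a mod M') for a primorial M', so n mod p is always a
    power of 65537 mod p. A modulus from a sound generator fails this for
    some p with overwhelming probability (see false_positive_rate()).
    """
    return all(n % p in SUBGROUPS[p] for p in PRIMES)


def false_positive_rate():
    """Fraction of random moduli (coprime to all PRIMES) that would pass."""
    rate = 1.0
    for p in PRIMES:
        rate *= len(SUBGROUPS[p]) / (p - 1)
    return rate


def roca_like_modulus(a, b, k1, k2):
    """Constructed sample reproducing the affected residue structure.

    NOT a real key: the two factors are not checked for primality and M is
    far smaller than a real generator's primorial; only the residues mod
    PRIMES, which is all the fingerprint looks at, are realistic.
    """
    p = pow(GENERATOR, a, M) + k1 * M
    q = pow(GENERATOR, b, M) + k2 * M
    return p * q


if __name__ == "__main__":
    # Constructed inputs: one with the affected structure, one without.
    suspect = roca_like_modulus(12345, 6789, 3, 5)
    print("constructed ROCA-like modulus flagged:", has_roca_fingerprint(suspect))
    print("2^64+1 flagged:", has_roca_fingerprint(2 ** 64 + 1))
    print("false positive rate per random modulus: %.3g" % false_positive_rate())
```

A flagged primary key or subkey should be revoked and replaced, as the Facebook notice says; a key generated off-card and imported onto a YubiKey, as David Shaw notes below, will not carry this structure.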
From fulanoperez at cryptolab.net Wed Nov 1 05:34:43 2017
From: fulanoperez at cryptolab.net (Fulano Diego Perez)
Date: Wed, 1 Nov 2017 15:34:43 +1100
Subject: permission denied searching keys WAS: [gpg 2.2.x devuan jessie no TOFU TLS]
In-Reply-To: <417718a0-a866-9fc0-0057-efb93b15d435@cryptolab.net>
References: <7bd82df4-b18c-8734-3251-bbb7eaba2bf4@cryptolab.net> <87mv4c4zgt.fsf@wheatstone.g10code.de> <417718a0-a866-9fc0-0057-efb93b15d435@cryptolab.net>
Message-ID: 

later:

I'm not sure what to do now. Most functionality seems OK except for
searching/importing keys from keyservers. I can see my local pub/pri
keyrings.

Fulano Diego Perez:
>
>
> Werner Koch:
>> On Thu, 26 Oct 2017 16:00, fulanoperez at cryptolab.net said:
>>
>>> checking for LIBGNUTLS... no
>>
>> The minimal requirement is GNUTLS 3.0 - please check that you have the
>> 3.x -dev package installed. You should also consult config.log to check
>> why GNUTLS was not found.
>>
>>
>> Salam-Shalom,
>>
>> Werner
>
> installing pkg-config found them !

$ gpg -vvv --keyserver jirk5u4osbsr34t5.onion --search-keys sexypgp
gpg: using character set 'utf-8'
gpg: error searching keyserver: Operation not permitted
gpg: keyserver search failed: Operation not permitted

$ gpgconf --check-programs
gpg:OpenPGP:/usr/local/bin/gpg:1:1:
gpg-agent:Private Keys:/usr/local/bin/gpg-agent:1:1:
scdaemon:Smartcards:/usr/local/libexec/scdaemon:1:1:
gpgsm:S/MIME:/usr/local/bin/gpgsm:1:1:
dirmngr:Network:/usr/local/bin/dirmngr:1:1:
pinentry:Passphrase Entry:/usr/local/bin/pinentry:1:1:

$ ls -la /usr/local/bin/
dirmngr.conf:

use-tor
keyserver hkp://jirk5u4osbsr34t5.onion
any advice to proceed ?

From gnupg at jmillican.co.uk Wed Nov 1 04:05:17 2017
From: gnupg at jmillican.co.uk (Jonathan Millican)
Date: Wed, 1 Nov 2017 03:05:17 +0000
Subject: GnuPG public key vulnerability?
In-Reply-To: 
References: 
Message-ID: 

Hi Murphy,

This email refers to the ROCA vulnerability
(https://crocs.fi.muni.cz/public/papers/rsa_ccs17), which affects a
number of hardware devices including some versions of the Yubikey 4-nano
(https://www.yubico.com/keycheck/). I believe Yubico are offering to
replace affected Yubikeys.

One aspect of this vulnerability is that RSA public keys can be very
easily checked to determine if they are vulnerable - so at Facebook, we
checked the public keys that have been uploaded to people's profiles,
and notified people whose keys are affected. Unfortunately it seems like
you were one of the unlucky ones! Details here:
https://www.facebook.com/protectthegraph/posts/1954548564785285.

Hope that helps,
Jon

On 1 November 2017 at 00:10, murphy wrote:
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability". This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability. We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications. You can update your
> public key by visiting your Security and Login settings. To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution. We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home. Does anyone know what this may
> be about?
>
> Facebook public key (it is valid, see:
> https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/):
>
> pub   rsa4096 2015-05-17 [SC] [expires: 2018-05-17]
>       31A70953D8D590BA1FAB37762F3898CEDEE958CF
> uid           [  full  ] Facebook, Inc.
> sub   rsa4096 2017-07-24 [S] [expires: 2018-02-19]
>
> My public key is uploaded to keyservers and is:
>
> pub   rsa4096 2016-10-17 [SC] [expires: 2018-10-17]
>       D89A29A3E1DA59DFBF516EA73E450D1BCF78C26B
> uid           [ultimate] orange
> uid           [ultimate] Murphy Chesney (facebook communication)
>
> sub   rsa4096 2016-10-17 [A] [expires: 2018-10-17]
> sub   rsa2048 2016-10-17 [E] [expires: 2018-10-17]
>
> Murphy

From fulanoperez at cryptolab.net Wed Nov 1 05:46:16 2017
From: fulanoperez at cryptolab.net (Fulano Diego Perez)
Date: Wed, 1 Nov 2017 15:46:16 +1100
Subject: devuan jessie gpg 2.2.x thunderbird/apparmor/enigmail rules
Message-ID: <278504ce-d74d-dc08-fa7c-e141b3b8a017@cryptolab.net>

Any suggestions to complete apparmor rules to enable all functionality
for a /usr/local gpg install with thunderbird/gpg/enigmail?

Currently the appended rules below to the default thunderbird profile
allow mostly all functionality, except I cannot enable the commented out
rules, otherwise enigmail does not detect gnupg and fails to start. As
soon as I comment out, enigmail fails...
I think my previous email with problems with dirmngr could be related,
and if those are debugged, could help here.

Below allows most thunderbird/enigmail functionality except importing
keyserver keys.

/etc/apparmor.d/local/usr.bin.thunderbird:

/usr/local/bin/gpg Cx -> gpg,
/usr/local/bin/gpg-error Cx -> gpg,
#/usr/local/bin/dirmngr Cx -> gpg,
/usr/local/bin/gpg-agent Cx -> gpg,
/usr/local/bin/gpgconf Cx -> gpg,
/usr/local/bin/gpg-connect-agent Cx -> gpg,

#/proc/**/fd/ r,

owner @{HOME}/.gnupg/tofu.db rwk,
#owner @{HOME}/.gnupg/tofu.db-journal rwk,

/usr/local/bin/gpg mr,
/usr/local/bin/gpg-error mr,
#/usr/local/bin/dirmngr mr,
/usr/local/bin/gpg-agent mr,
/usr/local/bin/gpgconf mr,
/usr/local/bin/gpg-connect-agent mr,
/usr/lib/gnupg/gpgkeys_* ix,
/usr/local/lib/** mr,

This profile still logs the possible problems below:

[51155.130813] audit: type=1400 audit(1509507779.968:128572837): apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51155.139191] audit: type=1400 audit(1509507779.976:128572838): apparmor="DENIED" operation="mknod" profile="thunderbird//gpg" name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51161.198110] audit: type=1400 audit(1509507786.040:128572839): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/proc/20077/fd/" pid=20077 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[51161.198390] audit: type=1400 audit(1509507786.040:128572840): apparmor="DENIED" operation="exec" profile="thunderbird//gpg" name="/usr/local/bin/dirmngr" pid=20077 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[51177.540706] audit: type=1400 audit(1509507802.392:128572841): apparmor="DENIED" operation="open" profile="thunderbird//gpg" name="/proc/20080/fd/" pid=20080 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[51177.541002] audit: type=1400 audit(1509507802.392:128572842): apparmor="DENIED" operation="exec" profile="thunderbird//gpg" name="/usr/local/bin/dirmngr" pid=20080 comm="gpg" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

From dshaw at jabberwocky.com Wed Nov 1 04:29:24 2017
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 31 Oct 2017 23:29:24 -0400
Subject: GnuPG public key vulnerability?
In-Reply-To: 
References: 
Message-ID: <59E0B283-D1CA-47E0-9E35-BA0F50C5514F@jabberwocky.com>

On Oct 31, 2017, at 8:10 PM, murphy wrote:
>
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability". This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability. We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications. You can update your
> public key by visiting your Security and Login settings. To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution. We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home. Does anyone know what this may
> be about?

Yes. Recently, a flaw in the firmware for some Infineon hardware crypto
was found. RSA keys that were generated with this faulty firmware are
not nearly as strong as their key length would imply.

You mention a Yubikey 4 nano, and unfortunately, that is one of the
devices that used Infineon components.

In the case of a Yubikey and OpenPGP, if you generate the key *on* a
vulnerable Yubikey, you may have a problem.
If you generate the OpenPGP key elsewhere and *import* the key to your
Yubikey, you are not affected.

The Yubico people have a site up to check your device serial number to
see if it is vulnerable and are offering a replacement program. See
https://www.yubico.com/keycheck/

There has been some discussion of the implications of this vulnerability
on this list. Search the list archives for "ROCA" to see more. The
original paper is at https://crocs.fi.muni.cz/public/papers/rsa_ccs17

David

From johan.ho at gmail.com Wed Nov 1 10:52:43 2017
From: johan.ho at gmail.com (Johan Ho)
Date: Wed, 1 Nov 2017 10:52:43 +0100
Subject: cryptnet.net (which hosts "GnuPG Keysigning Party HOWTO") down?
Message-ID: <5c717194-66f5-a003-aabe-b44ae01d3766@gmail.com>

I tried to look up the "keysigning party howto" on the GnuPG website
(https://gnupg.org/documentation/howtos.html), but apparently
www.cryptnet.net is down (ERR_CONNECTION_REFUSED) so most of the
language links there don't work.

I tried a few days ago and today, but it still doesn't work.

Anyone know the status of that server and whether it might get fixed?

Johan Ho

From kloecker at kde.org Wed Nov 1 22:37:44 2017
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 01 Nov 2017 22:37:44 +0100
Subject: cryptnet.net (which hosts "GnuPG Keysigning Party HOWTO") down?
In-Reply-To: <5c717194-66f5-a003-aabe-b44ae01d3766@gmail.com>
References: <5c717194-66f5-a003-aabe-b44ae01d3766@gmail.com>
Message-ID: <2228562.iyPU8pELWJ@thufir>

On Wednesday, 1 November 2017 10:52:43 CET Johan Ho wrote:
> I tried to look up the "keysigning party howto" on the GnuPG website
> (https://gnupg.org/documentation/howtos.html), but apparently
> www.cryptnet.net is down (ERR_CONNECTION_REFUSED) so most of the
> language links there don't work.
>
> I tried a few days ago and today, but it still doesn't work.
Luckily, there's archive.org and it has archived the howto:
https://web.archive.org/web/*/www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Regards,
Ingo

From ramsdenj at riseup.net Thu Nov 2 03:55:07 2017
From: ramsdenj at riseup.net (John Ramsden)
Date: Wed, 01 Nov 2017 19:55:07 -0700
Subject: GPG Subkey decryption
Message-ID: <1509591307.4120812.1158843272.2D704309@riseup.net>

I think I may be misunderstanding how I'm supposed to be decrypting with
a subkey. From what I thought, the public key should be the same on a
subkey as it is on a primary key. I see the same public key when I list
them on my machine which stores the primary key and the machine that
stores the subkey.

I want to send a message to the public key and be able to decrypt it on
any machine where I have any subkey of the primary key. I'm encrypting
from my primary key and using my public key from the same key as the
recipient. Do I have to define multiple recipients based on all the
subkeys? If so where do I find the public key for these subkeys that are
supposed to be the recipient?

When I'm on the machine that holds the sub key and I attempt to decrypt
I get the message:

> gpg: decryption failed: No secret key

--
John

From thomas at glanzmann.de Thu Nov 2 14:41:23 2017
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Thu, 2 Nov 2017 14:41:23 +0100
Subject: Decrypt RSA encrypted secret by using gpg authentication key stored on yubikey
Message-ID: <20171102134123.GA4753@glanzmann.de>

Hello,
I have a yubikey that I use as gpg smartcard. On that yubikey I have an
authentication subkey. I uploaded the pubkey to AWS cloud. When I create
a Windows instance they use that pubkey to encrypt a password using RSA
to my privkey. Since my privkey is stored on the smartcard, I can't use
openssl to decrypt it.
So I'm looking for the equivalent of:

base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

Only that my key is not on the file system but the authentication key
stored on my gpg card.

Cheers,
        Thomas

References:
https://docs.aws.amazon.com/cli/latest/reference/ec2/get-password-data.html#examples
https://serverfault.com/questions/603984/windows-password-wont-decrypt-on-aws-ec2-even-with-the-correct-private-key

From psusi at ubuntu.com Thu Nov 2 16:58:08 2017
From: psusi at ubuntu.com (Phil Susi)
Date: Thu, 2 Nov 2017 11:58:08 -0400
Subject: Why does import refuse to merge a new subkey?
Message-ID: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>

Whenever my subkeys expire and I have to generate a new one, I try to
import the keys on my less secure machines and gpg stupidly refuses to
update the already existing key with the new subkey. I have to delete
the key, then import to get the new subkey into the keyring. Why is
this?

From rehevkor5 at gmail.com Thu Nov 2 18:56:21 2017
From: rehevkor5 at gmail.com (Shannon C)
Date: Thu, 2 Nov 2017 12:56:21 -0500
Subject: GnuPG public key vulnerability?
Message-ID: 

> so at Facebook, we checked
> the public keys that have been uploaded to people's profiles, and notified
> people whose keys are affected

Jon, FYI your detection logic seems a bit overzealous, because (last
time I checked) it detects revoked ROCA-vulnerable subkeys as making the
whole public key unacceptable, even if the private key is not affected
by ROCA. According to the responses on this thread
https://lists.gnupg.org/pipermail/gnupg-users/2017-October/059417.html
ROCA-affected subkeys have no effect on the validity of the private key
or other subkeys, so if they're revoked everything should be ok.

Rejecting public keys in this way is problematic for two reasons I can
think of:

1. It confuses people because it implies that there's something wrong
   with your whole key even though the problem is only with a subkey.
   And it implies that revoking the subkey doesn't solve the problem.
2. It will force people to do extra work to remove their subkeys before
   exporting their public key for upload to Facebook. This is annoying
   to do and might lead to people deleting their subkeys from their
   local keyring permanently, which is probably a bad idea.

I'm not certain, but I think keybase might be getting this wrong too.

-Shannon

From peter at digitalbrains.com Thu Nov 2 20:04:31 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 2 Nov 2017 20:04:31 +0100
Subject: Why does import refuse to merge a new subkey?
In-Reply-To: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>
References: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>
Message-ID: <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>

On 02/11/17 16:58, Phil Susi wrote:
> Why is this?

What version of GnuPG is this? It's a well-known limitation of GnuPG 1.4
and 2.0, but my 2.1.18 allows me to add secret subkeys through --import.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From psusi at ubuntu.com Thu Nov 2 20:37:08 2017
From: psusi at ubuntu.com (Phil Susi)
Date: Thu, 2 Nov 2017 15:37:08 -0400
Subject: Why does import refuse to merge a new subkey?
In-Reply-To: <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>
References: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com> <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>
Message-ID: <4a527e99-68b4-aad1-eb46-9d4fc6aa3781@ubuntu.com>

On 11/2/2017 3:04 PM, Peter Lebbing wrote:
> On 02/11/17 16:58, Phil Susi wrote:
>> Why is this?
>
> What version of GnuPG is this?
> It's a well-known limitation of GnuPG 1.4
> and 2.0, but my 2.1.18 allows me to add secret subkeys through --import.

Looks like I've still got 1.4.20 on one machine ( when I usually forget
to run gpg2 instead of just gpg ) but 2.0.28 on another also did it I'm
pretty sure. I guess I'll try again and make sure to use a recent gpg2.

From peter at digitalbrains.com Thu Nov 2 20:46:29 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 2 Nov 2017 20:46:29 +0100
Subject: Why does import refuse to merge a new subkey?
In-Reply-To: <4a527e99-68b4-aad1-eb46-9d4fc6aa3781@ubuntu.com>
References: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com> <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com> <4a527e99-68b4-aad1-eb46-9d4fc6aa3781@ubuntu.com>
Message-ID: <0cc28025-407d-dcc5-691f-2e97cec9e344@digitalbrains.com>

On 02/11/17 20:37, Phil Susi wrote:
> [..] but 2.0.28 on another also did it I'm pretty sure.

Yes, I'm pretty sure of that as well. 2.0 can't update secret keys; it
was introduced with 2.1 or somewhere during 2.1.

HTH,

Peter.
From 2017-r3sgs86x8e-lists-groups at riseup.net Fri Nov 3 01:16:48 2017
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Fri, 3 Nov 2017 00:16:48 +0000
Subject: GPG Subkey decryption
In-Reply-To: <1509591307.4120812.1158843272.2D704309@riseup.net>
References: <1509591307.4120812.1158843272.2D704309@riseup.net>
Message-ID: <797795066.20171103001648@my_localhost_LG>

On Thursday 2 November 2017 at 2:55:07 AM, in , John Ramsden wrote:-

> I think I may be misunderstanding how I'm supposed to be decrypting with
> a subkey. From what I thought, the public key should be the same on a
> subkey as it is on a primary key. I see the same public key when I list
> them on my machine which stores the primary key and the machine that
> stores the subkey.

You possibly mean you see the same user-id? The primary key is a public
key with a corresponding private key. Each subkey is a public key with a
corresponding private key. Each subkey is bound to the primary key by a
key binding signature.

> I want to send a message to the public key and be able to decrypt it on
> any machine where I have any subkey of the primary key. I'm encrypting
> from my primary key and using my public key from the same key as the
> recipient. Do I have to define multiple recipients based on all the
> subkeys? If so where do I find the public key for these subkeys that are
> supposed to be the recipient?

GnuPG usually encrypts to the newest available encryption-capable
subkey. Or to the primary key if it is encryption-capable and there are
no encryption-capable subkeys. If you wish to specify the primary key or
a specific subkey you can list as a recipient the (sub)key-id followed
by an exclamation mark. Something like

gpg -ear 0x1CAC08E8DEFAFDFE! -r 0xEAC88A2823F99DEC!
--
Best regards

MFPA

Hard work never killed anyone, but why take a risk?

From robbat2 at gentoo.org Fri Nov 3 06:20:21 2017
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Fri, 3 Nov 2017 05:20:21 +0000
Subject: Efficient batch fetching with verification?
Message-ID: 

What's a reasonably efficient way to fetch a lot of keys, by
fingerprint, from keyserver pools with HKPS?

Presently, the code is effectively this:
...cat-list-of-fingerprints... | xargs gpg --recv

This has the downside of causing many execs.

As an alternate, it was suggested that I could do manual HTTP fetches
for each of the fingerprints, then verify the keyserver returned only
the correct keys. This however, still runs into the problem of calling
gpg many times.
gpgme does an exec behind the scenes, for each call, so I'm wondering
what other solutions are out there.

Most useful would be feeding a list of fingerprints to --recv via a file
descriptor, or feeding entire commands to a long-running GPG instance
(but Assuan doesn't support RECV).

The Assuan part echoes a much older request of mine, that more
operations should be available via Assuan, to efficiently sign or verify
many files.

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2 at gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

From peter at digitalbrains.com Fri Nov 3 12:50:06 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 3 Nov 2017 12:50:06 +0100
Subject: Efficient batch fetching with verification?
In-Reply-To: 
References: 
Message-ID: <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>

On 03/11/17 06:20, Robin H. Johnson wrote:
> Presently, the code is effectively this:
> ...cat-list-of-fingerprints... | xargs gpg --recv
>
> This has the downside of causing many exec

I just tried this and a list of 1319 fingerprints caused one single call
to "gpg --recv FPR1 FPR2 FPR3 ... FPR1319". I don't understand why my
gpg is then doing trust database calculations every so many keys, so
what I ended up doing was:

$ cat list-of-fingerprints | xargs strace -ff -o gpgtrace -e trace=process gpg --no-auto-check-trustdb --recv

And this ran happily until killed by me, fetching and updating keys,
with just a single execve, no spawns.

Anyway, I didn't look any further, but what is exec'ing much here then?
Which version of GnuPG are you using? I'm using the Debian stretch
provided 2.1.18 with a systemd supervised dirmngr.
I can't readily think of which process would be starting often here...
am I completely forgetting about something? :-)

Peter.

From wk at gnupg.org Fri Nov 3 20:17:38 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 03 Nov 2017 20:17:38 +0100
Subject: Efficient batch fetching with verification?
In-Reply-To: (Robin H. Johnson's message of "Fri, 3 Nov 2017 05:20:21 +0000")
References: 
Message-ID: <87zi83rx2l.fsf@wheatstone.g10code.de>

On Fri, 3 Nov 2017 06:20, robbat2 at gentoo.org said:

> Presently, the code is effectively this:
> ...cat-list-of-fingerprints... | xargs gpg --recv
>
> This has the downside of causing many execs.

Right after a clean startup of your user session you will see these
execs:

1. xargs execs gpg
2. gpg execs gpg-agent
3. gpg execs dirmngr

If xargs needs to exec another gpg you won't see new execs for gpg-agent
or dirmngr. And the startup time of gpg can be neglected compared to
the latency of the keyservers.

Or may it be that you are using gpg 1.4 or 2.0? Those invoke keyserver
helpers and that may very well be one exec per supplied fingerprint.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From robbat2 at gentoo.org Fri Nov 3 21:06:13 2017
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Fri, 3 Nov 2017 20:06:13 +0000
Subject: Efficient batch fetching with verification?
In-Reply-To: <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>
References: <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>
Message-ID: 

On Fri, Nov 03, 2017 at 12:50:06PM +0100, Peter Lebbing wrote:
> On 03/11/17 06:20, Robin H. Johnson wrote:
> > Presently, the code is effectively this:
> > ...cat-list-of-fingerprints... | xargs gpg --recv
> >
> > This has the downside of causing many exec
...
> Anyway, I didn't look any further, but what is exec'ing much here then?
> Which version of GnuPG are you using? I'm using the Debian stretch
> provided 2.1.18 with a systemd supervised dirmngr. I can't readily think
> of which process would be starting often here... am I completely
> forgetting about something? :-)

You missed xargs itself; this mostly centers around the command-line
length limit. I can get in about ~3200 fingerprints per GPG call.

GnuPG 2.2.1, findutils/xargs 4.6.0.

Thanks for the idea of --no-auto-check-trustdb, I did miss that and it
helps for speedups.

From robbat2 at gentoo.org Sat Nov 4 06:06:59 2017
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Sat, 4 Nov 2017 05:06:59 +0000
Subject: Efficient batch fetching with verification?
In-Reply-To: <87zi83rx2l.fsf@wheatstone.g10code.de>
References: <87zi83rx2l.fsf@wheatstone.g10code.de>
Message-ID: 

On Fri, Nov 03, 2017 at 08:17:38PM +0100, Werner Koch wrote:
> On Fri, 3 Nov 2017 06:20, robbat2 at gentoo.org said:
>
> > Presently, the code is effectively this:
> > ...cat-list-of-fingerprints... | xargs gpg --recv
> >
> > This has the downside of causing many execs.
> > Right after a clean startup of your user session you will > see these execs: > > 1. xargs execs gpg > 2. gpg execs gpg-agent > 3. gpg execs dirmngr > > If xargs needs to exec another gpg you won't see new execs for gpg-agent > or dirmngr. And the startup time of gpg can be neglecated compared to > the latency of the keyservers. > > Or may it be that you are using gpg 1.4 or 2.0? Those invoke keyserver > helpers and that may very well be one exec per supplied fingerprint. Yes, the older versions do perform much worse, but even with gnupg2.2, each exec of gpg is still at least 100ms, which adds up over time. Part this may be having a huge keyring present (50k+ keys). -- Robin Hugh Johnson Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer E-Mail : robbat2 at gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1113 bytes Desc: Digital signature URL: From peter at digitalbrains.com Sat Nov 4 11:45:22 2017 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 4 Nov 2017 11:45:22 +0100 Subject: Efficent batch fetching with verification? In-Reply-To: References: <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com> Message-ID: On 03/11/17 21:06, Robin H. Johnson wrote: > You missed xargs itself, Actually, I did not :-). > this mostly centers around the command-line > length limit. I can get in about ~3200 fingerprints per GPG call. I asked "what is exec'ing much". I don't see one exec every 3200 fingerprints as overhead at all. In your other reply, you say the 100 ms exec overhead for these 3200 keyserver fetches is significant. But I see a lot of round trips to the keyserver; I didn't check the docs, but it must not be fetching many keys in every HKP request. Perhaps even just a single key per request. That is 3200 round trips to a remote server. 
And then the data will be checked: this means running expensive asymmetric crypto. So how long does this one gpg with 3200 key fetches run for you, as wall time, and as cpu time? TBH, I'm having a hard time believing the starting up of gpg.exe is relevant. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Sat Nov 4 19:15:47 2017 From: wk at gnupg.org (Werner Koch) Date: Sat, 04 Nov 2017 19:15:47 +0100 Subject: Efficent batch fetching with verification? In-Reply-To: (Robin H. Johnson's message of "Sat, 4 Nov 2017 05:06:59 +0000") References: <87zi83rx2l.fsf@wheatstone.g10code.de> Message-ID: <87d14xsyek.fsf@wheatstone.g10code.de> On Sat, 4 Nov 2017 06:06, robbat2 at gentoo.org said: > Yes, the older versions do perform much worse, but even with gnupg2.2, > each exec of gpg is still at least 100ms, which adds up over time. I doubt that, let's see: $ time sh -c 'seq 1 1 | xargs -n 1 gpg --version >/dev/null' real 0m0.010s user 0m0.004s sys 0m0.004s $ time sh -c 'seq 1 100 | xargs -n 1 gpg --version >/dev/null' real 0m0.361s user 0m0.068s sys 0m0.024s This is less than 4ms per exec. So you problem is for sure not the fork/exec. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... 
From seby2kt14 at gmail.com Sun Nov 5 02:15:14 2017
From: seby2kt14 at gmail.com (Seby)
Date: Sat, 4 Nov 2017 22:15:14 -0300
Subject: Cannot control GnuPG from shell (IPC parameter error)
Message-ID:

Hello,

I have a script that interacts with GnuPG in an automated / unattended way, but it cannot control the keyring. I keep getting this:

  gpg: key generation failed: IPC parameter error

I am running 2.3.0-beta82. I tried to search for this error and I could only find clues that lead to gpg-agent, but # gpg-agent --help doesn't allow me to disable it. What is the good approach here?

Thanks in advance.

From olalereabass at outlook.com Sat Nov 4 15:01:02 2017
From: olalereabass at outlook.com (olalereabass at outlook.com)
Date: Sat, 4 Nov 2017 14:01:02 +0000
Subject: Request for assistance
Message-ID:

Dear sir/ma,

I hereby humbly seek your assistance with respect to the file decryption. I installed GPG4WIN version 2.0.4 and the Open PGP certificate was successfully created with a 40-character fingerprint. "My Certificates" were also created. While attempting to use Kleopatra (which showed my certificate) to decrypt/verify a tgz.gpg file, it continually gave me results in the Decrypt/Verify Files window showing (1) All operations completed at 100% (2) Decryption failed.

Consequently, kindly bail me out to know what has gone wrong and the possible ways out to decrypt my files.

Thanks for your anticipated response.

Regards.
Olalere Abass

-- 
Sent from Outlook Email App for Android

From knaack.h at gmx.de Sun Nov 5 18:47:07 2017
From: knaack.h at gmx.de (Hartmut Knaack)
Date: Sun, 5 Nov 2017 18:47:07 +0100
Subject: gpg-agent/pinentry: How to verify calling application
In-Reply-To: <980c339a-5fde-7022-f51e-d6c00fedf6c9@gmx.de>
References: <980c339a-5fde-7022-f51e-d6c00fedf6c9@gmx.de>
Message-ID: <448944b6-b942-042d-1ea6-6a438652e933@gmx.de>

Hartmut Knaack wrote on 15.07.2017 16:02:
> Hi,
> on my machine running Linux and a recent KDE/Plasma, pinentry-qt
> occasionally starts right after logging in and asks for my passphrase.
> Is there any way to track down, which process asks gpg-agent for my private
> key? Preferably, I would like pinentry to inform, which process actually is
> the source of the key request.
> Thanks
>
> Hartmut
>

Hi,

I just wanted to report back on my issue. So, I actually ran the KWallet configuration program (kwalletmanager5) and found the main switch in the properties menu to disable KWallet in my user account. It has been some months now, and I have never been annoyed by a randomly popping up pinentry ever since.

Thanks for the help to guide me in the right direction.

Hartmut

From gniibe at fsij.org Mon Nov 6 00:56:37 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 06 Nov 2017 08:56:37 +0900
Subject: Cannot control GnuPG from shell (IPC parameter error)
In-Reply-To:
References:
Message-ID: <87wp342say.fsf@iwagami.gniibe.org>

Seby wrote:
> I am running 2.3.0-beta82. I tried to search for this error and I
> could only find clues that lead to gpg-agent, but # gpg-agent --help
> doesn't allow me to disable it. What is the good approach here?

Please update your installation.

IIUC, you are talking about (old version of) gpg4win, which is based on GnuPG 2.0.x, and you are trying to use new feature(s) of GnuPG 2.2, like ECC.
-- 

From seby2kt14 at gmail.com Mon Nov 6 01:39:43 2017
From: seby2kt14 at gmail.com (Seby)
Date: Sun, 5 Nov 2017 21:39:43 -0300
Subject: Cannot control GnuPG from shell (IPC parameter error)
In-Reply-To: <87wp342say.fsf@iwagami.gniibe.org>
References: <87wp342say.fsf@iwagami.gniibe.org>
Message-ID:

Hello,

"NIIBE Yutaka" wrote:
> Seby wrote:
> > I am running 2.3.0-beta82. I tried to search for this error and I
> > could only find clues that lead to gpg-agent, but # gpg-agent --help
> > doesn't allow me to disable it. What is the good approach here?
>
> Please update your installation.
>
> IIUC, you are talking about (old version of) gpg4win, which is based on
> GnuPG 2.0.x, and you are trying to use new feature(s) of GnuPG 2.2, like
> ECC.

I am running on linux (Debian) and I am on git master (2.3.0-beta82) and it complains:

  WARNING: server 'gpg-agent' is older than us (2.1.8 < 2.3.0-beta82)

And then:

  IPC parameter error.

When trying to pass a batch from shell.

I don't know if the warning causes the second fatal error but probably.

From seby2kt14 at gmail.com Mon Nov 6 01:59:04 2017
From: seby2kt14 at gmail.com (Seby)
Date: Mon, 6 Nov 2017 00:59:04 +0000
Subject: Cannot control GnuPG from shell (IPC parameter error)
In-Reply-To:
References: <87wp342say.fsf@iwagami.gniibe.org>
Message-ID:

Fixed the problem by killing the PID of gpg-agent and also by correcting a typo in my syntax that was having a permission problem. I am now 100% confident that the version mismatch warning between gpg-agent and gpg is just a warning, it was not the cause of the problem, the typo in the syntax bears the fault.

Thank you.

Seby wrote:
> Hello,
>
> "NIIBE Yutaka" wrote:
>
> Seby wrote:
>> I am running 2.3.0-beta82. I tried to search for this error and I
>> could only find clues that lead to gpg-agent, but # gpg-agent --help
>> doesn't allow me to disable it. What is the good approach here?
>
> Please update your installation.
>
> IIUC, you are talking about (old version of) gpg4win, which is based on
> GnuPG 2.0.x, and you are trying to use new feature(s) of GnuPG 2.2, like
> ECC.
>
>
> I am running on linux (Debian) and I am on git master (2.3.0-beta82) and it
> complains:
> WARNING: server 'gpg-agent' is older than us (2.1.8 < 2.3.0-beta82)
>
> And then:
> IPC parameter error.
>
> When trying to pass a batch from shell.
>
> I don't know if the warning causes the second fatal error but probably.

From ryan at splintermail.com Mon Nov 6 03:08:24 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Sun, 5 Nov 2017 20:08:24 -0600
Subject: Request for assistance
In-Reply-To:
References:
Message-ID:

Hi Olalere,

Three things:

1) Why are you using such an old version of GPG4WIN? Version 2.0.4 is from 2010...

2) What did Kleopatra say when the decryption failed? It should say, "Decryption Failed: xyz", where "xyz" is the reason. It is easier to help if you give the full failure message.

3) Also, you should check the recipient of the message. When you try to decrypt the file with Kleopatra, Kleopatra should say:

  Recipient: (40-character fingerprint)

and you should make sure that recipient is the same 40-character fingerprint for the certificate you created.

Ryan

On Sat, Nov 04, 2017 at 02:01:02PM +0000, olalereabass at outlook.com wrote:
> Dear sir/ma,
> I hereby humbly seek your assistance with respect to the file decryption.
> I installed GPG4WIN version 2.0.4 and the Open PGP certificate was
> successfully created with a 40-character fingerprint. "My Certificates" were also
> created. While attempting to use Kleopatra (which showed my certificate) to
> decrypt/verify a tgz.gpg file, it continually gave me results in the Decrypt/
> Verify Files window showing (1) All operations completed at 100% (2)
> Decryption failed.
> Consequently, kindly bail me out to know what has gone wrong and the possible
> ways out to decrypt my files.
> Thanks for your anticipated response.
> Regards.
> Olalere Abass
>
> --
> Sent from Outlook Email App for Android

From t at crp.to Mon Nov 6 16:28:28 2017
From: t at crp.to (Tim Steiner)
Date: Mon, 6 Nov 2017 15:28:28 +0000 (UTC)
Subject: New smart card / token alternative
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
Message-ID: <1247832004.2932812.1509982108841@mail.yahoo.com>

We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.

We set out to solve this problem - "Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

Tim Steiner
CISSP-ISSAP, C|EH, OSCP, PMP
Email: T at crp.to
CryptoTrust | crp.to

From vedaal at nym.hush.com Mon Nov 6 23:26:47 2017
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Mon, 06 Nov 2017 17:26:47 -0500
Subject: New smart card / token alternative
In-Reply-To: <1247832004.2932812.1509982108841@mail.yahoo.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com>
Message-ID: <20171106222647.85FF6E034E@smtp.hushmail.com>

On 11/6/2017 at 4:55 PM, "Tim Steiner" wrote:

\We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.
We set out to solve this problem - "Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

=====

Using this on anything except your own computer, or laptop, is problematic, as the 'host' computer can have a key-logger or screen capturer, and copy the decrypted plaintext, or the plaintext to be encrypted.

Can it be made to work with Tails/Tor, which uses GnuPG?

(The 'insecure' browser on Tails not involving Tor is a Firefox variant. If it can work on that, then booting from the Tails USB avoids a screen capturer, and using an on-screen keyboard avoids a hardware keyboard logger. But even so, there are problems with using it on an 'unknown' computer: https://tails.boum.org/doc/about/warning/index.en.html#index2h1

vedaal

From ssmeenk at freshdot.net Mon Nov 6 22:49:26 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Mon, 6 Nov 2017 22:49:26 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
Message-ID: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>

Hi!

Some time ago in March I was asking about the way the pinentry works and I have not yet been able to get this working properly.

I have this vim macro that automatically decrypts and encrypts files named .gpg. I use this in a terminal through SSH on my server and it basically pipes a buffer through 'gpg -qd' and 'gpg -ae'. Recently upgraded that server, and now this does not work anymore. GPG just exits stating 'No secret key' while running that exact command on the shell pops up the pinentry thingy and works fine.

Another situation (still) is my PC at work. It has my X session running mostly always. I access it through SSH too with the same user account and like to work there, but I can't do anything with GPG on a remotely connected shell to this machine: The pinentry will consistently pop up on the X display on that machine instead of the controlling tty (my ssh) requesting the decryption.

I've had varying success with exporting GPG_TTY and updatestartuptty, usually having to restart gpg-agent. To try and keep this workable I ended up wrapping gpg in a script that sets GPG_TTY, kills all gpg-agent, starts it, runs gpg... Then when a tool is not using the wrapper this results in pinentry plopping up on terminals where I did not expect them, but it is the terminal I last used the wrapper in.

It's rather cumbersome and very dodgy at least. How do others deal with this? Or is everyone using GPG solely in GUI environments nowadays? ;)

Any insights welcome! Sorry for the ranty mail. I'm a nice guy. Really.

Rgds,
Sndr.
-- 
| Rookworst zonder 'r' is ook worst!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

From ryan at splintermail.com Tue Nov 7 01:11:56 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Mon, 6 Nov 2017 18:11:56 -0600
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
Message-ID:

Hi Sander,

I also was frustrated with how GPG pinentry worked by default. In particular, I *almost* always want to use the ncurses pinentry, unless through a key shortcut my window manager tries to call gpg (for my password manager). But if I want to encrypt a file with mutt, I don't want a popup! I hate popups!

What I did was write a custom pinentry wrapper, which I call rpinentry. It just dispatches either the curses-based pinentry or a gui pinentry based on the environment variable PINENTRY_USER_DATA which is read by gpg and passed to the pinentry program, for jobs like this:

    #!/bin/sh
    # PINENTRY_USER_DATA is read by gpg and handed on to the pinentry program.
    # POSIX test uses a single '=' (dash, the /bin/sh on Debian, rejects '==').
    if [ "$PINENTRY_USER_DATA" = "terminal" ] ; then
        # always use the terminal if one is handy
        /usr/bin/pinentry-curses
    else
        # otherwise DISPLAY info is passed on command line, just forward it
        /usr/bin/pinentry-qt "$@"
    fi

Then in ~/.gnupg/gpg-agent.conf I set it to be my default pinentry program:

    pinentry-program /path/to/rpinentry

In my ~/.bashrc I have the following two lines:

    export PINENTRY_USER_DATA="terminal"
    export GPG_TTY=$(tty)

Then in the config file for my window manager, I have the equivalent of:

    export PINENTRY_USER_DATA=qt

So this covers all of my bases. If I do something that calls GPG from a terminal, I get a curses-based pinentry prompt, because each individual terminal has PINENTRY_USER_DATA set to "terminal" and GPG_TTY set properly as soon as it is opened, thanks to my ~/.bashrc. If my window manager does something which calls GPG (just my password manager, really), then when the window manager spawns gpg it passes PINENTRY_USER_DATA set to "qt" and I get a gui popup.

I think my setup might be almost a drop-in fix for your gpg-over-ssh issue, although you will have to figure out where to set the environment variable for your particular window manager.

Ryan

From seby2kt14 at gmail.com Tue Nov 7 00:12:16 2017
From: seby2kt14 at gmail.com (Seby)
Date: Mon, 6 Nov 2017 23:12:16 +0000
Subject: New smart card / token alternative
In-Reply-To:
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com>
Message-ID:

Hello,

"Tim Steiner" wrote:
> We have been working on a project to build a direct interface for PGP/GPG
> usage using U2F for web apps and browser extensions. This is similar to
> existing smart cards and tokens but no software install is required.
>
> We set out to solve this problem - "Man, I really wish I could read this
> PGP message, or send this message, or open this file, or sign this file,
> but I don't have my laptop with me"
>
> With this solution you can keep the key offline, carry it with you and it
> works even on a computer where you can't install software -
> https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo
>
> We are interested to hear feedback on this approach from the community.
>
> Tim Steiner
> CISSP-ISSAP, C|EH, OSCP, PMP
> Email: T at crp.to
> CryptoTrust | crp.to

Your product provides a false sense of security. Educating users that it is somehow safe is a terrible mistake. Telling users it is safe to plug in any computer and encrypt/decrypt stuff is a terrible idea.

How was your budget distributed? What hardware and firmware do you use? What security audit have you done?

Even if the things in the second paragraph are fixed, the first paragraph still stands.

From pkk at spth.de Tue Nov 7 08:29:57 2017
From: pkk at spth.de (Philipp Klaus Krause)
Date: Tue, 7 Nov 2017 08:29:57 +0100
Subject: New smart card / token alternative
In-Reply-To: <20171106222647.85FF6E034E@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com>
Message-ID:

On 06.11.2017 at 23:26, vedaal at nym.hush.com wrote:
>
>
> On 11/6/2017 at 4:55 PM, "Tim Steiner" wrote:
>
> \We have been working on a project to build a direct interface for
> PGP/GPG usage using U2F for web apps and browser extensions. This is
> similar to existing smart cards and tokens but no software install is
> required.
>
> We set out to solve this problem - "Man, I really wish I could read
> this PGP message, or send this message, or open this file, or sign
> this file, but I don't have my laptop with me"
>
> With this solution you can keep the key offline, carry it with you
> and it works even on a computer where you can't install software -
> https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo
>
> We are interested to hear feedback on this approach from the
> community.
>
> =====
>
> Using this on anything except your own computer, or laptop, is
> problematic, as the 'host' computer can have a key-logger or screen
> capturer, and copy the decrypted plaintext, or the plaintext to be
> encrypted.

I have often been in situations where I had access to a friend's computer, and you trust the friend and their computer skills enough to handle a message on their computer. A typical scenario might even be sending a signed message where the contents are intentionally known to that friend. While I tend to carry my laptop with me often, not everyone does.

Philipp

From wk at gnupg.org Tue Nov 7 11:45:31 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 Nov 2017 11:45:31 +0100
Subject: [Announce] GnuPG 2.2.2 released
Message-ID: <87375qmkok.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release: version 2.2.2. This is a maintenance release; see below for a list of fixed bugs.

About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. As a Universal Crypto Engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Noteworthy changes in version 2.2.2
===================================

 * gpg: Avoid duplicate key imports by concurrently running gpg processes. [#3446]
 * gpg: Fix creating on-disk subkey with on-card primary key. [#3280]
 * gpg: Fix validity retrieval for multiple keyrings. [Debian#878812]
 * gpg: Fix --dry-run and import option show-only for secret keys.
 * gpg: Print "sec" or "sbb" for secret keys with import option import-show. [#3431]
 * gpg: Make import less verbose. [#3397]
 * gpg: Add alias "Key-Grip" for parameter "Keygrip" and new parameter "Subkey-Grip" to unattended key generation. [#3478]
 * gpg: Improve "factory-reset" command for OpenPGP cards. [#3286]
 * gpg: Ease switching Gnuk tokens into ECC mode by using the magic keysize value 25519.
 * gpgsm: Fix --with-colon listing in crt records for fields > 12.
 * gpgsm: Do not expect X.509 keyids to be unique. [#1644]
 * agent: Fix stuck Pinentry when using --max-passphrase-days. [#3190]
 * agent: New option --s2k-count. [#3276 (workaround)]
 * dirmngr: Do not follow https-to-http redirects. [#3436]
 * dirmngr: Reduce default LDAP timeout from 100 to 15 seconds. [#3487]
 * gpgconf: Ignore non-installed components for commands --apply-profile and --apply-defaults. [#3313]
 * Add configure option --enable-werror. [#2423]

Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG 2.2.2 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.2.tar.bz2 (6394k)
  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.2.tar.bz2.sig

An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here:

  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.2_20171107.exe (3807k)
  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.2_20171107.exe.sig

The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix.

A new Gpg4win 3.0 installer featuring this version of GnuPG will be available soon. In the meantime you may install this version on top of an installed Gpg4win 3.0 version.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.2.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.2.tar.bz2.sig gnupg-2.2.2.tar.bz2

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.2.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.2.tar.bz2

   and check that the output matches the next line:

     efa00fc20295b1cafe467359107ea170258870e2  gnupg-2.2.2.tar.bz2
     19224023f5a7750743d042b0bfbd5e44fbc9aeb2  gnupg-w32-2.2.2_20171107.exe
     0bb69eb774f8c39b8092b5615a19e656bb681084  gnupg-w32-2.2.2_20171107.tar.xz

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing.

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available.

Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out .

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs one full-time developer and one contractor. Both work exclusively on GnuPG and closely related software like Libgcrypt, GPGME, and GPA.

We are planning to extend our team again. Right now we are looking for an admin for our bug tracker; see

We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and with financial support.

Happy hacking,

   Gniibe and Werner

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these five keys:

  2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key)

  rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
  Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
  Werner Koch (Release Signing Key)

  rsa3072/4B092E28 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
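The "Checking the Integrity" procedure above, carried through as an added shell example (not part of the announcement or of GnuPG): it does the step the announcement asks for but that people tend to skip, comparing the fingerprint of the key that made the good signature against the listed release signing keys, and it mirrors the sha1sum fallback. The fingerprints are the five keys from the announcement; the VALIDSIG field layout is gpg's --status-fd format.

```sh
#!/bin/sh
# Added example: verify a GnuPG release download the way the 2.2.2 announcement
# describes.  A "Good signature" line alone only says *some* key signed the
# file; the announcement asks you to match the fingerprint against the release
# signing keys, which is what check_validsig does.

# The five release signing keys listed in the announcement, spaces removed so
# they compare byte-for-byte with gpg's status output.
RELEASE_KEYS="
D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
46CC730865BB5C78EBABADCF04376F3EE0856959
031EC2536E580D8EA286A9F22071B08A33BD3F06
D238EA65D64C67ED4C3073F28A861B1C7EFD60D9
5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
"

# is_release_key FPR: 0 if FPR is exactly one of RELEASE_KEYS, else 1.
is_release_key() {
    [ -n "$1" ] || return 1
    for k in $RELEASE_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# check_validsig STATUS_TEXT
# STATUS_TEXT is the output of "gpg --status-fd 1 --verify SIG FILE".  gpg
# prints "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>" only for
# a good signature.  The first fingerprint may be a signing subkey; the last
# field is the primary key, which is what the announcement lists, so both are
# checked.  Returns 0 if a VALIDSIG line names a release key, 1 otherwise
# (no VALIDSIG at all, or a good signature from an unlisted key, both fail).
check_validsig() {
    fprs=$(printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF }')
    for f in $fprs; do
        is_release_key "$f" && return 0
    done
    return 1
}

# check_sha1 FILE EXPECTED_HEX: the "sha1sum gnupg-2.2.2.tar.bz2" fallback.
# This only catches a corrupted or substituted download relative to the
# announced value; it cannot replace the signature check above.
check_sha1() {
    actual=$(sha1sum "$1" | awk '{ print $1 }') || return 1   # or: shasum -a 1
    [ "$actual" = "$2" ]
}

# verify_release SIGFILE FILE: run gpg and apply the fingerprint check.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    check_validsig "$status"
}

# Usage: sh verify-release.sh gnupg-2.2.2.tar.bz2.sig gnupg-2.2.2.tar.bz2 \
#            efa00fc20295b1cafe467359107ea170258870e2
if [ "$#" -ge 2 ]; then
    if verify_release "$1" "$2"; then
        echo "signature made by a listed release signing key"
    else
        echo "NOT signed by a listed release signing key" >&2; exit 1
    fi
    if [ "$#" -ge 3 ]; then
        check_sha1 "$2" "$3" && echo "sha1 matches" ||
            { echo "sha1 MISMATCH" >&2; exit 1; }
    fi
fi
```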
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org Tue Nov 7 12:14:59 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 Nov 2017 12:14:59 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> (Sander Smeenk via Gnupg-users's message of "Mon, 6 Nov 2017 22:49:26 +0100")
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
Message-ID: <87d14ul4r0.fsf@wheatstone.g10code.de>

On Mon, 6 Nov 2017 22:49, gnupg-users at gnupg.org said:

> It's rather cumbersome and very dodgy at least. How do others deal with
> this? Or is everyone using GPG solely in GUI environments nowadays? ;)

If I want to test the curses Pinentry I simply run

  DISPLAY= gpg ...

and get the curses pinentry even when using an xterm (which is my usual environment). For example you could start mutt the same way

  DISPLAY= mutt

and you get the curses. Drawback is that you won't get an image viewer either. Instead of using the envvar you could also invoke gpg like

  gpg --display=none ....

which sets the display to none and pinentry will fall back to curses. Using "none" is not really correct but --display requires an option and does not like an empty string.

It is also possible to write a pinentry which depends on the actual program invoking gpg: gpg-agent tells pinentry the pid of the process invoking gpg; e.g.

  OPTION owner=9798 wheatstone

The current development version of Pinentry uses this info on Linux to show the process name in the titlebar.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
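The "OPTION owner=" line Werner describes is also the answer to Hartmut's earlier question in this digest (which process asks gpg-agent for the private key). The following is an added example, not code from the thread or from Pinentry: a small pinentry proxy that logs the owner pid and its command name as the line goes by, then hands everything to the real pinentry. It assumes the value format "<pid>[/<tid>] [<hostname>]" (Werner's message shows only "pid hostname"; the optional thread id is an assumption), that the real pinentry is pinentry-curses, and that the script is installed under the name pinentry-log.

```sh
#!/bin/sh
# Added example (hypothetical wrapper, not part of GnuPG or Pinentry).
# gpg-agent sends the invoking process to pinentry as an Assuan option, e.g.
#   OPTION owner=9798 wheatstone
# Installed as ~/bin/pinentry-log with, in gpg-agent.conf,
#   pinentry-program /home/you/bin/pinentry-log
# it records "<time> owner pid=<pid> comm=<name>" per prompt, so the log tells
# you afterwards which program triggered a passphrase request.  The proxy body
# only runs when invoked under that name, so the functions can be tested alone.

REAL_PINENTRY=${REAL_PINENTRY:-/usr/bin/pinentry-curses}   # assumed path
LOGFILE=${PINENTRY_OWNER_LOG:-"$HOME/.gnupg/pinentry-owner.log"}

# owner_pid LINE: print the pid carried by an "OPTION owner=..." line and
# return 0; return 1 (printing nothing) for any other line or a malformed pid.
# Assumed value format: "<pid>[/<tid>] [<hostname>]".
owner_pid() {
    case "$1" in
        "OPTION owner="*) ;;
        *) return 1 ;;
    esac
    v=${1#OPTION owner=}          # "9798 wheatstone" or "9798/9801 wheatstone"
    v=${v%% *}                    # drop the hostname
    v=${v%%/*}                    # drop a thread id, if present
    case "$v" in
        ''|*[!0-9]*) return 1 ;;  # not a number: refuse rather than guess
    esac
    printf '%s\n' "$v"
}

# proc_name PID: command name of a live process, or "gone" if it already
# exited (or ps is unavailable) by the time the prompt appears.
proc_name() {
    name=$(ps -o comm= -p "$1" 2>/dev/null)
    printf '%s\n' "${name:-gone}"
}

# relay: copy gpg-agent's Assuan request lines from stdin to stdout unchanged,
# appending a log line when the owner option passes through.
relay() {
    while IFS= read -r line; do
        if pid=$(owner_pid "$line"); then
            printf '%s owner pid=%s comm=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
                "$pid" "$(proc_name "$pid")" >>"$LOGFILE"
        fi
        printf '%s\n' "$line"
    done
}

case "$(basename -- "$0")" in
    pinentry-log)
        # Replies from the real pinentry go straight back to gpg-agent on our
        # stdout; only the request direction passes through relay().  Command
        # line arguments (e.g. --display) are forwarded untouched.
        relay | exec "$REAL_PINENTRY" "$@"
        ;;
esac
```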
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From ssmeenk at freshdot.net Tue Nov 7 14:42:35 2017 From: ssmeenk at freshdot.net (Sander Smeenk) Date: Tue, 7 Nov 2017 14:42:35 +0100 Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> Message-ID: <20171107134235.fey372sbiggnhjv2@dot.freshdot.net> Quoting Ryan Beethe (ryan at splintermail.com): > I think my setup might be almost a drop-in fix for your gpg-over-ssh > issue, although you will have to figure out where to set the > environment variable for your particular window manager. Thanks for your tips and tricks. It's the less bodgy version of the "wrapper" i wrote. I've adapted them to my system and it seems this is actually working for the remote-ssh-on-a-system-running-X issue. However; i still can't use 'gpg -qd' in vim like so: | augroup GPGEncrypted | au! | au BufReadPre,FileReadPre *.asc,*.gpg set viminfo= | au BufReadPre,FileReadPre *.asc,*.gpg set noswapfile | au BufReadPre,FileReadPre *.asc,*.gpg set bin | au BufReadPre,FileReadPre *.asc,*.gpg let ch_save = &ch|set ch=2 | au BufReadPost,FileReadPost *.asc,*.gpg '[,']!gpg -qd 2> /dev/null | au BufReadPost,FileReadPost *.asc,*.gpg set nobin | au BufReadPost,FileReadPost *.asc,*.gpg let &ch = ch_save|unlet ch_save | au BufReadPost,FileReadPost *.asc,*.gpg execute ":doautocmd BufReadPost " . expand("%:r") | au BufReadPost,FileReadPost *.asc,*.gpg set ff=unix | au BufWritePre,FileWritePre *.asc,*.gpg '[,']!gpg -ae 2>/dev/null | au BufWritePost,FileWritePost *.asc,*.gpg u | augroup END It seems pinentry(-curses) doesn't want to start from within vim. Do you also have any brilliant ideas there? Rgds, Sndr. -- | Cat, n.: Lapwarmer with built-in buzzer. 
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

From ssmeenk at freshdot.net Tue Nov 7 14:45:56 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Tue, 7 Nov 2017 14:45:56 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <87d14ul4r0.fsf@wheatstone.g10code.de>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <87d14ul4r0.fsf@wheatstone.g10code.de>
Message-ID: <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>

Quoting Werner Koch (wk at gnupg.org):
> > It's rather cumbersome and very dodgy at least. How do others deal with
> > this? Or is everyone using GPG solely in GUI environments nowadays? ;)
> The current development version of Pinentry uses this info on Linux to
> show the process name in the titlebar.

Thanks for your insights and continued efforts to keep our data safe!

Could you elaborate on the 'why' part of this enforced pinentry usage with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

Where did that come from?
What problem did it solve?

Thanks again,
-Sndr.
-- 
| Bakers trade bread recipes on a knead to know basis.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
From listofactor at mail.ru Tue Nov 7 15:58:49 2017
From: listofactor at mail.ru (listo factor)
Date: Tue, 7 Nov 2017 14:58:49 +0000
Subject: New smart card / token alternative
In-Reply-To: <20171106222647.85FF6E034E@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com>
Message-ID: <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>

On 11/06/2017 10:26 PM, vedaal at nym.hush.com wrote:
>
> On 11/6/2017 at 4:55 PM, "Tim Steiner" wrote:
>
> With this solution you can keep the key offline, carry it with you and it
> works even on a computer where you can't install software...
>
> We are interested to hear feedback on this approach from the community.
>
>> =====
>>
>> Using this on anything except your own computer, or laptop, is problematic...

=====

This is a mantra from another, more gentle time. Today, there is a whole class of real-world use cases where the protection of the user demands that it not be known to the adversary he or she is communicating with someone, as much - or even more - than it is required that the content of the communication is kept confidential.

If the connection between the user and the computer is transient, there may well be many instances where the adversary will not be able to identify the user, even if he manages to learn the content, and where the content, without the identity of the communicator, is of very limited value to the adversary.

It therefore appears to me this is a worthwhile project, provided, like always, *and for any crypto*, the user understands his or her threat model.
From mac3iii at gmail.com Tue Nov 7 16:29:09 2017
From: mac3iii at gmail.com (murphy)
Date: Tue, 7 Nov 2017 10:29:09 -0500
Subject: GnuPG 2.2.2 speedo swdb.lst
Message-ID: <0ca33b02-98a2-bfb1-13c4-a2df17a69384@gmail.com>

Hi Werner - I had trouble compiling GnuPG on my Raspberry Pi with error:

make -f /home/pi/Downloads/gnupg-2.2.2/build-aux/speedo.mk UPD_SWDB=1 TARGETOS=native WHAT=release WITH_GUI=0 all
make[1]: Entering directory '/home/pi/Downloads/gnupg-2.2.2'
gpgv: Signature made Thu 21 Sep 2017 03:51:24 AM EDT
gpgv:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpgv: Good signature from "Werner Koch (dist sig)"
GnuPG version in swdb.lst is less than this version!
  This version: 2.2.2
  SWDB version: 2.2.1
/home/pi/Downloads/gnupg-2.2.2/build-aux/speedo.mk:272: *** Error getting GnuPG software version database.  Stop.
make[1]: Leaving directory '/home/pi/Downloads/gnupg-2.2.2'
build-aux/speedo.mk:72: recipe for target 'native' failed
make: *** [native] Error 2

$ cat swdb.lst
gnupg22_ver 2.2.1
gnupg22_date 2017-09-19

Does this need to be updated to 2.2.2 ? Thanks for your attention!

Murphy
From peter at digitalbrains.com Tue Nov 7 18:05:53 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 7 Nov 2017 18:05:53 +0100
Subject: New smart card / token alternative
In-Reply-To: <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com> <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
Message-ID: <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>

On 07/11/17 15:58, listo factor via Gnupg-users wrote:
> If the connection between the user and the computer
> is transient, there may well be many instances where the adversary
> will not be able to identify the user, even if he manages to learn
> the content, and where the content, without the identity of the
> communicator, is of very limited value to the adversary.

I'm not commenting on the rest of this topic, but let me pick this one thing out. How exactly can the identity ever be unknown when we're talking about stuff encrypted to an OpenPGP public key or signed by one? That's a completely unique identifier!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

From ryan at splintermail.com Tue Nov 7 19:59:23 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Tue, 7 Nov 2017 12:59:23 -0600
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
Message-ID:

Well...
it happens that when I copy your script to my archlinux machine, everything works fine.

It also happens that when I copy your script into my ubuntu machine, I had to change both references of `gpg` to `gpg2`, since in ubuntu gpg is not the same program as gpg2. I also would find it convenient to add a `--default-recipient-self` to the `gpg2 -ea` line, but maybe that's just me.

If the same change works for you, perhaps you have an "alias gpg=gpg2" in your ~/.bashrc, causing your shell to behave differently than vim?

Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and I have never had problems. Then in my ~/.vimrc, I just had to set:

let GPGUsePipes=1
let GPGDefaultRecipients=['my.email at address.com']

Ryan

From wk at gnupg.org Tue Nov 7 21:04:34 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 Nov 2017 21:04:34 +0100
Subject: GnuPG 2.2.2 speedo swdb.lst
In-Reply-To: <0ca33b02-98a2-bfb1-13c4-a2df17a69384@gmail.com> (murphy's message of "Tue, 7 Nov 2017 10:29:09 -0500")
References: <0ca33b02-98a2-bfb1-13c4-a2df17a69384@gmail.com>
Message-ID: <87inelj1nx.fsf@wheatstone.g10code.de>

On Tue, 7 Nov 2017 16:29, mac3iii at gmail.com said:

> $ cat swdb.lst
> gnupg22_ver 2.2.1
> gnupg22_date 2017-09-19

Oh sorry. I only generated the new swdb.lst but forgot the "make upload". Done now.

Thanks,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
From timothy.steiner at yahoo.com Tue Nov 7 18:15:36 2017
From: timothy.steiner at yahoo.com (timothy.steiner at yahoo.com)
Date: Tue, 7 Nov 2017 17:15:36 +0000 (UTC)
Subject: New smart card / token alternative
In-Reply-To: <20171106222647.85FF6E034E@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com>
Message-ID: <539981193.3830304.1510074936643@mail.yahoo.com>

If you are using something like Tails you would probably just install the GPG agent. Tails allows installing additional software - https://tails.boum.org/doc/advanced_topics/additional_software/index.en.html. U2F is available in the new version of Firefox being released later this year so if that is included in a future Tails release then there would be in-browser support in Tails.

The risk mentioned with a key-logger/screen capture is the same for all smart cards/tokens, and really all methods of composing a message on a computer. The risk would even apply to Tails if say the user installed malicious software or browsed to a site that exploited a browser vulnerability.

On Monday, November 6, 2017, 5:26:51 PM EST, wrote:

On 11/6/2017 at 4:55 PM, "Tim Steiner" wrote:

We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.
We set out to solve this problem - "Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

=====

Using this on anything except your own computer, or laptop, is problematic, as the 'host' computer can have a key-logger or screen capturer, and copy the decrypted plaintext, or the plaintext to be encrypted.

Can it be made to work with Tails/Tor which uses GnuPG ?

(The 'insecure' browser on Tails not involving Tor, is a Firefox variant.  If it can work on that, then booting from the Tails USB avoids a screencapturer, and using an on-screen keyboard avoids a hardware keyboard logger. But even so, there are problems with using it on an 'unknown' computer : https://tails.boum.org/doc/about/warning/index.en.html#index2h1

vedaal

From dank at kegel.com Tue Nov 7 23:09:10 2017
From: dank at kegel.com (Dan Kegel)
Date: Tue, 7 Nov 2017 14:09:10 -0800
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <87d14ul4r0.fsf@wheatstone.g10code.de> <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>
Message-ID:

On Tue, Nov 7, 2017 at 5:45 AM, Sander Smeenk via Gnupg-users wrote:
> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.
>
> Where did that come from?
> What problem did it solve?

I'm curious, too.  It sure makes scripting hard.
- Dan

From ssmeenk at freshdot.net Wed Nov 8 10:50:45 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Wed, 8 Nov 2017 10:50:45 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
Message-ID: <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>

Quoting Ryan Beethe (ryan at splintermail.com):
> Well... it happens that when I copy your script to my archlinux
> machine, everything works fine.

Are you sure your key wasn't already unlocked in the gpg-agent?

> It also happens that when I copy your script into my ubuntu machine, I
> had to change both references of `gpg` to `gpg2`, [ .. ]

Yes, thanks for that hint but it is not my case. I made the deliberate step and now only use GnuPG 2.x

> Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> I have never had problems. Then in my ~/.vimrc, I just had to set:
> let GPGUsePipes=1
> let GPGDefaultRecipients=['my.email at address.com']

Wow! Quite some code for decrypting a file!
I'll give it a shot after I learn how to use that beast.

Rgds,
Sndr.
-- 
| It's hard to explain puns to kleptomaniacs
| because they always take things literally.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2

From ryan at splintermail.com Wed Nov 8 12:28:44 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Wed, 8 Nov 2017 05:28:44 -0600
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <20171107134235.fey372sbiggnhjv2@dot.freshdot.net> <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>
Message-ID:

On Wed, Nov 08, 2017 at 10:50:45AM +0100, Sander Smeenk via Gnupg-users wrote:
> Quoting Ryan Beethe (ryan at splintermail.com):
>
> > Well... it happens that when I copy your script to my archlinux
> > machine, everything works fine.
>
> Are you sure your key wasn't already unlocked in the gpg-agent?

Yes, I reset my gpg-agent (killall -1 gpg-agent) each time, and was prompted with a pinentry prompt each time.

> > Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> > I have never had problems. Then in my ~/.vimrc, I just had to set:
> > let GPGUsePipes=1
> > let GPGDefaultRecipients=['my.email at address.com']
>
> Wow! Quite some code for decrypting a file!
> I'll give it a shot after I learn how to use that beast.

Hm... now that I think about it I think the pinentry prompt has been broken in my vim with that plugin for some time (due to improper handling of stderr from the looks of it). It just hasn't bothered me because I almost never use vim until after I have entered the gpg password for something else. So it might be worth a shot but I can't make any promises.

Ryan

From vedaal at nym.hush.com Wed Nov 8 16:27:08 2017
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 08 Nov 2017 10:27:08 -0500
Subject: New smart card / token alternative
In-Reply-To: <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com> <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru> <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>
Message-ID: <20171108152708.841BCC0536@smtp.hushmail.com>

On 11/7/2017 at 12:10 PM, "Peter Lebbing" wrote:

>How exactly can the identity ever be unknown when we're talking
>about stuff encrypted to an OpenPGP public key or signed by one? That's a
>completely unique identifier!

=====

Well, if someone were really *crazy enough* he could send the PGP encrypted message using --throw-keyid to all email sites listed on PGP keyservers ... (I hope no one is *that* crazy ...
;-) )

or, more practically, just post anonymously to a blog or website, using --throw-keyid, with a pre-arranged understanding that the sender and receiver post to and check certain websites

This could be facilitated by Tails/Tor, although there are still some vulnerabilities: https://tails.boum.org/doc/about/warning/index.en.html#index2h1

vedaal

From peter at digitalbrains.com Wed Nov 8 16:45:27 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 8 Nov 2017 16:45:27 +0100
Subject: New smart card / token alternative
In-Reply-To: <20171108152708.841BCC0536@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com> <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru> <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com> <20171108152708.841BCC0536@smtp.hushmail.com>
Message-ID: <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>

On 08/11/17 16:27, vedaal at nym.hush.com wrote:
> or, more practically, just post anonymously to a blog or website,
> using --throw-keyid, with a pre-arranged understanding that the
> sender and receiver post to and check certain websites

I did not phrase it properly, leading to a misunderstanding.

We are talking about using a smartcard on a compromised computer. I reasoned from the OpenPGP Card specification[1]. You can simply ask the smartcard for the public key; the actual cryptographic public key.

So as an attacker with control over the computer, you see that someone successfully decrypts a document using his OpenPGP card. You ask the smartcard for the public key that was used to encrypt the document, and you have a fully unique identifier for the key that was used.

HTH,

Peter.

[1] It isn't clear to me whether this project is actually adhering to the OpenPGP card specification, though, I didn't check. I realised this only later.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

From listofactor at mail.ru Thu Nov 9 00:39:06 2017
From: listofactor at mail.ru (listo factor)
Date: Wed, 8 Nov 2017 23:39:06 +0000
Subject: New smart card / token alternative
In-Reply-To: <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com> <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru> <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com> <20171108152708.841BCC0536@smtp.hushmail.com> <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>
Message-ID: <73dffa2c-da9a-48b7-d3c4-96ee6d2fa8ed@mail.ru>

On 11/08/2017 03:45 PM, Peter Lebbing wrote:
> On 08/11/17 16:27, vedaal at nym.hush.com wrote:
>> or, more practically, just post anonymously to a blog or website,
>> using --throw-keyid, with a pre-arranged understanding that the
>> sender and receiver post to and check certain websites
>
> I did not phrase it properly, leading to a misunderstanding.
>
> We are talking about using a smartcard on a compromised computer. I
> reasoned from the OpenPGP Card specification[1]. You can simply ask the
> smartcard for the public key; the actual cryptographic public key.
>
> So as an attacker with control over the computer, you see that someone
> successfully decrypts a document using his OpenPGP card. You ask the
> smartcard for the public key that was used to encrypt the document, and
> you have a fully unique identifier for the key that was used.
There are many real-world use cases where the recipient does not mind that an adversary knows he is receiving encrypted communication, as long as the content is secure, but where the sender can be exposed to various levels of unpleasantness if the adversary can find out he is communicating with a specific recipient, using encryption.

The ownership of a device such as one discussed in this thread is trivial to conceal, especially when compared to a computer equipped to participate in encrypted communications.

Real-life threat-models are much more varied than what Alice, Bob and Eve would have us believe.

From wk at gnupg.org Thu Nov 9 09:01:45 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Nov 2017 09:01:45 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: (Ryan Beethe's message of "Wed, 8 Nov 2017 05:28:44 -0600")
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <20171107134235.fey372sbiggnhjv2@dot.freshdot.net> <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>
Message-ID: <871sl7j2xi.fsf@wheatstone.g10code.de>

On Wed, 8 Nov 2017 12:28, ryan at splintermail.com said:

> Yes, I reset my gpg-agent (killall -1 gpg-agent) each time, and was
> prompted with a pinentry prompt each time.

[ Please use "pkill -HUP gpg-agent" and never ever killall - which has, aehm, funny effects on other Unices. ]

  gpgconf --reload gpg-agent

is the suggested way to reload the gpg-agent configuration and flush the caches.

> Hm... now that I think about it I think the pinentry prompt has been
> broken in my vim with that plugin for some time (due to improper

Not sure what your problem is but nevertheless here this hint: When calling gpg you should watch the status fd (commonly stderr, "--status-fd 2") for a line

  [GNUPG:] PINENTRY_LAUNCHED

and set a flag to redraw your screen after gpg returned.

The other approach would be to write a vim-internal pinentry in the same way the pinentry-emacs pinentry works.
Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Nov 9 09:24:46 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Nov 2017 09:24:46 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net> (Sander Smeenk via Gnupg-users's message of "Tue, 7 Nov 2017 14:45:56 +0100")
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> <87d14ul4r0.fsf@wheatstone.g10code.de> <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>
Message-ID: <87wp2zhnap.fsf@wheatstone.g10code.de>

On Tue, 7 Nov 2017 14:45, gnupg-users at gnupg.org said:

> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

It is definitely not new. GnuPG 1.9 was released 14 years ago (it was renamed to 2.0 11 years ago). It has been used at quite some places right away from that time on. The new thing with 2.0 was the modularized system: The private keys were only managed and accessible by gpg-agent and gpgsm (gpg for S/MIME) used it this way. Unfortunately it took until the summer of 2010 before I was able to port gpg to use the same system as gpgsm and let gpg-agent handle the private keys. (Before that gpg used gpg-agent only for passphrase caching.)

Not having to care about private keys in gpg allowed us to remove a lot of semi-duplicated code from gpg. This instantly fixed the long standing import/merging of secret key bugs.

From an architectural point of view gpg-agent can be viewed as a token which can be accessed only via a well defined API. gpg does not take precautions against leaking secret keys.
- The actual code to do secret key operations (decrypt, signing) is done only at one place so that gpg and gpgsm, and other possible crypto protocols share the same code.

- Smartcard access is unified - gpg, gpgsm, and ssh can use the same smartcard.

- gpg-agent can theoretically be run under a different account.

- gpg-agent can actually be run on a remote machine, so that you don't need to have a secret key on a server but delegate that work to a desktop box or even a box which is used as a HSM.

The drawback is that applications don't need to handle passphrases anymore. However, I would call that a huge benefit because applications are relieved from handling the sensitive passphrase and can let another process (pinentry) do that on demand from gpg-agent. On X this works very well, with curses it is more complicated and needs some adjustments (or hitting Ctrl-L). On Windows it was easy as well but later got complicated due to new Windows security measurements so that there is a small chance that the pinentry won't pop up but blink only in the taskbar.

While preparing for the 2.1 release, we decided to add a loopback mode to gpg-agent/gpg/gpgsm so that instead of writing one's own loopback pinentry it is in most cases possible to keep on using existing code which expects to handle the passphrase. Adding

  --pinentry-mode=loopback

to the gpg invocation does this.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
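Two of Werner's hints in this thread are easiest to see in code: watching the status fd for `[GNUPG:] PINENTRY_LAUNCHED` so a curses program knows it must redraw, and driving gpg with `--pinentry-mode loopback` plus `--passphrase-fd` so the calling script supplies the passphrase itself instead of gpg-agent launching a pinentry. The following is an added example for this archive, not code from GnuPG or from anyone in the thread. The status lines it parses are constructed samples in the `[GNUPG:] KEYWORD args` shape gpg emits (documented in doc/DETAILS of the GnuPG source); the key ID and pid in them are made up, and `run_gpg` assumes a `gpg` binary on PATH.

```python
"""Scripting gpg without an interactive pinentry: status-fd parsing and loopback mode.

Added example, not GnuPG's own code. The status samples below are constructed;
only `run_gpg` actually needs gpg on PATH.
"""
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Constructed sample: an interactive decryption during which gpg-agent started
# a pinentry (so a curses UI was drawn over) and the decryption succeeded.
INTERACTIVE_RUN = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] PINENTRY_LAUNCHED 4242
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

# Constructed sample: loopback mode with a wrong passphrase; no pinentry ran.
LOOPBACK_BAD_PASSPHRASE = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] BAD_PASSPHRASE 0123456789ABCDEF
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] FAILURE decrypt 67108875
"""


def parse_status(lines):
    """Return [(keyword, args)] for every status line; other output is ignored."""
    events = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue                      # plain stderr chatter, not a status line
        fields = line[len(STATUS_PREFIX):].split(" ", 1)
        events.append((fields[0], fields[1] if len(fields) > 1 else ""))
    return events


def pinentry_launched(events):
    """True if gpg-agent started a pinentry during this run (a redraw is needed)."""
    return any(keyword == "PINENTRY_LAUNCHED" for keyword, _ in events)


def outcome(events):
    """Collapse the status keywords into the coarse result a wrapper cares about."""
    keywords = {keyword for keyword, _ in events}
    if "DECRYPTION_OKAY" in keywords or "SIG_CREATED" in keywords:
        return "ok"
    if "BAD_PASSPHRASE" in keywords or "MISSING_PASSPHRASE" in keywords:
        return "bad-passphrase"
    if "NO_SECKEY" in keywords:
        return "no-secret-key"
    return "failed" if "FAILURE" in keywords else "unknown"


def gpg_command(args, loopback=False, status_fd=2):
    """Build a gpg argv. With loopback=True gpg reads the passphrase from fd 0
    instead of asking gpg-agent to launch a pinentry."""
    cmd = ["gpg", "--batch", "--no-tty", "--status-fd", str(status_fd)]
    if loopback:
        cmd += ["--pinentry-mode", "loopback", "--passphrase-fd", "0"]
    return cmd + list(args)


def run_gpg(args, passphrase=None):
    """Run gpg with status lines on stderr (needs gpg on PATH; the offline
    samples above do not exercise this). Returns (returncode, stdout, events)."""
    cmd = gpg_command(args, loopback=passphrase is not None, status_fd=2)
    stdin = None if passphrase is None else (passphrase + "\n").encode()
    proc = subprocess.run(cmd, input=stdin, capture_output=True)
    events = parse_status(proc.stderr.decode(errors="replace").splitlines())
    return proc.returncode, proc.stdout, events


if __name__ == "__main__":
    for sample in (INTERACTIVE_RUN, LOOPBACK_BAD_PASSPHRASE):
        ev = parse_status(sample.splitlines())
        print("pinentry launched:", pinentry_launched(ev), "->", outcome(ev))
    print(" ".join(gpg_command(["--decrypt", "secret.gpg"], loopback=True)))
```

Two caveats a script author should keep in mind: loopback mode hands the passphrase back to the calling process, which gives up exactly the isolation Werner describes as the benefit of pinentry, so use it only where an unattended run is the whole point; and on the oldest 2.1 releases the agent had to be configured with `allow-loopback-pinentry` before gpg would accept `--pinentry-mode loopback`.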
From peter at digitalbrains.com Thu Nov 9 12:52:22 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 9 Nov 2017 12:52:22 +0100
Subject: New smart card / token alternative
In-Reply-To: <73dffa2c-da9a-48b7-d3c4-96ee6d2fa8ed@mail.ru>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com> <1247832004.2932812.1509982108841@mail.yahoo.com> <20171106222647.85FF6E034E@smtp.hushmail.com> <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru> <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com> <20171108152708.841BCC0536@smtp.hushmail.com> <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com> <73dffa2c-da9a-48b7-d3c4-96ee6d2fa8ed@mail.ru>
Message-ID:

On 09/11/17 00:39, listo factor via Gnupg-users wrote:
> Real-life threat-models are much more varied than what Alice, Bob
> and Eve would have us believe.

Hey, note that I'm not advocating against this proposed new alternative; it sounds like you think I do. I explicitly said I'm not commenting on it. I currently don't have the time to invest.

(I didn't understand the relevance of the part of your reply I snipped at all, though. I must be overlooking a bit of context. But let's just end that line of discussion, I merely wanted to quickly point out what I said about unique identifiers and don't have the time to look at it more.)

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
From cderr at simons-rock.edu Fri Nov 10 06:27:22 2017
From: cderr at simons-rock.edu (charlie derr)
Date: Fri, 10 Nov 2017 00:27:22 -0500
Subject: a bunch of questions
Message-ID: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>

Please forgive me for piling several questions into a single post. If anyone wants to just answer a subset, I'll still be very happy to read your advice.

I believe that the key I'm signing this message with is 2048 bits and will expire next year. If I've got either of those details wrong, please correct my error(s).

I would like to generate a new key (which never expires) and begin to transition to using it. Mostly I sign messages, but occasionally I receive encrypted messages from friends. I hope that in the future I will use gnupg more.

What size key do you recommend I create in order to be future proof (for the rest of my life -- I'm in my early 50s)?

I believe that the master key for the subkey I'm currently using will also expire next year. How would I go about confirming/refuting that assumption?

I currently use gnupg with two different email accounts (this one and a gmail address) and I use different mail clients for each: thunderbird with enigmail here and claws-mail (and whatever debian gnupg plugin is appropriate for claws) with gmail. How can I set things up so that I can switch back and forth between two keys (for signing) until this one expires in 2018?

I'm on debian 9 stretch on two different computers with this setup.

   thanks so very much in advance for any answers (or pointers to appropriate documentation),

          ~c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x31A9367F.asc
Type: application/pgp-keys
Size: 3074 bytes
Desc: not available
URL:
From rjh at sixdemonbag.org Fri Nov 10 07:42:31 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 10 Nov 2017 01:42:31 -0500
Subject: a bunch of questions
In-Reply-To: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
References: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
Message-ID: <8d17ce49-255a-918a-1f79-1e57de40a2d3@sixdemonbag.org>

> I believe that the key I'm signing this message with is 2048 bits and
> will expire next year. If I've got either of those details wrong, please
> correct my error(s).

No. There's no expiration date on your certificate, and it's a 4096-bit RSA keypair.

> What size key do you recommend I create in order to be future proof (for
> the rest of my life -- I'm in my early 50s)?

I personally think it's unlikely 4096-bit RSA keys will be broken in the next twenty years. Over that timeframe, RSA-4096 is probably stronger than elliptical curve cryptography: we might (*might*) have quantum computers large enough to tackle ECC by 2040, but RSA-4096 would require a far larger quantum computer.

> I believe that the master key for the subkey I'm currently using will
> also expire next year. How would I go about confirming/refuting that
> assumption?

quorra:~ rjh$ gpg --edit-key "Charlie Derr"
pub  rsa4096/BB8B3D7331A9367F
     created: 2010-12-16  expires: never       usage: SCA
     trust: unknown       validity: unknown
sub  rsa4096/F44E4BC7C1F121DD
     created: 2010-12-16  expires: never       usage: E
[ unknown] (1). Charlie Derr

> I currently use gnupg with two different email accounts (this one and a
> gmail address) and I use different mail clients for each: thunderbird
> with enigmail here and claws-mail (and whatever debian gnupg plugin is
> appropriate for claws) with gmail. How can I set things up so that I can
> switch back and forth between two keys (for signing) until this one
> expires in 2018?
I don't use Claws, so I can't answer that; but Thunderbird+Enigmail allows you to use whichever key you wish -- just set it up according to the instructions on the Enigmail webpage. If the instructions there are unclear or confusing, I'm happy to help you with it further.

From fa-ml at ariis.it Fri Nov 10 09:50:38 2017
From: fa-ml at ariis.it (Francesco Ariis)
Date: Fri, 10 Nov 2017 09:50:38 +0100
Subject: a bunch of questions
In-Reply-To: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
References: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
Message-ID: <20171110085038.yguqnonmgz72wb2h@x60s.casa>

On Fri, Nov 10, 2017 at 12:27:22AM -0500, charlie derr wrote:
> I believe that the key I'm signing this message with is 2048 bits and
> will expire next year. If I've got either of those details wrong, please
> correct my error(s).
> [...]

Hello Charlie, I see no expiration date on your key (4096, not 2048). Maybe you *did* input an expiration date and then forgot to upload the key again to a key-server?

A general word on expiry dates: you can always modify them as you go (that's what I do), they are not set in stone. So why are they useful? Because this way you can encourage your friends/workmates to refresh your keys every now and then, getting all the new subkeys/revocations/etc.

Any reasonable client (I use mutt) should allow you to switch keys, but since the one you are using is 4096 (very strong!), if it is not compromised you could use this for the rest of your life.

Does this address your questions?
From peter at digitalbrains.com Fri Nov 10 12:20:36 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 10 Nov 2017 12:20:36 +0100
Subject: a bunch of questions
In-Reply-To: <20171110085038.yguqnonmgz72wb2h@x60s.casa>
References: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu> <20171110085038.yguqnonmgz72wb2h@x60s.casa>
Message-ID:

On 10/11/17 09:50, Francesco Ariis wrote:
> A general word on expiry dates: you can always modify them as you
> go (that's what I do), they are not set in stone

Well, this depends on your threat model. If I can control what one of your peers sees, I could strip the self-signatures that change the expiry date, only keeping the ones that I agree with.

So if you have a self-signature from 16 Dec 2010 that says the key does not expire, and a self-signature from 10 Nov 2017 that says the key expires in two years, I could manipulate it such that the second self-signature never reaches this peer but everything still verifies. Then the manipulated peer thinks the key will never expire, and I can "keep the key going" forever.

If however you only ever extend the expiry dates, an attacker could only fake your still valid key to be expired, rather than the more troublesome case of faking your expired key to be still valid.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
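Peter's argument above can be checked mechanically. The following is an added example for this archive, not GnuPG code and not something Peter posted. It models the rule an OpenPGP implementation applies (among the self-signatures it can see, the most recently created one determines the expiry), an attacker on the path who can withhold self-signatures but cannot forge new ones, and the constraint that at least one self-signature must survive for the key to be usable at all. Simplifications: each self-signature is a `(created, expires)` pair with absolute dates, whereas a real signature carries a key-expiration subpacket relative to the key's creation time, and revocations are ignored. The two histories at the bottom are constructed; `SHORTENED` is the 2010/2017 case Peter describes.

```python
"""Model of self-signature stripping against an OpenPGP key's expiry.

Added example; not GnuPG code. expires=None means "does not expire".
"""
from datetime import date
from itertools import combinations

NEVER = None


def _later(a, b):
    """True if expiry a is later than expiry b, treating NEVER as +infinity."""
    if a is NEVER:
        return b is not NEVER
    return b is not NEVER and a > b


def effective_expiry(selfsigs):
    """The expiry a verifier derives: the most recently created self-signature wins."""
    return max(selfsigs, key=lambda sig: sig[0])[1]


def reachable_expiries(selfsigs):
    """Every expiry an attacker can make a peer see by withholding any subset of
    the self-signatures while leaving at least one in place."""
    sigs = list(selfsigs)
    return {effective_expiry(subset)
            for r in range(1, len(sigs) + 1)
            for subset in combinations(sigs, r)}


def attacker_can_extend(selfsigs):
    """Can withholding signatures make the key look valid beyond the expiry the
    owner currently intends? This is the dangerous direction."""
    intended = effective_expiry(selfsigs)
    return any(_later(e, intended) for e in reachable_expiries(selfsigs))


def attacker_can_shorten(selfsigs):
    """Can withholding signatures make the key look expired early? Only a
    denial of service: nobody is tricked into using a key the owner retired."""
    intended = effective_expiry(selfsigs)
    return any(_later(intended, e) for e in reachable_expiries(selfsigs))


# Constructed histories.
# SHORTENED: created without an expiry in 2010, given one in 2017 (Peter's case).
SHORTENED = [(date(2010, 12, 16), NEVER),
             (date(2017, 11, 10), date(2019, 11, 10))]
# EXTEND_ONLY: every refresh pushes the expiry further out, never back.
EXTEND_ONLY = [(date(2010, 12, 16), date(2012, 12, 16)),
               (date(2012, 11, 1), date(2014, 12, 16)),
               (date(2014, 11, 1), date(2017, 1, 1))]

if __name__ == "__main__":
    for name, history in (("shortened", SHORTENED), ("extend-only", EXTEND_ONLY)):
        print(name, "intended:", effective_expiry(history),
              "| attacker can extend:", attacker_can_extend(history),
              "| attacker can shorten:", attacker_can_shorten(history))
```

The exhaustive subset search is only there to make the claim visible on small histories; the conclusion follows directly from the rule: dropping signatures can only move the verifier back to some earlier self-signature, so the worst an attacker can do is revive whatever expiry an older signature declared. Keeping every declared expiry no later than the next one bounds that damage to "expired early".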
Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL:

From Cathy.Smith at pnnl.gov Tue Nov 14 22:08:30 2017
From: Cathy.Smith at pnnl.gov (Smith, Cathy)
Date: Tue, 14 Nov 2017 21:08:30 +0000
Subject: question about determining the key length
Message-ID: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>

Hello

Is there a way to determine the key length and the type of key (RSA or other) used when generating the keyring? I have a RHEL 5 box using gpg 1.4.5 where I need to determine how a key ring was generated. Even on an Ubuntu box using gpg2, the --list-secret-keys option does not print out that information.

Thank you.

Cathy

--
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.smith at pnnl.gov
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rjh at sixdemonbag.org Tue Nov 14 23:54:00 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 14 Nov 2017 17:54:00 -0500
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID: <1cd2cda3-a4e3-b7b4-bcf2-1e113aa4f974@sixdemonbag.org>

> Is there a way to determine the key length and the type of key (RSA or
> other) used when generating the keyring?

There seems to be a misunderstanding here. A keyring is just a collection of certificates (which used to be called "keys"). Each individual certificate will have various subkeys of different algorithms, but the keyring *as a whole* has no algorithm nor bit length.

To get a detailed look at an individual key, try --list-key. (Which should really be "--list-certificate". We're changing our language very slowly.)
E.g.:

quorra:~ rjh$ gpg --list-key b44427c7
pub   rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
      CC11BE7CBBED77B120F37B011DCBDC01B44427C7
uid           [ultimate] Robert J. Hansen
uid           [ultimate] Robert J. Hansen
uid           [ultimate] Robert J. Hansen
sub   rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub   ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub   cv25519/AA24CC81B8AED08B 2017-04-05 [E]

The primary subkey is RSA-3072, made on July 16, 2015. There are three other subkeys: an RSA-3072 useful for encryption (same date), an Edwards-25519 key useful for signing (dating April 5, 2017); and an ECC-25519 key useful for encryption (April 5, 2017).

From vedaal at nym.hush.com Wed Nov 15 00:17:25 2017
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 14 Nov 2017 18:17:25 -0500
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID: <20171114231726.0DA63C0536@smtp.hushmail.com>

On 11/14/2017 at 5:46 PM, "Cathy Smith" wrote:

Is there a way to determine the key length and the type of key (RSA or other) used when generating the keyring? I have a RHEL 5 box using gpg 1.4.5 where I need to determine how a key ring was generated. Even on an Ubuntu box using gpg2, the --list-secret-keys option does not print out that information.

=====

To find the details about a key generated some time ago, export the key in .asc form and do:

gpg --list-packets keyname.asc

To see all the information about the key as it is being generated, use the options of --expert --verbose --verbose

The full command would then be:

gpg --expert --verbose --verbose --gen-key

vedaal
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From marioxcc.MT at yandex.com Wed Nov 15 00:17:26 2017
From: marioxcc.MT at yandex.com (Mario Castelán Castro)
Date: Tue, 14 Nov 2017 17:17:26 -0600
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID:

On 14/11/17 15:08, Smith, Cathy wrote:
> Is there a way to determine the key length and the type of key (RSA or other) used when generating the keyring? I have a RHEL 5 box using gpg 1.4.5 where I need to determine how a key ring was generated. Even on an Ubuntu box using gpg2, the --list-secret-keys option does not print out that information.

GnuPG 1.4.5 was released in 2006. You should not use software so old, especially cryptographic software. In that time, a lot of _known_ bugs accumulate in nearly all pieces of software, including security vulnerabilities.

Using "--list-keys" should display the information you want. It works that way since as far as I have used it, and definitely including 2.0.

mario at svetlana [0] [/home/mario/hacking/hol]
$ gpg --list-keys 'mario'
pub   rsa3072/0642D919 2017-08-02 [SC] [expires: 2020-08-01]
      E053A25BCC302BBB2DADEC033003BEC50642D919
uid           [ultimate] Mario Castelán Castro
sub   secp256k1/B92640D9 2017-08-02 [S] [expires: 2020-08-01]
sub   secp256k1/69F40765 2017-08-02 [E] [expires: 2020-08-01]

Here "rsa3072" and "secp256k1" are the key types. The RSA main key is 3072 bits long, as the string suggests. Some key types are fixed size (for example, secp256k1 is always 256 bits long).

If you are still unable to find the key type, paste the output of "gpg --list-keys " (where is something used to narrow the results. e.g.: the holder e-mail or part of his name).

> Cathy L. Smith
> IT Engineer
>
> Pacific Northwest National Laboratory
> Operated by Battelle for the
> U.S. Department of Energy

Well, then I feel very fortunate to NOT live in the US.
--
Do not eat animals; respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL:

From guru at unixarea.de Wed Nov 15 09:06:32 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 15 Nov 2017 09:06:32 +0100
Subject: Using the OpenPGP Card on Unix && Win7
Message-ID: <20171115080632.GA2621@c720-r314251>

Hello,

I'm using the OpenPGP Card on Unix (FreeBSD) and on my Ubuntu mobile phone (see https://gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html) mostly for storing credentials with the password manager 'pass' and using them from the browser, and as well for signing mails.

At work I have to use a Win7 desktop and OutLook for the company mails and FreeBSD with GnuPG must run in a Vbox, which works fine with the OpenPGP Card too. I'd like to use the same Card with OutLook (please don't blame me :-)) and have already installed gpg4win-3.0.0.exe which seems to work together with OutLook.

Before digging into all the details by my own and esp. because in Windows I'm only a DAU(*), is there some step by step guide to configure the OpenPGP Card in Windows and using the files from the GNUPGHOME on FreeBSD in Windows?

Thanks

matthias

DAU(*): This is German spelled for "Dümmster Anzunehmender User" (the most stupid imaginable user)

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL:

From seby2kt14 at gmail.com Wed Nov 15 09:25:26 2017
From: seby2kt14 at gmail.com (Seby)
Date: Wed, 15 Nov 2017 08:25:26 +0000
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID:

Hello Cathy,

On Nov 15, 2017 00:40, "Smith, Cathy" wrote:

Hello

Is there a way to determine the key length and the type of key (RSA or other) used when generating the keyring? I have a RHEL 5 box using gpg 1.4.5 where I need to determine how a key ring was generated. Even on an Ubuntu box using gpg2, the --list-secret-keys option does not print out that information.

Thank you.

Cathy

--
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory
Operated by Battelle for the U.S. Department of Energy
Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.smith at pnnl.gov

gpg -K or gpg --list-keys or gpg --list-secret-keys should all print the information you are interested in. In my example the primary key is rsa3072 and the encryption subkey is rsa4096. You can see this info before the creation date of the key. Note that older gnupg 1.x does not support ecc, only rsa/rsa and rsa/dsa.

~# gpg --list-secret-keys
sec   rsa3072 2017-11-15 [SC]
      8275276834C8F08567185C92FB3157AB136ED940
uid           [ultimate] Test Test
ssb   rsa4096 2017-11-15 [E]

This is gnupg 2.2. How does it look at your side?

Sebastian
-------------- next part --------------
An HTML attachment was scrubbed...
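For the machine-readable form of the same listing, here is an added example (not code from any poster in the thread) that reads `gpg --with-colons --list-keys` output and reports the algorithm, bit length or curve, capabilities and expiry of each key and subkey; the colon record layout follows GnuPG's doc/DETAILS, and the sample records in CONSTRUCTED_OUTPUT are constructed, not any poster's key.

```python
"""Read key type, size and expiry from `gpg --with-colons` output.

Added example, not code from the thread. It parses the colon-separated
record format documented in GnuPG's doc/DETAILS (field 3 = key length,
field 4 = public-key algorithm id, field 7 = expiry, field 17 = curve)
and prints the same facts the human listings above show. The sample
records in CONSTRUCTED_OUTPUT are constructed, not any poster's key.
"""
import subprocess
from datetime import datetime, timezone
from typing import Any, Dict, List

# Public-key algorithm ids (RFC 4880 section 9.1 plus GnuPG's EdDSA id)
PUBKEY_ALGO = {
    1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
    16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}

# Constructed sample: an RSA-3072 primary key with a secp256k1 signing
# subkey and an RSA-2048 encryption subkey that never expires.
CONSTRUCTED_OUTPUT = """\
pub:u:3072:1:3003BEC50642D919:1501632000:1596240000::u:::scSC::::::23::0:
fpr:::::::::E053A25BCC302BBB2DADEC033003BEC50642D919:
uid:u::::1501632000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:u:256:19:B92640D9ABCDEF01:1501632000:1596240000:::::s:::::secp256k1:23::0:
sub:u:2048:1:69F40765ABCDEF01:1501632000::::::e::::::23::0:
"""


def _date(field: str) -> str:
    """Colon timestamps are epoch seconds (ISO 8601 in some builds)."""
    if not field:
        return "never"
    if "T" in field:
        return field[:10]
    return datetime.fromtimestamp(int(field), tz=timezone.utc).strftime("%Y-%m-%d")


def parse_colons(text: str) -> List[Dict[str, Any]]:
    """Return one dict per key record (pub/sub/sec/ssb), attaching the
    fingerprint and user ids that follow each record in the output."""
    keys: List[Dict[str, Any]] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and keys:
            keys[-1]["fingerprint"] = f[9]
        elif f[0] == "uid" and keys:
            keys[-1].setdefault("uids", []).append(f[9])
        elif f[0] in ("pub", "sub", "sec", "ssb"):
            algo = int(f[3])
            keys.append({
                "type": f[0],
                "validity": f[1],
                "bits": int(f[2]),
                "algo": PUBKEY_ALGO.get(algo, f"algo {algo}"),
                "keyid": f[4],
                "created": _date(f[5]),
                "expires": _date(f[6]),
                "caps": f[11],
                "curve": f[16] if len(f) > 16 else "",
            })
    return keys


def describe(keys: List[Dict[str, Any]]) -> List[str]:
    """One readable line per key. ECC keys are sized by their curve, so
    the curve name is shown instead of the bit count."""
    lines = []
    for k in keys:
        size = k["curve"] if k["curve"] else f"{k['bits']} bits"
        lines.append(
            f"{k['type']} {k['algo']} {size} [{k['caps']}] "
            f"created {k['created']} expires {k['expires']} keyid {k['keyid']}"
        )
    return lines


def list_keys_live(pattern: str) -> List[Dict[str, Any]]:
    """Same thing against the local keyring (needs gpg on PATH)."""
    out = subprocess.run(
        ["gpg", "--with-colons", "--list-keys", pattern],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_colons(out)


if __name__ == "__main__":
    for line in describe(parse_colons(CONSTRUCTED_OUTPUT)):
        print(line)
```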
URL:

From wk at gnupg.org Wed Nov 15 12:19:30 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 15 Nov 2017 12:19:30 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171115080632.GA2621@c720-r314251> (Matthias Apitz's message of "Wed, 15 Nov 2017 09:06:32 +0100")
References: <20171115080632.GA2621@c720-r314251>
Message-ID: <87mv3n6b7h.fsf@wheatstone.g10code.de>

On Wed, 15 Nov 2017 09:06, guru at unixarea.de said:
> Before digging into all the details by my own and esp. because in Windows I'm only a
> DAU(*), is there some step by step guide to configure the OpenPGP Card in
> Windows and using the files from the GNUPGHOME on FreeBSD in Windows?

Actually you could copy the entire GNUPGHOME to the respective Windows directory. The name of the lock files and some temporary files are different but that does matter. "gpg --version" (or "gpgconf --list-dirs") shows you the standard home directory on Windows.

If you only want to copy some keys, you can use the same procedure you would use between Unix boxes.

Kleopatra's card manager is pretty basic. If you don't like it you can use the one in gpa (which can optionally be installed), or just resort to the command line.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL:

From jonathan at emitting.com Wed Nov 15 19:26:52 2017
From: jonathan at emitting.com (Jonathan)
Date: Wed, 15 Nov 2017 10:26:52 -0800
Subject: Help with error please
Message-ID:

An HTML attachment was scrubbed...
URL:

From wk at gnupg.org Thu Nov 16 12:43:05 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 16 Nov 2017 12:43:05 +0100
Subject: Help with error please
In-Reply-To: (jonathan@emitting.com's message of "Wed, 15 Nov 2017 10:26:52 -0800")
References:
Message-ID: <87zi7mxxdi.fsf@wheatstone.g10code.de>

On Wed, 15 Nov 2017 19:26, jonathan at emitting.com said:
> Provided object is too short

This is a bug in gpgsm on Windows when there are no keys. We are currently testing a new revision of gpg4win which will solve the problem. As a workaround you may start GPA on the command line:

gpa --disable-x509

after you create an OpenPGP key, the X.509 keys should work again.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL:

From guru at unixarea.de Thu Nov 16 13:56:34 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 16 Nov 2017 13:56:34 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87mv3n6b7h.fsf@wheatstone.g10code.de>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de>
Message-ID: <20171116125634.GA3841@c720-r314251>

On Wednesday, November 15, 2017 at 12:19:30 p.m. +0100, Werner Koch wrote:
> On Wed, 15 Nov 2017 09:06, guru at unixarea.de said:
>
> > Before digging into all the details by my own and esp. because in Windows I'm only a
> > DAU(*), is there some step by step guide to configure the OpenPGP Card in
> > Windows and using the files from the GNUPGHOME on FreeBSD in Windows?
>
> Actually you could copy the entire GNUPGHOME to the respective Windows
> directory. The name of the lock files and some temporary files are
> different but that does matter. "gpg --version" (or "gpgconf
> --list-dirs") shows you the standard home directory on Windows.
>
> If you only want to copy some keys, you can use the same procedure you
> would use between Unix boxes.
>
> Kleopatra's card manager is pretty basics. If you don't like it you can
> use the one in gpa (which can optionally be installed), or just resort
> to the command line.

I copied over GNUPGHOME and gpa and OutLook can see/use the pub key. To get access to the Card, I need some driver in Win7. Do you know any reliable place to fetch it from?

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

From jeandavid8 at verizon.net Thu Nov 16 14:55:31 2017
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Thu, 16 Nov 2017 08:55:31 -0500
Subject: your message could not,be delivered to one or more recipients.
Message-ID:

This is the mail system at host omr-m007e.mx.aol.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

: host kerckhoffs.g10code.com[217.69.77.222] said: 451-204.29.186.9 is not yet authorized to deliver mail from 451 to . Please try later. (in reply to RCPT TO command)

_____

Reporting-MTA: dns; omr-m007e.mx.aol.com
X-Outbound-Mail-Relay-Queue-ID: 58F77380004C
X-Outbound-Mail-Relay-Sender: rfc822; jeandavid8 at verizon.net
Arrival-Date: Wed, 15 Nov 2017 09:01:43 -0500 (EST)

Final-Recipient: rfc822; gnupg-users at gnupg.org
Original-Recipient: rfc822;gnupg-users at gnupg.org
Action: failed
Status: 4.0.0
Remote-MTA: dns; kerckhoffs.g10code.com
Diagnostic-Code: smtp; 451-204.29.186.9 is not yet authorized to deliver mail from 451 to . Please try later.

__________

From where does it get port 451? My SMTP port is 465

204.29.186.9 is my ISP for e-mail: AOL.

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:40:01 up 1 day, 15:55, 2 users, load average: 4.81, 4.90, 4.72

From peter at digitalbrains.com Thu Nov 16 16:22:30 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 16 Nov 2017 16:22:30 +0100
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To:
References:
Message-ID:

On 16/11/17 14:55, Jean-David Beyer wrote:
> From where does it get port 451? My SMTP port is 465
> 204.29.186.9 is my ISP for e-mail: AOL.

It's probably not a port. Note that the port 465 you are using to submit mail has nothing to do with how mail is delivered from there on. Port 465 is never used between mail servers[1].

It's probably SMTP status code 451, which is a temporary error message inviting the sending server to try again at a later time. Combined with the error message, I'm inclined to think it's a greylisting system on the receiving server. But apparently your ISP's mail server has given up on trying to deliver it and bounced it to you. Either your ISP is giving up too soon, or the receiving server is holding it off for too long. The latter might be because of a configuration error. The mail I'm replying to got through, though.

I have to admit the formatting of the message with the 451 code was pretty odd, "deliver mail from 451 " like the 451 is somehow part of the address. Weird.

HTH,

Peter.

[1] Unless someone explicitly configures two mail servers to chat to each other on that port because... well, because they wanted to do that. A mail server can be configured to inscribe your mail on a stone with a chisel if you configure it to do so, but that doesn't mean it's a normal thing to do.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL:

From wk at gnupg.org Thu Nov 16 19:23:03 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 16 Nov 2017 19:23:03 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171116125634.GA3841@c720-r314251> (Matthias Apitz's message of "Thu, 16 Nov 2017 13:56:34 +0100")
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251>
Message-ID: <87tvxuw0ag.fsf@wheatstone.g10code.de>

On Thu, 16 Nov 2017 13:56, guru at unixarea.de said:
> I copied over GNUPGHOME and gpa and OutLook can see/use the pub key. To
> get access to the Card, I need some driver in Win7. Do you know any
> reliable place to fetch from.

Usually the Windows hardware detection (a menu item like "Install new hardware", or a small icon in the taskbar) can locate all common reader types and their drivers. If not, you need to check the website of the reader's vendor.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL:

From w at uter.be Thu Nov 16 17:56:34 2017
From: w at uter.be (Wouter Verhelst)
Date: Thu, 16 Nov 2017 17:56:34 +0100
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To:
References:
Message-ID: <20171116165634.w3g6m65rxcyjpo2i@grep.be>

On Thu, Nov 16, 2017 at 04:22:30PM +0100, Peter Lebbing wrote:
> On 16/11/17 14:55, Jean-David Beyer wrote:
> > From where does it get port 451? My SMTP port is 465
> > 204.29.186.9 is my ISP for e-mail: AOL.
>
> It's probably not a port. Note that the port 465 you are using to submit
> mail has nothing to do with how mail is delivered from there on. Port
> 465 is never used between mail servers[1].
>
> It's probably SMTP status code 451, which is a temporary error message
> inviting the sending server to try again at a later time. Combined with
> the error message, I'm inclined to think it's a greylisting system on
> the receiving server. But apparently your ISP's mail server has given up
> on trying to deliver it and bounced it to you. Either your ISP is giving
> up too soon, or the receiving server is holding it off for too long. The
> latter might be because of a configuration error.

Alternatively, AOL might be trying to send the mail from a different server every time. If the receiving server does implement graylisting, then every time it sees a new IP address, sends it a 4xx status, and waits for it to reappear. Only when it does reappear the IP address is new, so it graylists again. Rinse, repeat.

--
Could you people please use IRC like normal people?!?
  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008 Hacklab

From mkesper at schokokeks.org Thu Nov 16 10:36:27 2017
From: mkesper at schokokeks.org (Michael Kesper)
Date: Thu, 16 Nov 2017 10:36:27 +0100
Subject: Help with error please
In-Reply-To:
References:
Message-ID:

Hello Jonathan,

On 15.11.2017 19:26, Jonathan wrote:
> Just installed GPA/Kleopatra. Whenever I start up GPA I get 3 windows
> pop-up:

People can only help you if you provide all the necessary details.

Most important:
- Used Operating System (and version)
- GPA/Kleopatra version (from where did you get it?)

Best wishes
Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 691 bytes Desc: OpenPGP digital signature URL:

From wk at gnupg.org Fri Nov 17 09:09:10 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 17 Nov 2017 09:09:10 +0100
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To: <20171116165634.w3g6m65rxcyjpo2i@grep.be> (Wouter Verhelst's message of "Thu, 16 Nov 2017 17:56:34 +0100")
References: <20171116165634.w3g6m65rxcyjpo2i@grep.be>
Message-ID: <87d14hwcm1.fsf@wheatstone.g10code.de>

On Thu, 16 Nov 2017 17:56, w at uter.be said:
> Alternatively, AOL might be trying to send the mail from a different

Very likely - greylistd comes with a list of whitelisted AOL server pools. 204.29.186.0/24 is not yet in this list - I added it to the local installations.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL:

From jeandavid8 at verizon.net Fri Nov 17 14:57:59 2017
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Fri, 17 Nov 2017 08:57:59 -0500
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To: <87d14hwcm1.fsf@wheatstone.g10code.de>
References: <20171116165634.w3g6m65rxcyjpo2i@grep.be> <87d14hwcm1.fsf@wheatstone.g10code.de>
Message-ID: <16be7aac-4dd9-12d4-adad-d14016530936@verizon.net>

On 11/17/2017 03:09 AM, Werner Koch wrote:
> On Thu, 16 Nov 2017 17:56, w at uter.be said:
>
>> Alternatively, AOL might be trying to send the mail from a different
>
> Very likely - greylistd comes with a list of whitelisted AOL server
> pools. 204.29.186.0/24 is not yet in this list - I added it to the
> local installations.
>
>
> Salam-Shalom,
>
> Werner
>

Thank you. I used to use Verizon as my SMTP provider, but when they bought AOL, they discontinued serving e-mail and transferred everything to AOL's servers. I usually have no trouble posting to gnupg-users at gnupg.org but that one did not go through.

Yesterday, I did a whois on 204.29.186.9 and it came up as AOL, but AOL for the .ru area (it came up with other areas where presumably AOL serves).
But today there seems to be only the main entry in Dulles, VA. If someone had been messing with the DNS, no wonder gnupg.org would be suspicious. Right now everything looks OK.

$ dig -x 204.29.186.9

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 204.29.186.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;9.186.29.204.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
9.186.29.204.in-addr.arpa. 300  IN      PTR     omr-m007e.mx.aol.com.

;; AUTHORITY SECTION:
186.29.204.in-addr.arpa. 3600   IN      NS      dns-07.ns.aol.com.
186.29.204.in-addr.arpa. 3600   IN      NS      dns-02.ns.aol.com.
186.29.204.in-addr.arpa. 3600   IN      NS      dns-01.ns.aol.com.
186.29.204.in-addr.arpa. 3600   IN      NS      dns-06.ns.aol.com.

;; ADDITIONAL SECTION:
dns-01.ns.aol.com.      126866  IN      A       64.12.51.132
dns-02.ns.aol.com.      126866  IN      A       205.188.157.232
dns-07.ns.aol.com.      126866  IN      A       64.236.1.107
dns-06.ns.aol.com.      126866  IN      A       207.200.73.80

;; Query time: 123 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 08:53:27 2017
;; MSG SIZE  rcvd: 228

--
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine 1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:35:01 up 2 days, 15:50, 2 users, load average: 4.42, 4.27, 4.14
-------------- next part --------------
A non-text attachment was scrubbed...
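To see why a rotating sender pool defeats greylisting, as Peter and Wouter describe, and why Werner's whitelist entry fixes it, here is an added example (not from the thread, and not greylistd's own code) that simulates a triplet-based greylister with a CIDR whitelist against a sender that retries from a different relay each time. The relay addresses, mailbox names and retry schedule are constructed; 204.29.186.0/24 is the network named in the thread.

```python
"""Greylisting versus a sender that rotates outbound relays.

Added example, not code from the thread and not greylistd's own logic.
It models the common greylisting scheme (defer the first attempt for a
new client-IP/sender/recipient triplet, accept once it retries after a
delay) plus a CIDR whitelist of known relay pools. The relay addresses,
mailbox names and retry schedule are constructed; 204.29.186.0/24 is
the network named in the thread.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Triplet = Tuple[str, str, str]


class Greylister:
    def __init__(self, delay: int = 300, whitelist: Iterable[str] = ()):
        self.delay = delay                           # seconds a new triplet must wait
        self.first_seen: Dict[Triplet, int] = {}     # triplet -> time of first attempt
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]

    def _whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """SMTP reply for one RCPT TO: '250' accept, '451' try again later."""
        if self._whitelisted(ip):
            return "250"
        first = self.first_seen.setdefault((ip, sender, rcpt), now)
        return "250" if now - first >= self.delay else "451"


def deliver(gl: Greylister, pool: List[str], attempts: int, interval: int = 900) -> List[str]:
    """Simulate a sending site that retries `attempts` times, `interval`
    seconds apart, choosing the next relay from `pool` round-robin.
    Returns the reply code each attempt received."""
    codes = []
    for i in range(attempts):
        relay = pool[i % len(pool)]
        codes.append(gl.check(relay, "someone@example.org", "list@example.net", now=i * interval))
    return codes


# Constructed relay pool inside the /24 Werner mentions.
AOL_POOL = [f"204.29.186.{n}" for n in (7, 8, 9, 10)]


def demo() -> Dict[str, List[str]]:
    return {
        # one relay: deferred once, then accepted on the retry
        "single relay": deliver(Greylister(), ["198.51.100.5"], 3),
        # pool of 4, 4 attempts: every attempt is a fresh triplet, all deferred,
        # so the sender gives up and bounces (Wouter's explanation of the bounce)
        "rotating pool": deliver(Greylister(), AOL_POOL, 4),
        # same pool with its /24 whitelisted: accepted immediately
        "whitelisted pool": deliver(Greylister(whitelist=["204.29.186.0/24"]), AOL_POOL, 4),
    }


if __name__ == "__main__":
    for name, codes in demo().items():
        print(f"{name:18} {' '.join(codes)}")
```

A fifth attempt in the rotating case lands on the first relay again, by which time its triplet has aged past the delay, so a sender with more retries than the pool has members does eventually get through.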
Name: signature.asc Type: application/pgp-signature Size: 490 bytes Desc: OpenPGP digital signature URL:

From guru at unixarea.de Sat Nov 18 10:47:27 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 18 Nov 2017 10:47:27 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171117150925.GA3957@c720-r314251>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251>
Message-ID: <20171118094727.GA2422@c720-r314251>

On Thursday, November 16, 2017 at 07:23:03 p.m. +0100, Werner Koch wrote:
> Usually the Windows hardware detection (a menu item like "Install new
> hardware", ot a small icon in the taskbar) can locate all common reader
> types and their drivers. It not, you need to check the website of the
> reder's vendor.

Hi,

It seems that the USB token is fine, but the Card is not (see http://www.unixarea.de/SnipToolPlusImg.jpg ) I installed some driver and after this the problem symbol (!) is away, but neither GPA nor Kleopatra can use the Card.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL:

From guru at unixarea.de Fri Nov 17 16:09:25 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 17 Nov 2017 16:09:25 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87tvxuw0ag.fsf@wheatstone.g10code.de>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de>
Message-ID: <20171117150925.GA3957@c720-r314251>

On Thursday, November 16, 2017 at 07:23:03 p.m. +0100, Werner Koch wrote:
> Usually the Windows hardware detection (a menu item like "Install new
> hardware", ot a small icon in the taskbar) can locate all common reader
> types and their drivers. It not, you need to check the website of the
> reder's vendor.

Hi,

It seems that the USB token is fine, but the Card is not (see attachment). I installed some driver and after this the problem symbol is away, but neither GPA nor Kleopatra can use the Card.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SnipToolPlusImg.jpg Type: image/jpeg Size: 87667 bytes Desc: not available URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL:

From raysatiro at yahoo.com Sat Nov 18 21:36:20 2017
From: raysatiro at yahoo.com (Ray Satiro)
Date: Sat, 18 Nov 2017 15:36:20 -0500
Subject: Getting more verbose details of a key
Message-ID:

I would like to know why --list-key (or --list-keys) doesn't always show subkeys and their expiration dates.

gpg (GnuPG) 2.2.1
libgcrypt 1.8.1

To reproduce:

cd foo
set GNUPGHOME=.
gpg --import CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA.asc
gpg --list-key CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA

pub   rsa4096 2010-02-16 [SC]
      CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA
uid           [ unknown] Brad King
uid           [ unknown] Brad King [EMAIL REMOVED]
uid           [ unknown] [jpeg image of size 4005]

Notice no subkeys w/ expiration, and yet:

gpg -a --export CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA | gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2010-02-16 [SC]
      CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA
uid           Brad King
uid           Brad King [EMAIL REMOVED]
uid
[jpeg image of size 4005]
sub   rsa4096 2010-02-16 [E] [expired: 2017-08-12]
sub   rsa4096 2015-08-13 [S] [expired: 2017-08-12]

Is that a bug? Also, is that the best way to get key details? I seem to recall there was a way to list a key and all its subkeys in more detail with sub key fingerprints and expiration? How can I do that? I know of --with-colons but it's not a human readable format.
-------------- next part --------------
Usp0ERQoE7bUKizhyjO9GCc7ij5UVNOBg1SfFi7/AIXa2EjfzFk4HM4Gw+pFXesi 8fnSJNtaCsHy1kAepAz9qr53WNjMKuaK5aXFSgZDwyrGkHHKnzjIkDQrJB7VG8P4 EADrU5BG4Ku9Ysq9GzFJDOLw+sEhtGxHOpu28NI8tKVoGeaSOhqYtpRpGTUrFSnm OXShjx0/YTyUQAsCygDUhsdQE0RtSYaDpwv101Y3lYO3OmElROdRNIngUQoTZW5L AdQptQ36elQDkiTZ5kV1hxxJS7gpJylQz9jVslN4c1cqqPHCkoS0oJ21AKxSYdoy TOyJS9m0WqSmZb2ZCRjWnPwNOwKhuC8nh+Pkk8/5qbFepxycoJswJKm0FihRihRk DiixvQxRijtkAFYj46NyhxlCW6CIy4ulsgbZCjqFbhjfFYr/AOQExD95t7DalJVE CtZztleMUjPXTY3An30RVtb0MggggjIqbip/JttUDBJatjS1k/kCvjRQ71clZ9ng lw9AvYVkuNs10y+W5pR2FTLSVIQByrOoPGj8dwtz7U+0RzUj3hVptPEDdyQFsKJ9 CMGmKKTObbJrC1KJPKuEhrbnuahL1xMq3qKPZ1uL6ISOdV9XFl7lZLUeNHCeZcdB pWTGp7WyVa9louAIawedUjjtQbt6F7ZK9qkxc7k4tAWhDravzqSoc6juOo6nbWy6 j9LwB+e1Ut99jPhrHAK/M4djHtVhIxvVV8M5CXLElhSFJcbCSrV1yP8A5Vs5jAr0 XHd44mFlTU2mIoUZGBQpws6UKLI6mhqxypgNi+Q/msz8S7O3MucjzEJV57SdGf6u WftWlZ22qq+IEBclqLJRkBtZSpQ5pzjB+1JzxuBZ4s+uT+yjtxGclhac6EgCoCZZ Zsia5/yy2yUlLaEqKN8bHI596sa14nLUd8bGpWEyl/AKAcjbasxtxlpGpGNxKPbe GFxYrjb0pMqSspKV5WdAxvsSc5O/+KnbalEO+tNtDAKAFDfBUOtWiQ0mOwopQNQH aqkgqVc0uhW+vn2ocuSUntDMWJJUSV9t6JlwcBOlRawjIyM/DrUFO4Rh3EteeVRn Gk6SEN5Dm+cknNWZ9z/noXyIA3qbaQHUA5GaTxs0ouSROXEmlZWrPw2xEuCpTa1p QobtckD4J6Ud+isSFpYUQhIdQrOOxFT0shvZKsVFKQ27cG/OGUYJIO/IHFInalsJ RS2ywcEgIkTUIHuApAP1q1JIwQarPArSvJlPfoW4EpPfHWrLj0rb4n7S/wB9MTkN PLIPV7tCk6aFWRIZNFn1ouQoZpwqxQWRSH2m5LC2Hk6kLGCKME0Y23rmjkzKrxHM S7y46VFQbWQCeZHOlW+5piqC3To096k+N2PZuI1ukHRIQlSfiBg/x96ZNwW5UfzU 48xAOKyZpxyNG1hyXBWdXbol9CnFBQGNgdiarkKRHRMQXkuIQFfm5jc86QH5ibqu 2TWUa9OppaVYDg7DPX51LR4fkrUiTClNcxqLJUNue4zUfpdnssLIkdLjcYLzjbUN K3CRp2H3Jp65NdhtoWjUtIABA502YjM5DURiUvrlLJA+pwKYmVPnXJNvgsBDKMF9 5Ss6R2GOZ+e1VljcJtxJc1KNP2Sf4h7UMpOSe9cVIUt9lClHKlAHHrXcQRGbJ1e8 Tk+poogMq8R2kbkLSPvVfOrkgJz8GaNborMKGiPHGEpHzJ704BzsaCRgUMb5r0KS SpGKEo+tCgqhUkHM0XKhQJp4kMGldNqQNqUM42qDiueIkdK7D7Tpy6w4kpPcE4I/ 72qj2i5lKggEAKON6mvEniVtF5hcMsrSVvJU7I7gJHuj6kGqbc2jCcD4/wDU5uT/ AEq71mcuXno1OGvDZMcRw0zEJdSrSsbpWOhrtwpeLjGc8iVKczg6VOp1J3Oc5/zX 
CyXBmZHDbpBUNiPWpJq3eahQbyPWk48lOi8knGmrO1+vD74QyJrhUjHux0YCiOpJ +J9KRYI6Y0VRwlPVXx+NG1ay2ffdWfnXK9zWYsYR21AZ5+g6mq2bJuwtKHVKhvc7 jqWEo5k6UDuas/h/aF6zcJAyBsgnqepqhKK022TdlpOGmlqZQTjkCc/OtQ4AurF1 4bYcaGlTX+24jqkjvRcSCyZE5fCny5OMEl9LCUfCkKT0POlUSjk9jW0ZogjGN6FE o5UTQrjjmaOk03nzolvjqkTJLTDSRkqWrAqwJ9jqofijiK2cPwFvzpTSHfLUppkr Gt0gcgOdULjLxdYt6izZoAkE7JfeXpST3CeePU4rF+JrzPuvESbrcZ3tLruEHOyW +wSOicYoLC6smX71JkcTW++S1Z85ThfWeQKj/A/tWnPR25tuCSMhSftWKy9czhxT TagPZV5WcbkhR2+is/KtG8Kr81crP+HuOhUmIAnc7qR0P9qoZsfbZpYZ0qGLrdwt ExTjCS42DunqBUvA45LCQlbStXUVMXSEpRDrKd+ooQ4drnpUh+K0XkjJCkjNV1Fo tdrIyXx0HG8NMK1HlmuFnjzrxL9pmApbPJB/V6fCpxVsgML0x4bSVftSMipCBHSy 3qO2B06UjJHYcZaIHjyYxBsfsy1BJkqSwMfu2P2zXbwiuTsTjOZbkqKo0hIUBnO+ Bg/QgfKqdxpcV3PiOB5CPNhMuFSiCMZTuD88fx3qCg3Ry38QR7hFnuxnmXCpvRgh QCsb56acbU7jY+rv6yryJqSo9anlXNdZ9wd4oW+6JSzdPJiOk6Q62vLZPqOafv8A Gr+hbbraXGlpWhQyFJOQa0k0/RntNAoUKFSQZx4geKdo4dzDt6fxK4HI0tnLbZ/c r+wrFr7e77e5irjdZy3VHdLTRwlI/pxXHh2Q1LiPeZAWClehWDz3Tgnry1UxjXFA tzqEMrDuSlWdsbH+4FC8jbGLHStD2525MjhpMt8q853S6Sk7Jxox0/eaauRYYghJ cQ0pS0hSircJ9zJ5+nalOsLf4RCg6vUloJJ35hzf7AUzchtrthWskq8oHc8z73+B Qwv6wp1rQq2qXDnvQLg2W2pA0r/eMYJHxG1O+GZSrFfES2kBDLTymSvfCwD7wPbn n6VErdfebhuPuh1pxKmylR7E4I7Hfn6V3djrYQC+8XGHQEKcCveAznf19aNoFSo9 B2uVGuUJMiO6lxtY2IrjKgr80Psr0OJ6isP4C4rmcN3ZrzFFcFZ8t9vVkHsoDoa3 uDKj3KG3LgOB1pf1HoR0NV546LEMnb0HCjlKMLOTjcnrUR4g3Rq18MyVeboUtPlp I55Pb1xmp+OhzHvjGKyXxJuzN/vMe3wtTkWMpSnHRyKh29NsZ+NJWLtIbLLSKTYZ chqROkpdGh1pbaUFWcHbBx6f2p9OtSY8i3PyXCnWdS+2g6SAfkd6j7JFbjeQFqI8 x1KQSemoZNP+IWWnZ8P3+YJPvd0oA/jNPk13VFaP4Oxzb4DC2ruIT/lPJT5iCFZB xnbrzyKneFuKOIrDb21wZ/ugailSdSCeyknp8MGoGxxow4mkDzClDrZOyhySoK/h Jpohq4xWZEVb+XGlKQe4xvkfLNdG1L2S6a2b7wN4nxrq22zf4f4XJUQA4k6mV+ue afn9aFYY1PnucNpkMMpW4ghLqwf0jAOOx94fQ0KNZG70LcEvpBcNcYQ4ol/8eSrK wscuYQv17kU0PEUJ2TKjoakIDjy/e0gkDPxoUKOEV2YLk+qH1vukb/TMhkOSuShk oHcn+r0psxdLZ7EEOmcpWgjIQkcsfu9TQoVC9ky+HIzrevh0hr2tt6O8SlRAIUkk bHfbmaMXOAlgun2xenBUk4wTv0ztyH3oUKlHfThOvEB1aS208lDjYSpJQOeNiN/+ 
4qzcBcfO2C8+WpUh6KUpU43pB1JOO5/MMjfr1oUKJq1sCMmpaNA8Q/Ea3/6ZcZgs 3BlyUNGspQClOMnkrqNvnWYRr9bWIgwiWp144UChOkAJ5fm32WofQ0KFKqloc27R zeuFqNztpcRNKA8jWkacYyCQN/U09uV2si77CdMeWEIYAKdIwSCQNtXYDrQoUElT R1iUz7ML1GfSzNSFpUlQBT+pJHU+tHxFfoLNxDsVMvQ42orStKeZUoZ2PYj6UKFQ tyQTbURvwfeYxjTmVqkYU7hKfLSQEqSoK/Vz5UKFCpmkpshO4o//2YhGBBARAgAG BQJLfE0GAAoJEM4EbGl9QRe9BBYAnR0UKbO9WdXrRDi0mXU7qKY7jUz8AKCL5+Rg 22Qnmsc1uLeW47Kj5M+FjohGBBARCAAGBQJP2ew9AAoJEI0RRWN1wCTISiAAoKtK wgULtBatb8nMtS09Iv1al4gtAJ0UrZG3hJd8W0itBHnwLxxKwxLOeokBHAQQAQIA BgUCTFg35wAKCRAHibBA34y2118eB/9xt0gcYts4ihEi2dkm83wLRjlTCw4RT4ZI Hm+imiFRexIuo8b45p/HXZXf0hw+p41VhJNt8wuJOL/eMwQ3VFN+ZWHyVLQv8hIz kR2VwPJ++ugeJUIAQem5NC888befJ2S5783104NCbId7vSvhFinrTLWg8tO3Ytzk XSzv7/hm4C4tZtdY4hys+7S5r7ouXYIeLP0720kiVhQfIWefEXmAsRpl7HQnzSuq HCptTMH0GN0O94XbCFcPXINxInY9G17M+SBk1bjh8aMOnFDfJnrI/VY3t0C51PJJ X3uaQ71DwIsILH5hEoYF8Zuy6MB20nlrC9unNtvy3+ZAzGwOQkFtiQIcBBABAgAG BQJL4B7UAAoJEFDfOomSCcqyQjcP/1cs1LLSEzoAMR807WTFrtlfRO1dd//UvMoF pfzO9ptAlkVc+sUeUZ/7r7tDBQteBjMYR6gBdShTXmxnsII5byaCZmAuCA+SobbG XU3rF9l41Dc9xubB+xIcbljR9D5OghN+iiWY05eEO2CoaMxp97vrJtiZ6RcksG54 OzXbrH9lgIh5qXBBV0O+3a+yk7XmI1mMsHdPlD+LGPTTLzBvZ9rWITKlCoh5T12Y pkPJgk11i1pUuiPB4u4lM241XbXtfflweew7CSRMvvjGz+QhDVPKrFnA3GZP434Z 4Iw4F0m96q09cBtpOnBWxoPcjZAHncwnk6kEF57abyGZlw8ppmhoPGmjeWuL/f87 KDaP3ZVnoUdWWrrVaH6VdqT53Pekau6mWfZZOpLDExBq7McTXlzAgBMBokd8eHCK I52+cIYC6O9PamPt9DQsHAkXDn21IRzVcSEn/EwP/n5McdwTkl+XoO77OkDZnf1l x67fc3zsrpmGK9/zG1u+Wf1M+l3GoGRe2AK6BqGCMpzp08ChzRaMMRahiwaRxrLA ll13npCSXuEmxd+Tqwo4Jcy+uRu1lRbOm6abYPYF+Mh1kdUtr+jmHkhKFQYermtn 3b5hHSgW6hzlRtDZvhl7s8hl9JS8s26aBRKyVuLhen10kiWm3KtupZHQcoeT82HH mpou3w3ViQIcBBABAgAGBQJPPrT0AAoJEOBRH6e4F01SmKYP/0eHSx9cKsAWi5mX KwRumiM9vi5TbJ+g9cg5X6eHqnKgz1SviRIstGUrY8BLAVdnsbHneSTiUpIoHp/1 x9ryK/MAjzqn/Nler5VUgIaMmgrDkufYdibTm9njYX/iJz1wbxJpSYgY55lN2eD4 IhmRTgYf75ncAFifQ+jbE+PigHODxYx31twoPYTVjWSVBlpeYSBgxZnW/0VwHfnI TuEhDLpRj5Ol9jk3QpYLdVqQ7zmMZPpRHQHHOSXHwqH2FUVWjPwLjWXO4AV3NArx 
lw5W5uaDB3oIV+fdAbNe7mx9lp6eQM9W1Mo4H7aqrBIx1trpym0O6iw1DSgnf73D DhY/zaqXHqGkrkDSPd5cjFQ0HFpXvEtpLx20SG0qKH+VXX/a5uUt5D30cKrpuKfl GRZ9nVNYKFEIgpKaJdcKHZfj+xCcS8CFqVorlsl96RRNQ9cjwC21kNKmy7R6PyaA +k85EUmjAwH60gxvKZ1XEXxioxxRWbLcHkzFUDfIC1Rh070NZ0jeB44LpLtMGbGi J546/J4CbGRwReoU6lPEm7sHr+6LesG11MfzUc0JDQicRhpo9KqQVCoYJyZZ8dJ8 I8DptPwnGEsWqEtWlv6q/r0ifKfnP7CCCuO8NmxLj8SJagvrO5iflE/W6bh+K9oX SkkU74zQ2gy84NtlgBXd1qjze8nDiQIcBBABAgAGBQJPcMFHAAoJEMdWOhdM6GDN 27kQAJ4vE3cjoYxqDRIUxE5RVkYXl7IkL1UCxHcsJdtezQ2cS0GbsHQCYnBZLTwO N5p2UWSDgCVe1BuKaKdFnA/ZglYjLdTTgibF/6MEaL/YpQTBeGINi8sKawrWgPJ7 Is8El5m3SeQC2IGikcKDyyjN/PL7am9teJvb1cI2weLE8Rr5kW10X7RIrQn4Nh+H hRbhtsBH2trB7TwvXHAN7goh13kkTfkFz0MMiuFnyGR47JNf3A7Tgla1dspr9rBR Ju7qxsrfh4tHAHpXhC6mlXvpJhFbWxn1gFlObHlyS5fniS/eNd6Gu9zomqZa3i1F tB2GYMAKH+yR/mTimS7VwVO3EUg/xUZms7cfrBZcd/RVC7PUrLXJxFm0qCdQQ5dZ 3Vx/zzFYObQSviZxqJQNe5o0OmGmrHtZoqNGacxwnEeYcyvkoYApr3jFRosNWoXI Z3jpyDjrETKi7qXNCL+28mo98WZ/qiWwvZh6snWdzGu4nFSomaL3AXPafsJWslk3 HWGjynP85ciCmyF6atSTzmI+lYvb+UZdVOVN/+TgK8xbZdzAfCb1mOeFE4yQdO3D aKOxkMOX2bQMtY6VywYHh9QZ33TQFaV1+eNgoAlxr9VLtlxrUjZEuNwjpAH80sl5 9FfwjmiGQ6mSul/nbpPAB4DRXWxtm3aKSlgktCb4SxWw9vsOiQIcBBABCAAGBQJO cg0pAAoJEKaxavVX4C1XS+kQAK8ynedkQlA74tMDboaSF+oWoxBV5Ba6k1huUBQ1 /GmnkL2bHAoRReow52ktXwBWlLq0lDGxLdQa156KUTEH/j250n5DKMXGm1+RXhAf wWWSQt7M9niCBREYllIQAKDAUfk9jcUj78HiNsfNK/neXA1DJzYRFLqRWvGXVxU3 mAd6EVfiXtp4KFwtGM92QD+UYviT9Mf3CwpVLS9HmOWM0sr6xVgYOKJIxxZ+/Pv6 QY9+26m+8ig/hD7/yZnbiTr932oZZo/r8CyqLHdSzbHR7vtZLJGcUSafxWnAaN0U LlG8yxMcca77zOipeiQnGFyBMsH8Mk+ZYZmhbUwb9Ah+tkSUMt1mDNV1B1xp6mHw FwXYyahejSdlP1MqQiM9EctpVQmMt4sX8R35TTx+DxoMNRj4FFCnZEiwLgc9GcSk WhcGrATs7gPbpvmTAvxwsmiHrUHofuCt8MyFNDP6n0KNkW528GiFQX/FdEGuiUJt 9W59aLqBbomaMmZIxNGg+p8PCp6dNIcQDhth8KAbFzKHtKkCiEPpilM7vRQ7LkiV qIlAlWEuMW/fdEPnGDcl7E8YeCPeJFr/UrwNYsmHvABjRR5HDEWa0mRxyAsjQ0N8 oy1ZSWhAiUZoJRecQKlf8ME6Fg1CsYPk3z8VSTO4uGk9xvT7IOMBtNBR2Leb8RjJ V6jLiQIcBBABCAAGBQJP2e6WAAoJEKLeI1Bi2jP6p6kQAIG85BBgEdJ7MiVmaO7h 
OP5brt6ZL6E1pPpeJ7kkrX10jBaK2b0+2zuWGXN7xTNHLv9UOJn/RZmCUH2+nC27 1u/rIvbO0UDfOS39yHWuX1oEljdoO2JWNJ3bLh5/njN8qycw0IFHL+T0FNwNAfcb sVAofR/gJtPEEsNRQnby73Zzqu/FzdLrNF7gHVG3kEPkW+ogNGFxvVEMEff1Oofk V+ngS3oPEzxBtV7Qu1Af/ScK8a3f9FrwI/0TxraA2lgMEG7yMonTopJfO/HIfqBS mKC6C1d0m9vfeSublZT/dPIfFqCIwVlwI8Y/8YKvKD0NRI6SStvXhbRbttfQj4o4 d/YLee/2TV7w89H4gZRV3ByX3qlT0qz4ApEbHCXFmkm77+HwLanbfpWe0IlS2/67 FgqHKhErtz05jCtTRmFfwaqEtw5Gf/zBF6NcIjBPj1FlWCq7H4/6eZARoRDOsvf8 H+Y4zzdXG6vojMo8EI1h76kUDasd+6EIFVywrzeD2zNf6b0hTnleKu9F+cw1qOVN bhaqm1DIlTGHbl+gQ97rHcO9HMajTcpLPIL58ErDKdhqqBMmrQbxjKGLwRHgzZBK CgL+Cn37faK5w/NUlVmU/rnr2G7cjGscQLxaboEM4wZzyNvUkRtgQjYtkGCFGjUy io5pdmSkbgmgXAbvUUpvju0AiQIcBBABCgAGBQJPFHRUAAoJEAEb0tvXKtDvMXwP +QGvUax7Q1oVT5GoDGdqJ74mqLnnJy0lYS+ulGBuMmvFomwCVsEQP9ZisQgfpSTi lW9o10zOMYKKicT92kl7o3eqMgQ3gb5WUcwiISIG/3zRFVgXWbY2+eL4WMeU/smT vJlJNf4PzfG+TtcUWXte3CJ4fAxMCm4M0WvPtBMkuo0ZFr6YkPsLyK7dUsyoHeWL 3nPNooHpL0w0oHoxcXnksQR0u3gbD6aV4XOQn5qjdf2Mjb3S0XuNyxqtqcGa3FVP sMIJjGA0Mj7ZD9g1IjnSmBtx7M1SYXy/Z9HMxNxO2aqdMeGvBBeoIrVsqdG1ATNy wm6cG3Vsr9ZZJEZDV7DMXWtqojn4ooNtkQm4Se4TRX+XU7A32gf2x9WFPK8Uruki eillwhW4f2Qxnx5YXQ5awZrA1J8F3L2uXLrf8kNtMgaElZOeI2piKOe8ONOONg2t k5hIOMNXeK92IazAlmFmotRt4V7k4XBFlAvvIlFDEjqhNRcYL8ikVACvybdnZNPW E21YrphffT6qaz5qheP+J04EZWiIMQk2TfSGUVtMrXeG12LbxzbREfuyVUVe2WyL EjOW68mXA3Ha0Xyx7+iczsUoWMr/oP0i669xJ3x6xq44N4mx5sc5peIxseOtHO4u LCKVcIZTykmF7COV5EmDPmUztGC6jhLcFF+CzPkmfFrPiQI4BBMBAgAiBQJLewSZ AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDsj+86e/tO2n2PD/wMEkPi ffHxstfOINXKpUsz10j3G1IDrY+6KzkMNOp7Oz3v1hWZugnFCcNrp2Bhdm1mWTpn HHrQzkroE/jS7xZo2klKsDqPvIZmOawgZKqaBXSKOMsRyaP+exMMj9Sx5aTfpct1 B/PVfUJw9BQaoors0GBxT8HXtIZnbVr0HXnvO6KeZixy3uQgqRCIEvGaPCCE8UBl 0rY4bFgD6tZWwBAnIZEvsRr7h9HKvku4dy5v1gu//0IUklhb3b0rEXfQAKHpUMX0 8hwib30DnUIrhnHIUuAv1pEDFyZIkfxn0Gd74HYr9ZrPX52mYlLroUsvDWh0UfHn A2zRgOHHfTjP7h78JeAL8fp9HprrsYuiBAldAeOhMBFA6nSz5IYa4EGvBf7nyKcy mLTKTGRAe0pkXFBEWUvfLGSY58A8VKiRo5CwPQgUeqzXlEUBXib7hUgt4291zwKk 
4on/0ijX0lOdrEKMxCLlWFaETyTSxHrHt+rQpZCzDXzNCMxfzt98egN0xIlj7xlk XFlvNYynjxqWJnJNtL3HZVWZeLev/4yf33FE+hq0ud9ik52kITOZHdC/tYYW/l4O 0sxrfB238wjDY7w9vDv3h+5ju77KrlzjqahWleFdstad1SLMGP58IbZA/+L771bZ rvxEIB5nsccVjqKBEHsVW2tWEXl08aWBdkIgQbkCDQRLewIbARAA2zPPUQrdBHFC NqOg1UxRceXslFcpJengQbl6No6I9pz1cFK/g7uTJD2ph9nooXIEkUaI8ftqFCic wJYYFY1lJmdSq16udIgHF6i2sqIkWp5c37puySCHzim0ANI44SvG0zkH0R5FUKZR Zzy3lEmBa3CUCWMajOQ25AYyjzL1sZ2tsAf5GxZrXnmJ2y88dYSDnpecKJx0tqy+ 8qv7fI6GSZyPvX1yLse8rJBidYcc/P2BWLlIKxPn5R9Zf3hL3NCDIqCboroidwGt lv85bQ8VLp6GjrzmXmOf5eSZfiNceuPLQA26uee6BBB+pbdXAk0Dx8fEkZjPEgO1 0sUxIZoyRNSBwmd0JGbI3fl+JeNi1RHcamgThSkajtYhl25o1FpEBQRtYwZg2dAt 6bN6TfJOUVHfeBBZbCXeTPnVH4TLHSpE2aw4NLwyvT6ugJVvIdyeIqRC45SpFA7X JMSYXt066yFdnizwtiRNQhQQ88Yrxw+7XaWszQuR1CoyZBr/kOZRowLJL62+4JdL U+dM2b/gQJAHDhmUnpWTx7nkfjXLVLFUji0EPJ3sessCiLaiJj61luwg1eW4Cd/V o0oHyCo7cQsTn91Io/zI4X3ZtmRbiyrpC9HFxCVKmKcnhrS7nv949w/2f1hXYrTb Xs0hr1SzE2cbJtrt9f5PPxW8RZpzYWcAEQEAAYkCJQQYAQIADwIbDAUCV59h9gUJ DhQTzQAKCRDsj+86e/tO2suCD/9XtxLYG/93JeePAx4twuj7t9p+wP2/quUBP+l+ Ww+5+q6/B1vdgBvShnIAnUZjpMEh2HmYrAJucDaSMJE07RPz6jDEz1iaGDBg8Nvk vbllNlh8azh2gTom4VkrmuSiLpATeXiYU4OEuEsQgs3xbhdC8cyJye7nvUpJmRSW LeUa04qm65/kE7c3upT9uwHRBzRmFnOxY7zBPdOyqglOwdWYWR0gEaO6fwfYEQXj DDEq6VxONmUXnJxiuGOMr5gQyXmjxYHG2xN+dcLJBvMP/9Zir7jXBeKIgSrVdtrg SDfzTeW/eZUR37IGBPjUswAMz1v91qHckU8ilg+EIy4LPkyYaJE9HUTRxThM+SdX 0yd5XhlqBj9ds4R1WfxBTTMu1czTmhOQosTlat+5wch/9T5qIInuegq5fhLIxAC+ TtNhpN3QB+FOeEYk8VKfPEPx2Rigk7ByUxLMmDTrRmvcT/6E2DbxsZWIo6CtZzqX CQY0cIpcFGWVsYA2HxiWYBFUK+ieSB1J59EwtLuDOBOVrBe2n9ewk2KCR4/81BmW EMXkii6Sbs9sZgx4KDV9qRMBNfmWN5POrdwY0qSp3Z4JrwPKLpCj5HpbJL3krvkl pxzvzYngd2aNMmMJAwqyG594dZH710eytgSFjX4ne2RM5VGwLU+0lrxHdmd+TgX1 WugElrkCDQRVzNJfARAAto8dasB5UD8z2mcqu0ajLjGe5WnUt/CI3ohZiQ5hbBqw X6ORhLS+cjkkF3UPoDMfeiwAUbdg4cHfA3H3HQBs0AI+f4wcBe1kutODLUSnx39V eVySR+W+Na9qGJA2mJXHKO64zClsUk4mdrlAAXf8PPUxv1WAi9ZH8GL5AI68WYv8 tJP9AmcHuQUm2zkA/yaaIn9KuJwfD7ESsOVZgqcGp4eXsHcSFzXq15Mq0KTFAKM2 
NKBl/pYxnyNiDJ8Rg3KQUstG3yQ1GVJIwOzF3/ehebg5KWy/cWANo2vgVgiWZedw aWrFXDggSdq6cT4hxr64EHfeonyvfnaT2ptDNFmGhZCIf8VS43B4BpfOJJOiLTCh il0+G/0IihNjO5fBZAApQAQjcBD0/BUS2rz6GvdnM2e5IWLy1mPFY7bqnwZ2cF93 gEOuGlFKQY6nCwkA3ds0ICTbX0zkLpO24Jk5wO95YI0r72zaBRk816hcj2IZJiUn y2ekhpg8H2OyZSpS7lVMyKAydfzOVy3vsIm6sQ/3a+2Rn+vaHHt2Hx/+HHMjHWux Tg3ALBLwpDn9z4BFzifG7Do2qFcwnN6DHfo5tsR+snqDowOnJiBCKPrVdtIk6snS nEJzy+pkakXGnj3jDzHzkfWHD3yZuQ/W5dRHP+nnBqGY2Hrkr9brKhpG4jC7o8sA EQEAAYkEQwQYAQgADwIbAgUCV59iEAUJA8JDqgIpwV0gBBkBCAAGBQJVzNJfAAoJ EC0s7xA0khaEF5gQAKe9pvu/QvOZcvpu9SuKiGidtzNjzzt3TQ5HKHK67NwRq5H+ gJ1/lobkCbEpTskSKHEM8gnJOvm0IBsu771butt43lYhduv1g7r9cSa6zOInboGl +oBfaBJvFZYv+FcZ6FkRHP3WoekhsfMkWEBBESU3EyXiHKpL3yf+P2ONMGza04s1 dDRxdMxnGmPyBGhWNlpNp+YuWpNK7tqRsXdjL9TiXt5WSm6qiE0CvbCJ6ia//2eQ oA6ZFQtF18yFLbCP1p3QmB1JY7zHS6EwaeDehjhqZsxPXbfv5ZuhSPqEAsRkYG2m 1LyFDXO2zDDfpYnWS/4/84zNRscaiDHUI/40pqooq61FTrmIiZiwgLTes5p4tykZ 4lhG7zf2tNK3ydrZQzrLeerMqGTegeZZYuYS0VYche+c/EI4GzJU8R6piBaM8ixq Ce07f+bwTdqC/TZgub2i6/kXY17ZlV9Pe51/DTXfdgkKplyrO2Y8+92SNw53HiWo 2PQaGCEB7uv8k+PNuJ7evnQw5r57tXPK5U46ZHmOBkfaC6JckYu5rUbSrRMX5e6a Rc8/41itN2O9QC3W/3kQBED4A1gME47lIZG41xUoYBVYqk1skvBxVDZ6PeesDdbE VU2tVkPZYzgHzRvAjVu+i050x8Uk9EiBozCUwNZo2uQyAScRVjD+X+4J7/GgCRDs j+86e/tO2iXDD/dJeTbkC+Za7lIetPFPv6gK9L7SOcNks7h8GwSD+NznFoOHCPsf u9SKkzhkSoAxmUfcNzPwZ3qj7bFDphyDywMbXtASsTdmZlGqyxYGHiXS01KsZa0r hlD3z0UTNSYhZ6sOPKeU6XM6lp8wIfaVEfS+mxVIb6PoWoB4yeTM+Xs6b6ZB/K3z rZtTz+G52pseFZKsg+RN2zxFqLmZSQc+mVsPTjADO3sSJBV3/n87WHIUYZD9iJYJ JPyAH54Ao2rV8n8PdBGsg+HgeW6vvn3CzeTXidE1x+HauggfzT6FRilGBNikldg+ jk6+wpCgh2jRdcG7wKMedHWwc32S26SzLXLcfZWZT/vDe1tvJyFJ8l2la5JLChvL 6gHBMunZw1RV63LzOpaZZ04/YcEbesKETYxR/1XZTaZBb2H49DtftuHMtLpfMON3 Ew1J9Uq/5wES4Bu6CWkHKI1CcMzdvFYto0JqwYla3O6uYNJDxIKNEz3xBHFv8LRA 5uJ1NZhxtXqmTKBOVIcAPQO9T0d4572LoPsfVrtFa0lvtfoarRyn+4QeuqQuHxjx EnFBcbiQkZFOJH1l2YGdW+gVAPtp5wmqZ6oS5B4UkjSTjr+bLEiCCT1JDURsHFF/ T2EL9GEVFLVFthqmgoNyi4Yy9JvLdZCZP38cOoooqGX75p9N3QcEGohP =dgPr -----END PGP PUBLIC KEY BLOCK----- From 
2017-r3sgs86x8e-lists-groups at riseup.net Sun Nov 19 01:03:38 2017
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sun, 19 Nov 2017 00:03:38 +0000
Subject: Getting more verbose details of a key
In-Reply-To:
References:
Message-ID: <1581232046.20171119000338@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Saturday 18 November 2017 at 8:36:20 PM, in , Ray Satiro via
Gnupg-users wrote:-

> Also, is that the best way to get key details? I seem to recall there
> was a way to list a key and all its subkeys in more detail with sub key
> fingerprints and expiration? How can I do that? I know of --with-colons
> but it's not a human readable format.

I seem to get the creation and expiry dates and usage flags by default:-

gpg --no-options --list-keys 0xACE56971D555DAA5
pub   rsa4096 2017-08-05 [C] [expires: 2018-06-16]
      7910C45F89FC8CC2CBD24AB0ACE56971D555DAA5
uid           [ unknown] 0xACE56971D555DAA5
sub   rsa4096 2017-08-05 [S] [expires: 2017-12-16]
sub   rsa4096 2017-08-05 [E] [expires: 2017-12-16]
sub   ed25519 2017-08-05 [S] [expires: 2017-12-16]
sub   cv25519 2017-08-05 [E] [expires: 2017-12-16]

But there are options to get more output (which will probably wrap
horribly in this email):-

gpg --no-options --with-fingerprint --with-subkey-fingerprint --with-keygrip --keyid-format 0xLONG --list-keys 0xACE56971D555DAA5
pub   rsa4096/0xACE56971D555DAA5 2017-08-05 [C] [expires: 2018-06-16]
      Key fingerprint = 7910 C45F 89FC 8CC2 CBD2 4AB0 ACE5 6971 D555 DAA5
      Keygrip = 9F115F0D0FC92E983F27D7331E7ABEBB4EFB20D8
uid           [ unknown] 0xACE56971D555DAA5
sub   rsa4096/0x130DF516112FC0FF 2017-08-05 [S] [expires: 2017-12-16]
      Key fingerprint = 525F A928 9F17 798D B33B 2728 130D F516 112F C0FF
      Keygrip = EC8686A74101CF30518E152DC36272F00693DB21
sub   rsa4096/0x1CAC08E8DEFAFDFE 2017-08-05 [E] [expires: 2017-12-16]
      Key fingerprint = 95F9 4462 F81E DEB5 27E8 4D5A 1CAC 08E8 DEFA FDFE
      Keygrip = CEB8C7FBC9B61D2D844E4DEE6C80CA76767D6503
sub   ed25519/0xE0E2DEE1D6C8EEFA 2017-08-05 [S] [expires: 2017-12-16]
      Key fingerprint = 960C 8628 D592 FF8C DE8B B0BF E0E2 DEE1 D6C8 EEFA
      Keygrip = 9BB73B4ACED2CD1693C989B634B8F7E99884F786
sub   cv25519/0xEAC88A2823F99DEC 2017-08-05 [E] [expires: 2017-12-16]
      Key fingerprint = 3ABC A084 4547 9C02 1A9A DB13 EAC8 8A28 23F9 9DEC
      Keygrip = D89391EAED4F9D523EDB8937BAD5B6849C5DAEDF

- --
Best regards

MFPA

What's another word for synonym?
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWhDKP18UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+uuiAP0bUnryHdQqFiOVzNLvYB5o2nJB/52VdFdnDXFRcN852AD5AdWX5yYjA4Cu
R9rIE3Fu+iB2V5aIJaXEpxyrW+R0GgeJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWhDKP18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/7biEACoMqKo2zoKP/uonbu9kJMZW6QS
dtr/L08LLaR4lQoML5fg790xYUF2LaLVY5Qqw/v4z4dbdMThLE4ApIwIXfapzNYd
IKzeX+Z/kNrFJBswhaUuG/3PGY1SBCujGCg07eEXP9xzEnAgzOhkaZfPzzkODB5K
dUINf5vUqmL/5YZfjN4G2UW6Ligqy9WD4H4PoPMtfb5ib7XH4xG1DAZanjDoUCAq
/uTGzzI9MebQgx2ijqyqlX3SWSBd8kZrk/HfcOa+Bh1dP68PD2/WaKjpL9w7MvWM
j22v4Ut1QO3JkMeAeNCg2MiAmSSUo8j1ysSAYm0c+JEHajwiaPqzXdocii4nEN9E
lXVAXFwvTmpGU1CgI1pY5h8EYq6709UHFOgchLX0gbacAL8YKCtqTZL55VRALPms
UQKNfHFYPFM8ZusCuo2EDr6gptsgBsT16/SL+ilEPRO6X+OvOYtIU5i0g6F/LYol
kh8mG0SCvg9w+4g0zXjOFNIfbRT3S9bzEgQTd5FqhNVzmCsOU+mk65YE+jJEpDDQ
vUj1hh/rk0zSNa9wpNvynvs/bU666SZKR9hHKNbW0G/rclq+adXpcy6RbDwjpPTl
+X5SYp7UsCfpPdajLbzcA9/83qiBMBHxXI+UlM0n2IUTjjnwNqRIVwiwMSGT6XYb
XP8vMLeACMPwvJ3F0w==
=SvDu
-----END PGP SIGNATURE-----

From peter at digitalbrains.com Sun Nov 19 15:10:52 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 19 Nov 2017 15:10:52 +0100
Subject: Getting more verbose details of a key
In-Reply-To:
References:
Message-ID: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>

On 18/11/17 21:36, Ray Satiro via Gnupg-users wrote:
> sub   rsa4096 2010-02-16 [E] [expired: 2017-08-12]
> sub   rsa4096 2015-08-13 [S] [expired: 2017-08-12]

Well, there's your problem. GnuPG by default does not show *expired*
subkeys. Use --list-options show-unusable-subkeys to do that.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: 

From peter at digitalbrains.com Sun Nov 19 15:20:16 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 19 Nov 2017 15:20:16 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171117150925.GA3957@c720-r314251>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251>
Message-ID:

On 17/11/17 16:09, Matthias Apitz wrote:
> It seems that the USB token is fine, but the Card is not (see
> attachment).

I don't use Windows myself, but AFAIK, this is normal and not a problem.

AFAIK, the exclamation mark triangle on the smartcard means that the OS
has no driver to work with that specific smartcard. But GnuPG
communicates directly with the smartcard; the "driver" so to speak is
inside GnuPG. In fact, if you found another OS-level driver that is
happy to work with your smartcard, you are probably /creating/ an issue
since it will keep a lock on the smartcard so GnuPG no longer can get
access to it. While shared access to a smartcard is not impossible per
se, often you'll find that programs want exclusive access, and you can't
use two programs with the same smartcard at the same time.

An exclamation mark triangle on the /reader/ would probably indicate an
issue, but an exclamation mark triangle on the /smartcard/ is probably
for the best.

Still, I've only used different types of smartcards on Windows, and only
very sporadically, so I don't think I can be of much further help.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: 

From guru at unixarea.de Mon Nov 20 08:56:12 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Mon, 20 Nov 2017 08:56:12 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To:
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251>
Message-ID: <20171120075612.GA2475@c720-r314251>

On Sunday, November 19, 2017 at 03:20:16 p.m. +0100, Peter Lebbing wrote:

> On 17/11/17 16:09, Matthias Apitz wrote:
> > It seems that the USB token is fine, but the Card is not (see
> > attachment).
> 
> I don't use Windows myself, but AFAIK, this is normal and not a problem.
> 
> AFAIK, the exclamation mark triangle on the smartcard means that the OS
> has no driver to work with that specific smartcard. But GnuPG
> communicates directly with the smartcard; the "driver" so to speak is
> inside GnuPG. In fact, if you found another OS-level driver that is
> happy to work with your smartcard, you are probably /creating/ an issue
> since it will keep a lock on the smartcard so GnuPG no longer can get
> access to it. While shared access to a smartcard is not impossible per
> se, often you'll find that programs want exclusive access, and you can't
> use two programs with the same smartcard at the same time.
> 
> An exclamation mark triangle on the /reader/ would probably indicate an
> issue, but an exclamation mark triangle on the /smartcard/ is probably
> for the best.
> 
> Still, I've only used different types of smartcards on Windows, and only
> very sporadically, so I don't think I can be of much further help.

Hello,

Thanks for your feedback, Peter. I killed a running SmartCard Service on
Win7 and tested GnuPG on a Cygwin command line. It says:

$ uname -a
CYGWIN_NT-6.1 APITZM-LTOH 2.7.0(0.306/5/3) 2017-02-12 13:18 x86_64 Cygwin

$ gpg --version
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/apitzm/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg --card-status --debug-all --debug-level guru
gpg: reading options from 'C:/Users/apitzm/AppData/Roaming/gnupg/gpg.conf'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x000000d8 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_0x000000d8 -> RESET
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> OPTION ttytype=xterm
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> GETINFO version
gpg: DBG: chan_0x000000d8 <- D 2.2.1
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> OPTION allow-pinentry-notify
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> SCD GETINFO version
gpg: DBG: chan_0x000000d8 <- D 2.2.1
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x000000d8 <- ERR 100696144 No such device
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

It does not make any difference, if I also start the scdaemon with

$ scdaemon --daemon &

or not.

	matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: 

From wk at gnupg.org Mon Nov 20 08:56:24 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 20 Nov 2017 08:56:24 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> (Peter Lebbing's message of "Sun, 19 Nov 2017 15:10:52 +0100")
References: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
Message-ID: <87ine5v0wn.fsf@wheatstone.g10code.de>

On Sun, 19 Nov 2017 15:10, peter at digitalbrains.com said:

> GnuPG by default does not show *expired* subkeys. Use --list-options
> show-unusable-subkeys to do that.

Let me also add that using gpg without any command (as in "...|gpg") is
deprecated because the output you see is more of a debug message than a
well-defined output. This is also the reason why you see the expired
keys with that command.

To view a key without first importing it you can do:

  gpg --import-options show-only --import

(Suggestions for the name of a shortcut command are welcome)

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: 

From me at wadadli.me Mon Nov 20 11:45:00 2017
From: me at wadadli.me (Michael S Singh)
Date: Mon, 20 Nov 2017 10:45:00 +0000
Subject: Dead link for the Mutt-GnuPG HOWTO
Message-ID:

Hi all,

I was just skimming through the HOWTOs section and noticed that the link
for the guide on using Mutt and GnuPG doesn't load; instead Firefox is
saying:

Secure Connection Failed: An error occurred during a connection to
codesorcery.net. SSL received a record that exceeded the maximum
permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

-- 
Sincerely
Michael S Singh,
M: 914-266-0601
W: www.wadadli.me
F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38
-------------- next part --------------
A non-text attachment was scrubbed...
Name: me.vcf
Type: text/x-vcard
Size: 351 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
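Tying together the key-listing replies earlier in this digest (MFPA's verbose --list-keys options, Peter's note that expired subkeys stay hidden unless --list-options show-unusable-subkeys is given, and Ray's remark that --with-colons is not human readable): the colon format is the stable, script-safe output, so a small renderer can turn it into a listing like MFPA's while still surfacing the subkeys the default listing drops. The POSIX sh/awk script below is an added example written for this page, not code from the thread or from GnuPG. The names render_colons, unusable_subkeys and sample_listing are my own; the embedded sample is constructed from the fingerprints and keygrips in MFPA's listing, with creation and expiry timestamps rounded to midnight UTC, plus one made-up expired subkey (key ID 0123456789ABCDEF) so that the hidden-subkey case is exercised.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): render the stable
# `gpg --with-colons` key listing into the human-readable form MFPA showed,
# and list the subkeys that the default listing hides.
#
# Field positions follow gpg's doc/DETAILS:
#   1 record type, 2 validity, 3 key length, 4 algorithm number, 5 key ID,
#   6 creation time, 7 expiry time (both seconds since the epoch),
#   10 user ID / fingerprint / keygrip, 12 key capabilities, 17 curve name.
# gpg escapes ':' inside user IDs as \x3a, so ':' is a safe field separator.

# Constructed sample: fingerprints and keygrips copied from MFPA's listing,
# timestamps rounded to 00:00 UTC, plus one made-up expired encryption subkey
# (key ID 0123456789ABCDEF, validity 'e'). The uid hash field is a dummy.
sample_listing() {
  cat <<'EOF'
tru::1:1511049600:0:3:1:5
pub:-:4096:1:ACE56971D555DAA5:1501891200:1529107200::-:::cESCA::::::23::0:
fpr:::::::::7910C45F89FC8CC2CBD24AB0ACE56971D555DAA5:
grp:::::::::9F115F0D0FC92E983F27D7331E7ABEBB4EFB20D8:
uid:-::::1501891200::0000000000000000000000000000000000000000::0xACE56971D555DAA5::::::::::0:
sub:-:4096:1:130DF516112FC0FF:1501891200:1513382400:::::s::::::23:
fpr:::::::::525FA9289F17798DB33B2728130DF516112FC0FF:
grp:::::::::EC8686A74101CF30518E152DC36272F00693DB21:
sub:-:256:22:E0E2DEE1D6C8EEFA:1501891200:1513382400:::::s:::::ed25519:23:
fpr:::::::::960C8628D592FF8CDE8BB0BFE0E2DEE1D6C8EEFA:
grp:::::::::9BB73B4ACED2CD1693C989B634B8F7E99884F786:
sub:e:2048:1:0123456789ABCDEF:1451606400:1483228800:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Human-readable rendering of a colon listing read from stdin.
render_colons() {
  awk -F: '
    # Seconds since 1970-01-01 -> YYYY-MM-DD (civil_from_days, proleptic Gregorian).
    function civil(secs,  z, era, doe, yoe, y, doy, mp, d, m) {
      z = int(secs / 86400) + 719468
      era = int(z / 146097)
      doe = z - era * 146097
      yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
      y = yoe + era * 400
      doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
      mp = int((5 * doy + 2) / 153)
      d = doy - int((153 * mp + 2) / 5) + 1
      m = (mp < 10) ? mp + 3 : mp - 9
      if (m <= 2) y++
      return sprintf("%04d-%02d-%02d", y, m, d)
    }
    function algo(n, bits, curve) {
      if (curve != "") return curve          # ECC keys: gpg prints the curve name
      if (n == 1) return "rsa" bits
      if (n == 17) return "dsa" bits
      if (n == 16) return "elg" bits
      return "algo" n "/" bits
    }
    # Only lowercase letters describe this key itself; uppercase ones on a
    # "pub" record summarise the whole key including its subkeys.
    function caps(s,  i, c, out) {
      out = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (toupper(c) != c) out = out toupper(c)
      }
      return out
    }
    function validity(v) {
      if (v == "u") return "ultimate"
      if (v == "f") return "  full  "
      if (v == "m") return "marginal"
      if (v == "e") return "expired "
      if (v == "r") return "revoked "
      return " unknown"
    }
    function groups(h,  i, s) {            # 4-hex-digit groups, as gpg prints them
      s = ""
      for (i = 1; i <= length(h); i += 4) s = s (i > 1 ? " " : "") substr(h, i, 4)
      return s
    }
    $1 == "pub" || $1 == "sub" {
      line = sprintf("%-5s %s/0x%s %s [%s]", $1, algo($4, $3, $17), $5, civil($6), caps($12))
      if ($2 == "r") line = line " [revoked]"
      else if ($2 == "e") line = line " [expired: " civil($7) "]"
      else if ($7 != "") line = line " [expires: " civil($7) "]"
      print line
    }
    $1 == "fpr" { print "      Key fingerprint = " groups($10) }
    $1 == "grp" { print "      Keygrip = " $10 }
    $1 == "uid" { printf "%-14s[%s] %s\n", "uid", validity($2), $10 }
  '
}

# Key IDs of subkeys that `gpg --list-keys` omits unless
# --list-options show-unusable-subkeys is given (expired or revoked).
unusable_subkeys() {
  awk -F: '$1 == "sub" && ($2 == "e" || $2 == "r") { print $5 }'
}

# Stand-alone demo on the constructed sample. With a real keyring use:
#   gpg --with-colons --with-keygrip --with-subkey-fingerprint --list-keys KEYID | render_colons
sample_listing | render_colons
echo "hidden by default: $(sample_listing | unusable_subkeys)"
```

The date conversion is done in awk itself so the script does not depend on GNU date; the validity letter in field 2 (e for expired, r for revoked) is what makes a subkey "unusable", which is why no clock comparison is needed to find the ones the default listing hides.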
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: 

From peter at digitalbrains.com Mon Nov 20 15:07:44 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 20 Nov 2017 15:07:44 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171120075612.GA2475@c720-r314251>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251>
Message-ID: <8c73f066-6c03-bbf0-1e91-5cbdf9ee72b8@digitalbrains.com>

On 20/11/17 08:56, Matthias Apitz wrote:
> I killed a running SmartCard Service on Win7 and tested GnuPG on a
> Cygwin command line.

Involving Cygwin is yet another non-trivial hurdle to take. I think it's
best if you get it working on Windows first, and only then try to
involve another layer in the form of Cygwin.

You can see what happens when you use gpg.exe from the Windows command
prompt. If that works out, see what happens in the GUI manager(s)
included with gpg4win-3.0.0.exe. Assuming it does include GUI software :-).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
-------------- next part --------------
A non-text attachment was scrubbed...
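The debug transcript Matthias posted earlier in this digest ends with the request `SCD SERIALNO openpgp` being answered by `ERR 100696144 No such device`. The number is not arbitrary: a libgpg-error status value packs the originating component (the error source) into bits 24 to 30 and the error code into the low 16 bits, and bit 15 of the code marks an errno-derived error. Decoding it therefore tells you which daemon failed before you go looking for logs. The POSIX sh/awk script below is an added example written for this page, not code from the thread or from GnuPG. The names assuan_errors and sample_transcript are my own; the source table is a partial copy of libgpg-error's gpg_err_source_t enumeration; the sample reuses the SERIALNO exchange from Matthias's log, while the PKSIGN and PKDECRYPT exchanges are constructed to show errors raised by other components.

```shell
#!/bin/sh
# Added example (not from the thread or from GnuPG): decode the numeric
# status in Assuan "ERR" replies as seen in gpg --debug-all IPC traces.
# A gpg_error_t value packs the error source (which component raised it)
# into bits 24 to 30 and the error code into bits 0 to 15; bit 15 of the
# code marks an errno-derived error, and the bits below it then index
# libgpg-error's own errno table (not the OS errno number).

# Constructed sample: the SERIALNO exchange is taken from Matthias's
# transcript; the PKSIGN and PKDECRYPT exchanges are made up to show
# errors raised by other components (newer gpg appends a <Component> tag).
sample_transcript() {
  cat <<'EOF'
gpg: DBG: chan_0x000000d8 -> GETINFO version
gpg: DBG: chan_0x000000d8 <- D 2.2.1
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x000000d8 <- ERR 100696144 No such device
gpg: DBG: chan_0x000000d8 -> PKSIGN
gpg: DBG: chan_0x000000d8 <- ERR 83886179 Operation cancelled <Pinentry>
gpg: DBG: chan_0x000000d8 -> PKDECRYPT
gpg: DBG: chan_0x000000d8 <- ERR 67108881 No secret key <GPG Agent>
EOF
}

# Read a trace on stdin; print one line per ERR reply:
#   code | source | class | message | after: <request that triggered it>
assuan_errors() {
  awk '
    BEGIN {
      # Partial libgpg-error source table (gpg-error.h, gpg_err_source_t).
      src[1] = "libgcrypt"; src[2] = "gpg";      src[3] = "gpgsm"
      src[4] = "gpg-agent"; src[5] = "pinentry"; src[6] = "scdaemon"
      src[7] = "gpgme";     src[10] = "dirmngr"
    }
    function rest(from,  j, s) {            # join fields from..NF with spaces
      s = ""
      for (j = from; j <= NF; j++) s = s (j > from ? " " : "") $j
      return s
    }
    {
      for (i = 1; i < NF; i++) {
        if ($i == "->") { req = rest(i + 1); break }   # remember the last request
        if ($i == "<-" && $(i + 1) == "ERR" && $(i + 2) ~ /^[0-9]+$/) {
          n = $(i + 2) + 0
          s = int(n / 16777216)             # bits 24..30: error source
          c = n % 65536                     # bits 0..15:  error code
          if (c >= 32768) cls = "system error (gpg-error errno index " (c - 32768) ")"
          else cls = "gpg-error code " c
          msg = rest(i + 3)
          sub(/ *<[^>]*>$/, "", msg)        # drop the "<Component>" tag if present
          printf "%s | %s | %s | %s | after: %s\n", $(i + 2), ((s in src) ? src[s] : "source " s), cls, msg, req
          break
        }
      }
    }
  '
}

# Stand-alone demo on the constructed sample. On a live system:
#   gpg --card-status --debug ipc 2>&1 | assuan_errors
sample_transcript | assuan_errors
```

For Matthias's line the decoder reports source 6, scdaemon, with the errno-class bit set: the failure is raised inside scdaemon's card access, not by gpg-agent or gpg, which is why the card-side daemon is the one whose configuration and logs need attention. The pairing with the preceding `->` request shows which command each error answered.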
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: 

From wk at gnupg.org  Mon Nov 20 17:00:05 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 20 Nov 2017 17:00:05 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171120075612.GA2475@c720-r314251> (Matthias Apitz's message of "Mon, 20 Nov 2017 08:56:12 +0100")
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251>
Message-ID: <87lgj1os8q.fsf@wheatstone.g10code.de>

On Mon, 20 Nov 2017 08:56, guru at unixarea.de said:

> I killed a running SmartCard Service on Win7 and tested GnuPG on a
> Cygwin command line. It says:

Cygwin - I would not suggest using this. We have no idea on whether the RNG does what we want it to do. The IPC mechanism and descriptor/handle passing may have surprising effects.

There is a new gnupg 2.2.3 installer available, I better use that

> $ gpg --card-status --debug-all --debug-level guru

Smartcard access is done by scdaemon. Thus you have to modify or create scdaemon.conf:

  log-file tcp://192.168.x.y:42042
  verbose
  debug ipc,cardio

The tcp line is what I use to debug on Windows. On my Unix box I run

  watchgnupg --time-only --tcp 42042

so that I can work with the logs without resorting to strange Windows tools. After changing scdaemon.conf you should kill scdaemon; gpg-agent will start it as needed.

Testing with gpg is okay, but you can also use gpg-connect-agent and then enter

  scd help

to see all commands supported by scdaemon. The "scd " prefix simply routes the rest of the command to scdaemon.

  scd help serialno

shows you help for scdaemon's "serialno" command, and

  scd serialno

runs the command which selects the "best" application on the current card.
If the OpenPGP card does not work, try your banking card - there is a simple application for the "Geldkarte" included.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: 

From guru at unixarea.de  Mon Nov 20 20:09:29 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Mon, 20 Nov 2017 20:09:29 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <8c73f066-6c03-bbf0-1e91-5cbdf9ee72b8@digitalbrains.com>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251> <8c73f066-6c03-bbf0-1e91-5cbdf9ee72b8@digitalbrains.com>
Message-ID: <20171120190929.GA2527@c720-r314251>

On Monday, November 20, 2017 at 03:07:44 PM +0100, Peter Lebbing wrote:

> On 20/11/17 08:56, Matthias Apitz wrote:
> > I killed a running SmartCard Service on Win7 and tested GnuPG on a
> > Cygwin command line.
> 
> Involving Cygwin is yet another non-trivial hurdle to take. I think it's
> best if you get it working on Windows first, and only then try to
> involve another layer in the form of Cygwin.
> 
> You can see what happens when you use gpg.exe from the Windows command
> prompt. If that works out, see what happens in the GUI manager(s)
> included with gpg4win-3.0.0.exe. Assuming it does include GUI software :-).
This gives the same output as from Cygwin:

C:\Users\apitzm\vb\GnuPG\bin>gpg.exe --card-status --debug-all --debug-level guru
gpg: reading options from 'C:/Users/apitzm/AppData/Roaming/gnupg/gpg.conf'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x000000d0 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_0x000000d0 -> RESET
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> GETINFO version
gpg: DBG: chan_0x000000d0 <- D 2.2.1
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> OPTION allow-pinentry-notify
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> SCD GETINFO version
gpg: DBG: chan_0x000000d0 <- D 2.2.1
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x000000d0 <- ERR 100696144 No such device
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
gpg:               outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

C:\Users\apitzm\vb\GnuPG\bin>

I saw the next mail from Werner, and will try to follow this.

Thanks

	matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: 

From w at uter.be  Tue Nov 21 01:47:45 2017
From: w at uter.be (Wouter Verhelst)
Date: Tue, 21 Nov 2017 01:47:45 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <87ine5v0wn.fsf@wheatstone.g10code.de>
References: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: <20171121004745.b42vf6pukf2okkm6@grep.be>

On Mon, Nov 20, 2017 at 08:56:24AM +0100, Werner Koch wrote:
> On Sun, 19 Nov 2017 15:10, peter at digitalbrains.com said:
> 
> > GnuPG by default does not show *expired* subkeys. Use --list-options
> > show-unusable-subkeys to do that.
> 
> Let me also add that using gpg without any command (as in "...|gpg") is
> deprecated because the output you see is more of a debug message than a
> well defined output. This is also the reason why you see the expired
> keys with that command.
> 
> To view a key without first importing it you can do:
> 
>   gpg --import-options show-only --import
> 
> (Suggestions for the name of a shortcut command are welcome)

--display-input
--decode-input
--parse-input

I'd focus on the word "input" there, and add a verb that doesn't imply something is being written somewhere.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the
     DebConf 2008 Hacklab

From wk at gnupg.org  Tue Nov 21 08:51:58 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 21 Nov 2017 08:51:58 +0100
Subject: [Announce] GnuPG 2.2.3 released
Message-ID: <87bmjwkr1d.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release: version 2.2.3. This is a maintenance release; see below for a list of fixed bugs.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP.
GnuPG allows you to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. As a Universal Crypto Engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.


Noteworthy changes in version 2.2.3
===================================

 * gpgsm: Fix initial keybox creation on Windows.  [#3507]

 * dirmngr: Fix crash in case of a CRL loading error.  [#3510]

 * Fix the name of the Windows registry key.  [Git#4f5afaf1fd]

 * gpgtar: Fix wrong behaviour of --set-filename.  [#3500]

 * gpg: Silence AKL retrieval messages.  [#3504]

 * agent: Use clock or clock_gettime for calibration.  [#3056]

 * agent: Improve robustness of the shutdown pending state.  [Git#7ffedfab89]


Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG 2.2.3 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.3.tar.bz2 (6393k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.3.tar.bz2.sig

An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.3_20171120.exe (3806k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.3_20171120.exe.sig

The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix.
A new Gpg4win 3.0 installer featuring this version of GnuPG will be available soon.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

 * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.3.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.3.tar.bz2.sig gnupg-2.2.3.tar.bz2

   This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.3.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.3.tar.bz2

   and check that the output matches the next line:

     68ed37d363166b5bd79971537484148eb8f2958c  gnupg-2.2.3.tar.bz2
     9914e93d5ac50b4e542b4320e1e130dc1552e24b  gnupg-w32-2.2.3_20171120.exe
     74d3d9565b4baa5627932b20af557645d7915e77  gnupg-w32-2.2.3_20171120.tar.xz


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated.
Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing.

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available.

Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out .

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs one full-time developer and one contractor. Both work exclusively on GnuPG and closely related software like Libgcrypt, GPGME, and GPA. We are planning to extend our team again. Right now we are looking for an admin for our bug tracker; see

We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and with financial support.

Happy hacking,

  Your GnuPG hackers


p.s.
This is an announcement only mailing list.
Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

-- 
Thoughts are free. Exceptions are governed by a federal law.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: 
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From guru at unixarea.de  Tue Nov 21 09:15:07 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 21 Nov 2017 09:15:07 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87lgj1os8q.fsf@wheatstone.g10code.de>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251> <87lgj1os8q.fsf@wheatstone.g10code.de>
Message-ID: <20171121081507.GA2467@c720-r314251>

Hello,

Thanks, Werner, for the helping hand. I did so to capture the log of the scdaemon. But I did not use the nice trick of TCP, because I did not want to have the VM up and running and blocking the OpenPGP Card on USB. I run all the GnuPG commands from the DOS cmd shell, only the tail of the scdaemon.log was done in Cygwin.
The scdaemon.conf used was:

$ cat /cygdrive/c/Users/apitzm/AppData/Roaming/gnupg/scdaemon.conf
log-file scdaemon.log
debug-level guru
debug-all
debug-log-tid
card-timeout 30

The produced log is:

$ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
2017-11-21 08:24:04 scdaemon[3868.1] listening on socket `C:\Users\apitzm\AppData\Roaming\gnupg\S.scdaemon'
2017-11-21 08:24:04 scdaemon[3868.2] handler for fd -1 started
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK GNU Privacy Guard's Smartcard server ready
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 <- GETINFO socket_name
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> D C:\Users\apitzm\AppData\Roaming\gnupg\S.scdaemon
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 <- OPTION event-signal=f0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 <- serialno
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:24:04 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> ERR 100696144 No such device
2017-11-21 08:24:23 scdaemon[3868.2] DBG: chan_0x000000b0 <- RESTART
2017-11-21 08:24:23 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:26:07 scdaemon[3868.2] DBG: chan_0x000000b0 <- serialno
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader ''
2017-11-21 08:26:07 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:26:07 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:26:07 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:26:07 scdaemon[3868.2] DBG: chan_0x000000b0 -> ERR 100696144 No such device
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 <- help
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # NOP
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # CANCEL
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # OPTION
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # BYE
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # AUTH
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # RESET
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # END
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # HELP
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # SERIALNO [--demand=] []
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # LEARN [--force] [--keypairinfo]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # READCERT |
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # READKEY [--advanced]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # SETDATA [--append]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PKSIGN [--hash=[rmd160|sha{1,224,256,384,512}|md5]]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PKAUTH
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PKDECRYPT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # INPUT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # OUTPUT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # GETATTR
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # SETATTR
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # WRITECERT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # WRITEKEY [--force]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # GENKEY [--force] [--timestamp=]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # RANDOM
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PASSWD [--reset] [--nullpin]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # CHECKPIN
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # LOCK [--wait]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # UNLOCK
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # GETINFO
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # RESTART
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # DISCONNECT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # APDU [--[dump-]atr] [--more] [--exlen[=N]] [hexstring]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # KILLSCD
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:27:09 scdaemon[3868.2] DBG: chan_0x000000b0 <- restart
2017-11-21 08:27:09 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:28:18 scdaemon[3868.2] DBG: chan_0x000000b0 <- RESTART
2017-11-21 08:28:18 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x000000b0 <- serialno
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader ''
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x000000b0 -> ERR 100696144 No such device

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: 

From gniibe at fsij.org  Tue Nov 21 10:50:18 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 21 Nov 2017 18:50:18 +0900
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171121081507.GA2467@c720-r314251>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251> <87lgj1os8q.fsf@wheatstone.g10code.de> <20171121081507.GA2467@c720-r314251>
Message-ID: <87lgj06jvp.fsf@fsij.org>

Matthias Apitz wrote:
> The produced log is:
> 
> $ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
[...]
> 2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
> 2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected

You have five card readers (the last one looks strange, though).

GnuPG's scdaemon selects the first one as default. IIUC, you want to use 'Identiv uTrust 3512 SAM slot Token 0'.

In .gnupg/scdaemon.conf, you should have something like:
===================
reader-port "Identiv uTrust 3512 SAM slot Token"
===================

... to select the token.
-- 

From peter at digitalbrains.com  Tue Nov 21 14:01:51 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 21 Nov 2017 14:01:51 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <87ine5v0wn.fsf@wheatstone.g10code.de>
References: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: 

On 20/11/17 08:56, Werner Koch wrote:
> (Suggestions for the name of a shortcut command are welcome)

How about just --show? It was suggested in an unfriendly manner at LWN[1], but apart from the unfriendliness, I do think it makes sense. It does imply that it works for more than just keys, though. I wonder if that is a bad thing. Wouldn't a command that just shows the contents of a file without processing it make sense? It could show all that --import-options show-only shows for keys, or show recipients for encrypted files, signers for signed files (no verification), etcetera. A less techy version of --list-only --list-packets.

Peter.
[1] 

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: 

From guru at unixarea.de  Tue Nov 21 15:59:21 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 21 Nov 2017 15:59:21 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87lgj06jvp.fsf@fsij.org>
References: <20171115080632.GA2621@c720-r314251> <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251> <87lgj1os8q.fsf@wheatstone.g10code.de> <20171121081507.GA2467@c720-r314251> <87lgj06jvp.fsf@fsij.org>
Message-ID: <20171121145921.GA2874@c720-r314251>

On Tuesday, November 21, 2017 at 06:50:18 PM +0900, NIIBE Yutaka wrote:

> Matthias Apitz wrote:
> > The produced log is:
> > 
> > $ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
> [...]
> > 2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
> > 2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
> 
> You have five card readers (the last one looks strange, though).
> 
> GnuPG's scdaemon select the first one as default. IIUC, you want to use
> 'Identiv uTrust 3512 SAM slot Token 0'.
> 
> In .gnupg/scdaemon.conf, you should have something like:
> ===================
> reader-port "Identiv uTrust 3512 SAM slot Token"
> ===================
> 
> ... to select the token.

Thanks! Adding the above line to GNUPGHOME/scdaemon.conf makes it all work, even the GPA and other GUI tools.

	matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: 

From dustincr at hotmail.com  Tue Nov 21 17:40:17 2017
From: dustincr at hotmail.com (Dustin Rogers)
Date: Tue, 21 Nov 2017 16:40:17 +0000
Subject: Which gnupg2-smime should I use for this build?
Message-ID: 

Hi gnupg users:

Which gnupg2-smime should I use here with this amazn linux?

Error: Package: gnupg2-smime-2.0.14-8.el6.x86_64 (/gnupg2-smime-2.0.14-8.el6.x86_64)
           Requires: gnupg2 = 2.0.14-8.el6
           Installed: gnupg2-2.0.28-1.30.amzn1.x86_64 (installed)
               gnupg2 = 2.0.28-1.30.amzn1
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

I found a 2.0.28 version for fedora core? Should I try that?

Thank you,

-Dustin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mac3iii at gmail.com  Wed Nov 22 03:44:03 2017
From: mac3iii at gmail.com (murphy)
Date: Tue, 21 Nov 2017 21:44:03 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>

My goal is to compile the latest version of GnuPG for Ubuntu.
The following bash file does pretty well:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y zlib1g-dev
sudo apt-get install -y libgmp-dev
sudo apt-get install -y nettle-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y adns-tools
sudo apt-get install -y libreadline-dev
sudo apt-get install -y pinentry-gtk2
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local
sudo ldconfig

But there are a couple of "no" answers I would like to eliminate:

GnuPG v2.2.3 has been configured as follows:

        Revision:  97f4fea  (38900)
        Platform:  GNU/Linux (x86_64-pc-linux-gnu)

        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes (without internal CCID driver)
        G13:       no
        Dirmngr:   yes
        Gpgtar:    yes
        WKS tools: no

        Protect tool:      (default)
        LDAP wrapper:      (default)
        Default agent:     (default)
        Default pinentry:  (default)
        Default scdaemon:  (default)
        Default dirmngr:   (default)

        Dirmngr auto start:  yes
        Readline support:    yes
        LDAP support:        yes
        TLS support:         gnutls
        TOFU support:        yes
        Tor support:         yes

Specifically G13 and WKS tools are not supported. Am I missing some dependencies? Preferably they should be available via 'sudo apt-get install' since this is checked for in new compiles and not reinstalled.

The bash file works on a fresh install of Ubuntu 16.04, 17.10 and Raspbian Stretch (for Raspberry Pi). Any suggestions for improvements?

Murphy

From rjh at sixdemonbag.org Wed Nov 22 08:54:36 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 22 Nov 2017 02:54:36 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
Message-ID:

> The bash file works on a fresh install of Ubuntu 16.04, 17.10 and
> Raspbian Stretch (for Raspberry Pi). Any suggestions for improvements?

Pass --enable-g13 --enable-wks-tools to your make invocation.

make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local \
    speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools' \
    native

Also see https://wiki.gnupg.org/WKS .

Hope this helps!

From wk at gnupg.org Wed Nov 22 10:11:19 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 Nov 2017 10:11:19 +0100
Subject: Getting more verbose details of a key
In-Reply-To: (Peter Lebbing's message of "Tue, 21 Nov 2017 14:01:51 +0100")
References: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: <87bmjuhe4o.fsf@wheatstone.g10code.de>

On Tue, 21 Nov 2017 14:01, peter at digitalbrains.com said:

> How about just --show? It was suggested in an unfriendly manner at

Similar to Wouter's suggestions --show is not specific enough and does not explain that this is to show the keys and not messages.

> a file without processing it make sense? It could show all that
> --import-options show-only shows for keys, or show recipients for

Unless we want to continue the current and mostly debugish output of whatever gpg shows without commands, this requires that the type of the input is first detected. In GPGME we have code to do this which could be lifted for use in gpg. With that --show would make sense.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
From wk at gnupg.org Wed Nov 22 10:18:33 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 Nov 2017 10:18:33 +0100
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> (murphy's message of "Tue, 21 Nov 2017 21:44:03 -0500")
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
Message-ID: <877euihdsm.fsf@wheatstone.g10code.de>

On Wed, 22 Nov 2017 03:44, mac3iii at gmail.com said:

> sudo apt-get install -y adns-tools

You should not need this.

> sudo apt-get install -y pcscd scdaemon

I guess you install scdaemon to get some infrastructure provided by Ubuntu in their scdaemon package.

> Specifically G13 and WKS tools are not supported.  Am I missing some

WKS tools is just the gpg-wks-server which is commonly not needed. The gpg-wks-client will be built anyway.

--enable-g13 is too Linux specific to be enabled by default and is missing all documentation.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Wed Nov 22 10:20:22 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 Nov 2017 10:20:22 +0100
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> (murphy's message of "Tue, 21 Nov 2017 21:44:03 -0500")
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
Message-ID: <873756hdpl.fsf@wheatstone.g10code.de>

On Wed, 22 Nov 2017 03:44, mac3iii at gmail.com said:

> sudo apt-get install -y libgmp-dev
> sudo apt-get install -y nettle-dev
> sudo apt-get install -y libgnutls28-dev

These are also not needed because the speedo Makefile will download and use ntbtls instead.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.
Ausnahmen regelt ein Bundesgesetz.

From seby2kt14 at gmail.com Wed Nov 22 11:16:44 2017
From: seby2kt14 at gmail.com (Seby)
Date: Wed, 22 Nov 2017 10:16:44 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To:
References:
Message-ID:

Hello,

Is there any possibility I could encrypt some text to a public key but without importing it to my keyring? Passing it to gnupg via command line or something (I do know and accept that if I want to encrypt multiple messages or files to the same key I will have to provide it every time).

Sebastian

From mac3iii at gmail.com Wed Nov 22 14:09:32 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 08:09:32 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <6e8f4238-059a-70bc-1ef7-eb1435fee481@gmail.com>

Thanks to all for the suggested improvements!! One thing I forgot to mention was to add the configuration:

nano ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-gtk-2

This is required since pinentry is not compiled from source but installed as an Ubuntu package.

From bereska at hotmail.com Wed Nov 22 12:00:53 2017
From: bereska at hotmail.com (Dmitry Gudkov)
Date: Wed, 22 Nov 2017 11:00:53 +0000
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <873756hdpl.fsf@wheatstone.g10code.de>
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> <873756hdpl.fsf@wheatstone.g10code.de>
Message-ID:

Dear Werner,

Could you give me (a gnupg newbie) clear instructions to compile the latest version for Ubuntu 16.04.3?
I'm running it as a VM in VirtualBox on my Mac.

Also I need your advice on my keys. Now I have rsa2048 but want to switch to rsa4096. What's the best way of doing? Migrate or delete & create a new one? On the other hand I've noticed you have rsa2048. Maybe just keep rsa2048?

P.S. I have been happily using GnuPG 2.1.22 on my Mac, which I installed as binary. Now it's time to move on with building my own like a pro) on Linux

Danke
Dmitry

22.11.2017, 12:31, "Gnupg-users on behalf of Werner Koch" wrote:

    On Wed, 22 Nov 2017 03:44, mac3iii at gmail.com said:

    > sudo apt-get install -y libgmp-dev
    > sudo apt-get install -y nettle-dev
    > sudo apt-get install -y libgnutls28-dev

    These are also not needed because the speedo Makefile will download and use ntbtls instead.

    Shalom-Salam,

       Werner

    -- 
    Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

    _______________________________________________
    Gnupg-users mailing list
    Gnupg-users at gnupg.org
    http://lists.gnupg.org/mailman/listinfo/gnupg-users

From mac3iii at gmail.com Wed Nov 22 17:49:53 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 11:49:53 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To:
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> <873756hdpl.fsf@wheatstone.g10code.de>
Message-ID: <507d3f1c-56f1-26b9-27c2-169a1120acca@gmail.com>

On 11/22/2017 06:00 AM, Dmitry Gudkov wrote:
> ...clear instructions to compile the latest version for Ubuntu 16.04.3?

Hi Dmitry - I haven't finished testing Werner's suggestions but this will work on Ubuntu 16.04:

1. create an empty file: gpg223.sh and cut, paste and save the following:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y zlib1g-dev
sudo apt-get install -y libgmp-dev
sudo apt-get install -y nettle-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y adns-tools
sudo apt-get install -y libreadline-dev
sudo apt-get install -y qtbase5-dev
sudo apt-get install -y pinentry-gtk2
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools' native
sudo ldconfig

2. run the above in the location you saved it: sudo bash gpg223.sh

3. after maybe 5-10 minutes it should complete the compilation, check the install: gpg --version

4. create subdirectories (if necessary) with: gpg -K

5. use nano to create a configuration file: nano ~/.gnupg/gpg-agent.conf

6. add the line: pinentry-program /usr/bin/pinentry-gtk-2

7. save by ctrl-x, y, enter

One final note for 32 bit machines or operating systems (VM in 32 bit mode or Raspberry Pi): I found the following change is needed:

1. sudo nano /etc/ld.so.conf
2. add as the first line: include /etc/ld.so.conf.d/libc.conf
3. save
4. sudo ldconfig

Hope it works for you!

Murphy
From seby2kt14 at gmail.com Wed Nov 22 20:32:25 2017
From: seby2kt14 at gmail.com (Seby)
Date: Wed, 22 Nov 2017 19:32:25 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To:
References:
Message-ID:

I need to pass it via batch or something... Like this:

$pgp_public_key = 'pgp public key text armored'
gpg -e -r $pgp_public_key --always_trust

Basically use gnupg without a keyring or trustdb. And then pass the armored pgp public key with each command and operation.

Thank you in advance.

On Nov 22, 2017 12:16, "Seby" wrote:

> Hello,
>
> Is there any possibility i could encrypt some text to a public key but
> without importing it to my keyring? Passing it to gnupg via command line or
> something (i do know and accept that if i want to encrypt multiple messages
> or files to the same key i will have to provide it every time) .
>
> Sebastian
>

From mac3iii at gmail.com Wed Nov 22 21:05:26 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 15:05:26 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <6587b49c-b671-3998-3740-97adeda8bd51@gmail.com>

Note that the last lines of the bash file in my previous post didn't print right (arrrgh, my attempt to clarify backfired). It is probably best to leave it as Werner hinted anyway:

sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local
sudo ldconfig

murphy

From dustincr at hotmail.com Wed Nov 22 19:53:20 2017
From: dustincr at hotmail.com (Dustin Rogers)
Date: Wed, 22 Nov 2017 18:53:20 +0000
Subject: Which gnupg2-smime should I use for this build?
In-Reply-To:
References:
Message-ID:

Hi All:

Outside of the RPM package that I was using, for some reason I was trying yum install gpgsm. I used yum install gnupg2-smime and it found the correct pkg. I just needed to use the correct command.

Thank you,
-Dustin

________________________________
From: Dustin Rogers
Sent: Tuesday, November 21, 2017 10:40 AM
To: gnupg-users at gnupg.org; informationsecurityencryption at capitalone.com
Subject: Which gnupg2-smime should I use for this build?

Hi gnupg users:

Which gnupg2-smime should I use here with this amazn linux?

Error: Package: gnupg2-smime-2.0.14-8.el6.x86_64 (/gnupg2-smime-2.0.14-8.el6.x86_64)
           Requires: gnupg2 = 2.0.14-8.el6
           Installed: gnupg2-2.0.28-1.30.amzn1.x86_64 (installed)
               gnupg2 = 2.0.28-1.30.amzn1
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

I found a 2.0.28 version for fedora core? Should I try that?

Thank you,
-Dustin

From gnupg-users at spodhuis.org Wed Nov 22 23:45:05 2017
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Wed, 22 Nov 2017 17:45:05 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <6e8f4238-059a-70bc-1ef7-eb1435fee481@gmail.com>
References: <6e8f4238-059a-70bc-1ef7-eb1435fee481@gmail.com>
Message-ID: <20171122224505.GA18967@tower.spodhuis.org>

On 2017-11-22 at 08:09 -0500, murphy wrote:
> pinentry-program /usr/bin/pinentry-gtk-2
>
> This is required since pinentry is not compiled from source but
> installed as an Ubuntu package.

GnuPG's configure takes --with-pinentry-pgm=... to override the default.

(I build the https://public-packages.pennock.tech/ packages (Xenial, Trusty, Jessie, Stretch; amd64; all installing into /opt/gnupg) using Vagrant on macOS, VirtualBox driver. The repos are maintained with aptly.)
-Phil

From mac3iii at gmail.com Thu Nov 23 01:57:00 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 19:57:00 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <1cbbe5fe-ed97-c84e-5297-019c8a14b2d0@gmail.com>

Thanks Robert and Werner. Goal accomplished :)

        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes (without internal CCID driver)
        G13:       yes
        Dirmngr:   yes
        Gpgtar:    yes
        WKS tools: yes

The deletion of adns-tools, libgmp-dev, nettle-dev and libgnutls28-dev from my bash file resulted in a failure to find a suitable c/c++ compiler when using a new install of ubuntu. I'm not sure which one loaded the required compiler yet... or which compiler it is... but I'm still looking (a new installation of Ubuntu for each change takes time ;-)

The pcscd and scdaemon was to enable the Yubikey smart card (per their recommendation). I will also try without the Ubuntu version of scdaemon to see if it still works.

Thanks (I feel complete now)

murphy

From mac3iii at gmail.com Fri Nov 24 00:57:51 2017
From: mac3iii at gmail.com (murphy)
Date: Thu, 23 Nov 2017 18:57:51 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <0390549d-69e9-8e90-61d1-9f9bbfba93f3@gmail.com>

Thanks to all for suggestions.
For a complete compile on a fresh install of Ubuntu, I managed to get the bash file down to a minimum of:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y zlib1g-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y libreadline-dev
sudo apt-get install -y pinentry-gtk2
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local \
  speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools' \
  native
sudo ldconfig

(The backslash continuations have to sit outside the single quotes: a backslash inside '...' is passed to configure literally, which is what broke the earlier version of this line.)

Without the libgnutls28-dev install Ubuntu is without a suitable compiler or even the make command. This installs make, gcc+-7 and probably lots of unnecessary stuff but at least it is a one-liner. For the Yubikey smart card the Ubuntu package scdaemon seems to be required as gpg --card-edit complains and fails if it is not included in the ubuntu installation list.

This bash file has the advantage of using only Ubuntu packages and speedo, so the only update change needed is changing a single digit in version=gnupg-2.2.3 for the near future upgrades. No unnecessary repeat compiles are done since pinentry is a package, although it is necessary to include the configuration file at least once:

nano ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-gtk-2

or the pinentry version of your choice (-gnome3, -qt, -tty, -x11, -curses packages are all available for install and configure).

I'm sure this can be improved upon and I am eager to see if it can be made even smaller and faster while keeping the convenience of changing a single digit and renaming gpg223.sh to gpg224.sh.
Thanks - murphy

From gniibe at fsij.org Fri Nov 24 01:48:43 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 24 Nov 2017 09:48:43 +0900
Subject: Encrypt to a key without importing it to keyring
In-Reply-To:
References:
Message-ID: <87efooh578.fsf@iwagami.gniibe.org>

Seby wrote:
> Basically use gnupg without a keyring or trustdb. And the pass the armored
> pgp public key with each command and operation.

AFAIK, such a usage is not supported by GnuPG.

Well, I would imagine some use cases when we want to avoid any dependency to specific user's configuration, keyring, and trustdb, of his own.

Approximation would be using ephemeral GNUPGHOME.

I mean, starting your GnuPG session (or script) with:

    $ export GNUPGHOME=$(mktemp -p /run/user/$(id -u) -d)
    $ chmod og-rwx $GNUPGHOME; echo $GNUPGHOME

and remove the $GNUPGHOME after its use.

This is very useful for testing GnuPG, for example.
--

From seby2kt14 at gmail.com Fri Nov 24 02:02:50 2017
From: seby2kt14 at gmail.com (Seby)
Date: Fri, 24 Nov 2017 01:02:50 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <87efooh578.fsf@iwagami.gniibe.org>
References: <87efooh578.fsf@iwagami.gniibe.org>
Message-ID:

Hello,

Thanks a lot for the reply.

NIIBE Yutaka wrote:
> Seby wrote:
>> Basically use gnupg without a keyring or trustdb. And the pass the armored
>> pgp public key with each command and operation.
>
> AFAIK, such a usage is not supported by GnuPG.
>
> Well, I would imagine some use cases when we want to avoid any
> dependency to specific user's configuration, keyring, and trustdb, of
> his own.
>
> Approximation would be using ephemeral GNUPGHOME.
>
> I mean, starting your GnuPG session (or script) with:
>
> $ export GNUPGHOME=$(mktemp -p /run/user/$(id -u) -d)
> $ chmod og-rwx $GNUPGHOME; echo $GNUPGHOME
>
> and remove the $GNUPGHOME after its use.
>
> This is very useful for testing GnuPG, for example.
> --

The use case is that a script encrypts stuff for different public keys. I don't want to save those public keys to files, then import them in the keyring, do the operation and then delete from the keyring because this is a lot of operations plus using files might be problematic on edge cases.

Am I correct that a way around changing the GNUPGHOME variable is using the --no-default-keyring argument?

So no way for me to do an operation just by having the public key in clipboard for example (no saving to file, no import, etc.)?

Seby

From seby2kt14 at gmail.com Fri Nov 24 02:44:08 2017
From: seby2kt14 at gmail.com (Seby)
Date: Fri, 24 Nov 2017 01:44:08 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To:
References: <87efooh578.fsf@iwagami.gniibe.org>
Message-ID:

Seby wrote:
>> Approximation would be using ephemeral GNUPGHOME.
>>
>> I mean, starting your GnuPG session (or script) with:
>>
>> $ export GNUPGHOME=$(mktemp -p /run/user/$(id -u) -d)
>> $ chmod og-rwx $GNUPGHOME; echo $GNUPGHOME
>>
>> and remove the $GNUPGHOME after its use.
>>
>> This is very useful for testing GnuPG, for example.

[SNIP]

> Am I correct that a way around changing the GNUPGHOME variable is
> using the --no-default-keyring argument?

(No, that is not correct. --homedir is what overrides $GNUPGHOME)

Back to the subject, saving to at least a temporary keyring is my only solution? Nothing else I can use in batch mode to serve the armored key from clipboard somehow and do the operation?

If this is the only solution, what are the safety recommendations for a use case where many many parallel requests will be sent to do operations (possibly even using the same public key) so things don't break?
Does it help if I randomize --homedir and make it different with every request / command?

Thanks.

From kloecker at kde.org Fri Nov 24 08:13:12 2017
From: kloecker at kde.org (Ingo Klöcker)
Date: Fri, 24 Nov 2017 08:13:12 +0100
Subject: Encrypt to a key without importing it to keyring
In-Reply-To:
References:
Message-ID: <2918182.x3P4M4sRDf@thufir>

On Freitag, 24. November 2017 02:44:08 CET Seby wrote:
> Back to the subject, saving to at least a temporary keyring is my only
> solution? Nothing else I can use in batch mode to serve the armored
> key from clipboard somehow and do the operation?

Yes.

> If this is the only solution, what are the safety recommendations for
> a use case where many many parallel requests will be sent to do
> operations (possibly even using the same public key) so things don't
> break? Does it help if I randomize --homedir and make it different
> with every request / command?

A possible solution for many parallel requests (you need to verify its viability) could be some kind of containerization (e.g. Docker or something more low-level). If every request is handled by a new container then all operations are nicely isolated and nothing can break.

Regards,
Ingo

From seby2kt14 at gmail.com Fri Nov 24 10:01:10 2017
From: seby2kt14 at gmail.com (Seby)
Date: Fri, 24 Nov 2017 09:01:10 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <2918182.x3P4M4sRDf@thufir>
References: <2918182.x3P4M4sRDf@thufir>
Message-ID:

"Ingo Klöcker" wrote:

    On Freitag, 24. November 2017 02:44:08 CET Seby wrote:
    > Back to the subject, saving to at least a temporary keyring is my only
    > solution? Nothing else I can use in batch mode to serve the armored
    > key from clipboard somehow and do the operation?

    Yes.

    > If this is the only solution, what are the safety recommendations for
    > a use case where many many parallel requests will be sent to do
    > operations (possibly even using the same public key) so things don't
    > break?
    > Does it help if I randomize --homedir and make it different
    > with every request / command?

    A possible solution for many parallel requests (you need to verify its viability) could be some kind of containerization (e.g. Docker or something more low-level). If every request is handled by a new container then all operations are nicely isolated and nothing can break.

    Regards,
    Ingo

Thanks for the answer.

If I run the command every time in a different shell or with a different user, will this help? I am not familiar with docker.

From guru at unixarea.de Fri Nov 24 10:55:13 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 24 Nov 2017 10:55:13 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171121145921.GA2874@c720-r314251>
References: <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251> <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251> <20171120075612.GA2475@c720-r314251> <87lgj1os8q.fsf@wheatstone.g10code.de> <20171121081507.GA2467@c720-r314251> <87lgj06jvp.fsf@fsij.org> <20171121145921.GA2874@c720-r314251>
Message-ID: <20171124095513.GA19318@c720-r314251>

One last question on this. The gpg4win-3.0.0.exe installs among others an OutLook plugin (GpgOl DLL) which lets you encrypt and sign mails in OutLook. Ofc, my keypair I'm using with the OpenPGP Card was built for 'Matthias Apitz ' and not for my company mail addr Matthias.Apitz at oclc.org; this always brings up, on signing, a window like this http://www.unixarea.de/kleo3.jpg from Kleopatra because it cannot choose the correct certificate by itself. Is there a way to configure this within Kleopatra or GpgOl?

Thanks

matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
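One way to do what Seby is asking for, as an added example (the editor's, not code from anyone in this thread): every request gets its own throw-away GNUPGHOME as NIIBE describes, which also gives the per-request isolation Ingo mentions without a container, since two concurrent requests never share a keyring, trustdb or agent socket; and the recipient key is handed to gpg with its --recipient-file option (in gpg since 2.1.14) instead of being imported anywhere. The function names make_ephemeral_home, cleanup_home and encrypt_to_keyfile are chosen for this example, and $TMPDIR is used in place of /run/user/UID so it also works for service accounts that have no runtime directory.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread: encrypt stdin to the
# single public key stored in a file, without touching the caller's keyring,
# using a private per-request GNUPGHOME that is removed afterwards.
set -eu

# Create a request-specific GNUPGHOME (mode 700, owner only) and print its
# path. $TMPDIR instead of /run/user/UID is an assumption made here so the
# example also runs for accounts without a runtime directory.
make_ephemeral_home() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gpgreq.XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Tear the home down: stop any gpg-agent/dirmngr that gpg started for it,
# then remove the directory with the keybox, trustdb and sockets inside.
cleanup_home() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --homedir "$1" --kill all 2>/dev/null || true
    fi
    rm -rf "$1"
}

# Encrypt stdin to the key in $1 (a file holding exactly one public key),
# writing ASCII-armored ciphertext to stdout. --batch keeps gpg from ever
# prompting; --recipient-file treats the key in the file as fully valid, so
# no trustdb entry is needed and nothing is imported into any keyring.
encrypt_to_keyfile() {
    keyfile="$1"
    home=$(make_ephemeral_home)
    # Remove the home even if the request is interrupted.
    trap 'cleanup_home "$home"' INT TERM
    if gpg --batch --quiet --homedir "$home" \
           --recipient-file "$keyfile" --armor --encrypt; then
        status=0
    else
        status=$?
    fi
    trap - INT TERM
    cleanup_home "$home"
    return "$status"
}

# Usage: printf 'secret\n' | sh encrypt-to-keyfile.sh recipient.asc > msg.asc
if [ $# -eq 1 ]; then
    encrypt_to_keyfile "$1"
fi
```

Because each call creates and deletes its own directory, the same key file can be used by any number of parallel callers; the only shared resource is the key file itself, which is read-only. Parallel callers on one host should still run the script as the service account and not as root, so the per-request homes cannot be read by other users on the machine.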
From nicolas.boullis at ecp.fr Fri Nov 24 10:30:44 2017
From: nicolas.boullis at ecp.fr (Nicolas Boullis)
Date: Fri, 24 Nov 2017 10:30:44 +0100
Subject: Ask gpg-agent/scdaemon to release a smartcard?
Message-ID: <20171124093044.3tq3nrcvpqnk6l3c@eridan.ccs.ecp.fr>

Hi,

I just got a new Yubikey 4 token, that I'm willing to use for its PIV applet.

Unfortunately, as soon as I connect it, gpg-agent/scdaemon sees its OpenPGP applet and connects to it. Then, if I try to use the PIV applet, I get error messages like:

Failed to connect to card: Reader in use by another application

Is there a way I can ask gpg-agent/scdaemon to release this smartcard, so I can use it with another application? Or even better some way to "share" the reader?

Note that killing gpg-agent or completely disabling smartcard support would not be an option, since I also use an OpenPGP Smart Card.

I also know that I have the option to use my token with gpg-agent/scdaemon and Scute, but I think it is more complex to set up for end users.

Best regards,

-- 
Nicolas

From wk at gnupg.org Fri Nov 24 12:10:24 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 Nov 2017 12:10:24 +0100
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: (Seby's message of "Wed, 22 Nov 2017 10:16:44 +0000")
References:
Message-ID: <877eug53vj.fsf@wheatstone.g10code.de>

On Wed, 22 Nov 2017 11:16, seby2kt14 at gmail.com said:

> Is there any possibility i could encrypt some text to a public key but
> without importing it to my keyring? Passing it to gnupg via command line or

gpg -e -f FILE_WITH_KEY

or -F for hidden recipient.

     --recipient-file file
     -f   This option is similar to --recipient except that it encrypts
          to a key stored in the given file. file must be the name of a
          file containing exactly one key. gpg assumes that the key in
          this file is fully valid.
Requires at least 2.1.14

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From 2017-r3sgs86x8e-lists-groups at riseup.net Sat Nov 25 11:54:15 2017
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sat, 25 Nov 2017 10:54:15 +0000
Subject: Getting more verbose details of a key
In-Reply-To: <87ine5v0wn.fsf@wheatstone.g10code.de>
References: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: <94683068.20171125105415@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Monday 20 November 2017 at 7:56:24 AM, in , Werner Koch wrote:-

> gpg --import-options show-only --import
> (Suggestions for the name of a shortcut command are
> welcome)

How about gpg --list-keys --file filename?

- --
Best regards

MFPA

You're only young once; you can be immature forever
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWhlLyV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+g7qAP94pel8wyaQkXXdP0G+bPh9ldw37YI1sl1+NWK/cdmtoQD9E/TizezsFlpT
GgCfnThznJGeqhR9q+OJbsBykwfuuwSJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWhlLyV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/6LhD/9MTUH3MVIHFrrSJN6iw9VdXiuY
HKg5RILGQj6em/dRdO15xfEqJQcg9D+PeAx71cwtcDDVMnrIneeZ1kH6Q+HSqf7e
mZ0KWamKqh16FjRbDJFTdD1XA/O8+YnZ9hUoTsqEMWMT4OU9lCi+lIMpYyVkNa+b
AoeHQJdqNDA5z8ghqopBdNvVq+Wu5FLtIRQ6Q9RtNUXa7J5kpt3ODsd2T8AqhlmN
md7oaRXd0QhvFphTCXghI0H7sOJZsKRE1d8pXHckTUFVou5Wcrq9k/bGesYC/Zea
tDzUP7Oi0HkCDiA45W16cDM8GCBRyw6NMaSxPF3Ax9yOps3sbfdcGe09jEvtssbv
efS0lfu8Lu+IkxFb4arvLYjREfHNtDWUupG/1b/uPaTkmGC3A4d5t38zLCWBnuKP
STXHLHBgZlHEr/BBnP40u7XUDc7n5GTZRXA4TPx2MYxoNjMg0N3C/5igcxWmFpSU
byfRwyisZEiBliDW+iMuE0fsBcXbagZsXB7zvTdfzIRGMq18/FQcZ9RfBBAMfl+r
9HjEzFD9YCVXy7VkQE4vJuLUA/kxxYf5XUJNUsNTu5YrgiWZTaUGuhjpvFV3bIFu
+QSVl5pOcUlWejD2qHPVPhM55ktQ5TMWdJi4+rFnT6Iw0/7vQjG+5Y2NfYFcGvry
+V+XJVWHoABDO/tSaw==
=ecKP
-----END PGP SIGNATURE-----

From mac3iii at gmail.com Sat Nov 25 13:40:22 2017
From: mac3iii at gmail.com (murphy)
Date: Sat, 25 Nov 2017 07:40:22 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To:
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> <873756hdpl.fsf@wheatstone.g10code.de> <507d3f1c-56f1-26b9-27c2-169a1120acca@gmail.com>
Message-ID:

Yes, the permissions and gpg-agent.conf creation is a problem I would like to find an easy way around. As it turns out a fresh install of ubuntu 16.04.3 already has /usr/bin/pinentry-gnome3 installed. That, plus the fact that libgnutls28-dev also installs a bunch of stuff on my bash file means I can reduce it to:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y libreadline-dev
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools --with-pinentry-pgm=/usr/bin/pinentry-gnome3' native
sudo ldconfig

Of course the line "sudo make -f ... native" is all one line. This enables pinentry-gnome3 without having to do a separate creation of gpg-agent.conf and the whole issue of permissions is avoided. I would like to thank Werner, Robert, and Phil for the very helpful suggestions.
murphy

On 11/25/2017 04:02 AM, Dmitry Gudkov wrote:
>
> hi murphy,
>
> i dare suggest adding this command after creating gpg-agent.conf file:
>
> *chmod 600 gpg-agent.conf*
>
> i came across an old thread on gnupg 2.xxx where it's said that .gnupg
> directory must have 700 and all files inside this directory 600
> permissions
>
> cheers
>
> Dmitry
>

From bnsmall69169 at gmail.com Fri Nov 24 09:10:44 2017
From: bnsmall69169 at gmail.com (Brent Small)
Date: Fri, 24 Nov 2017 00:10:44 -0800
Subject: SHA1 collision found
Message-ID: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>

What's up

Sent from my iPhone

From jerry at seibercom.net Sat Nov 25 14:24:29 2017
From: jerry at seibercom.net (Jerry)
Date: Sat, 25 Nov 2017 08:24:29 -0500
Subject: SHA1 collision found
In-Reply-To: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>
References: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>
Message-ID: <20171125082429.00007442@seibercom.net>

On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated:

>What's up

up

ADVERB
toward the sky or a higher position: "he jumped up" [more]
synonyms: up · higher · uphill · upslope · to the top · skyward · heavenward
to the place where someone is: "Dot didn't hear Mrs. Parvis come creeping up behind her"
at or to a higher level of intensity, volume, or activity: "she turned the volume up"
[more]
into the desired or a proper condition: "the mayor agreed to set up a committee"

PREPOSITION
from a lower to a higher point on (something); upward along: "she climbed up a flight of steps"

ADJECTIVE
directed or moving toward a higher place or position: "the up escalator"
in a cheerful mood; ebullient: "the mood here is resolutely up"
(of a computer system or industrial process) functioning properly: "the system is now up"
at an end: "his contract was up in three weeks" [more]

NOUN
a period of good fortune: "you can't have ups all the time in football"

VERB
do something abruptly or boldly: "she upped and left him"
cause (a level or amount) to be increased: "capacity will be upped by 70 percent next year"
lift (something) up: "everybody was cheering and upping their glasses"

From guru at unixarea.de Sat Nov 25 16:45:12 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 25 Nov 2017 16:45:12 +0100
Subject: SHA1 collision found
In-Reply-To: <20171125082429.00007442@seibercom.net>
References: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>
Message-ID: <91c8bcda-0c87-44d8-94a5-633c409cdeea@unixarea.de>

On Saturday, 25 November 2017 14:24:29 CET, Jerry wrote:
> On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated:
>
>>What's up
>
> up
>
> ADVERB
>
> ...

Maybe the OP wanted to send this to What's Ape.

matthias

-- 
Sent from my Ubuntu phone
http://www.unixarea.de/

From wk at gnupg.org Sat Nov 25 18:27:02 2017
From: wk at gnupg.org (Werner Koch)
Date: Sat, 25 Nov 2017 18:27:02 +0100
Subject: Ask gpg-agent/scdaemon to release a smartcard?
In-Reply-To: <20171124093044.3tq3nrcvpqnk6l3c@eridan.ccs.ecp.fr> (Nicolas Boullis's message of "Fri, 24 Nov 2017 10:30:44 +0100")
References: <20171124093044.3tq3nrcvpqnk6l3c@eridan.ccs.ecp.fr>
Message-ID: <87bmjqw9p5.fsf@wheatstone.g10code.de>

On Fri, 24 Nov 2017 10:30, nicolas.boullis at ecp.fr said:

> Is there a way I can ask gpg-agent/scdaemon to release this smartcard,

  gpg-connect-agent 'scd killscd' /bye

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From raysatiro at yahoo.com Sun Nov 26 07:26:49 2017
From: raysatiro at yahoo.com (Ray Satiro)
Date: Sun, 26 Nov 2017 01:26:49 -0500
Subject: gpg in windows hanging rarely
Message-ID:

I'm using gpg and I notice rarely I will run a command and it will just hang. What could be the reasons for that? The two commands I've noticed it happening are --import and --delete-keys. I've noticed it in my regular key database and was able to reproduce it once when I set GNUPGHOME to an empty directory to make a new database (unfortunately I did not have the foresight to run --debug-all at that time).

gpg (GnuPG) 2.2.1
libgcrypt 1.8.1

In an attempt to coax out the hang I imported in a loop a few thousand times, but it didn't hang.

cd foo
set GNUPGHOME=.

then I run a batch file ..\a.bat that does the loop:

:restart
gpg --debug-all --import c:\fedora.gpg
rm -rf *
goto restart

One thing I did notice was I ended up with a number of gpg-agent processes that did not immediately terminate. After a minute they did though. I also notice there's 4 gpg-agent processes still running from earlier in the day.
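An added example for the reproduction loop above (not code from the thread or from GnuPG): this Python wrapper runs the same command repeatedly with a timeout and, on the first run that stalls, kills it and keeps the stderr that --debug-all had already written, so the log that was missing when the hang first appeared is captured from the stuck run itself. `demo_command` is a constructed stand-in that stalls on one chosen run so the harness can be exercised without gpg; the gpg line under `__main__` uses the import path from the thread and assumes GNUPGHOME is set in the environment.

```python
"""Loop a flaky command until it hangs and keep the stuck run's debug output (added example)."""
import subprocess, sys

def run_until_hang(cmd, timeout, max_runs, setup=None, log_path=None):
    """Run cmd up to max_runs times, calling setup() before each run (the 'rm -rf *' step in
    the thread's batch file). Every "{run}" in cmd is replaced by the run number. Returns
    (run_number, stderr_text) for the first run exceeding timeout seconds (that run is
    killed), or (None, "") if no run hung."""
    for n in range(1, max_runs + 1):
        if setup:
            setup()
        argv = [a.replace("{run}", str(n)) for a in cmd]
        proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True)
        try:
            proc.communicate(timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            _, err = proc.communicate()  # what --debug-all wrote before the process stalled
            if log_path:
                with open(log_path, "w") as fh:
                    fh.write(err)
            return n, err
    return None, ""

def demo_command(hang_on_run):
    """Constructed stand-in for the gpg call: writes one debug line, then stalls on one run."""
    script = ("import sys, time; n = int(sys.argv[1]); "
              "sys.stderr.write('debug: run %d\\n' % n); sys.stderr.flush(); "
              f"time.sleep(30 if n == {hang_on_run} else 0)")
    return [sys.executable, "-c", script, "{run}"]

if __name__ == "__main__":
    # The real loop from the thread (path as posted); GNUPGHOME comes from the environment.
    gpg_cmd = ["gpg", "--debug-all", "--import", r"c:\fedora.gpg"]
    hung, err = run_until_hang(gpg_cmd, timeout=60, max_runs=3000, log_path="hang-debug.log")
    print("no hang" if hung is None else f"hung on run {hung}; {len(err)} chars of debug output saved")
```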
From raysatiro at yahoo.com Sun Nov 26 09:05:25 2017
From: raysatiro at yahoo.com (Ray Satiro)
Date: Sun, 26 Nov 2017 03:05:25 -0500
Subject: gpg in windows hanging rarely
In-Reply-To:
References:
Message-ID: <473b26d3-d3a8-2469-d882-db6232724f39@yahoo.com>

On 11/26/2017 1:26 AM, Ray Satiro wrote:
> I'm using gpg and I notice rarely I will run a command and it will just
> hang. What could be the reasons for that? The two commands I've noticed
> it happening are --import and --delete-keys. I've noticed it in my
> regular key database and was able to reproduce it once when I set
> GNUPGHOME to an empty directory to make a new database (unfortunately I
> did not have the foresight to run --debug-all at that time).
>
> gpg (GnuPG) 2.2.1
> libgcrypt 1.8.1
>
> In an attempt to coax out the hang I imported in a loop a few thousand
> times, but it didn't hang.
>
> cd foo
> set GNUPGHOME=.
>
> then I run a batch file ..\a.bat that does the loop:
>
> :restart
> gpg --debug-all --import c:\fedora.gpg
> rm -rf *
> goto restart
>
> One thing I did notice was I ended up with a number of gpg-agent
> processes that did not immediately terminate. After a minute they did
> though. I also notice there's 4 gpg-agent processes still running from
> earlier in the day.

https://dev.gnupg.org/T3378 might be it. Let me know if I can be of any assistance.

From wk at gnupg.org Mon Nov 27 08:01:41 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 27 Nov 2017 08:01:41 +0100
Subject: gpg in windows hanging rarely
In-Reply-To: <473b26d3-d3a8-2469-d882-db6232724f39@yahoo.com> (Ray Satiro via Gnupg-users's message of "Sun, 26 Nov 2017 03:05:25 -0500")
References: <473b26d3-d3a8-2469-d882-db6232724f39@yahoo.com>
Message-ID: <871skkurvu.fsf@wheatstone.g10code.de>

On Sun, 26 Nov 2017 09:05, gnupg-users at gnupg.org said:

> https://dev.gnupg.org/T3378 might be it. Let me know if I can be of any
> assistance.

Right.
It is hard to replicate and, worse, we can't replicate it with any debug logging enabled.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Nov 27 08:04:08 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 27 Nov 2017 08:04:08 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <94683068.20171125105415@my_localhost_LG> (MFPA's message of "Sat, 25 Nov 2017 10:54:15 +0000")
References: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> <87ine5v0wn.fsf@wheatstone.g10code.de> <94683068.20171125105415@my_localhost_LG>
Message-ID: <87wp2ctd7b.fsf@wheatstone.g10code.de>

On Sat, 25 Nov 2017 11:54, 2017-r3sgs86x8e-lists-groups at riseup.net said:

> How about gpg --list-keys --file filename?

Well, a single command would be better. I am currently thinking about

  --show       detect type of input and use appropriate listing
  --show-key   assume a key and list that
  --show-msg   assume a message and print something without decryption.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From hexumg at gmail.com Mon Nov 27 20:32:12 2017
From: hexumg at gmail.com (Eugene Bright)
Date: Mon, 27 Nov 2017 22:32:12 +0300
Subject: gpg --card-status doesn't create key stubs
Message-ID:

Hello!

I'm trying to make my hand-made OpenPGP smart card work. Card status looks good and I can move keys with the keytocard command. But I can't find a way to encrypt data by card-stored keys.

Public keys are imported and can be shown by `gpg -k`.
`gpg --card-status` shows that keys are on the card.
`gpg -K` shows no private keys available.
Can someone give me advice on what step I should do next to make my card work?

I've posted a full reproduction scenario. It can be found here:
https://github.com/jderuiter/javacard-openpgpcard/issues/5

Regards,
Eugene Bright.

From gnupgpacker at on.yourweb.de Tue Nov 28 11:27:13 2017
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Tue, 28 Nov 2017 11:27:13 +0100
Subject: Extending validity of main- and subkeys in one step possible?
Message-ID: <000001d36833$74acd160$5e067420$@on.yourweb.de>

Hello,

is there any possibility to extend a key's validity of *all* keys in a keyset in *one* step?
So 2017-12-31 should be changed to 2019-12-31 for all subkeys...

Otherwise it would be necessary to choose every subkey with key 1, key 2 and so on, then 'expire', then passphrase...

--example--
Geheimer Schlüssel ist vorhanden.

pub  4096R/7BF4xxxx  erzeugt: 2015-01-08  verfällt: 2017-12-31  Aufruf: C
                     Vertrauen: uneingeschränkt  Gültigkeit: uneingeschränkt
sub  4096R/13EDxxxx  erzeugt: 2015-01-08  verfällt: 2017-12-31  Aufruf: A
sub  4096R/CCFCxxxx  erzeugt: 2015-01-08  verfällt: 2017-12-31  Aufruf: S
sub  4096R/EBB9xxxx  erzeugt: 2015-01-08  verfällt: 2017-12-31  Aufruf: E
[ uneing.] (1). xy xz

Ändern des Verfallsdatums des Hauptschlüssels.
Bitte wählen Sie, wie lange der Schlüssel gültig bleiben soll.
         0 = Schlüssel verfällt nie
      <n>  = Schlüssel verfällt nach n Tagen
      <n>w = Schlüssel verfällt nach n Wochen
      <n>m = Schlüssel verfällt nach n Monaten
      <n>y = Schlüssel verfällt nach n Jahren
Wie lange bleibt der Schlüssel gültig? (0) 24m
--example-end--

Thx + regards,
Chris

From wk at gnupg.org Wed Nov 29 18:16:59 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 29 Nov 2017 18:16:59 +0100
Subject: Extending validity of main- and subkeys in one step possible?
In-Reply-To: <000001d36833$74acd160$5e067420$@on.yourweb.de> (gnupgpacker@on.yourweb.de's message of "Tue, 28 Nov 2017 11:27:13 +0100")
References: <000001d36833$74acd160$5e067420$@on.yourweb.de>
Message-ID: <87po81knsk.fsf@wheatstone.g10code.de>

On Tue, 28 Nov 2017 11:27, gnupgpacker at on.yourweb.de said:

> is there any possibility to extend key's validity of *all* keys in a keyset
> in *one* step?

  key *

selects all keys.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From gnupgpacker at on.yourweb.de Thu Nov 30 11:19:04 2017
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Thu, 30 Nov 2017 11:19:04 +0100
Subject: Extending validity of main- and subkeys in one step possible?
In-Reply-To: <87po81knsk.fsf@wheatstone.g10code.de>
References: <000001d36833$74acd160$5e067420$@on.yourweb.de> <87po81knsk.fsf@wheatstone.g10code.de>
Message-ID: <003b01d369c4$a61755d0$f2460170$@on.yourweb.de>

Sorry, it doesn't work for GPG v1.4.22...

Key set is called, then

gpg> key *
=> Changing date with 'expire' is not working for all (sub)keys.

gpg> key 1
=> working

Any additional hint?

Thx + regards,
Chris

>> is there any possibility to extend key's validity of *all* keys in a
>> keyset
>> in *one* step?
>
> key *
>
> selects all keys.
>

From lechtitseb at gmail.com Wed Nov 29 21:50:54 2017
From: lechtitseb at gmail.com (Sebastien)
Date: Wed, 29 Nov 2017 21:50:54 +0100
Subject: Using gpg-agent as ssh-agent on Windows with MSYS
Message-ID:

Hello,

I think I'm currently facing the issue described in https://lists.gnupg.org/pipermail/gnupg-users/2016-September/056771.html (sorry, couldn't find how to just reply to that thread).

I'm using GnuPG, gpg and gpg-agent in my Windows Git bash environment (MSYS) (on Windows 10 x64).
I like having everything in there for ease of use and portability.

I'd like to know if this is just a known issue/limitation with a known workaround or if it's just not supported?

Some more background about what I've configured/tried:

Just starting gpg-agent with gpg-connect-agent /bye doesn't work for me, it always gives the following error:

$ gpg-connect-agent /bye
ERR 67109139 Unknown IPC command

I could work around that error using:

MSYS_NO_PATHCONV=1 gpg-connect-agent --homedir $GNUPGHOME_WIN /bye

Where $GNUPGHOME_WIN just contains the Windows style path to my gnupg folder (in my case c:\CloudStation\Configuration\SebHome\.gnupg). Effectively like that MSYS doesn't perform path conversions and gpg-connect-agent / gpg-agent seem to receive the correct path.

In my ~/.gnupg folder I then do find those files:

gnupg_spawn_agent_sentinel.lock
S.gpg-agent
...
S.gpg-agent.ssh

And the agent seems to be running:

$ gpg-agent
gpg-agent[14380]: gpg-agent running and available

Unfortunately if I execute ssh-add -L, I get:

$ ssh-add -L
Error connecting to agent: Bad file descriptor

Here's the part of my bash profile with comments about things I've tried and that didn't help:

# GnuPG home
export GPG4WIN_HOME=$TOOLS_HOME/Gpg4Win_3.0.1
export GPG_HOME=$GPG4WIN_HOME/GnuPG
export KLEOPATRA_HOME=$GPG4WIN_HOME/Gpg4win
append_to_path $GPG_HOME
append_to_path $GPG_HOME/bin
append_to_path $KLEOPATRA_HOME/bin_64
append_to_path $KLEOPATRA_HOME/bin

# where it puts its files and looks for its configuration
export GNUPGHOME=$HOME/.gnupg

# path conversion ref: https://stackoverflow.com/questions/13701218/windows-path-to-posix-path-conversion-in-bash
export GNUPGHOME_WIN=$(eval "echo $GNUPGHOME" | sed -e 's/^\///' -e 's/\//\\/g' -e 's/^./\0:/')

# create the home folder otherwise gpg will complain
mkdir -p `echo $GNUPGHOME`

alias gpg='gpg.exe'
alias pgp='gpg'
alias kleopatra='kleopatra.exe'

# Start the gpg-agent (daemon)
# Eliminate path conversion issues for that specific command
# Reference: https://stackoverflow.com/questions/7250130/how-to-stop-mingw-and-msys-from-mangling-path-names-given-at-the-command-line
# daemon that will manage the gpg keys and allow to perform ssh auth
#eval $( MSYS_NO_PATHCONV=1 gpg-agent --daemon --enable-ssh-support --enable-putty-support --homedir $GNUPGHOME_WIN ) &

# Ref: https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
# Ref: https://www.gnupg.org/documentation/manuals/gnupg/Invoking-gpg_002dconnect_002dagent.html
MSYS_NO_PATHCONV=1 gpg-connect-agent --homedir $GNUPGHOME_WIN /bye

# Configure SSH_AUTH_SOCK (so that ssh-add can contact the gpg-agent)
#export GPG_AGENT_PID=$$
#export GPG_AUTH_SOCK=$(echo $HOME/.gnupg/S.gpg-agent.ssh)
#export SSH_AUTH_SOCK=$GPG_AUTH_SOCK

# with Win path (not helping)
#export GPG_AUTH_SOCK=$(echo $GNUPGHOME_WIN/S.gpg-agent.ssh)
#export SSH_AUTH_SOCK=$GPG_AUTH_SOCK

#export SSH_ENV="$HOME/.ssh/environment"

Any help would really be appreciated!

From wk at gnupg.org Thu Nov 30 12:39:03 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 30 Nov 2017 12:39:03 +0100
Subject: Extending validity of main- and subkeys in one step possible?
In-Reply-To: <003b01d369c4$a61755d0$f2460170$@on.yourweb.de> (gnupgpacker@on.yourweb.de's message of "Thu, 30 Nov 2017 11:19:04 +0100")
References: <000001d36833$74acd160$5e067420$@on.yourweb.de> <87po81knsk.fsf@wheatstone.g10code.de> <003b01d369c4$a61755d0$f2460170$@on.yourweb.de>
Message-ID: <87bmjkj8rs.fsf@wheatstone.g10code.de>

On Thu, 30 Nov 2017 11:19, gnupgpacker at on.yourweb.de said:

> Sorry, it doesn't work for GPG v1.4.22...

That is quite possible. Won't be changed. Please use 2.2.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
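An added example for the "extending validity of main- and subkeys" thread above (not code from the thread or from GnuPG): this Python script parses the machine-readable listing that `gpg --with-colons --list-keys` prints (the format documented in GnuPG's doc/DETAILS), flags primary and subkeys that expire within a window, and lists subkeys whose expiry is out of step with the primary key, which is the state a successful `key *` + `expire` pass is meant to leave empty. The embedded listing is constructed to mirror the masked one in the thread, with placeholder key IDs and fingerprints, and one subkey deliberately given a later expiry.

```python
"""Audit key/subkey expiry from `gpg --with-colons --list-keys` output (added example, not GnuPG code)."""
from datetime import date, datetime, timezone

# Constructed listing modelled on the thread's masked one: key IDs and fingerprints are
# placeholders, not real keys. Epochs: created 2015-01-08; expiry 2017-12-31 (pub, A, S), 2020-12-31 (E).
SAMPLE_LISTING = """\
pub:u:4096:1:7BF4AAAAAAAAAAAA:1420675200:1514678400::u:::scESCA::::::23::0:
fpr:::::::::0123456789ABCDEF012345677BF4AAAAAAAAAAAA:
sub:u:4096:1:13EDBBBBBBBBBBBB:1420675200:1514678400:::::a::::::23:
fpr:::::::::0123456789ABCDEF0123456713EDBBBBBBBBBBBB:
sub:u:4096:1:CCFCCCCCCCCCCCCC:1420675200:1514678400:::::s::::::23:
fpr:::::::::0123456789ABCDEF01234567CCFCCCCCCCCCCCCC:
sub:u:4096:1:EBB9DDDDDDDDDDDD:1420675200:1609372800:::::e::::::23:
fpr:::::::::0123456789ABCDEF01234567EBB9DDDDDDDDDDDD:
"""

def parse_date(field):
    """Field 7 is epoch seconds in GnuPG 2.x (yyyy-mm-dd in 1.4); empty means never expires."""
    if not field:
        return None
    return (datetime.fromtimestamp(int(field), tz=timezone.utc).date()
            if field.isdigit() else date.fromisoformat(field[:10]))

def parse_listing(text):
    """One dict per pub/sub (sec/ssb) record; the fpr record after it supplies the fingerprint."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec", "sub", "ssb"):  # fields: 5 key ID, 7 expiry, 12 capabilities
            keys.append({"type": f[0], "keyid": f[4], "expires": parse_date(f[6]),
                         "caps": f[11], "fpr": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = f[9]  # field 10 of the fpr record
    return keys

def expiring(keys, as_of, within_days):
    """Keys whose expiry is within within_days of as_of (already-expired keys included)."""
    return [k for k in keys if k["expires"] and (k["expires"] - as_of).days <= within_days]

def subkeys_out_of_step(keys):
    """Subkeys whose expiry differs from the primary's; 'key *' + 'expire' should leave this empty."""
    primary = next(k for k in keys if k["type"] in ("pub", "sec"))
    return [k for k in keys if k["type"] in ("sub", "ssb") and k["expires"] != primary["expires"]]

def report(text, as_of_iso, within_days=60):
    """Lines for keys needing attention; as_of_iso is an ISO date string such as 2017-11-28."""
    keys, as_of = parse_listing(text), date.fromisoformat(as_of_iso)
    return ([f"{k['type']} {k['keyid']} [{k['caps']}] expires {k['expires']} fpr {k['fpr']}"
             for k in expiring(keys, as_of, within_days)]
            + [f"{k['keyid']} out of step with primary" for k in subkeys_out_of_step(keys)])
```

Run `report(open("listing.txt").read(), "2017-11-28")` on a saved `gpg --with-colons --list-keys` listing to check a real keyring the same way.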
From gnupg-users.dirk at o.banes.ch Thu Nov 30 22:53:35 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Thu, 30 Nov 2017 22:53:35 +0100
Subject: Decryption fails with error: ERR 100663364 Missing item in object
Message-ID: <4bad4a09-303f-642d-a6e9-6a9dbf7006e3@o.banes.ch>

Dear list,

I'm using GnuPG with an OpenPGP SmartCard. The key is available on two smartcards which I use on two different readers. This setup has worked well for about 1 year.

Now I have a new person mailing me - using the correct key but decryption fails with "ERR 100663364 Missing item in object".

The problem sounds exactly like [1]. Can you let me know what debugging information you need, and where, and if I should open a defect.

best regards
Dirk

[1] https://dev.gnupg.org/T2285