From dirk.gottschalk1980 at googlemail.com Wed Aug 1 17:41:24 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Wed, 01 Aug 2018 17:41:24 +0200 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? Message-ID: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> Hi. Is it possible to encrypt an external USB drive in LUKS format with an OpenPGP smartcard? The device is, until now, only passphrase encrypted and mounted on detect. Would it be possible to let gpg ask for the PIN of the card, it it's in locket state? Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From peter at digitalbrains.com Wed Aug 1 18:06:48 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 1 Aug 2018 18:06:48 +0200 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> Message-ID: On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote: > Is it possible to encrypt an external USB drive in LUKS format with an > OpenPGP smartcard? On a system with systemd: no, I don't think this can be done. Systemd doesn't want to implement cryptsetup keyscripts, and those would be needed. On a different system: it depends. What system are we talking about? :-) HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From dirk.gottschalk1980 at googlemail.com Wed Aug 1 18:16:36 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Wed, 01 Aug 2018 18:16:36 +0200 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> Message-ID: <07950c7916a6df751a435a2fff746a84d0375615.camel@googlemail.com> Hi, Am Mittwoch, den 01.08.2018, 18:06 +0200 schrieb Peter Lebbing: > On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote: > > Is it possible to encrypt an external USB drive in LUKS format with > > an > > OpenPGP smartcard? > > On a system with systemd: no, I don't think this can be done. Systemd > doesn't want to implement cryptsetup keyscripts, and those would be > needed. > > On a different system: it depends. What system are we talking about? > :-) I am using Fedora and it uses SystemD. On the other hanjd, the HDD is mounted when plugged in via GVFS and Gnome asks for the passphrase or reads it from gnome's keyring. Coult this be raplaces by the smartcard to use the gpg key in some way? I tried to use g13 with dm-crypt, but this seems not to work on Frdora for an unknown reason. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From peter at digitalbrains.com Wed Aug 1 18:32:19 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 1 Aug 2018 18:32:19 +0200 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: <07950c7916a6df751a435a2fff746a84d0375615.camel@googlemail.com> References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> <07950c7916a6df751a435a2fff746a84d0375615.camel@googlemail.com> Message-ID: <16391f3f-ffa2-de89-4e6d-d8a4f50ece0d@digitalbrains.com> On 01/08/18 18:16, Dirk Gottschalk wrote: > Coult this be raplaces by the smartcard > to use the gpg key in some way? AFAIK, this is just systemd delegating passphrase querying to the physically present user. I suppose if you could somehow influence where it got the passphrase from, there might be a way to achieve it, but I have no idea how. That's all the direction I can provide. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From tookmund at gmail.com Wed Aug 1 21:28:23 2018 From: tookmund at gmail.com (Jacob Adams) Date: Wed, 1 Aug 2018 15:28:23 -0400 Subject: GPGME status callback not working for need entropy Message-ID: I've been trying to use the GPGME status callback to get an indication of when the system is low on entropy, but I don't seem to get a callback when such an even occurs. I've enabled full status and I get Pinentry Launched status messages, so it seems to sort of be working. When generating a key without enough randomness, the whole application just locks up with no indication of what is happening. Is there anything else I could query to inform the user of what's occurring in this scenario? Thanks, Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From damien at cassou.me Thu Aug 2 07:28:41 2018 From: damien at cassou.me (Damien Cassou) Date: Thu, 02 Aug 2018 07:28:41 +0200 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> Message-ID: <87o9el49rq.fsf@cassou.me> Dirk Gottschalk via Gnupg-users writes: > Is it possible to encrypt an external USB drive in LUKS format with an > OpenPGP smartcard? The device is, until now, only passphrase encrypted > and mounted on detect. > > Would it be possible to let gpg ask for the PIN of the card, it it's in > locket state? what I do is to have the external HDD encryption passphrase in a GnuPG encrypted file of my main hard disk. Then, a bash script takes care of (1) getting the passphrase from the encrypted file, (2) mount the external disk with the passphrase. That way, you can use your smartcard. All my passwords are in GnuPG encrypted files and handled by https://www.passwordstore.org/. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill From felix.klee at inka.de Thu Aug 2 11:07:12 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Thu, 2 Aug 2018 11:07:12 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: <0fae8df52f3831a02481d6e950c5a218f392b178.camel@googlemail.com> References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> <0fae8df52f3831a02481d6e950c5a218f392b178.camel@googlemail.com> Message-ID: Hi Dirk, thanks for all your suggestions! If I can, I want to avoid creating another key. I prefer getting the issue resolved and have bugs reported/fixed along the way. I had it once before that I could not decrypt a document encrypted by a big German company with my private key. These enterprise ?solutions? seem to have issues. On Mon, Jul 30, 2018 at 5:14 PM, Dirk Gottschalk via Gnupg-users wrote: > The last packet mentions your signature key as used for encryption, > this is an error for sure. I now removed my signature key BEF6EFD38FE8DCA0 from the encrypted message: $ gpg --dearmor encrypted.asc $ gpgsplit encrypted.asc.gpg $ ls -1 000001-001.pk_enc 000002-001.pk_enc 000003-001.pk_enc 000004-001.pk_enc 000005-018.encrypted_mdc encrypted.asc encrypted.asc.gpg $ pgpdump 000001-001.pk_enc New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) New version(3) Key ID - 0xBEF6EFD38FE8DCA0 Pub alg - RSA Encrypt or Sign(pub 1) RSA m^e mod n(4096 bits) - ... -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02 $ pgpdump 000002-001.pk_enc New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) New version(3) Key ID - 0x04FDF78D1679DD94 Pub alg - RSA Encrypt or Sign(pub 1) RSA m^e mod n(4095 bits) - ... -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02 $ pgpdump 000003-001.pk_enc New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) New version(3) Key ID - 0x92663E7CA68E4EC6 Pub alg - RSA Encrypt or Sign(pub 1) RSA m^e mod n(4096 bits) - ... -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02 $ pgpdump 000004-001.pk_enc New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) New version(3) Key ID - 0x9D8C454A43A6D2DE Pub alg - RSA Encrypt or Sign(pub 1) RSA m^e mod n(4094 bits) - ... -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02 $ pgpdump 000005-018.encrypted_mdc New: Symmetrically Encrypted and MDC Packet(tag 18)(1718 bytes) Ver 1 (plain text + MDC SHA1(20 bytes)) $ cat 000002-001.pk_enc 000003-001.pk_enc 000004-001.pk_enc \ 000005-018.encrypted_mdc >new.gpg Decryption still fails: $ gpg -d new.gpg gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE gpg: encrypted with RSA key, ID 92663E7CA68E4EC6 gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2016-12-17 "Felix E. Klee " gpg: public key decryption failed: Missing item in object gpg: decryption failed: No secret key $ gpg --list-packets new.gpg gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE gpg: encrypted with RSA key, ID 92663E7CA68E4EC6 gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2016-12-17 "Felix E. Klee " gpg: public key decryption failed: Missing item in object gpg: decryption failed: No secret key # off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94 data: [4095 bits] # off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6 data: [4096 bits] # off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE data: [4094 bits] # off=1581 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb :encrypted data packet: length: 1718 mdc_method: 2 As before, the reason given for ?public key decryption failed? depends on the card reader used: * SCM SPR332 v2: ?Missing item in object? * Cherry ST-2000: ?Invalid value? * REINER SCT cyberJack: ?Missing item in object? It seems like the card reader cannot decrypt the session key. *Is that correct?* I also tried removing all keys except for my encryption key 04FDF78D1679DD94. This does not make a difference, i.e. encryption fails as above. / Felix From peter at digitalbrains.com Thu Aug 2 14:14:17 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 2 Aug 2018 14:14:17 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> <0fae8df52f3831a02481d6e950c5a218f392b178.camel@googlemail.com> Message-ID: <467b2a30-d43d-5561-840c-ca0c3b8a93e5@digitalbrains.com> On 02/08/18 11:07, Felix E. Klee wrote:> It seems like the card reader cannot decrypt the session key. *Is that correct?* The fact this "enterprise solution" decided to encrypt it to your primary, non-encryption-capable, key, is a big red flag that this "solution" is not compatible to "modern-day" OpenPGP. So I think it's a safe bet they also screwed up the PKESK packet for your subkey, and the error is indeed related to it not representing a valid session key. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From stefano.tranquillini at gmail.com Thu Aug 2 14:11:34 2018 From: stefano.tranquillini at gmail.com (Stefano Tranquillini) Date: Thu, 2 Aug 2018 14:11:34 +0200 Subject: cannot decrypt file symmetric encrypted Message-ID: Hi all, last year I encrypted some files, today i tried to decrypt them but the decryption fails stefano@~/Downloads/words$ gpg -d words.1.gpg gpg: AES256 encrypted data gpg: encrypted with 1 passphrase gpg: decryption failed: Bad session key can it be the difference between 1.4 (i guess in july 2017 that was) and the current one stefano@~/Downloads/words$ gpg --version gpg (GnuPG/MacGPG2) 2.2.8 libgcrypt 1.8.3 what can I do? (i'm on a mac) -- Stefano -------------- next part -------------- An HTML attachment was scrubbed... URL: From sebastian at karotte.org Thu Aug 2 16:25:21 2018 From: sebastian at karotte.org (Sebastian Wiesinger) Date: Thu, 2 Aug 2018 16:25:21 +0200 Subject: Pinentry does not show "please insert smartcard" dialog In-Reply-To: <20180731162249.rorosljshypjo5si@danton.fire-world.de> References: <20180627074208.dpn2z2mi3agswev3@danton.fire-world.de> <7caacdf33f7192a5d41752816544a0dfab70ee7c.camel@googlemail.com> <20180731162249.rorosljshypjo5si@danton.fire-world.de> Message-ID: <20180802142520.fiqsif3ppnhflibm@danton.fire-world.de> * Sebastian Wiesinger [2018-07-31 18:24]: > > There is no card reader available, when yubikey is not plugged in. I > > use the smartcard with a external reader. I also do not see this dialof > > when the Reader is not connected. > > > > I think, there is a dependence to a connected reader to schow this > > dialog. > > I don't think this is the reason because the same setup works under > OSX. And after upgrading to Xubuntu 18.04 it started working again... no idea what the problem was in the end. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 614 bytes Desc: not available URL: From dirk.gottschalk1980 at googlemail.com Thu Aug 2 20:56:57 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Thu, 02 Aug 2018 20:56:57 +0200 Subject: cannot decrypt file symmetric encrypted In-Reply-To: References: Message-ID: <742bc6df4ac89ca5e595e1f24e2d6faef0ecf14b.camel@googlemail.com> Hi. Am Donnerstag, den 02.08.2018, 14:11 +0200 schrieb Stefano Tranquillini: > Hi all, > last year I encrypted some files, today i tried to decrypt them but > the > decryption fails > stefano@~/Downloads/words$ gpg -d words.1.gpg > gpg: AES256 encrypted data > gpg: encrypted with 1 passphrase > gpg: decryption failed: Bad session key > can it be the difference between 1.4 (i guess in july 2017 that was) > and > the current one I don't now if there's any difference in symmetric encryption between 1.4.X and 2.2.X. > stefano@~/Downloads/words$ gpg --version > gpg (GnuPG/MacGPG2) 2.2.8 > libgcrypt 1.8.3 > what can I do? > (i'm on a mac) You could download and build the legacy version of GPG and give it a try. Are you sure you used the correct passphrase to decrypt? Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From felix.klee at inka.de Fri Aug 3 09:16:59 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Fri, 3 Aug 2018 09:16:59 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: <467b2a30-d43d-5561-840c-ca0c3b8a93e5@digitalbrains.com> References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> <0fae8df52f3831a02481d6e950c5a218f392b178.camel@googlemail.com> <467b2a30-d43d-5561-840c-ca0c3b8a93e5@digitalbrains.com> Message-ID: On Thu, Aug 2, 2018 at 2:14 PM, Peter Lebbing wrote: > So I think it's a safe bet they also screwed up the PKESK packet for > your subkey, and the error is indeed related to it not representing a > valid session key. As I would like to understand things a bit better, do you think it is possible to get some more details? In particular: * Is the encrypted packet in a bad format? * Does the 4096 bit RSA decryption fail? * Or: Is the decrypted packet in a bad format? Again, the output by `pgpdump` for the packet associated with my encryption key 04FDF78D1679DD94: $ pgpdump 000002-001.pk_enc New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) New version(3) Key ID - 0x04FDF78D1679DD94 Pub alg - RSA Encrypt or Sign(pub 1) RSA m^e mod n(4095 bits) - ... -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02 For comparison, the output for a packet encrypted with GnuPG: $ gpg --version gpg (GnuPG) 2.2.9 libgcrypt 1.8.3 [?] $ gpg --recv BEF6EFD38FE8DCA0 $ echo "Hello world!" >test $ gpg -e -r BEF6EFD38FE8DCA0 test $ gpgsplit test.gpg $ ls -1 000001-001.pk_enc 000002-018.encrypted_mdc test test.gpg $ pgpdump 000001-001.pk_enc Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) New version(3) Key ID - 0x04FDF78D1679DD94 Pub alg - RSA Encrypt or Sign(pub 1) RSA m^e mod n(4095 bits) - ... -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02 The only difference: `Old` vs. `New` ? Could this be an issue? PS: Had to think a bit that PKESK = ?Public-Key Encrypted Session Key?. The crypto world seems to love acronyms. ;) (which does not make things easier for us users) From stefano.tranquillini at gmail.com Fri Aug 3 15:47:31 2018 From: stefano.tranquillini at gmail.com (Stefano Tranquillini) Date: Fri, 3 Aug 2018 15:47:31 +0200 Subject: cannot decrypt file symmetric encrypted In-Reply-To: <742bc6df4ac89ca5e595e1f24e2d6faef0ecf14b.camel@googlemail.com> References: <742bc6df4ac89ca5e595e1f24e2d6faef0ecf14b.camel@googlemail.com> Message-ID: the fact is that no passphrase is asked, and I don't know how I can force the system to ask it. On Thu, Aug 2, 2018 at 8:57 PM Dirk Gottschalk via Gnupg-users < gnupg-users at gnupg.org> wrote: > Hi. > > Am Donnerstag, den 02.08.2018, 14:11 +0200 schrieb Stefano > Tranquillini: > > Hi all, > > last year I encrypted some files, today i tried to decrypt them but > > the > > decryption fails > > > stefano@~/Downloads/words$ gpg -d words.1.gpg > > gpg: AES256 encrypted data > > gpg: encrypted with 1 passphrase > > gpg: decryption failed: Bad session key > > > can it be the difference between 1.4 (i guess in july 2017 that was) > > and > > the current one > > I don't now if there's any difference in symmetric encryption between > 1.4.X and 2.2.X. > > > stefano@~/Downloads/words$ gpg --version > > gpg (GnuPG/MacGPG2) 2.2.8 > > libgcrypt 1.8.3 > > > what can I do? > > (i'm on a mac) > > You could download and build the legacy version of GPG and give it a > try. > > Are you sure you used the correct passphrase to decrypt? > > Regards, > Dirk > > -- > Dirk Gottschalk > Paulusstrasse 6-8 > 52064 Aachen, Germany > > GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 > Keybase.io: https://keybase.io/dgottschalk > GitHub: https://github.com/Dirk1980ac > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Stefano -------------- next part -------------- An HTML attachment was scrubbed... URL: From fuzzy_drawrings at protonmail.com Fri Aug 3 20:38:25 2018 From: fuzzy_drawrings at protonmail.com (FuzzyDrawrings) Date: Fri, 03 Aug 2018 18:38:25 +0000 Subject: cannot decrypt file symmetric encrypted Message-ID: Stefano Tranquillini wrote: > the fact is that no passphrase is asked When you hit the Enter key after typing your decrypt command, it might also be closing the pinentry dialog immediately before it can appear on screen. Make sure you don't hold down the Enter key at all - just tap it once as briefly as possible. From stefano.tranquillini at gmail.com Mon Aug 6 09:28:21 2018 From: stefano.tranquillini at gmail.com (Stefano Tranquillini) Date: Mon, 6 Aug 2018 09:28:21 +0200 Subject: cannot decrypt file symmetric encrypted In-Reply-To: References: Message-ID: i don't think that's the case. is there aa way to force the program to ask passphrase? On Fri, Aug 3, 2018 at 10:34 PM FuzzyDrawrings via Gnupg-users < gnupg-users at gnupg.org> wrote: > Stefano Tranquillini wrote: > > > the fact is that no passphrase is asked > > When you hit the Enter key after typing your decrypt command, it might > also be closing the pinentry dialog immediately before it can appear on > screen. Make sure you don't hold down the Enter key at all - just tap it > once as briefly as possible. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Stefano -------------- next part -------------- An HTML attachment was scrubbed... URL: From ciprian.craciun at gmail.com Mon Aug 6 08:38:45 2018 From: ciprian.craciun at gmail.com (Ciprian Dorin Craciun) Date: Mon, 6 Aug 2018 09:38:45 +0300 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: <16391f3f-ffa2-de89-4e6d-d8a4f50ece0d@digitalbrains.com> References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> <07950c7916a6df751a435a2fff746a84d0375615.camel@googlemail.com> <16391f3f-ffa2-de89-4e6d-d8a4f50ece0d@digitalbrains.com> Message-ID: On Wed, Aug 1, 2018 at 7:32 PM Peter Lebbing wrote: > AFAIK, this is just systemd delegating passphrase querying to the > physically present user. I suppose if you could somehow influence where > it got the passphrase from, there might be a way to achieve it, but I > have no idea how. That's all the direction I can provide. I have a similar setup where at boot time I use GnuPG to decrypt my drive with keys protected by GnuPG (instead of using LUKS). I have managed to instruct GnuPG to use `systemd-ask-password` to retrieve the password. However I imagine that with some "tinkering" one can implement a simple PIN-entry application to use `systemd-ask-password`, and thus manage to make the whole setup work with a smart card. My script and systemd service file can be found at the following link: https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c You just need to place these somewhere, update your paths (especially in the `.service` file by replacing `store` and `lvm` with appropriate tokens), and it should work by just updating your `/etc/fstab`. (These were developed and tested only on OpenSUSE.) Hope it helps, Ciprian. P.S.: I really love GnuPG for its crypto-related features, but on the flip-side I really hate it for it's "integration" related features within environments where it shouldn't double fork processes (like its agent), muck with the TTY (like when reading passwords by the agent), and in general just be "well behaved"... From aheinecke at intevation.de Mon Aug 6 10:35:59 2018 From: aheinecke at intevation.de (Andre Heinecke) Date: Mon, 06 Aug 2018 10:35:59 +0200 Subject: cannot decrypt file symmetric encrypted In-Reply-To: References: Message-ID: <2614513.PfN87sa9Oo@esus> On Monday, August 6, 2018 9:28:21 AM CEST Stefano Tranquillini wrote: > i don't think that's the case. is there aa way to force the program to ask > passphrase? Try adding "--pinentry mode loopback" to your command. Maybe there is a problem with your installation / pinentry program so that it does not start or you are acidentally using a dummy / test pinentry which provides the wrong passphrase. -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part. URL: From lawrence.larabee at ephibian.com Tue Aug 7 18:52:25 2018 From: lawrence.larabee at ephibian.com (Lawrence Larabee) Date: Tue, 7 Aug 2018 09:52:25 -0700 (MST) Subject: Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation" In-Reply-To: <740108783.83977639.1533659502978.JavaMail.zimbra@ephibian.com> Message-ID: <1711178313.83992991.1533660745370.JavaMail.zimbra@ephibian.com> I've got a new Yubikey NEO that I am trying to set up for SSH authentication. I've already personalized the card and loaded the keys, following all the creation rules (2048-bit max RSA, etc.) and loaded all the packages I am supposed to load. However I can't make it work. My platform is AMD64 GNU/Linux Ubuntu 16.04 running the Lubuntu flavor. I have tried it on two different machines with this same configuration. I have verified that I am not running ssh-agent or gnome-keyring, as I have read these can interfere. "ssh-agent -L" shows my key I run export GPG_TTY="$(tty)" export SSH_AUTH_SOCK=/home/$USER/.gnupg/S.gpg-agent.ssh gpg - connect - agent updatestartuptty /bye I confirm that gpg-agent is running and that the auth sock environment variable is pointing to the correct place. gpg-agent.conf is: default-cache-ttl 36000 pinentry-program /usr/bin/pinentry-gtk-2 no-grab enable-ssh-support (tried disabling no-grab, no difference) scdaemon.conf: reader-port "Yubico Yubikey NEO OTP CCID 00 00" card-timeout 1 (these don't make a difference, but some threads said to try it. it does same thing without the scdaemon options) I turned on debugging, here is a dump of attempting to connect via SSH: @:~$ ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so @ no slots gpg-agent[24850]: ssh handler 0x7fa474d1a700 for fd 5 started gpg-agent[24850]: ssh request handler for request_identities (11) started gpg-agent[24850]: new connection to SCdaemon established (reusing) gpg-agent[24850]: DBG: chan_6 -> GETATTR $AUTHKEYID gpg-agent[24850]: DBG: chan_6 <- S $AUTHKEYID OPENPGP.3 gpg-agent[24850]: DBG: chan_6 <- OK gpg-agent[24850]: DBG: chan_6 -> GETATTR SERIALNO gpg-agent[24850]: DBG: chan_6 <- S SERIALNO gpg-agent[24850]: DBG: chan_6 <- OK gpg-agent[24850]: DBG: chan_6 -> READKEY OPENPGP.3 gpg-agent[24850]: DBG: chan_6 <- [ ...(286 byte(s) skipped) ] gpg-agent[24850]: DBG: chan_6 <- OK gpg-agent[24850]: DBG: chan_6 -> GETATTR $DISPSERIALNO gpg-agent[24850]: DBG: chan_6 <- S $DISPSERIALNO gpg-agent[24850]: DBG: chan_6 <- OK gpg-agent[24850]: ssh request handler for request_identities (11) ready gpg-agent[24850]: ssh request handler for sign_request (13) started gpg-agent[24850]: DBG: chan_6 -> SERIALNO gpg-agent[24850]: DBG: chan_6 <- S SERIALNO 0 gpg-agent[24850]: DBG: chan_6 <- OK gpg-agent[24850]: DBG: detected card with S/N gpg-agent[24850]: DBG: encoded hash: gpg-agent[24850]: DBG: chan_6 -> SETDATA gpg-agent[24850]: DBG: chan_6 <- OK gpg-agent[24850]: DBG: chan_6 -> PKAUTH OPENPGP.3 gpg-agent[24850]: DBG: chan_6 <- INQUIRE NEEDPIN ||Please enter the PIN gpg-agent[24850]: starting a new PIN Entry gpg-agent[24850]: DBG: connection to PIN entry established gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 started gpg-agent[24850]: DBG: chan_10 -> OK Pleased to meet you, process 24850 gpg-agent[24850]: DBG: chan_8 <- OK Pleased to meet you, process 24850 gpg-agent[24850]: DBG: chan_8 -> GETINFO pid gpg-agent[24850]: DBG: chan_10 <- GETINFO pid gpg-agent[24850]: DBG: chan_10 -> D 24850 gpg-agent[24850]: DBG: chan_10 -> OK gpg-agent[24850]: DBG: chan_8 <- D 24850 gpg-agent[24850]: DBG: chan_8 <- OK gpg-agent[24850]: DBG: chan_8 -> BYE gpg-agent[24850]: DBG: chan_10 <- BYE gpg-agent[24850]: DBG: chan_10 -> OK closing connection gpg-agent[24850]: handler 0x7fa46f7fe700 for fd 10 terminated gpg-agent[24850]: DBG: chan_6 -> [ ...(76 byte(s) skipped) ] gpg-agent[24850]: DBG: chan_6 -> END gpg-agent[24850]: DBG: chan_6 <- ERR 100663404 Card error gpg-agent[24850]: smartcard signing failed: Card error gpg-agent[24850]: ssh sign request failed: Card error gpg-agent[24850]: ssh request handler for sign_request (13) ready sign_and_send_pubkey: signing failed: agent refused operation @'s password: As you can see, PIN entry works correctly, but after this everything fails with an error 100663404 and returns "signing failed: agent refused operation" I have Googled this extensively and have tried everything I can find to try to resolve this, but I've run out of things to try. Please help, LL From 999iscool at gmail.com Tue Aug 7 22:27:44 2018 From: 999iscool at gmail.com (Yu) Date: Tue, 7 Aug 2018 16:27:44 -0400 Subject: gpg: decryption failed: No secret key Message-ID: Hi I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have the master key and subkeys. So my authentication key, encryption key, and signing key should be totally fine. John-Wong:tmp jwong$ gpg --list-secret-keys /Users/jwong/.gnupg/pubring.kbx ------------------------------- sec# rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC] Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE 6539 uid [ultimate] John Wong ssb# rsa4096/0xF7254D474BF6AD14 2018-08-07 [S] ssb# rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E] ssb> rsa4096/0x676CA8641A239FE2 2018-08-07 [SA] I am confused why I get this message: gpg: decryption failed: No secret key I tried gpg --import but still doesn't help. John-Wong:~ jwong$ gpg --import mastersub.key gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status gpg: key 0xC9E7221DAFCE6539: secret key imported gpg: Total number processed: 1 gpg: unchanged: 1 gpg: secret keys read: Does anyone have any ideas for why this is happening? Thank you very much. This has been bothering me for few days now. John -------------- next part -------------- An HTML attachment was scrubbed... URL: From dirk.gottschalk1980 at googlemail.com Tue Aug 7 23:54:52 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Tue, 07 Aug 2018 23:54:52 +0200 Subject: gpg: decryption failed: No secret key In-Reply-To: References: Message-ID: Hello John. Am Dienstag, den 07.08.2018, 16:27 -0400 schrieb Yu: > Hi > > I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have > the > master key and subkeys. So my authentication key, encryption key, and > signing key should be totally fine. > > John-Wong:tmp jwong$ gpg --list-secret-keys > /Users/jwong/.gnupg/pubring.kbx > ------------------------------- > sec# rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC] > Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE > 6539 > uid [ultimate] John Wong > ssb# rsa4096/0xF7254D474BF6AD14 2018-08-07 [S] > ssb# rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E] > ssb> rsa4096/0x676CA8641A239FE2 2018-08-07 [SA] > The # indicates, that the Keys are not available in the keyring. > I am confused why I get this message: > > gpg: decryption failed: No secret key > I tried gpg --import but still doesn't help. > > John-Wong:~ jwong$ gpg --import mastersub.key > gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed > gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card- > status > gpg: key 0xC9E7221DAFCE6539: secret key imported > gpg: Total number processed: 1 > gpg: unchanged: 1 > gpg: secret keys read: > > > Does anyone have any ideas for why this is happening? Thank you very > much. > This has been bothering me for few days now. You should delete the complete secret key set from you keyring. Then import the PUBLIC keys for the card keys and then do a gpg --card- status. Importing stubs is completely senseless, in my eyes. If you set a fetch URL, you could also make --card-edit and issue a fetch command. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From 999iscool at gmail.com Wed Aug 8 01:38:29 2018 From: 999iscool at gmail.com (Yu) Date: Tue, 7 Aug 2018 19:38:29 -0400 Subject: gpg: decryption failed: No secret key In-Reply-To: References: Message-ID: Hi Dirk Thank you very much. I just want to make sure I am doing the right thing, so please excuse me if I am asking too much. You should delete the complete secret key set from you keyring. Then > import the PUBLIC keys for the card keys and then do a gpg --card- > status. > > Do I just call "gpg delete-secret-key ID" for each key ID listed in the --list-secret-keys output? > If you set a fetch URL, you could also make --card-edit and issue a > fetch command. > I have not :/ Thanks, John -------------- next part -------------- An HTML attachment was scrubbed... URL: From dirk.gottschalk1980 at googlemail.com Wed Aug 8 01:59:05 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Wed, 08 Aug 2018 01:59:05 +0200 Subject: gpg: decryption failed: No secret key In-Reply-To: References: Message-ID: Hi. Am Dienstag, den 07.08.2018, 19:38 -0400 schrieb Yu: > Hi Dirk > Thank you very much. I just want to make sure I am doing the right > thing, > so please excuse me if I am asking too much. > > You should delete the complete secret key set from you keyring. > Then > > import the PUBLIC keys for the card keys and then do a gpg --card- > > status. > > > > > > Do I just call "gpg delete-secret-key ID" for each key ID listed in > the > --list-secret-keys output? You have just to delete the keys, which are stored on the card. Deleteing the master key of them also deletes the sub keys. > > If you set a fetch URL, you could also make --card-edit and issue a > > fetch command. > > > > I have not :/ That's no problem at all. Then you have to imnport the public key of the card key BEFORE you insert the card and make --card-status. Only then the card is recognised and the stubs are generated automatically. If the public keys are not in your public keyring, the card keys are ignored. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From 999iscool at gmail.com Wed Aug 8 06:03:48 2018 From: 999iscool at gmail.com (Yu) Date: Wed, 8 Aug 2018 00:03:48 -0400 Subject: gpg: decryption failed: No secret key In-Reply-To: References: Message-ID: WOW! That works. To document this, if anyone ever run into this situation: > sec# rsa4096/0xC9E7221DAFCE6539 created: 2018-08-07 expires: never This is the key I need to delete from the card/yubikey. 1. gpg --delete-key 0xC9E7221DAFCE6539 2. gpg --card-status should return NONE and gpg --list-keys would return gpg: no ultimately trusted keys found 3. pull out the card 4. run gpg --import PUBLIC_KEY_FILE 5. insert the card 6. gpg --card-status 7. now try to encrypt and decrypt (you will be prompted to enter your PIN to unlock your card). Thank you Dirk! On Tue, Aug 7, 2018 at 7:59 PM Dirk Gottschalk < dirk.gottschalk1980 at googlemail.com> wrote: > Hi. > > Am Dienstag, den 07.08.2018, 19:38 -0400 schrieb Yu: > > Hi Dirk > > > Thank you very much. I just want to make sure I am doing the right > > thing, > > so please excuse me if I am asking too much. > > > > You should delete the complete secret key set from you keyring. > > Then > > > import the PUBLIC keys for the card keys and then do a gpg --card- > > > status. > > > > > > > > > > Do I just call "gpg delete-secret-key ID" for each key ID listed in > > the > > --list-secret-keys output? > > You have just to delete the keys, which are stored on the card. > Deleteing the master key of them also deletes the sub keys. > > > > > If you set a fetch URL, you could also make --card-edit and issue a > > > fetch command. > > > > > > > I have not :/ > > That's no problem at all. Then you have to imnport the public key of > the card key BEFORE you insert the card and make --card-status. Only > then the card is recognised and the stubs are generated automatically. > > If the public keys are not in your public keyring, the card keys are > ignored. > > Regards, > Dirk > > -- > Dirk Gottschalk > Paulusstrasse 6-8 > 52064 Aachen, Germany > > GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 > Keybase.io: https://keybase.io/dgottschalk > GitHub: https://github.com/Dirk1980ac > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vedaal at nym.hush.com Wed Aug 8 03:35:29 2018 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 07 Aug 2018 21:35:29 -0400 Subject: cannot decrypt file symmetric encrypted In-Reply-To: <742bc6df4ac89ca5e595e1f24e2d6faef0ecf14b.camel@googlemail.com> References: <742bc6df4ac89ca5e595e1f24e2d6faef0ecf14b.camel@googlemail.com> Message-ID: <20180808013529.804A7E0151@smtp.hushmail.com> On 8/2/2018 at 3:01 PM, "Dirk Gottschalk via Gnupg-users" wrote: >Am Donnerstag, den 02.08.2018, 14:11 +0200 schrieb Stefano >Tranquillini: >> Hi all, >> last year I encrypted some files, today i tried to decrypt them >but >> the >> decryption fails > >> stefano@~/Downloads/words$ gpg -d words.1.gpg >> gpg: AES256 encrypted data >> gpg: encrypted with 1 passphrase >> gpg: decryption failed: Bad session key ... >Are you sure you used the correct passphrase to decrypt? ===== It was probably not the correct passphrase. The error that gpg2 gives when entering the wrong passphrase for a symmetrically encrypted message is exactly: gpg: decryption failed: Bad session key This is the same whether you are off for even 1 character of the passphrase, or even if you just press 'enter' without a passphrase at all. Here is a sample symmetrically encrypted message: -----BEGIN PGP MESSAGE----- Version: GnuPG v1 Comment: Passphrase: sss jA0EBwMCPJYegoCPRBRg0jkBnZym0Pr+ggBpBJYtHlYJgf90SL6YbWa1vcbLdl7H jwxeR5cIFoNhytyUIFxdvrLNP59qkqzLKkI= =pHIB -----END PGP MESSAGE----- First enter the correct passphrase, sss gpg (V1 and V2) decrypts it as is should be. now enter just ss or anything except the correct passphrase, or just press enter, and you get: gpg: decryption failed: bad key (when using Version 1.4.x) gpg: decryption failed: Bad session key (when using Version 2.x) (Something to do with the string-to-key formation. When the passphrase is off, the 'key' generated from it, is wrong, and when that wrong 'key' is used to attempt decryption, gpg rightfully gives an error message that the 'key' is bad. maybe worthy of a note in the FAQ ... ) vedaal From dirk.gottschalk1980 at googlemail.com Wed Aug 8 06:14:45 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Wed, 08 Aug 2018 06:14:45 +0200 Subject: gpg: decryption failed: No secret key In-Reply-To: References: Message-ID: Hi. Am Mittwoch, den 08.08.2018, 00:03 -0400 schrieb Yu: > WOW! That works. > > To document this, if anyone ever run into this situation: > > > sec# rsa4096/0xC9E7221DAFCE6539 created: 2018-08-07 expires: > > never > > This is the key I need to delete from the card/yubikey. > > 1. gpg --delete-key 0xC9E7221DAFCE6539 > > 2. gpg --card-status should return NONE and gpg --list-keys would > return > gpg: no ultimately trusted keys found > > 3. pull out the card > > 4. run gpg --import PUBLIC_KEY_FILE > > 5. insert the card > > 6. gpg --card-status > > 7. now try to encrypt and decrypt (you will be prompted to enter your > PIN > to unlock your card). > > Thank you Dirk! You're welcome. This is, AFAIK, also somewhere deep inside the docs. Just to make things clear. The user information, UID and so on, is in the public part of the key, AFAIK. This means, to map the secret key to it's ither data, you must have the public key in your keyring. The -- card-status reads the information oin the card and maps the key to the public part using the Fingerprint, I think. In my case, when I use one of my cards, where the fetch URL is not set, I download the keys from the keyserver with "--recv-keys" and then I read the card with "--card-status". But in general, I prefer the way using the fetch URL. It's faster to make "--card-edit" and just use fetch. This comines both funcrions. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From tim.perkins at nwea.org Fri Aug 10 02:20:49 2018 From: tim.perkins at nwea.org (Tim Perkins) Date: Fri, 10 Aug 2018 00:20:49 +0000 Subject: keys.gnupg.net is blocked by Palo Alto Wildfire Message-ID: Not sure if this is the right place to send this, but I figured I?d start here since keys.gnupg.net seems to be hardcoded as a default in the source code for GnuPG. The company I work for leverages Palo Alto products for security, and we recently observed that keys.gnupg.net was not resolving properly. After digging into it, we discovered that Palo Alto is flagging keys.gnupg.net as a Malware site. I?ve gone ahead and submitted a request for them to reclassify it as a non-malicious ?Computer and Internet Info,? but that doesn?t exactly answer _why_ it was flagged. And it looks like they may have just changed it while I was in the process of writing this email (can be checked at https://urlfiltering.paloaltonetworks.com/query/ ). I did observe that at least one of the pool members seems to not be configured properly (if I do a ?curl -k -H 'Host: http-keys.gnupg.net' https://37.191.226.104? it displays a busted Matomo page). And I?m left wondering if one of the pool members was serving up something that caused Palo Alto to flag keys.gnupg.net. Oddly enough, neither hkps.pool.sks-keyservers.net nor sks-keyserver.net was blocked. --Tim -------------- next part -------------- An HTML attachment was scrubbed... URL: From kristian.fiskerstrand at sumptuouscapital.com Fri Aug 10 11:10:54 2018 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 10 Aug 2018 11:10:54 +0200 Subject: keys.gnupg.net is blocked by Palo Alto Wildfire In-Reply-To: References: Message-ID: <0e43755d-11c8-343d-fdb8-4174436e9760@sumptuouscapital.com> On 08/10/2018 02:20 AM, Tim Perkins wrote: > I did observe that at least one of the pool members seems to not be > configured properly (if I do a ?curl -k -H 'Host: > http-keys.gnupg.net' https://37.191.226.104? it displays a busted > Matomo page). This is actually my server, but why would it respond to such a host on port 80? it responds to keys.gnupg.net on 11371 (default HKP port) as it should. Fut for HKPS/HTTPS there aren't any expectations for certificates for the SNI etc, hkps.pool.sks-keyservers.net is used for that by default. -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- Audaces fortuna iuvat Fortune favors the brave -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From kardan at riseup.net Sat Aug 11 09:49:03 2018 From: kardan at riseup.net (kardan) Date: Sat, 11 Aug 2018 09:49:03 +0200 Subject: ERR 167804929 Permission denied / No rule to make target 'audit-events.h' Message-ID: <20180811094223.27453c3c@t43.ts> Hi, today i was able to catch up on gnupg and IPv6 (somehow I missed the primer before). Long story below, here's the short fix: echo "SocksPort 9050 IPv6Traffic" >> /etc/tor/torrc # don't run it I have two issues with gpg on debian buster. dirmngr constantly fails (does not anymore) to search for keys: $ gpg --search 74A941BA219EC810 gpg: error searching keyserver: Permission denied gpg: keyserver search failed: Permission denied $ gpg --version gpg (GnuPG) 2.2.9 libgcrypt 1.8.3 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /home/user/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Long version for Werner and other gurus I fail to name: $ gpg --debug-level=guru --recv-key 74A941BA219EC810 gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extp rog gpg: DBG: [not enabled in the source] start gpg: DBG: chan_3 <- # Home: /home/user/.gnupg gpg: DBG: chan_3 <- # Config: /home/user/.gnupg/dirmngr.conf gpg: DBG: chan_3 <- OK Dirmngr 2.2.9 at your service gpg: DBG: connection to the dirmngr established gpg: DBG: chan_3 -> GETINFO version gpg: DBG: chan_3 <- D 2.2.9 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KS_GET -- 0x74A941BA219EC810 gpg: DBG: chan_3 <- ERR 167804929 Keine Berechtigung gpg: keyserver receive failed: Permission denied gpg: DBG: chan_3 -> BYE gpg: DBG: [not enabled in the source] stop gpg: keydb: handles=0 locks=0 parse=0 get=0 gpg: build=0 update=0 insert=0 delete=0 gpg: reset=0 found=0 not=0 cache=0 not=0 gpg: kid_not_found_cache: count=0 peak=0 flushes=0 gpg: sig_cache: total=0 cached=0 good=0 bad=0 gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0 gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0 gpg: secmem usage: 0/65536 bytes in 0 blocks ) = 39 write(3, "KS_GET -- 0x74A941BA219EC810", 28) = 28 write(3, "\n", 1) = 1 read(3, "ERR 167804929 Keine Berechtigung"..., 1002) = 42 read(3, "\n", 960) = 1 write(2, "gpg: DBG: ", 10gpg: DBG: ) = 10 write(2, "chan_3 <- ERR 167804929 Keine Be"..., 53chan_3 <- ERR 167804929 Keine Berechtigung ) = 53 openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or dirctory) openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or diretory) openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directry) openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directoy) openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory) write(2, "gpg: keyserver receive failed: P"..., 48gpg: keyserver receive failed: Permission denied) = 48 write(2, "\n", 1 ) = 1 write(2, "gpg: DBG: ", 10gpg: DBG: ) = 10 write(2, "chan_3 -> BYE\n", 14chan_3 -> BYE ) = 14 write(3, "BYE", 3) = 3 write(3, "\n", 1) = 1 close(3) = 0 write(2, "gpg: DBG: [not enabled in the so"..., 42gpg: DBG: [not enabled in the source] stop) = 42 write(2, "\n", 1 ) = 1 write(2, "gpg: keydb: handles=0 locks=0 pa"..., 43gpg: keydb: handles=0 locks=0 parse=0 get=0) = 43 write(2, "\n", 1 ) = 1 write(2, "gpg: build=0 update=0 ins"..., 46gpg: build=0 update=0 insert=0 delete=0) = 46 write(2, "\n", 1 ) = 1 write(2, "gpg: reset=0 found=0 not="..., 47gpg: reset=0 found=0 not=0 cache=0 not=0) = 47 write(2, "\n", 1 ) = 1 write(2, "gpg: kid_not_found_cache: count="..., 50gpg: kid_not_found_cache: count=0 peak=0 flushes=0) = 50 write(2, "\n", 1 ) = 1 write(2, "gpg: sig_cache: total=0 cached=0"..., 45gpg: sig_cache: total=0 cached=0 good=0 bad=0) = 45 write(2, "\n", 1 ) = 1 write(2, "\n", 1 ) = 1 write(2, "gpg: random usage: poolsize=600 "..., 59gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0) = 59 write(2, "\n", 1 ) = 1 write(2, " outmix=0 getlvl1=0"..., 46 outmix=0 getlvl1=0/0 getlvl2=0/0) = 46 write(2, "\n", 1 ) = 1 write(2, "gpg: rndjent stat: collector=0x0"..., 55gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0) = 55 write(2, "\n", 1 ) = 1 write(2, "gpg: secmem usage: 0/65536 bytes"..., 37gpg: secmem usage: 0/65536 bytes in 0) = 37 write(2, " blocks\n", 8 blocks ) = 8 munmap(0xb7f68000, 65536) = 0 exit_group(2) = ? +++ exited with 2 +++ ### End of log I stopped dirmngr several times, tried 'dirmngr --flush', started it with 'dirmngr --debug-all --standard-resolver' when searching for keys. It showed nothing so I assume gpg starts another instance of dirmngr in the background. Removing ~/.gnupg did not help either. My second issue is trying to install latest dirmngr from git: $ git clone https://dev.gnupg.org/source/gnupg.git ; cd gnupg # apt install libksba-dev libnpth0-dev libassuan-dev libgcrypt20-dev $ ./autogen.sh && ./configure --prefix=$HOME && make [...] GnuPG v2.3.0-beta440 has been configured as follows: Revision: 1b309d9f6 (6960) Platform: GNU/Linux (i686-pc-linux-gnu) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes (without internal CCID driver) G13: no Dirmngr: yes Gpgtar: yes WKS tools: no Protect tool: (default) LDAP wrapper: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) Dirmngr auto start: yes Readline support: no LDAP support: no TLS support: gnutls TOFU support: yes Tor support: yes make all-recursive make[1]: Entering directory '/media/user/src/gnupg' Making all in m4 make[2]: Entering directory '/media/user/src/gnupg/m4' make[2]: Nothing to be done for 'all'. make[2]: Leaving directory '/media/user/src/gnupg/m4' Making all in common make[2]: Entering directory '/media/user/src/gnupg/common' make[2]: *** No rule to make target 'audit-events.h', needed by 'all'. Stop. make[2]: Leaving directory '/media/user/src/gnupg/common' make[1]: *** [Makefile:615: all-recursive] Error 1 make[1]: Leaving directory '/media/user/src/gnupg' [make: *** [Makefile:535: all] Error 2 ### End of log Therefor I went back to investigate the origin of "ERR 167804929". It is not a hardcoded in gnupg or tor, at least it doesn't show up in the source with rgrep. With the help of google (my favourite search engine left me on this) I became aware of this log from ealier dirmngr 2.1.18, quoting : Jul 08 05:57:22 debian dirmngr[2574]: DBG: chan_5 <- KS_SEARCH -- intrig... at debian.org Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2a01:4a0:59:1000:223:9eff:fe00:100f]' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2600:1f16:41e:bd0a::73:6b73]' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:bc8:4700:2300::10:f15]' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '[2001:470:1:116::6]' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '216.66.15.2' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '192.146.137.11' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '68.187.0.77' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '51.15.53.138' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '37.191.226.104' Jul 08 05:57:24 debian dirmngr[2574]: resolve_dns_addr for 'hkps.pool.sks-keyservers.net': '18.191.65.131' Jul 08 05:57:24 debian dirmngr[2574]: can't connect to '2001:bc8:4700:2300::10:f15': Permission denied Jul 08 05:57:24 debian dirmngr[2574]: error connecting to 'https://[2001:bc8:4700:2300::10:f15]:443': Permission denied Jul 08 05:57:24 debian dirmngr[2574]: (Tor configuration problem) Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> S WARNING tor_config_problem 0 Please check that the "SocksPort" flag "IPv6Traffic" is set in torrc Jul 08 05:57:24 debian dirmngr[2574]: command 'KS_SEARCH' failed: Permission denied Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> ERR 167804929 Permission denied Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 <- BYE ### End of quote This error helped significantly, adding to torrc: SocksPort PORT IPv6Traffic It however may timeout with "No data" several times before succeeding. Would be a great feature to catch this and retry for the sake of scripted installations. I imagine this could affect a lot of users, so it could have some user time to restore this error message. Note that "gpg: DBG: [not enabled in the source] stop" is the default packaged gnugp on debian based systems. Thanks for joining me on this interesting journey and please send back suggestions on the compilation error. If you are interested, read part two below when I try reproduce the error. Best, kardan PartII: How to reproduct "Permission denied" with dirmngr A usual quest after fixing an error is to try to make it happen again. In this case, i removed the IPv6Traffic from the torrc line, stopped tor altogether, killed all instances of dirmngr and gpgagent and deleted the key: $ gpg --delete-key 74A941BA219EC810 $ gpg --verbose --recv 74A941BA219EC810 gpg: data source: https://216.66.15.2:443 gpg: ASCII-H?lle: Version: SKS 1.1.6 gpg: ASCII-H?lle: Comment: Hostname: zimmermann.mayfirst.org gpg: pub rsa2048/0xEE8CBC9E886DDD89 2009-09-04 deb.torproject.org archive signing key ... gpg: Tiefe: 0 g?ltig: 6 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 6u gpg: n?chste "Trust-DB"-Pflicht?berpr?fung am 2018-12-20 gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 This is confusing because it should fail when tor is enabled: $ cat ~/.gnupg/dirmngr.conf ###+++--- GPGConf ---+++### use-tor ###+++--- GPGConf ---+++### Wed Jul 25 16:16:02 2018 CEST # GPGConf edited this configuration file. # It will disable options before this marked block, but it will # never change anything below these lines. And 'torsocks w3m http://ic6au7wa3f6naxjq.onion' fails as expected. So either gnupg ships it's own tor instance and runs it hiddenly, or it found out how to recycle the circuit of my TBB or it silently falls back to non-tor connections which is a bug. So here I am left unable to reproduce the error, but at least this story will help some later me to solve it again. Thanks for following part II, am happy to read your thoughts on my remaining questions: 1. is it hard to restore the error from 2.1.18 (where to start) 2. how to fix: No rule to make target 'audit-events.h' 3. How does dirmngr connect when no tor circuit is available 4. Why does a foreground dirmngr does not show connections 5. How to enable "DBG: [not enabled in the source]" 6. Where's the database to look up ERR 167804929 7. How can I change the timeout? I know that all answers can be solved by looking at the code, but maybe someone can save me some time and I might be able to prepare a patch stub in the next days. Thanks for taking the time to go through all this. Have a nice day! kardan From drivas1993 at gmail.com Tue Aug 14 06:20:28 2018 From: drivas1993 at gmail.com (Damian Rivas) Date: Mon, 13 Aug 2018 21:20:28 -0700 Subject: Public vs Private Fingerprint Message-ID: Hello, Is there a reason why the fingerprints for my public and private keys are exactly the same? I'm new to encryption and this may be a dumb question so I apologize in advance. I just can't seem to find a straightforward answer to this on Google. -Damian -------------- next part -------------- An HTML attachment was scrubbed... URL: From dgouttegattat at incenp.org Tue Aug 14 10:26:44 2018 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Tue, 14 Aug 2018 09:26:44 +0100 Subject: Public vs Private Fingerprint In-Reply-To: References: Message-ID: <1a3ff020-b633-5470-8ac9-3759ba9d9dc3@incenp.org> On 08/14/2018 05:20 AM, Damian Rivas wrote: > Is there a reason why the fingerprints for my public and private keys are > exactly the same? Actually there's no such thing as a private key fingerprint. Fingerprints are only calculated on public keys. (Theoretically you *could* compute a fingerprint on a private key, but as far as I know that's never used in OpenPGP.) Even when GnuPG is displaying a private key (e.g. with the --list-secret-keys command), the fingerprint is the fingerprint of the corresponding public key. Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From ralph at inputplus.co.uk Tue Aug 14 13:05:56 2018 From: ralph at inputplus.co.uk (Ralph Corderoy) Date: Tue, 14 Aug 2018 12:05:56 +0100 Subject: Public vs Private Fingerprint In-Reply-To: <1a3ff020-b633-5470-8ac9-3759ba9d9dc3@incenp.org> References: <1a3ff020-b633-5470-8ac9-3759ba9d9dc3@incenp.org> Message-ID: <20180814110556.D551D21910@orac.inputplus.co.uk> Hi Damien, > Actually there's no such thing as a private key fingerprint. > Fingerprints are only calculated on public keys. That was my conclusion after having searched a bit this morning, but I didn't notice it explicitly documented? -- Cheers, Ralph. https://plus.google.com/+RalphCorderoy From dgouttegattat at incenp.org Tue Aug 14 14:43:21 2018 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Tue, 14 Aug 2018 13:43:21 +0100 Subject: Public vs Private Fingerprint In-Reply-To: <20180814110556.D551D21910@orac.inputplus.co.uk> References: <1a3ff020-b633-5470-8ac9-3759ba9d9dc3@incenp.org> <20180814110556.D551D21910@orac.inputplus.co.uk> Message-ID: <7869dd3d-896e-316f-c592-4671e4be5b2b@incenp.org> On 08/14/2018 12:05 PM, Ralph Corderoy wrote: > That was my conclusion after having searched a bit this morning, > but I didn't notice it explicitly documented? Maybe not in GnuPG's manual, but it is explicitly documented in the specification of the OpenPGP format (RFC 4880, ?12.2 [1]): > A [V4] fingerprint is the 160-bit SHA-1 hash of the octet 0x99, > followed by the two-octet packet length, followed by the entire > *Public-Key packet* starting with the version field. Damien [1] https://tools.ietf.org/html/rfc4880#section-12.2 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From email at andrewnesbit.org Tue Aug 14 17:08:14 2018 From: email at andrewnesbit.org (Andrew Nesbit) Date: Tue, 14 Aug 2018 16:08:14 +0100 Subject: Public vs Private Fingerprint In-Reply-To: <7869dd3d-896e-316f-c592-4671e4be5b2b@incenp.org> References: <1a3ff020-b633-5470-8ac9-3759ba9d9dc3@incenp.org> <20180814110556.D551D21910@orac.inputplus.co.uk> <7869dd3d-896e-316f-c592-4671e4be5b2b@incenp.org> Message-ID: <52A36413-9639-4A5E-A34A-2E3EAA78B358@andrewnesbit.org> Hello all, >> On 14 Aug 2018, at 13:43, Damien Goutte-Gattat via Gnupg-users wrote: >> >>> On 08/14/2018 12:05 PM, Ralph Corderoy wrote: >> >> A [V4] fingerprint is the 160-bit SHA-1 hash of the octet 0x99, >> followed by the two-octet packet length, followed by the entire >> *Public-Key packet* starting with the version field. Following on from this, in my experience, studying the output of the `?list-packets` option has been one of the most effective ways of learning how GnuPG works. See https://gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html#index-list_002dpackets . Andrew -------------- next part -------------- An HTML attachment was scrubbed... URL: From felix.klee at inka.de Wed Aug 15 09:08:42 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Wed, 15 Aug 2018 09:08:42 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: Message-ID: *Update:* Yesterday, I was reading the [GnuPG wiki page on SmartCards][1] due to another issue. At its bottom I found listed as known bug: * Encrypted message with 3DES can't be decrypted with OpenPGP Card (V2.1, V3.3 without fix) - Due to the bug, it results: Missing item in object - See: https://dev.gnupg.org/T3576 Well, indeed if I encrypt a message with 3DES, I cannot decrypt it with my SmartCard: $ echo "Hello, world!" >foo $ gpg -e -r felix.klee at inka.de --personal-cipher-preference 3DES foo $ gpg -d --debug=crypto foo.gpg [?] gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Missing item in object gpg: decryption failed: No secret key gpg: secmem usage: 0/32768 bytes in 0 blocks $ gpg --version gpg (GnuPG) 2.2.9 libgcrypt 1.8.3 [?] ?Missing item in object? is the same message that I get when trying to decrypt the enQsig encrypted message! So, perhaps enQsig is using 3DES. *How do I find that out?* Also, I don?t understand: I was assuming that all the card does is decrypt my session key using my private 4096 bit RSA key. *If the session key is a 3DES key, why should the card care?* [1]: https://wiki.gnupg.org/SmartCard From peter at digitalbrains.com Wed Aug 15 11:50:58 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 15 Aug 2018 11:50:58 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> <0fae8df52f3831a02481d6e950c5a218f392b178.camel@googlemail.com> <467b2a30-d43d-5561-840c-ca0c3b8a93e5@digitalbrains.com> Message-ID: <333591dc-7d2f-b05b-18a2-f735dd766e7e@digitalbrains.com> On 03/08/18 09:16, Felix E. Klee wrote: > As I would like to understand things a bit better, do you think it is > possible to get some more details? Answering this in any detail would be a lot of answer. But the basic mechanism is --debug, --debug-level or perhaps just --debug-all and sifting through it. At the same time having a copy of RFC 4880 and PKCS#1 to explain all the numbers. The fact that it's a smartcard makes this more difficult: when the decrypt action fails, you don't see the actual numerical result. To protect against attacks, the smartcard denies to divulge this data to protect the private key. > The only difference: `Old` vs. `New` ? Could this be an issue? I don't think so. There are two ways to encode the packet tag, and GnuPG takes the "old" if possible. RFC 4880 Section Section 4.2. > PS: Had to think a bit that PKESK = ?Public-Key Encrypted Session Key?. > The crypto world seems to love acronyms. ;) (which does not make things > easier for us users) Yeah, sorry, this occured due to a transient failure in my brain matter ;-). When I wrote it, I really thought you were the first one to use the acronym, so I could save time by using it as well. Unfortunately this wasn't the case. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From peter at digitalbrains.com Wed Aug 15 12:13:59 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 15 Aug 2018 12:13:59 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: Message-ID: <337a49a0-a9a5-9e8a-538f-e2db65430854@digitalbrains.com> On 15/08/18 09:08, Felix E. Klee wrote: > So, perhaps enQsig is using 3DES. Good find! This sounds plausible. I myself had completely forgotten reading about this bug. Besides, I completely dismissed the encrypting application in this case because it decided to encrypt the session key to your primary key as well, which is very clearly not according to specification. > *How do I find that out?* Here's the catch: unless you have an on-disk copy of your private encryption key, you can't. As I just wrote in my other answer in this thread, the smartcard denies giving out the data it didn't like to see. But whether 3DES was used can only be decided by looking at the decrypted... erm... PKESK packet X-D. If you have a computer with an on-disk copy, you could try it with that on-disk copy and it will simply tell you when you ask for more verbosity and stuff. The usual caveats apply: you are using a smartcard to protect your private key material, but I'm now suggesting you use an on-disk copy of the key. Treat it like you would if you were transferring the key to a new smartcard to replace a broken one. This strange product also encrypted to your primary key, but it's probably only more difficult to use this than it is to use your encryption key. You'd have to, again, load an on-disk copy and then change the usage flags to make in encryption-capable. But if you don't have a backup of the encryption key but do have one of the primary key, you could do it. But after all this think about whether you should use an encryption key you don't have a backup of: if your smartcard ever dies, you can't decrypt anything anybody has ever sent you encrypted. > Also, I don?t understand: I was assuming that all the card does is > decrypt my session key using my private 4096 bit RSA key. *If the > session key is a 3DES key, why should the card care?* Because it inspects the decryption result for sanity before handing it back to the computer. This is done because an attacker might learn information about the private key if it were able to just have the smartcard decrypt anything it was given. And the whole point of a smartcard is that it should not be possible (or at least very hard) to extract the private key from the smartcard. I think the bug boils down to the card incorrectly dismissing the decryption result as invalid. But I'm not intimately acquainted with the bug, so this might be a misinterpretation. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From peter at digitalbrains.com Wed Aug 15 12:57:04 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 15 Aug 2018 12:57:04 +0200 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> <07950c7916a6df751a435a2fff746a84d0375615.camel@googlemail.com> <16391f3f-ffa2-de89-4e6d-d8a4f50ece0d@digitalbrains.com> Message-ID: <6721759f-192e-a81c-b683-7310d75857ae@digitalbrains.com> On 06/08/18 08:38, Ciprian Dorin Craciun wrote: > My script and systemd service file can be found at the following link: > > https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c Hey, that systemd service file seems to basically grab cryptsetup handling from the clutches of systemd, enabling all sorts of operations not possible with systemd's cryptsetup handling! That's really clever! I'm saving this for future reference, thanks. Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From ciprian.craciun at gmail.com Wed Aug 15 13:49:11 2018 From: ciprian.craciun at gmail.com (Ciprian Dorin Craciun) Date: Wed, 15 Aug 2018 14:49:11 +0300 Subject: Encrypt USB-HDD with LUKS using OpenPGP smartcard? In-Reply-To: <6721759f-192e-a81c-b683-7310d75857ae@digitalbrains.com> References: <8309323a3afef6b7ec21883aa088ab922caaaf2f.camel@googlemail.com> <07950c7916a6df751a435a2fff746a84d0375615.camel@googlemail.com> <16391f3f-ffa2-de89-4e6d-d8a4f50ece0d@digitalbrains.com> <6721759f-192e-a81c-b683-7310d75857ae@digitalbrains.com> Message-ID: On Wed, Aug 15, 2018 at 1:57 PM Peter Lebbing wrote: > > https://gist.github.com/cipriancraciun/c8a0dfb973b586053c167fec91093d9c > > Hey, that systemd service file seems to basically grab cryptsetup > handling from the clutches of systemd, enabling all sorts of operations > not possible with systemd's cryptsetup handling! That's really clever! Basically I just looked at how a similar file was generated by systemd for other `/etc/crypttab` targets and adapted. Ciprian. From lawrence.larabee at ephibian.com Wed Aug 15 20:14:11 2018 From: lawrence.larabee at ephibian.com (Lawrence Larabee) Date: Wed, 15 Aug 2018 11:14:11 -0700 (MST) Subject: Yubikey Card Error "sign_and_send_pubkey: signing failed: agent refused operation" In-Reply-To: <1711178313.83992991.1533660745370.JavaMail.zimbra@ephibian.com> References: <1711178313.83992991.1533660745370.JavaMail.zimbra@ephibian.com> Message-ID: <458139522.90807458.1534356851021.JavaMail.zimbra@ephibian.com> > I've got a new Yubikey NEO that I am trying to set up for SSH authentication [...] PIN entry works correctly, but after this everything fails with an error 100663404 and returns "signing failed: agent refused operation" For closure, this problem has been solved. I had too many PIN failures, so the stick was rejecting further attempts. Resetting the pin counter using gnupg --card-edit, admin, passwd fixed the problem. Now I am able to use my Yubikey and gpg-agent for SSH login. LL -------------- next part -------------- An HTML attachment was scrubbed... URL: From felix.klee at inka.de Thu Aug 16 07:52:53 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Thu, 16 Aug 2018 07:52:53 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: <337a49a0-a9a5-9e8a-538f-e2db65430854@digitalbrains.com> References: <337a49a0-a9a5-9e8a-538f-e2db65430854@digitalbrains.com> Message-ID: On Wed, Aug 15, 2018 at 12:13 PM, Peter Lebbing wrote: > Here's the catch: unless you have an on-disk copy of your private > encryption key, you can't. [if enQsig uses 3DES] I do have a backup of the private key, but it?s 1. out of reach at the moment and 2. it?s a pain to restore. So far, I?m still optimistic that the sender will eventually provide me with a message that I can decrypt. Thanks a lot for your explanations! PS: I?m toying with the idea of switching from my smart card to a Trezor hardware token. This would mean generating an entirely new key (only 256 bit ECC supported). OTOH there are several advantages such as the Trezor being a well documented open source device, and ? of course ? its size with integrated key pad solution. It also depends on whether I can get either a smart card reader or the Trezor to work with Termux/Android. From peter at digitalbrains.com Thu Aug 16 09:58:38 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 16 Aug 2018 09:58:38 +0200 Subject: ECC smartcard (was: Cannot decrypt file encrypted with enQsig) In-Reply-To: References: <337a49a0-a9a5-9e8a-538f-e2db65430854@digitalbrains.com> Message-ID: <234b1b77-5961-c441-4115-c9757f12366c@digitalbrains.com> On 16/08/18 07:52, Felix E. Klee wrote: > PS: I?m toying with the idea of switching from my smart card to a > Trezor hardware token. This would mean generating an entirely new key > (only 256 bit ECC supported). I didn't look at the Trezor to check, but I'll assume it allows usage with GnuPG based on the context you brought it up in. Note that many OpenPGP peers might not support ECC. You could add ECC subkeys to your current key, and arrange for peers that support them to prefer those. That way, anybody able to send you an ECC-encrypted document could do so, and others could fall back to the RSA encryption subkey. For signatures, you'd either still use RSA or accept the fact that only people with ECC-supporting clients could verify your signatures. The alternative is signing with both keys; if both are on cards/tokens, that becomes tiresome really quickly, I'd imagine. If you add ECC subkeys to your current key, you'd still use an RSA primary key, without anything elliptic about it. > OTOH there are several advantages such as the Trezor being a well > documented open source device There's also the GnuK, which is free software. My 2 cents, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From witt.austin at gmail.com Thu Aug 16 07:32:45 2018 From: witt.austin at gmail.com (Austin Witt) Date: Thu, 16 Aug 2018 00:32:45 -0500 Subject: Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial Message-ID: I want: To be able to configure an Ubuntu Xenial machine with passphrase-protected gpg2 keys on disk, and have a running gpg-agent with a passphrase for the keys pre-loaded by a script. "Users" of this environment should never see a gpg passphrase prompt: the script will have been run and will have populated the gpg-agent with the passphrase for the keys before they run a single command. I'd settle for getting it working with vanilla gpg2, but ultimately I want git to be able to sign commits. I've had a hard time tracking down online documentation that speaks specifically to gpg 2.1+; most of what I've found (on the stackexchange sites, forums, and mailing lists, etc) reference older versions of gpg, especially where gpg-agent is concerned. I execute gpg-preset-passphrase to the best of my understanding, but all GPG tools still prompt me for a passphrase. After entering the passphrase, the gpg-agent correctly saves it and I avoid any future prompts. I suspect that one of the following is true: 1. I don't know how to use gpg-preset-passphrase 2.1.11 2. gpg-preset-passphrase 2.1.11 doesn't work with gpg-agent 2.1.11 3. gpg-preset-passphrase 2.1.11 doesn't work in Ubuntu Xenial To aid in debugging, I have created a git repository that builds an Ubuntu Xenial Docker image that reproduces the issue. Really it just does what I am trying to do, in the environment I was trying to do it in, and fails the same way. So, while I'll quickly tell you some relevant things about my environment, e.g. 1. OS: Ubuntu 16.04.5 LTS 2. gpg2 version: gpg (GnuPG) 2.1.11 3. gpg-agent version: gpg-agent (GnuPG) 2.1.11 4. gpg-preset-passphrase version: gpg-preset-passphrase (GnuPG) 2.1.11 You can (if you have "docker" installed), visit & clone https://github.com/Gengar003/linux-gpg2-agent-preset to reproduce & explore my situation in my exact environment with my exact commands. My actual questions are: 1. Am I using gpg-agent correctly for gpg 2.1+? 2. Am I using gpg-preset-passphrase correctly for gpg 2.1+? 3. Should gpg-preset-passphrase work with gpg 2.1+? 4. Does anyone know of a working example of a preset passphrase with gpg-agent in gpg 2.1+? Thank you for your time. -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Thu Aug 16 18:31:19 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 16 Aug 2018 18:31:19 +0200 Subject: Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial In-Reply-To: References: Message-ID: gpg-preset-passphrase wants a keygrip, not a key fingerprint. To get the keygrip for a specific key, use f.e.: --8<---------------cut here---------------start------------->8--- $ gpg --with-keygrip -k 211601B877A3395Apub rsa1024 2012-03-17 [SC] [expires: 2018-08-23] 825472F37172B95ADC7349BE98B67DE4DCDFDFA4 Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A uid [ full ] Test Teststra uid [ full ] Test Teststra (Koning van Wezel) sub rsa1024 2012-03-17 [E] Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D sub rsa2048 2016-01-12 [A] Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63 --8<---------------cut here---------------end--------------->8--- Or for machine-parseable output, f.e.: --8<---------------cut here---------------start------------->8--- $ gpg --batch --with-colons --with-keygrip -k 211601B877A3395Atru::7:1534436270:1537177125 pub:f:1024:1:98B67DE4DCDFDFA4:1331982780:1535041047::n:::scESCA::::::: fpr:::::::::825472F37172B95ADC7349BE98B67DE4DCDFDFA4: grp:::::::::2F677680CA15F6F7B963AF35822E8EC01FBF840A: uid:f::::1534436249::A57955B7E1CD67534EBEB1E2F56C1FA882CDDE44::Test Teststra : uid:f::::1534436247::B56114536967B4C81D29D6942712F43E831224A5::Test Teststra (Koning van Wezel) : sub:f:1024:1:211601B877A3395A:1331982780::::::e:::::: fpr:::::::::9A40F128868A76CF92320458211601B877A3395A: grp:::::::::15CB764B81D542CF921978CA89910C69D53F4E2D: sub:f:2048:1:0BF68DE438EF7410:1452622346::::::a:::::: fpr:::::::::029CE2AB6B2E28D10BF9E7140BF68DE438EF7410: grp:::::::::3D88DC9D60F791821AF8D537EEAC3C8DF7720D63: sub:e:1024:1:24FE6FCFC9685297:1490208195:1490812995:::::s:::::: fpr:::::::::39F1AE29CE8B6C313CEE723E24FE6FCFC9685297: grp:::::::::B93CA4F1A44FAD92D45DC836DEC653769421E703: --8<---------------cut here---------------end--------------->8--- Scan lines up to the signing subkey, and take the grp-record that follows the signing subkey. See doc/DETAILS for details about the format. preset-passphrase works on individual keys, if you need to preset both encryption and signature keys, use it once for each keygrip. By the way, the GnuPG 2.1 in Ubuntu 16.04 hasn't been updated in almost two years. I don't feel comfortable with it, and I would consider alternatives. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From peter at digitalbrains.com Thu Aug 16 18:34:32 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 16 Aug 2018 18:34:32 +0200 Subject: Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial In-Reply-To: References: Message-ID: <59270888-9544-47f2-8da9-85c1ac0925d3@digitalbrains.com> On 16/08/18 18:31, Peter Lebbing wrote: > By the way, the GnuPG 2.1 in Ubuntu 16.04 hasn't been updated in almost > two years. I don't feel comfortable with it, and I would consider > alternatives. s/two years/two and a half years/ It hasn't been updated since release. For a moment I was thinking about the .10 releases. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From fishkits at hotmail.com Fri Aug 17 15:59:51 2018 From: fishkits at hotmail.com (Anna Kitces and Seth Fishman) Date: Fri, 17 Aug 2018 13:59:51 +0000 Subject: Gpg (GnuPG) 2.2.9 versus gpg (GnuPG) 1.4.23 Message-ID: Dear gpg users: I am migrating to gpg 2.2 All my gpg 1.4 keys were migrated to 2.2 during the upgrade. When I try to decrypt a document I am getting the following: gpg: encrypted with 2048-bit RSA key, ID 2BDB2DD8782B904E, created 2017-03-15 "mykey " gpg: public key decryption failed: No pinentry gpg: decryption failed: No secret key I am thinking maybe there is a minimum version of pinentry required? I am running on two platforms: Linux, RHEL 7.3 (Maipo) and Unix, Solaris 11. The Solaris machine has pinentry 0.7.6 already provided and the Linux box has 0.8.1. Is that the reason I am having this issue? I have tried to upgrade pinentry going through the ./configure, gmake, gmake check, gmake install2 steps but I keep getting errors. So if I must upgrade pinentry, then if anyone has some pointers on this for either of both of these platforms, I'd be most appreciative. Also, pinentry was not a factor before. Can I just get pinentry out of the equation altogether somehow or is that a bad idea. Sorry for so many questions. Would appreciate any insight you can provide. Regards, Seth Fishman -------------- next part -------------- An HTML attachment was scrubbed... URL: From johndoe65534 at mail.com Sat Aug 18 08:49:27 2018 From: johndoe65534 at mail.com (john doe) Date: Sat, 18 Aug 2018 08:49:27 +0200 Subject: Gpg (GnuPG) 2.2.9 versus gpg (GnuPG) 1.4.23 In-Reply-To: References: Message-ID: On 8/17/2018 3:59 PM, Anna Kitces and Seth Fishman wrote: > Dear gpg users: > > I am migrating to gpg 2.2 > > All my gpg 1.4 keys were migrated to 2.2 during the upgrade. > > When I try to decrypt a document I am getting the following: > > > gpg: encrypted with 2048-bit RSA key, ID 2BDB2DD8782B904E, created 2017-03-15 > > "mykey " > > gpg: public key decryption failed: No pinentry > > gpg: decryption failed: No secret key > > > I am thinking maybe there is a minimum version of pinentry required? > > > I am running on two platforms: Linux, RHEL 7.3 (Maipo) and Unix, Solaris 11. The Solaris machine has pinentry 0.7.6 already provided and the Linux box has 0.8.1. Is that the reason I am having this issue? > > > I have tried to upgrade pinentry going through the ./configure, gmake, gmake check, gmake install2 steps but I keep getting errors. So if I must upgrade pinentry, then if anyone has some pointers on this for either of both of these platforms, I'd be most appreciative. > > > Also, pinentry was not a factor before. Can I just get pinentry out of the equation altogether somehow or is that a bad idea. > > > Sorry for so many questions. Would appreciate any insight you can provide. > > Regards, > > Seth Fishman > From the ML archive: https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060688.html HTH. -- John Doe From witt.austin at gmail.com Thu Aug 16 20:33:20 2018 From: witt.austin at gmail.com (Austin Witt) Date: Thu, 16 Aug 2018 13:33:20 -0500 Subject: Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial In-Reply-To: <59270888-9544-47f2-8da9-85c1ac0925d3@digitalbrains.com> References: <59270888-9544-47f2-8da9-85c1ac0925d3@digitalbrains.com> Message-ID: It really was that simple! Thank you! I must have spent too many hours staring at it to be able to see such a simple issue. gpg-preset-passphrase is happy with a keygrip and works exactly as I want it to. Cheers! On Thu, Aug 16, 2018 at 11:34 AM, Peter Lebbing wrote: > On 16/08/18 18:31, Peter Lebbing wrote: > > By the way, the GnuPG 2.1 in Ubuntu 16.04 hasn't been updated in almost > > two years. I don't feel comfortable with it, and I would consider > > alternatives. > > s/two years/two and a half years/ > > It hasn't been updated since release. For a moment I was thinking about > the .10 releases. > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From henrich at iijmio-mail.jp Tue Aug 21 08:57:22 2018 From: henrich at iijmio-mail.jp (Hideki Yamane) Date: Tue, 21 Aug 2018 15:57:22 +0900 Subject: Q: select between multiple signing key Message-ID: <20180821155722.3301c2edc57677af2bc0e2b7@iijmio-mail.jp> Hi, I've generated multiple sign subkey but could not select it, only last generated one was used. > $ gpg2 --edit-key henrich at example.jp > gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > sec rsa2048/A65B17610C406CE6 > created: 2018-08-21 expires: never usage: SC > trust: ultimate validity: ultimate > ssb rsa2048/4B9A876348781F24 > created: 2018-08-21 expires: never usage: E > ssb rsa2048/F216455835F7F392 > created: 2018-08-21 expires: never usage: S > ssb rsa2048/BD6695496E30735F > created: 2018-08-21 expires: never usage: S > [ultimate] (1). Hideki Yamane There are three sign keys (one is Master, other two are subkey). Then tried to sign file with Masterkey... > $ gpg2 --default-key A65B17610C406CE6 --clearsign .bashrc But asked passphrase for BD6695496E30735F, the last generated one. My question is - Can we have multiple signature subkey on one GPG key? - If so, how do select it? - If not, why we can do exec addkey? -- Regards, Hideki Yamane henrich @ debian.org/iijmio-mail.jp From peter at digitalbrains.com Tue Aug 21 10:57:15 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 21 Aug 2018 10:57:15 +0200 Subject: Q: select between multiple signing key In-Reply-To: <20180821155722.3301c2edc57677af2bc0e2b7@iijmio-mail.jp> References: <20180821155722.3301c2edc57677af2bc0e2b7@iijmio-mail.jp> Message-ID: <43efe982-3a56-0631-5646-0eb4a3327d49@digitalbrains.com> Hi, On 21/08/18 08:57, Hideki Yamane wrote: > - If so, how do select it? From the man page: Section "HOW TO SPECIFY A USER ID", subsection "By key Id": > When using gpg an exclamation mark (!) may be appended to force > using the specified primary or secondary key and not to try and > calculate which primary or secondary key to use. And so: $ gpg2 --default-key A65B17610C406CE6\! --clearsign .bashrc HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Tue Aug 21 16:28:13 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 21 Aug 2018 16:28:13 +0200 Subject: ERR 167804929 Permission denied / No rule to make target 'audit-events.h' In-Reply-To: <20180811094223.27453c3c@t43.ts> (kardan@riseup.net's message of "Sat, 11 Aug 2018 09:49:03 +0200") References: <20180811094223.27453c3c@t43.ts> Message-ID: <87efer3ibm.fsf@wheatstone.g10code.de> On Sat, 11 Aug 2018 09:49, kardan at riseup.net said: > $ gpg --debug-level=guru --recv-key 74A941BA219EC810 Instead of using that debug level (in any case use "--debug help" for more specific levels) it would have been suffcient if you had used $ gpg --verbose --recv-key 74A941BA219EC810 which shows you certain error messages from dirmngr directly in the gpg output. In particular a text like > Jul 08 05:57:24 debian dirmngr[2574]: DBG: chan_5 -> S WARNING > tor_config_problem 0 Please check that the "SocksPort" flag > "IPv6Traffic" is set in torrc should have showed up. I always assume that the first action on unknown problems is to add -v or --verbose ;-) > ###+++--- GPGConf ---+++### > use-tor [Which forces the use of Tor] > 1. is it hard to restore the error from 2.1.18 (where to start) Did not try > 2. how to fix: No rule to make target 'audit-events.h' Unpack a fesh tarball and it will work becuase it is part of the distributions. > 3. How does dirmngr connect when no tor circuit is available With use-tor you should not be able to connect - I have not read through your log though. > 4. Why does a foreground dirmngr does not show connections dirmngr is intended to be started on the fly by gpg etc. You may also start that using gpgconf --launch dirmngr or by connecting to the dirmngr interface with gpg-connect-agent --dirmngr > 5. How to enable "DBG: [not enabled in the source]" That is for benchmarking. You need to add --enable-log-clock to the configure call - either for gnupg or with newer libgpg-error versions with that. > 6. Where's the database to look up ERR 167804929 $ gpg-error --desc 167804929 167804929 = (10, 32769) = (GPG_ERR_SOURCE_DIRMNGR, GPG_ERR_EACCES) = (Dirmngr, Permission denied) (for some error codes --desc shows notes on the use of that error) > 7. How can I change the timeout? grep for timeout in the dirmngr man page. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Wed Aug 22 10:38:52 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 22 Aug 2018 10:38:52 +0200 Subject: GPGME status callback not working for need entropy In-Reply-To: (Jacob Adams's message of "Wed, 1 Aug 2018 15:28:23 -0400") References: Message-ID: <87y3cy23tv.fsf@wheatstone.g10code.de> On Wed, 1 Aug 2018 21:28, tookmund at gmail.com said: > generating a key without enough randomness, the whole application just > locks up with no indication of what is happening. Is there anything else > I could query to inform the user of what's occurring in this scenario? You need to install a progress callback. Something like: --8<---------------cut here---------------start------------->8--- static void progress_cb (void *opaque, const char *what, int type, int current, int total) { (void)opaque; (void)type; if (total) fprintf (stderr, "progress for '%s' %u%% (%d of %d)\n", nonnull (what), (unsigned)(((double)current / total) * 100), current, total); else fprintf (stderr, "progress for '%s' %d\n", nonnull(what), current); fflush (stderr); } main() { gpgme_set_progress_cb (ctx, progress_cb, NULL); } --8<---------------cut here---------------end--------------->8--- See gpgme/tests/run-genkey.c for a test program. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From felix.klee at inka.de Wed Aug 22 11:07:59 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Wed, 22 Aug 2018 11:07:59 +0200 Subject: Android/Termux: How to build gpg-agent without maintainer mode? Message-ID: I managed to get `gpg-agent` run with USB smart card support under Android/Termux: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19 What bugs me is that I had to compile in maintainer mode: Now I get warnings that the software should not used be used with production keys. Maintainer mode is in fact suggested by `autogen.sh`: $ git clone git://git.gnupg.org/gnupg.git [?] $ cd gnupg $ export C_INCLUDE_PATH=$PREFIX/include/:$PREFIX/include/libusb-1.0/ :$PREFIX/include/libandroid-support $ ./autogen.sh [?] autogen.sh: You may now run: ./configure --sysconfdir=/etc --enable-maintainer-mode && make If I try without maintainer mode, then I get: $ ./configure [output attached] $ make make all-recursive make[1]: Entering directory '/data/data/com.termux/files/home/src/g/ gnupg' Making all in m4 make[2]: Entering directory '/data/data/com.termux/files/home/src/g/ gnupg/m4' make[2]: Nothing to be done for 'all'. make[2]: Leaving directory '/data/data/com.termux/files/home/src/g/ gnupg/m4' Making all in common make[2]: Entering directory '/data/data/com.termux/files/home/src/g/ gnupg/common' make[2]: *** No rule to make target 'audit-events.h', needed by 'all '. Stop. make[2]: Leaving directory '/data/data/com.termux/files/home/src/g/g nupg/common' make[1]: *** [Makefile:613: all-recursive] Error 1 make[1]: Leaving directory '/data/data/com.termux/files/home/src/g/g nupg' make: *** [Makefile:533: all] Error 2 *How do I build `gpg-agent` without maintainer mode?* Note that I only need the agent, so I could probably speed up compile time by quite a lot if disable the other tools in `./configure`. But that?s not a priority now. -------------- next part -------------- A non-text attachment was scrubbed... Name: configure_output Type: application/octet-stream Size: 18720 bytes Desc: not available URL: From dirk.gottschalk1980 at googlemail.com Wed Aug 22 13:08:17 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Wed, 22 Aug 2018 13:08:17 +0200 Subject: Android/Termux: How to build gpg-agent without maintainer mode? In-Reply-To: References: Message-ID: <990d348a33a265b3cbe4d69c3435d12372ea03f3.camel@googlemail.com> Hi. Am Mittwoch, den 22.08.2018, 11:07 +0200 schrieb Felix E. Klee: > I managed to get `gpg-agent` run with USB smart card support under > Android/Termux: > > https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19 > > What bugs me is that I had to compile in maintainer mode: Now I get > warnings that the software should not used be used with production > keys. > > Maintainer mode is in fact suggested by `autogen.sh`: > [...snipped...] Maintainer mode is needed, especially in a fresh copy of the source. In case of GnuPG, maintainer mode invokes some functions and does some work which is needed to compile GnuPG. There's nothing what should "bug" you. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From felix.klee at inka.de Wed Aug 22 13:21:21 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Wed, 22 Aug 2018 13:21:21 +0200 Subject: Android/Termux: How to build gpg-agent without maintainer mode? In-Reply-To: <990d348a33a265b3cbe4d69c3435d12372ea03f3.camel@googlemail.com> References: <990d348a33a265b3cbe4d69c3435d12372ea03f3.camel@googlemail.com> Message-ID: On Wed, Aug 22, 2018 at 1:08 PM, Dirk Gottschalk wrote: > There's nothing what should "bug" you. Well if I call `g10/gpg` in the build, I get a big fat warning: gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! *Shouldn?t that bug me?* That being said: * The `agent/gpg-agent` does not output the warning. * As said in my original post, I am only interested in the agent. It is compatible with the `gpg` provided with Termux. From dirk.gottschalk1980 at googlemail.com Wed Aug 22 13:48:31 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Wed, 22 Aug 2018 13:48:31 +0200 Subject: Android/Termux: How to build gpg-agent without maintainer mode? In-Reply-To: References: <990d348a33a265b3cbe4d69c3435d12372ea03f3.camel@googlemail.com> Message-ID: <7b02b13238db3e98d01131d9ad7a6954acde9949.camel@googlemail.com> Am Mittwoch, den 22.08.2018, 13:21 +0200 schrieb Felix E. Klee: > On Wed, Aug 22, 2018 at 1:08 PM, Dirk Gottschalk > wrote: > > There's nothing what should "bug" you. > > Well if I call `g10/gpg` in the build, I get a big fat warning: > > gpg: NOTE: THIS IS A DEVELOPMENT VERSION! > gpg: It is only intended for test purposes and should NOT be > gpg: used in a production environment or with production keys! > > *Shouldn?t that bug me?* This depends on the source of your source version. If it is from a release tarball, this shouldn't bother you. I only get this warning if I have compiled from the GIT repository. > That being said: > > * The `agent/gpg-agent` does not output the warning. > > * As said in my original post, I am only interested in the agent. > It > is compatible with the `gpg` provided with Termux. I don't know if it is possible to compile only the agent. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From felix.klee at inka.de Wed Aug 22 21:45:31 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Wed, 22 Aug 2018 21:45:31 +0200 Subject: Android/Termux: How to build gpg-agent without maintainer mode? In-Reply-To: <7b02b13238db3e98d01131d9ad7a6954acde9949.camel@googlemail.com> References: <990d348a33a265b3cbe4d69c3435d12372ea03f3.camel@googlemail.com> <7b02b13238db3e98d01131d9ad7a6954acde9949.camel@googlemail.com> Message-ID: On 8/22/18, Dirk Gottschalk wrote: > This depends on the source of your source version. If it is from a > release tarball, this shouldn't bother you. > > I only get this warning if I have compiled from the GIT repository. Uh oh, I didn?t check out a release! Changed the [build instructions][1] now to also include: $ git checkout gnupg-2.2.9 # matches GnuPG in Termux Thanks for pointing me in the right direction! > I don't know if it is possible to compile only the agent. Doesn?t really matter anyhow. The compile process on my phone is quite fast, profiting from the multi core architecture. [1]: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19 From henrich at iijmio-mail.jp Thu Aug 23 05:26:33 2018 From: henrich at iijmio-mail.jp (Hideki Yamane) Date: Thu, 23 Aug 2018 12:26:33 +0900 Subject: Q: select between multiple signing key In-Reply-To: <43efe982-3a56-0631-5646-0eb4a3327d49@digitalbrains.com> References: <20180821155722.3301c2edc57677af2bc0e2b7@iijmio-mail.jp> <43efe982-3a56-0631-5646-0eb4a3327d49@digitalbrains.com> Message-ID: <20180823122633.7f55037880d26ca248043c44@iijmio-mail.jp> Hi Peter, On Tue, 21 Aug 2018 10:57:15 +0200 Peter Lebbing wrote: > Section "HOW TO SPECIFY A USER ID", subsection "By key Id": > > > When using gpg an exclamation mark (!) may be appended to force > > using the specified primary or secondary key and not to try and > > calculate which primary or secondary key to use. > > And so: > > $ gpg2 --default-key A65B17610C406CE6\! --clearsign .bashrc Yes, it work well. Thank you! -- Regards, Hideki Yamane henrich @ debian.org/iijmio-mail.jp From m4rtntns at gmail.com Thu Aug 23 12:07:17 2018 From: m4rtntns at gmail.com (Martin T) Date: Thu, 23 Aug 2018 13:07:17 +0300 Subject: gpg not able to find my secret key In-Reply-To: References: Message-ID: On Thu, Aug 23, 2018 at 12:54 PM Martin T wrote: > > Hi! > > I reinstalled my workstation and moved ~/.gnupg directory from old > machine to new one. Gpg version in both workstations is 2.1.18. The > problem is, that in the new workstation, when I try to decrypt a file, > it doesn't find the secret key: > > $ gpg -o .file -d .file.gpg > gpg: encrypted with RSA key, ID 7BA1DFF9E00DF644 > gpg: decryption failed: No secret key > $ > > When I list the secret keys(gpg --list-secret-keys), then the output > is empty. When I start the "gpg --list-secret-keys" with "strace -e > open", then ~/.gnupg/secring.gpg file is not searched. gpg-agent is > not running. When I start the gpg-agent, then it does't change > anything, i.e the "gpg --list-secret-keys" is empty. > Directory and file permissions for ~/.gnupg are the same as in old > installation. I also started both gpg and gpg-agent with > "--debug-level guru" option, but it provided no useful information. > For example: > > $ gpg --debug-level guru --list-secret-keys > gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache > memstat trust hashing ipc clock lookup extprog > gpg: DBG: [not enabled in the source] start > gpg: DBG: [not enabled in the source] keydb_new > gpg: DBG: [not enabled in the source] keydb_search_reset > gpg: DBG: keydb_search: reset (hd=0x000055e6f13ce8b0) > gpg: DBG: [not enabled in the source] keydb_search enter > gpg: DBG: keydb_search: 1 search descriptions: > gpg: DBG: keydb_search 0: FIRST > gpg: DBG: keydb_search: searching keybox (resource 0 of 1) > gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF > gpg: DBG: [not enabled in the source] keydb_search leave (not found) > gpg: DBG: [not enabled in the source] stop > gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 > outmix=0 getlvl1=0/0 getlvl2=0/0 > gpg: secmem usage: 0/65536 bytes in 0 blocks > $ > > What might cause this? > > > thanks, > Martin I forgot to add, that "gpg-connect-agent 'keyinfo --list' /bye" prints four(if I remember correctly, then I had two keys) keys: $ gpg-connect-agent 'keyinfo --list' /bye S KEYINFO D1FB0DC2361FC6826CE6CB6EAB4D36DA6E254FFA D - - - P - - - S KEYINFO EF4529B5ED613C1F849849C1025805114A13B946 D - - - P - - - S KEYINFO 6B1903F77C2C0F502EC28F484F5BD9FCB4A3F3EB D - - - P - - - S KEYINFO DE9D9A4362E8E4D8AA64B85149939F8A711B2CE0 D - - - P - - - OK $ Maybe it is a communication issue between the gpg and gpg-agent? However, I would expect the gpg to report it if this is the case. thanks, Martin From m4rtntns at gmail.com Thu Aug 23 11:54:57 2018 From: m4rtntns at gmail.com (Martin T) Date: Thu, 23 Aug 2018 12:54:57 +0300 Subject: gpg not able to find my secret key Message-ID: Hi! I reinstalled my workstation and moved ~/.gnupg directory from old machine to new one. Gpg version in both workstations is 2.1.18. The problem is, that in the new workstation, when I try to decrypt a file, it doesn't find the secret key: $ gpg -o .file -d .file.gpg gpg: encrypted with RSA key, ID 7BA1DFF9E00DF644 gpg: decryption failed: No secret key $ When I list the secret keys(gpg --list-secret-keys), then the output is empty. When I start the "gpg --list-secret-keys" with "strace -e open", then ~/.gnupg/secring.gpg file is not searched. gpg-agent is not running. When I start the gpg-agent, then it does't change anything, i.e the "gpg --list-secret-keys" is empty. Directory and file permissions for ~/.gnupg are the same as in old installation. I also started both gpg and gpg-agent with "--debug-level guru" option, but it provided no useful information. For example: $ gpg --debug-level guru --list-secret-keys gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog gpg: DBG: [not enabled in the source] start gpg: DBG: [not enabled in the source] keydb_new gpg: DBG: [not enabled in the source] keydb_search_reset gpg: DBG: keydb_search: reset (hd=0x000055e6f13ce8b0) gpg: DBG: [not enabled in the source] keydb_search enter gpg: DBG: keydb_search: 1 search descriptions: gpg: DBG: keydb_search 0: FIRST gpg: DBG: keydb_search: searching keybox (resource 0 of 1) gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF gpg: DBG: [not enabled in the source] keydb_search leave (not found) gpg: DBG: [not enabled in the source] stop gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0 gpg: secmem usage: 0/65536 bytes in 0 blocks $ What might cause this? thanks, Martin From dgouttegattat at incenp.org Thu Aug 23 17:50:00 2018 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Thu, 23 Aug 2018 16:50:00 +0100 Subject: gpg not able to find my secret key In-Reply-To: References: Message-ID: Hi, On 08/23/2018 10:54 AM, Martin T wrote: > When I start the "gpg --list-secret-keys" with "strace -e open", > then ~/.gnupg/secring.gpg file is not searched. GnuPG >= 2.1 does not use ~/.gnupg/secring.gpg anymore. Secret keys are now stored in the ~/.gnupg/private-keys-v1.d folder (one file per key). When you say you "moved ~/.gnupg directory from old machine to new one", did you make sure to include the private-keys-v1.d folder? Related question: Do you have a file named "gpg-v21-migrated" in your .gnupg directory? Waiting for your answers, I suspect the following happened: * You were using GnuPG < 2.1 before (1.4 or 2.0), with your private keys in the secring.gpg file. * At some point you upgraded to GnuPG 2.1; GnuPG automatically migrated your keys from the secring.gpg file to the private-keys-v1.d folder (leaving the gpg-v21-migrated file as a marker that the migration occured). * When you moved your .gnupg folder, the private-keys-v1.d folder was somehow left behind (maybe because you didn't know about it). So gpg-agent cannot find your private keys. * Even though you still have a copy of your private keys in the secring.gpg file, GnuPG will not even look at this file, since the gpg-v21-migrated file tells it that the private keys were already migrated. If that's what happened, then simply removing the gpg-v21-migrated file should be enough to trigger a new migration and allow you to get your private keys where the agent expects to find them. I am, however, a little bit concerned by the following: > When I list the secret keys(gpg --list-secret-keys), then the output > is empty. gpg-agent is not running. gpg-agent should be started automatically by gpg as soon as it is needed (such as when you ask for a listing of the secret keys). The fact that the agent is *not* running could indicate a problem in your GnuPG installation, independently of the presence or absence of the private-keys-v1.d folder. Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Thu Aug 23 21:17:08 2018 From: wk at gnupg.org (Werner Koch) Date: Thu, 23 Aug 2018 21:17:08 +0200 Subject: gpg not able to find my secret key In-Reply-To: (Damien Goutte-Gattat via Gnupg-users's message of "Thu, 23 Aug 2018 16:50:00 +0100") References: Message-ID: <876000yjt6.fsf@wheatstone.g10code.de> On Thu, 23 Aug 2018 17:50, gnupg-users at gnupg.org said: > Related question: Do you have a file named "gpg-v21-migrated" in your > .gnupg directory? The file name is actually ".gpg-v21-migrated" (note the leading dot) and thus only listed by ls with the option -a. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From tookmund at gmail.com Thu Aug 23 22:58:47 2018 From: tookmund at gmail.com (Jacob Adams) Date: Thu, 23 Aug 2018 16:58:47 -0400 Subject: Fwd: GPGME status callback not working for need entropy In-Reply-To: References: Message-ID: Resending with a compressed log file since it ended up way bigger than I expected. -------- Forwarded Message -------- Subject: Re: GPGME status callback not working for need entropy Date: Thu, 23 Aug 2018 16:54:13 -0400 From: Jacob Adams To: gnupg-users at gnupg.org On 08/22/2018 04:38 AM, Werner Koch wrote: > On Wed, 1 Aug 2018 21:28, tookmund at gmail.com said: >> generating a key without enough randomness, the whole application just >> locks up with no indication of what is happening. Is there anything else >> I could query to inform the user of what's occurring in this scenario? > > You need to install a progress callback. Something like: I have a progress callback installed but it's not reporting anything. My progress callback currently looks like this: def _progress(what, type, current, total, prog): if what == "primegen": prog.inc() else: _log.info(what+" "+type+" "+current+" "+total) if prog.gk.redraw: prog.screen.finish() prog.screen = newt.Screen() prog.recreate() (_log is a Logger that logs to a file, and prog is a progress bar I setup earlier) But I don't have anything logged when the application runs out of entropy. The progress callback is simply not called as far as I can tell. So I was hoping I could maybe get something out of status, but I guess not. Any idea why progress wouldn't be called? I've captured a GPGME debug log from an affected system and attached it below. It seems _gpgme_io_select is just waiting on some file descriptor, probably for randomness that never arrives. This same test system completely locked up on shutdown and had to be forced off. Not sure if that's related but seems likely. Thanks, Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: gpgme.log.gz Type: application/gzip Size: 16178 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From m4rtntns at gmail.com Fri Aug 24 08:47:59 2018 From: m4rtntns at gmail.com (Martin T) Date: Fri, 24 Aug 2018 09:47:59 +0300 Subject: gpg not able to find my secret key In-Reply-To: <876000yjt6.fsf@wheatstone.g10code.de> References: <876000yjt6.fsf@wheatstone.g10code.de> Message-ID: Hi! Thanks for replies! The problem was indeed the existing ~/.gnupg/.gpg-v21-migrated file. Once I removed it, I did see the keys in the output of "gpg --list-keys" and "gpg --list-secret-keys". One more small question- in the output of "gpg --list-keys" or "gpg --list-secret-keys" I see two keys, but in the output of "gpg-connect-agent 'keyinfo --list' /bye" or "ls ~/.gnupg/private-keys-v1.d/" I see four keys with different hashes. Why is that so? Martin From dgouttegattat at incenp.org Fri Aug 24 13:38:08 2018 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Fri, 24 Aug 2018 12:38:08 +0100 Subject: gpg not able to find my secret key In-Reply-To: References: <876000yjt6.fsf@wheatstone.g10code.de> Message-ID: On 08/24/2018 07:47 AM, Martin T wrote: > One more small question- in the output of "gpg --list-keys" or "gpg > --list-secret-keys" I see two keys, but in the output of > "gpg-connect-agent 'keyinfo --list' /bye" or "ls > ~/.gnupg/private-keys-v1.d/" I see four keys with different hashes. > Why is that so? When you say that you have two keys, do you mean two *primary* keys? If so, each primary key probably has an encryption *subkey* (automatically generated by GnuPG, that has been the default behavior of GnuPG for a very long time), so you end up with four private keys. As for the fact that you see "different hashes", that's because `gpg --list-keys` prints out the *fingerprints*, whereas gpg-agent's keyinfo command prints out the *keygrips*. A fingerprint and a keygrip are both hashes of a public key, but they are computed differently and don't serve the same purpose. Fingerprints are specified by the OpenPGP format and uniquely identify an OpenPGP key. Keygrips are used internally by gpg-agent to uniquely identify a key independently of any protocol. Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From sunrises at gmx.com Sat Aug 25 08:18:48 2018 From: sunrises at gmx.com (sunrises at gmx.com) Date: Sat, 25 Aug 2018 08:18:48 +0200 Subject: Issue with pinentry GUI agent Message-ID: <20180825081848.43e260fa@black> Hi all, since some days I'm having an issue with pinentry, I've set the default agent as pinentry-qt4 from update-alternatives (I've also tried pinentry-qt and pinentry-gnome) but when I run gpg --decrypt file it's always falling on the cli for prompting the password. In .gnupg/gpg-agent.conf as the first line I have pinentry-program /usr/bin/pinentry-qt4 as well, but I don't get why it's ignoring it. There's a way to debug what's going on? From felix.klee at inka.de Sat Aug 25 21:25:34 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Sat, 25 Aug 2018 21:25:34 +0200 Subject: Communication with card reader encrypted? Message-ID: When I decrypt a file using an OpenPGP card, is the communication between a USB card reader and the GnuPG daemon encrypted? Or: Is the decrypted session key sent unencrypted through the cable? From dirk.gottschalk1980 at googlemail.com Sun Aug 26 00:31:56 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Sun, 26 Aug 2018 00:31:56 +0200 Subject: Communication with card reader encrypted? In-Reply-To: References: Message-ID: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> Hi. Am Samstag, den 25.08.2018, 21:25 +0200 schrieb Felix E. Klee: > When I decrypt a file using an OpenPGP card, is the communication > between a USB card reader and the GnuPG daemon encrypted? Or: Is the > decrypted session key sent unencrypted through the cable? This is a really interesting question. But, does this really matter got an USB device? If there is a program on your computer, which interceps the communication, the security of you system is already broken. So the decrypted file itself could/would be read by a third party. The session key is, in this moment, the least problematic thing on your system. But, regardless of this, it is an interesting question. Werner, please tell us. ^^ Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From felix.klee at inka.de Sun Aug 26 09:48:31 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Sun, 26 Aug 2018 09:48:31 +0200 Subject: Communication with card reader encrypted? In-Reply-To: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> References: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> Message-ID: On Sun, Aug 26, 2018 at 12:31 AM, Dirk Gottschalk wrote: > This is a really interesting question. But, does this really matter > got an USB device? If there is a program on your computer, which > interceps the communication, the security of you system is already > broken. I am more thinking about a hardware attack. If the communication is not encrypted, this opens another attack vector. For comparison, think about [key loggers][1]. Putting a hardware logger somewhere between the USB peripheral device and the computer is potentially easier and quicker than tampering with either the peripheral device or the computer. Background: I want to put my SCM SPR332 v2 card reader into a different enclosure, so that it?s more portable for [use with my mobile phone][2]. The very long cable also needs to be replaced. One option is to add a USB port to the reader so that arbitrary cables can be used. This thought coincided with me reading about [doctored USB cables][3]. I don?t want to be required to trust three devices: phone, reader, and now cable [1]: http://www.taz.de/!5307828/ [2]: https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19 [3]: From peter at digitalbrains.com Sun Aug 26 10:41:33 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 26 Aug 2018 10:41:33 +0200 Subject: Communication with card reader encrypted? In-Reply-To: References: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> Message-ID: <3a75368e-2b7d-5671-c94e-22b4df3c2eac@digitalbrains.com> On 25/08/18 21:25, Felix E. Klee wrote: > When I decrypt a file using an OpenPGP card, is the communication > between a USB card reader and the GnuPG daemon encrypted? The OpenPGP smartcard and generic smartcard protocols do define "Secure Messaging", but I don't think this is commonly used for cabled OpenPGP smartcards. So: no, I think in most cases data is unencrypted in USB wires. On 26/08/18 09:48, Felix E. Klee wrote: > This thought coincided with me reading about [doctored USB > cables][3]. I don?t want to be required to trust three devices: > phone, reader, and now cable I think you'll need to trust the cable anyway, since a malicious USB device by someone with the means and motivation to attack your OpenPGP smartcard will most likely be able to compromise your phone instead. Securely using cryptography on a compromised operating system is simply impossible. So in the end, it doesn't seem to make a difference: if the cable is malicious, you're done anyway. Even if it were encrypted, I think we still need to think about man-in-the-middle resistance of Secure Messaging. I think there's a distinct possibility it is only meant to thwart passive attacks, but I haven't looked into it. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From felix.klee at inka.de Sun Aug 26 11:12:32 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Sun, 26 Aug 2018 11:12:32 +0200 Subject: Communication with card reader encrypted? In-Reply-To: <3a75368e-2b7d-5671-c94e-22b4df3c2eac@digitalbrains.com> References: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> <3a75368e-2b7d-5671-c94e-22b4df3c2eac@digitalbrains.com> Message-ID: On Sun, Aug 26, 2018 at 10:41 AM, Peter Lebbing wrote: > The OpenPGP smartcard and generic smartcard protocols do define > "Secure Messaging", but I don't think this is commonly used for cabled > OpenPGP smartcards. Would be interesting to find out. > I think you'll need to trust the cable anyway, Well, if the cable is soldered to the reader, then it?s much harder to tamper with. Swapping a replaceable cable requires much less effort. Concerning key loggers for comparison: It is possible that the [attack at TAZ][1] would not have happened had the attacker to tamper with the victim?s keyboards, their computers, or their software. I would not be surprised if you can find USB cables on Alibaba that include sniffers and multiple GBs of flash memory for logging everything, for debugging of course. ;) [1]: http://www.taz.de/!5307828/ From peter at digitalbrains.com Sun Aug 26 11:31:13 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 26 Aug 2018 11:31:13 +0200 Subject: Communication with card reader encrypted? In-Reply-To: References: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> <3a75368e-2b7d-5671-c94e-22b4df3c2eac@digitalbrains.com> Message-ID: <7024d0ea-83b7-18d1-2ef4-dc826eef7fe2@digitalbrains.com> On 26/08/18 11:12, Felix E. Klee wrote: >> I think you'll need to trust the cable anyway, > > Well, if the cable is soldered to the reader, then it?s much harder > to tamper with. Swapping a replaceable cable requires much less > effort. I meant: even if the communication were encrypted and protected against men in the middle, you still cannot use a compromised cable, ever, since the compromised cable will compromise your entire phone instead of the encrypted communication. So avoiding the need of a separate cable altogether is indeed a possibility if you're concerned about this. However, you'll need to avoid cables for anything you plug into your phone, not just for your smartcard reader. If instead you just store your charger, its cable and your smartcard reader together, you can use that one cable for both charging your phone and using the smartcard reader. And clearly you'll need to protect all these parts against tampering, not just the smartcard reader, regardless of whether your smartcard reader has a lead or not. > [...] logging everything, for debugging of course. ;) Nah, for getting back that data you accidentally deleted ;-). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Mon Aug 27 11:51:52 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 27 Aug 2018 11:51:52 +0200 Subject: Communication with card reader encrypted? In-Reply-To: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> (Dirk Gottschalk via Gnupg-users's message of "Sun, 26 Aug 2018 00:31:56 +0200") References: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> Message-ID: <87efek16iv.fsf@wheatstone.g10code.de> On Sun, 26 Aug 2018 00:31, gnupg-users at gnupg.org said: > decrypted file itself could/would be read by a third party. The session > key is, in this moment, the least problematic thing on your system. Right. We assume physical security. The connection between the card reader and the host is not encrypted because that would require a key setup first and that would also be subject to key logging. Or you need to configure a session key on the host and on your reader. That would be very inconvenient. Communication between the host and the _card_ can indeed be encrypted but that is subject to the same problem. The common use case for this is to encrypt the communication between the card and a remote host utilizing the card (e.g. ATM and bank) but that a preshared key etc. has already been setup. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From m4rtntns at gmail.com Mon Aug 27 12:14:52 2018 From: m4rtntns at gmail.com (Martin T) Date: Mon, 27 Aug 2018 13:14:52 +0300 Subject: gpg not able to find my secret key In-Reply-To: References: <876000yjt6.fsf@wheatstone.g10code.de> Message-ID: On Fri, Aug 24, 2018 at 2:38 PM Damien Goutte-Gattat wrote: > > On 08/24/2018 07:47 AM, Martin T wrote: > > One more small question- in the output of "gpg --list-keys" or "gpg > > --list-secret-keys" I see two keys, but in the output of > > "gpg-connect-agent 'keyinfo --list' /bye" or "ls > > ~/.gnupg/private-keys-v1.d/" I see four keys with different hashes. > > Why is that so? > > When you say that you have two keys, do you mean two *primary* keys? If > so, each primary key probably has an encryption *subkey* (automatically > generated by GnuPG, that has been the default behavior of GnuPG for a > very long time), so you end up with four private keys. > > As for the fact that you see "different hashes", that's because `gpg > --list-keys` prints out the *fingerprints*, whereas gpg-agent's keyinfo > command prints out the *keygrips*. > > A fingerprint and a keygrip are both hashes of a public key, but they > are computed differently and don't serve the same purpose. Fingerprints > are specified by the OpenPGP format and uniquely identify an OpenPGP > key. Keygrips are used internally by gpg-agent to uniquely identify a > key independently of any protocol. > > > Damien > Damien, thanks! I indeed have two primary key-pairs and each primary key-pair has a subkey pair. When I execute "gpg --list-keys --with-keygrip", then I see the same four public key hashes as with "keyinfo --list" in gpg-connect-agent utility. Martin From felix.klee at inka.de Mon Aug 27 17:09:01 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Mon, 27 Aug 2018 17:09:01 +0200 Subject: Communication with card reader encrypted? In-Reply-To: <87efek16iv.fsf@wheatstone.g10code.de> References: <964a862d1a06bdd6360f50948b86c2dbbc0437ce.camel@googlemail.com> <87efek16iv.fsf@wheatstone.g10code.de> Message-ID: Thanks for clarification! On Mon, Aug 27, 2018 at 11:51 AM, Werner Koch wrote: > The connection between the card reader and the host is not encrypted > because that would require a key setup first and that would also be > subject to key logging. The host could provide a public encryption key to the card reader. Of course: * With a tampered USB cable, there still would be attacks possible, though different ones. That is, unless the reader can know the identify of the host, which would again require a priori exchange, so nothing gained. * This is very likely not part of the existing API (PC/SC?). From dkg at fifthhorseman.net Tue Aug 28 20:22:29 2018 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 28 Aug 2018 14:22:29 -0400 Subject: Issue with pinentry GUI agent In-Reply-To: <20180825081848.43e260fa@black> References: <20180825081848.43e260fa@black> Message-ID: <87mut65p22.fsf@fifthhorseman.net> On Sat 2018-08-25 08:18:48 +0200, sunrises at gmx.com wrote: > Hi all, since some days I'm having an issue with pinentry, I've set the default agent as pinentry-qt4 > from update-alternatives (I've also tried pinentry-qt and pinentry-gnome) but when I run gpg --decrypt file > it's always falling on the cli for prompting the password. In .gnupg/gpg-agent.conf as the first line I have > pinentry-program /usr/bin/pinentry-qt4 as well, but I don't get why it's ignoring it. > There's a way to debug what's going on? can you give a little bit more information about your system (OS, version, version of gpg, version of pinentry, etc), and how you're accessing it (e.g. via ssh, via a graphical environment, etc)? have you terminated your gpg-agent program ("gpgconf --kill gpg-agent") after updating your settings in ~/.gnupg/gpg-agent.conf so that the settings would take effect? --dkg From kristian.fiskerstrand at sumptuouscapital.com Wed Aug 29 00:41:18 2018 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Wed, 29 Aug 2018 00:41:18 +0200 Subject: Issue with pinentry GUI agent In-Reply-To: <87mut65p22.fsf@fifthhorseman.net> References: <20180825081848.43e260fa@black> <87mut65p22.fsf@fifthhorseman.net> Message-ID: <4b4d861e-33c6-b3eb-e17f-8f69818ef486@sumptuouscapital.com> On 08/28/2018 08:22 PM, Daniel Kahn Gillmor wrote: > On Sat 2018-08-25 08:18:48 +0200, sunrises at gmx.com wrote: >> Hi all, since some days I'm having an issue with pinentry, I've set the default agent as pinentry-qt4 >> from update-alternatives (I've also tried pinentry-qt and pinentry-gnome) but when I run gpg --decrypt file >> it's always falling on the cli for prompting the password. In .gnupg/gpg-agent.conf as the first line I have >> pinentry-program /usr/bin/pinentry-qt4 as well, but I don't get why it's ignoring it. >> There's a way to debug what's going on? > > can you give a little bit more information about your system (OS, > version, version of gpg, version of pinentry, etc), and how you're > accessing it (e.g. via ssh, via a graphical environment, etc)? > > have you terminated your gpg-agent program ("gpgconf --kill gpg-agent") > after updating your settings in ~/.gnupg/gpg-agent.conf so that the > settings would take effect? Not sure if it is related, but I'm currently also investigating an issue with the qt pinentry for Gentoo installations. no similar issues for the other ones.. I'm able to reproduce failures with the auto-spawned gpg-agent though, that doesn't materialize when calling the pinentry application directly in an environment. In this case the gtk2 pinentry works as expected though... but something is possibly off with the handling of DISPLAY (as far as I've gotten in my debugging that is the only diff in the env vars between the direct invocation and the bash propmpted one, it might not be ultimately relevant) -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- "The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only laws that applies in Australia is the law of Australia." (Malcolm Turnbull, Prime Minister of Australia). From ben at artfuldodge.io Wed Aug 29 16:00:46 2018 From: ben at artfuldodge.io (Ben Edwards) Date: Wed, 29 Aug 2018 15:00:46 +0100 Subject: exporting always prompts for password Message-ID: <1535550912.js0s0u4d62.astroid@greyskull.none> Is there any way to avoid having to pass in the password each time you do an export? I have a script that I want to use to roll the expiration of my keys that does does something like ``` gpg2 --import "$secret" fpr=$(gpg2 --with-colons -k | grep fpr | head -n1 | cut -d':' -f10) gpg2 --quick-set-expire "$fpr" 1y gpg2 --quick-set-expire "$fpr" 1y '*' gpg2 --armor --export-secret-keys "$fpr" >"$secret" gpg2 --armor --export-secret-subkeys "$fpr" >"$secret_subs" gpg2 --armor --export "$fpr" >"$public" ``` where `$secret` is a path to some armored backup of my keys.I would very much like it if I could adjust my invocations such that I am able 1) use a standard pinentry program and 2) only enter the password once. I have a working agent setup. Is such a thing possible? Best, Ben NB: I am well aware that the code that grabs the fingerprints is a bit janky. This is a work in progress. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From peter at digitalbrains.com Thu Aug 30 13:00:11 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 30 Aug 2018 13:00:11 +0200 Subject: exporting always prompts for password In-Reply-To: <1535550912.js0s0u4d62.astroid@greyskull.none> References: <1535550912.js0s0u4d62.astroid@greyskull.none> Message-ID: <38ac6175-d02b-141d-2f4d-7fe125d6e047@digitalbrains.com> On 29/08/18 16:00, Ben Edwards wrote: > Is there any way to avoid having to pass in the password each time you > do an export? For GnuPG 2.1 and above: GnuPG really needs to know the password to export an OpenPGP secret key. The key is stored on disk with a different encryption scheme than in the export, so a decrypt-encrypt cycle is needed to change the encryption scheme of the data. It looks like gpg-preset-passphrase has no effect for this particular application either. So I think you will have to pass the passphrase on each export invocation, unless someone else has an idea :-). I did once cobble together something that piped a passphrase from the agent passphrase cache back to the agent; more to see if it could be done. > I have a script that I want to use to roll the expiration > of my keys that does does something like Expiration is public data, why do you want to refresh the secret data as well? On restoration from backup, just import the stale secret data and then refresh it with the latest public data by importing that subsequently. The secret export includes a copy of the public data, so the secret data will indeed have stale expiration dates. But you can refresh it from a backup of the public data. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Thu Aug 30 15:46:08 2018 From: wk at gnupg.org (Werner Koch) Date: Thu, 30 Aug 2018 15:46:08 +0200 Subject: [Announce] GnuPG 2.2.10 released Message-ID: <87tvncvufz.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new GnuPG release: version 2.2.10. This is a maintenance release; see below for a list of fixed bugs. About GnuPG =========== The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. As an Universal Crypto Engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Noteworthy changes in version 2.2.10 ===================================- gpg: Refresh expired keys originating from the WKD. [#2917] gpg: Use a 256 KiB limit for a WKD imported key. gpg: New option --known-notation. [#4060] scd: Add support for the Trustica Cryptoucan reader. agent: Speed up starting during on-demand launching. [#3490] dirmngr: Validate SRV records in WKD queries. Release-info: https://dev.gnupg.org/T4112 Getting the Software ==================== Please follow the instructions found at or read on: GnuPG 2.2.10 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.10.tar.bz2 (6503k) https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.10.tar.bz2.sig An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here: https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.10_20180830.exe (3919k) https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.10_20180830.exe.sig The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. A new Gpg4win installer featuring this version of GnuPG will be available soon. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.10.tar.bz2 you would use this command: gpg --verify gnupg-2.2.10.tar.bz2.sig gnupg-2.2.10.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.10.tar.bz2, you run the command like this: sha1sum gnupg-2.2.10.tar.bz2 and check that the output matches the next line: 3e87504e2ca317718aa9b6299947ebf7e906b54e gnupg-2.2.10.tar.bz2 c67cde7dffc82d592dff8538ed1ac8c28cc7c33d gnupg-w32-2.2.10_20180830.tar.xz 682002bce9e45309179a09348df3b92a82bdc501 gnupg-w32-2.2.10_20180830.exe Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated. Documentation and Support ========================= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details availabale only in thee manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advise on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out . If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Thanks ====== Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs one full-time developer and two contractors. All work exclusively on GnuPG and closely related software like Libgcrypt and GPGME. We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and address all the small and larger requests made by our users. Thanks. Happy hacking, Your GnuPG hackers p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. p.p.s List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa3072 2017-03-17 [expires: 2027-03-15] Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. =========== -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dkg at fifthhorseman.net Thu Aug 30 16:26:12 2018 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 30 Aug 2018 10:26:12 -0400 Subject: [Announce] GnuPG 2.2.10 released In-Reply-To: <87tvncvufz.fsf@wheatstone.g10code.de> References: <87tvncvufz.fsf@wheatstone.g10code.de> Message-ID: <87k1o83p8b.fsf@fifthhorseman.net> On Thu 2018-08-30 15:46:08 +0200, Werner Koch wrote: > We are pleased to announce the availability of a new GnuPG release: > version 2.2.10. This is a maintenance release; see below for a list > of fixed bugs. thanks for this work! I note that https://gnupg.org/ftp/gcrypt/gnupg/ does not list 2.2.10 yet, though the file is already there. Can you make refreshing that index a part of the standard release process? it would help automated tools that scan that directory looking for new releases to pick up the new release. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Fri Aug 31 11:13:07 2018 From: wk at gnupg.org (Werner Koch) Date: Fri, 31 Aug 2018 11:13:07 +0200 Subject: [Announce] GnuPG 2.2.10 released In-Reply-To: <87k1o83p8b.fsf@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu, 30 Aug 2018 10:26:12 -0400") References: <87tvncvufz.fsf@wheatstone.g10code.de> <87k1o83p8b.fsf@fifthhorseman.net> Message-ID: <87h8jax5jw.fsf@wheatstone.g10code.de> On Thu, 30 Aug 2018 16:26, dkg at fifthhorseman.net said: > I note that https://gnupg.org/ftp/gcrypt/gnupg/ does not list 2.2.10 > yet, though the file is already there. It is there. > Can you make refreshing that index a part of the standard release > process? it would help automated tools that scan that directory looking > for new releases to pick up the new release. There is a cron job for it. You simply checked too early or I sent the announcement too early ;-) # Create HTML index files for the FTP server 20 1-23/2 * * * root /etc/mk-ftp-index.html.sh Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From Roman.Fiedler at ait.ac.at Fri Aug 31 19:11:58 2018 From: Roman.Fiedler at ait.ac.at (Fiedler Roman) Date: Fri, 31 Aug 2018 17:11:58 +0000 Subject: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled" Message-ID: <874899396fd84b039af389d00ac65fb4@ait.ac.at> Hello list, I am attempting to upgrade software to use gpg2 instead of gpg. After fixing the usual "Inappropriate ioctl for device" and "Sorry, we are in batchmode - can't get input" messages and applying all the gpg_agent security workarounds, I am now stuck at this sequence: The key generation command ['/usr/bin/gpg', '--homedir', '/tmp/tmp-3abk6l8', '--with-colons', '--status-fd', '2', '--pinentry-mode', 'loopback', '--batch', '--gen-key', '--command-fd', '0'] with the security-sensitive passphrase-input via the command-fd b'%echo Generating key\nKey-Type: RSA\nKey-Length: 1024\nSubkey-Type: ELG-E\nSubkey-Length: 1024\nName-Real: AutomationKey\nExpire-Date: 0\n%commit\n', will generate following output: gpg: keybox '/tmp/tmp-3abk6l8/pubring.kbx' created gpg: Generating key [GNUPG:] INQUIRE_MAXLEN 100 [GNUPG:] GET_HIDDEN passphrase.enter [GNUPG:] GOT_IT gpg: agent_genkey failed: Operation cancelled gpg: key generation failed: Operation cancelled [GNUPG:] ERROR key_generate 33554531 [GNUPG:] KEY_NOT_CREATED It seems that agent and gpg are going through some "brain-split" episode as the errors seem to indicate, that everyone is thinking the other party canceled the transfer. The strace indicates, that gnupg itself sends the "cancel" request to the agent and is astonished by the result - it cannot even give a meaningful error message about the current condition. As there is no other syscall activity, all the reasons for have to be in gpg2. 2138 write(2, "[GNUPG:] INQUIRE_MAXLEN 100", 27) = 27 2138 write(2, "\n", 1) = 1 2138 write(2, "[GNUPG:] GET_HIDDEN passphrase.enter", 36) = 36 2138 write(2, "\n", 1) = 1 2138 read(0, "", 1) = 0 2138 write(2, "[GNUPG:] GOT_IT", 15) = 15 --- not knowing what gnupg successfully got here as there is no passphrase to read 2138 write(2, "\n", 1) = 1 2138 write(3, "CAN", 3) = 3 --- Gnupg sending cancel 2138 write(3, "\n", 1) = 1 2138 read(3, 2142 read(9, "CAN\n", 1002) = 4 --- Agent reading cancel 2142 getpid() = 2141 2142 write(2, "gpg-agent[2141]: command 'GENKEY' failed: IPC call has been cancelled", 69) = 69 2142 write(2, "\n", 1) = 1 2142 write(9, "ERR 67109141 IPC call has been cancelled ", 52) = 52 --- Agent telling gnupg about cancel 2138 <... read resumed> "ERR 67109141 IPC call has been cancelled ", 1002) = 52 -- gpg reading cancel 2138 read(3, 2142 write(9, "\n", 1) = 1 2138 <... read resumed> "\n", 950) = 1 2138 write(2, "gpg: agent_genkey failed: Operation cancelled", 45) = 45 2138 write(2, "\n", 1) = 1 2138 write(2, "gpg: key generation failed: Operation cancelled", 47) = 47 2138 write(2, "\n", 1) = 1 2138 write(2, "[GNUPG:] ERROR key_generate 33554531", 36) = 36 2138 write(2, "\n", 1) = 1 2138 write(2, "[GNUPG:] KEY_NOT_CREATED ", 25) = 25 2138 write(2, "\n", 1) = 1 2138 read(0, "", 8192) = 0 2138 munmap(0x7faad0a44000, 65536) = 0 2138 exit_group(2) = ? 2138 +++ exited with 2 +++ Does someone know how to fix that? LG Roman