From sac at 300baud.de Fri Feb 1 09:58:45 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 09:58:45 +0100
Subject: [OT] Where can I find some papers to read on mail (and envelope) security?
In-Reply-To: <65f4a745-0113-f91c-7c17-c3460c09deaf@schokokeks.org>
References: <20190130163327.3c8a9135@300baud.de> <65f4a745-0113-f91c-7c17-c3460c09deaf@schokokeks.org>
Message-ID: <20190201095845.1966a479@300baud.de>

On Wed, 30 Jan 2019 21:36:15 +0100, Michael Kesper wrote:

Hi Michael,

> On 30.01.19 16:33, Stefan Claas wrote:
> > Interesting topic, which I am interested in as well. I started, as German
> > citizen, to use also epost Brief and De-Mail a while ago, when
> > communicating sometimes with friends, because I like those paid
> > services much more than the classical email PGP combo.
>
> You know that you use snake oil then?
> These services decrypt your e-mails to "protect you against viruses" [0].

It does not matter too much for me. My threat model is not so high and if I like to do so I can encrypt my mail and run it through codegroup. And with De-Mail people can put an OpenPGP pub key in their directory, so that people can get the pub key from there, regardless of which De-Mail service provider they use.

P.S. We should get back on topic from the OP, on how to send securely OpenPGP letters / postcards via regular mail. If one googles for the string "encrypted postcards" there are many links shown, from people who did that in the early 20th century. :-)

Best regards
Stefan

From Siemons at CleanFuels.nl Fri Feb 1 09:03:54 2019
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Fri, 1 Feb 2019 09:03:54 +0100
Subject: GPA errors when creating key pair
In-Reply-To:
References:
Message-ID: <0e7ae8bc-baeb-8412-1ef8-d24129c9350a@CleanFuels.nl>

Dear List,

I am trying to help somebody to set up GPG4Win. He uses Win10. Trying to create a new key pair using GPA, GPA returns:

"The GPGME library returned an unexpected error at gpagenkeyadvop.c:163.
The error was: Invalid argument"

How can this be resolved?

Greetz,
--
Roland Siemons
Haaksbergerstraat 205
ENSCHEDE
t: O645616734

From Siemons at CleanFuels.nl Fri Feb 1 10:05:23 2019
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Fri, 1 Feb 2019 10:05:23 +0100
Subject: Fwd: GPA errors when creating key pair
In-Reply-To: <0e7ae8bc-baeb-8412-1ef8-d24129c9350a@CleanFuels.nl>
References: <0e7ae8bc-baeb-8412-1ef8-d24129c9350a@CleanFuels.nl>
Message-ID: <32945592-71b8-8084-d52a-d23e9ef3f2d0@CleanFuels.nl>

An HTML attachment was scrubbed...
URL:

From chrisbcoutinho at gmail.com Fri Feb 1 12:26:03 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Fri, 1 Feb 2019 12:26:03 +0100
Subject: gpg-agent forwarding to remote with systemd - status?
In-Reply-To:
References:
Message-ID:

I should add that the remote is OpenSUSE Leap 15.0 running GnuPG 2.2.5, and my current client is OpenSUSE Leap 15.0 running WSL on Windows 10, also running GnuPG 2.2.5. The WSL client doesn't have systemd installed on it, so it uses the old ~/.gnupg directory for holding sockets.

On client:

$ gpgconf --list-dir socketdir
/home/chris/.gnupg

On remote:

$ gpgconf --list-dir socketdir
/run/user/1001/gnupg

Regards,
Chris

On Fri, 1 Feb 2019 at 11:42, Chris Coutinho wrote:
>
> Hi,
>
> I'm trying to forward my local gpg-agent over ssh to a remote that
> controls the gnupg sockets via systemd. This fails because sshd
> attempts to place the socket in a directory that doesn't exist,
> because that is handled on the remote by systemd.
>
> This issue was raised back in 2016:
>
> https://gnupg-users.gnupg.narkive.com/eYVmOa2h/agent-forwarding-failure-when-the-socketdir-was-autodeleted
>
> It was suggested in that thread to place `gpgconf --create-socketdir`
> in '.bashrc' to create the proper directory, but this doesn't work in
> my case because on the remote the directory is created/deleted by
> systemd and shell scripts are sourced after ssh attempts to place the
> socket.
>
> From my limited understanding of the issue, it seems that it wasn't
> clear in what project the solution should be (openssh, systemd,
> gnupg).
>
> Is there an update regarding this issue, or any proposed workarounds
> for systemd-based remotes?
>
> Regards,
> Chris

From chrisbcoutinho at gmail.com Fri Feb 1 11:42:27 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Fri, 1 Feb 2019 11:42:27 +0100
Subject: gpg-agent forwarding to remote with systemd - status?
Message-ID:

Hi,

I'm trying to forward my local gpg-agent over ssh to a remote that controls the gnupg sockets via systemd. This fails because sshd attempts to place the socket in a directory that doesn't exist, because that is handled on the remote by systemd.

This issue was raised back in 2016:

https://gnupg-users.gnupg.narkive.com/eYVmOa2h/agent-forwarding-failure-when-the-socketdir-was-autodeleted

It was suggested in that thread to place `gpgconf --create-socketdir` in '.bashrc' to create the proper directory, but this doesn't work in my case because on the remote the directory is created/deleted by systemd and shell scripts are sourced after ssh attempts to place the socket.

From my limited understanding of the issue, it seems that it wasn't clear in what project the solution should be (openssh, systemd, gnupg).

Is there an update regarding this issue, or any proposed workarounds for systemd-based remotes?

Regards,
Chris

From sac at 300baud.de Fri Feb 1 17:37:51 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 17:37:51 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on mail (and envelope) security?)
In-Reply-To: <20190130215006.6f436b0b@300baud.de>
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de>
Message-ID: <20190201173751.4a95bcc4@300baud.de>

On Wed, 30 Jan 2019 21:50:06 +0100, Stefan Claas wrote:

> On Wed, 30 Jan 2019 21:23:56 +0100, Peter Lebbing wrote:
>
> > On 30/01/2019 20:44, Stefan Claas wrote:
> > > But which one ... ;-) I may check this again with a friend.
> >
> > Well there are the classical options:
> >
> >
> >
> > Debian provides free fonts like that as packages fonts-ocr-a and
> > fonts-ocr-b, which come from:
> >
> > and
> >
>
> Thanks, I will take a look!

O.k. just did some tests again with old .pdf's containing images of scanned text and then also used a jpeg image (small resolution) with the free tesseract.

Tesseract did not do a good job, too many errors.

Then I googled a bit and ... Google can do it.

According to a youtube video you need a gmail account, upload to Google Drive and then from there open the image or pdf with Google Docs, which does imho the best job I have seen so far.

I will do more tests, once time permits.

Regards
Stefan

From justina at colmena.biz Fri Feb 1 05:43:35 2019
From: justina at colmena.biz (justina colmena)
Date: Thu, 31 Jan 2019 19:43:35 -0900
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190130234741.3e8ce8af@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de>
Message-ID:

On January 30, 2019 1:47:41 PM AKST, Stefan Claas wrote:
>On Wed, 30 Jan 2019 12:46:26 -0800, Allen M. Juinio wrote:
>> > Date: Wed, 30 Jan 2019 20:44:07 +0100
>> > From: Stefan Claas
>
>> > On the other side I wish PGPfone would have been further developed.
>> > I found it, way back then, pretty cool and super easy to use, compared
>> > to PGP or GnuPG.
>
>> Have you tried using Signal from Open Whisper Systems? They have both an Android and Apple version.
>
>Thanks, I am aware of Signal, but what I mean is to communicate directly
>and not via servers and also by not giving away phone numbers.
>
>With PGPfone one needed only the (current) IP address of its communication
>partner and then connected directly, without any servers involved.
>
>Regards
>Stefan
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

I don't mean to sound rude or out of place, but there appear to be too many distractions to have a productive discussion on this list, and there are some critical issues, because GnuPG has become an essential part of many important systems throughout the free and open source software community.

The weekly "digest" option for the mailing list should be no-reply. People who wish to participate in a pointed or on-topic discussion really need to receive each email message independently.

I realize it's a German domain, but 300baud.de is just really obnoxious in English. The phrase "300 baud" itself is, of course, completely unobjectionable hacker lore, but baud+de = "bawdy" as in "bawdy house" which is extremely vulgar in English. Only for the gentlemen. That sort of "humor" is not friendly to women and children, and I know especially a lot of women and girls would otherwise be very interested in cryptography, PGP-encrypted email, etc. Let's lose the vulgarity and focus on Alice's secret message to Bob, something Eve or Mallory has no need to know, basic elements of what needs to be done right with respect to the core functionality of GnuPG.

Not to advertise, but my own domain is the Spanish word "colmena" (hive, colony of bees, beehive in English) with the "biz" tld, slang for "business." Bees are busy, and they make that buzzing noise. Point being, it's entirely possible to avoid a lewd implication or double entendre. I can't let people take me for all honey and no sting with my domain.
With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption. If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other side-channel attacks which often trivially reveal a muffled but clear recording and transcript. The human voice is in a certain sense "too rich" to hide or conceal, and the Bible tells of a "line" of every signal or sound that extends to be heard to the ends of the earth, and of the ungodly that "the sound of his words shall come unto the Lord for the manifestation of his wicked deeds."

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/contacto.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL:

From sac at 300baud.de Fri Feb 1 19:44:34 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 19:44:34 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on mail (and envelope) security?)
In-Reply-To:
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
Message-ID: <20190201194434.42338084@300baud.de>

On Fri, 1 Feb 2019 17:53:09 +0100, Dirk-Willem van Gulik wrote:

> It is a bit of a hack - and quite setting specific for us - but we've been using
>
> https://github.com/dirkx/gpg-offline-batch-key-
>
> and had to occasionally recover keys (every few years or so).
>
> Typical output below.

Thanks for the info! I had a quick look at the source code and as understood it uses QR-Codes, which I have played also in the past with.
However, I am currently interested in using codegroup armor so that it can be printed too and then read properly (hopefully) with OCR solutions. Maybe a bit old fashioned, but worth a try imho, because in case OCR fails one could type it in manually, if they are short encrypted messages.

Regards
Stefan

From dirkx at webweaving.org Fri Feb 1 20:01:58 2019
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 1 Feb 2019 20:01:58 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on mail (and envelope) security?)
In-Reply-To: <20190201194434.42338084@300baud.de>
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de> <20190201194434.42338084@300baud.de>
Message-ID: <57AAA991-E579-49E6-8996-DEA8A065188B@webweaving.org>

On 1 Feb 2019, at 19:44, Stefan Claas wrote:
> On Fri, 1 Feb 2019 17:53:09 +0100, Dirk-Willem van Gulik wrote:
>
>> It is a bit of a hack - and quite setting specific for us - but we've been using
>>
>> https://github.com/dirkx/gpg-offline-batch-key-
>
> However, I am currently interested in using codegroup armor
> so that it can be printed too and then read properly (hopefully)
> with OCR solutions.

Yes - if you look at the next pages in the example - that is what is being done there.

With specific care taken to minimise what one has to enter.

So one can either OCR the written text, use the QR code or enter it by hand.

Over the years we've come to rely on this a lot - and regularly had to resort to manual entry or OCR ing of the numbers.

Dw.
From sac at 300baud.de Fri Feb 1 20:05:58 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 20:05:58 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To:
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de>
Message-ID: <20190201200558.34a720eb@300baud.de>

On Thu, 31 Jan 2019 19:43:35 -0900, justina colmena wrote:

> With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption.
> If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note
> that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other
> side-channel attacks which often trivially reveal a muffled but clear recording and transcript.

Thanks for the info, but I do not want to install server software, for encrypted communications, where 3rd parties could have theoretically access to it.

Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further so that it can be used on Linux too or modern macOS. The old Windows version still runs fine, under Windows 7, for example.

Regards
Stefan

P.S. About my domain name, for the interested women or children, please take a look here: https://en.wikipedia.org/wiki/Baud

From sheogorath at shivering-isles.com Fri Feb 1 18:20:22 2019
From: sheogorath at shivering-isles.com (Sheogorath)
Date: Fri, 1 Feb 2019 18:20:22 +0100
Subject: WKD with HTTP redirect possible?
Message-ID:

Hi,

I have a domain with a catchall setup. So I wonder if I can just setup a HTTP redirect to my main key so WKD works fine. So far it seems to fail. The standard basically says that the GET request has to return the binary key, which is quite unhandy in this case. I mean, not impossible to build, but feels wrong to me.
Also, and that's not overly important, but given that WKD discovers a key, downloads it and it's not containing the mail address, is this key still used for the communication or is it ignored? Does it throw an error? Even with `-vv` set I couldn't really figure out.

Version used (on Fedora 29):
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4

--
Signed
Sheogorath
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From sac at 300baud.de Fri Feb 1 20:19:35 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 20:19:35 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on mail (and envelope) security?)
In-Reply-To: <57AAA991-E579-49E6-8996-DEA8A065188B@webweaving.org>
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de> <20190201194434.42338084@300baud.de> <57AAA991-E579-49E6-8996-DEA8A065188B@webweaving.org>
Message-ID: <20190201201935.3b8eb1ee@300baud.de>

On Fri, 1 Feb 2019 20:01:58 +0100, Dirk-Willem van Gulik wrote:

> On 1 Feb 2019, at 19:44, Stefan Claas wrote:

> > However, I am currently interested in using codegroup armor
> > so that it can be printed too and then read properly (hopefully)
> > with OCR solutions.
>
> Yes - if you look at the next pages in the example - that is what is being done there.
>
> With specific care taken to minimise what one has to enter.
>
> So one can either OCR the written text, use the QR code or enter it by hand.
>
> Over the years we've come to rely on this a lot - and regularly had to resort to manual entry or OCR ing of the
> numbers.

Oh, sorry, then I have to take a closer look again! Many thanks for pointing this out!
Regards
Stefan

From peter at digitalbrains.com Fri Feb 1 20:23:26 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 1 Feb 2019 20:23:26 +0100
Subject: OpenPGP on paper
In-Reply-To: <20190201173751.4a95bcc4@300baud.de>
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
Message-ID:

On 01/02/2019 17:37, Stefan Claas wrote:
> Tesseract did not do a good job, too many errors.

Just an idea: OCR'ing a special OCR font like the two classics I mentioned will go a lot better if the OCR engine *knows* it is looking at that font. They designed the glyphs to be dissimilar. I don't know if there are any free software OCR engines that can restrict themselves to a specific font, I'm just reasoning about it without domain knowledge.

Also, if you choose an encoding that avoids similar glyphs like one and ell, zero and oh, etcetera, your miss rate should go down.

> Then I googled a bit and ... Google can do it.

That doesn't seem useful for secret letters. And I don't think you'll get an offline engine which has been trained like theirs from them.

HTH,

Peter.

PS: Could you remove the (was: ...) bit from the subject in replies? I think I'll stop doing that type of formatting from now on. I saw it being used quite some time back and when it works it's okay, so I followed suit. But it's not working that well anymore.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:

From sac at 300baud.de Fri Feb 1 21:06:16 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 21:06:16 +0100
Subject: OpenPGP on paper
In-Reply-To:
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
Message-ID: <20190201210616.0a6ef14a@300baud.de>

On Fri, 1 Feb 2019 20:23:26 +0100, Peter Lebbing wrote:

> On 01/02/2019 17:37, Stefan Claas wrote:
> > Tesseract did not do a good job, too many errors.
>
> Just an idea: OCR'ing a special OCR font like the two classics I
> mentioned will go a lot better if the OCR engine *knows* it is looking
> at that font. They designed the glyphs to be dissimilar. I don't know if
> there are any free software OCR engines that can restrict themselves to
> a specific font, I'm just reasoning about it without domain knowledge.
>
> Also, if you choose an encoding that avoids similar glyphs like one and
> ell, zero and oh, etcetera, your miss rate should go down.

Well, I googled a bit and it seems one has to train tesseract to give good results. As understood Google's engine uses also tesseract, but it must be trained then pretty good, I assume.

> > Then I googled a bit and ... Google can do it.
>
> That doesn't seem useful for secret letters. And I don't think you'll
> get an offline engine which has been trained like theirs from them.

Probably not, but I thought to share my findings.

> PS: Could you remove the (was: ...) bit from the subject in replies? I
> think I'll stop doing that type of formatting from now on. I saw it
> being used quite some time back and when it works it's okay, so I
> followed suit. But it's not working that well anymore.

Sorry, I always overlook this ...
Regards
Stefan

From dirkx at webweaving.org Fri Feb 1 17:53:09 2019
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 1 Feb 2019 17:53:09 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on mail (and envelope) security?)
In-Reply-To: <20190201173751.4a95bcc4@300baud.de>
References: <20190130163327.3c8a9135@300baud.de> <20190130204407.4c195dc7@300baud.de> <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
Message-ID:

> On 1 Feb 2019, at 17:37, Stefan Claas wrote:
>
> On Wed, 30 Jan 2019 21:50:06 +0100, Stefan Claas wrote:
>> On Wed, 30 Jan 2019 21:23:56 +0100, Peter Lebbing wrote:
>>
>>> On 30/01/2019 20:44, Stefan Claas wrote:
>>>> But which one ... ;-) I may check this again with a friend.
>>>
>>> Well there are the classical options:
>>>
>>>
>>>
>>> Debian provides free fonts like that as packages fonts-ocr-a and
>>> fonts-ocr-b, which come from:
>>>
>>> and
>>>
>>
>> Thanks, I will take a look!
>
> O.k. just did some tests again with old .pdf's containing images
> of scanned text and then also used a jpeg image (small resolution)
> with the free tesseract.
>
> Tesseract did not do a good job, too many errors.
>
> Then I googled a bit and ... Google can do it.
>
> According to a youtube video you need a gmail account, upload to
> Google Drive and then from there open the image or pdf with
> Google Docs, which does imho the best job I have seen so far.
>
> I will do more tests, once time permits.

It is a bit of a hack - and quite setting specific for us - but we've been using

https://github.com/dirkx/gpg-offline-batch-key-

and had to occasionally recover keys (every few years or so).

Typical output below.

Dw.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: privkey.pdf.pdf
Type: application/pdf
Size: 211080 bytes
Desc: not available
URL:
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From justina at colmena.biz Sat Feb 2 04:26:21 2019
From: justina at colmena.biz (justina colmena)
Date: Fri, 01 Feb 2019 18:26:21 -0900
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190201200558.34a720eb@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de>
Message-ID:

On February 1, 2019 10:05:58 AM AKST, Stefan Claas wrote:
>On Thu, 31 Jan 2019 19:43:35 -0900, justina colmena wrote:
>
>> With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption.
>> If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note
>> that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other
>> side-channel attacks which often trivially reveal a muffled but clear recording and transcript.
>
>Thanks for the info, but I do not want to install server software, for encrypted communications,
>where 3rd parties could have theoretically access to it.
>
>Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
>so that it can be used on Linux too or modern macOS. The old Windows version still runs
>fine, under Windows 7, for example.
>
>Regards
>Stefan
>
>P.S. About my domain name, for the interested women or children, please take
>a look here: https://en.wikipedia.org/wiki/Baud

I am definitely not asking anyone to install anything for my use. I'm just trying to explain AFAIK, what you need to do if you want to experiment with voice encryption.
I don't want to be held responsible for it or arrested for it any more than anyone else, and I'm also trying to explain how some of these things come across to authorities who continually and repeatedly insist on viewing all such matters in the worst possible light.

Didn't Martin Luther say to place the best construction on all things? But no, we must submit to "parallel construction" and falsely sworn warrants by over-informed and under-educated law enforcement officers.

"Thou shalt not bear false witness" and all that, and we just had a holiday, Dr. Martin Luther King Jr. day - and that's right, now that I think about it - not only a doctorate like his German namesake, but his father and grandfather and their wives must have been staunch Lutherans as well, in so far as to name one son after another after him.

There is so much Catholic insistence on communist totalitarianism under a papal dictatorship of the proletariat, and opposition in the name of that religion to every precept of human rights and due process of law, that even the Finnish Protestants preach "oikeutta" & "lain oikeaa käyttöä" in church, because like us they have not attained to such rights and freedoms in this life on Earth, and so the struggle continues against Catholicism.

The full name of "baud" is "Baudot," a Frenchman, if I recall correctly, a contemporary of Hartley or Shannon, definitely a co-worker on such matters. Living relatives? Is it another family feud? France is practically at war already with a migrant situation, the recent Europol or Interpol shake-up with China or Russia or South Korea, general E.U. upheaval, Brexit sympathies, and so on and so forth.

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/contacto.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL:

From jhs at berklix.com Sat Feb 2 14:02:32 2019
From: jhs at berklix.com (Julian H. Stacey)
Date: Sat, 02 Feb 2019 14:02:32 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: Your message "Fri, 01 Feb 2019 18:26:21 -0900."
Message-ID: <201902021302.x12D2WEt060862@fire.js.berklix.net>

Message-id:
Date: Fri, 01 Feb 2019 18:26:21 -0900 (Sat 04:26 CET)
From justina colmena had nothing relevant to list remit
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Cheers,
Julian
--
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
http://www.berklix.uk/brexit/#email_an_mp

From vedaal at nym.hush.com Sun Feb 3 06:12:07 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Sun, 03 Feb 2019 00:12:07 -0500
Subject: pgp-phone (was Gnupg-users Digest, Vol 184, Issue 22)
In-Reply-To: <20190201200558.34a720eb@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de>
Message-ID: <20190203051207.61504C06D8@smtp.hushmail.com>

On 2/1/2019 at 2:48 PM, "Stefan Claas" wrote:

Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further so that it can be used on Linux too or modern macOS. The old Windows version still runs fine, under Windows 7, for example.

=====

Can be done on Ubuntu, or any Linux OS running Oracle Virtual Box with win 7, (and maybe on VB with old dos 6,2, but have not actually tried it on dos)

vedaal
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rjh at sixdemonbag.org Sun Feb 3 10:14:06 2019
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Sun, 3 Feb 2019 04:14:06 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190201200558.34a720eb@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de>
Message-ID: <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>

> Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
> so that it can be used on Linux too or modern macOS. The old Windows version still runs
> fine, under Windows 7, for example.

Why?

It's a serious question. What exact feature set was there present in PGPfone which you believe is not easily available with out-of-the-box software solutions?

From sac at 300baud.de Sun Feb 3 12:49:06 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 12:49:06 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
Message-ID: <20190203124906.57ef92c6@300baud.de>

On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:

> > Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
> > so that it can be used on Linux too or modern macOS. The old Windows version still runs
> > fine, under Windows 7, for example.
>
> Why?
>
> It's a serious question. What exact feature set was there present in
> PGPfone which you believe is not easily available with out-of-the-box
> software solutions?

What I liked about PGPfone was that you could directly connect to your communications partner, without any servers involved and it was super easy to use. You simply put in the (current) IP address, connect and then read some displayed letters to each other, to prevent MITM, and then communicated. There was no learning curve involved.
I think I have to look harder to find a cross-platform FOSS solution that works the same.

Regards
Stefan

From sac at 300baud.de Sun Feb 3 12:51:10 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 12:51:10 +0100
Subject: pgp-phone (was Gnupg-users Digest, Vol 184, Issue 22)
In-Reply-To: <20190203051207.61504C06D8@smtp.hushmail.com>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <20190203051207.61504C06D8@smtp.hushmail.com>
Message-ID: <20190203125110.2cdf27c6@300baud.de>

On Sun, 03 Feb 2019 00:12:07 -0500, vedaal via Gnupg-users wrote:

> On 2/1/2019 at 2:48 PM, "Stefan Claas" wrote: Maybe someone, in the
> future, can pick-up the idea of PGPfone and develop it further
> so that it can be used on Linux too or modern macOS. The old Windows
> version still runs
> fine, under Windows 7, for example.
>
> =====
> Can be done on Ubuntu, or any Linux OS running Oracle Virtual Box with
> win 7, (and maybe on VB with old dos 6,2, but have not actually tried
> it on dos)
> vedaal

Thanks for the info, much appreciated. What I don't remember is if the used ciphers in PGPFone are still safe nowadays. Have to look for that.

Regards
Stefan

From rjh at sixdemonbag.org Sun Feb 3 17:48:28 2019
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 3 Feb 2019 11:48:28 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203124906.57ef92c6@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de>
Message-ID: <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>

> What I liked about PGPfone was that you could directly connect to your
> communications partner, without any servers involved and it was super
> easy to use.
You simply put in the (current) IP address, connect and then
> read some displayed letters to each other, to prevent MITM, and then
> communicated. There was no learning curve involved.

In the era before NAT, this may have made sense. In today's NAT-pervasive era, not so much.

Under NAT, your IP address is hidden from the rest of the internet. The address my router gives me is not one the outside world can use to route information to me; and if I go to a website that lists my IP, that's actually my router's IP, not mine.

I won't go into how NAT works except to say that under NAT, connections cannot[1] be made from one peer to another. You need a server that's not NATted in order to facilitate connections between peers.

So -- I hate to be the one to tell you this, but the architecture of the internet has changed dramatically since PGPfone was released in ... what was it, '94? Today, one of the major purposes of these servers is to facilitate traversing NATs.

[1] It's technically possible to do peer to peer behind NAT, but beyond the technical capabilities of the vast majority of users.

From sac at 300baud.de Sun Feb 3 20:12:19 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 20:12:19 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
Message-ID: <20190203201219.72824c1e@300baud.de>

On Sun, 3 Feb 2019 11:48:28 -0500, Robert J. Hansen wrote:

> > What I liked about PGPfone was that you could directly connect to your
> > communications partner, without any servers involved and it was super
> > easy to use.
> > You simply put in the (current) IP Address, connect and then
> > read some displayed letters to each other, to prevent MITM, and then
> > communicated. There was no learning curve involved.
>
> In the era before NAT, this may have made sense. In today's
> NAT-pervasive era, not so much.
>
> Under NAT, your IP address is hidden from the rest of the internet. The
> address my router gives me is not one the outside world can use to route
> information to me; and if I go to a website that lists my IP, that's
> actually my router's IP, not mine.

Well, I can only say last time I used PGPfone was in 2014, with a friend.
We both used a website that showed us our IP addresses and it worked
fine. We only had to set UDP port 17447 in our routers, for incoming
and outgoing connections.

I currently have no Windows box, otherwise I would try it out again
and let you know.

Regards
Stefan

From sac at 300baud.de Sun Feb 3 20:52:00 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 20:52:00 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203201219.72824c1e@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org> <20190203201219.72824c1e@300baud.de>
Message-ID: <20190203205200.620c6453@300baud.de>

On Sun, 3 Feb 2019 20:12:19 +0100, Stefan Claas wrote:

> Well, I can only say last time I used PGPfone was in 2014, with a friend.
> We both used a website that showed us our IP addresses and it worked
> fine. We only had to set UDP port 17447 in our routers, for incoming
> and outgoing connections.
>
> I currently have no Windows box, otherwise I would try it out again
> and let you know.

Maybe, if such a software would see the light again it could be done
via Tor usage, like Onionshare works.
People set up a Tor Hidden Service on their own computer, like Onionshare
does and then you provide the .onion address to the caller ...

Regards
Stefan

From justina at colmena.biz Sun Feb 3 20:56:54 2019
From: justina at colmena.biz (justina colmena)
Date: Sun, 03 Feb 2019 10:56:54 -0900
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
Message-ID:

On February 3, 2019 7:48:28 AM AKST, "Robert J. Hansen" wrote:

>> What I liked about PGPfone was that you could directly connect to your
>> communications partner, without any servers involved and it was super
>> easy to use. You simply put in the (current) IP Address, connect and then
>> read some displayed letters to each other, to prevent MITM, and then
>> communicated. There was no learning curve involved.
>
>In the era before NAT, this may have made sense. In today's
>NAT-pervasive era, not so much.
>
>Under NAT, your IP address is hidden from the rest of the internet. The
>address my router gives me is not one the outside world can use to route
>information to me; and if I go to a website that lists my IP, that's
>actually my router's IP, not mine.
>
>I won't go into how NAT works except to say that under NAT, connections
>cannot[1] be made from one peer to another. You need a server that's
>not NATted in order to facilitate connections between peers.
>
>So -- I hate to be the one to tell you this, but the architecture of the
>internet has changed dramatically since PGPfone was released in ... what
>was it, '94? Today, one of the major purposes of these servers is to
>facilitate traversing NATs.
>
>
>[1] It's technically possible to do peer to peer behind NAT, but beyond
>the technical capabilities of the vast majority of users.

The official answer to NAT is IPv6. Works quite well, except for a few
technology luddites.

Other than that, my place was SWATted about 1:30am last night. The
previous night the phone rang at 4:38am, caller ID from Washington, D.C.
A strange car had been parked at my place, listening for the phone to
ring. We've got to think outside the box on that one. There's a German
pub down the street, the "West Berlin," just across from the local
telephone office, GCI, yes, luddites, all NAT, no IPv6. Gotta go AT&T
for that. So think reality: location, location, location.

It's S.O.P. for the C.C.C., and no, we're not talking about the Civilian
Conservation Corps. Young white male cops on the graveyard shift, amped
up on adrenaline and testosterone, brash and eager to make their bones
on a big bust. That color-of-law stuff from the feds is starting to get
to them.

Talk too much on the phone, and there's bound to be some girl or female
operator pressing charges by the minute. "Get off my block, bitch, I'm
listening!" she mutters in a sleepy voice. It's the Democratic boiler
room Party line. The ladies have a stranglehold on the telephone
surveillance business, yes, those ladies, meaning none other than Dianne
Feinstein and friends on the Senate Intelligence Committee, Eve and
Mallory listening to Alice and Bob.

--
A well regulated Militia, being necessary to the security of a free
State, the right of the people to keep and bear Arms, shall not be
infringed.
https://www.colmena.biz/~justina/contacto.php
From jhs at berklix.com Sun Feb 3 21:39:33 2019
From: jhs at berklix.com (Julian H. Stacey)
Date: Sun, 03 Feb 2019 21:39:33 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: Your message "Sun, 03 Feb 2019 10:56:54 -0900."
Message-ID: <201902032039.x13KdXPD022271@fire.js.berklix.net>

justina at colmena.biz
Emitted more politics not to list remit.

http://lists.gnupg.org/mailman/admin/gnupg-users/privacy/sender
has eg reject_these_nonmembers etc

Cheers,
Julian
--
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent

From juergen at bruckner.tk Sun Feb 3 21:43:34 2019
From: juergen at bruckner.tk (Juergen Bruckner)
Date: Sun, 3 Feb 2019 21:43:34 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203124906.57ef92c6@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de>
Message-ID: <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>

Hello Stefan,

ever had a look at "Jami" (formerly 'ring') [1]

regards
Juergen

[1] https://jami.net/

On 03.02.19 at 12:49, Stefan Claas wrote:
> On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:
>>> Maybe someone, in the future, can pick up the idea of PGPfone and develop it further
>>> so that it can be used on Linux too or modern macOS. The old Windows version still runs
>>> fine, under Windows 7, for example.
>>
>> Why?
>>
>> It's a serious question. What exact feature set was there present in
>> PGPfone which you believe is not easily available with out-of-the-box
>> software solutions?
>
> What I liked about PGPfone was that you could directly connect to your
> communications partner, without any servers involved and it was super
> easy to use.
> You simply put in the (current) IP Address, connect and then
> read some displayed letters to each other, to prevent MITM, and then
> communicated. There was no learning curve involved.
>
> I think I have to look harder to find a cross-platform FOSS solution
> that works the same.
>
> Regards
> Stefan
>

--
Juergen M. Bruckner
juergen at bruckner.tk

From sac at 300baud.de Sun Feb 3 21:56:49 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 21:56:49 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>
Message-ID: <20190203215649.36ace68b@300baud.de>

On Sun, 3 Feb 2019 21:43:34 +0100, Juergen Bruckner wrote:

Hi Juergen,

> ever had a look at "Jami" (formerly 'ring') [1]
>
>
> regards
> Juergen
>
> [1] https://jami.net/

Thanks a lot, will look into it.
Regards
Stefan

From juergen at bruckner.tk Sun Feb 3 22:01:25 2019
From: juergen at bruckner.tk (Juergen Bruckner)
Date: Sun, 3 Feb 2019 22:01:25 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203215649.36ace68b@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk> <20190203215649.36ace68b@300baud.de>
Message-ID:

Hi Stefan,

you're welcome! :)
I really don't know how far the development of this software is.
They did introduce their project to a few people at the FOSDEM 2016.

And if I remember right they did get a funding by the p≡p Foundation;
but not fully sure about this last point.

regards
Juergen

On 03.02.19 at 21:56, Stefan Claas wrote:
> On Sun, 3 Feb 2019 21:43:34 +0100, Juergen Bruckner wrote:
>
> Hi Juergen,
>
>> ever had a look at "Jami" (formerly 'ring') [1]
>>
>>
>> regards
>> Juergen
>>
>> [1] https://jami.net/
>
> Thanks a lot, will look into it.
>
> Regards
> Stefan
>

--
Juergen M. Bruckner
juergen at bruckner.tk

From rjh at sixdemonbag.org Mon Feb 4 05:38:35 2019
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Sun, 3 Feb 2019 23:38:35 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203201219.72824c1e@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org> <20190203201219.72824c1e@300baud.de>
Message-ID: <8b48d702-11f0-8fa7-810b-3d38de602aa3@sixdemonbag.org>

> Well, I can only say last time I used PGPfone was in 2014, with a friend.
> We both used a website that showed us our IP addresses and it worked
> fine. We only had to set UDP port 17447 in our routers, for incoming
> and outgoing connections.

"All you had to do" was:

(a) understand computer networking well enough to understand what you
needed to do,

(b) know your router could be used to do port forwarding,

(c) log into your router, navigate bad UX,

(d) probably switch your DHCP allocation to a static one, so you
wouldn't have to do this again every time you acquired a new DHCP lease,

(e) and on and on and on.

No, PGPfone was not "easier to use". The skills required to use it were
far in excess of what most users possessed.

I get that you liked PGPfone. Nothing wrong with that. But there are
good reasons it failed to get traction in the privacy community, most of
them revolving around user-unfriendliness and inconvenience.
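The step described earlier in this thread, where both callers "read some displayed letters to each other, to prevent MITM", is a short-authentication-string check. The sketch below is an added example, not PGPfone's code or its actual algorithm; the group parameters, the hash label and the 8-letter encoding are assumptions made for illustration. It shows why the letters match on a direct call and differ when a relay has put its own key in the middle.

```python
import base64
import hashlib
import secrets

# Demonstration group only (assumption): the prime 2**255 - 19, generator 2.
# Production software would take a vetted group or X25519 from a crypto library.
P = 2**255 - 19
G = 2


def keypair(priv=None):
    """Return (private, public) for one ephemeral Diffie-Hellman exchange."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2
    return priv, pow(G, priv, P)


def check_public(pub):
    """Reject degenerate peer values that would force a predictable secret."""
    if not 2 <= pub <= P - 2:
        raise ValueError("peer public value out of range")
    return pub


def _enc(n):
    """Fixed-width encoding so the hashed transcript is unambiguous."""
    return n.to_bytes(32, "big")


def sas(my_priv, peer_pub, caller_pub, callee_pub):
    """Derive the letters one side displays and reads aloud.

    The hash covers both public values exactly as this side saw them plus the
    shared secret, so any key substitution on the path changes the letters.
    """
    shared = pow(check_public(peer_pub), my_priv, P)
    digest = hashlib.sha256(
        b"sas-demo-v1" + _enc(caller_pub) + _enc(callee_pub) + _enc(shared)
    ).digest()
    letters = base64.b32encode(digest[:5]).decode("ascii")  # 40 bits, 8 chars
    return letters[:4] + "-" + letters[4:]


def direct_call(a_priv=None, b_priv=None):
    """Both ends exchange public values without interference."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    caller = sas(a_priv, b_pub, a_pub, b_pub)
    callee = sas(b_priv, a_pub, a_pub, b_pub)
    return caller, callee


def relayed_call(a_priv=None, b_priv=None, m_priv=None):
    """A relay substitutes its own public value towards each end."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    _, m_pub = keypair(m_priv)
    caller = sas(a_priv, m_pub, a_pub, m_pub)  # caller believes m_pub is the callee
    callee = sas(b_priv, m_pub, m_pub, b_pub)  # callee believes m_pub is the caller
    return caller, callee


# Designs that display a short string also commit to one public value before
# the other is revealed (ZRTP's hash commitment); this sketch leaves that out.

if __name__ == "__main__":
    print("direct :", *direct_call())
    print("relayed:", *relayed_call())
```

The comparison only protects the call if both people actually read the letters aloud and recognise each other's voice; the displayed string by itself authenticates nothing.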
From sac at 300baud.de Mon Feb 4 16:48:30 2019
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 4 Feb 2019 16:48:30 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <8b48d702-11f0-8fa7-810b-3d38de602aa3@sixdemonbag.org>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de> <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org> <20190203201219.72824c1e@300baud.de> <8b48d702-11f0-8fa7-810b-3d38de602aa3@sixdemonbag.org>
Message-ID: <20190204164830.0a120aa4@300baud.de>

On Sun, 3 Feb 2019 23:38:35 -0500, Robert J. Hansen wrote:

> > Well, I can only say last time I used PGPfone was in 2014, with a friend.
> > We both used a website that showed us our IP addresses and it worked
> > fine. We only had to set UDP port 17447 in our routers, for incoming
> > and outgoing connections.
>
> "All you had to do" was:
>
> (a) understand computer networking well enough to understand what you
> needed to do,
>
> (b) know your router could be used to do port forwarding,
>
> (c) log into your router, navigate bad UX,
>
> (d) probably switch your DHCP allocation to a static one, so you
> wouldn't have to do this again every time you acquired a new DHCP lease,
>
> (e) and on and on and on.
>
> No, PGPfone was not "easier to use". The skills required to use it were
> far in excess of what most users possessed.
>
> I get that you liked PGPfone. Nothing wrong with that. But there are
> good reasons it failed to get traction in the privacy community, most of
> them revolving around user-unfriendliness and inconvenience.

With all due respect, my friend has no crypto experience at all and also
noodles not around with network settings, but found PGPfone easy to use
as well.

But people with Windows boxes can try it out themselves and ask themselves
why it was not further developed for the (Linux) community ...
And if it is really so hard to use, like you want to make people believe,
then one can pick up the development idea from my previous posting and
provide us with a solution that uses .onion addresses, like Onionshare
does. ;-)

Regards
Stefan

From justina at colmena.biz Tue Feb 5 22:47:10 2019
From: justina at colmena.biz (justina colmena)
Date: Tue, 05 Feb 2019 12:47:10 -0900
Subject: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
In-Reply-To:
References:
Message-ID:

On February 4, 2019 8:07:33 AM AKST, Citizen Kepler wrote:
>I would like to say that I need to have a signature on all of the
>emails that I send to authenticate me as the sender, but not encrypt
>them. Often these messages are going back into bug tracking systems or
>mailing lists, and manually signing each email is a bad solution. I
>will need to allow an opt-in sign by default option.

[[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]]

PGP signatures do have a couple of rather severe and vicious limitations.

THE DATE PROBLEM. Only the body of the email is signed, not the envelope
headers, namely the subject and intended recipients, and probably most
importantly, the date. It would be nice to have an option to
automatically include some of these headers in the body of the signed
message when composing a signed email message.

THE STRIPPING PROBLEM. Currently, each attachment is signed separately
and independently by the PGP-MIME standard. It would be preferable to
digitally sign SHA hashes of the main message and all attachments in a
single additional attachment. This would leave an indication of any
attachments that may have been "stripped" from the email message, but
without breaking the signatures of remaining attachments in such cases.

Bust that 55+ EFF nightclub and do it right, folks, unless it's the
youth wing spouting the exact same old fogies' party line.

....
--
A well regulated Militia, being necessary to the security of a free
State, the right of the people to keep and bear Arms, shall not be
infringed.
https://www.colmena.biz/~justina/contacto.php

From vedaal at nym.hush.com Tue Feb 5 23:38:07 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 05 Feb 2019 17:38:07 -0500
Subject: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
In-Reply-To:
References:
Message-ID: <20190205223807.AB08420132@smtp.hushmail.com>

On 2/5/2019 at 4:50 PM, "justina colmena via Gnupg-users" wrote:

>THE DATE PROBLEM. Only the body of the email is signed, not the
>envelope headers, namely the subject and intended recipients, and
>probably most importantly, the date. It would be nice to have an option
>to automatically include some of these headers in the body of the
>signed message when composing a signed email message.
>
>THE STRIPPING PROBLEM. Currently, each attachment is signed separately
>and independently by the PGP-MIME standard. It would be preferable to
>digitally sign SHA hashes of the main message and all attachments in a
>single additional attachment. This would leave an indication of any
>attachments that may have been "stripped" from the email message, but
>without breaking the signatures of remaining attachments in such cases.

=====

In this case, there is a simple workaround:

[1] Put the subject, the intended recipients, and the date, in the
introductory line(s) in the plaintext.
[2] Enarmor all the attachments [using the GnuPG --enarmor command
(-a command in PGP)], and paste the enarmored text into the body of the
message, at the end of the message, right after a line saying: here are
the following attachments:

[3] Sign and encrypt the entire message composed of parts [1] and [2]
and send it off.

This has the following 3 advantages:

(a) no one knows what kind of attachments are being sent, or how many.
(b) all the important data is in the Plaintext, where it belongs, and
not vulnerable to MITM attacks
(c) backward compatibility is maintained, and no new standards have to
be designed

vedaal

From oub at mat.ucm.es Wed Feb 6 10:30:04 2019
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 06 Feb 2019 10:30:04 +0100
Subject: can't encrypt with public key from sectigo (former comodo)
Message-ID: <875ztx1cyr.fsf@mat.ucm.es>

I have used certificates from comodo since almost 10 years, without any
problems. Now they changed their name to sectigo.

I just received a public key from somebody, who obtained 2 days ago a
certificate from them.

With this certificate:
Encrypting and signing still works in thunderbird

But I tried the following in the command line

    gpgsm --encrypt -r 0xCC6EDB92 epg-error.txt

And obtain

    gpgsm: Note: non-critical certificate policy not allowed
    gpgsm: dirmngr cache-only key lookup failed: Not found
    gpgsm: issuer certificate {09C0F2FC0BDA94DB5FFE2BDFA89942CFC9E0AD00} not found using authorityKeyIdentifier
    gpgsm: dirmngr cache-only key lookup failed: Not found
    gpgsm: issuer certificate not found
    gpgsm: issuer certificate: #/CN=Sectigo RSA Client Authentication and Secure Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
    gpgsm: can't encrypt to '0xCC6EDB92': Missing issuer certificate

How can I solve that issue?

Thanks

Uwe Brauer
From wk at gnupg.org Wed Feb 6 13:50:23 2019
From: wk at gnupg.org (Werner Koch)
Date: Wed, 06 Feb 2019 13:50:23 +0100
Subject: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
In-Reply-To: (justina colmena via Gnupg-users's message of "Tue, 05 Feb 2019 12:47:10 -0900")
References:
Message-ID: <87zhr96pyo.fsf@wheatstone.g10code.de>

[Please don't cross-post!]

On Tue, 5 Feb 2019 12:47, gnupg-users at gnupg.org said:

> THE DATE PROBLEM. Only the body of the email is signed, not the
> envelope headers, namely the subject and intended recipients, and

Sure, mail headers are subject to changes. For example by mailing list
software or simply by forwarding mail. There is a reason that OpenPGP
signatures carry a creation date.

> THE STRIPPING PROBLEM. Currently, each attachment is signed separately
> and independently by the PGP-MIME standard. It would be preferable to

Nope. Please actually read RFC3156 and check compliant implementation -
All I know get it right.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From kloecker at kde.org Wed Feb 6 18:03:43 2019
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 06 Feb 2019 18:03:43 +0100
Subject: can't encrypt with public key from sectigo (former comodo)
In-Reply-To: <875ztx1cyr.fsf@mat.ucm.es>
References: <875ztx1cyr.fsf@mat.ucm.es>
Message-ID: <2256828.CUm3igvvs5@collossus.ingo-kloecker.de>

On Wednesday, 6 February 2019 10:30:04 CET Uwe Brauer wrote:
> With this certificate:
> Encrypting and signing still works in thunderbird

Thunderbird probably uses the certificate bundle provided by your
distribution.
> But I tried the following in the command line
>
> gpgsm --encrypt -r 0xCC6EDB92 epg-error.txt
>
> And obtain
>
> gpgsm: Note: non-critical certificate policy not allowed
> gpgsm: dirmngr cache-only key lookup failed: Not found
> gpgsm: issuer certificate {09C0F2FC0BDA94DB5FFE2BDFA89942CFC9E0AD00} not found using authorityKeyIdentifier
> gpgsm: dirmngr cache-only key lookup failed: Not found
> gpgsm: issuer certificate not found
> gpgsm: issuer certificate: #/CN=Sectigo RSA Client Authentication and Secure Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> gpgsm: can't encrypt to '0xCC6EDB92': Missing issuer certificate
>
> How can I solve that issue?

Add the CA certificate of Sectigo to ~/.gnupg/trustlist.txt .

gpgsm explicitly does not use the certificate bundles provided by the
distributions.

Regards,
Ingo

From oub at mat.ucm.es Wed Feb 6 19:29:00 2019
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 6 Feb 2019 19:29:00 +0100
Subject: can't encrypt with public key from sectigo (former comodo)
In-Reply-To: <2256828.CUm3igvvs5@collossus.ingo-kloecker.de>
References: <875ztx1cyr.fsf@mat.ucm.es> <2256828.CUm3igvvs5@collossus.ingo-kloecker.de>
Message-ID: <1E5C0822-0C63-41C4-97F1-D01C76197C47@mat.ucm.es>

Sent from my iPhone

> On 6. Feb 2019, at 18:03, Ingo Klöcker wrote:
>
> Add the CA certificate of Sectigo to ~/.gnupg/trustlist.txt

My problem was I did not know where to find that CA certificate!
Pointers are welcome. Finally I solved it as I described in a different
message.
From andre at ockers.eu Sat Feb 9 09:06:43 2019
From: andre at ockers.eu (André Ockers)
Date: Sat, 9 Feb 2019 09:06:43 +0100
Subject: Keysigning party: after the event challenges
Message-ID:

Dear GnuPG users,

I went to the FOSDEM keysigning party [1] and now I'm in trouble.

The situation is:

- GNU/Linux Trisquel + Icedove (= Thunderbird rebranded) + Enigmail here
at home;
- 171 official keysigning party participants, of who 107 showed up to my
awareness;
- 5 participants have a key on the keyserver in a for Enigmail
downloadable state;
- when I want to check [2] a fingerprint of a downloaded Key ID I get an
error message, for example

$ gpg --fingerprint <599C62A291810408>
bash: syntax error near unexpected symbol 'newline'

Please help!

Thank you very much,

Best regards,
André Ockers

[1] https://fosdem.org/2019/keysigning/
[2] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party

From tlikonen at iki.fi Sat Feb 9 10:23:35 2019
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sat, 09 Feb 2019 11:23:35 +0200
Subject: Keysigning party: after the event challenges
In-Reply-To: ("André Ockers"'s message of "Sat, 9 Feb 2019 09:06:43 +0100")
References:
Message-ID: <87tvhde2nc.fsf@iki.fi>

André Ockers [2019-02-09 09:06:43+01] wrote:

> $ gpg --fingerprint <599C62A291810408>
> bash: syntax error near unexpected symbol 'newline'

Your Bash shell uses characters "<" and ">" for input and output
redirection. Remove those characters:

    gpg --fingerprint 599C62A291810408

--
/// Teemu Likonen - .-.. //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
From peter at digitalbrains.com Sat Feb 9 12:48:55 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 9 Feb 2019 12:48:55 +0100
Subject: Keysigning party: after the event challenges
In-Reply-To:
References:
Message-ID: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>

Hello André,

On 09/02/2019 09:06, André Ockers wrote:
> - 171 official keysigning party participants, of who 107 showed up to my
> awareness;

This is going to be a pain to do manually. But you don't have to! As the
FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
(last sentence of the page, not counting the footer).

If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
you have checked on your paper list, you can feed this text file with
checkmarks directly to caff and it will import the keys for you *and*
verify their fingerprints! It will only consider entries with checkmarks
for both "Fingerprint OK" and "ID OK", so only when the participant has
acknowledged their fingerprint matches and you have marked that you find
their identification papers match.

The FOSDEM KSP offers a keyring with all the keys from the party. You
can feed that to caff as well and it won't even need to fetch the keys
from a keyserver (which might not have all keys).

My suggestion is to look for "caff" and documentation and try that
before you verify 107 fingerprints manually :-). If you still hit
problems, report back here and we can take a further look.

> - 5 participants have a key on the keyserver in a for Enigmail
> downloadable state;

That sounds odd, there might be something malfunctioning. But if you use
caff, you don't need Enigmail. And if you use the supplied keyring from
the party, you don't need to use a keyserver at all.

HTH,

Peter.

[1] https://fosdem.org/2019/keysigning/

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From wolfgang.traylor at posteo.de Sat Feb 9 11:20:39 2019
From: wolfgang.traylor at posteo.de (Wolfgang Traylor)
Date: Sat, 9 Feb 2019 11:20:39 +0100
Subject: Upload key to WKD from command line?
Message-ID: <20190209102039.jbuom4mb34kgrt52@lyta>

Hello GnuPG community,

Is there a way to upload my public key to the Web Key Directory (WKD) of
my email provider using command-line tools? I am looking for a simple
solution just like `gpg --send-keys`, but for WKD. My providers are
Posteo, mailbox.org, and Protonmail.

(Enigmail shows the "Upload to Web Key Directory" only in gray. I don't
know why.)

Best regards,
W. Traylor

From andre at ockers.eu Sun Feb 10 15:36:05 2019
From: andre at ockers.eu (André Ockers)
Date: Sun, 10 Feb 2019 15:36:05 +0100
Subject: Keysigning party: after the event challenges
In-Reply-To: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
References: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
Message-ID:

Hi Peter,

Thank you very much.

On 09-02-19 at 12:48, Peter Lebbing wrote:
> Hello André,
>
> On 09/02/2019 09:06, André Ockers wrote:
>> - 171 official keysigning party participants, of who 107 showed up to my
>> awareness;
> This is going to be a pain to do manually. But you don't have to! As the
> FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
> (last sentence of the page, not counting the footer).
>
> If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
> you have checked on your paper list, you can feed this text file with
> checkmarks directly to caff and it will import the keys for you *and*
> verify their fingerprints!
> It will only consider entries with checkmarks
> for both "Fingerprint OK" and "ID OK", so only when the participant has
> acknowledged their fingerprint matches and you have marked that you find
> their identification papers match.

Done.

> The FOSDEM KSP offers a keyring with all the keys from the party. You
> can feed that to caff as well and it won't even need to fetch the keys
> from a keyserver (which might not have all keys).
>
> My suggestion is to look for "caff" and documentation and try that
> before you verify 107 fingerprints manually :-). If you still hit
> problems, report back here and we can take a further look.

Following documentation [1], I checked that I have Postfix installed and
now I'm here [2]

$ sudo postconf -e 'relayhost = smtp.provider.nl'
[sudo] wachtwoord voor andre:
postconf: fatal: open /etc/postfix/main.cf for reading: No such file or directory

Best regards,
André Ockers

[1] https://wiki.debian.org/caff
[2] https://www.howtoforge.com/postfix_relaying_through_another_mailserver

From peter at digitalbrains.com Sun Feb 10 18:07:26 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 10 Feb 2019 18:07:26 +0100
Subject: Configuring Linux system mail submission
In-Reply-To:
References: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
Message-ID: <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>

Hi André,

On 10/02/2019 15:36, André Ockers wrote:
> Following documentation [1], I checked that I have Postfix installed and
> now I'm here [2]

I had feared it would break down at the mail configuration stage :-).

I have mail servers running with a hand-managed config file with Exim 4,
but I know nothing about Postfix. However, for mail submission, I use
nullmailer myself.
It can only do mail submission, but is much easier to manage than a full
mail system (in my opinion). So I don't know if you installed Postfix
for this purpose or actually use it for a real mail server, but if you
can switch to nullmailer that would allow me to easily help you,
probably.

Personally, I run nullmailer on all systems that are not running a
full-fledged mail server, and they connect to my edge mail server for
mail submission. You can just use any SMTP-supporting provider for the
latter.

When installing nullmailer on Debian, it will ask you interactively for
entries for files in /etc and /etc/nullmailer. Mine look like this:

/etc/mailname:
hostname.digitalbrains.com
(the actual fully qualified domain name of the local host)

/etc/nullmailer/adminaddr:
empty file

/etc/nullmailer/defaultdomain:
digitalbrains.com

/etc/nullmailer/remotes:
mail.digitalbrains.com smtp --port=587 --starttls --user=peter-nullmailer --pass=[...]

That last one is the really important one. It uses the SMTP submission
port, STARTTLS, and in my case a password that has been chosen to not
require quotes. But you can use quotes to just use your provider account
password.

I believe /etc/mailname is primarily used to build the sender address
and build recipient addresses that specify no host, i.e., something like .

/etc/nullmailer/defaultdomain is used for not fully qualified hosts,
i.e., if I write it will qualify the hostname butters with that domain
name. It's not that important for this purpose.

There is one more detail to get right. Because this will actually make
the mail originate from the user in this example and a username of
peter. This is probably not what you want, you want if you're me.
If this is always what you want when sending mail through the system mailer, you could make sure the following environment variables are set for this user:

MAILUSER=p.lebbing
MAILHOST=provider.nl

If you're anxious about changing environment variables that have influence over programs other than nullmailer, you can use NULLMAILER_USER and NULLMAILER_HOST instead.

But for me, the is actually an e-mail address that will be accepted on the right side of my firewall, and is used for system messages from, e.g., cron. It is not the address I want for caff, though. But caff does the right thing already by specifying the e-mail address you want in ~/.caffrc:

$CONFIG{'email'} = 'p.lebbing at provider.nl';

This will automatically set both the envelope sender and From: to that address.

One remark: the hostname from /etc/mailname is used to build the Message-Id: header. If you'd like to hide that, you could set:

/etc/nullmailer/idhost:
provider.nl

I think that mirrors Thunderbird's behaviour, taking a peek in my "Sent" folder.

You could also arguably just set /etc/mailname to provider.nl and drop the MAILHOST env variable in the process, but I'd feel slightly anxious over accidentally building mail addresses of other customers of my provider as if they were the sender, so I wouldn't do that. Imagine your webserver started sending mails from accidentally that way, or ... these might annoy your provider. And it gets worse with a regular user account, let's call her Anna. She might not control .

I think that covers it. You can try stuff from the command line to see what it becomes without actually sending with:

$ nullmailer-inject -nv

From ben at adversary.org Sun Feb 10 19:29:19 2019
From: ben at adversary.org (Ben McGinnes)
Date: Mon, 11 Feb 2019 05:29:19 +1100
Subject: Keysigning party: after the event challenges
In-Reply-To:
References: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
Message-ID: <20190210182919.i42mkfcosgn6hya4@adversary.org>

On Sun, Feb 10, 2019 at 03:36:05PM +0100, André Ockers wrote:
> Hi Peter,
>
> Thank you very much.
>
>
> On 09-02-19 at 12:48 Peter Lebbing wrote:
> > Hello André,
> >
> > On 09/02/2019 09:06, André Ockers wrote:
> >> - 171 official keysigning party participants, of whom 107 showed up to my
> >> awareness;
> > This is going to be a pain to do manually. But you don't have to! As the
> > FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
> > (last sentence of the page, not counting the footer).
> >
> > If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
> > you have checked on your paper list, you can feed this text file with
> > checkmarks directly to caff and it will import the keys for you *and*
> > verify their fingerprints! It will only consider entries with checkmarks
> > for both "Fingerprint OK" and "ID OK", so only when the participant has
> > acknowledged their fingerprint matches and you have marked that you find
> > their identification papers match.
>
> Done.
>
> > The FOSDEM KSP offers a keyring with all the keys from the party. You
> > can feed that to caff as well and it won't even need to fetch the keys
> > from a keyserver (which might not have all keys).
> >
> > My suggestion is to look for "caff" and documentation and try that
> > before you verify 107 fingerprints manually :-). If you still hit
> > problems, report back here and we can take a further look.
>
> Following documentation [1], I checked that I have Postfix installed and
> now I'm here [2]
>
> $ sudo postconf -e 'relayhost = smtp.provider.nl'
> [sudo] wachtwoord voor andre:
> postconf: fatal: open /etc/postfix/main.cf for reading: No such file or
> directory

Make sure that the postconf in your $PATH matches where the Postfix config directory really is. Depending on which distro you're actually using, it might be somewhere like /usr/local/etc/postfix/ or something similar.

If locate's db is up to date then there's a good chance that running "locate main.cf" will answer this for you (or confirm you really don't have a Postfix config file; but if that were true then you'd have much bigger problems with launching Postfix).

Anyway, assuming postconf is not loading the right file, but the config file exists, then you can just edit the main.cf file directly (possibly via sudoedit) to add your relayhost config line. Then follow it with:

$ sudo postfix reload

Regards,
Ben

From felix.klee at inka.de Sun Feb 10 23:26:10 2019
From: felix.klee at inka.de (Felix E. Klee)
Date: Sun, 10 Feb 2019 23:26:10 +0100
Subject: 0.332
Message-ID:

FYI: https://github.com/feklee/0.332

This is a mod of the SCM SPR332 v2 smart card reader, making it smaller and lighter. For quite a while I have regularly been using it with my phone:

https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19

From vesely at tana.it Mon Feb 11 13:28:33 2019
From: vesely at tana.it (Alessandro Vesely)
Date: Mon, 11 Feb 2019 13:28:33 +0100
Subject: Upload key to WKD from command line?
In-Reply-To: <20190209102039.jbuom4mb34kgrt52@lyta>
References: <20190209102039.jbuom4mb34kgrt52@lyta>
Message-ID: <779eae10-084b-1dda-19cc-abb6f9fe0cf3@tana.it>

On Sat 09/Feb/2019 11:20:39 +0100 Wolfgang Traylor wrote:
>
> Is there a way to upload my public key to the Web Key Directory (WKD) of my email provider using command-line tools?

It might be possible, but not straightforward. The protocol is designed to work over SMTP. It makes sense that a provider automates the procedure, although small providers can do it manually. For users, it is definitely overkill. See
https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-4

It is a work in progress, so don't mind the SRV RRset in bullet #1.

>
> (Enigmail shows the “Upload to Web Key Directory” only in gray. I don’t know why.)

Neither do I. https://posteo.de/.well-known/openpgpkey/submission-address has an address of keys at posteo.de. However, their "policy" entry has:

#Policy for draft-koch-openpgp-webkey-service-04
mailbox-only
auth-submit

(Version -04 didn't provide for a submission address among policy flags, but maybe Enigmail looks for it just there?)

Best
Ale

From vesely at tana.it Mon Feb 11 14:04:31 2019
From: vesely at tana.it (Alessandro Vesely)
Date: Mon, 11 Feb 2019 14:04:31 +0100
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
Message-ID: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>

Werner,

I just saw version -07 today. The advanced method:

WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey

doesn't seem to make much sense to me. I tried it with posteo.de, and got:

ale at pcale:~/tmp$ dig +short openpgp.posteo.de
89.146.220.134

ale at pcale:~/tmp$ curl --head https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
curl: (51) SSL: no alternative certificate subject name matches target host name 'openpgp.posteo.de'

The subdomain is probably a star (*) DNS record.
However, their certificate's Subject Alt Name doesn't have a star, but a list of subdomains. Certificates cost, albeit not much, so the need to set up a new subdomain may hamper implementation.

I'm unable to get the "flexibility in setting up the Web Key Directory in environments where more than one mail domain is hosted". Say I host A.example and B.example. Then I need to set up both subdomains openpgpkey.A.example and openpgpkey.B.example. Internally, they can be redirected in a number of ways, but the server should hold the HTTP_HOST anyway. To repeat the mail domain between .well-known and openpgpkey doesn't seem to help much.

The openpgpkey folder can be implemented by plain files named after the 32 byte string and containing the key to be served. The l= parameter would just be discarded in that case. Otherwise, if the server side script is cute, should it verify whether the value of the parameter interpreted as a local part matches the 32 byte string? What if they don't match? To urlencode the local part might have been easier than Z-encoding its SHA1, but what's the point of doing both?

Best
Ale

From gerd.von.egidy at intra2net.com Mon Feb 11 12:17:09 2019
From: gerd.von.egidy at intra2net.com (Gerd v. Egidy)
Date: Mon, 11 Feb 2019 12:17:09 +0100
Subject: 0.332
In-Reply-To:
References:
Message-ID: <1626952.OYuuDd0FtQ@thunder.m.i2n>

> https://github.com/feklee/0.332
>
> This is a mod of the SCM SPR332 v2 smart card reader, making it
> smaller and lighter.

Nice. How does it compare size-wise to the cyberJack one from Reiner SCT? That is the one I use for size-constrained use cases.

I think having a slot for a regular card is an advantage as you can easily take the card out, carry it with you in your wallet and use it on other systems too.

Kind regards,
Gerd

From gerd.von.egidy at intra2net.com Mon Feb 11 12:10:37 2019
From: gerd.von.egidy at intra2net.com (Gerd v.
Egidy)
Date: Mon, 11 Feb 2019 12:10:37 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on mail (and envelope) security?)
In-Reply-To:
References: <20190130204407.4c195dc7@300baud.de>
Message-ID: <4672360.boooG8vsat@thunder.m.i2n>

> Well there are the classical options:
>
>
>
> Debian provides free fonts like that as packages fonts-ocr-a and
> fonts-ocr-b, which come from:
>
> and
>

You might also want to take a look at
https://github.com/intra2net/paperbackup

This was specifically developed to store or transfer GPG encrypted text or secret keys on paper.

Kind regards,
Gerd

From felix.klee at inka.de Mon Feb 11 23:24:22 2019
From: felix.klee at inka.de (Felix E. Klee)
Date: Mon, 11 Feb 2019 23:24:22 +0100
Subject: 0.332
In-Reply-To: <1626952.OYuuDd0FtQ@thunder.m.i2n>
References: <1626952.OYuuDd0FtQ@thunder.m.i2n>
Message-ID:

On Mon, Feb 11, 2019 at 12:17 PM Gerd v. Egidy wrote:
> How does it compare size-wise to the cyberJack one from Reiner SCT?

* cyberJack RFID standard: 62 x 95 x 13 mm
* 0.332 enclosure: 69 × 111 × 13 mm

It could be fun to replace the pin pad by a smaller one and create a custom board. IOW it could be fun to create an open source card reader!

> That is the one I use for size-constrained use cases.

Did that in the past too. However, the “cyberJack RFID standard” needs dedicated drivers while the Reiner SCT directly interfaces with GnuPG. In particular with Termux on my rooted Android phone, I did not get the cyberJack to work.

> I think having a slot for a regular card is an advantage as you can
> easily take the card out, carry it with you in your wallet and use it
> on other systems too.

I understand, but that’s not my use-case. If someone wants to give it a go, it should not be too hard to modify the current design. You can start from the STL files if you don’t have Rhino3D (proprietary).
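
The Web Key Directory lookup discussed in this thread (the "advanced" and "direct" URLs, the 32-character hashed local part, and the l= parameter), as an added Python example that is not part of any message in this archive and is not GnuPG's code. It uses the corrected path order (.well-known/openpgpkey/DOMAIN); the function names and the host and l= consistency checks are assumptions made for illustration.

```python
"""WKD lookup URLs and a request check. Added example, not GnuPG's code."""
import hashlib
from urllib.parse import parse_qs, quote, urlsplit

# z-base-32 alphabet (RFC 6189, section 5.1.6), as used by the WKD draft.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def ascii_lower(text):
    """Lower-case ASCII letters only; non-ASCII characters stay unchanged."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in text)


def zbase32(data):
    """Encode bytes whose bit length is a multiple of 5 (SHA-1 has 160)."""
    bits = len(data) * 8
    if bits % 5:
        raise ValueError("bit length must be a multiple of 5")
    value = int.from_bytes(data, "big")
    return "".join(ZB32[(value >> s) & 31] for s in range(bits - 5, -1, -5))


def wkd_hash(local_part):
    """Name of the key file under hu/: z-base-32 of SHA-1(lower-cased local part)."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address):
    """Build both lookup URLs for a mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local-part@domain")
    domain = ascii_lower(domain)
    # l= carries the unhashed local part, percent-encoded ('/' becomes %2F).
    tail = "hu/" + wkd_hash(local) + "?l=" + quote(local, safe="")
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/%s"
                    % (domain, domain, tail),
        "direct": "https://%s/.well-known/openpgpkey/%s" % (domain, tail),
    }


def parse_wkd_request(host, target):
    """Return (mail_domain, hash, l_ok) for a lookup request.

    host is the HTTP Host value, target the request path plus query.
    Direct layout: the mail domain is the host. Advanced layout: the mail
    domain is the path segment and, as an assumed policy for a server that
    answers on the openpgpkey hosts itself, must agree with the host.
    l_ok is None when l= is absent, otherwise whether it hashes to the name.
    """
    parts = urlsplit(target)
    seg = parts.path.split("/")[1:]
    if seg[:2] != [".well-known", "openpgpkey"]:
        raise ValueError("not a WKD path")
    host = ascii_lower(host)
    if len(seg) == 4 and seg[2] == "hu":
        domain, hashed = host, seg[3]
    elif len(seg) == 5 and seg[3] == "hu":
        domain, hashed = ascii_lower(seg[2]), seg[4]
        if host != "openpgpkey." + domain:
            raise ValueError("host does not match the domain in the path")
    else:
        raise ValueError("unknown WKD layout")
    # Only 32 z-base-32 characters are accepted, so the name is safe to
    # use as a plain file name (no '/', no '..').
    if len(hashed) != 32 or any(c not in ZB32 for c in hashed):
        raise ValueError("malformed hash")
    l_values = parse_qs(parts.query).get("l")
    l_ok = None if not l_values else wkd_hash(l_values[0]) == hashed
    return domain, hashed, l_ok


if __name__ == "__main__":
    # Constructed sample address.
    for kind, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(kind, url)
```

A server that keeps one plain file per hash can ignore l= entirely; the l_ok result only matters to a back end that looks keys up by local part.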
From wk at gnupg.org Tue Feb 12 19:36:12 2019
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Feb 2019 19:36:12 +0100
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
In-Reply-To: <763ef00f-82dd-4817-703c-b544859182cd@tana.it> (Alessandro Vesely's message of "Mon, 11 Feb 2019 14:04:31 +0100")
References: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
Message-ID: <87ef8c3lcz.fsf@wheatstone.g10code.de>

Hi!

On Mon, 11 Feb 2019 14:04, vesely at tana.it said:

> I just saw version -07 today. The advanced method:
>
> WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
> doesn't seem to make much sense to me. I tried it with posteo.de, and got:

The two parts were accidentally swapped in the I-D. It has been corrected in the repo. See
https://dev.gnupg.org/rD733acdda1a440ca38df4aa22711459af7c25cd2d

> The subdomain is probably a star (*) DNS record. However, their

Right, they fixed it a few weeks ago, but they might have broken it again. Actually only posteo.de works at all because they have invalid certificate for posteo.net for a few years now (posteo.net is 301-redirected to posteo.de but posteo.net needs to have a cert for posteo.net).

> I'm unable to get the "flexibility in setting up the Web Key Directory
> in environments where more than one mail domain is hosted". Say I
> host A.example and B.example. Then I need to set up both subdomains
> openpgpkey.A.example and openpgpkey.B.example. Internally, they can

You redirect the host openpgpkey.example.com and openpgpkey.example.org to, say, webkeys.example.com but keep the path to avoid CSRF. Then you can install gpg-wks-server on the webkeys.example.com host using its default layout with a directory for each domain. It is really convenient, because it requires less configuration.

> What if they don't match? To urlencode the local part might have been
> easier than Z-encoding its SHA1, but what's the point of doing both?
Percent-encoding does not allow to store it as plain text files because '/' does not need to be percent encoded and the entire length of the filename might get too long without using a hash.

The l= parameter has been added as an alternative way for looking up the key for those platforms which already employ databases or such and don't want to store extra data like a hash.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Feb 12 18:54:35 2019
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Feb 2019 18:54:35 +0100
Subject: [Announce] GnuPG 2.2.13 released
Message-ID: <87mun03nac.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release: version 2.2.13. This is a maintenance release; see below for a list of fixed bugs.

About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. As an universal crypto engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Noteworthy changes in version 2.2.13
====================================

* gpg: Implement key lookup via keygrip (using the & prefix).
* gpg: Allow generating Ed25519 key from existing key.
* gpg: Emit an ERROR status line if no key was found with -k.
* gpg: Stop early when trying to create a primary Elgamal key. [#4329]
* gpgsm: Print the card's key algorithms along with their keygrips in interactive key generation.
* agent: Clear bogus pinentry cache in the error case. [#4348]
* scd: Support "acknowledge button" feature.
* scd: Fix for USB INTERRUPT transfer. [#4308]
* wks: Do not use compression for the encrypted challenge and response.

Release-info: https://dev.gnupg.org/T4290

Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG 2.2.13 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.13.tar.bz2 (6545k)
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.13.tar.bz2.sig

An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here:

https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.13_20190212.exe (4078k)
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.13_20190212.exe.sig

The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.13.tar.bz2 you would use this command:

gpg --verify gnupg-2.2.13.tar.bz2.sig gnupg-2.2.13.tar.bz2

This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

* If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.13.tar.bz2, you run the command like this:

sha1sum gnupg-2.2.13.tar.bz2

and check that the output matches the next line:

66ebc053e2d22f743673d3fbe54453774e4fac58 gnupg-2.2.13.tar.bz2
2b76bf7981957ebc8ca74e70cb1776ad6ab656fd gnupg-w32-2.2.13_20190212.tar.xz
ce2c5e60f851f3d54c85da1be717cc53742c4953 gnupg-w32-2.2.13_20190212.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems.
Most of the new features are around for several years and thus enough public experience is available.

In case of build problems specific to this release please first check https://dev.gnupg.org/T4290 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out .

If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs two full-time developers and one contractor. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and to address all the small and larger requests made by our users. Thanks.

Happy hacking,

Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these four keys:

rsa2048 2011-01-12 [expires: 2019-12-31]
Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
Werner Koch (dist sig)

rsa2048 2014-10-29 [expires: 2019-12-31]
Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
David Shaw (GnuPG Release Signing Key)

rsa2048 2014-10-29 [expires: 2020-10-30]
Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
NIIBE Yutaka (GnuPG Release Key)

rsa3072 2017-03-17 [expires: 2027-03-15]
Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
Andre Heinecke (Release Signing Key)

The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From justina at colmena.biz Tue Feb 12 21:00:17 2019
From: justina at colmena.biz (justina colmena)
Date: Tue, 12 Feb 2019 11:00:17 -0900
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
In-Reply-To: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
References: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
Message-ID:

On February 11, 2019 4:04:31 AM AKST, Alessandro Vesely wrote:
>Werner,
>
>I just saw version -07 today. The advanced method:
>
>WELLKNOWN :=
>https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
>doesn't seem to make much sense to me. I tried it with posteo.de, and
>got:
>
>ale at pcale:~/tmp$ dig +short openpgp.posteo.de
>89.146.220.134
>
>ale at pcale:~/tmp$ curl --head
>https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
>curl: (51) SSL: no alternative certificate subject name matches target
>host name 'openpgp.posteo.de'
>
>The subdomain is probably a star (*) DNS record. However, their
>certificate's Subject Alt Name doesn't have a star, but a list of
>subdomains. Certificates cost, albeit not much, so the need to set up
>a new subdomain may hamper implementation.
>
>I'm unable to get the "flexibility in setting up the Web Key Directory
>in environments where more than one mail domain is hosted". Say I host
>A.example and B.example. Then I need to set up both subdomains
>openpgpkey.A.example and openpgpkey.B.example. Internally, they can be
>redirected in a number of ways, but the server should hold the
>HTTP_HOST anyway. To repeat the mail domain between .well-known and
>openpgpkey doesn't seem to help much.
>
>The openpgpkey folder can be implemented by plain files named after the
>32 byte string and containing the key to be served. The l= parameter
>would just be discarded in that case. Otherwise, if the server side
>script is cute, should it verify whether the value of the parameter
>interpreted as a local part matches the 32 byte string? What if they
>don't match? To urlencode the local part might have been easier than
>Z-encoding its SHA1, but what's the point of doing both?
>
>
>Best
>Ale
>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

Certificates COST, do they? Should a * star certificate COST so infinitely much, then?

WELLKNOWN := Check the sex offender registry list, grab a guy by short and curlies, dig in with your fingernails, and give a sharp twist to the left, or something like that.
Is that what those Russian ladies from NGINX call a "leftist" programming style?

--
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
https://www.colmena.biz/~justina/

From amuza at riseup.net Wed Feb 13 18:27:00 2019
From: amuza at riseup.net (amuza)
Date: Wed, 13 Feb 2019 17:27:00 +0000
Subject: It's more GNU/Linux than GnuPG
Message-ID: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>

Hi,

I have two GNU/Linux computers syncing their ~/.gnupg directories. "alice" is my username in one computer, "bob" is my username in the other one.

I have a CA certificate stored in my home directory of both computers, and would like to keep it there.

Into the ~/.gnupg/gpg.conf file, I wrote the following line pointing to that CA cert:

keyserver-options ca-cert-file=~/keyserverCA.pem

But that line does not seem to work because of "~".

Everything works ok in one computer if I write:

keyserver-options ca-cert-file=/home/alice/keyserverCA.pem

and in the other computer if I write:

keyserver-options ca-cert-file=/home/bob/keyserversCA.pem

But then, by specifying names, when syncing, that line won't work in one of the two computers because of the usernames.

Is there any way to specify "user" without writing their name? Any other suggestion?

Thank you

From vojtas199 at gmail.com Wed Feb 13 20:11:31 2019
From: vojtas199 at gmail.com (Vojtěch Širůček)
Date: Wed, 13 Feb 2019 20:11:31 +0100
Subject: Problem with generating Brainpool P-512
Message-ID: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>

Hello,

I have encountered quite unusual problem. I had been able to already generate brainpool keys but it is quite a time ago but when I try to generate them now the gpg fails with
gpg: signing failed: Invalid length
gpg: make_keysig_packet failed: Invalid length
Key generation failed: Invalid length
[GNUPG:] ERROR key_generate 67109003
[GNUPG:] KEY_NOT_CREATED

and in syslog I have found this

gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key
gpg-agent[pid]:command 'PKSIGN' failed: Invalid length

Full debug in paste https://ghostbin.com/paste/oeth5

I would appreciate any input

Best regards
VŠ

From wk at gnupg.org Thu Feb 14 07:44:42 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 07:44:42 +0100
Subject: Problem with generating Brainpool P-512
In-Reply-To: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com> ("Vojtěch Širůček"'s message of "Wed, 13 Feb 2019 20:11:31 +0100")
References: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>
Message-ID: <87d0nu27j9.fsf@wheatstone.g10code.de>

On Wed, 13 Feb 2019 20:11, vojtas199 at gmail.com said:

> and in syslog I have found this

gpg-agent writes to syslog - that's new to me (with the exception of certain diagnostics from Libgcrypt).

> gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key
> gpg-agent[pid]:command 'PKSIGN' failed: Invalid length

Please provide more information: GnuPG version, OS, and command used to create the key.

> Full debug in paste https://ghostbin.com/paste/oeth5

Javascript required for paste - I won't look at it.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Feb 14 07:51:30 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 07:51:30 +0100
Subject: It's more GNU/Linux than GnuPG
In-Reply-To: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net> (amuza's message of "Wed, 13 Feb 2019 17:27:00 +0000")
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>
Message-ID: <878syi277x.fsf@wheatstone.g10code.de>

On Wed, 13 Feb 2019 17:27, amuza at riseup.net said:

> keyserver-options ca-cert-file=~/keyserverCA.pem

Didn't you get the warning that this option is obsolete. Certificates are configured in dirmngr.conf. In case you are using a 2.0 version of GnuPG, please note that this branch reached EOL 14 months ago. In case of the 1.4 version please consider to move to 2.2 - we may eventually remove the keyserver support from 1.4.

> Is there any way to specify "user" without writing their name?

POSIX systems always have the $HOME envar set. Thus use $HOME/keyserverCA.pem instead of the "~" abbreviation for $HOME.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Feb 14 08:01:53 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 08:01:53 +0100
Subject: Upload key to WKD from command line?
In-Reply-To: <20190209102039.jbuom4mb34kgrt52@lyta> (Wolfgang Traylor's message of "Sat, 9 Feb 2019 11:20:39 +0100")
References: <20190209102039.jbuom4mb34kgrt52@lyta>
Message-ID: <874l9626qm.fsf@wheatstone.g10code.de>

On Sat, 9 Feb 2019 11:20, wolfgang.traylor at posteo.de said:

> I am looking for a simple solution just like `gpg --send-keys`, but for WKD.

Locate the gpg-wks-client binary.
On Windows it should be found via $PATH but on Unix it is installed at one of these locations

/usr/local/libexec/gpg-wks-client
/usr/local/lib/gpg-wks-client
/usr/libexec/gpg-wks-client
/usr/lib/gpg-wks-client

On Unix you can also invoke it directly using:

$(gpgconf --list-dirs libexecdir)/gpg-wks-client

To create a publishing request use

gpg-wks-client --create --send FINGERPRINT USERID

For example with my key

$(gpgconf --list-dirs libexecdir)/gpg-wks-client \
  --create --send AEA84EDCF01AD86C4701C85C63113AE866587D0A wk at gnupg.org

Which sends the request using the usual sendmail stub. If you don't have this installed, don't use --send in which case the command creates a mail which somehow needs to be sent off.

With this in your /etc/mailcap

--8<---------------cut here---------------start------------->8---
application/vnd.gnupg.wks; /usr/local/libexec/gpg-wks-client \
  -v --read --send; needsterminal; description=WKS message
--8<---------------cut here---------------end--------------->8---

you can then easily process the incoming challenge from the server if you use a MUA which supports mailcap (Mutt, Gnus, and probably many more).

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wolfgang.traylor at posteo.de Thu Feb 14 10:53:07 2019
From: wolfgang.traylor at posteo.de (Wolfgang Traylor)
Date: Thu, 14 Feb 2019 09:53:07 +0000
Subject: Upload key to WKD from command line?
In-Reply-To: <874l9626qm.fsf@wheatstone.g10code.de>
References: <20190209102039.jbuom4mb34kgrt52@lyta> <874l9626qm.fsf@wheatstone.g10code.de>
Message-ID: <20190214095306.akb4h2uzca4jnfc4@gruenfink>

Thank you very much for pointing to gpg-wks-client.
Werner Koch schrieb am 14.02 19 08:01: > To create a publishing request use > > gpg-wks-client --create --send FINGERPRINT USERID I receive the following error (with or without `--send`): $ /lib/gnupg/gpg-wks-client --create A8FC7FEC9A68B5E0EFA25E474521F618BBEA93C8 wolfgang.traylor at posteo.de gpg-wks-client: submitting request to 'keys at posteo.de' gpg-wks-client: no confirmation required for 'wolfgang.traylor at posteo.de' gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user id 'wolfgang.traylor at posteo.de' gpg-wks-client: gpg: key "A8FC7FEC9A68B5E0EFA25E474521F618BBEA93C8" not found: No secret key gpg-wks-client: error running '/usr/bin/gpg': exit status 2 gpg-wks-client: adding user id failed: General error gpg-wks-client: creating request failed: General error I have my secret subkeys on a smartcard (unlocked when issuing the command). Could that be the issue? Or do I even need my secret primary key? My GnuPG version: 2.2.13 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From vesely at tana.it Thu Feb 14 11:57:55 2019 From: vesely at tana.it (Alessandro Vesely) Date: Thu, 14 Feb 2019 11:57:55 +0100 Subject: The "advanced" URL of openpgp-webkey-service-07, and l= In-Reply-To: <87ef8c3lcz.fsf@wheatstone.g10code.de> References: <763ef00f-82dd-4817-703c-b544859182cd@tana.it> <87ef8c3lcz.fsf@wheatstone.g10code.de> Message-ID: <6b6e3285-cf64-768b-8bc7-215599e4efde@tana.it> On Tue 12/Feb/2019 19:36:12 +0100 Werner Koch wrote: > On Mon, 11 Feb 2019 14:04, vesely at tana.it said: > >> WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey >> >> doesn't seem to make much sense to me. I tried it with posteo.de, and got: > > The two parts were accidently swapped in the I-D. It has been corrected > in the repo. 
> See https://dev.gnupg.org/rD733acdda1a440ca38df4aa22711459af7c25cd2d

Oh, ok, that makes some more sense. If example.org is a single domain, it is probably convenient to alias both /.well-known/openpgpkey/example.org and /.well-known/openpgpkey/ to the same directory where keys are stored. That way it also stays compatible with previous versions of this protocol.

>> I'm unable to get the "flexibility in setting up the Web Key Directory
>> in environments where more than one mail domain is hosted". Say I
>> host A.example and B.example. Then I need to set up both subdomains
>> openpgpkey.A.example and openpgpkey.B.example. Internally, they can
>
> You redirect the host openpgpkey.example.com and openpgpkey.example.org
> to, say, webkeys.example.com but keep the path to avoid CSRF. Then you
> can install gpg-wks-server on the webkeys.example.com host using its
> default layout with a directory for each domain. It is really
> convenient, because it requires less configuration.

I have not installed gpg-wks-server, but it seems to be primarily concerned with automating key installation, not plain key retrieval. To simply retrieve a key is not a transaction, so there should be no worry of CSRF.

If the domain is missing, as in the "direct" method, an appropriate URL rewriting rule can easily recover it from the HTTP_HOST server variable. I'm not clear if that may be an urlencoded IDN rather than an A-label. The domain name can also be recovered from the SNI (an A-label, according to rfc6066).

BTW, the revised reason to suppress SRV records sounds paranoid, given that (e.g. in the case of DNS poisoning) a subdomain under an attacker control still has to provide a valid domain certificate. At any rate, using "wkd" rather than "openpgpkey" as a subdomain label would have leveraged previous version's recommendation.

>> What if they don't match? To urlencode the local part might have been
>> easier than Z-encoding its SHA1, but what's the point of doing both?
>
> Percent-encoding does not allow to store it as plain text files because
> '/' does not need to be percent encoded and the entire length of the
> filename might get too long without using a hash.

According to rfc5321, the maximum total length of a user name or other local-part is 64 octets. However, yes, slashes may entail hairy scripting by those providers who allow funny characters in their email addresses.

> The l= parameter has been added as an alternative way for looking up the
> key for those platforms which already employ databases or such and don't
> want to store extra data like a hash.

Indeed, those hashes are difficult. However, after one learns how to do them, they're quite handy. Having alternative ways to retrieve (alternative?) keys sounds strange.

Thank you for your attention

Best
Ale

From mlnl at mailbox.org Thu Feb 14 10:52:14 2019
From: mlnl at mailbox.org (mlnl)
Date: Thu, 14 Feb 2019 10:52:14 +0100
Subject: Problem with generating Brainpool P-512
In-Reply-To: <87d0nu27j9.fsf@wheatstone.g10code.de>
References: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com> <87d0nu27j9.fsf@wheatstone.g10code.de>
Message-ID:

Hi Werner,

>> gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key
>> gpg-agent[pid]:command 'PKSIGN' failed: Invalid length
>
> Please provide more information: GnuPG version, OS, and command used
> to create the key.

you should add it in the man page, because it's a FAQ:
cert-digest-algo !< SHA512 in gpg.conf for ECC >= 512-bit

--
mlnl

From wk at gnupg.org Thu Feb 14 21:05:11 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 21:05:11 +0100
Subject: Upload key to WKD from command line?
In-Reply-To: <20190214095306.akb4h2uzca4jnfc4@gruenfink> (Wolfgang Traylor's message of "Thu, 14 Feb 2019 09:53:07 +0000")
References: <20190209102039.jbuom4mb34kgrt52@lyta> <874l9626qm.fsf@wheatstone.g10code.de> <20190214095306.akb4h2uzca4jnfc4@gruenfink>
Message-ID: <87va1myw3s.fsf@wheatstone.g10code.de>

> gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user
> id 'wolfgang.traylor at posteo.de'

> Or do I even need my secret primary key?

Right. The primary key is required to create a new user id. gpg tries to be helpful there but it can't work for high security environments with an offline primary key. I would suggest that you create a second user id with just the mail address on your other box with the primary key. Then gpg-wks-client has no need to create it on its own.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Feb 14 21:10:03 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 21:10:03 +0100
Subject: Problem with generating Brainpool P-512
In-Reply-To: (mlnl's message of "Thu, 14 Feb 2019 10:52:14 +0100")
References: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com> <87d0nu27j9.fsf@wheatstone.g10code.de>
Message-ID: <87r2cayvvo.fsf@wheatstone.g10code.de>

On Thu, 14 Feb 2019 10:52, mlnl at mailbox.org said:

> you should add it in the man page, because it's a FAQ:
> cert-digest-algo !< SHA512 in gpg.conf for ECC >= 512-bit

Sorry, I can't parse that. Please also note that --cert-digest-algo should not be used because it violates the OpenPGP preference system.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From wolfgang.traylor at posteo.de Thu Feb 14 22:32:05 2019
From: wolfgang.traylor at posteo.de (Wolfgang Traylor)
Date: Thu, 14 Feb 2019 21:32:05 +0000
Subject: Upload key to WKD from command line?
In-Reply-To: <87va1myw3s.fsf@wheatstone.g10code.de>
References: <20190209102039.jbuom4mb34kgrt52@lyta> <874l9626qm.fsf@wheatstone.g10code.de> <20190214095306.akb4h2uzca4jnfc4@gruenfink> <87va1myw3s.fsf@wheatstone.g10code.de>
Message-ID: <20190214213205.gk55sx6dsljlhbxb@gruenfink>

Thank you very much. That answered all my questions.

Werner Koch wrote on 14.02 19 21:05:
>
> > gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user
> > id 'wolfgang.traylor at posteo.de'
>
> > Or do I even need my secret primary key?
>
> Right. The primary key is required to create a new user id. gpg tries
> to be helpful there but it can't work for high security environments
> with an offline primary key. I would suggest that you create a second
> user id with just the mail address on your other box with the primary
> key. Then gpg-wks-client has no need to create it on its own.
>
>
> Salam-Shalom,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.

From amuza at riseup.net Fri Feb 15 11:50:00 2019
From: amuza at riseup.net (amuza)
Date: Fri, 15 Feb 2019 10:50:00 +0000
Subject: How to specify ca-cert-file as a path relative to ~? (was: It's more GNU/Linux than GnuPG)
In-Reply-To: <20190213223631.GH15406@kugelfisch.zuhause.test>
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net> <20190213223631.GH15406@kugelfisch.zuhause.test>
Message-ID:

Friedhelm Waitzmann:
>> I have two GNU/Linux computers syncing their ~/.gnupg directories.
>> "alice" is my username in one computer, "bob" is my username in the
>> other one.
>
>> I have a CA certificate stored in my home directory of both computers,
>> and would like to keep it there.
>
>> Into the ~/.gnupg/gpg.conf file, I wrote the following line pointing to
>> that CA cert:
>
>> keyserver-options ca-cert-file=~/keyserverCA.pem
>
>> But that line does not seem to work because of "~".
>
>> Everything works ok in one computer if I write:
>
>> keyserver-options ca-cert-file=/home/alice/keyserverCA.pem
>
>> and in the other computer if I write:
>
>> keyserver-options ca-cert-file=/home/bob/keyserversCA.pem
>
>> But then, by specifying names, when syncing, that line won't work in one
>> of the two computers because of the usernames.
>
>> Is there any way to specify "user" without writing their name?
>
>> Any other suggestion?
>
> Just guessing: How about specifying the file as a path relative
> to the .gnupg directory?
>
> (1)
> keyserver-options ca-cert-file=../keyserversCA.pem
>
> or
>
> (2)
> In the .gnupg directory create a symbolic link pointing to ..:
> $ ln -s .. ~/.gnupg/homedir
> Then set ca-cert-file to homedir/keyserversCA.pem:
> keyserver-options ca-cert-file=homedir/keyserversCA.pem
>

Hey Friedhelm, thanks a lot! Suggestion 2 worked!!

Thank you Werner too.

Cheers
From andre at ockers.eu Sat Feb 16 10:34:43 2019
From: andre at ockers.eu (André Ockers)
Date: Sat, 16 Feb 2019 10:34:43 +0100
Subject: Configuring Linux system mail submission
In-Reply-To: <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>
References: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com> <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>
Message-ID: <21387077-216a-1e2c-807e-40363704927b@ockers.eu>

Hi Peter and list,

On 10-02-19 at 18:07, Peter Lebbing wrote:
> Hi André,
>
> On 10/02/2019 15:36, André Ockers wrote:
>> Following documentation [1], I checked that I have Postfix installed and
>> now I'm here [2]
> I had feared it would break down at the mail configuration stage :-). I
> have mail servers running with a hand-managed config file with Exim 4,
> but I know nothing about Postfix. However, for mail submission, I use
> nullmailer myself. It can only do mail submission, but is much easier to
> manage than a full mail system (in my opinion).

Thank you.

> So I don't know if you installed Postfix for this purpose or actually
> use it for a real mail server, but if you can switch to nullmailer that
> would allow me to easily help you, probably.

Removed Postfix. Installed Nullmailer.

> Personally, I run nullmailer on all systems that are not running a
> full-fledged mail server, and they connect to my edge mail server for
> mail submission. You can just use any SMTP-supporting provider for the
> latter.
>
> When installing nullmailer on Debian, it will ask you interactively for
> entries for files in /etc and /etc/nullmailer. Mine look like this:
>
> /etc/mailname: hostname.digitalbrains.com (the actual fully qualified
> domain name of the local host)

So what do you do here if you have an email address, like
andre at ockers.eu
at an email service provider, let's say
serviceprovider.nl?
Would that be ockers.eu or serviceprovider.nl in /etc/mailname?

> /etc/nullmailer/adminaddr: empty file

Check

> /etc/nullmailer/defaultdomain: digitalbrains.com

Would that be ockers.eu or serviceprovider.nl in /etc/nullmailer/defaultdomain?

> /etc/nullmailer/remotes: mail.digitalbrains.com smtp --port=587 --starttls --user=peter-nullmailer --pass=[...]
>
> That last one is the really important one. It uses the SMTP submission
> port, STARTTLS, and in my case a password that has been chosen to not
> require quotes. But you can use quotes to just use your provider account
> password.

Would that be
mail.serviceprovider.nl smtp --port=587 --starttls --user=andre-nullmailer --pass=...
or
mail.ockers.eu smtp --port=587 --starttls --user=andre-nullmailer --pass=...
in /etc/nullmailer/remotes?

Thank you in advance,

André Ockers

From peter at digitalbrains.com Sat Feb 16 12:46:22 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 16 Feb 2019 12:46:22 +0100
Subject: Configuring Linux system mail submission
In-Reply-To: <21387077-216a-1e2c-807e-40363704927b@ockers.eu>
References: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com> <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com> <21387077-216a-1e2c-807e-40363704927b@ockers.eu>
Message-ID: <7535be96-3245-df1a-c1bf-36fb18566aeb@digitalbrains.com>

Hi André,

On 16/02/2019 10:34, André Ockers wrote:
>> /etc/mailname: hostname.digitalbrains.com (the actual fully qualified
>> domain name of the local host)
>
> So what do you do here if you have an email address, like
> andre at ockers.eu
> at an email service provider, let's say
> serviceprovider.nl?
> Would that be ockers.eu or serviceprovider.nl in /etc/mailname?

The more domain names, the merrier! There is no single right answer.
These names are used to build e-mail addresses when you don't specify a fully valid e-mail address when you send the mail; both for the sender and the recipient addresses. As I indicated in the previous mail, I think you should avoid the situation where nullmailer will build e-mail addresses on a domain you don't control yourself, to prevent annoying people who happen to have the address that nullmailer builds.

This all simply does not apply to caff, and caff is our intended goal. But configuring nullmailer might also cause daemons on your computer to try and start sending e-mails, and that is where it does apply.

I've gone through several iterations of this e-mail. The thing is, there is no single right answer. There are multiple wrong answers. And my system is configured differently than yours, so I can't just say "this works for me", since I know for a fact it will not work for you. I'm sorry if I'm confusing you. I'm doing my best, but I'm simply not sure of the *best* solution in this case.

So I hope that this is the best outcome:

First, let's see what your computer thinks it is called. Invoke this:

$ hostname --fqdn

It will give you the domain name of the computer. Let's say this happened:

$ hostname --fqdn
mario.itsa.me

Then let's put this in the files:

/etc/mailname: mario.itsa.me
/etc/nullmailer/adminaddr: andre at ockers.eu
/etc/nullmailer/defaultdomain: itsa.me
/etc/nullmailer/idhost: ockers.eu

This will cause any e-mails addressed to some-username at mario, some-username at mario.itsa.me and some-username at localhost to end up being delivered to andre at ockers.eu. They might not succeed, though, because your e-mail provider might very well reject the sender of the mail. You should probably check every now and then whether there is anything stuck in /var/spool/nullmailer/queue. You can delete any files there and it will stop trying to deliver that e-mail. You do need to be root to delete them.
Note that Postfix would probably not do better at delivering those e-mails. It could be configured to do so, but by default it would not.

And the idhost line prevents the name mario.itsa.me from ending up in the e-mail headers (specifically, the Message-ID line). It mirrors your current e-mail setup, which I could see in your e-mail headers. Some people don't like names from their internal network leaking out to the big bad internet. But it might still happen in other places.

>> /etc/nullmailer/remotes: mail.digitalbrains.com smtp --port=587 --starttls --user=peter-nullmailer --pass=[...]
>>
>> That last one is the really important one. It uses the SMTP submission
>> port, STARTTLS, and in my case a password that has been chosen to not
>> require quotes. But you can use quotes to just use your provider account
>> password.
>
> Would that be
> mail.serviceprovider.nl smtp --port=587 --starttls
> --user=andre-nullmailer --pass=...
> or
> mail.ockers.eu smtp --port=587 --starttls --user=andre-nullmailer --pass=...
> in /etc/nullmailer/remotes?

This is the same as when configuring your e-mail client. If your e-mail service provider has given you the following outgoing mail server settings:

Outgoing mail server: smtp.serviceprovider.nl
User name: some-username at serviceprovider.nl
Password: lalala

Then the line becomes

/etc/nullmailer/remotes: smtp.serviceprovider.nl smtp --port=587 --starttls --user=some-username at serviceprovider.nl --pass=lalala

Some providers will use a full e-mail address as user name, others just the bit before the @. You could take a look in your e-mail client software (which clearly works) and see what it has there for outgoing mail server settings. That probably will not show you the password right away.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
From mgorny at gentoo.org Sat Feb 16 19:25:38 2019
From: mgorny at gentoo.org (Michał Górny)
Date: Sat, 16 Feb 2019 19:25:38 +0100
Subject: An option to generate revocation cert for subkey(s)?
Message-ID: <1550341538.642.7.camel@gentoo.org>

Hello,

I'd like to ask whether it'd be feasible to have an option to generate revocation certificate that revokes one (or more?) subkeys rather than the whole key.

Our use case involves signing key kept on a server for the purpose of automated signatures. We'd like to keep the secret portion of the primary key offline and use a dedicated signing subkey on the server. At the same time, we'd like to be able to quickly revoke the subkey if need arises without having to reach for the primary key.

I know that currently with a bit of hacking we can store an export of the key with subkey revoked, and use that for the purpose. However, I think it would be much more convenient if we had an option to generate the revocation signature separately.

--
Best regards,
Michał Górny

From tlikonen at iki.fi Sun Feb 17 07:23:38 2019
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sun, 17 Feb 2019 08:23:38 +0200
Subject: Two utilities: gpg-tofu and gpg-graph
Message-ID: <87ftsnorv9.fsf@iki.fi>

Hello!

I have made two utilities to help my usage of gpg. I think the functionality of one of them should be part of gpg.

gpg-tofu
--------

https://github.com/tlikonen/gpg-tofu

This program parses "gpg --batch --no-tty --with-tofu-info --with-colons --list-keys -- [...]" output and displays human readable TOFU statistics.
An example:

$ gpg-tofu tlikonen at iki.fi
4E1055DC84E9DFF613D78557719D69D324539450
  [ultimate] Teemu Likonen
    TOFU validity: (4/4) a lot of history for trust, TOFU policy: good
    428 signatures in 1 year 252 days, first: 2017-06-09 11:28:16, last: 2019-02-16 19:36:03
    404 encryptions in 1 year 244 days, first: 2017-06-15 14:41:30, last: 2019-02-14 19:25:41
[...]

In my opinion "gpg --with-tofu-info --list-keys" etc. (without --with-colons) should display similar human readable TOFU info. Please make my tool obsolete. :-)

gpg-graph
---------

https://github.com/tlikonen/gpg-graph

This program parses "gpg --batch --no-tty --with-colons --check-signatures -- [...]" and prints graph data for Graphviz for drawing nice web of trust graphs.

$ gpg-graph [key1 ...] | dot -Tpng >wot-dot.png
$ gpg-graph [key1 ...] | neato -Tpng >wot-neato.png
$ gpg-graph [key1 ...] | sfdp -Tpng >wot-sfdp.png

I have seen one similar tool before (packaged in Debian) but it was broken by design because it tries to parse the human readable output of "gpg --check-signatures". It didn't work with the default --list-options of gpg 2.1. Obviously it should parse machine readable --with-colons output which my version does.

--
/// Teemu Likonen - .-.. // // PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///

From farhan at farhan.codes Sun Feb 17 08:20:30 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Sun, 17 Feb 2019 02:20:30 -0500
Subject: Yubikey keytocard: "Bad secret key"
Message-ID: <81ffafa24469e91bc6164ddd431674b1@farhan.codes>

Hi all,

I am trying to import my existing PGP key to my Yubikey and I keep getting:

gpg: KEYTOCARD failed: Bad secret key

Even after I reset the pin or set a custom value.
I am following the instructions here (https://support.yubico.com/support/solutions/articles/15000006421-resetting-the-openpgp-applet-on-your-yubikey) to reset the device, but am told the pin is wrong. This happens both when I set a custom pin and not.

Am I doing something wrong? Below is an output of what I did to reset the pin, expecting it to be "1234578". Please advise.

---------------
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006047082720000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 82 i.
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000] 69 83 i.
OK
> scd apdu 00 e6 00 00
D[0000] 90 00 ..
OK
> scd apdu 00 44 00 00
D[0000] 90 00 ..
OK
>
---------------

From here I killed the running gpg-agent process, removed the device, re-entered it, and opened a new terminal. I do not have gpg-connect-agent running.
---------------
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006047082720000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
$ gpg --list-keys test at test.com
pub rsa1024 2019-02-16 [SC]
    B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82
uid [ultimate] test test (Test Comment)
sub rsa1024 2019-02-16 [E]

$ gpg --edit-key B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa1024/A08B3F30A45C3E82
    created: 2019-02-16 expires: never usage: SC
    trust: ultimate validity: ultimate
ssb rsa1024/4D997E0AE0CEC20C
    created: 2019-02-16 expires: never usage: E
[ultimate] (1). test test (Test Comment)

gpg> toggle

sec rsa1024/A08B3F30A45C3E82
    created: 2019-02-16 expires: never usage: SC
    trust: ultimate validity: ultimate
ssb rsa1024/4D997E0AE0CEC20C
    created: 2019-02-16 expires: never usage: E
[ultimate] (1). test test (Test Comment)

gpg> 1

sec rsa1024/A08B3F30A45C3E82
    created: 2019-02-16 expires: never usage: SC
    trust: ultimate validity: ultimate
ssb rsa1024/4D997E0AE0CEC20C
    created: 2019-02-16 expires: never usage: E
[ultimate] (1)* test test (Test Comment)

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection?
1
gpg: KEYTOCARD failed: Bad secret key
---------------

I am prompted to enter the PGP password, which seems to work, but when I enter the admin key of "12345678" I get this error.

Any ideas where the problem may lie?

Thanks!
---
Farhan Khan

From andrewg at andrewg.com Sun Feb 17 10:26:03 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 17 Feb 2019 09:26:03 +0000
Subject: Yubikey keytocard: "Bad secret key"
In-Reply-To: <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
References: <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
Message-ID: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com>

> On 17 Feb 2019, at 07:20, Farhan Khan via Gnupg-users wrote:
>
> Key attributes ...: rsa2048 rsa2048 rsa2048

But you're trying to load an rsa1024 key onto it. Have you tried loading a 2048 bit key instead?

A

From 2017-r3sgs86x8e-lists-groups at riseup.net Sun Feb 17 13:25:24 2019
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sun, 17 Feb 2019 12:25:24 +0000
Subject: Two utilities: gpg-tofu and gpg-graph
In-Reply-To: <87ftsnorv9.fsf@iki.fi>
References: <87ftsnorv9.fsf@iki.fi>
Message-ID: <1908274116.20190217122524@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Sunday 17 February 2019 at 6:23:38 AM, in , Teemu Likonen wrote:-

> In my opinion "gpg --with-tofu-info --list-keys" etc.
> (without
> --with-colons) should display similar human readable
> TOFU info.

Currently I don't think the option "--with-tofu-info" changes the output of "gpg --list-keys" at all. It would be interesting to see this, but I'm not sure the information is useful to me.
- --
Best regards

MFPA

You can't build a reputation on what you are going to do

From jerry at seibercom.net Sun Feb 17 13:34:29 2019
From: jerry at seibercom.net (Jerry)
Date: Sun, 17 Feb 2019 07:34:29 -0500
Subject: An option to generate revocation cert for subkey(s)?
In-Reply-To: <1550341538.642.7.camel@gentoo.org>
References: <1550341538.642.7.camel@gentoo.org>
Message-ID: <20190217073429.0000365c@seibercom.net>

On Sat, 16 Feb 2019 19:25:38 +0100, Michał Górny stated:

>Hello,
>
>I'd like to ask whether it'd be feasible to have an option to generate
>revocation certificate that revokes one (or more?) subkeys rather than
>the whole key.
>
>Our use case involves signing key kept on a server for the purpose of
>automated signatures.
>We'd like to keep the secret portion
>of the primary key offline and use a dedicated signing subkey
>on the server. At the same time, we'd like to be able to quickly
>revoke the subkey if need arises without having to reach for the
>primary key.
>
>I know that currently with a bit of hacking we can store an export
>of the key with subkey revoked, and use that for the purpose. However,
>I think it would be much more convenient if we had an option to generate
>the revocation signature separately.

+1

--
Jerry

From james at cleverstudentlets.com Sun Feb 17 13:36:11 2019
From: james at cleverstudentlets.com (james at cleverstudentlets.com)
Date: Sun, 17 Feb 2019 12:36:11 +0000 (GMT)
Subject: Re: Re: An option to generate revocation cert for subkey(s)?
Message-ID: <20190217123611.BB9C9CF5F2E@cloud328480-1.lcncloud.com>

Thanks for your e-mail. Please note that I am away from the office at the moment. If your enquiry is of an urgent nature please call the office on 01752-500511 or e-mail mark at cleverstudentlets.com.
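[Added example, not part of any message in this archive and not GnuPG's own code.] For the thread 'The "advanced" URL of openpgp-webkey-service-07, and l=' above, this sketch derives both lookup URLs for an address: the hashed file name (z-base-32 of the SHA-1 of the lowercased local part) plus the percent-encoded l= hint, in the corrected /.well-known/openpgpkey/DOMAIN order. The function names and sample addresses are constructed for illustration; the hu/ path component and the z-base-32 alphabet are taken from the WKD draft as an assumption, and the domain is assumed to be in A-label form already.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet (assumed from the WKD draft; 32 symbols, 5 bits each).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5              # pad the tail up to a whole 5-bit group
    value <<= pad
    nbits += pad
    return "".join(
        ZBASE32[(value >> shift) & 0x1F]
        for shift in range(nbits - 5, -1, -5)
    )


def ascii_lower(text: str) -> str:
    """Lowercase ASCII letters only; non-ASCII characters stay unchanged."""
    return "".join(c.lower() if c.isascii() else c for c in text)


def wkd_hash(local_part: str) -> str:
    """File name under hu/: z-base-32 of SHA-1 over the lowercased local part.

    A SHA-1 digest is 160 bits, so the result is always 32 characters and
    never contains '/', whatever characters the mailbox name uses.
    """
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' lookup URLs for a mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mailbox address: %r" % address)
    domain = ascii_lower(domain)    # assumption: already an A-label
    name = wkd_hash(local)
    hint = quote(local, safe="")    # l= keeps the original spelling; '/' -> %2F
    return {
        "advanced": "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s"
                    % (domain, domain, name, hint),
        "direct": "https://%s/.well-known/openpgpkey/hu/%s?l=%s"
                  % (domain, name, hint),
    }


if __name__ == "__main__":
    # Constructed sample addresses; the second has a '/' in the local part.
    for addr in ("Joe.Doe@Example.ORG", "odd/name@example.org"):
        for method, url in wkd_urls(addr).items():
            print("%-8s %s" % (method, url))
```

The second sample address shows the point made in the thread: the hashed name stays a fixed-length, slash-free file name, while l= still carries the original local part for servers that look keys up in a database.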
From aajaxx at gmail.com Sun Feb 17 21:08:50 2019
From: aajaxx at gmail.com (Ajax)
Date: Sun, 17 Feb 2019 20:08:50 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
Message-ID:

This is with Debian Stretch (Debian 9.8) and Linux kernel 4.19.0-0.bpo.2-amd64

Speedo fails as follows:

ajax:~/src/gnupg/gnupg-2.2.13$ LD_LIBRARY_PATH=$(pwd)/PLAY/inst/lib make -f build-aux/speedo.mk native
make -f /home/jam/src/gnupg/gnupg-2.2.13/build-aux/speedo.mk UPD_SWDB=1 TARGETOS=native WHAT=release WITH_GUI=0 all
make[1]: Entering directory '/home/jam/src/gnupg/gnupg-2.2.13'
gpgv: Signature made Mon 11 Feb 2019 10:41:15 AM UTC
gpgv: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpgv: Good signature from "Werner Koch (dist sig)"
GnuPG version in swdb.lst is less than this version!
This version: 2.2.13
SWDB version: 2.2.12
/home/ajax/src/gnupg/gnupg-2.2.13/build-aux/speedo.mk:279: *** Error getting GnuPG software version database. Stop.
make[1]: Leaving directory '/home/ajax/src/gnupg/gnupg-2.2.13'
build-aux/speedo.mk:73: recipe for target 'native' failed
make: *** [native] Error 2

I notice the following:

ajax:~/src/gnupg/gnupg-2.2.13$ gpg --verify swdb.lst.sig swdb.lst
gpg: Signature made Mon 11 Feb 2019 10:41:15 AM UTC
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"
jajax:~/src/gnupg/gnupg-2.2.13$ head -n 1 swdb.lst
gnupg22_ver 2.2.12

Is the above what is to be expected?

FWIW without speedo, I get the following and the build seems to be fine.
ajax:~/src/gnupg/gnupg-2.2.13$ ./configure | tail -n 30
config.status: creating po/Makefile

GnuPG v2.2.13 has been configured as follows:

Revision: 7922e2dd1 (31010)
Platform: GNU/Linux (x86_64-pc-linux-gnu)

OpenPGP: yes
S/MIME: yes
Agent: yes
Smartcard: yes (without internal CCID driver)
G13: no
Dirmngr: yes
Gpgtar: yes
WKS tools: yes

Protect tool: (default)
LDAP wrapper: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)

Dirmngr auto start: yes
Readline support: yes
LDAP support: yes
TLS support: ntbtls
TOFU support: yes
Tor support: yes

What should I do to make a speedo build work?

Thank you.

From farhan at farhan.codes Mon Feb 18 06:19:03 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 00:19:03 -0500
Subject: Using Yubikey only to encrypt/sign
Message-ID: <20190218051902.GA19367@pc.farhan.codes>

Hi all,

How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to encrypt, sign, or decrypt? This might be in a scenario where I only have the keys on my card but not on disk such as while traveling. I can confirm that 'gpg --card-status' lists the keys as present.

I am simulating this scenario by moving ~/.gnupg to another directory, but running 'gpg --list-keys' does not list the key as present.

Please advise.

Thanks!
---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF

From farhan at farhan.codes Mon Feb 18 06:51:17 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 05:51:17 +0000
Subject: Yubikey keytocard: "Bad secret key"
In-Reply-To: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com>
References: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com> <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
Message-ID:

February 17, 2019 4:26 AM, "Andrew Gallagher" wrote:

>> On 17 Feb 2019, at 07:20, Farhan Khan via Gnupg-users wrote:
>>
>> Key attributes ...: rsa2048 rsa2048 rsa2048
>
> But you're trying to load an rsa1024 key onto it. Have you tried loading a 2048 bit key instead?
>
> A
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

This was it, loading a 2048-bit key works just fine
Thanks Andrew!

---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF

From andrewg at andrewg.com Mon Feb 18 08:35:27 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 18 Feb 2019 07:35:27 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <20190218051902.GA19367@pc.farhan.codes>
References: <20190218051902.GA19367@pc.farhan.codes>
Message-ID:

> On 18 Feb 2019, at 05:19, Farhan Khan via Gnupg-users wrote:
>
> How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to
> encrypt, sign, or decrypt? This might be in a scenario where I only have the
> keys on my card but not on disk such as while traveling. I can confirm that
> 'gpg --card-status' lists the keys as present.
>
> I am simulating this scenario by moving ~/.gnupg to another directory, but
> running 'gpg --list-keys' does not list the key as present.

You need to download the public key of the secret keys you are about to use,
and then run `gpg --card-status` again. After that it Should Just Work.
A

From peter at digitalbrains.com Mon Feb 18 12:09:36 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 18 Feb 2019 12:09:36 +0100
Subject: Yubikey keytocard: "Bad secret key"
In-Reply-To:
References: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com> <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
Message-ID: <5db47951-9500-6fdc-f083-3542bbfbed6e@digitalbrains.com>

On 18/02/2019 06:51, Farhan Khan via Gnupg-users wrote:
> This was it, loading a 2048-bit key works just fine
> Thanks Andrew!

First of all, I think it's a much better idea to generate a 2048-bit key
anyway, so it worked out okay.

But the problem is interesting. Before --card-edit gained its key-attr
command, GnuPG would do the correct key-attr stuff automatically to
switch to the desired key length. Maybe it has stopped doing that now,
and you need to do:

$ gpg --card-edit
[...]
gpg> key-attr

to select the desired key length before keytocard.

At the moment, I don't have a version with key-attr at hand to quickly
test myself.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From konstantin at linuxfoundation.org Mon Feb 18 14:32:41 2019
From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Date: Mon, 18 Feb 2019 08:32:41 -0500
Subject: Two utilities: gpg-tofu and gpg-graph
In-Reply-To: <87ftsnorv9.fsf@iki.fi>
References: <87ftsnorv9.fsf@iki.fi>
Message-ID: <20190218133241.GB1151@chatter.qube.local>

On Sun, Feb 17, 2019 at 08:23:38AM +0200, Teemu Likonen wrote:
>gpg-graph
>---------
>
>https://github.com/tlikonen/gpg-graph
>
>This program parses "gpg --batch --no-tty --with-colons
>--check-signatures -- [...]" and prints graph data for Graphviz for
>drawing nice web of trust graphs.
>
>
>$ gpg-graph [key1 ...] | dot -Tpng >wot-dot.png
>$ gpg-graph [key1 ...] | neato -Tpng >wot-neato.png
>$ gpg-graph [key1 ...] | sfdp -Tpng >wot-sfdp.png
>
>
>I have seen one similar tool before (packaged in Debian) but it was
>broken by design because it tries to parse the human readable output of
>"gpg --check-signatures". It didn't work with the default --list-options
>of gpg 2.1. Obviously it should parse machine readable --with-colons
>output which my version does.

There's also this graphing tool that I've been using for kernel.org
needs:
https://github.com/mricon/wotmate

-K

From wk at gnupg.org Mon Feb 18 20:16:25 2019
From: wk at gnupg.org (Werner Koch)
Date: Mon, 18 Feb 2019 20:16:25 +0100
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To: (Ajax's message of "Sun, 17 Feb 2019 20:08:50 +0000")
References:
Message-ID: <87d0nox5yu.fsf@wheatstone.g10code.de>

On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:

> GnuPG version in swdb.lst is less than this version!
> This version: 2.2.13
> SWDB version: 2.2.12

Something went wrong uploading the version file. I just repeated it and
it works now (try: "build-aux/getswdb.sh").

Thanks for reporting,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
From aajaxx at gmail.com Mon Feb 18 21:10:20 2019
From: aajaxx at gmail.com (Ajax)
Date: Mon, 18 Feb 2019 20:10:20 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To: <87d0nox5yu.fsf@wheatstone.g10code.de>
References: <87d0nox5yu.fsf@wheatstone.g10code.de>
Message-ID:

On Mon, Feb 18, 2019 at 7:20 PM Werner Koch wrote:

> On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:
>
> > GnuPG version in swdb.lst is less than this version!
> > This version: 2.2.13
> > SWDB version: 2.2.12
>
> Something went wrong uploading the version file. I just repeated it and
> it works now (try: "build-aux/getswdb.sh"
>

Any hints where I might find build-aux on debian stretch?

From farhan at farhan.codes Mon Feb 18 21:35:30 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 20:35:30 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To:
References: <20190218051902.GA19367@pc.farhan.codes>
Message-ID:

February 18, 2019 2:35 AM, "Andrew Gallagher" wrote:

>> On 18 Feb 2019, at 05:19, Farhan Khan via Gnupg-users wrote:
>>
>> How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to
>> encrypt, sign, or decrypt? This might be in a scenario where I only have the
>> keys on my card but not on disk such as while traveling. I can confirm that
>> 'gpg --card-status' lists the keys as present.
>>
>> I am simulating this scenario by moving ~/.gnupg to another directory, but
>> running 'gpg --list-keys' does not list the key as present.
>
> You need to download the public key of the secret keys you are about to use, and then run `gpg
> --card-status` again. After that it Should Just Work.
>
> A
>

Hey Andrew,
I was given the message "gpg: decryption failed: No secret key".
I ran this:

mv .gnupg .gnupg.bak
gpg --card-status
cat encrypted_message | gpg --decrypt

This gave me the warning message:
gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
"Farhan Khan "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

When I run gpg --list-secret-keys, I see the serial number listed for my card.
I suspect this is a gpg-agent issue?

Thanks,
---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF

From andrewg at andrewg.com Mon Feb 18 21:51:07 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 18 Feb 2019 20:51:07 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To:
References: <20190218051902.GA19367@pc.farhan.codes>
Message-ID: <67563238-716E-49C5-B379-99072F17060F@andrewg.com>

> On 18 Feb 2019, at 20:35, Farhan Khan wrote:
> Hey Andrew,
> I was given the message "gpg: decryption failed: No secret key". I ran this:
>
> mv .gnupg .gnupg.bak
> gpg --card-status
> cat encrypted_message | gpg --decrypt
>
> This gave me the warning message:
> gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
> "Farhan Khan "
> gpg: public key decryption failed: Invalid ID
> gpg: decryption failed: No secret key
>
> When I run gpg --list-secret-keys, I see the serial number listed for my card.
> I suspect this is a gpg-agent issue?

Would you mind posting the results of `gpg --list-secret-keys`? With the
yubikey plugged in. It shouldn't contain anything too sensitive. You may
have the decryption key in the wrong slot.
A

From farhan at farhan.codes Mon Feb 18 22:39:47 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 21:39:47 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <67563238-716E-49C5-B379-99072F17060F@andrewg.com>
References: <67563238-716E-49C5-B379-99072F17060F@andrewg.com> <20190218051902.GA19367@pc.farhan.codes>
Message-ID: <17d7b19a31012c16d560882e4b510220@farhan.codes>

February 18, 2019 3:51 PM, "Andrew Gallagher" wrote:

>> On 18 Feb 2019, at 20:35, Farhan Khan wrote:
>> Hey Andrew,
>> I was given the message "gpg: decryption failed: No secret key". I ran this:
>>
>> mv .gnupg .gnupg.bak
>> gpg --card-status
>> cat encrypted_message | gpg --decrypt
>>
>> This gave me the warning message:
>> gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
>> "Farhan Khan "
>> gpg: public key decryption failed: Invalid ID
>> gpg: decryption failed: No secret key
>>
>> When I run gpg --list-secret-keys, I see the serial number listed for my card.
>> I suspect this is a gpg-agent issue?
>
> Would you mind posting the results of `gpg --list-secret-keys`? With the yubikey plugged in. It
> shouldn't contain anything too sensitive. You may have the decryption key in the wrong slot.
>
> A

Sure!

So, I have two tracks I'm taking at once, and perhaps you can provide some
clarity on usage. My intention was to have the key on both my disk for use
locally and on card for use while away from my computer.

A. I have a keyring with the secret key. I ran --edit-key, then keytocard.
When I list --secret-keys, I get this:

---
$ gpg --list-secret-keys farhan at farhan.codes
sec> rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
7BEF02AB89AF9581194D57F1BF0F750DB428FFFF
Card serial no. = XXXX XXXXXXXX
uid [ultimate] Farhan Khan
---

Notice the serial card number. At this point, I cannot decrypt files without
the key present. Has the secret key been removed from disk?
If so, this means I can only have the key in one place at a time and risk
losing it. Ideally I would like to have the secret key on my computer, which
I trust, but not on other devices.

B. I moved ~/.gnupg and created a new keyring. Then, I imported my public
key. This simulates a situation where I can access my public key from the
internet, but will not store it on the machine. Here is the output you
requested:

---
$ gpg --list-secret-keys farhan at farhan.codes
sec> rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
7BEF02AB89AF9581194D57F1BF0F750DB428FFFF
Card serial no. = 0006 04708272
uid [ unknown] Farhan Khan
---

I expect to be able to decrypt messages, but cannot:

---
$ echo test | gpg --encrypt -r farhan at farhan.codes | gpg --decrypt
gpg: BF0F750DB428FFFF: There is no assurance this key belongs to the named user

pub rsa2048/BF0F750DB428FFFF 2019-02-18 Farhan Khan
Primary key fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
"Farhan Khan "
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
---

Please advise where my mistakes or incorrect assumptions are.

Thanks,
---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF

From aajaxx at gmail.com Mon Feb 18 22:54:58 2019
From: aajaxx at gmail.com (Ajax)
Date: Mon, 18 Feb 2019 21:54:58 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To:
References: <87d0nox5yu.fsf@wheatstone.g10code.de>
Message-ID:

On Mon, Feb 18, 2019 at 8:10 PM Ajax wrote:

>
>
> On Mon, Feb 18, 2019 at 7:20 PM Werner Koch wrote:
>
>> On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:
>>
>> > GnuPG version in swdb.lst is less than this version!
>> > This version: 2.2.13
>> > SWDB version: 2.2.12
>>
>> Something went wrong uploading the version file. I just repeated it and
>> it works now (try: "build-aux/getswdb.sh"
>>
>
> Any hints where I might find build-aux on debian stretch?
>

Thank you for your quick and succinct response and please excuse me for my
last silly response.
The speedo build worked fine after using "build-aux/getswdb.sh".

After the speedo build make install gives:

make: *** No rule to make target 'install'. Stop.

What am I missing now?

From peter at digitalbrains.com Tue Feb 19 11:23:52 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Feb 2019 11:23:52 +0100
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <17d7b19a31012c16d560882e4b510220@farhan.codes>
References: <67563238-716E-49C5-B379-99072F17060F@andrewg.com> <20190218051902.GA19367@pc.farhan.codes> <17d7b19a31012c16d560882e4b510220@farhan.codes>
Message-ID: <2d3a85b6-b812-1752-b3ca-88e6a7c2828e@digitalbrains.com>

On 18/02/2019 22:39, Farhan Khan via Gnupg-users wrote:
> $ gpg --list-secret-keys farhan at farhan.codes
> sec> rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]

Ah, well, there's your problem. You should not use your primary key for
encryption; they invented subkeys for that.

And with the smartcard, you come into the uncomfortable situation that
the smartcard will decline to decrypt with what it knows is a signature
key, and likewise decline to sign with what it knows is an encryption
key. But both those usages are this key, and there will only be one stub
in GnuPG, which will refer to either a smartcard signature key or a
smartcard encryption key, but not both.

The most straightforward solution is to create an RSA primary key that
does certification and signatures (usage: SC), and an RSA subkey that
does encryption (usage: E). My --full-gen-key calls this option "RSA and
RSA (default)".
You can then upload those keys to the correct slots in the smartcard (it
will decline to pick the wrong slot).

But if you wish to use the on-disk keys after that, and the smartcard
somewhere else, you should "Quit without save", because as you have
experienced, it will *delete* the on-disk key when you "Save and quit"
and only use the smartcard key from then on.

As an aside, I'll note that you could also create a primary key that can
only certify, and a separate subkey that does signatures. That way, you
can have only subkeys on your smartcard, and compromise of the system
you use the smartcard on will only allow the attacker to issue
signatures on documents, but not edit your key or issue signatures on
other /keys/. But this might not be necessary for you, it depends on
what threat model you envision.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From mac3iii at gmail.com Tue Feb 19 15:29:26 2019
From: mac3iii at gmail.com (murphy)
Date: Tue, 19 Feb 2019 09:29:26 -0500
Subject: Speedo build of GnuPG v2.2.13 fails for me
Message-ID: <42a0ec20-e8f8-bf4f-6544-ecd5d0fd68e9@gmail.com>

Hi Ajax -

For what it is worth I put up a github bash file that should build the
latest version of gpg using the fabulous speedo method in a Debian based
environment. I ran this yesterday and it works on Ubuntu 18.04 and the
latest Raspbian Stretch (Raspberry Pi OS based on Stretch).

https://github.com/sandyCH/gpg_build

I also noticed that the database had not been updated and chose to wait
until it was found and corrected. It happens sometimes. I hope you
find this useful!

murphy
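Peter Lebbing's explanation in the "Using Yubikey only to encrypt/sign" thread above, turned into a check. This is an added example, not code from the list or from GnuPG: it parses `gpg --list-secret-keys --with-colons` output and flags a primary key that is used for both signing and encryption. The sample records, key IDs and token serial are constructed placeholders, and the finding names are hypothetical; the field positions are those documented in GnuPG's doc/DETAILS.

```python
from dataclasses import dataclass

# Constructed samples: key IDs and the token serial are placeholders.
# Field positions follow GnuPG's doc/DETAILS: 1 = record type, 5 = key ID,
# 12 = capabilities, 15 = token serial ('#' = stub only, '+' = secret on disk).
CARD_SERIAL = "D2760001240102010006000000000000"  # placeholder, not a real card

# One primary key doing everything ([SCEA]) and moved to the card.
SINGLE_KEY_ON_CARD = (
    f"sec:u:2048:1:AAAAAAAAAAAAAAAA:1550448000:1613520000::u:::escaESCA:::{CARD_SERIAL}::\n"
    "uid:u::::1550448000::::Example User:\n"
)

# The layout suggested in the thread: primary [SC] plus an encryption subkey [E].
SPLIT_KEYS_ON_CARD = (
    f"sec:u:2048:1:BBBBBBBBBBBBBBBB:1550448000:1613520000::u:::scESC:::{CARD_SERIAL}::\n"
    "uid:u::::1550448000::::Example User:\n"
    f"ssb:u:2048:1:CCCCCCCCCCCCCCCC:1550448000:1613520000:::::e:::{CARD_SERIAL}::\n"
)


@dataclass(frozen=True)
class SecretKey:
    record: str       # "sec" for a primary key, "ssb" for a subkey
    keyid: str
    caps: frozenset   # this key's own usage flags, subset of {"s", "c", "e", "a"}
    token: str        # raw field 15

    @property
    def on_card(self) -> bool:
        # Anything other than empty, '#' or '+' is a token serial number.
        return self.token not in ("", "#", "+")


def parse_secret_keys(colons_text: str) -> list:
    """Group sec/ssb records into blocks of [primary, subkey, ...]."""
    blocks = []
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * (15 - len(fields))   # tolerate short records
        # Lowercase letters are the key's own usage; the uppercase letters on a
        # primary key summarise the whole key block and are ignored here.
        caps = frozenset(c for c in fields[11] if c in "scea")
        key = SecretKey(fields[0], fields[4], caps, fields[14])
        if key.record == "sec":
            blocks.append([key])
        elif blocks:
            blocks[-1].append(key)
    return blocks


def audit(blocks: list) -> list:
    """Return (keyid, finding) pairs for layouts that clash with card slots."""
    findings = []
    for block in blocks:
        primary, subkeys = block[0], block[1:]
        if {"s", "e"} <= primary.caps:
            # One stub per key, but the card keeps signing and decryption
            # keys in separate slots, so only one usage can work from the card.
            findings.append((primary.keyid,
                             "mixed-usage-on-card" if primary.on_card
                             else "mixed-usage-primary"))
        if not any("e" in k.caps for k in subkeys):
            findings.append((primary.keyid, "no-encryption-subkey"))
    return findings


if __name__ == "__main__":
    for name, sample in (("single key", SINGLE_KEY_ON_CARD),
                         ("split keys", SPLIT_KEYS_ON_CARD)):
        print(name, audit(parse_secret_keys(sample)))
```

To run it against a real keyring, pass the text produced by `gpg --list-secret-keys --with-colons` to `parse_secret_keys` instead of the constructed samples.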
From abbot at monksofcool.net Tue Feb 19 18:26:39 2019
From: abbot at monksofcool.net (Ralph Seichter)
Date: Tue, 19 Feb 2019 18:26:39 +0100
Subject: Problems while joining/leaving this mailing list
Message-ID: <87zhqrpu40.fsf@ra.horus-it.com>

I have written to the list owners but did not receive a reply yet, and
I also wonder if anybody else has experienced this:

I tried to subscribe with new at dom.ain and unsubscribe with old at dom.ain
by sending email to gnupg-users-request at gnupg.org from each of these
addresses. Firstly, I find it very irritating that messages to the
mailing list robot are subjected to greylisting delay of at least one
hour. Secondly, I have received two replies with different confirmation
codes for each of my (un)subscription attempts -- four codes total.

It seems to me that the mailing list robot is experiencing hiccups. Can
anybody here confirm this?

-Ralph

From idmsdba at nycap.rr.com Tue Feb 19 21:28:38 2019
From: idmsdba at nycap.rr.com (Michael A. Yetto)
Date: Tue, 19 Feb 2019 15:28:38 -0500
Subject: Problems while joining/leaving this mailing list
In-Reply-To: <87zhqrpu40.fsf@ra.horus-it.com>
References: <87zhqrpu40.fsf@ra.horus-it.com>
Message-ID: <20190219152838.70bdcee1@braetac.lighthouse.yetnet>

On Tue, 19 Feb 2019 18:26:39 +0100
Ralph Seichter writes, and having writ moves on:

>I have written to the list owners but did not receive a reply yet, and
>I also wonder if anybody else has experienced this:
>
>I tried to subscribe with new at dom.ain and unsubscribe with old at dom.ain
>by sending email to gnupg-users-request at gnupg.org from each of these
>addresses. Firstly, I find it very irritating that messages to the
>mailing list robot are subjected to greylisting delay of at least one
>hour. Secondly, I have received two replies with different confirmation
>codes for each of my (un)subscription attempts -- four codes total.
>
>It seems to me that the mailing list robot is experiencing hiccups. Can
>anybody here confirm this?
>

When you sent mail to what did you use
as the Subject?

Did you try the unsubscribe URL found in the "List-Unsubscribe:" header
of each email sent to the list?

Mike Yetto
--
"The hard but just rule is that if the ideas don't work,
you must throw them away. Don't waste any neurons on
what doesn't work. Devote those neurons to new ideas
that better explain the data. Valid criticism is doing
you a favor."
- Carl Sagan

From abbot at monksofcool.net Wed Feb 20 04:02:00 2019
From: abbot at monksofcool.net (Ralph Seichter)
Date: Wed, 20 Feb 2019 04:02:00 +0100
Subject: Problems while joining/leaving this mailing list
In-Reply-To: <20190219152838.70bdcee1@braetac.lighthouse.yetnet>
References: <87zhqrpu40.fsf@ra.horus-it.com> <20190219152838.70bdcee1@braetac.lighthouse.yetnet>
Message-ID: <87o97717tj.fsf@ra.horus-it.com>

* Michael A. Yetto:

> When you sent mail to what did you use
> as the Subject?

I used "subscribe" and "unsubscribe" as subjects for my (un)subscription
attempts, as shown in the List-Subscribe and List-Unsubscribe headers.

I also tried to unsubscribe using the URL provided in the headers, in
which case I received one confirmation code per attempt (not two per
attempt like with the mail interface), but these codes were rejected in
the web form.

I've since managed to unsub my old address, but something definitely
feels borked here. I have "rolled" my address for about a dozen mailing
lists over the last two days, and gnupg-users is the only ML which
caused problems.

-Ralph

From wk at gnupg.org Wed Feb 20 09:03:39 2019
From: wk at gnupg.org (Werner Koch)
Date: Wed, 20 Feb 2019 09:03:39 +0100
Subject: An option to generate revocation cert for subkey(s)?
In-Reply-To: <1550341538.642.7.camel@gentoo.org> ("Michał Górny"'s message of "Sat, 16 Feb 2019 19:25:38 +0100")
References: <1550341538.642.7.camel@gentoo.org>
Message-ID: <87sgwihoo4.fsf@wheatstone.g10code.de>

On Sat, 16 Feb 2019 19:25, mgorny at gentoo.org said:

> of the key with subkey revoked, and use that for the purpose. However,
> I think it would be much more convenient if had an option to generate
> the revocation signature separately.

Can you please enter a feature request at dev.gnupg.org?

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.

From amuza at riseup.net Wed Feb 20 13:15:00 2019
From: amuza at riseup.net (amuza)
Date: Wed, 20 Feb 2019 12:15:00 +0000
Subject: How to specify ca-cert-file as a path relative to ~? (was: It's more GNU/Linux than GnuPG)
In-Reply-To:
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net> <20190213223631.GH15406@kugelfisch.zuhause.test>
Message-ID:

amuza:
>
>
> Friedhelm Waitzmann:
>>> I have two GNU/Linux computers syncing their ~/.gnupg directories.
>>> "alice" is my username in one computer, "bob" is my username in the
>>> other one.
>>
>>> I have a CA certificate stored in my home directory of both computers,
>>> and would like to keep it there.
>>
>>> Into the ~/.gnupg/gpg.conf file, I wrote the following line pointing to
>>> that CA cert:
>>
>>> keyserver-options ca-cert-file=~/keyserverCA.pem
>>
>>> But that line does not seem to work because of "~".
>>
>>> Everything works ok in one computer if I write:
>>
>>> keyserver-options ca-cert-file=/home/alice/keyserverCA.pem
>>
>>> and in the other computer if I write:
>>
>>> keyserver-options ca-cert-file=/home/bob/keyserversCA.pem
>>
>>> But then, by specifying names, when syncing, that line won't work in one
>>> of the two computers because of the usernames.
>>
>>> Is there any way to specify "user" without writing their name?
>>
>>> Any other suggestion?
>>
>> Just guessing: How about specifying the file as a path relative
>> to the .gnupg directory?
>>
>> (1)
>> keyserver-options ca-cert-file=../keyserversCA.pem
>>
>> or
>>
>> (2)
>> In the .gnupg directory create a symbolic link pointing to ..:
>> $ ln -s .. ~/.gnupg/homedir
>> Then set ca-cert-file to homedir/keyserversCA.pem:
>> keyserver-options ca-cert-file=homedir/keyserversCA.pem
>>
>
> Hey Friedhelm, thanks a lot!
> Suggestion 2 worked!!
>
> Thank you Werner too.
>

Hi again,

I was wrong, suggestion 2 does not work either.

I have tried with

(1)
keyserver-options ca-cert-file=../keyserversCA.pem

(2)
keyserver-options ca-cert-file=symlink_to_home/keyserversCA.pem

(3)
keyserver-options ca-cert-file=$HOME/keyserverCA.pem

I also tried moving the certificate into ~/.gnupg/ and did:

(4)
keyserver-options ca-cert-file=keyserverCA.pem

(5)
keyserver-options ca-cert-file=./keyserverCA.pem

None of them works.

Any other suggestion without writing the full path?

I would like it to work for both Alice and Bob, but would like to keep
the certificate into the home directory.

From wk at gnupg.org Wed Feb 20 14:54:48 2019
From: wk at gnupg.org (Werner Koch)
Date: Wed, 20 Feb 2019 14:54:48 +0100
Subject: How to specify ca-cert-file as a path relative to ~?
In-Reply-To: (amuza's message of "Wed, 20 Feb 2019 12:15:00 +0000")
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net> <20190213223631.GH15406@kugelfisch.zuhause.test>
Message-ID: <87k1huh8ev.fsf@wheatstone.g10code.de>

On Wed, 20 Feb 2019 12:15, amuza at riseup.net said:

> (1)
> keyserver-options ca-cert-file=../keyserversCA.pem

I recently asked whether you got a warning regarding this option. Would
you mind to look again at the output and, more important, tell us what
version of gpg you are using (gpg --version).

Note: Since gnupg 2.1 the above option is obsolete and has no effect.
You need to configure non-standard CA certificates in dirmngr.conf
instead.

Just in case you are still using gpg 1.4.x: You may very well run
into problems with that if you try to access keyservers.

Shalom-Salam,

Werner

p.s.
Please do not use full quotes. Quotes are used to give context to the
reader and thus a few lines are in almost all cases enough.

--
Thoughts are free. Exceptions are governed by a federal law.

From mgorny at gentoo.org Wed Feb 20 16:37:50 2019
From: mgorny at gentoo.org (Michał Górny)
Date: Wed, 20 Feb 2019 16:37:50 +0100
Subject: An option to generate revocation cert for subkey(s)?
In-Reply-To: <87sgwihoo4.fsf@wheatstone.g10code.de>
References: <1550341538.642.7.camel@gentoo.org> <87sgwihoo4.fsf@wheatstone.g10code.de>
Message-ID: <1550677070.732.0.camel@gentoo.org>

On Wed, 2019-02-20 at 09:03 +0100, Werner Koch wrote:
> On Sat, 16 Feb 2019 19:25, mgorny at gentoo.org said:
>
> > of the key with subkey revoked, and use that for the purpose. However,
> > I think it would be much more convenient if had an option to generate
> > the revocation signature separately.
>
> Can you please enter a feature request at dev.gnupg.org?
>

https://dev.gnupg.org/T4370

Thanks.
--
Best regards,
Michał Górny

From amuza at riseup.net Wed Feb 20 17:33:00 2019
From: amuza at riseup.net (amuza)
Date: Wed, 20 Feb 2019 16:33:00 +0000
Subject: How to specify ca-cert-file as a path relative to ~?
In-Reply-To: <87k1huh8ev.fsf@wheatstone.g10code.de>
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net> <20190213223631.GH15406@kugelfisch.zuhause.test> <87k1huh8ev.fsf@wheatstone.g10code.de>
Message-ID: <4143b745-3abb-21d1-4ee8-8fd6f3951462@riseup.net>

> I recently asked whether you got a warning regarding this option.

Everything works fine if I set the full path.

If I use relative paths and try, for instance, gpg --search-keys
user at domain.tld, I get the following:

gpg: searching for "user at domain.tld" from hkps server hkps.foo.tld
gpgkeys: HTTP search error 77:
gpg: key "user at domain.tld" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

> tell us what
> version of gpg you are using (gpg --version).

1.4.20

I can also see I have 2.1.11 installed. However, I always use the gpg
command, I have never used the gpg2 command. I have just tried now:

$ gpg2 --search-keys user at domain.tld
gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/home/Alice/.gnupg/S.dirmngr' failed: No such file or directory
gpg: error searching keyserver: No dirmngr
gpg: keyserver search failed: No dirmngr

So it seems I have version 2 installed, but not that dirmngr thing.

>
> Note: Since gnupg 2.1 the above option is obsolete and has no effect.
> You need to configure non-standard CA certificates in dirmngr.conf
> instead.
> Just in case you are still using gpg 1.4.x: You may very well run
> into problems with that if you try to access keyservers.

What kind of problems? I never had a problem when the full path was set.

Will relative paths work if I use version 2? In that case, what should I
do for the upgrade? Any explanation or link is welcome, I don't know
anything about version 2 and that dirmngr file.

Thanks.

From brian at minton.name Thu Feb 21 19:59:47 2019
From: brian at minton.name (Brian Minton)
Date: Thu, 21 Feb 2019 13:59:47 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203124906.57ef92c6@300baud.de>
References: <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net> <20190130234741.3e8ce8af@300baud.de> <20190201200558.34a720eb@300baud.de> <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org> <20190203124906.57ef92c6@300baud.de>
Message-ID: <20190221185946.GC8995@brian.minton.name>

On Sun, Feb 03, 2019 at 12:49:06PM +0100, Stefan Claas wrote:
> On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:
>
> I think i have to look harder to find a cross-platform FOSS solution
> that works the same.

Signal seems to work that way. Well, it relies on a server, but you can
host your own server. See for instance
https://www.reddit.com/r/signal/wiki/faq#wiki_can_i_host_my_own_server.3F ).
So in that sense, you could directly connect to the person you want to
talk to, if one of you cares to run your own server.

--
Brian Minton
brian at minton dot name
https://brian.minton.name
Live long, and prosper longer!
OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20 2206 0424 DC19 B678 A1A9
From brian at minton.name Thu Feb 21 22:55:50 2019
From: brian at minton.name (Brian Minton)
Date: Thu, 21 Feb 2019 16:55:50 -0500
Subject: NIST 800-57 compatible unattended encryption?
In-Reply-To: <20190221213551.olhcmmfkiyfxejmj@raf.org>
References: <20190102050203.7psom2s5hqvphxgp@raf.org> <20190102094747.e5lhhj4rndllufos@aurora.local.incenp.org> <5504353a-3347-502c-590f-31daf9bd0d7f@metacode.biz> <20190108031541.6f4ziukdpccmcejg@raf.org> <20190221184118.GB8995@brian.minton.name> <20190221213551.olhcmmfkiyfxejmj@raf.org>
Message-ID: <20190221215550.GD8995@brian.minton.name>

On Fri, Feb 22, 2019 at 08:35:51AM +1100, gnupg at raf.org wrote:
>
> All of it. If you look at Part 1, Section 5, pp 29-31,
> you'll see the complete list of the different types of
> cryptographic key that are considered to be part of the
> standard and hence approved:

Based on my quick skimming of the document, this is what openpgp uses
asymmetric crypto for:

> 10 Private key-transport key
> 11 Public key-transport key

From that document, the definition of key-transport key is as follows:

10. Private key-transport key: Private key-transport keys are the
private keys of asymmetric (public) key pairs that are used to decrypt
keys that have been encrypted with the corresponding public key using a
public-key algorithm. Key-transport keys are usually used to establish
keys (e.g., key-wrapping keys, data-encryption keys or MAC keys) and,
optionally, other keying material (e.g., Initialization Vectors).

That usage (data-encryption keys) is exactly what gnupg uses to encrypt
a file. You can go through the document and see the rest of the
policies, whether or not they apply to gnupg as implemented, but at
first glance, that is the case.

--
Brian Minton
brian at minton dot name
https://brian.minton.name
Live long, and prosper longer!
OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20 2206 0424 DC19 B678 A1A9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 390 bytes
Desc: not available
URL:

From swedebugia at riseup.net Fri Feb 22 11:36:02 2019
From: swedebugia at riseup.net (swedebugia)
Date: Fri, 22 Feb 2019 11:36:02 +0100
Subject: Help with SSH and GPG subkey for authentication
Message-ID: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>

Hi

I'm quite a beginner to gnupg.

I would like to have a master key used for both encrypting documents
and mail and a subkey of that used for SSH.

Following this
https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html

I first set up the keys:

sec  ed25519/CFCD435B280B6CD2
     created: 2019-02-22  expires: 2021-02-21  usage: SC
     trust: ultimate      validity: ultimate
ssb  cv25519/4FD4A5C38C7715BB
     created: 2019-02-22  expires: 2021-02-21  usage: E
ssb  ed25519/B84BE844E27BFE21
     created: 2019-02-22  expires: 2021-02-21  usage: A
[ultimate] (1). swedebugia

(followed these two guides:
https://www.gniibe.org/memo/software/gpg/keygen-25519.html and
https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/)

I get this after restarting my gpg-agent:

$ gpg-agent --server
OK Pleased to meet you

and in another terminal:

$ ssh-add -l
The agent has no identities.

My environment is this:

$ env|grep SSH
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
SSH_AGENT_PID=538
$ gpgconf --list-dirs agent-ssh-socket
/run/user/1000/gnupg/S.gpg-agent.ssh

My configs are attached.

Thanks in advance!

Cheers

swedebugia
-------------- next part --------------
enable-ssh-support
-------------- next part --------------
7338C1836152D95BBCEFF33F45C49516CC810826

From aajaxx at gmail.com Fri Feb 22 19:23:15 2019
From: aajaxx at gmail.com (Ajax)
Date: Fri, 22 Feb 2019 18:23:15 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To:
References: <87d0nox5yu.fsf@wheatstone.g10code.de>
Message-ID:

On Mon, Feb 18, 2019 at 9:54 PM Ajax wrote:

>
>
> On Mon, Feb 18, 2019 at 8:10 PM Ajax wrote:
>
>>
>>
>> On Mon, Feb 18, 2019 at 7:20 PM Werner Koch wrote:
>>
>>> On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:
>>>
>>> > GnuPG version in swdb.lst is less than this version!
>>> > This version: 2.2.13
>>> > SWDB version: 2.2.12
>>>
>>> Something went wrong uploading the version file. I just repeated it and
>>> it works now (try: "build-aux/getswdb.sh"
>>>
>>
>> Any hints where I might find build-aux on debian stretch?
>>
>
> Thank you for your quick and succinct response and please excuse me for my
> last silly response.
> The speedo build worked fine after using "build-aux/getswdb.sh".
>
> After the speedo build make install gives:
>
> make: *** No rule to make target 'install'. Stop.
>
> What am I missing now?
>

Missing was INSTALL_PREFIX=/usr/local
Thanks, all is well now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From johndoe65534 at mail.com Sat Feb 23 08:06:20 2019
From: johndoe65534 at mail.com (john doe)
Date: Sat, 23 Feb 2019 08:06:20 +0100
Subject: user id question
Message-ID:

Hi,

I'm in the process of creating a gpg key, I have one question though:

Sometimes I use the name x and sometimes I use a shorter form of that name
but the e-mail address is the same.

EG:

first-name last-name
short-name

Is it acceptable to have multiple 'user ID's with the same address e-mail?

--
John Doe

From chrisbcoutinho at gmail.com Sat Feb 23 12:43:10 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Sat, 23 Feb 2019 12:43:10 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
Message-ID: <20190223114310.zd24325lwkd4lafx@tumbleweed>

On Feb-22-19, swedebugia wrote:
>Hi
>
>I'm quite a beginner to gnupg.
>
>I would like to have a master key used for both encrypting documents
>and mail and a subkey of that used for SSH.
>
>Following this
>https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
>
>I first set up the keys:
>
>sec  ed25519/CFCD435B280B6CD2
>     created: 2019-02-22  expires: 2021-02-21  usage: SC
>     trust: ultimate      validity: ultimate
>ssb  cv25519/4FD4A5C38C7715BB
>     created: 2019-02-22  expires: 2021-02-21  usage: E
>ssb  ed25519/B84BE844E27BFE21
>     created: 2019-02-22  expires: 2021-02-21  usage: A
>[ultimate] (1). swedebugia
>
>(followed these two guides:
>https://www.gniibe.org/memo/software/gpg/keygen-25519.html and
>https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/)
>
>I get this after restarting my gpg-agent:
>
>$ gpg-agent --server
>OK Pleased to meet you
>
>and in another terminal:
>
>$ ssh-add -l
>The agent has no identities.
>
>My environment is this:
>
>$ env|grep SSH
>SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
>SSH_AGENT_PID=538
>$ gpgconf --list-dirs agent-ssh-socket
>/run/user/1000/gnupg/S.gpg-agent.ssh
>
>My configs are attached.
>
>Thanks in advance!
>
>Cheers
>
>swedebugia
>
>enable-ssh-support
>7338C1836152D95BBCEFF33F45C49516CC810826
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

What is the key that you include in the .gnupg/sshcontrol file? On my
system, it's the authentication subkey's 'keygrip'. I'm not exactly sure
what the difference is between that and a fingerprint, but you can
determine what it is using:

$ gpg --list-secret-keys --with-keygrip

Then make sure the keygrip in 'sshcontrol' matches the keygrip of your
authentication subkey.

Cheers,
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:

From peter at digitalbrains.com Sat Feb 23 14:10:49 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 23 Feb 2019 14:10:49 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <20190223114310.zd24325lwkd4lafx@tumbleweed>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net> <20190223114310.zd24325lwkd4lafx@tumbleweed>
Message-ID:

On 23/02/2019 12:43, Chris Coutinho wrote:
> I'm not exactly sure what the difference is between that and a fingerprint

A key's fingerprint is something specific to OpenPGP. It includes
OpenPGP-specific information and formats. As such, it is undefined for
an OpenSSH key or a CMS (X.509) key; it simply doesn't exist.

A keygrip is a short representation of an asymmetric keypair's actual
public key material. For example, it is the same for an RSA key whether
that key is used for an OpenPGP key, an OpenSSH key or a CMS key.
gpg-agent works with keygrips because it provides services to all of
OpenPGP, SSH and CMS. And it allows you to use the same material in
multiple formats that way, such as with the Authentication subkey.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:

From swedebugia at riseup.net Sat Feb 23 09:14:10 2019
From: swedebugia at riseup.net (swedebugia)
Date: Sat, 23 Feb 2019 09:14:10 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <20190223114310.zd24325lwkd4lafx@tumbleweed>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net> <20190223114310.zd24325lwkd4lafx@tumbleweed>
Message-ID:

On 2019-02-23 12:43, Chris Coutinho wrote:
> On Feb-22-19, swedebugia wrote:

snip

>> >
>> enable-ssh-support
>
>> 7338C1836152D95BBCEFF33F45C49516CC810826
>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
> What is the key that you include in the .gnupg/sshcontrol file? On my
> system, it's the authentication subkey's 'keygrip'. I'm not exactly sure
> what the difference is between that and a fingerprint, but you can
> determine what it is using:
>
> $ gpg --list-secret-keys --with-keygrip
>
> Then make sure the keygrip in 'sshcontrol' matches the keygrip of your
> authentication subkey.
>
> Cheers,
> Chris

I think I did it correctly.

Here is the output of the grip:

$ gpg2 --with-keygrip -k swedebugia
pub   ed25519 2019-02-22 [SC] [expires: 2021-02-21]
      7A2163653A22E7F610FA6B55CFCD435B280B6CD2
      Keygrip = E1A8AB878329A205F4F3A5BD899EAD95996DD344
uid           [ultimate] swedebugia
sub   cv25519 2019-02-22 [E] [expires: 2021-02-21]
      Keygrip = B0CA7175D7173FC906264F1A55DDE766A572ECFB
sub   ed25519 2019-02-22 [A] [expires: 2021-02-21]
      Keygrip = 7338C1836152D95BBCEFF33F45C49516CC810826

My problem is that neither gpg-agent nor ssh-add gives me debug output
so I can pinpoint the error.

I resorted to creating a separate ssh-key with ssh-keygen instead as it
seems to be a hassle to keep it in gpg and use it from there.

--
Cheers
Swedebugia
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL:

From chrisbcoutinho at gmail.com Sat Feb 23 14:42:00 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Sat, 23 Feb 2019 14:42:00 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To:
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net> <20190223114310.zd24325lwkd4lafx@tumbleweed>
Message-ID: <20190223134200.6fnth23ydciw6eo5@tumbleweed>

On Feb-23-19, Peter Lebbing wrote:
>On 23/02/2019 12:43, Chris Coutinho wrote:
>> I'm not exactly sure what the difference is between that and a fingerprint
>
>A key's fingerprint is something specific to OpenPGP. It includes
>OpenPGP-specific information and formats. As such, it is undefined for
>an OpenSSH key or a CMS (X.509) key; it simply doesn't exist.
>
>A keygrip is a short representation of an asymmetric keypair's actual
>public key material. For example, it is the same for an RSA key whether
>that key is used for an OpenPGP key, an OpenSSH key or a CMS key.
>gpg-agent works with keygrips because it provides services to all of
>OpenPGP, SSH and CMS. And it allows you to use the same material in
>multiple formats that way, such as with the Authentication subkey.
>
>HTH,
>
>Peter.
>
>--
>I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>You can send me encrypted mail if you want some privacy.
>My key is available at
>

Thanks for the succinct explanation Peter.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:

From rjh at sixdemonbag.org Sat Feb 23 14:55:02 2019
From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Sat, 23 Feb 2019 08:55:02 -0500 Subject: user id question In-Reply-To: References: Message-ID: <70daef56-bd2d-a64e-73a8-12f6a71eb922@sixdemonbag.org> > Is it acceptable to have multiple 'user ID's with the same address e-mail? There's nothing forbidding it. Whether it's a good idea depends on your own particular use case. I'd recommend thinking long and hard before doing this, as it's possible you'll confuse some badly-written workflows somewhere. But if after thinking long and hard you decide to go for it, knock yourself out: it's allowed. :) From 2017-r3sgs86x8e-lists-groups at riseup.net Sat Feb 23 16:34:57 2019 From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA) Date: Sat, 23 Feb 2019 15:34:57 +0000 Subject: user id question In-Reply-To: References: Message-ID: <997697746.20190223153457@my_localhost_LG> Hi On Saturday 23 February 2019 at 7:06:20 AM, in , john doe wrote:- > Is it acceptable to have multiple 'user ID's with the > same address e-mail? Yes. It might be simpler to have a single UID containing only the email address and with neither form of your name.
-- Best regards MFPA The truth is rarely pure and never simple From roshii at riseup.net Sat Feb 23 15:49:03 2019 From: roshii at riseup.net (roshii) Date: Sat, 23 Feb 2019 15:49:03 +0100 Subject: Serialize a message and parse its ECDSA signature Message-ID: <28446efb-73ae-f13f-bebe-ddbd267bd4bf@riseup.net> Hi, I am playing around with GPG which I'd like to use to sign message and use the resulting signature binary in another piece of code. So far I have created a simple PGP packet parser in JuliaLang with which I think I can successfully extract the elliptic curve point representing the public key as follows. See GitLab for source code.

```
$ gpg --output pubkey.bin --export 8FAB2B40D753C0F6
```

```
julia> packets = bin2packet("pubkey.bin")
3-element Array{PGPPacket,1}:
 Public-Key Packet
 Length : 79, Partial : false
PublicKey(0x04, 1550079457, scep256k1 Point(?,?):
f05314566c9bfc8d8cf463a7a01e7735245d588a60dd874f09a9636620abb314,
6bda245d43cbbe019ab1ad74316d675dd858cdd776820969bcc21bbccbd3a661)
```

I am then generating a message within Julia, an integer, which needs to
be signed and which I just save to file made of 32 bytes representing
the 256 bits number in big-endian. But I wonder if this should be
serialized in some way? Should there be a package header indicating to
GPG what it is signing for, what length it has or anything else? Should
I maybe follow X.690 for integer encoding?

Next, comes signature parsing which I haven't been able to interpret so
far, finding no hints in RFC4880 or 5480. Nevertheless, I assume the
last 68 bytes must be signature representation with two integers,
preceded by some bytes which look to be 00ff in the below message. How
should EC signature be parsed exactly? Where would this be documented?

Last but not least, is the signature hashed? And if yes, is there a way
to get it unhashed?

```
julia> z = 99621552382283238930643867389539606415724582999531180113553721867524305282175;
julia> f = open("z.bin","w");
julia> write(f,int2bytes(z))
32
```

```
$ gpg -b -u D753C0F6 z.bin
```

```
julia> packet = bin2packet("z.bin.sig")
1-element Array{PGPPacket,1}:
 Signature Packet
 Length : 117, Partial : false
 Version : 4
 Type : SHA256
SignatureSubPacket[
    Issuer Fingerprint
    041f6132045b4b6c393c48846e8fab2b40d753c0f6,
    Signature Creation Time
    5c70346a]
SignatureSubPacket[
    Issuer
    8fab2b40d753c0f6]
 Hash left : 3462
 scep256k1 signature(?, ?):
"00ff6ae576da68ddbd1a2aff20d450186fdd1a13bbbddc1b9837a19080364f3cd83700ff4727b504b86d667b048147c939b4eafae21203e1235ae6e68aa71477292ea173"
```

All my attempts to verify signature of message provided pub key have so
far failed and so there is clearly something I do not get.

I am looking forward to receiving any tips :)

Thanks upfront
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From johndoe65534 at mail.com Sun Feb 24 10:09:52 2019
From: johndoe65534 at mail.com (john doe)
Date: Sun, 24 Feb 2019 10:09:52 +0100
Subject: user id question
In-Reply-To: <997697746.20190223153457@my_localhost_LG>
References: <997697746.20190223153457@my_localhost_LG>
Message-ID: <1b3e599f-22f1-dd18-3349-949c2afb5ff0@mail.com>

On 2/23/2019 4:34 PM, MFPA wrote:
> Hi
>
>
> On Saturday 23 February 2019 at 7:06:20 AM, in
> , john doe wrote:-
>
>
>> Is it acceptable to have multiple 'user ID's with the
>> same address e-mail?
>
> Yes. It might be simpler to have a single UID containing only the
> email address and with neither form of your name.
>
>

Thank you everyone for your answers.

What I understand is that there is no clear convention.

Let's say that my first name is 'abcdefgh' and my short name is 'abcd',
based on this thread I'll use something like:

abcdefgh abcd LAST-NAME

Should I put the short name between '()' or quotes or is the above
example the best way forward?

Thanks again for the help/input.

--
John Doe

From farhan at farhan.codes Sun Feb 24 20:34:02 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Sun, 24 Feb 2019 19:34:02 +0000
Subject: Why Signing key part of Master key
Message-ID: <022355adc2488d5b86c07fc52bf78001@farhan.codes>

Hi all,

I am still working on setting up the "perfect" setup. When I created the
master, it was [SC]. I question, why is the signing key part of the
master key? Why not have it be a subkey?
Almost everywhere I looked, the two were a single key except this site
(http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my
own tests the signing functionality worked the same when the signing key
was a subkey versus a part of the master.

Are there any advantages or disadvantages either way?

Thank you,
---
Farhan Khan

From mgorny at gentoo.org Sun Feb 24 20:51:14 2019
From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=)
Date: Sun, 24 Feb 2019 20:51:14 +0100
Subject: Why Signing key part of Master key
In-Reply-To: <022355adc2488d5b86c07fc52bf78001@farhan.codes>
References: <022355adc2488d5b86c07fc52bf78001@farhan.codes>
Message-ID: <1551037874.21411.6.camel@gentoo.org>

On Sun, 2019-02-24 at 19:34 +0000, Farhan Khan via Gnupg-users wrote:
> Hi all,
>
> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
> question, why is the signing key part of the master key? Why not have it be a subkey? Almost
> everywhere I looked, the two were a single key except this site
> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
> functionality worked the same when the signing key was a subkey versus a part of the master.
>
> Are there any advantages or disadvantages either way?
>

Gentoo policy [1] requires split signing subkey. The main advantage is
that you can then store primary key offline, and not have it exposed
the same way subkeys are.

[1]:https://www.gentoo.org/glep/glep-0063.html

--
Best regards,
Michał Górny
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: This is a digitally signed message part URL: From farhan at farhan.codes Sun Feb 24 20:53:53 2019 From: farhan at farhan.codes (Farhan Khan) Date: Sun, 24 Feb 2019 19:53:53 +0000 Subject: Why Signing key part of Master key In-Reply-To: References: <022355adc2488d5b86c07fc52bf78001@farhan.codes> Message-ID: <379c8fa8d0409e387c49c5cbe9c0a400@farhan.codes> February 24, 2019 2:39 PM, "Kristian Fiskerstrand" wrote: > On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote: > >> Hi all, >> >> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I >> question, why is the signing key part of the master key? Why not have it be a subkey? Almost >> everywhere I looked, the two were a single key except this site >> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing >> functionality worked the same when they the signing key was a subkey versus a part of the master. >> >> Are there any advantages of disadvantages either way? >> >> Thank you, > > its mostly a sensible default as people tend to keep key material on > disk on online computers to begin with.. the benefits of a separate > primary normally comes out in scenarios with stronger security > requirement, at which point the manual interaction required to set it > up isn't the biggest hurdle anyways, but actually keeping up with > operational security is. 
> > (note, its not the SC capable primary that is the issue to begin with, > but actually keeping it isolated, the primary will always be able to > become signing-capable anyways by updating the flags on its self-signature) > > -- > ---------------------------- > Kristian Fiskerstrand > Blog: https://blog.sumptuouscapital.com > Twitter: @krifisk > ---------------------------- > Public OpenPGP keyblock at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > ---------------------------- > Corruptissima re publica plurim? leges > The greater the degeneration of the republic, the more of its laws I was under the impression that best practice was to keep the master key offline in cold storage. If so, wouldn't that make having the signing key impossible to use? And if so, is it possible to remove the Signing functionality from my Certificate key that I already generated? --- Farhan Khan From kristian.fiskerstrand at sumptuouscapital.com Sun Feb 24 20:39:39 2019 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Sun, 24 Feb 2019 20:39:39 +0100 Subject: Why Signing key part of Master key In-Reply-To: <022355adc2488d5b86c07fc52bf78001@farhan.codes> References: <022355adc2488d5b86c07fc52bf78001@farhan.codes> Message-ID: On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote: > Hi all, > > I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I > question, why is the signing key part of the master key? Why not have it be a subkey? Almost > everywhere I looked, the two were a single key except this site > (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing > functionality worked the same when they the signing key was a subkey versus a part of the master. > > Are there any advantages of disadvantages either way? 
> > Thank you, its mostly a sensible default as people tend to keep key material on disk on online computers to begin with.. the benefits of a separate primary normally comes out in scenarios with stronger security requirement, at which point the manual interaction required to set it up isn't the biggest hurdle anyways, but actually keeping up with operational security is. (note, its not the SC capable primary that is the issue to begin with, but actually keeping it isolated, the primary will always be able to become signing-capable anyways by updating the flags on its self-signature) -- ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk ---------------------------- Public OpenPGP keyblock at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 ---------------------------- Corruptissima re publica plurim? leges The greater the degeneration of the republic, the more of its laws -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From oliver at schinagl.nl Mon Feb 25 07:54:33 2019 From: oliver at schinagl.nl (Olliver Schinagl) Date: Mon, 25 Feb 2019 07:54:33 +0100 Subject: gpg vs gpgv and trustedkeys Message-ID: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl> While working on a little project, I found that there seems to be some discrepancy on how gpg and gpgv are to be used. What I am trying to accomplish, is to generate an OS image, which contains a public gpg key. The public is added using gpg --import and kets added to the newly created pubkey.gpg. However, the OS image has no need for the full blown gpg and happily uses gpgv. However gpgv fails with the (now) well known error that it cannot find the trustedkeys.gpg/kbx keyring/box. 
The internet has some suggestions that it is needed for gpg to generate a special keyring and import the keys into there. However the options (no-default-keyring and/or --keyring) are not existant with the gpg tools (on alpine and debian) (anymore, I believe gpg1 did have them in the past?). While gpgv still has the options, I don't think the intention was to always having to supply a custom keyring to gpgv. And so it appears that the default used keyring between the generator and the validator are miss-matching. Is this intended? If so, why? And what would be the reason for having the two separate keyrings anyway. For now, I have simply added a hack in that the two files are symlinked, this atleast makes gpgv to work as a user would intend. I suppose the alternative would be to rename the key after installation, but if that was the intention, I don't seem to see why the option to use a different keyring was removed from gpg to begin with. Both my Alpine based gpg and gpgv are the same version, gpg (GnuPG) 2.1.18 P.S. Please keep me CC-ed as I am not subsribed. From michaelholly at discover.com Mon Feb 25 15:13:32 2019 From: michaelholly at discover.com (Michael Holly) Date: Mon, 25 Feb 2019 14:13:32 +0000 Subject: Ok this is a stupid questions Message-ID: So I completely preface this question is not a valid use case for gpg. I know, I get it. I have a potential issue that I'm trying to diagnose. I'm trying to understand how gpg will react to the input file size changing during the encrypt or decrypt step. Right now it appears that the gpg process goes a bit crazy and the 200 MB file I am decrypting becomes 1.2 TB or greater. Here is the order of the events 1. File lands on my system. 2. PGP decrypt is invoked on the file. 3. Since the file is not truly done being sent to me, the file grows in size. 4. GPG seems to expand the decrypted file many times over. 
What I suspect is that instead of erroring out, GPG starts the decrypt process over and appends the new output to the previous cycle.. I have not tested this, but will soon. I just wanted to see if anyone else has seen this happen. Thanks Michael -------------- next part -------------- An HTML attachment was scrubbed... URL: From justina at colmena.biz Mon Feb 25 20:27:18 2019 From: justina at colmena.biz (justina colmena) Date: Mon, 25 Feb 2019 10:27:18 -0900 Subject: Ok this is a stupid questions In-Reply-To: References: Message-ID: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> On February 25, 2019 5:13:32 AM AKST, Michael Holly wrote: > So I completely preface this question is not a valid use case for gpg. > I know, I get it. > > I have a potential issue that I'm trying to diagnose. I'm trying to > understand how gpg will react to the input file size changing during > the encrypt or decrypt step. > > Right now it appears that the gpg process goes a bit crazy and the 200 > MB file I am decrypting becomes 1.2 TB or greater. > > Here is the order of the events > > > 1. File lands on my system. > > 2. PGP decrypt is invoked on the file. > > 3. Since the file is not truly done being sent to me, the file > grows in size. > > 4. GPG seems to expand the decrypted file many times over. > > What I suspect is that instead of erroring out, GPG starts the decrypt > process over and appends the new output to the previous cycle.. I > have not tested this, but will soon. > > I just wanted to see if anyone else has seen this happen. > > Thanks > > Michael News media questions? Many times it is the case that large files are compresssed before being encrypted, and there are certain information-theoretical reasons to do so. 
Aside from efficiency and possibly a slightly better security, it is absolutely impossible to compress files after they are encrypted because the repetitive or redundant patterns, on which the compression is based, are precisely what is obfuscated and concealed by the encryption. In any case, if the file was compressed before encryption, then it will have to be expanded back to its original size after decryption. Then there is the base64 ASCII armor, which causes a ciphertext expansion to the tune of some 35% by using only 6 of the 8 bits of each byte plus extra formatting for new lines and such. So how did the Firstlook Media reporters from The Intercept come to give up their GPG keys and go so mainstream corporate? They never got along all that well with the military, and they're not even remotely "alternative" anymore if they ever were. It's all establishment Democrat party line mainstream media, and "Don't you dare try to get smart and buck the labor union!" Holed up in Brazil somewhere pushing that atrocious "7me" spyware app on my Android phone as if that gay male reporter is suddenly a good Christian sitting on the church pew keeping the Sabbath so obediently on the Seventh Day and circumcising his kids under the law of Moses. That's why I have to call foul play on proprietary operating systems. Encryption is theoretical only: in practice useless, moot, crippled, broken, and terminally back-doored with all the malware, adware, spyware, worms, viruses, trojans, keyloggers, and screenscrapers inherent to such systems as Google Android, Microsoft Windows, and Apple OS. The Democrats will stop at nothing to keep it that way at all costs, and the Republicans just don't care. -- Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido. https://www.colmena.biz/~justina/ -------------- next part -------------- An HTML attachment was scrubbed... 
URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 683 bytes Desc: not available URL: From vedaal at nym.hush.com Mon Feb 25 22:02:50 2019 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Mon, 25 Feb 2019 16:02:50 -0500 Subject: Ok this is a stupid questions In-Reply-To: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> References: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> Message-ID: <20190225210252.775A8C017A@smtp.hushmail.com> On 2/25/2019 at 2:29 PM, "justina colmena via Gnupg-users" wrote: That's why I have to call foul play on proprietary operating systems. Encryption is theoretical only: in practice useless, moot, crippled, broken, and terminally back-doored with all the malware, adware, spyware, worms, viruses, trojans, keyloggers, and screenscrapers inherent to such systems as Google Android, Microsoft Windows, and Apple OS. The Democrats will stop at nothing to keep it that way at all costs, and the Republicans just don't care. ===== Maybe *proprietary* encryption is theoretical only.What problems do you have with GnuPG as a FOSS program ? Ordinarily, I'm on the cautious, [maybe even borderline paranoid ;-) ] side of things, and I don't just trust things lightly. But I *DO* trust GnuPG, WK, and the host of other people who have put the time and effort into GnuPG, releasing the source code routinely so that it can be compiled by the end user on FOSS platforms (Linux, Ubuntu. etc.) You sound capable enough to review source-code, and use a Linux variant. Why do you think GnuPG is useless if you check the source-code, run it on hardware you trust, and a Linux variant you trust, with a Chromium/Iron browser, and avoid anything google or microsoft or apple or any non-FOSS product? If I misunderstand you, and your beef is not with GnuPG, only with Google, Android, MS, apple etc.then I apologize. 
That said, can i ask you to trim your posts from the political rants, much as they may be deserved. There are other forums ideally suited to that.

Thanks.

vedaal

From marcel.waldvogel at uni-konstanz.de Mon Feb 25 18:01:22 2019
From: marcel.waldvogel at uni-konstanz.de (Marcel Waldvogel)
Date: Mon, 25 Feb 2019 18:01:22 +0100
Subject: git.gnupg.org: Certificate expired
Message-ID:

Hi,

this is probably not the right place to post, but I did not find anything more appropriate:

The certificate for git.gnupg.org expired yesterday. Could someone with the appropriate privileges please fix this?

Thanks,
-Marcel

From andrei at bislog.se Mon Feb 25 19:53:17 2019
From: andrei at bislog.se (Andrei Fokau)
Date: Mon, 25 Feb 2019 19:53:17 +0100
Subject: Weird locale at passphrase step
Message-ID:

Hello,

I have just installed GnuPG on macOS Mojave using Homebrew. When I try to generate a new key I can go through almost all steps seeing messages and dialogs in English, but when it asks my passphrase, I see:

[image: image.png]

My GnuPG version and locale:

$ gpg --version
gpg (GnuPG) 2.2.13
libgcrypt 1.8.4
$ echo $LANGUAGE
en_US.UTF-8
$ locale
LANG="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL="en_US.UTF-8"

How do I fix this?

Thanks,
Andrei

From angel at pgp.16bits.net Mon Feb 25 23:32:06 2019
From: angel at pgp.16bits.net (Ángel)
Date: Mon, 25 Feb 2019 23:32:06 +0100
Subject: Ok this is a stupid questions
In-Reply-To:
References:
Message-ID: <1551133926.1070.10.camel@16bits.net>

On 2019-02-25 at 14:13 +0000, Michael Holly wrote:
> What I suspect is that instead of erroring out, GPG starts the decrypt
> process over and appends the new output to the previous cycle.. I
> have not tested this, but will soon.
>
> I just wanted to see if anyone else has seen this happen.
>

Not that it couldn't happen, but I find strange gpg would do that. Erroring out would make more sense.

Note that GnuPG can work in filter mode, so you can do

  cat incomplete_file | gpg -d > output_file (*)

in which case it really can't start over. I don't think it would process things differently, but worth trying.

How are you invoking gpg? Which version are you running?

(*) Yes, this is a useless use of cat? In fact, it's quite likely cat will be faster than whatever is transferring the file, piping eg. wget -O - would make more sense.

(**) Remember that even though you are getting an incomplete output, unless the gpg terminates with no error after verifying the data, **there's no guarantee about the contents** Don't pipe that output to bash or otherwise treat as trusted data! Wait to the next command for that (after verifying that gpg is ok with what was provided).

Cheers
Ángel

From dkg at fifthhorseman.net Tue Feb 26 00:03:52 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 25 Feb 2019 18:03:52 -0500
Subject: git.gnupg.org: Certificate expired
In-Reply-To:
References:
Message-ID: <87d0nfpj1j.fsf@fifthhorseman.net>

On Mon 2019-02-25 18:01:22 +0100, Marcel Waldvogel wrote:
> this is probably not the right place to post, but I did not find
> anything more appropriate:
>
> The certificate for git.gnupg.org expired yesterday. Could someone with
> the appropriate privileges please fix this?

It's probably a fine place. The last time this happened was on November 24 (3 months ago!) and it was reported on gnupg-devel:

Message-Id:

Perhaps the certificate update mechanism (it appears to be Let's Encrypt) needs to be automated into refreshing the webserver when a new certificate is issued.

Thanks for the report.

--dkg

From dkg at fifthhorseman.net Tue Feb 26 00:47:08 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 25 Feb 2019 18:47:08 -0500
Subject: Weird locale at passphrase step
In-Reply-To:
References:
Message-ID: <875zt7ph1f.fsf@fifthhorseman.net>

On Mon 2019-02-25 19:53:17 +0100, Andrei Fokau wrote:
> I have just installed GnuPG on macOS Mojave using Homebrew. When I try to
> generate a new key I can go through almost all steps seeing messages and
> dialogs in English, but when it asks my passphrase, I see

[ image of cyrillic glyphs and U+FFFD REPLACEMENT CHARACTER symbols ]

It sounds to me like the gpg-agent process that is running on your system has a different locale.

GnuPG asks the agent for a new passphrase, which in turn displays the prompt.

> How do I fix this?

unfortunately, it depends on how your gpg-agent is initialized, which we don't have enough information on here. perhaps it was launched before your locale was set to en_US.UTF-8?

One thing you can try as a workaround is to kill off the gpg-agent and it should get manually restarted on subsequent use:

  gpgconf --kill gpg-agent

maybe someone with more info about how MacOS and Homebrew manage per-user services can weigh in on better workarounds, or suggest a more principled fix for that platform.

--dkg

From dkg at fifthhorseman.net Tue Feb 26 07:45:51 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 26 Feb 2019 01:45:51 -0500
Subject: gpg vs gpgv and trustedkeys
In-Reply-To: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>
References: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>
Message-ID: <87ftsbnj34.fsf@fifthhorseman.net>

On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:
> What I am trying to accomplish, is to generate an OS image, which
> contains a public gpg key. The public is added using gpg --import and
> gets added to the newly created pubkey.gpg.

I think your description here is missing some background: why do you need the public OpenPGP key in your OS image?

If the goal is just to use it with gpgv (e.g. to verify software updates or some other post-build artifact that you'll fetch over the network) then i recommend just explicitly pointing gpgv at the curated keyring using --keyring, and not bothering with public.gpg or anything else.

This is the best approach because it lets you precisely control what is being checked against, and you don't have to worry that other uses of ~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check you're hoping to make strong.

if you want an analogous example, check out the best-practice guidance in https://wiki.debian.org/DebianRepository/UseThirdParty about using isolated keys per repository (with apt's Signed-By: options).

Regards,

--dkg

From dkg at fifthhorseman.net Tue Feb 26 08:35:25 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 26 Feb 2019 02:35:25 -0500
Subject: Why Signing key part of Master key
In-Reply-To: <379c8fa8d0409e387c49c5cbe9c0a400@farhan.codes>
References: <022355adc2488d5b86c07fc52bf78001@farhan.codes> <379c8fa8d0409e387c49c5cbe9c0a400@farhan.codes>
Message-ID: <874l8rngsi.fsf@fifthhorseman.net>

On Sun 2019-02-24 19:53:53 +0000, Farhan Khan via Gnupg-users wrote:
> I was under the impression that best practice was to keep the master
> key offline in cold storage.

"best practice" for some is "unusable complexity" for others :)

If it works for you, it's probably not unreasonable to keep the primary key offline in cold storage. But remember that what that does is to protect the primary key itself -- if you've got subkeys that are capable of acting as you (with the exception of making OpenPGP certifications), those subkeys are not protected by keeping the primary key offline.

> If so, wouldn't that make having the signing key impossible to use?

sure, but there's nothing stopping an "SC-capable" primary key from *also* certifying another S-capable subkey, and using that one, if the primary key is kept offline.

> And if so, is it possible to remove the Signing functionality from my
> Certificate key that I already generated?

the "change-usage" subcommand to "gpg --edit-key" might be what you're looking for. it's documented in more recent versions of the gpg(1) man page.

    change-usage
        Change the usage flags (capabilities) of the primary key or
        of subkeys. These usage flags (e.g. Certify, Sign,
        Authenticate, Encrypt) are set during key creation.
        Sometimes it is useful to have the opportunity to change
        them (for example to add Authenticate) after they have been
        created. Please take care when doing this; the allowed
        usage flags depend on the key algorithm.

Note that if you do this after having sent messages signed by the primary key, it's not clear what the behavior will be for someone who reads those signed messages after fetching your updated OpenPGP certificate. Should the message signature be invalid because the primary key is no longer signing-capable?

Also note that OpenPGP certificates are built and updated by aggregation. So if you change your primary key's usage flags, that'll simply be a new set of self-signatures that makes this change. Anyone who wants to build a composite OpenPGP certificate from your key material by filtering out this change can easily do so, producing a certificate that appears to still be SC-capable. Reasonable OpenPGP clients that see this certificate *and* your updated one will merge them and respect the most recent usage flags. But does everyone you correspond with use a reasonable OpenPGP client and have access to your updated certificate? (exercise left to the reader?)

--dkg

From ciprian.craciun at gmail.com Tue Feb 26 10:02:59 2019
From: ciprian.craciun at gmail.com (Ciprian Dorin Craciun)
Date: Tue, 26 Feb 2019 11:02:59 +0200
Subject: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
Message-ID:

Hello all!

Given the recent survey in password managers security [1], which concluded with their failure to properly sanitize / scrub the sensitive data (i.e. "master key") in "running locked state", I was wondering how does GnuPG Agent fare in this regard?

More specifically:
* let's assume that one uses GnuPG Agent; (only for PGP;)
* the user enters the password for a particular private key;
* (one assumes that the password was used to get the private key cryptographic material, and then scrubbed;)
* then `--max-cache-ttl` seconds passes;
* one assumes that the private key cryptographic material is now scrubbed;

Is this expectation correct?

Is there some external analysis about the security of the agent with regard to the scrubbing of both passwords and cryptographic material?

Thanks,
Ciprian.

[1] https://www.securityevaluators.com/casestudies/password-manager-hacking/

P.S.: My interest in this subject is because I have a "custom" password-manager implemented on-top of GnuPG, which I'm sure leaks passwords all over the place (because it's written in Bash, and uses various X tools, none made for security). However I am curious how "safe" the actual GnuPG agent really is.

From ciprian.craciun at gmail.com Tue Feb 26 12:54:01 2019
From: ciprian.craciun at gmail.com (Ciprian Dorin Craciun)
Date: Tue, 26 Feb 2019 13:54:01 +0200
Subject: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
In-Reply-To:
References:
Message-ID:

On Tue, Feb 26, 2019 at 12:58 PM Sarun Intaralawan wrote:
> I'm not able to answer your main question, but I believe it is as you explained. However, regarding the matter in P.S., I'm glad to inform you that such a tool exists. It is called pass [1] and it is fully integrated with GnuPG and Git. So you can backup your password like a Git repository.

I know about that tool, however it is unfortunately written also in Bash, which as my own implementation has countless ways to (permanently) leak the password.

For example take the following commit:

  https://git.zx2c4.com/password-store/commit/src/password-store.sh?id=367efa5846492e1b0898aad8a2c26ce94163ba24

Which has the following change:

~~~~ - $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" <<<"$password" || die "Password encryption aborted." + echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted." ~~~~

It was committed in 2018, but the tool is from 2015, thus in the interim all the passwords were leaked into `$TMPDIR` and thus on the disk, which in most cases is actually the `rootfs`. Thus without much effort, one can take out the HDD, and just run a file-system recovery tool to recover deleted files, or dump ASCII tokens, and thus get access to the used passwords.

I'm not criticizing the `pass` tool, as I know myself how hard it is to write a tool that doesn't leak data, however any such tool should come with a big warning to its users. Unfortunately on the project page there is no mention of its security weaknesses or any hint to the users about possible data leaks.

Ciprian.

From sarunint at sarunint.com Tue Feb 26 11:58:22 2019
From: sarunint at sarunint.com (Sarun Intaralawan)
Date: Tue, 26 Feb 2019 17:58:22 +0700
Subject: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
In-Reply-To:
References:
Message-ID:

Hi Ciprian,

I'm not able to answer your main question, but I believe it is as you explained. However, regarding the matter in P.S., I'm glad to inform you that such a tool exists. It is called pass [1] and it is fully integrated with GnuPG and Git. So you can backup your password like a Git repository. There's also Android and iOS implementation of pass.

Hope this helps.

Regards,
Sarun

[1]: https://www.passwordstore.org

On Tue, 26 Feb 2019, 17:47 Ciprian Dorin Craciun, wrote:

> Hello all!
>
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
>
> More specifically:
> * let's assume that one uses GnuPG Agent; (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds passes;
> * one assumes that the private key cryptographic material is now scrubbed;
>
> Is this expectation correct?
>
>
> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?
>
> Thanks,
> Ciprian.
>
>
> [1]
> https://www.securityevaluators.com/casestudies/password-manager-hacking/
>
>
>
>
> P.S.: My interest in this subject is because I have a "custom"
> password-manager implemented on-top of GnuPG, which I'm sure leaks
> passwords all over the place (because it's written in Bash, and uses
> various X tools, none made for security). However I am curious how
> "safe" the actual GnuPG agent really is.
>

From michaelholly at discover.com Tue Feb 26 14:10:35 2019
From: michaelholly at discover.com (Michael Holly)
Date: Tue, 26 Feb 2019 13:10:35 +0000
Subject: Ok this is a stupid questions
In-Reply-To:
References:
Message-ID:

Hello

As a follow up to my previous post, let me emphasize the size expansion is not related to the compression that is applied during encryption.
My issue is that I have files that are being transferred to me, and for a cause that I am trying to track down, gpg begins to decrypt before the file has fully arrived. From my perspective it appears to send gpg into a tailspin. The process seems to be able to continue for a week or more and does not seem to complete.

From a design perspective, I expect the usual replies of "if that is not what you want to do then don't do it". Yes I know. What I am looking to do is to be able to understand why it goes into this race condition instead of erroring out.

My ask of the gpg listers, is has anyone ever seen this behavior?

From: Michael Holly
Sent: Monday, February 25, 2019 8:14 AM
To: gnupg-users at gnupg.org
Subject: Ok this is a stupid questions

So I completely preface this question is not a valid use case for gpg. I know, I get it.

I have a potential issue that I'm trying to diagnose. I'm trying to understand how gpg will react to the input file size changing during the encrypt or decrypt step. Right now it appears that the gpg process goes a bit crazy and the 200 MB file I am decrypting becomes 1.2 TB or greater.

Here is the order of the events

1. File lands on my system.
2. PGP decrypt is invoked on the file.
3. Since the file is not truly done being sent to me, the file grows in size.
4. GPG seems to expand the decrypted file many times over.

What I suspect is that instead of erroring out, GPG starts the decrypt process over and appends the new output to the previous cycle.. I have not tested this, but will soon.

I just wanted to see if anyone else has seen this happen.

Thanks

Michael

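An added example, not part of any message in this thread: one way to combine the two points raised in it, namely to start gpg only once the incoming file has stopped growing, and to publish the plaintext only if gpg exits without error. The size-stability check, the `GPG` variable, the default intervals and all file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). GPG, the stability window and the
# ".partial" naming are illustrative assumptions.
GPG=${GPG:-gpg}

# size_of FILE: print the size of FILE in bytes.
size_of() { wc -c < "$1" | tr -d ' '; }

# wait_until_stable FILE [INTERVAL] [TRIES]
# Return 0 once FILE is non-empty and its size did not change across one
# INTERVAL (seconds); return 1 if it is missing, empty, or still changing
# after TRIES checks.
wait_until_stable() {
    file=$1 interval=${2:-5} tries=${3:-12}
    [ -f "$file" ] || return 1
    prev=$(size_of "$file")
    while [ "$tries" -gt 0 ]; do
        sleep "$interval"
        [ -f "$file" ] || return 1
        cur=$(size_of "$file")
        if [ "$cur" -gt 0 ] && [ "$cur" -eq "$prev" ]; then
            return 0
        fi
        prev=$cur
        tries=$((tries - 1))
    done
    return 1
}

# safe_decrypt IN OUT
# Decrypt into a temporary file next to OUT and rename it to OUT only if
# gpg exits 0. On any failure the partial plaintext is removed, so nothing
# downstream can consume data gpg did not accept.
safe_decrypt() {
    in=$1 out=$2
    tmp=$(mktemp "${out}.partial.XXXXXX") || return 1
    # --yes is needed because mktemp has already created the output file.
    if "$GPG" --batch --yes --output "$tmp" --decrypt -- "$in"; then
        mv -f -- "$tmp" "$out"
    else
        status=$?
        rm -f -- "$tmp"
        return "$status"
    fi
}

# receive_and_decrypt IN OUT [INTERVAL] [TRIES]
# Refuse to start gpg while IN is still being written.
receive_and_decrypt() {
    if ! wait_until_stable "$1" "${3:-5}" "${4:-12}"; then
        echo "refusing to decrypt: $1 is missing, empty or still changing" >&2
        return 1
    fi
    safe_decrypt "$1" "$2"
}
```

A stable size is only a heuristic for "transfer finished"; where the sender can be changed, uploading under a temporary name and renaming on completion is the more reliable signal.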
From andrewg at andrewg.com Tue Feb 26 15:03:21 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 26 Feb 2019 14:03:21 +0000
Subject: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
In-Reply-To:
References:
Message-ID: <93c45378-a0b9-dbe6-207f-520d0f7e21d9@andrewg.com>

On 26/02/2019 11:54, Ciprian Dorin Craciun wrote:
> Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

Indeed, but if you use one of the standard web browsers your session tokens are also stored on disk, by default unencrypted, and in many cases these are equivalent to passwords (depending on the website).

Password managers address the issue of a network attacker. They don't directly solve the problem of an attacker who has physical access to your device. An encrypted drive is a better way to prevent an attacker getting access to sensitive material on disk (not only passwords).

So while the problem you identify is bad, it's not fatal.

--
Andrew Gallagher

From sac at 300baud.de Tue Feb 26 16:26:04 2019
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 26 Feb 2019 16:26:04 +0100
Subject: AW: Ok this is a stupid questions
In-Reply-To: <20190225210252.775A8C017A@smtp.hushmail.com>
References: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> <20190225210252.775A8C017A@smtp.hushmail.com>
Message-ID:

From: vedaal via Gnupg-users
Sent: Monday, 25 February 2019 22:09
To: justina colmena; gnupg-users at gnupg.org
Subject: Re: Ok this is a stupid questions

Why do you think GnuPG is useless if you check the source-code, run it on hardware you trust, and a Linux variant you trust, with a Chromium/Iron browser, and avoid anything google or microsoft or apple or any non-FOSS product?

Why do you think FOSS is more secure? Do you think that people always check the source code, with every release of their OS updates or the GnuPG updates? I doubt that.

And how about FOSS developers? Do they regularly check their sites if the code was exchanged and if their keys are already compromised? The detached signatures or hashes of FOSS software are not time stamped.

Is / was FOSS, like GnuPG, ever audited by major and trustworthy institutions, where users could read reports about their findings?

Can you always trust developers, because they have many sigs on their keys but not sign back the signers keys?

I have learned in the past trust nobody. Therefore I would not rely on people from the GnuPG ecosystem and what they say.

Last but not least don't forget rule 41, for example, which allows the FBI to hack computers worldwide. And if they can hack and access computers then others can do so too.

You also never read here best practice tips like use a second computer, not connected to the Internet, and GnuPG in command line mode.

Regards
Stefan

From vedaal at nym.hush.com Tue Feb 26 19:57:01 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 26 Feb 2019 13:57:01 -0500
Subject: AW: Ok this is a stupid questions
In-Reply-To: <20190226152942.7E012A0AD8@smtp2.hushmail.com>
References: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> <20190225210252.775A8C017A@smtp.hushmail.com> <20190226152942.7E012A0AD8@smtp2.hushmail.com>
Message-ID: <20190226185702.9EA37C015E@smtp.hushmail.com>

On 2/26/2019 at 10:29 AM, "Stefan Claas" wrote:

From: vedaal via Gnupg-users
Sent: Monday, 25 February 2019 22:09
To: justina colmena; gnupg-users at gnupg.org
Subject: Re: Ok this is a stupid questions

Why do you think GnuPG is useless if you check the source-code, run it on hardware you trust, and a Linux variant you trust, with a Chromium/Iron browser, and avoid anything google or microsoft or apple or any non-FOSS product?

I have learned in the past trust nobody. Therefore I would not rely on people from the GnuPG ecosystem and what they say.

=====

It depends on how realistic your threat model is.

For someone in a politically repressive regime who is being targeted, yes, trust should be very limited, and clearly earned.

For those whose threat model is criminal hacking by individual opportunists, there is a certain leeway.

When i first started out, I knew people who read every single line of PGP 2.x sourcecode, and even today, refuse to migrate to gnupg because they haven't the time to read all the code. (Although some have considered that if there would be a minimalist version, with a small enough code to read, they would definitely use it.) These people routinely 'airgap' their encrypting functions.

I respect it, but there is literally no end to how paranoid one can be ...

For example, has anyone you know, ever checked how the compilers work? (Reviewed gcc's source code, and the hardware necessary to make it run, to ensure that nothing is 'added/subtracted/altered' when it gets to machine language?
Even more difficult when it is a proprietary compiler.)

GnuPG is offering a FOSS privacy tool. One can scrutinize it, appreciate it, and say thank you, or be paranoid enough to never use it, or some other in-between balance, that's comfortable for the individual's threat model.

The gnupg-users list can help with clearing up technical questions and let the users decide for themselves.

vedaal

From sac at 300baud.de Tue Feb 26 21:28:12 2019
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 26 Feb 2019 21:28:12 +0100
Subject: Ok this is a stupid questions
In-Reply-To: <20190226185702.9EA37C015E@smtp.hushmail.com>
References: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> <20190225210252.775A8C017A@smtp.hushmail.com> <20190226152942.7E012A0AD8@smtp2.hushmail.com> <20190226185702.9EA37C015E@smtp.hushmail.com>
Message-ID: <20190226212812.5559ac4a@iria.my-fqdn.de>

On Tue, 26 Feb 2019 13:57:01 -0500, vedaal at nym.hush.com wrote:

> On 2/26/2019 at 10:29 AM, "Stefan Claas" wrote:

>> I have learned in the past trust nobody. Therefore I would
>> not rely on people from the GnuPG ecosystem and what they say.

> It depends on how realistic your threat model is.

Well, mine is actually very low, otherwise I would only read the list via Tor, for tips and tricks and don't publish keys on key servers, nor use smtp to submit encrypted messages. ;-)

> For example, has anyone you know, ever checked how the
> compilers work? (Reviewed gcc's source code, and the hardware
> necessary to make it run, to ensure that nothing is
> 'added/subtracted/altered' when it gets to machine language? Even
> more difficult when it is a proprietary compiler.)

You bring up an interesting question, imho ...

Let's assume the tool chain is in good condition, but do you / we know if FOSS coders use online computers to code and do we know if their computers are hacked too?
And if so, do coders have always checksums handy (on paper) for comparison or are superior Linux tools available which would detect changes immediately?

And maybe another FOSS point? How about issuing Warrant Canaries? I have seen that VeraCrypt does this.

Regards
Stefan

From andrei at bislog.se Tue Feb 26 19:31:42 2019
From: andrei at bislog.se (Andrei Fokau)
Date: Tue, 26 Feb 2019 19:31:42 +0100
Subject: Weird locale at passphrase step
In-Reply-To: <875zt7ph1f.fsf@fifthhorseman.net>
References: <875zt7ph1f.fsf@fifthhorseman.net>
Message-ID:

That command fixed it! Thanks a lot!

Still curious how it picked up the other locale... I do have Russian layout as one of the input sources but have never set locale to ru and the system was always in English. In some cases the agent shows another dialog that is half-english and half-broken-cyrillic. Very weird.

Thanks,
Andrei

On Tue, Feb 26, 2019 at 12:52 AM Daniel Kahn Gillmor wrote:

> On Mon 2019-02-25 19:53:17 +0100, Andrei Fokau wrote:
>
> > I have just installed GnuPG on macOS Mojave using Homebrew. When I try to
> > generate a new key I can go through almost all steps seeing messages and
> > dialogs in English, but when it asks my passphrase, I see
>
> [ image of cyrillic glyphs and U+FFFD REPLACEMENT CHARACTER symbols ]
>
> It sounds to me like the gpg-agent process that is running on your
> system has a different locale.
>
> GnuPG asks the agent for a new passphrase, which in turn displays the
> prompt.
>
> > How do I fix this?
>
> unfortunately, it depends on how your gpg-agent is initialized, which we
> don't have enough information on here. perhaps it was launched before
> your locale was set to en_US.UTF-8?
>
> One thing you can try as a workaround is to kill off the gpg-agent and
> it should get manually restarted on subsequent use:
>
> gpgconf --kill gpg-agent
>
> maybe someone with more info about how MacOS and Homebrew manage
> per-user services can weigh in on better workarounds, or suggest a more
> principled fix for that platform.
>
> --dkg
>

From kara_da at xiala.net Tue Feb 26 21:37:17 2019
From: kara_da at xiala.net (Daniel)
Date: Tue, 26 Feb 2019 21:37:17 +0100
Subject: Newbie: Installing Build Dependencies to gnupg-2.2.13 update from gnupg 2.0.22 on Ubuntu 14.04 LTS failed
Message-ID: <1141de1a-14fd-4f6b-3786-a531908cc762@xiala.net>

dear members of gnupg-users,

prolog:

hello my name is daniel. if i may introduce myself, i'm not an entirely sophisticated or seasoned unix/linux user and usually dependent on whatever snippets of information i can find in forums and on the web that give me usually a ballpark idea of what i can or cannot do via the command line. i understand that this approach doesn't always make sense or seems a bit farfetched to the more experienced programmer. that said, i recently learned when trying to update my outmoded gnupg 2.0.22 on my Ubuntu 14.04 LTS distro, that i ran into some major issues for which i'm currently looking for advice on how to resolve them and get my update to work. so, if there's anyone who has the patience and the time necessary to give this problem a fair introspection, your help would be greatly appreciated. thanks.

the deal:

trying to install gnupg-2.2.13 on Ubuntu 14.04 LTS, including build dependencies libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3, libksba-1.3.5, npth-1.6, pinentry-1.1.0 & gpg-agent

history/approach:

largely dependent on the information i deployed from a website called https://gist.github.com/vt0r/a2f8c0bcb1400131ff51 i tried and followed the instructions there blindly, save for a few alterations.

1. for instance i wrote (copy/paste) each line of code separately for each building routine, instead of using &&.
2. I also did a detailed log of each command (copy/paste) that I ran on the shell in gedit, for each building block, including error messages that I got in return.
3. instead of https://www.gnupg.org/ftp/gcrypt/ as the mainsource from which to recover the tarball, I used for instance

   $ sudo wget -c ftp://ftp.gnupg.org/gcrypt/pinentry/pinentry-1.1.0.tar.bz2

as the protocol on the website suggest, i first cleaned up the older GNuPG 2.0.22 build, by

   sudo apt-get --purge remove gnupg2

mistakenly, I also removed gnupg-agent at first, because I thought it also took an updated version. however re-installed gnupg-agent at a later point in the process, when my enigmail add-on to thunderbird, seemed to have trouble making the connection.

the next step I created directory /var/src/gnupg22 with mkdir. the contents of var/src/gnupg22 currently look like this:

daniel at daniel-ThinkPad-X240:/var/src/gnupg22$ ls
gnupg-2.2.10.tar.bz2          libgcrypt-1.8.4.tar.gz.sig
gnupg-2.2.10.tar.bz2.sig      libgpg-error-1.32.tar.gz
gnupg-2.2.13                  libgpg-error-1.32.tar.gz.sig
gnupg-2.2.13.tar.bz2          libgpg-error-1.35
gnupg-2.2.13.tar.bz2.sig      libgpg-error-1.35.tar.gz
index.html                    libgpg-error-1.35.tar.gz.sig
libassuan-2.5.1.tar.bz2       libksba-1.3.5
libassuan-2.5.1.tar.bz2.sig   libksba-1.3.5.tar.bz2
libassuan-2.5.3               libksba-1.3.5.tar.bz2.sig
libassuan-2.5.3.tar.bz2       npth-1.6
libassuan-2.5.3.tar.bz2.sig   npth-1.6.tar.bz2
libgcrypt-1.8.3.tar.gz        npth-1.6.tar.bz2.sig
libgcrypt-1.8.3.tar.gz.sig    pinentry-1.1.0
libgcrypt-1.8.4               pinentry-1.1.0.tar.bz2
libgcrypt-1.8.4.tar.gz        pinentry-1.1.0.tar.bz2.sig

I did check and verify each signature of the respective tarball file!

installation procedure:

then I ran in the same order as on the website the complete ./configure cycle, including

$ ./configure --prefix=/usr
$ make
$ make check
$ sudo make install

for the configuration of pinentry for instance, the return i got was:

Pinentry v1.1.0 has been configured as follows:

Revision: 02df3d2 (735)
Platform: x86_64-pc-linux-gnu

Curses Pinentry ..: no
TTY Pinentry .....: yes
Emacs Pinentry ...: no
GTK+-2 Pinentry ..: yes
GNOME 3 Pinentry .: no
Qt Pinentry ......: no
TQt Pinentry .....: no
W32 Pinentry .....: no
FLTK Pinentry ....: no

Fallback to Curses: no
Emacs integration : yes

libsecret ........: no

Default Pinentry .: pinentry-gtk-2

now for instance if i run:

$ aptitude search pinentry-gtk-2

i get no search results in return! same is true for all other build dependencies (libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3, libksba-1.3.5, npth-1.6, pinentry-1.1.0), including gnupg-2.2.13.

one of the main problems of the build, seemed that libraries like libgcrypt-1.8.4 couldn't detect it's build dependencies like libgpg-error-1.35.. so the $ make check of libgcrypt-1.8.4

>>>>>>>>>>returned 27 Test failed!!<<<<<<<<<<<<<<<<<<<<<<<<<<<<

the $ make check of libgpg-error-1.35 returned

PASS: gpg-error-config-test.sh
=============
1 test passed;

and

==================
All 9 tests passed

and after $ sudo make install: the contents of usr/local/lib currently looks like this:

daniel at daniel-ThinkPad-X240:/usr/local/lib$ ls
libgcrypt.la         libgpg-error.la         node_modules  site_ruby
libgcrypt.so         libgpg-error.so         pkgconfig
libgcrypt.so.20      libgpg-error.so.0       python2.7
libgcrypt.so.20.2.4  libgpg-error.so.0.26.1  python3.4

hypothesis:

On a website called: https://dev.gnupg.org/T4068, someone mentioned, that I probably did this mistake:

"You configure your environment for your compiling and installation, but not for running. Thus, old original libgpg-error in system was used, and failed."

My folder/directory libgpg-error-1.35 looks like this and so do all
the other dependencies, including gnupg-2.2.13:

daniel at daniel-ThinkPad-X240:/var/src/gnupg22/libgpg-error-1.35$ ls
ABOUT-NLS       config.h       COPYING.LIB           Makefile       src
aclocal.m4      config.h.in    doc                   Makefile.am    stamp-h1
AUTHORS         config.log     INSTALL               Makefile.in    tests
autogen.rc      config.status  lang                  mkinstalldirs  THANKS
autogen.sh      configure      libgpg-error.spec     NEWS           VERSION
build-aux       configure.ac   libgpg-error.spec.in  po
ChangeLog       contrib        libtool               potomo
ChangeLog-2011  COPYING        m4                    README

furthermore:

>>>>>my usr/bin directory for instance, contains a file called
libgcrypt-config, when I open it in gedit, I get the following header:

# File: src/libgcrypt-config. Generated from libgcrypt-config.in by configure.

# General.
prefix="/usr"
exec_prefix="${prefix}"
version="1.8.4"
includedir="${prefix}/include"
libdir="${exec_prefix}/lib"
gpg_error_libs="-L/usr/local/lib -lgpg-error"
gpg_error_cflags="-I/usr/local/include"

>>>>>>>>>> or usr/bin/libassuan-config for instance returns:

# Configure libgpg-error.
gpg_error_cflags=""
gpg_error_libs="-lgpg-error"

PGM=libassuan-config
lib="-lassuan"
extralibs="$gpg_error_libs"
cflags=" $gpg_error_cflags"
api_version="2"
my_host="x86_64-pc-linux-gnu"
prefix=/usr
exec_prefix=${prefix}
includes=""
libdirs=""
exec_prefix_set=no
echo_libs=no
echo_cflags=no
echo_prefix=no
echo_exec_prefix=no
echo_host=no

-------------------------------------------------
epilog:

on the website https://gist.github.com/vt0r/a2f8c0bcb1400131ff51,
finishing the build via command line goes:

echo "/usr/local/lib" > /etc/ld.so.conf.d/gpg2.conf && ldconfig -v

however, i don't exactly know what that is supposed to do?!! the
return i get is:

bash: /etc/ld.so.conf.d/gpg2.conf: Permission denied

>>>>>>but instead in directory usr/lib for instance i find:

libassuan.la
libassuan.so
libassuan.so.0
libassuan.so.0.8.3
.
.
libgcrypt.la
libgcrypt.so
libgcrypt.so.20
libgcrypt.so.20.2.4
.
.
libksba.la
libksba.so
libksba.so.8
libksba.so.8.11.6

>>>>>>>>>in /usr/local/bin$ i find:
gpg-error-config  libgcrypt-config
gpg-error         gpgrt-config

>>>>>>>>>>and in /usr/local/share$ i find:

libgpg-error

the directories usr/local/sbin; usr/local/etc; and usr/local/src

are empty!

So this is about the gist of my troubleshooting. perhaps if you find
the information helpful that i supplied, it would be great if you
could give me a hint, where and how to fix my build. if you need any
further information on my initial configuration and install process i'd
be happy to comply with more detailed analysis as far as i can supply
the resulting outputs i stored safely of each step. again, your input
would be greatly appreciated.

thank you for your consideration,

kindly yours,

daniel

--
pgp fingerprint: 02EF 1CA4 A4FB 0F12 76CA BC08 B678 C658 9B03 AB5E

From angel at pgp.16bits.net Wed Feb 27 00:14:34 2019
From: angel at pgp.16bits.net (Ángel)
Date: Wed, 27 Feb 2019 00:14:34 +0100
Subject: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
In-Reply-To:
References:
Message-ID: <1551222874.1053.22.camel@16bits.net>

On 2019-02-26 at 11:02 +0200, Ciprian Dorin Craciun wrote:
> Hello all!
>
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
>
> More specifically:
> * let's assume that one uses GnuPG Agent; (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds passes;
> * one assumes that the private key cryptographic material is now scrubbed;
>
> Is this expectation correct?

I would say this is the right expectation.
However note that even with a perfect agent implementation, you might
find eg. that the kernel swapped to disk the page where the password was
read (before providing it to the program, which would hopefully be using
mlock(2) to avoid being swapped itself).

> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?

Intrigued by this I did a quick glance at the relevant code:

The cache purging seems to be done at housekeeping() [1], which simply
calls release_data over the entry to free. In turn, release_data() [2]
is just a xfree() call, which would be converted to gcry_free(), which
is a libgcrypt function that will call _gcry_private_free() [3].

_gcry_private_free() checks[4] whether this allocation was from a secure
pool (ie. allocated with gcry_xmalloc_secure), in which case it will
call _gcry_secmem_free[5], which does attempt to wipe the memory by
overwriting it with 0xff, 0xaa, 0x55 and 0x00 [6] using the macro
wipememory2,[7] which may do so inline (using volatile to avoid compiler
optimization) or end up calling _gcry_fast_wipememory, which would end
up calling the normal memset() through a function pointer.[8]

(I would expect either an attempt to use memset_s if available, similar
to the check for explicit_bzero, or a note that like SecureZeroMemory it
provides no benefit, instead of a plain memset, though)

Best regards

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/cache.c;h=799d595abdb007422090622a959aa03741139c54;hb=HEAD#l198
[2] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/cache.c;h=799d595abdb007422090622a959aa03741139c54;hb=HEAD#l141
[3] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/global.c;h=d82c680a5d2a2981129d0531ff43b337ffebb085;hb=refs/heads/master#l1019
[4] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/stdmem.c;h=04ce64fba14b2fd5d58be5050b80d6a159dffed5;hb=refs/heads/master#l220
[5] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/secmem.c;h=b36c44f6de188ff005ca10800a4ba9fdf5a352d2;hb=refs/heads/master#l787
[6] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/secmem.c;h=b36c44f6de188ff005ca10800a4ba9fdf5a352d2;hb=refs/heads/master#l768
[7] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/g10lib.h;h=694c2d83e2682103d83be03070c737a1bb6a3ae4;hb=refs/heads/master#l337
[8] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/misc.c;h=bb39e1c2fe1c94affe1f024a87621f79e77ba1aa;hb=refs/heads/master#l504

From vedaal at nym.hush.com Wed Feb 27 00:15:29 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 26 Feb 2019 18:15:29 -0500
Subject: Ok this is a stupid questions
In-Reply-To: <20190226212812.5559ac4a@iria.my-fqdn.de>
References: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>
 <20190225210252.775A8C017A@smtp.hushmail.com>
 <20190226152942.7E012A0AD8@smtp2.hushmail.com>
 <20190226185702.9EA37C015E@smtp.hushmail.com>
 <20190226212812.5559ac4a@iria.my-fqdn.de>
Message-ID: <20190226231529.6FEAAC015F@smtp.hushmail.com>

On 2/26/2019 at 3:28 PM, "Stefan Claas" wrote:
And maybe another FOSS point? How about issuing Warrant Canaries?
I have seen that VeraCrypt does this.

=====

Yes.
The latest one is here:
https://www.idrix.fr/VeraCrypt/canary.txt

Interesting, but it still boils down to *trust*.
I would trust WK and the GnuPG team even if they didn't *sign* a Warrant
Canary (i / we all, sort-of trust the verification of the new GnuPG
releases, with his sig),

And if we *don't trust*, then signing a Warrant Canary with the same
signing key as the GnuPG release, wouldn't help ;-)

vedaal

From gnupg at raf.org Wed Feb 27 02:16:54 2019
From: gnupg at raf.org (gnupg at raf.org)
Date: Wed, 27 Feb 2019 12:16:54 +1100
Subject: Question about the security of the GnuPG Agent with regard to cryptographic material scrubbing
In-Reply-To:
References:
Message-ID: <20190227011654.4bwu7dmlkmly2fvg@raf.org>

Ciprian Dorin Craciun wrote:

> On Tue, Feb 26, 2019 at 12:58 PM Sarun Intaralawan
> wrote:
> > I'm not able to answer your main question, but I believe it is as you
> > explained. However, regarding the matter in P.S., I'm glad to inform
> > you that such a tool exists. It is called pass [1] and it is fully
> > integrated with GnuPG and Git. So you can backup your password like
> > a Git repository.
>
> I know about that tool, however it is unfortunately written also in
> Bash, which as my own implementation has countless ways to
> (permanently) leak the password.
>
> For example take the following commit:
> https://git.zx2c4.com/password-store/commit/src/password-store.sh?id=367efa5846492e1b0898aad8a2c26ce94163ba24
>
> Which has the following change:
> ~~~~
> - $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}"
> <<<"$password" || die "Password encryption aborted."
> + echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
> "${GPG_OPTS[@]}" || die "Password encryption aborted."
> ~~~~
>
> It was committed in 2018, but the tool is from 2015, thus in the
> interim all the passwords were leaked into `$TMPDIR` and thus on the
> disk, which in most cases is actually the `rootfs`.
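Review bot: on the `+` line of the quoted change, `echo "$password"` hands the secret to a builtin that interprets its argument, so a password such as `-n` or `-e` is consumed as an option by bash's echo and never reaches $GPG intact, and with the xpg_echo shell option set backslash sequences in the password are expanded. `printf '%s\n' "$password" | $GPG -e ...` keeps the pipe that replaces the here-string and writes the value verbatim.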
> Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

The new version still leaks, just not as badly (permanently). On Linux,
for example, unless system call tracing and arbitrary RAM reading has
been completely disabled, even for root, with
"sysctl kernel.yama.ptrace_scope=3", the password will appear in
ptrace/strace/ltrace output when $GPG reads stdin. Admittedly, there
needs to be an adversary with root privileges (or the user's privileges)
active on the host at the time but it's still a potential leak. And it
might make its way to swap which might not be encrypted.

Even with kernel.yama.ptrace_scope=3, systemtap or dtrace (on hosts that
have it) can probably see the password. It's probably impossible to
completely avoid (transient) leaks without hardware cryptographic
modules. But of course, that's no reason not to do whatever you can to
make it as difficult as possible for an adversary.

> I'm not criticizing the `pass` tool, as I know myself how hard it is
> to write a tool that doesn't leak data, however any such tool should
> come with a big warning to its users.
>
> Unfortunately on the project page there is no mention of its security
> weaknesses or any hint to the users about possible data leaks.
>
> Ciprian.

[The rest is even more off-topic for this list]

To be fair, all software probably has unknown security bugs. Warning
users about the possibility before you know that there's a problem might
seem alarmist. But if a security bug has been identified and fixed,
users should be notified if there's anything that they need to do.
Changelogs at least should highlight security bug fixes.

In that commit, the author said that "Do not put passwords in
herestrings: Bash sometimes writes these into temporary files, which
isn't okay".
If it is only sometimes, maybe bash only uses temporary files for here
strings when they are large. If that's the case, the passwords might
never have been written to disk. So it might be OK.

However, it's not sometimes. It's always:

$ bash -c 'lsof -a -p $$ -d0' <<< Password1
COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF    NODE NAME
lsof    24183  raf  0r   REG  253,1       10 7864877 /tmp/zshz9mNt3 (deleted)

So the commit message wasn't alarmist enough. And there doesn't seem to
be a Changelog file for pass or a news or security notices section on
its website.

Maybe you could submit a bug report for the passwordstore.org website
about its lack of a news or security notices section for notifying users
about security issues.

I suppose the remedy is to cryptographically shred free space if users
didn't already have full disk encryption (and hope they don't have
SSDs). It would be good if pass users were notified of that.

cheers,
raf

From oscar at spindel.tax Wed Feb 27 11:43:26 2019
From: oscar at spindel.tax (Oscar Carlsson)
Date: Wed, 27 Feb 2019 11:43:26 +0100
Subject: Newbie: Installing Build Dependencies to gnupg-2.2.13 update from gnupg 2.0.22 on Ubuntu 14.04 LTS failed
In-Reply-To: <1141de1a-14fd-4f6b-3786-a531908cc762@xiala.net>
References: <1141de1a-14fd-4f6b-3786-a531908cc762@xiala.net>
Message-ID: <7b714f10ef400a5959c47d2dcb760372@spindel.tax>

2019-02-26 21:37, Daniel wrote:
> dear members of gnupg-users,
>
> prolog:
>
> hello my name is daniel. if i may introduce myself, i'm not an
> entirely sophisticated or seasoned unix/linux user and usually
> dependent on whatever snippets of information i can find in forums and
> on the web that give me usually a ballpark idea of what i can or
> cannot do via the command line. i understand that this approach
> doesn't always make sense or seems a bit farfetched to the more
> experienced programmer.
> that said, i recently learned when trying to
> update my outmoded gnupg 2.0.22 on my Ubuntu 14.04 LTS distro, that i
> ran into some major issues for which i'm currently looking for advice
> on how to resolve them and get my update to work. so, if there's
> anyone who has the patience and the time necessary to give this
> problem a fair introspection, your help would be greatly appreciated.
> thanks.
>
> the deal:
>
> trying to install gnupg-2.2.13 on Ubuntu 14.04 LTS, including build
> dependencies libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3,
> libksba-1.3.5, npth-1.6, pinentry-1.1.0 & gpg-agent
>
> history/approach:
>
> largely dependent on the information i deployed from a website called
> https://gist.github.com/vt0r/a2f8c0bcb1400131ff51
>
> i tried and followed the instructions there blindly, save for a few
> alterations. 1. for instance i wrote (copy/paste) each line of code
> separately for each building routine, instead of using &&. 2. I also
> did a detailed log of each command (copy/paste) that I ran on the
> shell in gedit, for each building block, including error messages that
> I got in return. 3. instead of https://www.gnupg.org/ftp/gcrypt/ as
> the main source from which to recover the tarball, I used for instance
> $ sudo wget -c
> ftp://ftp.gnupg.org/gcrypt/pinentry/pinentry-1.1.0.tar.bz2
>
> as the protocol on the website suggests, i first cleaned up the older
> GnuPG 2.0.22 build, by sudo apt-get --purge remove gnupg2
> mistakenly, I also removed gnupg-agent at first, because I thought it
> also took an updated version. however re-installed gnupg-agent at a
> later point in the process, when my enigmail add-on to thunderbird,
> seemed to have trouble making the connection.
>
> the next step I created directory /var/src/gnupg22 with mkdir.
>
> the contents of var/src/gnupg22 currently look like this:
>
> daniel at daniel-ThinkPad-X240:/var/src/gnupg22$ ls
> gnupg-2.2.10.tar.bz2         libgcrypt-1.8.4.tar.gz.sig
> gnupg-2.2.10.tar.bz2.sig     libgpg-error-1.32.tar.gz
> gnupg-2.2.13                 libgpg-error-1.32.tar.gz.sig
> gnupg-2.2.13.tar.bz2         libgpg-error-1.35
> gnupg-2.2.13.tar.bz2.sig     libgpg-error-1.35.tar.gz
> index.html                   libgpg-error-1.35.tar.gz.sig
> libassuan-2.5.1.tar.bz2      libksba-1.3.5
> libassuan-2.5.1.tar.bz2.sig  libksba-1.3.5.tar.bz2
> libassuan-2.5.3              libksba-1.3.5.tar.bz2.sig
> libassuan-2.5.3.tar.bz2      npth-1.6
> libassuan-2.5.3.tar.bz2.sig  npth-1.6.tar.bz2
> libgcrypt-1.8.3.tar.gz       npth-1.6.tar.bz2.sig
> libgcrypt-1.8.3.tar.gz.sig   pinentry-1.1.0
> libgcrypt-1.8.4              pinentry-1.1.0.tar.bz2
> libgcrypt-1.8.4.tar.gz       pinentry-1.1.0.tar.bz2.sig
>
> I did check and verify each signature of the respective tarball file!
>
> installation procedure:
>
> then I ran in the same order as on the website the complete
> ./configure cycle, including
>
> $ ./configure --prefix=/usr
> $ make
> $ make check
> $ sudo make install
>
> for the configuration of pinentry for instance, the return i got was:
>
> Pinentry v1.1.0 has been configured as follows:
>
> Revision: 02df3d2 (735)
> Platform: x86_64-pc-linux-gnu
>
> Curses Pinentry ..: no
> TTY Pinentry .....: yes
> Emacs Pinentry ...: no
> GTK+-2 Pinentry ..: yes
> GNOME 3 Pinentry .: no
> Qt Pinentry ......: no
> TQt Pinentry .....: no
> W32 Pinentry .....: no
> FLTK Pinentry ....: no
>
> Fallback to Curses: no
> Emacs integration : yes
>
> libsecret ........: no
>
> Default Pinentry .: pinentry-gtk-2
>
> now for instance if i run: $ aptitude search pinentry-gtk-2
>
> i get no search results in return! same is true for all other build
> dependencies (libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3,
> libksba-1.3.5, npth-1.6, pinentry-1.1.0), including gnupg-2.2.13.
>
> one of the main problems of the build, seemed that libraries like
> libgcrypt-1.8.4 couldn't detect its build dependencies like
> libgpg-error-1.35.. so the
>
> $ make check of libgcrypt-1.8.4
>>>>>>>>>>> returned 27 Test failed!!<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> the $ make check of libgpg-error-1.35 returned PASS:
> gpg-error-config-test.sh
> =============
> 1 test passed;
>
> and
> ==================
> All 9 tests passed
>
>
> and after $ sudo make install: the contents of usr/local/lib currently
> looks like this:
>
> daniel at daniel-ThinkPad-X240:/usr/local/lib$ ls
> libgcrypt.la         libgpg-error.la         node_modules  site_ruby
> libgcrypt.so         libgpg-error.so         pkgconfig
> libgcrypt.so.20      libgpg-error.so.0       python2.7
> libgcrypt.so.20.2.4  libgpg-error.so.0.26.1  python3.4
>
> hypothesis:
>
> On a website called: https://dev.gnupg.org/T4068, someone mentioned,
> that I probably did this mistake: "You configure your environment for
> your compiling and installation, but not for running. Thus, old
> original libgpg-error in system was used, and failed."
>
> My folder/directory libgpg-error-1.35 looks like this and so do all
> the other dependencies, including gnupg-2.2.13:
>
> daniel at daniel-ThinkPad-X240:/var/src/gnupg22/libgpg-error-1.35$ ls
> ABOUT-NLS       config.h       COPYING.LIB           Makefile       src
> aclocal.m4      config.h.in    doc                   Makefile.am
> stamp-h1
> AUTHORS         config.log     INSTALL               Makefile.in
> tests
> autogen.rc      config.status  lang                  mkinstalldirs
> THANKS
> autogen.sh      configure      libgpg-error.spec     NEWS
> VERSION
> build-aux       configure.ac   libgpg-error.spec.in  po
> ChangeLog       contrib        libtool               potomo
> ChangeLog-2011  COPYING        m4                    README
>
> furthermore:
>
>>>>>> my usr/bin directory for instance, contains a file called
>>>>>> libgcrypt-config, when I open it in gedit, I get the following
>>>>>> header:
>
> # File: src/libgcrypt-config. Generated from libgcrypt-config.in
> by configure.
>
> # General.
> prefix="/usr"
> exec_prefix="${prefix}"
> version="1.8.4"
> includedir="${prefix}/include"
> libdir="${exec_prefix}/lib"
> gpg_error_libs="-L/usr/local/lib -lgpg-error"
> gpg_error_cflags="-I/usr/local/include"
>
>
>>>>>>>>>>> or usr/bin/libassuan-config for instance returns:
>
>
> # Configure libgpg-error.
> gpg_error_cflags=""
> gpg_error_libs="-lgpg-error"
>
> PGM=libassuan-config
> lib="-lassuan"
> extralibs="$gpg_error_libs"
> cflags=" $gpg_error_cflags"
> api_version="2"
> my_host="x86_64-pc-linux-gnu"
> prefix=/usr
> exec_prefix=${prefix}
> includes=""
> libdirs=""
> exec_prefix_set=no
> echo_libs=no
> echo_cflags=no
> echo_prefix=no
> echo_exec_prefix=no
> echo_host=no
>
> -------------------------------------------------
> epilog:
>
> on the website https://gist.github.com/vt0r/a2f8c0bcb1400131ff51,
> finishing the build via command line goes:
>
> echo "/usr/local/lib" > /etc/ld.so.conf.d/gpg2.conf && ldconfig -v
>
> however, i don't exactly know what that is supposed to do?!! the
> return i get is:
>
> bash: /etc/ld.so.conf.d/gpg2.conf: Permission denied
>
>
>>>>>>> but instead in directory usr/lib for instance i find:
>
> libassuan.la
> libassuan.so
> libassuan.so.0
> libassuan.so.0.8.3
> .
> .
> libgcrypt.la
> libgcrypt.so
> libgcrypt.so.20
> libgcrypt.so.20.2.4
> .
> .
> libksba.la
> libksba.so
> libksba.so.8
> libksba.so.8.11.6
>
>>>>>>>>>> in /usr/local/bin$ i find:
> gpg-error-config  libgcrypt-config
> gpg-error         gpgrt-config
>
>>>>>>>>>>> and in /usr/local/share$ i find:
>
> libgpg-error
>
>
> the directories usr/local/sbin; usr/local/etc; and usr/local/src
>
> are empty!
>
> So this is about the gist of my troubleshooting. perhaps if you find
> the information helpful that i supplied, it would be great if you
> could give me a hint, where and how to fix my build.
> if you need any
> further information on my initial configuration and install process i'd
> be happy to comply with more detailed analysis as far as i can supply
> the resulting outputs i stored safely of each step. again, your input
> would be greatly appreciated.
>
> thank you for your consideration,
>
> kindly yours,
>
> daniel

Hi,

Ubuntu 14.04 will reach its end-of-life in 1 month. Please upgrade if
possible. There's little to no point in trying to fix the issues above
when we are running very old software to begin with.

And in future emails, try to be more concise, and/or use pastebin like
services and/or attach logs instead of adding them inline like this.

--
Oscar

From gpirlot at manymore.fr Wed Feb 27 17:19:08 2019
From: gpirlot at manymore.fr (gpirlot at manymore.fr)
Date: Wed, 27 Feb 2019 17:19:08 +0100
Subject: Using gpg in an automated environememt
Message-ID: <143801d4ceb8$2b0c2eb0$81248c10$@manymore.fr>

Hi all,

I've been unsuccessfully trying for a while now to have gpg working in
an automated environment.

I've been following the point 8.20 in the gnupg faq and I get an error
at the gpg -homedir command (see screenshot below)

I'm rather new with gpg in particular and pki in general, and would
greatly appreciate any help that can be sent my way.

Looking forward to hearing from you,

Regards,

Geoffrey.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 65596 bytes
Desc: not available
URL:

From oliver at schinagl.nl Wed Feb 27 21:10:36 2019
From: oliver at schinagl.nl (Olliver Schinagl)
Date: Wed, 27 Feb 2019 21:10:36 +0100
Subject: gpg vs gpgv and trustedkeys
In-Reply-To: <87ftsbnj34.fsf@fifthhorseman.net>
References: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>
 <87ftsbnj34.fsf@fifthhorseman.net>
Message-ID:

Hey Daniel,

On 26-02-2019 07:45, Daniel Kahn Gillmor wrote:
> On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:
>> What I am trying to accomplish, is to generate an OS image, which
>> contains a public gpg key. The public is added using gpg --import and
>> kets added to the newly created pubkey.gpg.
> I think your description here is missing some background: why do you
> need the public OpenPGP key in your OS image?

Well it is an embedded system, so the OS image is for the embedded
system. During development, engineers also login to the system and may
need to use the gpgv tool to check things. Having to point to the exact
file is just common cause of mistakes 'where was that file again' or
'oh forgot'. But sure it is manageable, but.

>
> If the goal is just to use it with gpgv (e.g. to verify software updates
> or some other post-build artifact that you'll fetch over the network)
> then i recommend just explicitly pointing gpgv at the curated keyring
> using --keyring, and not bothering with public.gpg or anything else.

Passing it via the argument is 'ok' wouldn't it be for that fact that
option was removed a while ago from gpg. So we were reluctant to use it
with gpgv as it too, could just disappear.

>
> This is the best approach because it lets you precisely control what is
> being checked against, and you don't have to worry that other uses of
> ~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check
> you're hoping to make strong.
Sure, but sometimes you don't care about the precise control; just that
it works as expected, which was my question was about. So I do thank you
a lot for taking the time to answer. However, now that I have the
solution (which I kinda guessed) it still does not explain the
discrepancy (and especially any text about it).

Simple example; I have my keys in my keychain generated/created via gpg.
Now I want to use gpgv to validate something, with my key, but now i
explicitly have to point it to the pubkey, because the default of gpgv
is trustedkey. So why the differences? Why are these not in sync, what
is the purpose? If the reason is to force the user to use the parameter,
why set a default, why set a default that does not match the generator.

Thanks :)

Olliver

>
> if you want an analogous example, check out the best-practice guidance in
> https://wiki.debian.org/DebianRepository/UseThirdParty about using
> isolated keys per repository (with apt's Signed-By: options).
>
> Regards,
>
> --dkg

From gpg at trodman.com Thu Feb 28 14:40:56 2019
From: gpg at trodman.com (gpg at trodman.com)
Date: Thu, 28 Feb 2019 07:40:56 -0600
Subject: Howto override "encrypt-to KEYHERE" in gpg.conf?
Message-ID: <201902281340.x1SDeuFR024834@epjdn.zq3q.org>

I have imported a new / additional primary key (0x2A5D250B1C9BE7D1) to
my keyring. But my default-key in gpg.conf is not changed:

$ egrep '^(default-key|encrypt-to) ' ~/.gnupg/gpg.conf
default-key 040B8410C3F36C1E
encrypt-to 040B8410C3F36C1E

My goal is to run gpg commands that entirely ignore my default-key and
encrypt-to key in ~/.gnupg/gpg.conf.
Consider:

$ echo hello |gpg2 --encrypt -v --default-key gnupg at baz.com --recipient gnupg at baz.com > /dev/null
gpg: using subkey 0xAC725930854EA1D6 instead of primary key 0x040B8410C3F36C1E
gpg: using pgp trust model
gpg: using subkey 0x6EADCB57CF0962B3 instead of primary key 0x2A5D250B1C9BE7D1
gpg: automatically retrieved 'gnupg at baz.com' via Local
gpg: This key belongs to us
gpg: reading from '[stdin]'
gpg: writing to stdout
gpg: RSA/AES256 encrypted for: "0x6EADCB57CF0962B3 Bob S Lorem "
gpg: RSA/AES256 encrypted for: "0xAC725930854EA1D6 Robert S Lorem "
$
[...]

Now comment out this line: "encrypt-to 040B8410C3F36C1E" in gpg.conf:

$ echo hi |gpg2 --encrypt -v --default-key gnupg at baz.com --recipient gnupg at baz.com > /dev/null
gpg: using pgp trust model
gpg: using subkey 0x6EADCB57CF0962B3 instead of primary key 0x2A5D250B1C9BE7D1
gpg: automatically retrieved 'gnupg at baz.com' via Local
gpg: This key belongs to us
gpg: reading from '[stdin]'
gpg: writing to stdout
gpg: RSA/AES256 encrypted for: "0x6EADCB57CF0962B3 Bob S Lorem "
$

How can I change the "echo hi ..." pipeline above and get the same
results without editing ~/.gnupg/gpg.conf?

--
thanks,
Tom
--
The primary private (secret) keys are saved offline, and not present in ~/.gnupg.
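
Added example, not part of any post above and not libgcrypt's or gpg-agent's own code: a C sketch of the wipe-before-release behaviour Ángel traces in the gpg-agent scrubbing thread (overwrite passes 0xff, 0xaa, 0x55, 0x00 through a volatile pointer, and the memset()-through-a-function-pointer variant), on a buffer pinned with mlock(2). The names secret_buf, secret_alloc, secret_free, wipe_pass, wipe_volatile, wipe_via_fnptr and count_not_equal are hypothetical, and the passphrase string is constructed sample data.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* for MAP_ANONYMOUS */
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical holder for secret material (not a libgcrypt type). */
typedef struct {
    unsigned char *data;
    size_t len;
    int locked;                    /* 1 if mlock() succeeded */
} secret_buf;

/* One overwrite pass through a volatile pointer: every store must be
 * emitted, so the pass cannot be dropped as a dead store even when the
 * buffer is released immediately afterwards. */
static void wipe_pass(void *p, unsigned char pattern, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = pattern;
}

/* Pass sequence named in the thread: 0xff, 0xaa, 0x55, then 0x00. */
static void wipe_volatile(void *p, size_t n)
{
    static const unsigned char passes[] = { 0xff, 0xaa, 0x55, 0x00 };
    for (size_t i = 0; i < sizeof passes; i++)
        wipe_pass(p, passes[i], n);
}

/* Variant: plain memset() called through a volatile function pointer,
 * so the compiler cannot prove which function runs and elide the call. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

static void wipe_via_fnptr(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Number of bytes in p[0..n) that differ from v (0 means fully wiped). */
static size_t count_not_equal(const void *p, unsigned char v, size_t n)
{
    const unsigned char *b = p;
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += (b[i] != v);
    return c;
}

/* Page-granular allocation so mlock()/munlock() affect only this buffer.
 * Locking is best effort: mlock() fails when RLIMIT_MEMLOCK is too low. */
static int secret_alloc(secret_buf *sb, size_t len)
{
    void *p;
    if (len == 0)
        return -1;
    p = mmap(NULL, len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    sb->data = p;
    sb->len = len;
    sb->locked = (mlock(p, len) == 0);
    return 0;
}

/* Wipe before the pages go back to the kernel; returns 0 on success. */
static int secret_free(secret_buf *sb)
{
    int rc;
    if (sb->data == NULL)
        return 0;
    wipe_volatile(sb->data, sb->len);
    if (sb->locked)
        munlock(sb->data, sb->len);
    rc = munmap(sb->data, sb->len);
    sb->data = NULL;
    sb->len = 0;
    sb->locked = 0;
    return rc;
}

int main(void)
{
    secret_buf sb;
    if (secret_alloc(&sb, 64) != 0)
        return 1;
    memcpy(sb.data, "constructed sample passphrase", 30);
    wipe_via_fnptr(sb.data, sb.len);
    printf("locked=%d bytes left after wipe=%zu\n",
           sb.locked, count_not_equal(sb.data, 0x00, sb.len));
    return secret_free(&sb) != 0;
}
```

mlock() only keeps this one buffer out of swap; copies made before the secret reaches it (terminal, pinentry, kernel buffers) are outside its reach, which is the caveat raised in that thread.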