From sac at 300baud.de Sat Aug 1 15:00:26 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 1 Aug 2020 15:00:26 +0200 Subject: WKD question In-Reply-To: <20200728004548.0000049f.sac@300baud.de> References: <20200727220007.00003593.sac@300baud.de> <20200727222426.nok2mngf23q4evpd@dynein.local.incenp,org> <20200728004548.0000049f.sac@300baud.de> Message-ID: <20200801150026.0000442e.sac@300baud.de> Stefan Claas wrote: > Damien Goutte-Gattat wrote: > > > On Mon, Jul 27, 2020 at 10:00:07PM +0200, Stefan Claas wrote: > > >For testing my new Nitrokey I have just install Enigmail for > > >Thunderbird on a fresh Ubuntu system and when clicking on > > >a signed message from a friend, which has properly set-up > > >WKD Thunderbird/Enigmail can not fetch the pub key. :-( > > > > Unless I missed something, I believe Enigmail will only attempt to > > automatically fetch a key from a Web Key Directory when *composing* a > > message (if there?s no key for the recipient in the local keyring), and > > *not* when checking a signature on a received message. > > > > See that excerpt from Enigmail 2.0 changelog [1]: > > > > > Support for Web Key Directory (WKD) is implemented. Enigmail will try > > > to download unavailable keys during message composition from WKD. > > Ah, ok, thanks. I thought it will fetch also automatically when checking > signatures. > > > You can force GnuPG to try to fetch a missing key when verifying a > > signature by enabling the --auto-key-retrieve option (please read the > > note about the ?web bug? in gpg?s man page before doing so?that option > > is disabled by default for a reason.) > > I enabled it now and it works. :-) One more question, I tried to verify Werner's signature, from postings here on the ML, but his signature could not be verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but with a different Fingerprint. https://metacode.biz/openpgp/web-key-directory Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 805 bytes Desc: Digitale Signatur von OpenPGP URL: From dag at gnui.org Sun Aug 2 06:38:21 2020 From: dag at gnui.org (Dmitry Alexandrov) Date: Sun, 02 Aug 2020 07:38:21 +0300 Subject: WKD question In-Reply-To: <20200801150026.0000442e.sac@300baud.de> (Stefan Claas's message of "Sat, 1 Aug 2020 15:00:26 +0200") References: <20200727220007.00003593.sac@300baud.de> <20200727222426.nok2mngf23q4evpd@dynein.local.incenp,org> <20200728004548.0000049f.sac@300baud.de> <20200801150026.0000442e.sac@300baud.de> Message-ID: Stefan Claas wrote: > One more question, I tried to verify Werner's signature, from postings here on the ML, but his signature could not be verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but with a different Fingerprint. > > https://metacode.biz/openpgp/web-key-directory Well, that?s seems to be true: $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk at gnupg.org)" | gpg --with-colons gpg: WARNING: no command supplied. Trying to guess what you mean ... pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-: uid:::::::::wk at gnupg.org: sub:-:256:18:3CD7B3A055039224:1538149415:1643626805::: I dunno why @wk at gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that, is exactly the key reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable. Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint. In other words, when enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com. IIUC, there is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating). BTW, does anyone remember, how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPG?s options are so tangled, that I have failed to find it. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 247 bytes Desc: not available URL: From kloecker at kde.org Sun Aug 2 12:22:59 2020 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Sun, 02 Aug 2020 12:22:59 +0200 Subject: WKD question In-Reply-To: References: <20200727220007.00003593.sac@300baud.de> Message-ID: <1803396.a0EWGg1j7a@breq> On Sonntag, 2. August 2020 06:38:21 CEST Dmitry Alexandrov wrote: > $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url > wk at gnupg.org)" | gpg --with-colons gpg: WARNING: no command supplied. > Trying to guess what you mean ... > pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-: > uid:::::::::wk at gnupg.org: > sub:-:256:18:3CD7B3A055039224:1538149415:1643626805::: > [snip] > > BTW, does anyone remember, how to command gpg(1) to print the above in a > human-readable format? There was some incantation, IIRC, but GPG?s options > are so tangled, that I have failed to find it. Do you mean "gpg --show-key" resp. "gpg --show-key --with-subkey-fingerprint"? Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part. URL: From sac at 300baud.de Sun Aug 2 16:17:00 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 2 Aug 2020 16:17:00 +0200 Subject: WKD question In-Reply-To: References: <20200727220007.00003593.sac@300baud.de> <20200727222426.nok2mngf23q4evpd@dynein.local.incenp,org> <20200728004548.0000049f.sac@300baud.de> <20200801150026.0000442e.sac@300baud.de> Message-ID: <20200802161537.00006c39.sac@300baud.de> Dmitry Alexandrov wrote: > Stefan Claas wrote: > > One more question, I tried to verify Werner's signature, from postings here on the ML, but his signature could not be > > verified, due to a missing pub key (0xFF80AE9D1DEC358D). But when looking at Wiktor's WKD checker a key is present, but > > with a different Fingerprint. > > > > https://metacode.biz/openpgp/web-key-directory > > Well, that?s seems to be true: > > $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk at gnupg.org)" | gpg --with-colons > gpg: WARNING: no command supplied. Trying to guess what you mean ... > pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-: > uid:::::::::wk at gnupg.org: > sub:-:256:18:3CD7B3A055039224:1538149415:1643626805::: > > I dunno why @wk at gnupg.org did that, but whatever his reasons were, the fact that he was _able_ to do that, is exactly the key > reason why proper (write-only) keyserver networks (SKS- or Hockeypuck-based) are indispensable. Hopefully he can tell us. > Use them, not WKD or proprietary keyserver services, when you want to get a key by a given fingerprint. In other words, when > enabling --auto-key-retrieve, make sure that --keyserver is set to something like hkps://keyserver.ubuntu.com. IIUC, there > is, unfortunately, still no way to configure multiple keyservers for retrieval (contrary to locating). I have as key server keys.openpgp.org in my config, besides WKD and when I switched it to the Ubuntu key server Claws-Mail said key for verification of this signature not available. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From dag at gnui.org Sun Aug 2 19:16:22 2020 From: dag at gnui.org (Dmitry Alexandrov) Date: Sun, 02 Aug 2020 20:16:22 +0300 Subject: WKD question In-Reply-To: <1803396.a0EWGg1j7a@breq> ("Ingo =?utf-8?Q?Kl=C3=B6cker=22's?= message of "Sun, 02 Aug 2020 12:22:59 +0200") References: <20200727220007.00003593.sac@300baud.de> <1803396.a0EWGg1j7a@breq> Message-ID: Ingo Kl?cker wrote: > On Sonntag, 2. August 2020 06:38:21 CEST Dmitry Alexandrov wrote: >> >> $ wget -qO - "$(/usr/lib/gnupg/gpg-wks-client --print-wkd-url wk at gnupg.org)" | gpg --with-colons >> gpg: WARNING: no command supplied. Trying to guess what you mean ... >> pub:-:256:22:63113AE866587D0A:1538149415:1801393200::-: >> uid:::::::::wk at gnupg.org: >> sub:-:256:18:3CD7B3A055039224:1538149415:1643626805::: > >> BTW, does anyone remember, how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPG?s options are so tangled, that I have failed to find it. > > Do you mean "gpg --show-key" resp. "gpg --show-key --with-subkey-fingerprint"? Yes, exactly. Indeed, in contrast with --with-colons, --with-subkey-fingerprint alone does nothing: $ wget -qO - ??? | gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... pub ed25519 2018-09-28 [SC] [expires: 2027-01-31] AEA84EDCF01AD86C4701C85C63113AE866587D0A uid wk at gnupg.org sub cv25519 2018-09-28 [E] [expires: 2022-01-31] $ wget -qO - ??? | gpg --with-subkey-fingerprint gpg: WARNING: no command supplied. Trying to guess what you mean ... pub ed25519 2018-09-28 [SC] [expires: 2027-01-31] AEA84EDCF01AD86C4701C85C63113AE866587D0A uid wk at gnupg.org sub cv25519 2018-09-28 [E] [expires: 2022-01-31] $ wget -qO - ??? | gpg --show-key --with-subkey-fingerprint pub ed25519 2018-09-28 [SC] [expires: 2027-01-31] AEA84EDCF01AD86C4701C85C63113AE866587D0A uid wk at gnupg.org sub cv25519 2018-09-28 [E] [expires: 2022-01-31] E05BA20ED4F17768613B03C53CD7B3A055039224 Thank you. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 247 bytes Desc: not available URL: From wk at gnupg.org Tue Aug 4 10:43:29 2020 From: wk at gnupg.org (Werner Koch) Date: Tue, 04 Aug 2020 10:43:29 +0200 Subject: WKD question In-Reply-To: (Dmitry Alexandrov's message of "Sun, 02 Aug 2020 07:38:21 +0300") References: <20200727220007.00003593.sac@300baud.de> <20200727222426.nok2mngf23q4evpd@dynein.local.incenp,org> <20200728004548.0000049f.sac@300baud.de> <20200801150026.0000442e.sac@300baud.de> Message-ID: <87v9hyu7gu.fsf@wheatstone.g10code.de> On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said: > I dunno why @wk at gnupg.org did that, but whatever his reasons were, the > fact that he was _able_ to do that, is exactly the key reason why I have a post-it on my CA laptop to add a signing subkey to my new key, I should really do that soon. Because ed25519 was not in widespread use when I created the key in 2018 I decided to use it only for encryption for some time and add a signing key later. > BTW, does anyone remember, how to command gpg(1) to print the above in > a human-readable format? There was some incantation, IIRC, but GPG?s gpg --locate-external-key -v foo at example.rog looks up foo at example.org even if a key with that user id already exists. It then imports the key and lists it with all existing user ids. The -v is there to get information on how foo at example.org was retrieved. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Tue Aug 4 16:46:34 2020 From: wk at gnupg.org (Werner Koch) Date: Tue, 04 Aug 2020 16:46:34 +0200 Subject: WKD - .onion redirects mapping In-Reply-To: <20200727190142.GA994367@fullerene.field.pennock-tech.net> (Phil Pennock via Gnupg-users's message of "Mon, 27 Jul 2020 15:01:42 -0400") References: <20200727190142.GA994367@fullerene.field.pennock-tech.net> Message-ID: <875z9ytqnp.fsf@wheatstone.g10code.de> On Mon, 27 Jul 2020 15:01, Phil Pennock said: > My understanding is that for .onion hostname services they already have > security equivalent to TLS providing privacy in their direct links onto Yes, privacy. But that is just a welcome side-effect. What we need is that the domain is authenticated so that we can consider the key to be valid at a certain level. I see no way how you can do this via an anonymizer because the two goals are in contradiction. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From dag at gnui.org Tue Aug 4 18:17:56 2020 From: dag at gnui.org (Dmitry Alexandrov) Date: Tue, 04 Aug 2020 19:17:56 +0300 Subject: WKD question In-Reply-To: <87v9hyu7gu.fsf@wheatstone.g10code.de> (Werner Koch via Gnupg-users's message of "Tue, 04 Aug 2020 10:43:29 +0200") References: <20200727220007.00003593.sac@300baud.de> <20200727222426.nok2mngf23q4evpd@dynein.local.incenp,org> <20200728004548.0000049f.sac@300baud.de> <20200801150026.0000442e.sac@300baud.de> <87v9hyu7gu.fsf@wheatstone.g10code.de> Message-ID: Werner Koch via Gnupg-users wrote: > On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said: >> I dunno why @wk at gnupg.org did that > > I have a post-it on my CA laptop to add a signing subkey to my new key, I should really do that soon. Maybe, you would like to update an expired key in DNS as well? By the way, it would be nice, if GPG were not interpreting locating an expired key as success, but continued with the next method instead: $$ gpg --auto-key-locate dane,wkd --locate-key wk at gnupg.org gpg: key F2AD85AC1E42B367: public key "Werner Koch " imported gpg: Total number processed: 1 gpg: imported: 1 pub dsa2048 2007-12-31 [SC] [expired: 2018-12-31] 80615870F5BAD690333686D0F2AD85AC1E42B367 uid [ expired] Werner Koch >> BTW, does anyone remember, how to command gpg(1) to print the above in a human-readable format? There was some incantation, IIRC, but GPG?s > > gpg --locate-external-key -v foo at example.rog > > looks up foo at example.org even if a key with that user id already exists. No, thanks, that?s not what I forgot, I was nonplussed by the fact, that --with-subkey-fingerprint has no any effect when --show-key is implied, while --with-colons has []. @kloecker at kde.org had resolved [<1803396.a0EWGg1j7a at breq>] my confusion already. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 247 bytes Desc: not available URL: From gnupg-users at spodhuis.org Tue Aug 4 20:06:07 2020 From: gnupg-users at spodhuis.org (Phil Pennock) Date: Tue, 4 Aug 2020 14:06:07 -0400 Subject: WKD - .onion redirects mapping In-Reply-To: <875z9ytqnp.fsf@wheatstone.g10code.de> References: <20200727190142.GA994367@fullerene.field.pennock-tech.net> <875z9ytqnp.fsf@wheatstone.g10code.de> Message-ID: <20200804180607.GA462230@fullerene.field.pennock-tech.net> On 2020-08-04 at 16:46 +0200, Werner Koch via Gnupg-users wrote: > Yes, privacy. But that is just a welcome side-effect. What we need is > that the domain is authenticated so that we can consider the key to be > valid at a certain level. I see no way how you can do this via an > anonymizer because the two goals are in contradiction. Isn't that what a static mapping file accomplishes? Not a good longer-term solution, but buys the ability to explore the problem space. Eg, there could be DNSSEC-signed records in DNS saying "this string is equivalent for TOR". If DNS is routed over TOR then the object signing gives you that assurance. You get privacy and assurance. DNSSEC means you no longer need to care how you get the responses, provided that there's a DS trust chain down to the result you want. So spitballing wildly, `_tor_https.example.org` as a set of TXT records could provide one domain each which are equivalent. -Phil From gpg-users at chiraag.me Wed Aug 5 23:18:42 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Wed, 05 Aug 2020 21:18:42 +0000 Subject: Clearing cached PIN for Yubikey Message-ID: <20200805211746.GA207@chiraag> Hello! I was attempting to figure out what the 'canonical' way of clearing a Yubikey's cached PIN is. I adjusted the default-cache-ttl and max-cache-ttl values in gpg-agent.conf to no effect. I also attempted to use card-timeout (even though it was clear from searching around that it was probably useless). I know there's a setting to force (or not force) entering a PIN for signing in gpg --edit-card, but there doesn't seem to be a corresponding option for forcing a PIN for decryption. Obviously I can just yank out my Yubikey or restart the agent (systemctl --user restart gpg-agent) and get the desired effect (although echo RELOADAGENT | gpg-connect-agent *doesn't* achieve the same thing...), but I'd like to find another option if available. Here is the output of gpg --version: gpg (GnuPG) 2.2.20 libgcrypt 1.8.6 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /home/chiraag/.gnupg Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 I'm running Debian sid/experimental and use systemd as my init system and service manager, if that impacts anything. Thank you very much for any tips and/or pointers! Sincerely, Chiraag -- ?????? ?????? Pronouns: he/him/his -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From gniibe at fsij.org Thu Aug 6 07:10:55 2020 From: gniibe at fsij.org (NIIBE Yutaka) Date: Thu, 06 Aug 2020 14:10:55 +0900 Subject: Clearing cached PIN for Yubikey In-Reply-To: <20200805211746.GA207@chiraag> References: <20200805211746.GA207@chiraag> Message-ID: <87a6z8cqao.fsf@jumper.gniibe.org> ?????? ?????? wrote: > I was attempting to figure out what the 'canonical' way of clearing a > Yubikey's cached PIN is. Clearing the authentication status is supported in scdaemon (in the lower level), but there is no good way by command line. If you don't care about using a kind of develper's tool (gpg-connect-agent), you can do following. For signing, type: $ gpg-connect-agent "SCD PASSWD --clear 1" /bye For decryption/authentication, type: $ gpg-connect-agent "SCD PASSWD --clear 2" /bye Perhaps, using a tool for users would be more relevant. Then, $ gpgconf --kill scdaemon could be used to clear all authentication status. -- From 74cmonty at gmail.com Fri Aug 7 08:33:39 2020 From: 74cmonty at gmail.com (Thomas Schneider) Date: Fri, 7 Aug 2020 08:33:39 +0200 Subject: Subkeys export to Security Token fails: Secret key available. Message-ID: <37cadf95-68da-455a-5a4f-0ccfca71313f@gmail.com> Hi, I had to reset my blocked Yubikey. Then I started with setting up the key again; all worked fine including "key attributes". After this I tried to export the PGP keys to the token, however this fails with error message: gpg: KEYTOCARD failed: Unusable secret key I don't understand how to fix this issue, and I don't understand what's causing this issue. When I execute "gpg --expert --edit-key 0x I can see this: Secret key available. pub rsa4096/Secret subkey is available. pub rsa4096/ created: 2020-01-06 expires: 2021-01-05 Nutzung: C Trust: unbekannt Validity: unbekannt ssb rsa4096/ created: 2020-01-06 expires: 2021-01-05 Nutzung: A Card number:0006 ssb rsa4096/ created: 2020-01-06 expires: 2021-01-05 Nutzung: S Card number:0006 ssb rsa4096/ created: 2020-01-06 expires: 2021-01-05 Nutzung: E Card number:0006 All subkeys are marked as Stub which is correct because the keys have been exported before. However now the keys don't exist anymore on the keycard. Can you please advise how to fix this issue? THX From sac at 300baud.de Fri Aug 7 13:35:15 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 7 Aug 2020 13:35:15 +0200 Subject: In case you use OpenPGP on a smartphone ... Message-ID: <20200807133515.00005086@300baud.de> ... you may like to check out Mr. Snowden's YouTube video: https://www.youtube.com/watch?v=wltrint1JrA Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From sac at 300baud.de Fri Aug 7 15:21:44 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 7 Aug 2020 15:21:44 +0200 Subject: keyoxide.org - new service for GnuPG users Message-ID: <20200807152144.0000570a@300baud.de> Hi all, just discovered this new service: https://keyoxide.org/ Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From gpg-users at chiraag.me Fri Aug 7 15:44:06 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Fri, 07 Aug 2020 13:44:06 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807133515.00005086@300baud.de> References: <20200807133515.00005086@300baud.de> Message-ID: <20200807134400.GA207@chiraag> Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which could, for example, be a montage of several different speeches or interviews? Sincerely, Chiraag -- ?????? ?????? Pronouns: he/him/his 07/08/20 13:35 ?????, Stefan Claas ??????: > > ... you may like to check out Mr. Snowden's YouTube video: > > https://www.youtube.com/watch?v=wltrint1JrA > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Fri Aug 7 16:01:22 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 7 Aug 2020 16:01:22 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807134400.GA207@chiraag> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> Message-ID: <20200807160053.00003a61@300baud.de> ?????? ?????? via Gnupg-users wrote: > Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which > could, for example, be a montage of several different speeches or interviews? > > Sincerely, > > Chiraag Apologies, I currently have no other sources, wish I had. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From sac at 300baud.de Fri Aug 7 16:12:10 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 7 Aug 2020 16:12:10 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807160053.00003a61@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> Message-ID: <20200807161210.00001444@300baud.de> Stefan Claas wrote: > ?????? ?????? via Gnupg-users wrote: > > > Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which > > could, for example, be a montage of several different speeches or interviews? > > > > Sincerely, > > > > Chiraag > > Apologies, I currently have no other sources, wish I had. P.S. I also send a message to Mr Snowden via Twitter, but I doubt he will see this, because of his over 4 Million followers, which might write him too. And yesterday I wrote an email to NSO group, asking if their latest release of Pegasus is capable of doing this. But no reply yet ... Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From gpg-users at chiraag.me Fri Aug 7 16:23:33 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Fri, 07 Aug 2020 14:23:33 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807161210.00001444@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> Message-ID: <20200807142325.GA207@chiraag> Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group Sincerely, Chiraag -- ?????? ?????? Pronouns: he/him/his 07/08/20 16:12 ?????, Stefan Claas ??????: > > Stefan Claas wrote: > > > ?????? ?????? via Gnupg-users wrote: > > > > > Is it possible to link the original source material (Snowden's speech or interview or whatever) rather than this video which > > > could, for example, be a montage of several different speeches or interviews? > > > > > > Sincerely, > > > > > > Chiraag > > > > Apologies, I currently have no other sources, wish I had. > > P.S. I also send a message to Mr Snowden via Twitter, but > I doubt he will see this, because of his over 4 Million > followers, which might write him too. > > And yesterday I wrote an email to NSO group, asking if > their latest release of Pegasus is capable of doing > this. But no reply yet ... > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From yo at jacky.wtf Fri Aug 7 15:33:22 2020 From: yo at jacky.wtf (Jacky Alcine) Date: Fri, 07 Aug 2020 13:33:22 +0000 Subject: keyoxide.org - new service for GnuPG users In-Reply-To: <20200807152144.0000570a@300baud.de> References: <20200807152144.0000570a@300baud.de> Message-ID: Reminds me of Keybase without the fluff On August 7, 2020 1:21:44 PM UTC, Stefan Claas wrote: >Hi all, > >just discovered this new service: > >https://keyoxide.org/ > >Regards >Stefan > >-- >my 'hidden' service gopherhole: >gopher://iria2xobffovwr6h.onion > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users at gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sac at 300baud.de Fri Aug 7 16:43:14 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 7 Aug 2020 16:43:14 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807142325.GA207@chiraag> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> Message-ID: <20200807164233.00002191@300baud.de> ?????? ?????? via Gnupg-users wrote: > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group Yes, as understood. I think it really doesn't matter where Pegasus does come from. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From andrewg at andrewg.com Fri Aug 7 17:14:47 2020 From: andrewg at andrewg.com (Andrew Gallagher) Date: Fri, 7 Aug 2020 16:14:47 +0100 Subject: keyoxide.org - new service for GnuPG users In-Reply-To: References: <20200807152144.0000570a@300baud.de> Message-ID: <4ac97582-cefb-4500-eb05-7b8df9ba546d@andrewg.com> Base vs Oxide. Chemistry pun... :-) On 07/08/2020 14:33, Jacky Alcine via Gnupg-users wrote: > Reminds me of Keybase without the fluff > > On August 7, 2020 1:21:44 PM UTC, Stefan Claas wrote: > > Hi all, > > just discovered this new service: > > https://keyoxide.org/ > > Regards > Stefan > > > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Andrew Gallagher -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From tlikonen at iki.fi Fri Aug 7 18:58:21 2020 From: tlikonen at iki.fi (Teemu Likonen) Date: Fri, 07 Aug 2020 19:58:21 +0300 Subject: keyoxide.org - new service for GnuPG users In-Reply-To: <20200807152144.0000570a@300baud.de> References: <20200807152144.0000570a@300baud.de> Message-ID: <87imduieaa.fsf@iki.fi> * 2020-08-07 15:21:44+02, Stefan Claas wrote: > just discovered this new service: > > https://keyoxide.org/ I think you should have written more content in your message: a description of the service and perhaps some own thoughts about it. Anyway. Keyoxide uses OpenPGP keys' certificate notations to prove that certain social media profile or web site belongs to the key's owner. That is interesting because there are no Keyoxide profiles at all. When opening a (pseudo) profile the service just searches for an OpenPGP key, checks if it has certain type of notations (URL) and goes to find the following string from the URL: [Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT] "FINGERPRINT" is OpenPGP key fingerprint. So the "profile" is managed entirely within OpenPGP key and those external social media profiles. -- /// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/ // OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 251 bytes Desc: not available URL: From ialternatem at gmail.com Fri Aug 7 19:16:10 2020 From: ialternatem at gmail.com (Ahmad) Date: Fri, 7 Aug 2020 13:16:10 -0400 Subject: import of multiple secret keys is stopped as soon as a wrong password for one of the secret keys is entered Message-ID: Hello, I am having trouble importing keys from an old private key ring that I recovered from a back-up hard drive that is about 10 years old: PGP Private Keyring.skr. There are at least 10 pairs of keys in the ring and when I import (either by drag and drop into GPGKeychain; or from the command line), I get a prompt at each private key for the passphrase prior to being able to import the next key. The issue is that I lost the password for one of the keys (the third one in the list) and I can't get past this to the next keys. Is there any to get around this? I have the public key information for all the other keys, is there a way I can selectively bypass this problematic lost key? ie. is there a way I can import the other private keys without knowing the passphrase from the one problematic key pair in the PGP Private Keyring.skr file? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From sac at 300baud.de Fri Aug 7 21:33:26 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 7 Aug 2020 21:33:26 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807164233.00002191@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> Message-ID: <20200807213326.000007a1@300baud.de> Stefan Claas wrote: > ?????? ?????? via Gnupg-users wrote: > > > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group > > Yes, as understood. I think it really doesn't matter where Pegasus does come from. This article showed up today, when I did a Google search again: Trustworthy source. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From philihp at gmail.com Sat Aug 8 02:02:48 2020 From: philihp at gmail.com (Philihp Busby) Date: Sat, 8 Aug 2020 00:02:48 +0000 Subject: keyoxide.org - new service for GnuPG users In-Reply-To: References: <20200807152144.0000570a@300baud.de> Message-ID: <20200808000248.GA22035@jinteki.lan> I like it. Keybase did a lot of great things, but with their future in the hands of Zoom, it's good that we have alternative, decentralized, open source things being developed. On 2020-08-07T13:33:22+0000 Jacky Alcine via Gnupg-users wrote 1.9K bytes: > Reminds me of Keybase without the fluff > > On August 7, 2020 1:21:44 PM UTC, Stefan Claas wrote: > >Hi all, > > > >just discovered this new service: > > > >https://keyoxide.org/ > > > >Regards > >Stefan > > > >-- > >my 'hidden' service gopherhole: > >gopher://iria2xobffovwr6h.onion > > > >_______________________________________________ > >Gnupg-users mailing list > >Gnupg-users at gnupg.org > >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- > Sent from my Android device with K-9 Mail. Please excuse my brevity. > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From angel at pgp.16bits.net Sat Aug 8 02:05:44 2020 From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=) Date: Sat, 08 Aug 2020 02:05:44 +0200 Subject: Subkeys export to Security Token fails: Secret key available. In-Reply-To: <37cadf95-68da-455a-5a4f-0ccfca71313f@gmail.com> References: <37cadf95-68da-455a-5a4f-0ccfca71313f@gmail.com> Message-ID: <1596845144.1152.14.camel@16bits.net> On 2020-08-07 at 08:33 +0200, Thomas Schneider wrote: > All subkeys are marked as Stub which is correct because the keys have > been exported before. > However now the keys don't exist anymore on the keycard. > > Can you please advise how to fix this issue? > > THX You had some "full" keys (public+private part). Then "moved" them to the Yubikey, so the private part was now in the yubikey, and locally you left just a stub saying "go look at yubikey #1234 for this key". Do you have a backup of the full, original key? Cheers From 74cmonty at gmail.com Sat Aug 8 09:52:02 2020 From: 74cmonty at gmail.com (Thomas) Date: Sat, 08 Aug 2020 09:52:02 +0200 Subject: Subkeys export to Security Token fails: Secret key available. In-Reply-To: <1596845144.1152.14.camel@16bits.net> References: <37cadf95-68da-455a-5a4f-0ccfca71313f@gmail.com> <1596845144.1152.14.camel@16bits.net> Message-ID: <95761BEE-2355-42CA-941F-9855CA6B8773@gmail.com> I have a backup of any key. Am 8. August 2020 02:05:44 MESZ schrieb "?ngel" : >On 2020-08-07 at 08:33 +0200, Thomas Schneider wrote: >> All subkeys are marked as Stub which is correct because the keys have >> been exported before. >> However now the keys don't exist anymore on the keycard. >> >> Can you please advise how to fix this issue? >> >> THX > >You had some "full" keys (public+private part). Then "moved" them to >the >Yubikey, so the private part was now in the yubikey, and locally you >left just a stub saying "go look at yubikey #1234 for this key". > >Do you have a backup of the full, original key? > > >Cheers > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users at gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet. -------------- next part -------------- An HTML attachment was scrubbed... URL: From renws at protonmail.com Sat Aug 8 13:58:43 2020 From: renws at protonmail.com (renws) Date: Sat, 08 Aug 2020 11:58:43 +0000 Subject: Accidentally deleted ~/.gnupg/pubring.gpg Message-ID: Hi, I tried --try-all-secrets but it didn't work: $ gpg -d --try-all-secrets myfile.txt.gpg gpg: encrypted with RSA key, ID xxxxxxxxxxxxx gpg: decryption failed: No secret key I guess I'll have to create a new public key with the same fingerprint? I've searched "gpg create public key with same fingerprint" but didn't get much luck. Could you please provide more detailed how-to instructions? Regards, WS -------------- next part -------------- An HTML attachment was scrubbed... URL: From angel at pgp.16bits.net Sat Aug 8 23:23:43 2020 From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=) Date: Sat, 08 Aug 2020 23:23:43 +0200 Subject: Subkeys export to Security Token fails: Secret key available. In-Reply-To: <95761BEE-2355-42CA-941F-9855CA6B8773@gmail.com> References: <37cadf95-68da-455a-5a4f-0ccfca71313f@gmail.com> <1596845144.1152.14.camel@16bits.net> <95761BEE-2355-42CA-941F-9855CA6B8773@gmail.com> Message-ID: <1596921823.1303.10.camel@16bits.net> > Am 8. August 2020 02:05:44 MESZ schrieb "?ngel": > You had some "full" keys (public+private part). Then "moved" them to the > Yubikey, so the private part was now in the yubikey, and locally you > left just a stub saying "go look at yubikey #1234 for this key". > > Do you have a backup of the full, original key? > > > Cheers On 2020-08-08 at 09:52 +0200, Thomas via Gnupg-users wrote: > I have a backup of any key. Then just restore the full key (either on your normal keyring or on a temporary one, GNUPGHOME is your friend) and start again from that. It should work that time. Best regards From 2017-r3sgs86x8e-lists-groups at riseup.net Sun Aug 9 11:25:07 2020 From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA) Date: Sun, 9 Aug 2020 10:25:07 +0100 Subject: import of multiple secret keys is stopped as soon as a wrong password for one of the secret keys is entered In-Reply-To: References: Message-ID: <144813243.20200809102448@mail.riseup.net> Hi On Friday 7 August 2020 at 6:16:10 PM, in , Ahmad via Gnupg-users wrote:- > The issue is that I lost the password for one of the > keys (the third one in > the list) and I can't get past this to the next keys. > Is there any to get around this? gpg --delete-secret-keys [key-ID] gpg --delete-key [key-ID] You might want to make a backup first in case you find the key's passphrase later. -- Best regards MFPA Can you imagine a world with no hypothetical situations? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 1207 bytes Desc: not available URL: From sac at 300baud.de Sun Aug 9 22:06:13 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 9 Aug 2020 22:06:13 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807213326.000007a1@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> Message-ID: <20200809220613.00000dd9@300baud.de> Stefan Claas wrote: > Stefan Claas wrote: > > > ?????? ?????? via Gnupg-users wrote: > > > > > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group > > > > Yes, as understood. I think it really doesn't matter where Pegasus does come from. > > This article showed up today, when I did a Google search again: > > > > Trustworthy source. Mmmhhh, it is getting 'better and better' for smartphone users. https://www.androidauthority.com/government-tracking-apps-1145989/ Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From guru at unixarea.de Mon Aug 10 01:38:57 2020 From: guru at unixarea.de (Matthias Apitz) Date: Mon, 10 Aug 2020 01:38:57 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200809220613.00000dd9@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> Message-ID: <20200809233857.GA4440@c720-r342378> El d?a domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribi?: > > This article showed up today, when I did a Google search again: > > > > > > > > Trustworthy source. > > Mmmhhh, it is getting 'better and better' for smartphone users. > > https://www.androidauthority.com/government-tracking-apps-1145989/ > One can use a Linux mobile phone running UBports.com (as I and all my family do) or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). Stop whining, stand up and fight and protect yourself. matthias -- Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub May, 9: ???????? ????????????! Thank you very much, Russian liberators! From sac at 300baud.de Mon Aug 10 09:07:51 2020 From: sac at 300baud.de (Stefan Claas) Date: Mon, 10 Aug 2020 09:07:51 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200809233857.GA4440@c720-r342378> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> Message-ID: <20200810090751.000022d4@300baud.de> Matthias Apitz wrote: > El d?a domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribi?: > > > > This article showed up today, when I did a Google search again: > > > > > > > > > > > > Trustworthy source. > > > > Mmmhhh, it is getting 'better and better' for smartphone users. > > > > https://www.androidauthority.com/government-tracking-apps-1145989/ > > > > One can use a Linux mobile phone running UBports.com (as I and all my family do) > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). Yes, people gave me already (not from here of course) good advise for other OSs which one can use. The question is how long will those OSs been unaffected ... > Stop whining, stand up and fight and protect yourself. I am not whining ... I only wanted to let the people know. Also very interesting that only one person in this thread replied, besides you ... Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From bernhard at intevation.de Mon Aug 10 10:53:28 2020 From: bernhard at intevation.de (Bernhard Reiter) Date: Mon, 10 Aug 2020 10:53:28 +0200 Subject: root certificate for smime missing gpgconf --launch dirmngr In-Reply-To: <87k0ymttz5.fsf@mat.ucm.es> References: <87eeqqnc1p.fsf@mat.ucm.es> <20200728185154.GA342506@pops-mintonw10.globe.nemgint.com> <87k0ymttz5.fsf@mat.ucm.es> Message-ID: <202008101053.34348.bernhard@intevation.de> Am Mittwoch 29 Juli 2020 13:56:46 schrieb Uwe Brauer via Gnupg-users: > > I believe the original question was, how to allow gpg to automatically > > trust the root certificates provided by the os or Thunderbird. > > Yes it was and I still don't know. As far as I know gpgsm does not provide an automatic way to use X509 root certificates from the operating system or Thunderbird. You could construct a simple script to sync certs to dirmngr if the os or other app store updates. Regards, Bernhard -- www.intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3855 bytes Desc: not available URL: From gpg-users at chiraag.me Mon Aug 10 16:27:43 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Mon, 10 Aug 2020 14:27:43 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810090751.000022d4@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> Message-ID: <20200810142736.GA207@chiraag> 10/08/20 09:07 ?????, Stefan Claas ??????: > > Matthias Apitz wrote: > > > El d?a domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribi?: > > > > > > This article showed up today, when I did a Google search again: > > > > > > > > > > > > > > > > Trustworthy source. > > > > > > Mmmhhh, it is getting 'better and better' for smartphone users. > > > > > > https://www.androidauthority.com/government-tracking-apps-1145989/ > > > > > > > One can use a Linux mobile phone running UBports.com (as I and all my family do) > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). > > Yes, people gave me already (not from here of course) good advise for other OSs > which one can use. The question is how long will those OSs been unaffected ... > > > Stop whining, stand up and fight and protect yourself. > > I am not whining ... I only wanted to let the people know. Also very > interesting that only one person in this thread replied, besides you ... I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would presumably be much easier...). Just another way to mitigate the risk of stuff like this. Sincerely, Chiraag -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Mon Aug 10 17:14:25 2020 From: sac at 300baud.de (Stefan Claas) Date: Mon, 10 Aug 2020 17:14:25 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810142736.GA207@chiraag> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> Message-ID: <20200810171405.00001033@300baud.de> ?????? ?????? via Gnupg-users wrote: > 10/08/20 09:07 ?????, Stefan Claas ??????: > > > > Matthias Apitz wrote: > > > > > El d?a domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribi?: > > > > > > > > This article showed up today, when I did a Google search again: > > > > > > > > > > > > > > > > > > > > Trustworthy source. > > > > > > > > Mmmhhh, it is getting 'better and better' for smartphone users. > > > > > > > > https://www.androidauthority.com/government-tracking-apps-1145989/ > > > > > > > > > > One can use a Linux mobile phone running UBports.com (as I and all my family do) > > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). > > > > Yes, people gave me already (not from here of course) good advise for other OSs > > which one can use. The question is how long will those OSs been unaffected ... > > > > > Stop whining, stand up and fight and protect yourself. > > > > I am not whining ... I only wanted to let the people know. Also very > > interesting that only one person in this thread replied, besides you ... > > I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey > and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the > Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the > Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would > presumably be much easier...). > > Just another way to mitigate the risk of stuff like this. Well, I do have YubiKeys and a Nitrokey too, but I would say while they can't obtain your private key they will for sure know the passphrase (PIN) used and the content you encrypted/decrypted on your smartphone. I came up yesterday with the idea to use an additional offline laptop[1] connected to my smartphone via a USB OTG cable and an FTDI USB to USB cable, costs for both less then 20 USD. When both devices are connected one uses on the laptop CoolTerm (cross-platform) and on the Android device serial usb terminal, available on the PlayStore. As of my understanding (please someone proofs me wrong) an attacker would have a hard time to know the encrypted content created on the offline laptop. [1]I have to check out if they are mobile and inexpensive Raspberry Pi solutions available for purchase. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From gpg-users at chiraag.me Mon Aug 10 17:18:21 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Mon, 10 Aug 2020 15:18:21 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200807133515.00005086@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> Message-ID: <20200810151817.GA207@chiraag> 10/08/20 18:05 ?????, bereska ??????: > Dear Chiraag, > > I've been thinking of a similar setup with my GPG keys on a smart card > to encrypt/decrypt data on my android phone. > Could be more specific about your setup? > > thank you > Dmitry Hi Dmitry, I created a tutorial a while back on my website for setting this stuff up: https://chiraag.me/passwords/index.php Let me know if you have questions or if anything's unclear! Best, Chiraag -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From mgorny at gentoo.org Mon Aug 10 17:19:56 2020 From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=) Date: Mon, 10 Aug 2020 17:19:56 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810171405.00001033@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> Message-ID: <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> On Mon, 2020-08-10 at 17:14 +0200, Stefan Claas wrote: > ?????? ?????? via Gnupg-users wrote: > > > 10/08/20 09:07 ?????, Stefan Claas ??????: > > > Matthias Apitz wrote: > > > > > > > El d?a domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribi?: > > > > > > > > > > This article showed up today, when I did a Google search again: > > > > > > > > > > > > > > > > > > > > > > > > Trustworthy source. > > > > > > > > > > Mmmhhh, it is getting 'better and better' for smartphone users. > > > > > > > > > > https://www.androidauthority.com/government-tracking-apps-1145989/ > > > > > > > > > > > > > One can use a Linux mobile phone running UBports.com (as I and all my family do) > > > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). > > > > > > Yes, people gave me already (not from here of course) good advise for other OSs > > > which one can use. The question is how long will those OSs been unaffected ... > > > > > > > Stop whining, stand up and fight and protect yourself. > > > > > > I am not whining ... I only wanted to let the people know. Also very > > > interesting that only one person in this thread replied, besides you ... > > > > I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey > > and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the > > Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the > > Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would > > presumably be much easier...). > > > > Just another way to mitigate the risk of stuff like this. > > Well, I do have YubiKeys and a Nitrokey too, but I would say while they can't obtain your private key they will for sure > know the passphrase (PIN) used and the content you encrypted/decrypted on your smartphone. > > I came up yesterday with the idea to use an additional offline laptop[1] connected to my smartphone via a USB OTG cable > and an FTDI USB to USB cable, costs for both less then 20 USD. When both devices are connected one uses on the laptop > CoolTerm (cross-platform) and on the Android device serial usb terminal, available on the PlayStore. > > As of my understanding (please someone proofs me wrong) an attacker would have a hard time to know the encrypted content > created on the offline laptop. > Why use PGP on your phone if you carry a whole laptop with you anyway? -- Best regards, Micha? G?rny -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 618 bytes Desc: This is a digitally signed message part URL: From sac at 300baud.de Mon Aug 10 17:49:02 2020 From: sac at 300baud.de (Stefan Claas) Date: Mon, 10 Aug 2020 17:49:02 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> Message-ID: <20200810174848.0000630b@300baud.de> Micha? G?rny wrote: [...] > Why use PGP on your phone if you carry a whole laptop with you anyway? Good question. There is software for Andoid available called OpenKeyChain, which as understood is the defacto standard for Android smartphone users, in combination with a MUA for Android. The question IMHO now is what should mobile device users do now? I showed a solution, assuming those users have an offline laptop too, which then would allow them to comfortably and securely create their messages. Not all people can purchase now a new smartphone with a more secure OpenSource OS and new SIM, I assume. I also do not know if it is common if people use an (compromised?) online laptop, as a smartphone, when on the road. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From bereska at hotmail.com Mon Aug 10 17:05:19 2020 From: bereska at hotmail.com (bereska) Date: Mon, 10 Aug 2020 18:05:19 +0300 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810142736.GA207@chiraag> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> Message-ID: Dear Chiraag, I've been thinking of a similar setup with my GPG keys on a smart card to encrypt/decrypt data on my android phone. Could be more specific about your setup? thank you Dmitry On 10.08.2020 17:27, ?????? ?????? via Gnupg-users wrote: > 10/08/20 09:07 ?????, Stefan Claas ??????: >> >> Matthias Apitz wrote: >> >>> El d?a domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribi?: >>> >>>>> This article showed up today, when I did a Google search again: >>>>> >>>>> >>>>> >>>>> Trustworthy source. >>>> >>>> Mmmhhh, it is getting 'better and better' for smartphone users. >>>> >>>> https://www.androidauthority.com/government-tracking-apps-1145989/ >>>> >>> >>> One can use a Linux mobile phone running UBports.com (as I and all my family do) >>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). >> >> Yes, people gave me already (not from here of course) good advise for other OSs >> which one can use. The question is how long will those OSs been unaffected ... >> >>> Stop whining, stand up and fight and protect yourself. >> >> I am not whining ... I only wanted to let the people know. Also very >> interesting that only one person in this thread replied, besides you ... > > I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would presumably be much easier...). > > Just another way to mitigate the risk of stuff like this. > > Sincerely, > > Chiraag > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From azbigdogs at gmx.com Tue Aug 11 02:19:07 2020 From: azbigdogs at gmx.com (Mark) Date: Mon, 10 Aug 2020 17:19:07 -0700 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810174848.0000630b@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> Message-ID: I was thinking about getting an app called iPGMail for iPhone/iPad to use PGP on them. From my very limited experience it looks like it might be a good choice as well. On 8/10/2020 8:49 AM, Stefan Claas wrote: > Micha? G?rny wrote: > > [...] > >> Why use PGP on your phone if you carry a whole laptop with you anyway? > Good question. There is software for Andoid available called OpenKeyChain, > which as understood is the defacto standard for Android smartphone users, > in combination with a MUA for Android. > > The question IMHO now is what should mobile device users do now? I showed > a solution, assuming those users have an offline laptop too, which then > would allow them to comfortably and securely create their messages. > > Not all people can purchase now a new smartphone with a more secure OpenSource > OS and new SIM, I assume. > > I also do not know if it is common if people use an (compromised?) online > laptop, as a smartphone, when on the road. > > Regards > Stefan > From guru at unixarea.de Tue Aug 11 09:15:33 2020 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 11 Aug 2020 09:15:33 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810090751.000022d4@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> Message-ID: <20200811071533.GB19975@sh4-5.1blu.de> El d?a Montag, August 10, 2020 a las 09:07:51 +0200, Stefan Claas escribi?: > > One can use a Linux mobile phone running UBports.com (as I and all my family do) > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). > > Yes, people gave me already (not from here of course) good advise for other OSs > which one can use. The question is how long will those OSs been unaffected ... The kernel and all apps are OpenSource i.e. people can (and do) read the sources. It's impossible to build in backdoors. The attack could come through the firmware in the chips (which are not OpenSource). For this the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS). The authorities can not track you. See: https://puri.sm/products/librem-5/ matthias -- Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub May, 9: ???????? ????????????! Thank you very much, Russian liberators! From sac at 300baud.de Tue Aug 11 10:32:17 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 10:32:17 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811071533.GB19975@sh4-5.1blu.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200811071533.GB19975@sh4-5.1blu.de> Message-ID: <20200811103217.00003d79@300baud.de> Matthias Apitz wrote: > El d?a Montag, August 10, 2020 a las 09:07:51 +0200, Stefan Claas escribi?: > > > > One can use a Linux mobile phone running UBports.com (as I and all my family do) > > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). > > > > Yes, people gave me already (not from here of course) good advise for other OSs > > which one can use. The question is how long will those OSs been unaffected ... > > The kernel and all apps are OpenSource i.e. people can (and do) read the > sources. It's impossible to build in backdoors. The attack could come > through the firmware in the chips (which are not OpenSource). For this > the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to > poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS). > > The authorities can not track you. See: > > https://puri.sm/products/librem-5/ Thanks for the information! While it is a nice product, according to their web site, they say they run Gnu/Linux. Do you think that Gnu/Linux can't be hacked? Or better said, should we all (those who use encryption software often) still use it directly on online devices? Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From sac at 300baud.de Tue Aug 11 11:39:31 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 11:39:31 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> Message-ID: <20200811113931.000060e2@300baud.de> Mark wrote: > I was thinking about getting an app called iPGMail for iPhone/iPad to > use PGP on them. From my very limited experience it looks like it might > be a good choice as well. For me it looks like that encryption al? OpenPGP, whether iOS or Android is unfortunately dead, after I have seen Mr Snowden's YouTube Video. Based on my proposal, I would like to see in the future (OpenSource) *hardware* based encryption products, for at least voice comms, which is affordable for the majority of us and easy to use, so that people do not need to use good old email encryption for important things, on a mobile device. https://www.securstar.com/en/phonecrypt-voice.html Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From johanw at vulcan.xs4all.nl Tue Aug 11 16:19:36 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue, 11 Aug 2020 16:19:36 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811113931.000060e2@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> Message-ID: <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> On 11-08-2020 11:39, Stefan Claas wrote: > Based on my proposal, I would like to see in the future (OpenSource) > *hardware* based encryption products, for at least voice comms, which > is affordable for the majority of us and easy to use, so that people > do not need to use good old email encryption for important things, > on a mobile device. Why hardware? If a bug is found you can't upgrade it easily. On mobile, encrypted messengers are the norm. WhatsApp is the biggest, and it uses Signal's encryption algorithm which is excellent. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From sac at 300baud.de Tue Aug 11 17:18:55 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 17:18:55 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> Message-ID: <20200811171855.00002e2c@300baud.de> Johan Wevers wrote: > On 11-08-2020 11:39, Stefan Claas wrote: > > > Based on my proposal, I would like to see in the future (OpenSource) > > *hardware* based encryption products, for at least voice comms, which > > is affordable for the majority of us and easy to use, so that people > > do not need to use good old email encryption for important things, > > on a mobile device. > > Why hardware? If a bug is found you can't upgrade it easily. Because hardware can't be tampered with like software. > On mobile, encrypted messengers are the norm. WhatsApp is the biggest, > and it uses Signal's encryption algorithm which is excellent. And you think that continuing with those is a good practice since Mr Snowden's YouTube Video was released? You may like to read an older brochure of Pegasus and then tell us your thoughts. https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html or Google for zero-click attacks/exploits. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From gpg-users at chiraag.me Tue Aug 11 17:41:00 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Tue, 11 Aug 2020 15:41:00 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811171855.00002e2c@300baud.de> References: <20200807133515.00005086@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> Message-ID: <20200811154054.GA207@chiraag> 11/08/20 17:18 ?????, Stefan Claas ??????: > > And you think that continuing with those is a good practice since > Mr Snowden's YouTube Video was released? I mean, don't you think it's odd that you can't find a single other source for those statements coming from Snowden? And don't you find it odd that Pegasus is claimed to be a Russian group, when in fact they're Israeli (showing a basic lack of care regarding factual statements that are easily verified or debunked)? I don't think Snowden would make that sort of mistake, and I would think we'd see a lot more articles or videos or whatever about this. Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face value? Not really, no. And I doubt that Snowden actually said all of those things as one coherent statement (although they might be various statements taken from various different interviews or speeches or whatever). The whole veracity of the video rests on Snowden's authority, and I suspect the people who made the video are banking on people trusting it because it seems to come from Snowden. Sincerely, Chiraag -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Tue Aug 11 18:17:15 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 18:17:15 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811154054.GA207@chiraag> References: <20200807133515.00005086@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> <20200811154054.GA207@chiraag> Message-ID: <20200811181543.000066c6@300baud.de> ?????? ?????? via Gnupg-users wrote: > > 11/08/20 17:18 ?????, Stefan Claas ??????: > > > > And you think that continuing with those is a good practice since > > Mr Snowden's YouTube Video was released? > > I mean, don't you think it's odd that you can't find a single other source for those statements coming from Snowden? And > don't you find it odd that Pegasus is claimed to be a Russian group, when in fact they're Israeli (showing a basic lack of > care regarding factual statements that are easily verified or debunked)? I don't think Snowden would make that sort of > mistake, and I would think we'd see a lot more articles or videos or whatever about this. > > Is Pegasus dangerous? Absolutely. Do I take the claims in the video at face value? Not really, no. And I doubt that Snowden > actually said all of those things as one coherent statement (although they might be various statements taken from various > different interviews or speeches or whatever). > > The whole veracity of the video rests on Snowden's authority, and I suspect the people who made the video are banking on > people trusting it because it seems to come from Snowden. Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From andrewg at andrewg.com Tue Aug 11 20:32:30 2020 From: andrewg at andrewg.com (Andrew Gallagher) Date: Tue, 11 Aug 2020 19:32:30 +0100 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811181543.000066c6@300baud.de> References: <20200811181543.000066c6@300baud.de> Message-ID: <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some form or another. If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in the first place (i.e. update regularly and don?t click on anything unsolicited), and don?t use your phone for anything that would endanger your life if you were rooted. Andrew Gallagher > On 11 Aug 2020, at 17:18, Stefan Claas wrote: > > Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me. From sac at 300baud.de Tue Aug 11 20:57:57 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 20:57:57 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> Message-ID: <20200811205757.000005ec@300baud.de> Andrew Gallagher wrote: > It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and > whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and > similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some > form or another. Fully agree! > If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or > PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in > the first place (i.e. update regularly and don?t click on anything unsolicited), and don?t use your phone for anything that > would endanger your life if you were rooted. I must admit that I only use a smartphone for a couple of months now, because I wanted to see what things I can do with it. Besides that I must also say that I am no fan of smartphone technology. You say that we must be careful that not someone roots our smartphone. As understood a Pegasus operator can do what ever he likes to do remotely, anonymously with our (Android/iOS) smartphone, without that we know that this happens. And then some people may also have problems with their Desktop computer, in case FinFisher and friends allows zero-clicks too, which we don't know. So, to sum it up (I know you prefer Tails) would you agree that sooner or later the community should develop strategies, in form of a best practice FAQ (cross-platform), to no longer use encryption software on online devices and work out strategies to use offline devices and how to handle this data securely over to an online device, until proper and affordable hardware encryption devices for online usage are available? Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From gpg-users at chiraag.me Tue Aug 11 21:13:17 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Tue, 11 Aug 2020 19:13:17 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> Message-ID: <20200811191311.GA207@chiraag> I suppose, you're right. I'm wary of blindly believing videos, especially when faking them has become relatively easy at this point. I think one thing both Android and iOS get wrong is that the user isn't really in control of the device. So many manufacturer ROMs have built-in bloatware and various apps you'll never use, and there's no way to get rid of it. There are different classes of apps with differing levels of access to the internals of the OS, and there isn't much you can do about it. And on iOS, you're at the mercy of Apple as to whether your device remains supported and whether e.g. bugs in WebKit (the only renderer available on iOS) get fixed for your device. While custom ROMs solve some of these issues, most phones are bought with a locked bootloader (since most people aren't rich enough to buy their smartphones outright and end up leasing them through the service provider), which sort of renders that argument moot for *most* people. Fundamentally, while a Linux phone may not necessarily have all of the hardening or whatever that many Android phones come with today, I'd argue that the privacy aspects, and the fact that the user truly _owns_ their device, more than make up for those (current) deficiencies. It will be easier, I think, to defend against what you're talking about in terms of malware, shady links, and so on because you have the opportunity to control literally *everything* running on your device. Once I get my PinePhone, one of the first things I will be doing is playing around with things like firejail to see if I can get seamless sandboxing for most programs (I already heavily utilize firejail on my laptop). And I suspect that level of control (and ability to keep receiving updates, no matter how old the phone) will put Linux phones over the top in terms of security. Sincerely, Chiraag -- ?????? ?????? Pronouns: he/him/his 11/08/20 19:32 ?????, Andrew Gallagher ??????: > > It matters little whether these statements were made by Snowden. Whether a particular piece of software exists or not, and whether it is owned by the Russians or the Israelis or the Americans, is beside the point. In principle, it can exist and similar pieces of software have existed in the past, so we can safely assume that something like it will always exist in some form or another. > > If someone roots your phone, or your laptop, it is Game Over. It does not matter if you are using Signal, or WhatsApp, or PGP. If the Bad Guys have rooted your phone you are helpless against them. The solution is not to let them root your phone in the first place (i.e. update regularly and don?t click on anything unsolicited), and don?t use your phone for anything that would endanger your life if you were rooted. > > Andrew Gallagher > > > On 11 Aug 2020, at 17:18, Stefan Claas wrote: > > > > Please ask native U.S. citizens if this is a video with a faked voice from Mr. Snowden, not me. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From johanw at vulcan.xs4all.nl Tue Aug 11 21:18:24 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue, 11 Aug 2020 21:18:24 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811171855.00002e2c@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> Message-ID: On 11-08-2020 17:18, Stefan Claas wrote: >> Why hardware? If a bug is found you can't upgrade it easily. > > Because hardware can't be tampered with like software. If a hardware bug is found you're still lost. Even Apple has found out the hard way. >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest, >> and it uses Signal's encryption algorithm which is excellent. > > And you think that continuing with those is a good practice since > Mr Snowden's YouTube Video was released? It is a risk, but not a bigger risk than someone taking over your pc or laptop. Signal and GnuPG are both defenseless against that. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From vedaal at nym.hush.com Tue Aug 11 21:49:25 2020 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 11 Aug 2020 15:49:25 -0400 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811205757.000005ec@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> Message-ID: <20200811194926.00033801885@smtp.hushmail.com> On 8/11/2020 at 3:00 PM, "Stefan Claas" wrote: ... >As understood a Pegasus operator can do what ever >he likes to do remotely, anonymously with our (Android/iOS) >smartphone, without that we know that this happens. ... >in form of a best practice FAQ (cross-platform), to no longer use >encryption software on online devices and work out >strategies to use offline devices and how to handle this data >securely over to an online device, until proper and affordable >hardware encryption devices for online usage are available? ===== There is already a simple existing solution. [1] Encrypt and decrypt on a computer that has internet hardware disabled. [2] Use an Orbic Journey V phone that gets and sends *only text* [3] Use a microsd expansion card on the orbis phone [4] set up the phone to save encrypted texts on the microsd 'storage' card [5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted) Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line. (this includes audio, video .jpg, .png, pdf, etc. literally any and all possible file types.) Even if the Orbic uses the *unknown* system, if your are encrypting and decrypting on a separate air-gapped computer, and transferring only text to a microsd, it is hard to see how it can be compromised. (Yes *Anything* can happen, but without evidence, there is no end to paranoia) It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file. The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it. The rest is up to the User's threat model. (btw, There is, [afaik], no protection available in GnuPG against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer, and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message by flicking a wand at it, and using the simple charm 'Revelato' ) but not really in my threat model 8^)))) vedaal From sac at 300baud.de Tue Aug 11 22:10:24 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 22:10:24 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> Message-ID: <20200811221024.00001e85@300baud.de> Johan Wevers wrote: > On 11-08-2020 17:18, Stefan Claas wrote: > > >> Why hardware? If a bug is found you can't upgrade it easily. > > > > Because hardware can't be tampered with like software. > > If a hardware bug is found you're still lost. Even Apple has found out > the hard way. Yes, you are right. While I am no programmer I would assume that designers of such little hardware devices, same as YubiKey or Nitrokey for example, do not have to deal with a boatload of large software components, burned into ROMS. > >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest, > >> and it uses Signal's encryption algorithm which is excellent. > > > > And you think that continuing with those is a good practice since > > Mr Snowden's YouTube Video was released? > > It is a risk, but not a bigger risk than someone taking over your pc or > laptop. Signal and GnuPG are both defenseless against that. Yes, a risk, but at what price? I could imagine that many people do not care to much if it hurts journalists or activists from foreign countries. But how about cybercrimes in general? https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From gpg-users at chiraag.me Tue Aug 11 22:21:11 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Tue, 11 Aug 2020 20:21:11 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811221024.00001e85@300baud.de> References: <20200807133515.00005086@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> <20200811221024.00001e85@300baud.de> Message-ID: <20200811202100.GA207@chiraag> Yubikey dealt with a mass recall only last year due to a bug in their firmware: https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html -- ?????? ?????? Pronouns: he/him/his 11/08/20 22:10 ?????, Stefan Claas ??????: > > Johan Wevers wrote: > > > On 11-08-2020 17:18, Stefan Claas wrote: > > > > >> Why hardware? If a bug is found you can't upgrade it easily. > > > > > > Because hardware can't be tampered with like software. > > > > If a hardware bug is found you're still lost. Even Apple has found out > > the hard way. > > Yes, you are right. While I am no programmer I would assume that designers > of such little hardware devices, same as YubiKey or Nitrokey for example, > do not have to deal with a boatload of large software components, burned > into ROMS. > > > >> On mobile, encrypted messengers are the norm. WhatsApp is the biggest, > > >> and it uses Signal's encryption algorithm which is excellent. > > > > > > And you think that continuing with those is a good practice since > > > Mr Snowden's YouTube Video was released? > > > > It is a risk, but not a bigger risk than someone taking over your pc or > > laptop. Signal and GnuPG are both defenseless against that. > > Yes, a risk, but at what price? I could imagine that many people do not > care to much if it hurts journalists or activists from foreign countries. > > But how about cybercrimes in general? > > https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From johanw at vulcan.xs4all.nl Tue Aug 11 22:58:46 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue, 11 Aug 2020 22:58:46 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811194926.00033801885@smtp.hushmail.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> Message-ID: <13af230c-6033-b53d-211e-908c36beeaad@vulcan.xs4all.nl> On 11-08-2020 21:49, vedaal via Gnupg-users wrote: > There is already a simple existing solution. Simple is not how I see this. > [1] Encrypt and decrypt on a computer that has internet hardware disabled. > [2] Use an Orbic Journey V phone that gets and sends *only text* > [3] Use a microsd expansion card on the orbis phone The Iranians though this too. And then someone invents Stuxnet-like attack software. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From sac at 300baud.de Tue Aug 11 23:02:44 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 11 Aug 2020 23:02:44 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811202100.GA207@chiraag> References: <20200807133515.00005086@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> <20200811221024.00001e85@300baud.de> <20200811202100.GA207@chiraag> Message-ID: <20200811230038.00006309@300baud.de> ?????? ?????? via Gnupg-users wrote: > Yubikey dealt with a mass recall only last year due to a bug in their firmware: > https://www.engadget.com/2019-06-13-yubico-recalls-government-grade-security-keys-due-to-bug.html Quote: Fortunately, any affected customers will receive a replacement key. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From brian at minton.systems Tue Aug 11 21:56:35 2020 From: brian at minton.systems (Brian Minton) Date: Tue, 11 Aug 2020 14:56:35 -0500 Subject: Why does gpg -k write to tofu.db? Message-ID: <20200811195634.GA14182@lab.bjmgeek.science> I have a lot of public keys in my keybox (it's about 45 MB or so). I was trying to figure out why seemingly innocent tasks in gpg take a very long time. It seems that gnupg is making a very long running transaction to the sqlite3 database ~/.gnupg/tofu.db laptop:~/.gnupg$ date;ls -last Tue 11 Aug 2020 03:38:14 PM EDT total 101184 4 drwxr-xr-x 109 bminton bminton 4096 Aug 11 15:35 .. 12 drwx------ 5 bminton bminton 12288 Aug 11 15:17 . 112 -rw-r--r-- 1 bminton bminton 111320 Aug 11 15:16 tofu.db-journal 4 -rw------- 1 bminton bminton 600 Aug 11 15:16 random_seed 2580 -rw-r--r-- 1 bminton bminton 2637824 Aug 11 15:16 tofu.db 0 -rw------- 1 bminton bminton 0 Aug 11 15:16 tofu.db-want-lock 4 -rw-r--r-- 1 bminton bminton 26 Aug 11 15:05 .#lk0xxxxx... So, this seems like the transaction has been running for at least 20 minutes. That's just to run gpg -k Why does gpg -k need to write to the tofu db? I should mention that gpg is running at 100% cpu in the R state. Before starting the gpg -k command, I killed all gpg processes with gpgconf --kill all just to make sure there was no other process trying to talk to gpg. This seems like it may also be related to https://dev.gnupg.org/T1938 or https://dev.gnupg.org/T2019 but I'm not sure. Some version info: gpg (GnuPG) 2.2.20 libgcrypt 1.8.4 Linux kernel 5.5.0 Debian 10 (buster) + backports arch: x86_64 hardware: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz with 4 cores (note that gpg only seems to be pegging one core) 16 GB RAM SATA SSD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: From sac at 300baud.de Wed Aug 12 00:24:23 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 00:24:23 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811194926.00033801885@smtp.hushmail.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> Message-ID: <20200812002423.00003bef@300baud.de> vedaal at nym.hush.com wrote: > There is already a simple existing solution. > > [1] Encrypt and decrypt on a computer that has internet hardware disabled. > > [2] Use an Orbic Journey V phone that gets and sends *only text* > > [3] Use a microsd expansion card on the orbis phone > > [4] set up the phone to save encrypted texts on the microsd 'storage' card > > [5] Take out the microsd card and use a card reader in the computer in [1] transfer text only (encrypted or decrypted) > > Any file can be sent as encrypted text by using the armor option -a on the GnuPG command line. > (this includes audio, video .jpg, .png, pdf, etc. literally any and all possible file types.) > > Even if the Orbic uses the *unknown* system, if your are encrypting and decrypting on a separate air-gapped computer, and > transferring only text to a microsd, it is hard to see how it can be compromised. (Yes *Anything* can happen, but without > evidence, there is no end to paranoia) (I only replied to you and not the list) Thanks for the detailed description, much appreciated! > It is not the place of the FAQ to solve the transmission issues of an already perfectly formed GnuPG encrypted .asc file. > > The manual and/or FAQ, tells how to use GnuPG to encrypt or decrypt the file, and armor it. > > The rest is up to the User's threat model. Well, yes and no. It should be a least discussed and if to many people write from old FAQs new tutorials then new users will never know these dangers, when using online devices. > (btw, > There is, [afaik], no protection available in GnuPG > against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer, > and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message > by flicking a wand at it, and using the simple charm 'Revelato' ) I think I know what you mean. But I think it does not scale well for the masses due to manpower shortage. > but not really in my threat model 8^)))) Mine neither. :-) Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From brian at minton.name Tue Aug 11 23:40:44 2020 From: brian at minton.name (Brian Minton) Date: Tue, 11 Aug 2020 17:40:44 -0400 Subject: Why does gpg -k write to tofu.db? In-Reply-To: <20200811195634.GA14182@lab.bjmgeek.science> References: <20200811195634.GA14182@lab.bjmgeek.science> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, Aug 11, 2020 at 5:32 PM Brian Minton wrote: > > I have a lot of public keys in my keybox (it's about 45 MB or so). > I was trying to figure out why seemingly innocent tasks in gpg take > a very long time. It seems that gnupg is making a very long > running transaction to the sqlite3 database ~/.gnupg/tofu.db > This did eventually complete: pops-mintonw10:~/.gnupg$ time gpg -k|wc -l 13729 real 117m26.112s user 25m56.486s sys 90m31.859s -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQTu0BWAE9wubW4AHqQ3uVB6z/IBbgUCXzMQOAAKCRA3uVB6z/IB buclAQCkAgCcf5qGZg0Z57NLBl1FiE1x/cKnzD8V5Hy6++UW+AD7BHRFb90QZv8d cHrod3qCQb9dqZwmyQk8sLsADTH6uweIdQQBEQgAHRYhBPnEu3YOeD8N7BCmimuO s6Blz7qpBQJfMxA4AAoJEGuOs6Blz7qpqvEA/1ZkQLqdOLMSeJA+vle3nPe0m8j+ hrfGY2rjEyQAJKQGAP9vsR4vZ8BjgcNvVWnePvrEoRJ4CvkrQwa56193kvisJw== =ZXla -----END PGP SIGNATURE----- From brian at minton.name Tue Aug 11 23:45:29 2020 From: brian at minton.name (Brian Minton) Date: Tue, 11 Aug 2020 17:45:29 -0400 Subject: Why does gpg -k write to tofu.db? In-Reply-To: References: <20200811195634.GA14182@lab.bjmgeek.science> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, Aug 11, 2020 at 5:32 PM Brian Minton wrote: > > I have a lot of public keys in my keybox (it's about 45 MB or so). > I was trying to figure out why seemingly innocent tasks in gpg take > a very long time. It seems that gnupg is making a very long > running transaction to the sqlite3 database ~/.gnupg/tofu.db > This did eventually complete: pops-mintonw10:~/.gnupg$ time gpg -k|wc -l 13729 real 117m26.112s user 25m56.486s sys 90m31.859s -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQTu0BWAE9wubW4AHqQ3uVB6z/IBbgUCXzMRXgAKCRA3uVB6z/IB bn01AP9W/gmgerjE836I0I1wDnLwqDsHL8zI5Ns47MaMOmJo+gD7BQtr67zdb8Wo LoRRRASIMbzR+lIbBg1xbuvXcNkZdQiIdQQBEQgAHRYhBPnEu3YOeD8N7BCmimuO s6Blz7qpBQJfMxFeAAoJEGuOs6Blz7qp4T0A/2ts7xVV21ywpbVXPwaaCmJO8DhN VEsYBhja9VjfBB2rAP0WFbgbAsjKhuCh/ilot78DKS0xNbLjnwKYRUkTVNhC3A== =23f5 -----END PGP SIGNATURE----- From philihp at gmail.com Wed Aug 12 04:44:42 2020 From: philihp at gmail.com (Philihp Busby) Date: Wed, 12 Aug 2020 02:44:42 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <20200811113931.000060e2@300baud.de> <77c282b1-8f37-92d3-4d2f-11392700b8c7@vulcan.xs4all.nl> <20200811171855.00002e2c@300baud.de> Message-ID: <20200812024442.GB43649@jinteki.lan> On 2020-08-11T21:18:24+0200 Johan Wevers wrote 0.9K bytes: > On 11-08-2020 17:18, Stefan Claas wrote: > > >> Why hardware? If a bug is found you can't upgrade it easily. > > > > Because hardware can't be tampered with like software. > > If a hardware bug is found you're still lost. Even Apple has found out > the hard way. A hardware smartcard is meant to be a closed system, and you can enumerate all (or fuzz most) of the possible inputs. If you have a Nest thermostat, why bother with an alcohol thermometer? Perhaps there is a bug with your Nest and it reports in Farenheit instead of Celcius. Google can issue an update, and send out an email apologizing profusely. If your alcohol thermometer is inaccurate, your homeostasis is surely doomed. From andrewg at andrewg.com Wed Aug 12 11:42:47 2020 From: andrewg at andrewg.com (Andrew Gallagher) Date: Wed, 12 Aug 2020 10:42:47 +0100 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811205757.000005ec@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> Message-ID: <2eec830c-95a6-bd79-d56e-d942bdcfec8d@andrewg.com> On 11/08/2020 19:57, Stefan Claas wrote: > So, to sum it up (I know you prefer Tails) would you agree that > sooner or later the community should develop strategies, in form of a > best practice FAQ (cross-platform), to no longer use encryption > software on online devices and work out strategies to use offline > devices and how to handle this data securely over to an online > device, until proper and affordable hardware encryption devices for > online usage are available? The problem with best practices is that they are context-dependent. Any FAQ that steps outside the purely technical domain into operational security will be misleading at best, and outright dangerous at worst. I am a Tails user, but I only use it for specific things - I don't boot it up for my everyday work (that would be insane, given my job). But my threat model is very different to that of others, so I would never presume to tell them that my best practice should be theirs. Hardware encryption devices are already plentiful. The problem is that secure hardware comes at a huge cost in flexibility, meaning that only a small part of our computing landscape will ever be "secure hardware". That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small, limited-functionality device is much more likely to be secure because it is much easier to audit. Anything with the breadth of functionality of a general-purpose computer will never be fully trustworthy. Your CPU is an entire GP computer, buried in another computer. Same with your SSD drive. A USB-C *cable* now has more computing power than the Apollo moon mission. It's software all the way down. No, you should not stop using encryption software on online devices. That would be insane. We should be adding more encryption at multiple levels, so that compromise of one layer of encryption does not mean a compromise of the entire system. Defence in depth is the only long-term sustainable strategy. -- Andrew Gallagher -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Wed Aug 12 13:51:37 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 13:51:37 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <2eec830c-95a6-bd79-d56e-d942bdcfec8d@andrewg.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <2eec830c-95a6-bd79-d56e-d942bdcfec8d@andrewg.com> Message-ID: <20200812135118.00007271@300baud.de> Andrew Gallagher wrote: > On 11/08/2020 19:57, Stefan Claas wrote: > > So, to sum it up (I know you prefer Tails) would you agree that > > sooner or later the community should develop strategies, in form of a > > best practice FAQ (cross-platform), to no longer use encryption > > software on online devices and work out strategies to use offline > > devices and how to handle this data securely over to an online > > device, until proper and affordable hardware encryption devices for > > online usage are available? > > The problem with best practices is that they are context-dependent. Any > FAQ that steps outside the purely technical domain into operational > security will be misleading at best, and outright dangerous at worst. I > am a Tails user, but I only use it for specific things - I don't boot it > up for my everyday work (that would be insane, given my job). But my > threat model is very different to that of others, so I would never > presume to tell them that my best practice should be theirs. > > Hardware encryption devices are already plentiful. The problem is that > secure hardware comes at a huge cost in flexibility, meaning that only a > small part of our computing landscape will ever be "secure hardware". > That's why we have Yubikeys, smartcards, HSMs, Nitrokeys, etc. A small, > limited-functionality device is much more likely to be secure because it > is much easier to audit. Anything with the breadth of functionality of a > general-purpose computer will never be fully trustworthy. Your CPU is an > entire GP computer, buried in another computer. Same with your SSD > drive. A USB-C *cable* now has more computing power than the Apollo moon > mission. It's software all the way down. Thank you very much for your reply, much appreciated! > No, you should not stop using encryption software on online devices. > That would be insane. We should be adding more encryption at multiple > levels, so that compromise of one layer of encryption does not mean a > compromise of the entire system. Defence in depth is the only long-term > sustainable strategy. While I personally stopped using online encryption, long ago, after my Linux system was hacked, I like to mention (in case people do not know) that YubiKeys and Nitrokeys allow also login-in protection via 2FA and that than sudo usage requires also tapping on the YubiKey, besides pw usage. Not sure if it is the same procedure with a Nitrokey. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From felix at audiofair.de Wed Aug 12 13:56:42 2020 From: felix at audiofair.de (Felix) Date: Wed, 12 Aug 2020 13:56:42 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812002423.00003bef@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200812002423.00003bef@300baud.de> Message-ID: <8d0b60db-5adc-c3a9-93bd-0e1cdf19a9c9@audiofair.de> Just adding my 2 cents to this discussion. I think it doesn't matter what sort of spyware potentially exists somewhere out there for some phone, what matters is whether it is on your phone. This isn't really about the security of OpenPGP either but about a fundamental trust in the things we use both hardware and software. I can recommend this video from 36C3 that talks about hardware security (spoilers: its absolutely non trivial and nigh impossible to verify): https://www.youtube.com/watch?v=Hzb37RyagCQ It's also about threat models that you as the user of software (that you trust does its job correctly) are trying to protect against. If an attacker having root access to your device is part of a threat you want to defend against your only choice is to use a (hopefully) known good device that performs the encryption/decryption for you. If you are only interested in end to end encryption where the message might be intercepted in transit or verification of signatures then OpenPGP does its job pretty damn well still. There is not a single encryption algorithm that can't be defeated by simply having full access to the device it is running on. Now we can talk about mitigations that exist for the threat model where the device you are using to read/send messages is compromised and I think the recommendations in this thread are pretty sound. I personally have been using OpenKeychain and a Yubikey via NFC. That means that while any message that I have decrypted might be compromised the keys used to decrypt are still secure (under the assumption that Yubikeys are as secure as advertised, see the video above). For me this is secure enough. For you it might not be. I think that in general users of software should be aware that the environment their software is running in is a threat vector, if you do not trust it or you only trust it so far then only keep information you can afford to get compromised in it. If you are a person under close government watch, live in an authoritarian regime or are a dissident I would of course recommend to use an airgapped device. If you are working for a company with important trade secrets you hopefully don't have access to those on your phone anyway. If you are a normal person not defending against any sort of advanced persistent threat I think a smartphone still offers decent (enough) security in day to day use for non-sensitive information. And then there is of course still: https://xkcd.com/538/ In the end it all comes down to: How much effort is the attacker going to spend on you? That determines how much effort you need to spend to protect yourself against them. From ryan at digicana.com Wed Aug 12 17:10:03 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 15:10:03 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200810174848.0000630b@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> Message-ID: <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> I guess the real question is: what are people using PGP for on mobile devices?? If it's for communication, that's silly.? There are at least a half dozen far, far, far better ways to securely communicate on a smartphone.? Also -- unless you are steeped in the security industry and run a hardened OS, your laptop is likely as vulnerable if not more vulnerable to the kinds of state level actors deploying this kind of mobile malware.? The best mobile devices are far less vulnerable than typically configured PCs.? An iPad is likely orders of magnitude more secure than using a laptop with a typical consumer OS (Windows, Ubuntu, etc).? Both can be compromised but the iPad, if kept up to date, is going to be a much more expensive target.? The people of the world with Snowden-level paranoia (at least the ones not tied to some nation's security service) are using air-gapped internet-virgin hardware to communicate.? For everyone else, a locked down (location services off, iCloud account off, always-on VPN, kept in faraday bag when not in use) iPhone/iPad is as close as they're going to get to real privacy/security.? On 8/10/20 10:49 AM, Stefan Claas wrote: > Micha? G?rny wrote: > > [...] > >> Why use PGP on your phone if you carry a whole laptop with you anyway? > Good question. There is software for Andoid available called OpenKeyChain, > which as understood is the defacto standard for Android smartphone users, > in combination with a MUA for Android. > > The question IMHO now is what should mobile device users do now? I showed > a solution, assuming those users have an offline laptop too, which then > would allow them to comfortably and securely create their messages. > > Not all people can purchase now a new smartphone with a more secure OpenSource > OS and new SIM, I assume. > > I also do not know if it is common if people use an (compromised?) online > laptop, as a smartphone, when on the road. > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From ryan at digicana.com Wed Aug 12 17:15:33 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 15:15:33 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811103217.00003d79@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200811071533.GB19975@sh4-5.1blu.de> <20200811103217.00003d79@300baud.de> Message-ID: <2b885683-3308-d6ad-5181-92e1009d39d8@digicana.com> If you don't want to be location tracked on a mobile device you just power it off and put it in a Faraday bag when not in use.? https://silent-pocket.com/ If you want to deep dive into this sort of thing (it's a really deep lake), give this book a read:? https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0 On 8/11/20 3:32 AM, Stefan Claas wrote: > Matthias Apitz wrote: > >> El d?a Montag, August 10, 2020 a las 09:07:51 +0200, Stefan Claas escribi?: >> >>>> One can use a Linux mobile phone running UBports.com (as I and all my family do) >>>> or the upcoming Puri.sm L5 (as I pre-ordered in October 2017). >>> Yes, people gave me already (not from here of course) good advise for other OSs >>> which one can use. The question is how long will those OSs been unaffected ... >> The kernel and all apps are OpenSource i.e. people can (and do) read the >> sources. It's impossible to build in backdoors. The attack could come >> through the firmware in the chips (which are not OpenSource). For this >> the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to >> poweroff WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS). >> >> The authorities can not track you. See: >> >> https://puri.sm/products/librem-5/ > Thanks for the information! While it is a nice product, according to their web site, > they say they run Gnu/Linux. Do you think that Gnu/Linux can't be hacked? Or better > said, should we all (those who use encryption software often) still use it directly > on online devices? > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Wed Aug 12 17:25:29 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 17:25:29 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <8d0b60db-5adc-c3a9-93bd-0e1cdf19a9c9@audiofair.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200812002423.00003bef@300baud.de> <8d0b60db-5adc-c3a9-93bd-0e1cdf19a9c9@audiofair.de> Message-ID: <20200812172529.00004b99@300baud.de> Felix wrote: [...] apologies for not quoting each paragraph from you! No doubt that a system tool (like Werner says) like GnuPG or any others for that matter, which are free and OpenSource, are good tools people rely on. We all know that threats for online devices exist and mostly bugs or security holes are more or less quickly discovered and fixed. I believe that users interested in security and privacy always try to strive for the best solutions available, regardless of their threat model, i.e. what is good for activists or journalist in oppressed regimes etc. (which received advice and how-to's from professionals) may also be good for us, when trying to protect things we are doing online. My concern however, with the advancement of these powerful tools is that this is already a 'Russian roulette' while there is currently no defense AFAIK against them or guarantees that these tools are not been misused by third parties. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From ryan at digicana.com Wed Aug 12 17:33:02 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 15:33:02 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <13af230c-6033-b53d-211e-908c36beeaad@vulcan.xs4all.nl> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <13af230c-6033-b53d-211e-908c36beeaad@vulcan.xs4all.nl> Message-ID: <99e34535-13ff-640c-038a-1cffe2172aee@digicana.com> I presume the goal of people (who know what they are doing) going through all these inconvenient steps isn't to build the perfect impenetrable fortress of security (which doesn't exist) but rather to make it more difficult or expensive to circumvent from the threat actor's perspective, hopefully to the point where it's not worth it.? An iOS 0day used to run over a million buckaroos on the open market (it's cheaper now, Apple's security has flagged a bit in recent years) so it's not something Script-Kiddie McHighshoolKid? is going to use to try to get at your filthy nudes.? But I wouldn't run the SCADA control interface of my highly controversial uranium centrifuge farm on my iPhone, because spending a million buckaroos is like dropping a penny in a pond for the kinds of actors who'd be interested in that sort of thing.? If you're trying to defeat the amorous advances of the NSA and you don't have the support and training of an entire nation's intelligence agency behind you, just accept that you've already lost.? Also, don't post here, anyone the NSA is actively interested in lives a life way too interesting to be self-owning any kind of OSINT about themselves in public.? For the average bloke, owning an iPhone with a strong passcode and using Signal or Wire to communicate is going to give them some of the best hardware and communications security money can buy.? ? On 8/11/20 3:58 PM, Johan Wevers wrote: > On 11-08-2020 21:49, vedaal via Gnupg-users wrote: > >> There is already a simple existing solution. > Simple is not how I see this. > >> [1] Encrypt and decrypt on a computer that has internet hardware disabled. >> [2] Use an Orbic Journey V phone that gets and sends *only text* >> [3] Use a microsd expansion card on the orbis phone > The Iranians though this too. And then someone invents Stuxnet-like > attack software. > > -- > ir. J.C.A. Wevers > PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Wed Aug 12 18:46:14 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 18:46:14 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> References: <20200807133515.00005086@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> Message-ID: <20200812184557.0000141c@300baud.de> Ryan McGinnis via Gnupg-users wrote: > I guess the real question is: what are people using PGP for on mobile > devices?? If it's for communication, that's silly.? There are at least a > half dozen far, far, far better ways to securely communicate on a > smartphone.? Well, it is listed by the OpenPGP experts: https://www.openpgp.org/software/openkeychain/ Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From ryan at digicana.com Wed Aug 12 18:56:52 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 16:56:52 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812184557.0000141c@300baud.de> References: <20200807133515.00005086@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> Message-ID: <813d8b1a-c657-61c8-4a35-e0d267e7abff@digicana.com> Well yes I realize that it exists, what I'm saying is why would anyone use it for secure communications on a smartphone when there are solutions orders of magnitude more secure and simple to use.? It'd be like buying a helicopter but deciding you'd still fly only 2 feet off the ground and stick to paved roads.? On 8/12/20 11:46 AM, Stefan Claas wrote: > Ryan McGinnis via Gnupg-users wrote: > >> I guess the real question is: what are people using PGP for on mobile >> devices?? If it's for communication, that's silly.? There are at least a >> half dozen far, far, far better ways to securely communicate on a >> smartphone.? > Well, it is listed by the OpenPGP experts: > > https://www.openpgp.org/software/openkeychain/ > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From ryan at digicana.com Wed Aug 12 18:57:19 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 16:57:19 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812184557.0000141c@300baud.de> References: <20200807133515.00005086@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> Message-ID: <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> Well yes I realize that it exists, what I'm saying is why would anyone use it for secure communications on a smartphone when there are solutions orders of magnitude more secure and simple to use.? It'd be like buying a helicopter but deciding you'd still fly only 2 feet off the ground and stick to paved roads.? On 8/12/20 11:46 AM, Stefan Claas wrote: > Ryan McGinnis via Gnupg-users wrote: > >> I guess the real question is: what are people using PGP for on mobile >> devices?? If it's for communication, that's silly.? There are at least a >> half dozen far, far, far better ways to securely communicate on a >> smartphone.? > Well, it is listed by the OpenPGP experts: > > https://www.openpgp.org/software/openkeychain/ > > Regards > Stefan > > -- > my 'hidden' service gopherhole: > gopher://iria2xobffovwr6h.onion -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Wed Aug 12 18:57:14 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 18:57:14 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <2b885683-3308-d6ad-5181-92e1009d39d8@digicana.com> References: <20200807133515.00005086@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200811071533.GB19975@sh4-5.1blu.de> <20200811103217.00003d79@300baud.de> <2b885683-3308-d6ad-5181-92e1009d39d8@digicana.com> Message-ID: <20200812185706.000056cf@300baud.de> Ryan McGinnis via Gnupg-users wrote: > If you don't want to be location tracked on a mobile device you just > power it off and put it in a Faraday bag when not in use.? > https://silent-pocket.com/ Yup, still waiting for my Faraday bags, which I won from the Nym project giveaway. > > If you want to deep dive into this sort of thing (it's a really deep > lake), give this book a read:? > > https://www.amazon.com/gp/product/B0898YGR58/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i0 Thanks for the info! According to the Amazon info he teaches celebrities. I read an article yesterday that a lot of celebrities prefer dump phones over smartphones. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From sac at 300baud.de Wed Aug 12 19:48:55 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 19:48:55 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> References: <20200807133515.00005086@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> Message-ID: <20200812194855.00003531@300baud.de> Ryan McGinnis via Gnupg-users wrote: > Well yes I realize that it exists, what I'm saying is why would anyone > use it for secure communications on a smartphone when there are > solutions orders of magnitude more secure and simple to use.? It'd be > like buying a helicopter but deciding you'd still fly only 2 feet off > the ground and stick to paved roads.? Maybe there was a demand from PGP users and the author fulfilled their wish or it is maybe hip among the young smartphone generation, who grew up with smartphones, to have OpenPGP on a smartphone, because they trust only OpenPGP based software. I don't know. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From sac at 300baud.de Wed Aug 12 20:04:16 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 20:04:16 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812194855.00003531@300baud.de> References: <20200807133515.00005086@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> <20200812194855.00003531@300baud.de> Message-ID: <20200812200416.00005819@300baud.de> Stefan Claas wrote: > Ryan McGinnis via Gnupg-users wrote: > > > Well yes I realize that it exists, what I'm saying is why would anyone > > use it for secure communications on a smartphone when there are > > solutions orders of magnitude more secure and simple to use.? It'd be > > like buying a helicopter but deciding you'd still fly only 2 feet off > > the ground and stick to paved roads.? > > Maybe there was a demand from PGP users and the author fulfilled their > wish or it is maybe hip among the young smartphone generation, who grew > up with smartphones, to have OpenPGP on a smartphone, because they > trust only OpenPGP based software. I don't know. P.S. and it can be used with a smardcard. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From felix at audiofair.de Wed Aug 12 20:07:04 2020 From: felix at audiofair.de (Felix) Date: Wed, 12 Aug 2020 20:07:04 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> References: <20200807133515.00005086@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> Message-ID: <4c6cb6fe-0c5c-c64a-2d59-44e4901bf0da@audiofair.de> I'm not sure that there are solutions orders of magnitude more secure that are available readily. Also people tend to get emails on the go as well that might be encrypted. It's convenient to decrypt emails on a smartphone and not really that insecure if you're using an external device for actual keystorage (such as a Yubikey). I don't actually see what's so silly about the whole thing. On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote: > Well yes I realize that it exists, what I'm saying is why would anyone > use it for secure communications on a smartphone when there are > solutions orders of magnitude more secure and simple to use.? It'd be > like buying a helicopter but deciding you'd still fly only 2 feet off > the ground and stick to paved roads.? > > > > On 8/12/20 11:46 AM, Stefan Claas wrote: >> Ryan McGinnis via Gnupg-users wrote: >> >>> I guess the real question is: what are people using PGP for on mobile >>> devices?? If it's for communication, that's silly.? There are at least a >>> half dozen far, far, far better ways to securely communicate on a >>> smartphone.? >> Well, it is listed by the OpenPGP experts: >> >> https://www.openpgp.org/software/openkeychain/ >> >> Regards >> Stefan >> >> -- >> my 'hidden' service gopherhole: >> gopher://iria2xobffovwr6h.onion > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From ryan at digicana.com Wed Aug 12 20:26:48 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 18:26:48 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812185706.000056cf@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807213326.000007a1@300baud.de> <20200809220613.00000dd9@300baud.de> <20200809233857.GA4440@c720-r342378> <20200810090751.000022d4@300baud.de> <20200811071533.GB19975@sh4-5.1blu.de> <20200811103217.00003d79@300baud.de> <2b885683-3308-d6ad-5181-92e1009d39d8@digicana.com> <20200812185706.000056cf@300baud.de> Message-ID: An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From ryan at digicana.com Wed Aug 12 20:29:45 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Wed, 12 Aug 2020 18:29:45 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <4c6cb6fe-0c5c-c64a-2d59-44e4901bf0da@audiofair.de> References: <20200807133515.00005086@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> <4c6cb6fe-0c5c-c64a-2d59-44e4901bf0da@audiofair.de> Message-ID: An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Wed Aug 12 21:19:54 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 12 Aug 2020 21:19:54 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200807133515.00005086@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> <4c6cb6fe-0c5c-c64a-2d59-44e4901bf0da@audiofair.de> Message-ID: <20200812211314.0000185a@300baud.de> Ryan McGinnis via Gnupg-users wrote: > The reasons to abandon PGP for secure communications?have been accepted in the security community for years. ?Here?s one > security researcher explaining why (there are many others out there with similar sentiments):? > > https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/ He is working at Google and IIRC responsible for Golang crypto libs. Can you do me a favor, in case you have a Twitter account? If so, please ask him what are his thoughts as a Signal user about Pegasus and if a factory reset and new SIM card would be good enough? Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From azbigdogs at gmx.com Thu Aug 13 01:53:33 2020 From: azbigdogs at gmx.com (Mark) Date: Wed, 12 Aug 2020 16:53:33 -0700 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200807133515.00005086@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> <4c6cb6fe-0c5c-c64a-2d59-44e4901bf0da@audiofair.de> Message-ID: For example, in this message from Ryan, Enigmail says it has a bad signature. I think that could be an issue too with it's adoption. On 8/12/2020 11:29 AM, Ryan McGinnis via Gnupg-users wrote: > The reasons to abandon PGP for secure communications?have been > accepted in the security community for years. ?Here?s one security > researcher explaining why (there are many others out there with > similar sentiments):? > > https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/ > > -Ryan McGinnis > http://www.bigstormpicture.com > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD > > > Sent from ProtonMail Mobile > > > On Wed, Aug 12, 2020 at 13:07, Felix > wrote: >> >> I'm not sure that there are solutions orders of magnitude more secure >> that are available readily. >> >> Also people tend to get emails on the go as well that might be >> encrypted. It's convenient to decrypt emails on a smartphone and not >> really that insecure if you're using an external device for actual >> keystorage (such as a Yubikey). >> >> I don't actually see what's so silly about the whole thing. >> >> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote: >>> Well yes I realize that it exists, what I'm saying is why would anyone >>> use it for secure communications on a smartphone when there are >>> solutions orders of magnitude more secure and simple to use.? It'd be >>> like buying a helicopter but deciding you'd still fly only 2 feet off >>> the ground and stick to paved roads.? >>> >>> >>> >>> On 8/12/20 11:46 AM, Stefan Claas wrote: >>>> Ryan McGinnis via Gnupg-users wrote: >>>> >>>>> I guess the real question is: what are people using PGP for on mobile >>>>> devices?? If it's for communication, that's silly.? There are at least a >>>>> half dozen far, far, far better ways to securely communicate on a >>>>> smartphone.? >>>> Well, it is listed by the OpenPGP experts: >>>> >>>> https://www.openpgp.org/software/openkeychain/ >>>> >>>> Regards >>>> Stefan >>>> >>>> -- >>>> my 'hidden' service gopherhole: >>>> gopher://iria2xobffovwr6h.onion >>> >>> _______________________________________________ >>> Gnupg-users mailing list >>> Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From felix at audiofair.de Thu Aug 13 02:00:45 2020 From: felix at audiofair.de (Felix Winterhalter) Date: Thu, 13 Aug 2020 02:00:45 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: References: <20200807133515.00005086@300baud.de> <20200810142736.GA207@chiraag> <20200810171405.00001033@300baud.de> <01114eb76be56c5adf38dda54aefb719e9576e3c.camel@gentoo.org> <20200810174848.0000630b@300baud.de> <379c6c8e-e46c-ecc7-fd73-a4c914a230e0@digicana.com> <20200812184557.0000141c@300baud.de> <88f4e2c4-a210-d060-eceb-e94483a16376@digicana.com> <4c6cb6fe-0c5c-c64a-2d59-44e4901bf0da@audiofair.de> Message-ID: <3f76d476-b75e-8be4-bf7f-10e011886534@audiofair.de> That's a good article and I think it makes a lot of sense in the context. I still think PGP is valid for sending encrypted emails if you exchange public keys beforehand (as he also states he still uses it in that manner). The web of trust also never did anything for me sadly. On 12/08/2020 20:29, Ryan McGinnis via Gnupg-users wrote: > The reasons to abandon PGP for secure communications?have been > accepted in the security community for years. ?Here?s one security > researcher explaining why (there are many others out there with > similar sentiments):? > > https://arstechnica.com/information-technology/2016/12/op-ed-im-giving-up-on-pgp/ > > -Ryan McGinnis > http://www.bigstormpicture.com > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD > > > Sent from ProtonMail Mobile > > > On Wed, Aug 12, 2020 at 13:07, Felix > wrote: >> >> I'm not sure that there are solutions orders of magnitude more secure >> that are available readily. >> >> Also people tend to get emails on the go as well that might be >> encrypted. It's convenient to decrypt emails on a smartphone and not >> really that insecure if you're using an external device for actual >> keystorage (such as a Yubikey). >> >> I don't actually see what's so silly about the whole thing. >> >> On 2020-08-12 18:57, Ryan McGinnis via Gnupg-users wrote: >>> Well yes I realize that it exists, what I'm saying is why would anyone >>> use it for secure communications on a smartphone when there are >>> solutions orders of magnitude more secure and simple to use.? It'd be >>> like buying a helicopter but deciding you'd still fly only 2 feet off >>> the ground and stick to paved roads.? >>> >>> >>> >>> On 8/12/20 11:46 AM, Stefan Claas wrote: >>>> Ryan McGinnis via Gnupg-users wrote: >>>> >>>>> I guess the real question is: what are people using PGP for on mobile >>>>> devices?? If it's for communication, that's silly.? There are at least a >>>>> half dozen far, far, far better ways to securely communicate on a >>>>> smartphone.? >>>> Well, it is listed by the OpenPGP experts: >>>> >>>> https://www.openpgp.org/software/openkeychain/ >>>> >>>> Regards >>>> Stefan >>>> >>>> -- >>>> my 'hidden' service gopherhole: >>>> gopher://iria2xobffovwr6h.onion >>> >>> _______________________________________________ >>> Gnupg-users mailing list >>> Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From sac at 300baud.de Thu Aug 13 10:15:35 2020 From: sac at 300baud.de (Stefan Claas) Date: Thu, 13 Aug 2020 10:15:35 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200811194926.00033801885@smtp.hushmail.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> Message-ID: <20200813101535.000020d3@300baud.de> vedaal at nym.hush.com wrote: > > > On 8/11/2020 at 3:00 PM, "Stefan Claas" wrote: > > ... > > >As understood a Pegasus operator can do what ever > >he likes to do remotely, anonymously with our (Android/iOS) > >smartphone, without that we know that this happens. > > ... > > >in form of a best practice FAQ (cross-platform), to no longer use > >encryption software on online devices and work out > >strategies to use offline devices and how to handle this data > >securely over to an online device, until proper and affordable > >hardware encryption devices for online usage are available? > > ===== > > There is already a simple existing solution. > > [1] Encrypt and decrypt on a computer that has internet hardware disabled. I am thinking about this mobile one, once it hits the market. https://pocket.popcorncomputer.com/#products > [2] Use an Orbic Journey V phone that gets and sends *only text* Seems not to be available in Germany, so I must look for a similar one. Regards Stefan -- my 'hidden' service gopherhole: gopher://iria2xobffovwr6h.onion From me at entrez.cc Fri Aug 14 03:26:17 2020 From: me at entrez.cc (Michael Meyer) Date: Fri, 14 Aug 2020 01:26:17 +0000 Subject: Gnupg-users logo Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi everyone, I like to use unique icons for the items I save in my password manager, so that I can distinguish between them more easily at a glance. In pursuit of this goal, I sometimes end up putting together my own images for sites or services which don't have an existing logo readily available online. I had a tough time finding a suitable image for the gnupg-users mailing list that was distinct from the logo for the gnupg project as a whole, so I ended up slapping something together in GIMP for my own use. I'm not going to make any promises about it being a stunning work of art or anything, but I figured I would share it here just in case anyone else might find it useful for some reason or other. Here it is: https://0x0.st/iYuB.jpg - - Michael Meyer -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEau/tqk0YEkf4B7L/I018NiIuApUFAl816CsACgkQI018NiIu ApUQ8Q//XYZPkL/7Iwpf4Id7U2cbxPMUpzrGoXAVY84UVlXo2LeYfyphTqYej9FN hFbHw5CXxpPGe3zvLM/13FR5Bggz60WtK9atPu+4e1PMtkI3gXDFceBIiW3tx+U6 AFpp+v0KGoB+A5uqS1OJR0esNeJBCGTLPI9N5YYn4CqRvI01wDAFAvCace0BuFcL hOfpaa0kAnaWOmSUgAMcoF1muMBGc6gfYdc4PJ86y/WXjYrYKwDnr1JQsALVFZ7N cS+ZASG8SkFFJEAHXcPln3Dr/4gNUjyvnmxk5X/D+sdV7s1zvu+fluB45qOpsrMa 5Z9Z2Av3fdZmuLtzJJ2r44+pK1FVEuQVoajdBTMaweLLcnL1sfhLfUnUPFzBxxfn /VFt1gjh+DTBSIkJuKAxoxa9UZ9kR64JFhnzARl1B9vFLjQQJoCIIIHQ2zlXKqdb s3Wkg38OcNbmu+5jWM6iIFbJmTi9XxP4A+/mbNcglQ1bej8qA03La5HIwHhA72j0 yOP3eVq5ezw0TRYObl0Zuredfq525v6IgqGPzmDD18YvRvzHq0/GFDoXmbBhq0Gb V1/xBCbCY0bFuZJ+psi1OQ5agG6EbXd+RP9Sg7ZUvCOtbd5gdAvDyTNZWcLTZBmA k/rsZJEjlo0eKy9PecPUBbrQYGfgS23VCUonVVCKFLnUJASKBf8= =KUVj -----END PGP SIGNATURE----- From sac at 300baud.de Fri Aug 14 14:16:52 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 14 Aug 2020 14:16:52 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812135118.00007271@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <2eec830c-95a6-bd79-d56e-d942bdcfec8d@andrewg.com> <20200812135118.00007271@300baud.de> Message-ID: <20200814141652.000069a3@300baud.de> Stefan Claas wrote: > Andrew Gallagher wrote: > > No, you should not stop using encryption software on online devices. > > That would be insane. We should be adding more encryption at multiple > > levels, so that compromise of one layer of encryption does not mean a > > compromise of the entire system. Defence in depth is the only long-term > > sustainable strategy. > > While I personally stopped using online encryption, long ago, after my > Linux system was hacked, I like to mention (in case people do not know) > that YubiKeys and Nitrokeys allow also login-in protection via 2FA and > that than sudo usage requires also tapping on the YubiKey, besides pw > usage. Not sure if it is the same procedure with a Nitrokey. Hacking Tool to break into Linux computers. Regards Stefan From sac at 300baud.de Fri Aug 14 18:43:03 2020 From: sac at 300baud.de (Stefan Claas) Date: Fri, 14 Aug 2020 18:43:03 +0200 Subject: Gnupg-users logo In-Reply-To: References: Message-ID: <20200814184255.000011b7@300baud.de> Michael Meyer via Gnupg-users wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi everyone, > > I like to use unique icons for the items I save in my password manager, > so that I can distinguish between them more easily at a glance. In > pursuit of this goal, I sometimes end up putting together my own images > for sites or services which don't have an existing logo readily > available online. > > I had a tough time finding a suitable image for the gnupg-users mailing > list that was distinct from the logo for the gnupg project as a whole, > so I ended up slapping something together in GIMP for my own use. I'm > not going to make any promises about it being a stunning work of art or > anything, but I figured I would share it here just in case anyone else > might find it useful for some reason or other. > > Here it is: > > https://0x0.st/iYuB.jpg Cool, looking nice! I would however write GnuPG instead of Gnupg. Regards Stefan From me at entrez.cc Fri Aug 14 22:04:02 2020 From: me at entrez.cc (Michael Meyer) Date: Fri, 14 Aug 2020 20:04:02 +0000 Subject: Gnupg-users logo In-Reply-To: <20200814184255.000011b7@300baud.de> References: <20200814184255.000011b7@300baud.de> Message-ID: <20200814200357.iiamutzibxbjw37a@rain.local> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hey Stefan, On Fri, Aug 14, 2020 at 06:43:03PM +0200, Stefan Claas wrote: > I would however write GnuPG instead of Gnupg. Do you prefer this? https://0x0.st/iYel.jpg BTW, I think I capitalized just the first letter because the mailing list archives and listinfo page both write it that way... but I also see now that it's written in all lowercase on , so really I have no idea what the ``right'' capitalization is supposed to be! - - Michael -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEau/tqk0YEkf4B7L/I018NiIuApUFAl827iQACgkQI018NiIu ApVSwA/+OhY4PVf0AChQ3mFr9CgWWA9uHzQwbmCKiAcEKRFRjWPutgEIRKYIyqvk TR5pKE8zHxYQZDerAzicTQHxQnjiGLLqLEWZT59jBs9qD/tY5bOiQRxqI3/luKpB Kl8oFErnKTK56gY7EUTXBtnQ1cNS/FmF/vthsnZLSr0yHcE/coDmrK0XRG9V0mEN qyn0T+m8JOXYodsl0uDfTgEtAy7ioF6DiyPulcDpCttslXgcVMCcfcyRHPXKlHaK 49YUn6VuKt9wtJj/fI/4uifEMGS9qltlhMoWdyezPa/M0l/GjBCkJdF2BVjN/5o+ n4jre5dE4SK9KFx9dQssRpOT265UJNSd6UBjVhxQJ8NconGLRx91LGWxnwMBmD4i 7PMj5aC2DatTY4sA9ZbWk18G0wFHcrHGm9myN487lLxqRWgVz5fNnABJYlgMGd93 NXjlstBj4Bl9wUVw6jDV1QzSF8Xvvt60laAODut/Mtv+yUnurJuP63rstI4GeEf4 5zbdqJhwQKUabJ9vBlj4CFR5EaQzVLFNAoT/iGxPdYynmeWwEIK9sVk8/kImMMBh GZqh9tf9IGabfjLu4dSB24+JSE7M7hhq0kckj3b3Ot3IA70lqNRu5/9CZRmzqRQd 68F0IVr4ls9HX8h+q0SWEUqpnCqisIxtY0OlZVMU3cbtbyYsKPU= =95g2 -----END PGP SIGNATURE----- From sac at 300baud.de Sat Aug 15 01:15:28 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 15 Aug 2020 01:15:28 +0200 Subject: Gnupg-users logo In-Reply-To: <20200814200357.iiamutzibxbjw37a@rain.local> References: <20200814184255.000011b7@300baud.de> <20200814200357.iiamutzibxbjw37a@rain.local> Message-ID: <20200815011528.00005c66@300baud.de> Michael Meyer wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hey Stefan, > > On Fri, Aug 14, 2020 at 06:43:03PM +0200, Stefan Claas wrote: > > I would however write GnuPG instead of Gnupg. > > Do you prefer this? > > https://0x0.st/iYel.jpg Yes. :-) > BTW, I think I capitalized just the first letter because the mailing > list archives and > listinfo page > both write it that way... but I also see now that it's written in all > lowercase on , so really I have no idea what > the ``right'' capitalization is supposed to be! If you look at the main page of gnupg.org it is written as GnuPG. Regards Stefan From sac at 300baud.de Sat Aug 15 17:33:15 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 15 Aug 2020 17:33:15 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200813101535.000020d3@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200813101535.000020d3@300baud.de> Message-ID: <20200815173315.0000363a@300baud.de> Stefan Claas wrote: > vedaal at nym.hush.com wrote: > > > > > > > On 8/11/2020 at 3:00 PM, "Stefan Claas" wrote: > > > > ... > > > > >As understood a Pegasus operator can do what ever > > >he likes to do remotely, anonymously with our (Android/iOS) > > >smartphone, without that we know that this happens. > > > > ... > > > > >in form of a best practice FAQ (cross-platform), to no longer use > > >encryption software on online devices and work out > > >strategies to use offline devices and how to handle this data > > >securely over to an online device, until proper and affordable > > >hardware encryption devices for online usage are available? > > > > ===== > > > > There is already a simple existing solution. > > > > [1] Encrypt and decrypt on a computer that has internet hardware disabled. > > I am thinking about this mobile one, once it hits the market. > > https://pocket.popcorncomputer.com/#products > > > [2] Use an Orbic Journey V phone that gets and sends *only text* > > Seems not to be available in Germany, so I must look for a similar one. I did a bit research and purchased today the IMHO beautiful Doro Primo 413 dumb phone (for elderly people) and it includes a USB C to USB charger/data cable, which then can be connected to an offline Notebook. Once my batteries are charged, later today, I will try out the following: Preparing a PGP message, converting it to JAB-Code and then transfer the .png image( less than 300 KB, due to German Telefon Carrier specs.) to the dumb phone. Finally I will prepare an MMS and load the image and send the message for a test to my smartphone, for later retrival, to see if everything went well. Regards Stefan From sac at 300baud.de Sat Aug 15 18:58:30 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 15 Aug 2020 18:58:30 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200815173315.0000363a@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200813101535.000020d3@300baud.de> <20200815173315.0000363a@300baud.de> Message-ID: <20200815185830.0000660a@300baud.de> Stefan Claas wrote: > I did a bit research and purchased today the IMHO beautiful Doro Primo 413 > dumb phone (for elderly people) and it includes a USB C to USB charger/data > cable, which then can be connected to an offline Notebook. > > Once my batteries are charged, later today, I will try out the following: > > Preparing a PGP message, converting it to JAB-Code and then transfer the > .png image( less than 300 KB, due to German Telefon Carrier specs.) to the > dumb phone. > > Finally I will prepare an MMS and load the image and send the message for a > test to my smartphone, for later retrival, to see if everything went well. Ok, worked! :-) SHA256 hashes matched from both devices. Only thing I have to do is purchasing an sd memory card, because the regular memory is to low. Regards Stefan From Klaus at ethgen.ch Fri Aug 14 15:31:26 2020 From: Klaus at ethgen.ch (Klaus Ethgen) Date: Fri, 14 Aug 2020 14:31:26 +0100 Subject: Unknown key in gpg-agent Message-ID: <20200814133126.GA18488@ikki.ethgen.ch> Hello, I have one key in my gpg agent that I do not remember anymore and do not know where it comes from. `KEYINFO --list` showes me one key (no ssh key), that I do not know. I can preseed that key with a known passphrase what suggests that I had it in gnupg once. However, `gpg --list-keys --list-options show-unusable-subkeys --with-keygrip` does not display this keygrip. Is there any posibility to export that key or get info about that key, find it whatever? As the key is in the agent, there is a corresponding .key file in .gnupg/private-keys-v1.d. So, ssh-add does not show the key (as well as KEYINFO --ssh-list) and gpg doesnt show the key. What could have put that key there when it is none of that commands? By the way, using '&KEYGRIP' does not work with gpg to select a key for listing by keygrip. Regards Klaus Ps. Please keep me explicitly in reply as I am not subscribet to the list. -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 688 bytes Desc: not available URL: From renws at protonmail.com Sun Aug 16 06:33:22 2020 From: renws at protonmail.com (renws) Date: Sun, 16 Aug 2020 04:33:22 +0000 Subject: Accidentally deleted ~/.gnupg/pubring.gpg In-Reply-To: <20200810215019.2CDF0827B86@smtp.hushmail.com> References: <20200810215019.2CDF0827B86@smtp.hushmail.com> Message-ID: Hi Veddal, Thanks for your reply. Sorry I meant to reply to an answer of my original post https://lists.gnupg.org/pipermail/gnupg-users/2020-July/063772.html, but I'm a little confused how mailing list work so I might have created a new thread with the same title. Basically, I've accidentally deleted ~/.gnupg/pubring.gpg and now I'm not able to see any output from `gpg --list-keys' and `gpg --list-secret-keys'. And I don't have any backup of my public key, so I would like to know whether it's possible to decrypt my files (I've still got ~/.gnupg/private-keys-v1.d, which I think stores my private key?). Tried your suggestions but didn't work for: ? .gnupg gpg /home/rws/.gnupg/secring.gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: DBG: FIXME: merging secret key blocks is not anymore available gpg: DBG: FIXME: No way to print secret key packets here ? .gnupg gpg 6906A68A85C4AEAC gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: can't open '6906A68A85C4AEAC' Regards, Wenshan ??????? Original Message ??????? On Tuesday, August 11, 2020 7:50 AM, wrote: > On 8/8/2020 at 3:13 PM, "renws via Gnupg-users"gnupg-users at gnupg.org wrote: > > > Hi, > > I tried --try-all-secrets but it didn't work: > > $ gpg -d --try-all-secrets myfile.txt.gpg > > gpg: encrypted with RSA key, ID xxxxxxxxxxxxx > > gpg: decryption failed: No secret key > > I guess I'll have to create a new public key with the same > > fingerprint? I've searched "gpg create public key with same > > fingerprint" but didn't get much luck. Could you please provide > > more detailed how-to instructions? > > == > > It's not clear what you did and what the problem is. Please explain more. > > The Subject is "Accidentally deleted ~/.gnupg/pubring.gpg" > > This is not so terrible, as the Secret Keys automatically contain the public keys, and they can be regenerated from them. > > Try this: > > gpg secring.gpg > (you need to put in the exact path of where the secring.gpg is located, before the secring.gpg) > > GnuPG will list all the secret keys. It might detect the absence of a pubring.gpg and automatically create one, but I have not tried it, and do not have a test system here to try it. > > But > I (have successfully) tried to restore a public key just by the command > gpg keyname of the secret key. > > vedaal From wk at gnupg.org Mon Aug 17 10:31:24 2020 From: wk at gnupg.org (Werner Koch) Date: Mon, 17 Aug 2020 10:31:24 +0200 Subject: Accidentally deleted ~/.gnupg/pubring.gpg In-Reply-To: (renws via Gnupg-users's message of "Sun, 16 Aug 2020 04:33:22 +0000") References: <20200810215019.2CDF0827B86@smtp.hushmail.com> Message-ID: <87y2mdd677.fsf@wheatstone.g10code.de> On Sun, 16 Aug 2020 04:33, renws said: > And I don't have any backup of my public key, so I would like to know > whether it's possible to decrypt my files (I've still got > ~/.gnupg/private-keys-v1.d, which I think stores my private key?). If you just want to decrypt your files, you can do this: - Create a new key, best using the mail address you used in your lost key. - Add a subkey so you can decrypt old data, for example $ gpg --expert --edit-key NEWKEYID Secret key is available. [Prints infor about that key] gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key (14) Existing key from card Your selection? 13 Enter the keygrip: here you need to enter the keygrip of your lost key. That is the name of the file in private-keys-v1.d/ without the ".key" suffix. With your new key you should have 4 files in that directory, chekc the date to pick the right one; if it does not work, you picked then signing key and not the encryption key. Start over in this case. Enter "save" and you have a new encryption subkey which matches the old one mathematically. - To decrypt with the new/old file you need to add the option: --try-all-secrets The last point is an obvious drawback but it is the easiest way to get to your data. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From vedaal at nym.hush.com Mon Aug 17 21:40:24 2020 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Mon, 17 Aug 2020 15:40:24 -0400 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200815185830.0000660a@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200813101535.000020d3@300baud.de> <20200815173315.0000363a@300baud.de> <20200815185830.0000660a@300baud.de> Message-ID: <20200817194024.650668038E7@smtp.hushmail.com> On 8/15/2020 at 1:02 PM, "Stefan Claas" wrote: >Ok, worked! :-) SHA256 hashes matched from both devices. ===== Great to hear! ----- >Only thing I have to do is purchasing an sd memory card, because >the regular memory is to low. ===== If you can afford it, there are 1 TB microsd cards available: https://www.amazon.com/SanDisk-Extreme-microSDXC-Memory-Adapter/dp/B07P9W5HJV/ref=sr_1_2?crid=LIUTHCJU5JEA&dchild=1&keywords=1tb+sandisk+micro+sd+card&qid=1597692282&sprefix=1+tb+sandisk%2Caps%2C507&sr=8-2: I have the 1tb sandisk microsd for the phone (my smartphone is a sony xperia z2 premium. I'm in love with the camera and optics, and watch all my videos and amazon prime on the phone). Point is, official specs says it only accommodates a 250 gb microsd. This is not true. Even older galaxy androids that officially say accommodates a 64 gb card, also accommodated a sandisk 400 gb card. As long as there is a microsd slot, it accommodates any size. *BUT* The vast majority of 1 TB cards, are COUNTERFEIT, and don't ho;d more than a nominal minimal amount! Even the Kingston ones, unless you get them from Kingston itself, are very convincingly appearing fakes. I have been using sandisk since 64gb, then 128, then 400, and now 1 tb. and all of them worked, and got them all on Amazon. If you know from people who actually used them, of other brands on Amazon that are trustworthy, maybe you can get a good card for less. Even If you don't need more than 64gb, I would still recommend a Sandisk newer 64gb card, because of the much faster transfer rates. vedaal From sac at 300baud.de Mon Aug 17 22:25:07 2020 From: sac at 300baud.de (Stefan Claas) Date: Mon, 17 Aug 2020 22:25:07 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200817194024.650668038E7@smtp.hushmail.com> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200813101535.000020d3@300baud.de> <20200815173315.0000363a@300baud.de> <20200815185830.0000660a@300baud.de> <20200817194024.650668038E7@smtp.hushmail.com> Message-ID: <20200817222507.00003085@300baud.de> vedaal at nym.hush.com wrote: > > > On 8/15/2020 at 1:02 PM, "Stefan Claas" wrote: > > >Ok, worked! :-) SHA256 hashes matched from both devices. > ===== > Great to hear! Thanks. :-) > >Only thing I have to do is purchasing an sd memory card, because > >the regular memory is to low. > ===== > If you can afford it, there are 1 TB microsd cards available: > > https://www.amazon.com/SanDisk-Extreme-microSDXC-Memory-Adapter/dp/B07P9W5HJV/ref=sr_1_2?crid=LIUTHCJU5JEA&dchild=1&keywords=1tb+sandisk+micro+sd+card&qid=1597692282&sprefix=1+tb+sandisk%2Caps%2C507&sr=8-2: No, can't afford it. I already purchased a 32GB card, wich is more than enough for me. Regards Stefan From brian at minton.systems Tue Aug 18 17:24:32 2020 From: brian at minton.systems (Brian Minton) Date: Tue, 18 Aug 2020 10:24:32 -0500 Subject: Why does gpg -k write to tofu.db? In-Reply-To: References: <20200811195634.GA14182@lab.bjmgeek.science> Message-ID: <20200818152432.GA23877@lab.bjmgeek.science> On Tue, Aug 11, 2020 at 05:40:44PM -0400, Brian Minton wrote: > real 117m26.112s > user 25m56.486s > sys 90m31.859s Sorry about the bad signature. But, the question remains, why would just listing 13 thousand keys take 2 hours? By comparison, gpg1 takes just over a second with the same keys (except for ecc keys of course) laptop:~$ time gpg1 -k|wc -l 11531 real 0m1.094s user 0m1.061s sys 0m0.034s -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: From renws at protonmail.com Tue Aug 18 17:01:09 2020 From: renws at protonmail.com (renws) Date: Tue, 18 Aug 2020 15:01:09 +0000 Subject: Accidentally deleted ~/.gnupg/pubring.gpg In-Reply-To: <87y2mdd677.fsf@wheatstone.g10code.de> References: <20200810215019.2CDF0827B86@smtp.hushmail.com> <87y2mdd677.fsf@wheatstone.g10code.de> Message-ID: It worked, and it was much easier than I expected, thank you so much! WS ??????? Original Message ??????? On Monday, August 17, 2020 6:31 PM, Werner Koch wrote: > On Sun, 16 Aug 2020 04:33, renws said: > > > And I don't have any backup of my public key, so I would like to know > > whether it's possible to decrypt my files (I've still got > > ~/.gnupg/private-keys-v1.d, which I think stores my private key?). > > If you just want to decrypt your files, you can do this: > > - Create a new key, best using the mail address you used in your lost > key. > > - Add a subkey so you can decrypt old data, for example > > $ gpg --expert --edit-key NEWKEYID > Secret key is available. > > [Prints infor about that key] > > gpg> addkey > Please select what kind of key you want: > (3) DSA (sign only) > (4) RSA (sign only) > (5) Elgamal (encrypt only) > (6) RSA (encrypt only) > (7) DSA (set your own capabilities) > (8) RSA (set your own capabilities) > (10) ECC (sign only) > (11) ECC (set your own capabilities) > (12) ECC (encrypt only) > (13) Existing key > (14) Existing key from card > Your selection? 13 > Enter the keygrip: > > here you need to enter the keygrip of your lost key. That is the > name of the file in private-keys-v1.d/ without the ".key" suffix. > With your new key you should have 4 files in that directory, chekc > the date to pick the right one; if it does not work, you picked then > signing key and not the encryption key. Start over in this case. > > Enter "save" and you have a new encryption subkey which matches the > old one mathematically. > > - To decrypt with the new/old file you need to add the option: > > --try-all-secrets > > The last point is an obvious drawback but it is the easiest way to get > to your data. > > Salam-Shalom, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > From sac at 300baud.de Wed Aug 19 16:31:05 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 19 Aug 2020 16:31:05 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200807164233.00002191@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> Message-ID: <20200819163105.000006c4@300baud.de> Stefan Claas wrote: > ?????? ?????? via Gnupg-users wrote: > > > Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group > > Yes, as understood. I think it really doesn't matter where Pegasus does come from. Sorry for being now probably completely off-topic, but when it comes to informations we find on the Internet and/or are discussing if videos or informations are faked, or some people like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's 'Shadow Gate' documentary, which was released a couple of days ago and is already banned on YouTube and Facebook. https://banned.video/watch?id=5f37fcc2df77c4044ee2eb03 Regards Stefan From marcus at haget.se Wed Aug 19 19:54:22 2020 From: marcus at haget.se (Marcus =?utf-8?Q?Kvarnstr=C3=B6m?=) Date: Wed, 19 Aug 2020 19:54:22 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200819163105.000006c4@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> Message-ID: <20200819175422.sja3f727tfwytxt3@MacBook.localdomain> * Stefan Claas Aug 19, 16:31: > >videos or informations are faked, or some people like to guide us in wrong directions, Oh, the irony... >I would highly recommend to watch Millie Weaver's 'Shadow Gate' documentary, which was released a couple of days ago and is already banned on YouTube and Facebook. No, it is not banned. Anyone with access to a web browser can see that. It's a conspiracy theory produced by the well known misinformation and conspiracy website Infowars. -- // Marcus From rjh at sixdemonbag.org Wed Aug 19 20:10:29 2020 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 19 Aug 2020 14:10:29 -0400 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200819163105.000006c4@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> Message-ID: <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> > Sorry for being now probably completely off-topic, but when it comes to informations we find > on the Internet and/or are discussing if videos or informations are faked, or some people > like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's > 'Shadow Gate' documentary, which was released a couple of days ago and is already banned > on YouTube and Facebook. Stefan, I'm not a list moderator and I have absolutely zero authority to say this, but I'm going to say it anyway: Please take this stuff elsewhere. You're linking to a conspiracy theory video alleging a... look, I'm not going to give these people credibility even by *summarizing* it. It should be enough to say that InfoWars is backing it. It has no connection to fact or even reality, and even less than no connection to GnuPG or communications security. Please, I'm begging you: take it elsewhere. It doesn't belong here. https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/ From kloecker at kde.org Wed Aug 19 23:28:31 2020 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Wed, 19 Aug 2020 23:28:31 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> References: <20200807133515.00005086@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> Message-ID: <2558194.ojgTuyLS5B@breq> On Mittwoch, 19. August 2020 20:10:29 CEST Robert J. Hansen wrote: > You're linking to a conspiracy theory video alleging a... look, I'm not > going to give these people credibility even by *summarizing* it. It > should be enough to say that InfoWars is backing it. We need to stop calling such rubbish "theories". Better call it "conspiracy myths" or "conspiracy tales" or "conspiracy stories" or anything else that makes it clear that (unlike scientific theories) it is not supported by facts. Sorry, for adding to this off-topic thread. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: This is a digitally signed message part. URL: From johanw at vulcan.xs4all.nl Thu Aug 20 00:36:32 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu, 20 Aug 2020 00:36:32 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <2558194.ojgTuyLS5B@breq> References: <20200807133515.00005086@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> <2558194.ojgTuyLS5B@breq> Message-ID: <4639d130-49d7-28a6-6306-f20f4a02838f@vulcan.xs4all.nl> On 19-08-2020 23:28, Ingo Kl?cker wrote: > We need to stop calling such rubbish "theories". Better call it "conspiracy > myths" or "conspiracy tales" or "conspiracy stories" or anything else that > makes it clear that (unlike scientific theories) it is not supported by facts. You mean like the conspiracy myth that the NSA was eavesdropping on everyone, whether they were allowed to or not? Yes, that was not supported by facts (before the Snowden revelations) so it must have been utter rubbish. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From debian at services.bfiedler.ch Wed Aug 19 23:19:56 2020 From: debian at services.bfiedler.ch (Ben Fiedler) Date: Wed, 19 Aug 2020 23:19:56 +0200 Subject: gpg-agent support for GNUPGHOME and systemd In-Reply-To: References: Message-ID: <8de1efee094d706f1e07db3d12dc3458@services.bfiedler.ch> On Wed Aug 19, 2020 at 10:10 PM, Ben Fiedler wrote: > Relevant env vars: > DBUS_SESSION_BUS_ADDRESS correctly set > GNUPGHOME=${HOME}/.config/gnupg, set for both the systemd service and > GPG_TTY=$(tty) set and exported in .zshrc > SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh set and exported > in .zprofile Aha! I think I've found the issue: When GNUPGHOME is set the gpg command line tools use different sockets: % unset GNUPGHOME % gpgconf --dry-run --create-socketdir gpgconf: socketdir is '/run/user/1000/gnupg' % export GNUPGHOME=$HOME/.config/gnupg % gpgconf --dry-run --create-socketdir gpgconf: socketdir is '/run/user/1000/gnupg/d.6oynbz4mc38pz8n5gyedka7a' gpgconf: non-default homedir This is pretty unexpected to me, why is this the case? And is there a way to mitigate this behaviour? A bit of background: The original "problem" I'm trying to solve is uncluttering my homedir from `.appname` folders and trying to get as much as possible to conform to the XDG directory specification. The Arch wiki [1] recommends setting GNUPGHOME, which is probably not intended to be used that way when using socket-based activation with systemd. I've seen that the gpg project doesn't intend to support automatically creating it's config in XDG_CONFIG_HOME, but would there be a way to set the socket dir instead of using the pseudo-random location? The result would be a systemd-socket-activation-compliant way of using GNUPGHOME to set the GnuPG directory with minimal changes needed. If someone can give me a few pointers I'd be glad to take a look at implementing it myself. Best, Ben [1]: https://wiki.archlinux.org/index.php/XDG_Base_Directory#Partial From debian at services.bfiedler.ch Wed Aug 19 22:10:53 2020 From: debian at services.bfiedler.ch (Ben Fiedler) Date: Wed, 19 Aug 2020 22:10:53 +0200 Subject: gpg-agent support for GNUPGHOME and systemd Message-ID: Hi, I'm using gpg together with a custom GNUPGHOME ($HOME/.config/gnupg) and the systemd user unit provided in the basic Debian sid install and a smart card (Yubikey). I am doing both signing/decryption and authentication (ssh) using gpg, which leads to two different instances of gpg-agent being started: One is used when en-/decrypting is done via the gpg command line tool, and another one is used when using gpg-agents ssh function: % ps aux | grep gpg-agent bfiedler 32046 0.0 0.0 6112 660 pts/1 S+ 21:44 0:00 grep --color gpg-agent % ssh bfiedler.vsos.ethz.ch exit % ps aux | grep gpg-agent bfiedler 32072 0.0 0.0 81020 3792 ? SLs 21:44 0:00 /usr/bin/gpg-agent --supervised bfiedler 32106 0.0 0.0 6112 664 pts/1 S+ 21:44 0:00 grep --color gpg-agent % echo test | gpg -s > /dev/null % ps aux | grep gpg-agent bfiedler 32072 0.0 0.0 81020 3792 ? SLs 21:44 0:00 /usr/bin/gpg-agent --supervised bfiedler 32134 0.0 0.0 81020 3212 ? Ss 21:45 0:00 gpg-agent --homedir /home/bfiedler/.config/gnupg --use-standard-socket --daemon bfiedler 32203 0.0 0.0 6112 660 pts/1 S+ 21:45 0:00 grep --color gpg-agent This is pretty annoying since one gpg-agent hogs the smartcard and forces me to remove and replug it when switching from signing/decrypting to ssh authentication. It seems that gpg-agent --supervised is launched via systemd user units (by socket activation from $XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh) and the other gpg-agent instance is launched by the gpg command line tools. As far as I understand the systemd user unit gpg-agent is the only one that should be launched. I've skimmed over the gpg code and it looks like the gpg command line should use the S.gpg-agent socket and thus cause systemd to launch the gpg-agent, but somehow they don't notice that and start a second instance. Has this happened to anyone else? Am I simply missing some environment variable? Additionally, and I don't know if this is related, pinentry-curses seems to not work correctly despite gpg-connect-agent being run. Tested it on both a tty and a pty, didn't work on either. May of course be the case since the wrong gpg-agent is launched as well. Using --raw-socket and the systemd socket fixes part of the problem: only the systemd gpg-agent is launched, but it still does not correctly pass on term info. Relevant env vars: DBUS_SESSION_BUS_ADDRESS correctly set GNUPGHOME=${HOME}/.config/gnupg, set for both the systemd service and GPG_TTY=$(tty) set and exported in .zshrc SSH_AUTH_SOCK=${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh set and exported in .zprofile gpg-agent.conf: enable-ssh-support sshcontrol: has the correct keygrip GPG version: % gpg --version gpg (GnuPG) 2.2.20 libgcrypt 1.8.6 OS version: Debian sid Thanks in advance! Best, Ben From wk at gnupg.org Thu Aug 20 14:43:44 2020 From: wk at gnupg.org (Werner Koch) Date: Thu, 20 Aug 2020 14:43:44 +0200 Subject: gpg-agent support for GNUPGHOME and systemd In-Reply-To: <8de1efee094d706f1e07db3d12dc3458@services.bfiedler.ch> (Ben Fiedler's message of "Wed, 19 Aug 2020 23:19:56 +0200") References: <8de1efee094d706f1e07db3d12dc3458@services.bfiedler.ch> Message-ID: <87o8n58p33.fsf@wheatstone.g10code.de> Hi! On Wed, 19 Aug 2020 23:19, Ben Fiedler said: > % gpgconf --dry-run --create-socketdir > gpgconf: socketdir is '/run/user/1000/gnupg/d.6oynbz4mc38pz8n5gyedka7a' > gpgconf: non-default homedir > > This is pretty unexpected to me, why is this the case? And is there a > way to mitigate this behaviour? It should be obvious that for a different homedirectory GnuPG also requires a different socket. Thus we hash the name of the homedir and append it to the standard directory for sockets. The ~/.gnupg file name is pretty important and there is no way to chnage this to something different without breaking a lot of stuff. You can simply use a symlink, though. That is how I handle this with .gnupg being stored on a g13 encrypted partition. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Thu Aug 20 14:51:20 2020 From: wk at gnupg.org (Werner Koch) Date: Thu, 20 Aug 2020 14:51:20 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <4639d130-49d7-28a6-6306-f20f4a02838f@vulcan.xs4all.nl> (Johan Wevers's message of "Thu, 20 Aug 2020 00:36:32 +0200") References: <20200807133515.00005086@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> <2558194.ojgTuyLS5B@breq> <4639d130-49d7-28a6-6306-f20f4a02838f@vulcan.xs4all.nl> Message-ID: <87k0xt8oqf.fsf@wheatstone.g10code.de> On Thu, 20 Aug 2020 00:36, Johan Wevers said: > You mean like the conspiracy myth that the NSA was eavesdropping on > everyone, whether they were allowed to or not? Yes, that was not > supported by facts (before the Snowden revelations) so it must have been There have been technical facts around for a long time. Examples are the Interception Report 2000 to the European Parliament and later a testimony from an AT&T employee. Checkout cryptome.org ;-) Snowden then provided internal NSA documents as final evidence. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From sac at 300baud.de Thu Aug 20 17:23:18 2020 From: sac at 300baud.de (Stefan Claas) Date: Thu, 20 Aug 2020 17:23:18 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> Message-ID: <20200820172318.000042f1@300baud.de> Robert J. Hansen wrote: > > Sorry for being now probably completely off-topic, but when it comes to informations we find > > on the Internet and/or are discussing if videos or informations are faked, or some people > > like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's > > 'Shadow Gate' documentary, which was released a couple of days ago and is already banned > > on YouTube and Facebook. > > Stefan, I'm not a list moderator and I have absolutely zero authority to > say this, but I'm going to say it anyway: > > Please take this stuff elsewhere. > > You're linking to a conspiracy theory video alleging a... look, I'm not > going to give these people credibility even by *summarizing* it. It > should be enough to say that InfoWars is backing it. > > It has no connection to fact or even reality, and even less than no > connection to GnuPG or communications security. > > Please, I'm begging you: take it elsewhere. It doesn't belong here. > > https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/ Hi Robert, at least you may agree that Millie's documentary shows viewers that since a long time private contractors play an important role for Intelligence Agencies. Regards Stefan From rjh at sixdemonbag.org Thu Aug 20 20:50:36 2020 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 20 Aug 2020 14:50:36 -0400 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200820172318.000042f1@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> <20200820172318.000042f1@300baud.de> Message-ID: <184bf61b-33df-3795-9512-2c629afb5c3e@sixdemonbag.org> > at least you may agree that Millie's documentary shows viewers that > since a long time private contractors play an important role for > Intelligence Agencies. Yes. Obviously. As everyone has known since the day the CIA was established. There's even a website for contractors with security clearances: https://www.clearancejobs.com. This nonsense video of conspiracy delusions revealed nothing factual. Please, I'm begging you: stop hyping this madness. At the very least, do it elsewhere. From sac at 300baud.de Thu Aug 20 21:31:50 2020 From: sac at 300baud.de (Stefan Claas) Date: Thu, 20 Aug 2020 21:31:50 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <184bf61b-33df-3795-9512-2c629afb5c3e@sixdemonbag.org> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> <20200820172318.000042f1@300baud.de> <184bf61b-33df-3795-9512-2c629afb5c3e@sixdemonbag.org> Message-ID: <20200820213150.00001dd3@300baud.de> Robert J. Hansen wrote: > > at least you may agree that Millie's documentary shows viewers that > > since a long time private contractors play an important role for > > Intelligence Agencies. > > Yes. Obviously. As everyone has known since the day the CIA was > established. There's even a website for contractors with security > clearances: https://www.clearancejobs.com. This nonsense video of > conspiracy delusions revealed nothing factual. > > Please, I'm begging you: stop hyping this madness. At the very least, > do it elsewhere. As you wish, I will now no longer reply to this part of this thread. Regards Stefan From ryan at digicana.com Fri Aug 21 15:53:47 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Fri, 21 Aug 2020 13:53:47 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200819163105.000006c4@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> Message-ID: Generally when something is "banned from Youtube" and the reason for the ban wasn't that it was outright pornography, copyrighted content, or illegal content, you can rest assured that the "banned video" is some Grade A Prime Whackadoo McCrazy Bullshit and that you will become dumber if you watch it.? On 8/19/20 9:31 AM, Stefan Claas wrote: > Stefan Claas wrote: > >> ?????? ?????? via Gnupg-users wrote: >> >>> Isn't the NSO group Israeli, not Russian as claimed in the video? https://en.wikipedia.org/wiki/NSO_Group >> Yes, as understood. I think it really doesn't matter where Pegasus does come from. > Sorry for being now probably completely off-topic, but when it comes to informations we find > on the Internet and/or are discussing if videos or informations are faked, or some people > like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's > 'Shadow Gate' documentary, which was released a couple of days ago and is already banned > on YouTube and Facebook. > > https://banned.video/watch?id=5f37fcc2df77c4044ee2eb03 > > Regards > Stefan > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From ryan at digicana.com Fri Aug 21 15:56:29 2020 From: ryan at digicana.com (Ryan McGinnis) Date: Fri, 21 Aug 2020 13:56:29 +0000 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200820172318.000042f1@300baud.de> References: <20200807133515.00005086@300baud.de> <20200807134400.GA207@chiraag> <20200807160053.00003a61@300baud.de> <20200807161210.00001444@300baud.de> <20200807142325.GA207@chiraag> <20200807164233.00002191@300baud.de> <20200819163105.000006c4@300baud.de> <2cf874cc-8a05-a129-3c84-e862932b333f@sixdemonbag.org> <20200820172318.000042f1@300baud.de> Message-ID: <8600566b-8db9-9bbc-2bac-d24f5c826386@digicana.com> Calling that a documentary is like me tattooing angel wings on my back and trying to pass as an attack helicopter. On 8/20/20 10:23 AM, Stefan Claas wrote: > Robert J. Hansen wrote: > >>> Sorry for being now probably completely off-topic, but when it comes to informations we find >>> on the Internet and/or are discussing if videos or informations are faked, or some people >>> like to guide us in wrong directions, I would highly recommend to watch Millie Weaver's >>> 'Shadow Gate' documentary, which was released a couple of days ago and is already banned >>> on YouTube and Facebook. >> Stefan, I'm not a list moderator and I have absolutely zero authority to >> say this, but I'm going to say it anyway: >> >> Please take this stuff elsewhere. >> >> You're linking to a conspiracy theory video alleging a... look, I'm not >> going to give these people credibility even by *summarizing* it. It >> should be enough to say that InfoWars is backing it. >> >> It has no connection to fact or even reality, and even less than no >> connection to GnuPG or communications security. >> >> Please, I'm begging you: take it elsewhere. It doesn't belong here. >> >> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/ > Hi Robert, > > at least you may agree that Millie's documentary shows viewers that since a long time private contractors > play an important role for Intelligence Agencies. > > > > Regards > Stefan > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- -Ryan McGinnis http://bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 839 bytes Desc: OpenPGP digital signature URL: From aajaxx at gmail.com Fri Aug 21 21:00:52 2020 From: aajaxx at gmail.com (Ajax) Date: Fri, 21 Aug 2020 19:00:52 +0000 Subject: gpg-agent is older than us Message-ID: On a Debian box, 'gpg -K' gives "server 'gpg-agent' is older than us (2.2.12 < 2.2.21)". 2.2.21 was built using speedo in my home directory populating ~/bin which appears at the head of $PATH. The commands 'which gpg' and 'which gpg-agent' both point to ~/bin. 2.2.12 would have been installed by the Debian package manager with /usr/bin/gpg-agent. How can I cause '~/bin/gpg -K' to use '~/bin/gp-agent' and omit "older than us" warning? Thank You From gnupg-users at spodhuis.org Sat Aug 22 02:22:53 2020 From: gnupg-users at spodhuis.org (Phil Pennock) Date: Fri, 21 Aug 2020 20:22:53 -0400 Subject: gpg-agent is older than us In-Reply-To: References: Message-ID: <20200822002253.GA170972@fullerene.field.pennock-tech.net> On 2020-08-21 at 19:00 +0000, Ajax via Gnupg-users wrote: > On a Debian box, 'gpg -K' gives "server 'gpg-agent' is older than us > (2.2.12 < 2.2.21)". 2.2.21 was built using speedo in my home > directory populating ~/bin which appears at the head of $PATH. The > commands 'which gpg' and 'which gpg-agent' both point to ~/bin. > 2.2.12 would have been installed by the Debian package manager with > /usr/bin/gpg-agent. How can I cause '~/bin/gpg -K' to use > '~/bin/gp-agent' and omit "older than us" warning? How is gpg-agent being _started_? Is it systemd? If so, go to and scroll down to "Users of systemd with vendor-installed socket activation of gpg-agent will have to weigh their options carefully" neat the bottom; it's one of the bullet points for the `optgnupg-gnupg` package. It talks about how to change the gpg-agent which systemd will launch for you. Those are the steps I use on an Ubuntu system to swap out /usr/bin/gpg-agent in favour of /opt/gnupg/bin/gpg-agent. -Phil From avemilia at protonmail.com Sat Aug 22 18:09:35 2020 From: avemilia at protonmail.com (Ave Milia) Date: Sat, 22 Aug 2020 16:09:35 +0000 Subject: The infinite struggle of Yubikey, GPG and SSH Message-ID: What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks that I can't get to that point, so I decided to ask for help here. The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it. Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory". I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there has been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't. What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together. ? inxi -Sz System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux ? ykman info Device type: YubiKey 4 Serial number: XXXXXXX Firmware version: 4.3.5 Enabled USB interfaces: OTP+FIDO+CCID Applications OTP Enabled FIDO U2F Enabled OpenPGP Enabled PIV Enabled OATH Enabled FIDO2 Not available ? ykman openpgp info OpenPGP version: 2.1 Application version: 4.3.5 PIN tries remaining: 10 Reset code tries remaining: 0 Admin PIN tries remaining: 10 Touch policies Signature key On Encryption key On Authentication key On ? gpg --version gpg (GnuPG) 2.2.21 libgcrypt 1.8.6 ? gpg -K /home/ave/.gnupg/pubring.kbx ---------------------------- sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C] Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC uid [ultimate] Ave Milia ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S] ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E] ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A] ? gpg --card-status Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Application type .: OpenPGP Version ..........: 2.1 Manufacturer .....: Yubico Serial number ....: XXXXXXX Name of cardholder: Ave Milia Language prefs ...: en Salutation .......: Mr. URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC Login data .......: [not set] Signature PIN ....: not forced Key attributes ...: rsa4096 rsa4096 rsa4096 Max. PIN lengths .: 127 127 127 PIN retry counter : 10 0 10 Signature counter : 5 Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX created ....: 2020-08-11 20:13:49 Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX created ....: 2020-08-11 20:14:37 Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX created ....: 2020-08-11 20:15:07 General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never card-no: XXXX XXXXXXXX ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never card-no: XXXX XXXXXXXX ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never card-no: XXXX XXXXXXXX ? gpgconf --list-dirs sysconfdir:/etc/gnupg bindir:/usr/bin libexecdir:/usr/lib/gnupg libdir:/usr/lib/gnupg datadir:/usr/share/gnupg localedir:/usr/share/locale socketdir:/run/user/1000/gnupg dirmngr-socket:/run/user/1000/gnupg/S.dirmngr agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser agent-socket:/run/user/1000/gnupg/S.gpg-agent homedir:/home/ave/.gnupg ? grep -v "^#" .gnupg/gpg.conf personal-cipher-preferences AES256 AES192 AES personal-digest-preferences SHA512 SHA384 SHA256 personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed cert-digest-algo SHA512 s2k-digest-algo SHA512 s2k-cipher-algo AES256 charset utf-8 fixed-list-mode no-comments no-emit-version no-greeting keyid-format 0xlong list-options show-uid-validity verify-options show-uid-validity with-fingerprint require-cross-certification no-symkey-cache use-agent throw-keyids keyserver hkps://hkps.pool.sks-keyservers.net ? grep -v "^#" .gnupg/gpg-agent.conf enable-ssh-support default-cache-ttl 60 max-cache-ttl 120 pinentry-program /usr/bin/pinentry-curses ? grep -v "^#" .gnupg/scdaemon.conf pcsc-driver /usr/lib/libpcsclite.so card-timeout 5 disable-ccid ? ll /usr/lib/libpcsclite.so lrwxrwxrwx 1 root root 20 19.??en 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0 ? sudo systemctl status pcscd.service ? pcscd.service - PC/SC Smart Card Daemon Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago TriggeredBy: ? pcscd.socket Docs: man:pcscd(8) Main PID: 54997 (pcscd) Tasks: 5 (limit: 19134) Memory: 1.8M CGroup: /system.slice/pcscd.service ??54997 /usr/bin/pcscd --foreground --auto-exit srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon. srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011) srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011) srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. ^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly. ? cat /etc/opensc.conf app default { # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC # can handle both to access keys and certificates, but only one at a time. card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 { name = "Yubikey 4"; # Select the PKI applet to use ("PIV-II" or "openpgp") driver = "openpgp"; # Recover from other applications accessing a different applet flags = "keep_alive"; } } ? cat /usr/share/p11-kit/modules/opensc.module module: opensc-pkcs11.so ? p11tool --list-tokens Token 0: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust Label: System Trust Type: Trust module Flags: uPIN uninitialized Manufacturer: PKCS#11 Kit Model: p11-kit-trust Serial: 1 Module: p11-kit-trust.so Token 1: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust Label: Default Trust Type: Trust module Flags: uPIN uninitialized Manufacturer: PKCS#11 Kit Model: p11-kit-trust Serial: 1 Module: p11-kit-trust.so Token 2: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00 Label: OpenPGP card (User PIN) Type: Hardware token Flags: Requires login Manufacturer: Yubico Model: PKCS#15 emulated Serial: XXXXXXXXXXXX Module: opensc-pkcs11.so Token 3: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00 Label: OpenPGP card (User PIN (sig)) Type: Hardware token Flags: Requires login Manufacturer: Yubico Model: PKCS#15 emulated Serial: XXXXXXXXXXXX Module: opensc-pkcs11.so ? pkcs11-tool -O --login Using slot 0 with a present token (0x0) Logging in to "OpenPGP card (User PIN)". Please enter User PIN: Private Key Object; RSA label: Encryption key ID: 02 Usage: decrypt, unwrap Access: sensitive, always sensitive, never extractable, local Public Key Object; RSA 4096 bits label: Encryption key ID: 02 Usage: encrypt, wrap Access: none Private Key Object; RSA label: Authentication key ID: 03 Usage: decrypt, sign, non-repudiation, unwrap Access: sensitive, always sensitive, never extractable, local Public Key Object; RSA 4096 bits label: Authentication key ID: 03 Usage: encrypt, verify, wrap Access: none ? Relevant part from .zshrc unset SSH_AGENT_PID if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" fi export GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null ? ssh-add -L Error connecting to agent: No such file or directory ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX So, any ideas which tambourine should I pick this time? [0] [1] [2] [3] From avemilia at protonmail.com Sat Aug 22 21:28:23 2020 From: avemilia at protonmail.com (Ave Milia) Date: Sat, 22 Aug 2020 19:28:23 +0000 Subject: The infinite struggle of Yubikey, GPG and SSH In-Reply-To: References: Message-ID: <_qdshQWAnr6u7mRgwH73Meh-ShdJvrfgnglbpqTt4xjZO7eMWjvOzRBoFkFOmQp8ifGSh1wNWUemB9IhYqdSVX7_LXxUMfDu4Z3p2Ml0rZA=@protonmail.com> On Saturday, August 22, 2020 6:09 PM, Ave Milia via Gnupg-users wrote: > What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks that I can't get to that point, so I decided to ask for help here. > > The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it. > > Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory". > > I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there has been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't. > > What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together. > > ? inxi -Sz > System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux > > ? ykman info > Device type: YubiKey 4 > Serial number: XXXXXXX > Firmware version: 4.3.5 > Enabled USB interfaces: OTP+FIDO+CCID > > Applications > OTP Enabled > FIDO U2F Enabled > OpenPGP Enabled > PIV Enabled > OATH Enabled > FIDO2 Not available > > ? ykman openpgp info > OpenPGP version: 2.1 > Application version: 4.3.5 > > PIN tries remaining: 10 > Reset code tries remaining: 0 > Admin PIN tries remaining: 10 > > Touch policies > Signature key On > Encryption key On > Authentication key On > > ? gpg --version > gpg (GnuPG) 2.2.21 > libgcrypt 1.8.6 > > ? gpg -K > /home/ave/.gnupg/pubring.kbx > > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C] > Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC > uid [ultimate] Ave Milia avemilia at protonmail.com > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S] > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E] > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A] > > ? gpg --card-status > Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 > Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > Application type .: OpenPGP > Version ..........: 2.1 > Manufacturer .....: Yubico > Serial number ....: XXXXXXX > Name of cardholder: Ave Milia > Language prefs ...: en > Salutation .......: Mr. > URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC > Login data .......: [not set] > Signature PIN ....: not forced > Key attributes ...: rsa4096 rsa4096 rsa4096 > Max. PIN lengths .: 127 127 127 > PIN retry counter : 10 0 10 > Signature counter : 5 > Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:13:49 > Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:14:37 > Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:15:07 > General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia avemilia at protonmail.com > sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > > card-no: XXXX XXXXXXXX > > > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > > card-no: XXXX XXXXXXXX > > > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > > card-no: XXXX XXXXXXXX > > > ? gpgconf --list-dirs > sysconfdir:/etc/gnupg > bindir:/usr/bin > libexecdir:/usr/lib/gnupg > libdir:/usr/lib/gnupg > datadir:/usr/share/gnupg > localedir:/usr/share/locale > socketdir:/run/user/1000/gnupg > dirmngr-socket:/run/user/1000/gnupg/S.dirmngr > agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh > agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra > agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser > agent-socket:/run/user/1000/gnupg/S.gpg-agent > homedir:/home/ave/.gnupg > > ? grep -v "^#" .gnupg/gpg.conf > personal-cipher-preferences AES256 AES192 AES > personal-digest-preferences SHA512 SHA384 SHA256 > personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed > default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed > cert-digest-algo SHA512 > s2k-digest-algo SHA512 > s2k-cipher-algo AES256 > charset utf-8 > fixed-list-mode > no-comments > no-emit-version > no-greeting > keyid-format 0xlong > list-options show-uid-validity > verify-options show-uid-validity > with-fingerprint > require-cross-certification > no-symkey-cache > use-agent > throw-keyids > keyserver hkps://hkps.pool.sks-keyservers.net > > ? grep -v "^#" .gnupg/gpg-agent.conf > enable-ssh-support > default-cache-ttl 60 > max-cache-ttl 120 > pinentry-program /usr/bin/pinentry-curses > > ? grep -v "^#" .gnupg/scdaemon.conf > pcsc-driver /usr/lib/libpcsclite.so > card-timeout 5 > disable-ccid > > ? ll /usr/lib/libpcsclite.so > lrwxrwxrwx 1 root root 20 19.??en 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0 > > ? sudo systemctl status pcscd.service > ? pcscd.service - PC/SC Smart Card Daemon > Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) > Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago > TriggeredBy: ? pcscd.socket > Docs: man:pcscd(8) > Main PID: 54997 (pcscd) > Tasks: 5 (limit: 19134) > Memory: 1.8M > CGroup: /system.slice/pcscd.service > ??54997 /usr/bin/pcscd --foreground --auto-exit > > srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon. > srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed > srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011) > srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. > srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed > srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011) > srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. > > ^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly. > > ? cat /etc/opensc.conf > app default { > # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC > # can handle both to access keys and certificates, but only one at a time. > card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 { > name = "Yubikey 4"; > # Select the PKI applet to use ("PIV-II" or "openpgp") > driver = "openpgp"; > # Recover from other applications accessing a different applet > flags = "keep_alive"; > } > } > > ? cat /usr/share/p11-kit/modules/opensc.module > module: opensc-pkcs11.so > > ? p11tool --list-tokens > Token 0: > URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust > Label: System Trust > Type: Trust module > Flags: uPIN uninitialized > Manufacturer: PKCS#11 Kit > Model: p11-kit-trust > Serial: 1 > Module: p11-kit-trust.so > > Token 1: > URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust > Label: Default Trust > Type: Trust module > Flags: uPIN uninitialized > Manufacturer: PKCS#11 Kit > Model: p11-kit-trust > Serial: 1 > Module: p11-kit-trust.so > > Token 2: > URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00 > Label: OpenPGP card (User PIN) > Type: Hardware token > Flags: Requires login > Manufacturer: Yubico > Model: PKCS#15 emulated > Serial: XXXXXXXXXXXX > Module: opensc-pkcs11.so > > Token 3: > URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00 > Label: OpenPGP card (User PIN (sig)) > Type: Hardware token > Flags: Requires login > Manufacturer: Yubico > Model: PKCS#15 emulated > Serial: XXXXXXXXXXXX > Module: opensc-pkcs11.so > > ? pkcs11-tool -O --login > Using slot 0 with a present token (0x0) > Logging in to "OpenPGP card (User PIN)". > Please enter User PIN: > Private Key Object; RSA > label: Encryption key > ID: 02 > Usage: decrypt, unwrap > Access: sensitive, always sensitive, never extractable, local > Public Key Object; RSA 4096 bits > label: Encryption key > ID: 02 > Usage: encrypt, wrap > Access: none > Private Key Object; RSA > label: Authentication key > ID: 03 > Usage: decrypt, sign, non-repudiation, unwrap > Access: sensitive, always sensitive, never extractable, local > Public Key Object; RSA 4096 bits > label: Authentication key > ID: 03 > Usage: encrypt, verify, wrap > Access: none > > ? Relevant part from .zshrc > unset SSH_AGENT_PID > if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then > export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" > fi > export GPG_TTY=$(tty) > gpg-connect-agent updatestartuptty /bye >/dev/null > > ? ssh-add -L > Error connecting to agent: No such file or directory > > ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX > > So, any ideas which tambourine should I pick this time? Todays tambourine turned out to be transitioning to systemd services as per [4] and attempting to do something about gpg-agent-ssh.socket. For me, systemd units are more pleasant to work with, because there is a single standard way to query them and to see their logs. Now, this took extra time, because apparently restart on a .socket didn't work, most probably because of space radiation. Or maybe just systemd things. Anyway. Stop and latter start restarted the socket and I attempted to use git, which hinted me to the next error I already knew. Which is the requirement to have `gpg-connect-agent updatestartuptty /bye` in shellrc file [5] (I removed the previous paste above, leaving only SSH_AUTH_SOCK export). This is what works in .zshrc as of now: export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" export GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null I should also point attention to the fact that `gpgconf --kill/reload gpg-agent/all`, attempted probably a hundred times by now, had no impact on the borked socket. Perhaps I was doing something wrong. Or not. > > [0] https://github.com/drduh/YubiKey-Guide > [1] https://wiki.archlinux.org/index.php/GnuPG#SSH_agent > [2] https://wiki.archlinux.org/index.php/GnuPG#Smartcards > [3] https://wiki.archlinux.org/index.php/Smartcards [4] [5] > > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From bereska at hotmail.com Sat Aug 22 22:14:38 2020 From: bereska at hotmail.com (bereska) Date: Sat, 22 Aug 2020 23:14:38 +0300 Subject: The infinite struggle of Yubikey, GPG and SSH In-Reply-To: References: Message-ID: try this: gpg -k --with-subkey-fingerprint --with-keygrip avemilia take a note of the keygrip of your authentication key [A] echo your-[A]-keygrip > ~/.gnupg/sshcontrol gpgconf --reload all On 22.08.2020 19:09, Ave Milia via Gnupg-users wrote: > What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks that I can't get to that point, so I decided to ask for help here. > > The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it. > > Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory". > > I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there has been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't. > > What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together. > > ? inxi -Sz > System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux > > > ? ykman info > Device type: YubiKey 4 > Serial number: XXXXXXX > Firmware version: 4.3.5 > Enabled USB interfaces: OTP+FIDO+CCID > > Applications > OTP Enabled > FIDO U2F Enabled > OpenPGP Enabled > PIV Enabled > OATH Enabled > FIDO2 Not available > > > ? ykman openpgp info > OpenPGP version: 2.1 > Application version: 4.3.5 > > PIN tries remaining: 10 > Reset code tries remaining: 0 > Admin PIN tries remaining: 10 > > Touch policies > Signature key On > Encryption key On > Authentication key On > > > ? gpg --version > gpg (GnuPG) 2.2.21 > libgcrypt 1.8.6 > > > ? gpg -K > /home/ave/.gnupg/pubring.kbx > ---------------------------- > sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C] > Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC > uid [ultimate] Ave Milia > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S] > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E] > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A] > > > ? gpg --card-status > Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 > Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > Application type .: OpenPGP > Version ..........: 2.1 > Manufacturer .....: Yubico > Serial number ....: XXXXXXX > Name of cardholder: Ave Milia > Language prefs ...: en > Salutation .......: Mr. > URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC > Login data .......: [not set] > Signature PIN ....: not forced > Key attributes ...: rsa4096 rsa4096 rsa4096 > Max. PIN lengths .: 127 127 127 > PIN retry counter : 10 0 10 > Signature counter : 5 > Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:13:49 > Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:14:37 > Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:15:07 > General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia > sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > card-no: XXXX XXXXXXXX > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > card-no: XXXX XXXXXXXX > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > card-no: XXXX XXXXXXXX > > > ? gpgconf --list-dirs > sysconfdir:/etc/gnupg > bindir:/usr/bin > libexecdir:/usr/lib/gnupg > libdir:/usr/lib/gnupg > datadir:/usr/share/gnupg > localedir:/usr/share/locale > socketdir:/run/user/1000/gnupg > dirmngr-socket:/run/user/1000/gnupg/S.dirmngr > agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh > agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra > agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser > agent-socket:/run/user/1000/gnupg/S.gpg-agent > homedir:/home/ave/.gnupg > > > ? grep -v "^#" .gnupg/gpg.conf > personal-cipher-preferences AES256 AES192 AES > personal-digest-preferences SHA512 SHA384 SHA256 > personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed > default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed > cert-digest-algo SHA512 > s2k-digest-algo SHA512 > s2k-cipher-algo AES256 > charset utf-8 > fixed-list-mode > no-comments > no-emit-version > no-greeting > keyid-format 0xlong > list-options show-uid-validity > verify-options show-uid-validity > with-fingerprint > require-cross-certification > no-symkey-cache > use-agent > throw-keyids > keyserver hkps://hkps.pool.sks-keyservers.net > > > ? grep -v "^#" .gnupg/gpg-agent.conf > enable-ssh-support > default-cache-ttl 60 > max-cache-ttl 120 > pinentry-program /usr/bin/pinentry-curses > > > ? grep -v "^#" .gnupg/scdaemon.conf > pcsc-driver /usr/lib/libpcsclite.so > card-timeout 5 > disable-ccid > > > ? ll /usr/lib/libpcsclite.so > lrwxrwxrwx 1 root root 20 19.??en 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0 > > > ? sudo systemctl status pcscd.service > ? pcscd.service - PC/SC Smart Card Daemon > Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) > Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago > TriggeredBy: ? pcscd.socket > Docs: man:pcscd(8) > Main PID: 54997 (pcscd) > Tasks: 5 (limit: 19134) > Memory: 1.8M > CGroup: /system.slice/pcscd.service > ??54997 /usr/bin/pcscd --foreground --auto-exit > > srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon. > srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed > srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011) > srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. > srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed > srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011) > srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. > > ^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly. > > > ? cat /etc/opensc.conf > app default { > # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC > # can handle both to access keys and certificates, but only one at a time. > card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 { > name = "Yubikey 4"; > # Select the PKI applet to use ("PIV-II" or "openpgp") > driver = "openpgp"; > # Recover from other applications accessing a different applet > flags = "keep_alive"; > } > } > > > ? cat /usr/share/p11-kit/modules/opensc.module > module: opensc-pkcs11.so > > > ? p11tool --list-tokens > Token 0: > URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust > Label: System Trust > Type: Trust module > Flags: uPIN uninitialized > Manufacturer: PKCS#11 Kit > Model: p11-kit-trust > Serial: 1 > Module: p11-kit-trust.so > > > Token 1: > URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust > Label: Default Trust > Type: Trust module > Flags: uPIN uninitialized > Manufacturer: PKCS#11 Kit > Model: p11-kit-trust > Serial: 1 > Module: p11-kit-trust.so > > > Token 2: > URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00 > Label: OpenPGP card (User PIN) > Type: Hardware token > Flags: Requires login > Manufacturer: Yubico > Model: PKCS#15 emulated > Serial: XXXXXXXXXXXX > Module: opensc-pkcs11.so > > > Token 3: > URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00 > Label: OpenPGP card (User PIN (sig)) > Type: Hardware token > Flags: Requires login > Manufacturer: Yubico > Model: PKCS#15 emulated > Serial: XXXXXXXXXXXX > Module: opensc-pkcs11.so > > > ? pkcs11-tool -O --login > Using slot 0 with a present token (0x0) > Logging in to "OpenPGP card (User PIN)". > Please enter User PIN: > Private Key Object; RSA > label: Encryption key > ID: 02 > Usage: decrypt, unwrap > Access: sensitive, always sensitive, never extractable, local > Public Key Object; RSA 4096 bits > label: Encryption key > ID: 02 > Usage: encrypt, wrap > Access: none > Private Key Object; RSA > label: Authentication key > ID: 03 > Usage: decrypt, sign, non-repudiation, unwrap > Access: sensitive, always sensitive, never extractable, local > Public Key Object; RSA 4096 bits > label: Authentication key > ID: 03 > Usage: encrypt, verify, wrap > Access: none > > > ? Relevant part from .zshrc > unset SSH_AGENT_PID > if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then > export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" > fi > export GPG_TTY=$(tty) > gpg-connect-agent updatestartuptty /bye >/dev/null > > > ? ssh-add -L > Error connecting to agent: No such file or directory > > ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX > > > > So, any ideas which tambourine should I pick this time? > > > [0] > [1] > [2] > [3] > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From philihp at gmail.com Sun Aug 23 13:11:47 2020 From: philihp at gmail.com (Philihp Busby) Date: Sun, 23 Aug 2020 11:11:47 +0000 Subject: The infinite struggle of Yubikey, GPG and SSH In-Reply-To: References: Message-ID: <20200823111147.GA6731@valencia.lan> This is quite a painful process; I went through a similar journey on macOS. For me, it seemed that GPG was expecting my master key to be in the signing key slot on my Yubikey. What helped me debug this was turning on logging with gpg-agent, and guru-level logging on scdaemon... have you tried that? As the current issue is with gpg-agent, has it been confirmed that it will work fine repeatedly with keys on your hard drive? Also there isn't any reason to redact your key/subkey fingerprints. If it helps you stay sane, I can say with confidence that this setup is possible with your hardware. I blogged about it here , although ssh over gpg-agent just worked out of the box so I didn't go into any detail. On 2020-08-22T16:09:35+0000 Ave Milia via Gnupg-users wrote 13K bytes: > What I want: Yubikey contains GPG subkeys. Master key is elsewhere. SSH is controlled by GPG agent. SSH key from Yubikey is automatically enrolled and used for connection to git remote. And it "just works". It's been two weeks that I can't get to that point, so I decided to ask for help here. > > The most depressing fact is sometimes it works, and the other time it doesn't. And I never know why. And I don't know how to fix it. > > Current problem: ssh-add -L returns "Error connecting to agent: No such file or directory". > > I have followed [0] to generate and load GPG keys into Yubikey. It didn't work well (I don't remember what exactly was failing, there has been a million issues at this point and I don't know what I'm doing anymore), so I started to dig deeper and tried information from [1] [2] [3]. The result of it is that I can do a git pull once and it works, then I do another git pull and it doesn't. > > What I have tried: relogging, launching new terminal, gpgconf --reload all, systemctl restart pcscd, Yubikey replug. Everything alone and everything together. > > ? inxi -Sz > System: Kernel: 5.7.14-1-MANJARO x86_64 bits: 64 Desktop: i3 4.18.2 Distro: Manjaro Linux > > > ? ykman info > Device type: YubiKey 4 > Serial number: XXXXXXX > Firmware version: 4.3.5 > Enabled USB interfaces: OTP+FIDO+CCID > > Applications > OTP Enabled > FIDO U2F Enabled > OpenPGP Enabled > PIV Enabled > OATH Enabled > FIDO2 Not available > > > ? ykman openpgp info > OpenPGP version: 2.1 > Application version: 4.3.5 > > PIN tries remaining: 10 > Reset code tries remaining: 0 > Admin PIN tries remaining: 10 > > Touch policies > Signature key On > Encryption key On > Authentication key On > > > ? gpg --version > gpg (GnuPG) 2.2.21 > libgcrypt 1.8.6 > > > ? gpg -K > /home/ave/.gnupg/pubring.kbx > ---------------------------- > sec# rsa4096/0xF971F82552850CEC 2020-08-11 [C] > Key fingerprint = 3A3F 8B8B 7A45 77FE D7C8 A955 F971 F825 5285 0CEC > uid [ultimate] Ave Milia > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [S] > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [E] > ssb> rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 [A] > > > ? gpg --card-status > Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00 > Application ID ...: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > Application type .: OpenPGP > Version ..........: 2.1 > Manufacturer .....: Yubico > Serial number ....: XXXXXXX > Name of cardholder: Ave Milia > Language prefs ...: en > Salutation .......: Mr. > URL of public key : https://keys.openpgp.org/vks/v1/by-fingerprint/3A3F8B8B7A4577FED7C8A955F971F82552850CEC > Login data .......: [not set] > Signature PIN ....: not forced > Key attributes ...: rsa4096 rsa4096 rsa4096 > Max. PIN lengths .: 127 127 127 > PIN retry counter : 10 0 10 > Signature counter : 5 > Signature key ....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:13:49 > Encryption key....: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:14:37 > Authentication key: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX > created ....: 2020-08-11 20:15:07 > General key info..: sub rsa4096/0xXXXXXXXXXXXXXXXX 2020-08-11 Ave Milia > sec# rsa4096/0xF971F82552850CEC created: 2020-08-11 expires: never > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > card-no: XXXX XXXXXXXX > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > card-no: XXXX XXXXXXXX > ssb> rsa4096/0xXXXXXXXXXXXXXXXX created: 2020-08-11 expires: never > card-no: XXXX XXXXXXXX > > > ? gpgconf --list-dirs > sysconfdir:/etc/gnupg > bindir:/usr/bin > libexecdir:/usr/lib/gnupg > libdir:/usr/lib/gnupg > datadir:/usr/share/gnupg > localedir:/usr/share/locale > socketdir:/run/user/1000/gnupg > dirmngr-socket:/run/user/1000/gnupg/S.dirmngr > agent-ssh-socket:/run/user/1000/gnupg/S.gpg-agent.ssh > agent-extra-socket:/run/user/1000/gnupg/S.gpg-agent.extra > agent-browser-socket:/run/user/1000/gnupg/S.gpg-agent.browser > agent-socket:/run/user/1000/gnupg/S.gpg-agent > homedir:/home/ave/.gnupg > > > ? grep -v "^#" .gnupg/gpg.conf > personal-cipher-preferences AES256 AES192 AES > personal-digest-preferences SHA512 SHA384 SHA256 > personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed > default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed > cert-digest-algo SHA512 > s2k-digest-algo SHA512 > s2k-cipher-algo AES256 > charset utf-8 > fixed-list-mode > no-comments > no-emit-version > no-greeting > keyid-format 0xlong > list-options show-uid-validity > verify-options show-uid-validity > with-fingerprint > require-cross-certification > no-symkey-cache > use-agent > throw-keyids > keyserver hkps://hkps.pool.sks-keyservers.net > > > ? grep -v "^#" .gnupg/gpg-agent.conf > enable-ssh-support > default-cache-ttl 60 > max-cache-ttl 120 > pinentry-program /usr/bin/pinentry-curses > > > ? grep -v "^#" .gnupg/scdaemon.conf > pcsc-driver /usr/lib/libpcsclite.so > card-timeout 5 > disable-ccid > > > ? ll /usr/lib/libpcsclite.so > lrwxrwxrwx 1 root root 20 19.??en 21.40 /usr/lib/libpcsclite.so -> libpcsclite.so.1.0.0 > > > ? sudo systemctl status pcscd.service > ? pcscd.service - PC/SC Smart Card Daemon > Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) > Active: active (running) since Sat 2020-08-22 17:47:28 CEST; 50s ago > TriggeredBy: ? pcscd.socket > Docs: man:pcscd(8) > Main PID: 54997 (pcscd) > Tasks: 5 (limit: 19134) > Memory: 1.8M > CGroup: /system.slice/pcscd.service > ??54997 /usr/bin/pcscd --foreground --auto-exit > > srp 22 17:47:28 ave-pc systemd[1]: Started PC/SC Smart Card Daemon. > srp 22 17:47:28 ave-pc pcscd[54997]: 00000000 ifdhandler.c:150:CreateChannelByNameOrChannel() failed > srp 22 17:47:28 ave-pc pcscd[54997]: 00000069 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:0:/dev/bus/usb/003/011) > srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. > srp 22 17:47:28 ave-pc pcscd[54997]: 00007224 ifdhandler.c:150:CreateChannelByNameOrChannel() failed > srp 22 17:47:28 ave-pc pcscd[54997]: 00000016 readerfactory.c:1105:RFInitializeReader() Open Port 0x200000 Failed (usb:1050/0407:libudev:1:/dev/bus/usb/003/011) > srp 22 17:47:28 ave-pc pcscd[54997]: 00000002 readerfactory.c:376:RFAddReader() Yubico YubiKey OTP+FIDO+CCID init failed. > > ^^^ Despite pcscd errors, in my experience this is orthogonal to whether Yubikey/GPG/SSH is in the mood for working correctly. > > > ? cat /etc/opensc.conf > app default { > # Yubikey is known to have the PIV applet and the OpenPGP applet. OpenSC > # can handle both to access keys and certificates, but only one at a time. > card_atr 3b:f8:13:00:00:81:31:fe:15:59:75:62:69:6b:65:79:34:d4 { > name = "Yubikey 4"; > # Select the PKI applet to use ("PIV-II" or "openpgp") > driver = "openpgp"; > # Recover from other applications accessing a different applet > flags = "keep_alive"; > } > } > > > ? cat /usr/share/p11-kit/modules/opensc.module > module: opensc-pkcs11.so > > > ? p11tool --list-tokens > Token 0: > URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust > Label: System Trust > Type: Trust module > Flags: uPIN uninitialized > Manufacturer: PKCS#11 Kit > Model: p11-kit-trust > Serial: 1 > Module: p11-kit-trust.so > > > Token 1: > URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust > Label: Default Trust > Type: Trust module > Flags: uPIN uninitialized > Manufacturer: PKCS#11 Kit > Model: p11-kit-trust > Serial: 1 > Module: p11-kit-trust.so > > > Token 2: > URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%29%00%00%00%00%00%00%00%00%00 > Label: OpenPGP card (User PIN) > Type: Hardware token > Flags: Requires login > Manufacturer: Yubico > Model: PKCS#15 emulated > Serial: XXXXXXXXXXXX > Module: opensc-pkcs11.so > > > Token 3: > URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Yubico;serial=XXXXXXXXXXXX;token=OpenPGP%20card%20%28User%20PIN%20%28sig%29%29%00%00%00 > Label: OpenPGP card (User PIN (sig)) > Type: Hardware token > Flags: Requires login > Manufacturer: Yubico > Model: PKCS#15 emulated > Serial: XXXXXXXXXXXX > Module: opensc-pkcs11.so > > > ? pkcs11-tool -O --login > Using slot 0 with a present token (0x0) > Logging in to "OpenPGP card (User PIN)". > Please enter User PIN: > Private Key Object; RSA > label: Encryption key > ID: 02 > Usage: decrypt, unwrap > Access: sensitive, always sensitive, never extractable, local > Public Key Object; RSA 4096 bits > label: Encryption key > ID: 02 > Usage: encrypt, wrap > Access: none > Private Key Object; RSA > label: Authentication key > ID: 03 > Usage: decrypt, sign, non-repudiation, unwrap > Access: sensitive, always sensitive, never extractable, local > Public Key Object; RSA 4096 bits > label: Authentication key > ID: 03 > Usage: encrypt, verify, wrap > Access: none > > > ? Relevant part from .zshrc > unset SSH_AGENT_PID > if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then > export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" > fi > export GPG_TTY=$(tty) > gpg-connect-agent updatestartuptty /bye >/dev/null > > > ? ssh-add -L > Error connecting to agent: No such file or directory > > ^^^ Should give: ssh-rsa [...] cardno:XXXXXXXXXXXX > > > > So, any ideas which tambourine should I pick this time? > > > [0] > [1] > [2] > [3] > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From aajaxx at gmail.com Sun Aug 23 16:41:24 2020 From: aajaxx at gmail.com (Ajax) Date: Sun, 23 Aug 2020 14:41:24 +0000 Subject: gpg-agent is older than us In-Reply-To: <20200822002253.GA170972@fullerene.field.pennock-tech.net> References: <20200822002253.GA170972@fullerene.field.pennock-tech.net> Message-ID: Thank you Phil, /usr/bin/gpg-agent is started by systemd and I think it should be left as it is for the Debian package manager to use with /usr/bin/gpg. Why cannot ~/bin/gpg use ~/bin/gpg-agent? Is it true that gpg in $HOME or /usr/local should work independently from /usr/bin/gpg? On Sat, Aug 22, 2020 at 12:22 AM Phil Pennock wrote: > > On 2020-08-21 at 19:00 +0000, Ajax via Gnupg-users wrote: > > On a Debian box, 'gpg -K' gives "server 'gpg-agent' is older than us > > (2.2.12 < 2.2.21)". 2.2.21 was built using speedo in my home > > directory populating ~/bin which appears at the head of $PATH. The > > commands 'which gpg' and 'which gpg-agent' both point to ~/bin. > > 2.2.12 would have been installed by the Debian package manager with > > /usr/bin/gpg-agent. How can I cause '~/bin/gpg -K' to use > > '~/bin/gp-agent' and omit "older than us" warning? > > How is gpg-agent being _started_? Is it systemd? > > If so, go to and scroll down to > "Users of systemd with vendor-installed socket activation of gpg-agent > will have to weigh their options carefully" neat the bottom; it's one of > the bullet points for the `optgnupg-gnupg` package. It talks about how > to change the gpg-agent which systemd will launch for you. > > Those are the steps I use on an Ubuntu system to swap out > /usr/bin/gpg-agent in favour of /opt/gnupg/bin/gpg-agent. > > -Phil From bernhard at intevation.de Mon Aug 24 09:57:16 2020 From: bernhard at intevation.de (Bernhard Reiter) Date: Mon, 24 Aug 2020 09:57:16 +0200 Subject: WKD question In-Reply-To: References: <20200727220007.00003593.sac@300baud.de> <87v9hyu7gu.fsf@wheatstone.g10code.de> Message-ID: <202008240957.24827.bernhard@intevation.de> Am Dienstag 04 August 2020 18:17:56 schrieb Dmitry Alexandrov: > it would be nice, if GPG were not interpreting locating an > expired key as success, but continued with the next method instead: This is related to https://dev.gnupg.org/T5028 (gpg --locate-key should refetch via wkd, if configured and no good pubkey found) Bernhard -- www.intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From bernhard at intevation.de Mon Aug 24 10:00:17 2020 From: bernhard at intevation.de (Bernhard Reiter) Date: Mon, 24 Aug 2020 10:00:17 +0200 Subject: Gnupg-users logo In-Reply-To: <20200815011528.00005c66@300baud.de> References: <20200814200357.iiamutzibxbjw37a@rain.local> <20200815011528.00005c66@300baud.de> Message-ID: <202008241000.17583.bernhard@intevation.de> Am Samstag 15 August 2020 01:15:28 schrieb Stefan Claas: > > Do you prefer this? > > > > ? ? https://0x0.st/iYel.jpg > > Yes. :-) Nice. What is the license on the artwork? Bernhard -- www.intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From guille.hdelatorre at gmail.com Mon Aug 24 08:08:46 2020 From: guille.hdelatorre at gmail.com (Guille De La Torre) Date: Mon, 24 Aug 2020 01:08:46 -0500 Subject: Password Decript GPG public key Message-ID: Hello good evening, is it possible to create a key for symmetric encryption in such a way that the person who has my public key does not need to enter a password? to decrypt. I appreciate your kind response. regards -------------- next part -------------- An HTML attachment was scrubbed... URL: From johanw at vulcan.xs4all.nl Mon Aug 24 20:53:17 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon, 24 Aug 2020 20:53:17 +0200 Subject: Password Decript GPG public key In-Reply-To: References: Message-ID: <9e2a2cea-6702-61b1-16c4-65422f8b0d76@vulcan.xs4all.nl> On 24-08-2020 8:08, Guille De La Torre via Gnupg-users wrote: > Hello good evening, is it possible to create a key for symmetric > encryption in such a way that the person who has my public key does not > need to enter a password? to decrypt. The receiver uses your public key only to encrypt and verify. If you send him encrypted mail you need HIS public key to encrypt the message, and the receiver needs his secret key to decrypt it. If the receiver protects his secret key with a password is something you have no influence over. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From vedaal at nym.hush.com Mon Aug 24 21:28:33 2020 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Mon, 24 Aug 2020 15:28:33 -0400 Subject: Password Decript GPG public key In-Reply-To: Message-ID: <20200824192833.F122D802061@smtp.hushmail.com> On 8/24/2020 at 8:36 AM, "Guille De La Torre via Gnupg-users" wrote: > is it possible to create a key for symmetric encryption >in such a way that the person who has my public key does not need >to enter a password? to decrypt. ===== No. and Yes. 8^) It is not possible that the person does not have to enter 'anything' to decrypt. But is it possible for you both to have a secret symmetric passphrase you share by sending your public key, if you create a public key, and don't post it anywhere or encrypt or sign anything with it, and send that public key, encrypted, to the intended receiver's public key. Now, use the key name and long fingerprint as the password for the symmetric encryption. Example: Here is a key created for this purpose: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 Comment: Acts of Kindness better the World, and protect the Soul mQENBF9EEJEBCADKJIFeU4YaiZOp6tgbOMCp2ax12btTYDBqbnoveqTTwIrHZurX 1Gm2fU0X/c1WqyDbg7F5Kv9vmkn+2NGRD+AOpU6B1SiZny07ZNtgIps10zXIGI3A vgR+77HfhbZE46AK8BYuHriW0OpHmFdK11Zl3uRROA1bgPpmEGNT5dm9UzpQ+xSN 0d6O33pYisHd4E5S+uiroY08cU/i2LV0Q1YPoErtmP6OIkCvMvOWUpy3iEI+szwV db8mm0Cj4c28mYAL3qsJfKc7P8JEufjiAXmYIIsku60fmHEA0RuQtIb1zW/CGAVg 7de5rWR4fit+uyOQwW68BbvYK8VBZgOGP1MlABEBAAG0S214dHpwaHUua2xlbWF1 aiAobm9uLXB1YmxpY2l6ZWQga2V5KSA8bXh0enBodS5rbGVtYXVqQHF3ZWppZG5h bGxkaW9weHoud2RiPokBOQQTAQgAIwUCX0QQkQIbDwcLCQgHAwIBBhUIAgkKCwQW AgMBAh4BAheAAAoJECX/By3f019dnFMIAICCRK3YF3iDkXfcDYLV8+Kq+94BrZfx Bwjn9n+vgldTTtkHP+0AHvQ1QAYVRWH/gPJR7D9bU/oc3A2lWXQzt/wwR1WOogFC 1rDKJtSgPkjpeirEauoXQLiTOUCtNcM2w2Zn8yK9lAvOfdQoaH+RxN8AASYU7QUt 3CtJ7EQpA/dSRkDt5NHVVrhXcih6oCZuGyOoAldT1GB+Tz4BGDhveygWlcR6/e9o kcw6lgwgrPvfjXekQsQ2LeeO+UGcG1ITjjaBPRH6gA1Nlq/wCS/Nj98xoCzCyLab pzUcGdzOz8ScgHY11CfAR7CAlCNzcfOe1J8e3qQogXXgVtJiCB2Jav4= =tAGm -----END PGP PUBLIC KEY BLOCK----- Importing the key gives the following information: User-ID: mxtzphu.klemauj (non-publicized key) Validity: from 2020-08-24 15:10 until forever Certificate type: 2,048-bit RSA Certificate usage: Signing EMails and Files, Encrypting EMails and Files, Certifying other Certificates Key-ID: DFD35F5D Fingerprint: 9D7ECA9BEDF40F804EB26A3C25FF072DDFD35F5D The user id and email address were done by typing semi-randomly at the keyboard. Now use the userid and the long fingerprint as the passphrase for your symmetric encryption: mxtzphu.klemauj at qwejidnalldiopxz.wdb9D7ECA9BEDF40F804EB26A3C25FF072DDFD35F5D Only you and the person you send this key to, will be able to decrypt your symmetrically encrypted messages. vedaal From wk at gnupg.org Tue Aug 25 15:12:45 2020 From: wk at gnupg.org (Werner Koch) Date: Tue, 25 Aug 2020 15:12:45 +0200 Subject: Unknown key in gpg-agent In-Reply-To: <20200814133126.GA18488@ikki.ethgen.ch> (Klaus Ethgen via Gnupg-users's message of "Fri, 14 Aug 2020 14:31:26 +0100") References: <20200814133126.GA18488@ikki.ethgen.ch> Message-ID: <874koq6f8y.fsf@wheatstone.g10code.de> On Fri, 14 Aug 2020 14:31, Klaus Ethgen said: > However, `gpg --list-keys --list-options show-unusable-subkeys > --with-keygrip` does not display this keygrip. You can also use gpg -k \&KEYGRIP to list a key. And with gpgsm use gpgsm -k --with-ephemeral-keys \&KEYGRIP to see whether there is such a key. > Is there any posibility to export that key or get info about that key, > find it whatever? Make a backup of the key and if sometime in the future you run into decrypt problems (or trying to connect to some rareley used server) restore it. > So, ssh-add does not show the key (as well as KEYINFO --ssh-list) and > gpg doesnt show the key. What could have put that key there when it is > none of that commands? A canceled or crashed key generation or import might be the culprit. > By the way, using '&KEYGRIP' does not work with gpg to select a key for > listing by keygrip. Just to be sure, you quoted the ampersand, right. It works for me and some GnuPG components are using it a lot. Just a quick test: $ ~/b/gnupg-2.2/g10/gpg -k \&1BFC2CF9BC9C265E6D3CC6B966C883722C5256C8 gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! pub ed25519 2020-08-24 [SC] [expires: 2030-06-30] 6DAA6E64A76D2840571B4902528897B826403ADA uid [ultimate] Werner Koch (dist signing 2020) using my development version of 2.2 but I can't remember that we ever had a regression. It is a bit slow on a larger keyring, though. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Tue Aug 25 16:03:24 2020 From: wk at gnupg.org (Werner Koch) Date: Tue, 25 Aug 2020 16:03:24 +0200 Subject: Why does gpg -k write to tofu.db? In-Reply-To: <20200811195634.GA14182@lab.bjmgeek.science> (Brian Minton via Gnupg-users's message of "Tue, 11 Aug 2020 14:56:35 -0500") References: <20200811195634.GA14182@lab.bjmgeek.science> Message-ID: <87wo1m4yc3.fsf@wheatstone.g10code.de> On Tue, 11 Aug 2020 14:56, Brian Minton said: > Why does gpg -k need to write to the tofu db? I should mention that gpg > is running at 100% cpu in the R state. Before starting the gpg -k I was not able to replicate it but I must say that I don't have a large useful tofu.db. AFAICS, gpg sometimes updates the tofu.db to track expired bindings. You can have a closer look at hi8t by running gpg -k --debug trust or to disable updates by using gpg -k --dry-run I suspect that the TOFU database scheme is not well suited for large number of keys. In particular not if several gpg processes are running. I also don't like that it stores meta data of all signatures ever verified. Revamping the tofu stuff is on my list but I have not yet found the time (as usual). The Tofu information should be stored along the key and not in a separate database with all its transaction overhead. The optional keyboxd we will provide in 2.3 may help to solve the problems. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From sac at 300baud.de Tue Aug 25 21:20:44 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 25 Aug 2020 21:20:44 +0200 Subject: Password Decript GPG public key In-Reply-To: <20200824192833.F122D802061@smtp.hushmail.com> References: <20200824192833.F122D802061@smtp.hushmail.com> Message-ID: <20200825212044.000056fe@300baud.de> vedaal via Gnupg-users wrote: > > > On 8/24/2020 at 8:36 AM, "Guille De La Torre via Gnupg-users" wrote: > > > is it possible to create a key for symmetric encryption > >in such a way that the person who has my public key does not need > >to enter a password? to decrypt. > > ===== > No. and Yes. 8^) > > It is not possible that the person does not have to enter 'anything' to decrypt. Maybe he could try to use a secret key without a passphrase and give then the secret key personally to his friend? A workflow like this can be done with sequoia-pgp, have not tested with GnuPG. msg.txt: The quick brown fox jumps over the lazy dog. sq key generate -c cv25519 -e key No user ID given, using direct key signature -----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 2E44 985D 3FAC 531F 029F F0EC 005C 8853 963C B85E xVgEX0VhThYJKwYBBAHaRw8BAQdAl00Pc6ZL/UvWA4z9Auvv9iA2HICkZfwJzOwe 6Yg3+8UAAQDqa37jLZ3yzxZVm46R6Kg3vs2thHLjVLdOHa9Bp+LC+RLpwocEHxYK ABgFgl9FYU4FiQWkj70CCwkCFQoCmwECHgEAIQkQAFyIU5Y8uF4WIQQuRJhdP6xT HwKf8OwAXIhTljy4Xg4EAQD61fVvaPLLhoglET9SR16mjUQumIgU/LdGs7gSS0nm kQD+M6GvdSjckDpf/cFutnir8OmOrg6ILpvFFrRVhVqPQQzHWARfRWFOFgkrBgEE AdpHDwEBB0BtUk9+bJA8zfYDht94kfQjmEitlykWjccx5LWh7VHJOQABAJiL7HXP KF+H2XfrbCspU1y15mdbk0o84qlTlPDBMGV9ELfCwDgEGBYKABIFgl9FYU4FiQWk j70CmwICHgEAmAkQAFyIU5Y8uF52oAQZFgoABgWCX0VhTgAhCRCSUbL52YRWFhYh BDnBZTfNWRsc6RHMj5JRsvnZhFYWUqMBAOlBob9vZLRf78Y2G0ReyrraIr5WnBzV NDKr6lIHuUINAQDOqSHYXJNZ9i6kT9mu7INTAD0U9j8WlsTHDEYHkiMhBxYhBC5E mF0/rFMfAp/w7ABciFOWPLhe5iwBAJxet8cZZI6YfE1qz1pUXSF/XBV/RR0pP6B4 dBYnOgy/AQDJaac+/9o/Rg7MSRMATSZFABhq0gc5NfPXP7J3VA9IAMddBF9FYU4S CisGAQQBl1UBBQEBB0CdQ3BFqAUfHsJCqsCUpupbfXaJqivk26ywapJ4zhgXRAMB CAkAAP9y3NMZM/14jHYw2rkJSS7nGF+QwEAMrFu8StTtkfcI+BF2woEEGBYKABIF gl9FYU4FiQWkj70CmwwCHgEAIQkQAFyIU5Y8uF4WIQQuRJhdP6xTHwKf8OwAXIhT ljy4XsiSAQCwrxIxD4wlh0Q67hksQlp4Tjn0Yq4onRbMQdMqmBHcawD/TnloezC8 ipZshjOeeimN6XXhyg/oJNj2K3+DKJIf4w4= =qQ2b -----END PGP PRIVATE KEY BLOCK----- sq encrypt --recipient-key-file key < msg.txt > msg_enc.txt msg_enc.txt: -----BEGIN PGP MESSAGE----- wV4DOqgrJ15WGrUSAQdAtkxy/GVuxw6MLOZerr2HTLcXlsouSxEiCEp2SZw0UiYw nNK5qmhvslxZErJ3WMsmjGmwqFLTKYAh132HkH9fSDlCF9i1Qv/cGEf0Q2E0F98h 0mcBsvCcpBjLqFzQSEslEOPWEqW3CHbMi6pMZxfU/CcGwNZKfd7m6ccgi3505t41 OuAs/KtlF/qZbyy75mRmDoU8+3SaT9nasQsobFcuET1e4Es3yJZ3RKOdmLE3+FJO u7gYo4wnDfUc =YTSR -----END PGP MESSAGE----- sq decrypt --secret-key-file key < msg_enc.txt > output.txt Encrypted using AES with 256-bit key Compressed using ZIP output.txt: The quick brown fox jumps over the lazy dog. Regards Stefan From vedaal at nym.hush.com Tue Aug 25 22:09:01 2020 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 25 Aug 2020 16:09:01 -0400 Subject: Password Decript GPG public key In-Reply-To: <20200825212044.000056fe@300baud.de> References: <20200824192833.F122D802061@smtp.hushmail.com> <20200825212044.000056fe@300baud.de> Message-ID: <20200825200901.B27D8802066@smtp.hushmail.com> On 8/25/2020 at 3:21 PM, "Stefan Claas" wrote: >Maybe he could try to use a secret key without a passphrase and >give then the secret key personally to his friend? ===== And just have the ascii armored text of the secret key as the passphrase for the symmetrically encrypted text? There still needs to be a way to 'enter' it as the 'passphrase'. If the OP doesn't mind saving it in a file-decsriptor way, that would work, but it would work the same as the secret key had a passphrase, or even if it was an unpublished public key. vedaal From sac at 300baud.de Tue Aug 25 22:19:30 2020 From: sac at 300baud.de (Stefan Claas) Date: Tue, 25 Aug 2020 22:19:30 +0200 Subject: Password Decript GPG public key In-Reply-To: <20200825200901.B27D8802066@smtp.hushmail.com> References: <20200824192833.F122D802061@smtp.hushmail.com> <20200825212044.000056fe@300baud.de> <20200825200901.B27D8802066@smtp.hushmail.com> Message-ID: <20200825221930.0000230d@300baud.de> vedaal at nym.hush.com wrote: > > > On 8/25/2020 at 3:21 PM, "Stefan Claas" wrote: > > > >Maybe he could try to use a secret key without a passphrase and > >give then the secret key personally to his friend? > > ===== > > And just have the ascii armored text of the secret key as the passphrase for the symmetrically encrypted text? > > There still needs to be a way to 'enter' it as the 'passphrase'. If the OP doesn't mind saving it in a file-decsriptor way, > that would work, but it would work the same as the secret key had a passphrase, or even if it was an unpublished public key. Well, as we know GnuPG uses hybrid encryption when using public key encryption, so why use then direct symmetric encryption with a passphrase, if the shown workflow would work also with GnuPG? What I have shown would allow a group of people to use the same secret-key, among them, without having a public key to share (found on a keyservers ...) and without using a passphrase (preferably on an offline device). Regards Stefan From klaus at ethgen.ch Tue Aug 25 17:13:38 2020 From: klaus at ethgen.ch (Klaus Ethgen) Date: Tue, 25 Aug 2020 16:13:38 +0100 Subject: Unknown key in gpg-agent In-Reply-To: <874koq6f8y.fsf@wheatstone.g10code.de> References: <20200814133126.GA18488@ikki.ethgen.ch> <874koq6f8y.fsf@wheatstone.g10code.de> Message-ID: <20200825151338.GE20266@ikki.ethgen.ch> Hi Werner, Am Di den 25. Aug 2020 um 14:12 schrieb Werner Koch: > Just to be sure, you quoted the ampersand, right. It works for me and > some GnuPG components are using it a lot. Just a quick test: ~> gpg --version gpg (GnuPG) 2.2.20 libgcrypt 1.8.6 ... ~> gpg --list-secret-keys /home/klaus/.gnupg/pubring.gpg ------------------------------ sec> rsa4096/0x79D0B06F4E20AF1C 2011-05-16 [C] [verf?llt: 2050-12-31] Schl.-Fingerabdruck = 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C Keygrip = E9CAF66DDA858EE60D654C864BB8E12E41C78242 ... ~> gpg -k \&E9CAF66DDA858EE60D654C864BB8E12E41C78242 gpg: keydb_search failed: Invalid argument gpg: error reading key: Invalid argument Sure I did use quoting for "&". Gru? Klaus -- Klaus Ethgen http://www.ethgen.ch/ pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 688 bytes Desc: not available URL: From wk at gnupg.org Wed Aug 26 11:29:39 2020 From: wk at gnupg.org (Werner Koch) Date: Wed, 26 Aug 2020 11:29:39 +0200 Subject: Unknown key in gpg-agent In-Reply-To: <20200825151338.GE20266@ikki.ethgen.ch> (Klaus Ethgen via Gnupg-users's message of "Tue, 25 Aug 2020 16:13:38 +0100") References: <20200814133126.GA18488@ikki.ethgen.ch> <874koq6f8y.fsf@wheatstone.g10code.de> <20200825151338.GE20266@ikki.ethgen.ch> Message-ID: <87r1rt92m4.fsf@wheatstone.g10code.de> Hi! it works for me: $ ~/b/gnupg-2.2/g10/gpg -k \&E9CAF66DDA858EE60D654C864BB8E12E41C78242 gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! pub rsa4096 2011-05-16 [C] [expires: 2050-12-31] 85D4CA42952C949B175362B379D0B06F4E20AF1C [...] The difference is that you use the legacy pubring.gpg and I use the pubring.kbx. It is quite possible that keygrip based lookup does not work with the old format - I have not checked. Try this: --8<---------------cut here---------------start------------->8--- cd ~/.gnupg gpg --export-options backup --export >allkeys.gpg mv pubring.gpg pubring.gpg-saved gpg --import-options restore --import 8--- Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Thu Aug 27 15:19:56 2020 From: wk at gnupg.org (Werner Koch) Date: Thu, 27 Aug 2020 15:19:56 +0200 Subject: [Announce] GnuPG 2.2.22 released Message-ID: <87r1rs6xab.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new GnuPG release: version 2.2.22. This is maintenace release with some minor changes. See below for details. What is GnuPG ============= The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation of the OpenPGP and S/MIME standards. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. The separate library GPGME provides a uniform API to use the GnuPG engine by software written in common programming languages. A wealth of frontend applications and libraries making use of GnuPG are available. As an universal crypto engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Noteworthy changes in version 2.2.22 ==================================== * gpg: Change the default key algorithm to rsa3072. * gpg: Add regular expression support for Trust Signatures on all platforms. [#4843] * gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option. [#4991] * gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021] * gpgsm: Make rsaPSS a de-vs compliant scheme. * gpgsm: Show also the SHA256 fingerprint in key listings. * gpgsm: Do not require a default keyring for --gpgconf-list. [#4867] * gpg-agent: Default to extended key format and record the creation time of keys. Add new option --disable-extended-key-format. * gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016] * gpg-agent: Allow using --gpgconf-list even if HOME does not exist. [#4866] * gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string. [#4137] * scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present. * dirmngr: Better handle systems with disabled IPv6. [#4977] * gpgpslit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4. [#5023] * gpgtar: Handle Unicode file names on Windows correctly (requires libgpg-error 1.39). [#4083] * gpgtar: Make --files-from and --null work as documented. [#5027] * Build the Windows installer with the new Ntbtls 0.2.0 so that TLS connections succeed for servers demanding GCM. Release-info: https://dev.gnupg.org/T5030 Getting the Software ==================== Please follow the instructions found at or read on: GnuPG 2.2.22 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.22.tar.bz2 (6932k) https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.22.tar.bz2.sig An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here: https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.22_20200827.exe (4183k) https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.22_20200827.exe.sig The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. A new version of the GnuPG Desktop for Windows (aka Gpg4win) featuring this version of GnuPG will be released shortly. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.22.tar.bz2 you would use this command: gpg --verify gnupg-2.2.22.tar.bz2.sig gnupg-2.2.22.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.22.tar.bz2, you run the command like this: sha1sum gnupg-2.2.22.tar.bz2 and check that the output matches the next line: 6afc2f6b20d42f243d039a1f19abde6d55b7632e gnupg-2.2.22.tar.bz2 849577288146cda3befc6a024ba8a4a225a8f070 gnupg-w32-2.2.22_20200827.tar.xz 4d080669656b108fb9f2d7be11043ca01d67a6e4 gnupg-w32-2.2.22_20200827.exe Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated. Documentation and Support ========================= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in thee manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf . You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advise on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. https://wiki.gnupg.org has user contributed information around GnuPG and relate software. In case of build problems specific to this release please first check https://dev.gnupg.org/T5030 for updated information. Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support go to or . If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Thanks ====== Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and currently mostly financed by donations. Two full-time employed developers as well as two contractor exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win. We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists. Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks. Happy hacking, Your GnuPG hackers p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. p.p.s List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2021-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa3072 2017-03-17 [expires: 2027-03-15] Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) ed25519 2020-08-24 [expires: 2030-06-30] Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA Werner Koch (dist signing 2020) The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From mlnl at mailbox.org Fri Aug 28 21:39:39 2020 From: mlnl at mailbox.org (mlnl) Date: Fri, 28 Aug 2020 21:39:39 +0200 Subject: [Announce] GnuPG 2.2.22 released Message-ID: <20200828213939.48f937b4@localhost> Hi, today, i have compiled 2.2.22 under Debian Buster. Decryption of files fail in terminal. Decryption of e-mails with Claws-Mail fail too. For Claws i had compiled and installed gpgme-1.12.1. I'm using a Yubikey for key storage & usage. Works flawless with GnuPG 2.2.21. From my gpg-agent.log: 2020-08-28 21:20:46 gpg-agent[23604] SIGUSR2 received - updating card event counter 2020-08-28 21:20:46 gpg-agent[23604] DBG: chan_11 <- ERR 100663297 Allgemeiner Fehler 2020-08-28 21:20:46 gpg-agent[23604] smartcard decryption failed: Allgemeiner Fehler 2020-08-28 21:20:46 gpg-agent[23604] command 'PKDECRYPT' failed: Allgemeiner Fehler 2020-08-28 21:20:46 gpg-agent[23604] DBG: chan_10 -> ERR 100663297 Allgemeiner Fehler 2020-08-28 21:21:05 gpg-agent[23604] smartcard decryption failed: Dateiende 2020-08-28 21:21:05 gpg-agent[23604] command 'PKDECRYPT' failed: Dateiende 2020-08-28 21:21:05 gpg-agent[23604] DBG: chan_10 -> ERR 67125247 Dateiende 2020-08-28 21:21:13 gpg-agent[23604] error accessing card: Daten?bergabe unterbrochen (broken pipe) 2020-08-28 21:21:13 gpg-agent[23604] smartcard decryption failed: Daten?bergabe unterbrochen (broken pipe) 2020-08-28 21:21:13 gpg-agent[23604] command 'PKDECRYPT' failed: Daten?bergabe unterbrochen (broken pipe) 2020-08-28 21:21:13 gpg-agent[23604] DBG: chan_10 -> ERR 67141741 Daten?bergabe unterbrochen (broken pipe) I went back to 2.2.21. -- mlnl From sheogorath at shivering-isles.com Sat Aug 29 16:17:51 2020 From: sheogorath at shivering-isles.com (Sheogorath) Date: Sat, 29 Aug 2020 16:17:51 +0200 Subject: Brace yourself: User-friendly but broken OpenPGP is here Message-ID: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> Hello to everyone, Today I got an encrypted email from a friend that turned out to be undecryptable in first place. After my evolution integration failed, I checked manually using gpg --decrypt. This provided me with the lovely statement of: gpg: encrypted with 4096-bit RSA key, ID FCB98C2A3EC6F601, created 2019-09-04 "Sheogorath " gpg: decryption failed: No secret key First I was confused as this was obviously my key, but why no secret key around? I'm using a smartcard so maybe an issue there? A closer inspection of the key ID showed that it was encrypted with my master key. A key that is not marked to be used for encryption. So how the heck did that happened? Reaching out to the friend I was told that they were using canarymail[1]. This email client for Mac and iOS claims to support OpenPGP. Reaching out to my Mastodon followers I tried to reproduce the issue with someone who never mailed me before and here it got even better. They seem to discover keys using WKD. But they ignore expiry dates and revocations on keys as they listed my old and, as mentioned, revoked keys. So if you get any undecryptable emails in the next few days. Don't worry, your setup is not broken, it's probably just a Mac user using an email client that didn't bother to implement OpenPGP even remotely correct. --- TL;DR: Canarymail[1] implements the encryption part of OpenPGP properly but ignores all the key management parts. From selecting the right encryption key to take care of revoked or expired keys. But they provide a nice GUI and make it easy for people to use this broken implementation so don't wonder if you get some email that require you to get your master secret key out to read them, even when it never allowed to be used for encryption. --- I hope this email help the community to find the right people to fix the problem. I tried to reach out to them via Twitter but so far, no luck. And otherwise to spread at least awareness about the problem. [1]: https://canarymail.io/ -- Signed Sheogorath OpenPGP: https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From johanw at vulcan.xs4all.nl Sat Aug 29 21:50:28 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sat, 29 Aug 2020 21:50:28 +0200 Subject: Brace yourself: User-friendly but broken OpenPGP is here In-Reply-To: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> References: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> Message-ID: On 29-08-2020 16:17, Sheogorath via Gnupg-users wrote: > A closer > inspection of the key ID showed that it was encrypted with my master > key. A key that is not marked to be used for encryption. It would be nice if GnuPG implemented an override option to use this key for decryption anyway. The alternative is that people will fall back to unencrypted mail. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From look at my.amazin.horse Sat Aug 29 22:17:49 2020 From: look at my.amazin.horse (Vincent Breitmoser) Date: Sat, 29 Aug 2020 22:17:49 +0200 Subject: Brace yourself: User-friendly but broken OpenPGP is here In-Reply-To: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> References: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> Message-ID: <2M3QCY033DDU9.2Q2240OABZA4B@my.amazin.horse> > A closer inspection of the key ID showed that it was encrypted with my master > key. A key that is not marked to be used for encryption. So how the heck did > that happened? I believe what you're experiencing here is actually a direct consequence of a GnuPG policy decision: Subkeys that don't have an encryption flag *are* typically allowed for decryption by GnuPG. I suspect it only doesn't work because you are using a smartcard key (or perhaps the policy has changed?). Some more background: I filed an issue with GnuPG for this in 2018, when I received related bug reports for OpenKeychain. Users complained that they received encrypted data they couldn't decrypt with OpenKeychain, but could with GnuPG. I'm aware of at least one bank that does this, as well as a Perl OpenPGP implementation, and now apparently canarymail. GnuPG allows this behavior, so other implementations will in practice rely on it. Hyrum's law: > With a sufficient number of users of an API, > it does not matter what you promise in the contract: > all observable behaviors of your system > will be depended on by somebody. Relevant issue on the GnuPG issue tracker: https://dev.gnupg.org/T4235 For convenience, here's the relevant response from Werner: > I don't see a problem. If you have the private key you can and will use it. > I guess your concern is an oracle? And the response from Andre (GnuPG dev): > Bug compatibility is nothing esoteric or bad especially for a general purpose > backend tool like gnupg. Being open to accepting broken input is a good thing > because it will mean that we can get people out of a "broken tool vendor lock > in". Hope that sheds some light on this. Cheers - V From johanw at vulcan.xs4all.nl Sun Aug 30 00:50:59 2020 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun, 30 Aug 2020 00:50:59 +0200 Subject: Brace yourself: User-friendly but broken OpenPGP is here In-Reply-To: References: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> Message-ID: <17cfaf0e-bced-74ac-4a0d-d486011ea6cb@vulcan.xs4all.nl> I wrote: > It would be nice if GnuPG implemented an override option to use this key > for decryption anyway. Sorry, I see from Vincent's mail that GnuPG already does this but it might be the keycard that is causing this. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Sun Aug 30 16:46:12 2020 From: wk at gnupg.org (Werner Koch) Date: Sun, 30 Aug 2020 16:46:12 +0200 Subject: [Announce] GnuPG 2.2.22 released In-Reply-To: <20200828213939.48f937b4@localhost> (mlnl via Gnupg-users's message of "Fri, 28 Aug 2020 21:39:39 +0200") References: <20200828213939.48f937b4@localhost> Message-ID: <87k0xg5gzv.fsf@wheatstone.g10code.de> On Fri, 28 Aug 2020 21:39, mlnl said: > For Claws i had compiled and installed gpgme-1.12.1. I'm using a Yubikey > for key storage & usage. Works flawless with GnuPG 2.2.21. Please run this command: gpg-connect-agent 'scd getinfo version' /bye and check that the returned version is 2.2.22. Also run the gpg command with option --verbose to get more diagnostics. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Sun Aug 30 16:54:22 2020 From: wk at gnupg.org (Werner Koch) Date: Sun, 30 Aug 2020 16:54:22 +0200 Subject: Brace yourself: User-friendly but broken OpenPGP is here In-Reply-To: <17cfaf0e-bced-74ac-4a0d-d486011ea6cb@vulcan.xs4all.nl> (Johan Wevers's message of "Sun, 30 Aug 2020 00:50:59 +0200") References: <0cf5ae094f6ffb8a14005933ec28e57d31467349.camel@shivering-isles.com> <17cfaf0e-bced-74ac-4a0d-d486011ea6cb@vulcan.xs4all.nl> Message-ID: <87ft845gm9.fsf@wheatstone.g10code.de> On Sun, 30 Aug 2020 00:50, Johan Wevers said: > Sorry, I see from Vincent's mail that GnuPG already does this but it > might be the keycard that is causing this. Right, smartcards are pretty strict in what they accept as input. Thus you can't use certain keys on a smartcard for different purposes. In particular the signing key, which is in most cases also the primary key, allows only signing and even checks the padding. I am not sure whether this works, but the OP could try gpg --try-all-secrets -vd Form the man page: --try-all-secrets Don't look at the key ID as stored in the message but try all secret keys in turn to find the right decryption key. This option forces the behaviour as used by anonymous recipients (created by using --throw-keyids or --hidden-recipient) and might come handy in case where an encrypted message contains a bogus key ID. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From mgorny at gentoo.org Sun Aug 30 17:23:32 2020 From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=) Date: Sun, 30 Aug 2020 17:23:32 +0200 Subject: [Announce] GnuPG 2.2.22 released In-Reply-To: <20200828213939.48f937b4@localhost> References: <20200828213939.48f937b4@localhost> Message-ID: <0d65d3a007c75aef8a1c4eebed6e42a96ab61db0.camel@gentoo.org> On Fri, 2020-08-28 at 21:39 +0200, mlnl via Gnupg-users wrote: > Hi, > > today, i have compiled 2.2.22 under Debian Buster. Decryption of > files fail in terminal. Decryption of e-mails with Claws-Mail fail too. > For Claws i had compiled and installed gpgme-1.12.1. I'm using a Yubikey > for key storage & usage. Works flawless with GnuPG 2.2.21. > I suppose I'm hitting the same problem. With 2.2.22, I need to manually run 'gpg --card-status' after rebooting to get Nitrokey working. -- Best regards, Micha? G?rny -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 618 bytes Desc: This is a digitally signed message part URL: From bjacke at samba.org Sun Aug 30 20:12:19 2020 From: bjacke at samba.org (=?UTF-8?Q?Bj=c3=b6rn_Jacke?=) Date: Sun, 30 Aug 2020 20:12:19 +0200 Subject: gnupg --fetch-key problems Message-ID: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> Hello Werner, Hello gnupg community, I recently implemented WKD and stumbled over a couple of pitfalls with that. One problem was that after implementing it and watching the server logs I noticed that a number of WKD related http requests were refused with HTTP 403. The User-agent string of those requests was empty/not existing. Taking a closer look at it reveled, that those requests were refused because it were HTTP 1.0 requests. That site's load balancer is rejecting HTTP 1.0 requests usually because those requests are mostly coming from bad robots these days and legit clients use at lease HTTP 1.1. It turned out that gnupg --fetch-key is actually making those HTTP 1.0 requests without user agent string. A rule that forbids HTTP 1.0 requests is not uncommon these days. In order to make gpg users' experience better I suggest that gnupg should not use HTTP 1.0 but at least HTTP 1.1 and also send a user agent header. Actually I think it would be best if gnupg would use libcurl for that. The web server protocols a becoming more and more complex and even HTTP 1.1 might not be good enough for some sites now or in the near future. I guess gnupg doesn't want to implement a valid HTTP 2.0 or QUIC client in the future. Using libcurl would be a simple solution. Also the portability and quality of libcurl is excellent. What do you think? Best regards Bj?rn -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From angel at pgp.16bits.net Mon Aug 31 02:48:54 2020 From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=) Date: Mon, 31 Aug 2020 02:48:54 +0200 Subject: gnupg --fetch-key problems In-Reply-To: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> References: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> Message-ID: <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net> On 2020-08-30 at 20:12 +0200, Bj?rn Jacke via Gnupg-users wrote: > A rule that forbids HTTP 1.0 requests is not uncommon these days. In > order to make gpg users' experience better I suggest that gnupg > should not use HTTP 1.0 but at least HTTP 1.1 and also send a user > agent header. Actually I think it would be best if gnupg would use > libcurl for that. The web server protocols a becoming more and more > complex and even HTTP 1.1 might not be good enough for some sites now > or in the near future. I don't think it's a good idea to block HTTP/1.0 requests. Your system, your choice, of course. HTTP/1.1 would require support for things that currently may not be present, such as chunked transfer encodings, whereas HTTP/1.0 is perfectly fine for the expected use. I agree it should provide an User-Agent, though. From mlnl at mailbox.org Mon Aug 31 09:22:52 2020 From: mlnl at mailbox.org (mlnl) Date: Mon, 31 Aug 2020 09:22:52 +0200 Subject: [Announce] GnuPG 2.2.22 released In-Reply-To: <87k0xg5gzv.fsf@wheatstone.g10code.de> References: <20200828213939.48f937b4@localhost> <87k0xg5gzv.fsf@wheatstone.g10code.de> Message-ID: <20200831092252.16d9be58@localhost> Hi Werner, Werner Koch wrote: > Please run this command: > > gpg-connect-agent 'scd getinfo version' /bye > > and check that the returned version is 2.2.22. Also run the gpg > command with option --verbose to get more diagnostics. $ systemctl --user start gpg-agent.service $ gpg-connect-agent 'scd getinfo version' /bye D 2.2.22 OK And i don't know why, but encryption and decryption works in terminal today (the outputs with --verbose --verbose are looking OK) :) The other thing is Claws-Mail. I can't check signatures or decrypte-mails. With the hint from Micha? G?rny (gpg --card-status) it works. Without gpg --card-status i get (with claws-mail --debug): prefs_gpg.c:668:unset GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1 sgpgme.c:716:setting gpgme CTYPE locale sgpgme.c:723:setting gpgme CTYPE locale to: de_DE.UTF-8 sgpgme.c:730:setting gpgme locale to UTF8: de_DE.UTF-8 sgpgme.c:733:done sgpgme.c:741:setting gpgme MESSAGES locale sgpgme.c:748:setting gpgme MESSAGES locale to: de_DE.UTF-8 sgpgme.c:754:setting gpgme locale to UTF8: de_DE.UTF-8 sgpgme.c:758:done sgpgme.c:767:GpgME Protocol: OpenPGP Version: 2.2.22 (req 1.4.0) Executable: /usr/local/bin/gpg sgpgme.c:767:GpgME Protocol: CMS Version: 2.2.22 (req 2.0.4) Executable: /usr/local/bin/gpgsm sgpgme.c:767:GpgME Protocol: GPGCONF Version: 2.2.22 (req 2.0.4) Executable: /usr/local/bin/gpgconf sgpgme.c:767:GpgME Protocol: Assuan Version: 1.0.0 (req 1.0.0) Executable: /run/user/1000/gnupg/S.gpg-agent sgpgme.c:767:GpgME Protocol: UIServer Version: 1.0.0 (req 1.0.0) Executable: /run/user/1000/gnupg/S.uiserver sgpgme.c:767:GpgME Protocol: Spawn Version: 1.0.0 (req 1.0.0) Executable: /nonexistent prefs_gpg.c:521:Saving GPG config prefs.c:295:Found [GPG] plugin.c:527:Plugin PGP/Core (from file /usr/lib/x86_64-linux-gnu/claws-mail/plugins/pgpcore.so) loaded plugin.c:527:Plugin PGP/inline (from file /usr/lib/x86_64-linux-gnu/claws-mail/plugins/pgpinline.so) loaded plugin.c:527:Plugin PGP/MIME (from file /usr/lib/x86_64-linux-gnu/claws-mail/plugins/pgpmime.so) loaded signature checking: pgpmime.c:189:Checking PGP/MIME signature sgpgme.c:465:data 0x72d1a7190810 (2903 618) mimeview.c:1132:mimeview_check_sig_thread_cb sgpgme.c:110:err code 9 sgpgme.c:110:err code 9 decryption: procheader.c:174:generic_get_one_field: empty line message/rfc822 (offset:0 length:7882 encoding: 6) multipart/encrypted (offset:4131 length:3751 encoding: 6) application/pgp-encrypted (offset:4278 length:11 encoding: 6) application/octet-stream (offset:4414 length:3429 encoding: 6) messageview.c:1400:decrypting message part sgpgme.c:465:data 0x7ffde758bef0 (4414 3429) prefs_gpg.c:668:unset GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1 sgpgme.c:505:can't decrypt (Dateiende) pgpmime.c:343:plain is null! -- mlnl -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 882 bytes Desc: Digitale Signatur von OpenPGP URL: From mgorny at gentoo.org Mon Aug 31 10:01:28 2020 From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=) Date: Mon, 31 Aug 2020 10:01:28 +0200 Subject: [Announce] GnuPG 2.2.22 released In-Reply-To: <20200828213939.48f937b4@localhost> References: <20200828213939.48f937b4@localhost> Message-ID: <44c71449645fedd069b493113f85b7746ff37515.camel@gentoo.org> On Fri, 2020-08-28 at 21:39 +0200, mlnl via Gnupg-users wrote: > Hi, > > today, i have compiled 2.2.22 under Debian Buster. Decryption of > files fail in terminal. Decryption of e-mails with Claws-Mail fail too. > For Claws i had compiled and installed gpgme-1.12.1. I'm using a Yubikey > for key storage & usage. Works flawless with GnuPG 2.2.21. > > From my gpg-agent.log: > > 2020-08-28 21:20:46 gpg-agent[23604] SIGUSR2 received - updating card event counter > 2020-08-28 21:20:46 gpg-agent[23604] DBG: chan_11 <- ERR 100663297 Allgemeiner Fehler > 2020-08-28 21:20:46 gpg-agent[23604] smartcard decryption failed: Allgemeiner Fehler > 2020-08-28 21:20:46 gpg-agent[23604] command 'PKDECRYPT' failed: Allgemeiner Fehler > 2020-08-28 21:20:46 gpg-agent[23604] DBG: chan_10 -> ERR 100663297 Allgemeiner Fehler > > 2020-08-28 21:21:05 gpg-agent[23604] smartcard decryption failed: Dateiende > 2020-08-28 21:21:05 gpg-agent[23604] command 'PKDECRYPT' failed: Dateiende > 2020-08-28 21:21:05 gpg-agent[23604] DBG: chan_10 -> ERR 67125247 Dateiende > > 2020-08-28 21:21:13 gpg-agent[23604] error accessing card: Daten?bergabe unterbrochen (broken pipe) > 2020-08-28 21:21:13 gpg-agent[23604] smartcard decryption failed: Daten?bergabe unterbrochen (broken pipe) > 2020-08-28 21:21:13 gpg-agent[23604] command 'PKDECRYPT' failed: Daten?bergabe unterbrochen (broken pipe) > 2020-08-28 21:21:13 gpg-agent[23604] DBG: chan_10 -> ERR 67141741 Daten?bergabe > unterbrochen (broken pipe) > > I went back to 2.2.21. > Maybe it's the same root cause as https://dev.gnupg.org/T5039 -- Best regards, Micha? G?rny -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 618 bytes Desc: This is a digitally signed message part URL: From wk at gnupg.org Mon Aug 31 10:35:17 2020 From: wk at gnupg.org (Werner Koch) Date: Mon, 31 Aug 2020 10:35:17 +0200 Subject: [Announce] GnuPG 2.2.22 released In-Reply-To: <20200831092252.16d9be58@localhost> (mlnl via Gnupg-users's message of "Mon, 31 Aug 2020 09:22:52 +0200") References: <20200828213939.48f937b4@localhost> <87k0xg5gzv.fsf@wheatstone.g10code.de> <20200831092252.16d9be58@localhost> Message-ID: <87364343i2.fsf@wheatstone.g10code.de> Hi! As a workaround please run --gpg --card-status after plugging in a Gnuk token. We are working on a fix; see https://dev.gnupg.org/T5039 Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From bjacke at samba.org Mon Aug 31 22:59:13 2020 From: bjacke at samba.org (=?UTF-8?Q?Bj=c3=b6rn_Jacke?=) Date: Mon, 31 Aug 2020 22:59:13 +0200 Subject: gnupg --fetch-key problems In-Reply-To: <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net> References: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net> Message-ID: <656cfa7a-898e-d254-317d-32b97211aea7@samba.org> On 31.08.20 02:48, ?ngel wrote: > I don't think it's a good idea to block HTTP/1.0 requests. Your system, > your choice, of course. as I wrote in my provious mail, it is not uncommon that sites are blocking HTTP 1.0 these days. So it is not a good idea to only support HTTP 1.0 in gpg. This makes gpg work suboptimal for it's users. You need to face the fact that HTTP is not available everywhere any more and http clients have also to adopt to what servers support. It's my choice what I configure on my server of course and only for gpg I allow HTTP 1.0 for the needed paths here. I managed to figure out what the problem was but most sites and most users will not. It's up to the gnupg developers to improve the situation for your users. > HTTP/1.1 would require support for things that currently may not be > present, such as chunked transfer encodings, whereas HTTP/1.0 is > perfectly fine for the expected use. see what I wrote above and I already proposed in my previous mail that libcurl would probably a very good idea. Bj?rn -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: OpenPGP digital signature URL: From avemilia at protonmail.com Mon Aug 31 23:03:42 2020 From: avemilia at protonmail.com (Ave Milia) Date: Mon, 31 Aug 2020 21:03:42 +0000 Subject: Windows GPG 2.22.2: ERR 100663354 No data Message-ID: Windows, GPG 2.22.2 from chocolatey (choco install gnupg) While trying to setup gpg-agent to work with SSH key on Yubikey on Windows I have noticed (perhaps unrelated) issue: PS C:\Users\avemilia> gpgconf.exe --kill all PS C:\Users\avemilia> gpgconf.exe --launch all PS C:\Users\avemilia> echo "scd getinfo reader_list" | gpg-connect-agent.exe --decode ERR 100663354 No data PS C:\Users\avemilia> gpgconf.exe --kill all On Linux this gives: ? echo "scd getinfo reader_list" | gpg-connect-agent --decode D 1050:0407:X:0 OK I found two mentions of this issue [0][1]. It seems like this issue was addressed in 2.3.0? Why do I care? I am configuring gpg and ssh on Windows and was reading [2] which mentions this command to determine reader-port value in order to operate only on one smartcard. I am struggling to understand what this error means -- gpg cannot determine the smartcard to use? If so, why does gpg --card-status work? If not, what does the error imply? Can it be one of the reasons why agent forwarding over ssh fails (this is what I was debugging before I met this error)? gpg-agent.conf: enable-ssh-support enable-putty-support default-cache-ttl 60 max-cache-ttl 120 verbose debug-level advanced log-file C:\Users\avemilia\AppData\Roaming\gnupg\gpg-agent.log scdaemon.conf: #reader-port Yubico Yubikey 4 OTP+U2F+CCID 0 card-timeout 5 verbose debug-level advanced log-file C:\Users\avemilia\AppData\Roaming\gnupg\scdaemon.log Notice that reader-port is commented out, but it the error is the same when it is set as well. I have looked up this value from Device Manager according to some guide on the internet that recommended setting reader-port so that scdaemon doesn't choke on virtual smartcards generated by 365 Office, or something. Below are the logs of gpg-agent and scdaemon based on (only) 4 commands provided at the beginning of this email. agent: 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent' 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra' 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.browser' 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh' 2020-08-31 22:59:54 gpg-agent[7220] gpg-agent (GnuPG) 2.2.22 started 2020-08-31 22:59:54 gpg-agent[7220] putty message loop thread started 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 -> OK Pleased to meet you 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 <- RESET 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 -> OK 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 <- NOP 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 -> OK 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 <- [eof] 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 -> OK Pleased to meet you 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 <- RESET 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 -> OK 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 <- scd getinfo reader_list 2020-08-31 23:00:06 gpg-agent[7220] no running SCdaemon - starting it 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK GNU Privacy Guard's Smartcard server ready 2020-08-31 23:00:06 gpg-agent[7220] DBG: first connection to SCdaemon established 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> GETINFO socket_name 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK 2020-08-31 23:00:06 gpg-agent[7220] DBG: additional connections at 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon' 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> OPTION event-signal=0x000002a4 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> getinfo reader_list 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- ERR 100663354 No data 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 -> ERR 100663354 No data 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 <- [eof] 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> RESTART 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK Pleased to meet you 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- RESET 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- GETINFO scd_running 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- scd killscd 2020-08-31 23:00:09 gpg-agent[7220] new connection to SCdaemon established (reusing) 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc -> killscd 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc <- OK closing connection 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- [eof] 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc -> RESTART 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc <- [eof] 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 -> OK Pleased to meet you 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 <- RESET 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 -> OK 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 <- KILLAGENT 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 -> OK closing connection 2020-08-31 23:00:09 gpg-agent[7220] secmem usage: 0/32768 bytes in 0 blocks scd: 2020-08-31 23:00:06 scdaemon[12216] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon' 2020-08-31 23:00:06 scdaemon[12216] handler for fd -1 started 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK GNU Privacy Guard's Smartcard server ready 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- GETINFO socket_name 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- OPTION event-signal=0x000002a4 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- getinfo reader_list 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> ERR 100663354 No data 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- RESTART 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK 2020-08-31 23:00:09 scdaemon[12216] DBG: chan_0x00000100 <- killscd 2020-08-31 23:00:09 scdaemon[12216] DBG: chan_0x00000100 -> OK closing connection Thank you in advance for the reply (and replies on my previous thread, on which I replied with own solution). [0] [1] [2]