From jsmith9810 at gmx.com  Mon Mar  1 06:36:07 2021
From: jsmith9810 at gmx.com (jsmith9810 at gmx.com)
Date: Mon, 1 Mar 2021 06:36:07 +0100
Subject: New packet format for OpenPGP
In-Reply-To: <87k0qta4ig.fsf@wheatstone.g10code.de>
References: <trinity-e752c0dc-8dae-4870-b21e-4ab8b9964854-1614366846239@3c-app-mailcom-bs02>
 <87k0qta4ig.fsf@wheatstone.g10code.de>
Message-ID: <trinity-b64a002e-5dc0-4318-b9b9-873802eedfae-1614576967854@3c-app-mailcom-bs02>


Hello, thank you for your response.

> Sent: Saturday, February 27, 2021 at 10:56 AM
> From: "Werner Koch" <wk at gnupg.org>
> To: "jsmith9810--- via Gnupg-users" <gnupg-users at gnupg.org>
> Cc: jsmith9810 at gmx.com
> Subject: Re: New packet format for OpenPGP
>
> On Fri, 26 Feb 2021 20:14, jsmith9810--- said:
>
> > I noticed that GnuPG (I'm using v2.2.19) still uses the old format
> > OpenPGP packets, when I export my keys, for example.
>
> That is perfectly fine - no need to chnage this.

I found my answer soon after posting this question by looking through g10/build_packet.c,
where it's hardcoded not to use new_ctb unless dealing with packets that absolutely need it.
I'm still curious as to why though, since RFC4880 strongly recommends use of the new format
packets. If not the default behavior, at least the --rfc4880 option should enforce it.
Although I agree that it doesn't affect the functionality, so it hardly matters.
>
> > Also, is it possible to use a private keyring (secring.gpg) for
> > decryption without importing it?
>
> No.  Since 2.1 there is no more secring.gpg; instead gnupg uses one file
> per private key.  You find these files under ~/.gnupg/private-keys-v1.d
> and their format is stable.  To get the name of the file run
>
>   gpg -k --with-keygrip USERIDORFINGERPRINT
>
> and use the printed keygrip.  Use --with-colons for scripts and see
> doc/DETAILS to see how the keygrip is printed.

It's sad that this functionality is no longer available. I understand that GnuPG has been
redesigned to use a different internal format to store the private keys now, but it would
have been so much better if it retained the support for external secring.gpg, just like it
currently supports reading recepient keys from an external file using -F option for one-off
use.

As an occassional GnuPG user, I have to say that I much preferred the simplicity of the
old GnuPG software that allowed for a cleaner, portable and standalone installation, with
no hard dependency on gnupg-agent. Just built 1.4.23 and liking it, now I have to figure
out how to keep it alongside gpg2 which is disguised as gpg now.
>
> Salam-Shalom,
>
>    Werner
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>


From josef.grieb at gmail.com  Mon Mar  1 10:25:13 2021
From: josef.grieb at gmail.com (Josef)
Date: Mon, 1 Mar 2021 10:25:13 +0100
Subject: libgpg-error build error
Message-ID: <CAAss7+qqoayum5PkQ08K7zTegD9WPnenpCoEm9ObxN7rAAA3gQ@mail.gmail.com>

I was trying to build following the instructions on the readme
file(autogen,configure..) and the make command was failing with the
following error:

gpgrt.texi:4: @include: could not find version.texi
gpgrt.texi:11: warning: undefined flag: VERSION
gpgrt.texi:12: warning: undefined flag: UPDATED
gpgrt.texi:57: warning: undefined flag: VERSION
gpgrt.texi:58: warning: undefined flag: UPDATED
make[2]: *** [Makefile:603: gpgrt.info] Error 1
make[2]: Leaving directory '/home/jo/remove/libgpg-error/doc'
make[1]: *** [Makefile:514: all-recursive] Error 1
make[1]: Leaving directory '/home/jo/remove/libgpg-error'
make: *** [Makefile:446: all] Error 2

I don't know if I was doing something wrong

--
Josef


From kloecker at kde.org  Mon Mar  1 19:31:04 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Mon, 01 Mar 2021 19:31:04 +0100
Subject: libgpg-error build error
In-Reply-To: <CAAss7+qqoayum5PkQ08K7zTegD9WPnenpCoEm9ObxN7rAAA3gQ@mail.gmail.com>
References: <CAAss7+qqoayum5PkQ08K7zTegD9WPnenpCoEm9ObxN7rAAA3gQ@mail.gmail.com>
Message-ID: <12522380.laTKaa7EeH@breq>

On Montag, 1. M?rz 2021 10:25:13 CET Josef via Gnupg-users wrote:
> I was trying to build following the instructions on the readme
> file(autogen,configure..) and the make command was failing with the
> following error:
> 
> gpgrt.texi:4: @include: could not find version.texi
> gpgrt.texi:11: warning: undefined flag: VERSION
> gpgrt.texi:12: warning: undefined flag: UPDATED
> gpgrt.texi:57: warning: undefined flag: VERSION
> gpgrt.texi:58: warning: undefined flag: UPDATED
> make[2]: *** [Makefile:603: gpgrt.info] Error 1
> make[2]: Leaving directory '/home/jo/remove/libgpg-error/doc'
> make[1]: *** [Makefile:514: all-recursive] Error 1
> make[1]: Leaving directory '/home/jo/remove/libgpg-error'
> make: *** [Makefile:446: all] Error 2
> 
> I don't know if I was doing something wrong

Please tell us exactly which commands you used and what the output of the 
commands was, so that we can figure out what went wrong.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210301/74561b14/attachment.sig>

From angel at pgp.16bits.net  Tue Mar  2 00:04:00 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Tue, 02 Mar 2021 00:04:00 +0100
Subject: gpg: error retrieving 'erich@eckner.net' via WKD: Connection
 closed in DNS
In-Reply-To: <1293ef9-a1a4-ae34-8de5-9c887f852b6@eckner.net>
References: <90e2f419-6df7-8592-9728-a8676bfcd4b7@eckner.net>
 <874kjbbx3r.fsf@wheatstone.g10code.de>
 <615d7260-d5fe-71f0-2510-5cb67b51b7@eckner.net>
 <87bldjaepg.fsf@wheatstone.g10code.de>
 <53a2e650-118a-c84a-bc7-2f615660c6e4@eckner.net>
 <875z3p6xtg.fsf@wheatstone.g10code.de>
 <5da07512-2584-3edb-25ef-b39cdb9f4ba@eckner.net>
 <87h7n93wum.fsf@wheatstone.g10code.de>
 <f746b59e-a350-dc93-347c-e22f72c7519@eckner.net>
 <7889404e-b5b2-3d74-6b3e-efb86ffa5a97@eckner.net>
 <87k0qxeq2t.fsf@wheatstone.g10code.de>
 <1293ef9-a1a4-ae34-8de5-9c887f852b6@eckner.net>
Message-ID: <f02e305bae25eede6a04980c630c5c569649f681.camel@16bits.net>

On 2021-02-24 at 12:40 +0100, Erich Eckner wrote:
> Hi,
> 
> thanks, again, just a minor typo:
> 
> >  --use-tor
> >  --no-use-tor
> > 
> >    The option --use-tor switches Dirmngr and thus GnuPG into ``Tor
> >    mode'' to route all net? work access via Tor (an anonymity network).
> >    Certain other features are disabled in this mode.  The effect of
> >    --use-tor cannot be overridden by any other command or even by
> >    reloading dirmngr.  The use of --no-use-tor disables the use of Tor.
> >    The default is to use Tor if it is available on startup or after
> >    reloading dirmngr.  The test on the avail? able of Tor is done by
> >    trying to connects to a SOCKS proxy at either port 9050 or 9150); if
> 
> -    reloading dirmngr.  The test on the avail? able of Tor is done by
> -    trying to connects to a SOCKS proxy at either port 9050 or 9150); if
> +    reloading dirmngr.  The test on the avail? ability of Tor is done by
> +    trying to connect to a SOCKS proxy at either port 9050 or 9150); if
> 
> >    another type of proxy is listening on one of these ports, you should
> >    use --no-use-tor.
> > 

Note the last ) should be removed?




From romain.lebrun-thauront at protonmail.com  Tue Mar  2 11:35:52 2021
From: romain.lebrun-thauront at protonmail.com (Romain Lebrun Thauront)
Date: Tue, 02 Mar 2021 10:35:52 +0000
Subject: GTK pinentry with gpg-agent as ssh-agent
Message-ID: <LX5iNuAVgO1tHFkqn5H_eAFkSqzrG8g0G6woaka-xgIz7bb8SM5Pce4_Y_kIhPAebc0oXyq10VTUNhPDdCtVkZ0Pr5GdtaCfQG1daWmYl1k=@protonmail.com>

Hi folks,

I start using my gpg key as my ssh key and I configure gpg-agent to manage my ssh keys as mention in [the arch wiki article](https://wiki.archlinux.org/index.php/GnuPG#SSH_agent).
The problem is, it work well but my gpg-agent is now "link" to the last terminal I opened, and I do not have the GTK's Pinentry prompt.
It's very annoying as I use a lot of terminal, and some graphic software like thunderbird will not trigger the GTK prompt to unlock my GPG key anymore. (Therefore hanging indefinitely in the hope to receive access to my GPG private key, which they never acceed as I do not have any prompt to unlock it)
I actually trigger a dummy unlocking of my GPG key on the last terminal I have open every time I know an application is going to need access to the key. (which is really annoying)

So, is there a way to have BOTH gpg-agent managing ssh, and GTK pinentry prompts for unlocking keys ?
If not, is there a way to export/convert a gpg private key into an ssh private key, so I can go back to classic ssh-agent. (And I will convert my GPG A private subkey to a SSH private key each time I rotate my subkeys) (this is not a big deal if I can automate it...)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210302/9f8c6e31/attachment-0001.html>

From chrisbcoutinho at gmail.com  Tue Mar  2 13:33:38 2021
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Tue, 02 Mar 2021 13:33:38 +0100
Subject: GTK pinentry with gpg-agent as ssh-agent
In-Reply-To: <LX5iNuAVgO1tHFkqn5H_eAFkSqzrG8g0G6woaka-xgIz7bb8SM5Pce4_Y_kIhPAebc0oXyq10VTUNhPDdCtVkZ0Pr5GdtaCfQG1daWmYl1k=@protonmail.com>
References: <LX5iNuAVgO1tHFkqn5H_eAFkSqzrG8g0G6woaka-xgIz7bb8SM5Pce4_Y_kIhPAebc0oXyq10VTUNhPDdCtVkZ0Pr5GdtaCfQG1daWmYl1k=@protonmail.com>
Message-ID: <1cceb47124411bd4bcf9394bcfd873f0d5c5986f.camel@gmail.com>



On Tue, 2021-03-02 at 10:35 +0000, Romain Lebrun Thauront via Gnupg-users wrote:
> Hi folks,
> 
> I start using my gpg key as my ssh key and I configure gpg-agent to manage my
> ssh keys as mention in the arch wiki
> article.
> The problem is, it work well but my gpg-agent is now "link" to the last
> terminal I opened, and I do not have the GTK's
> Pinentry prompt.
> It's very annoying as I use a lot of terminal, and some graphic software like
> thunderbird will not trigger the GTK
> prompt to unlock my GPG key anymore. (Therefore hanging indefinitely in the
> hope to receive access to my GPG private
> key, which they never acceed as I do not have any prompt to unlock it)
> I actually trigger a dummy unlocking of my GPG key on the last terminal I have
> open every time I know an application is
> going to need access to the key. (which is really annoying)
> 
> So, is there a way to have BOTH gpg-agent managing ssh, and GTK pinentry
> prompts for unlocking keys ?
> If not, is there a way to export/convert a gpg private key into an ssh private
> key, so I can go back to classic ssh-
> agent. (And I will convert my GPG A private subkey to a SSH private key each
> time I rotate my subkeys) (this is not a
> big deal if I can automate it...)
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Sounds like you?don't have GPG_TTY setup correctly. Did you pass over this part
of the documentation? Adding this to your .bashrc (or equivalent) should allow
whichever terminal you're using to access the gpg-agent

https://wiki.archlinux.org/index.php/GnuPG#Configure_pinentry_to_use_the_correct_TTY



From angel at pgp.16bits.net  Tue Mar  2 23:20:14 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Tue, 02 Mar 2021 23:20:14 +0100
Subject: gpg: [don't know]: invalid packet (ctb=00)
In-Reply-To: <CAPb1sStTit8U4J0ZuN7tShZ4omwdsODWftTgRGUuBmeLXQi3MA@mail.gmail.com>
References: <CAPb1sStTit8U4J0ZuN7tShZ4omwdsODWftTgRGUuBmeLXQi3MA@mail.gmail.com>
Message-ID: <2c53b609dcc9377a0dd1c5dbaffc4473e6072389.camel@16bits.net>

On 2021-02-11 at 18:24 +0100, Charles Moulliard via Gnupg-users wrote:
> Hi
> 
> We experience a very weird problem when the following command
> is executed on macos using gpg 2.2.27 (installed by homebrew tool).
> 
> (...)
> 
> Do you know what is the problem ("gpg: [don't know]: invalid packet
> (ctb=00)")and how to fix it ?
> 
> Cheers
> 
> Charles Moulliard

That secring.gpg file is corrupt.

It's trying to automatically migrate /Users/cmoullia/.jenkins/
workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg to the new secret
keyring format, but in doing so it is finding a NUL byte (at the
beginning of the file, presumably), where it was expecting a secret
key.

Best regards





From wk at gnupg.org  Wed Mar  3 09:22:38 2021
From: wk at gnupg.org (Werner Koch)
Date: Wed, 03 Mar 2021 09:22:38 +0100
Subject: GTK pinentry with gpg-agent as ssh-agent
In-Reply-To: <LX5iNuAVgO1tHFkqn5H_eAFkSqzrG8g0G6woaka-xgIz7bb8SM5Pce4_Y_kIhPAebc0oXyq10VTUNhPDdCtVkZ0Pr5GdtaCfQG1daWmYl1k=@protonmail.com>
 (Romain Lebrun Thauront via Gnupg-users's message of "Tue, 02 Mar 2021
 10:35:52 +0000")
References: <LX5iNuAVgO1tHFkqn5H_eAFkSqzrG8g0G6woaka-xgIz7bb8SM5Pce4_Y_kIhPAebc0oXyq10VTUNhPDdCtVkZ0Pr5GdtaCfQG1daWmYl1k=@protonmail.com>
Message-ID: <87czwg7ik1.fsf@wheatstone.g10code.de>

On Tue,  2 Mar 2021 10:35, Romain Lebrun Thauront said:

> So, is there a way to have BOTH gpg-agent managing ssh, and GTK
> pinentry prompts for unlocking keys ?

I use this for more than a decade.  You have to use

  gpg-connect-agent updatestartuptty /bye

if you switch your xserver; that is if you login from another machine or
account int the xserver where gpg-agent has been started.  With gpg or
gpgsm this is not required because they can tell gpg-agent about their
own environment.  ssh is not able to do this.  I have posted patch to
the openssh portable list to enhance ssh-agent but they have not yet
been merged.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210303/7cbf65ae/attachment.sig>

From wk at gnupg.org  Wed Mar  3 09:26:57 2021
From: wk at gnupg.org (Werner Koch)
Date: Wed, 03 Mar 2021 09:26:57 +0100
Subject: New packet format for OpenPGP
In-Reply-To: <trinity-b64a002e-5dc0-4318-b9b9-873802eedfae-1614576967854@3c-app-mailcom-bs02>
 (jsmith's message of "Mon, 1 Mar 2021 06:36:07 +0100")
References: <trinity-e752c0dc-8dae-4870-b21e-4ab8b9964854-1614366846239@3c-app-mailcom-bs02>
 <87k0qta4ig.fsf@wheatstone.g10code.de>
 <trinity-b64a002e-5dc0-4318-b9b9-873802eedfae-1614576967854@3c-app-mailcom-bs02>
Message-ID: <878s747icu.fsf@wheatstone.g10code.de>

On Mon,  1 Mar 2021 06:36, jsmith9810--- said:

> I'm still curious as to why though, since RFC4880 strongly recommends
> use of the new format
> packets. If not the default behavior, at least the --rfc4880 option

It SHOULD do this but I see no reason for this.  For the sake of
interoperability we better keep with the old format.  There is no
technical or security drawback with this and implementations need some
support anyway to compute fingerprints.  The code required to handle
both is trivial.

> currently supports reading recepient keys from an external file using
> -F option for one-off
> use.

Support an option name and open a feature request at dev.gnupg.org.

> old GnuPG software that allowed for a cleaner, portable and standalone
> installation, with

Reminds be somehow of the sendmail vs. postfix discussions 25 years ago ;-)

> out how to keep it alongside gpg2 which is disguised as gpg now.

You should not name it gpg2 - this has only been done to allow
co-existing back then when gpg2 used to be part of most Debian's base
systems.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210303/05bbf44f/attachment.sig>

From cmoullia at redhat.com  Wed Mar  3 09:17:09 2021
From: cmoullia at redhat.com (Charles Moulliard)
Date: Wed, 3 Mar 2021 09:17:09 +0100
Subject: gpg: [don't know]: invalid packet (ctb=00)
In-Reply-To: <2c53b609dcc9377a0dd1c5dbaffc4473e6072389.camel@16bits.net>
References: <CAPb1sStTit8U4J0ZuN7tShZ4omwdsODWftTgRGUuBmeLXQi3MA@mail.gmail.com>
 <2c53b609dcc9377a0dd1c5dbaffc4473e6072389.camel@16bits.net>
Message-ID: <CAPb1sSuUrbs8E2fVnuPXUHSJGy1o8MCBQtzOWRC04=-N+wr9wA@mail.gmail.com>

As the file was present on the filesystem, I suspect another error then.
Anyway, GPG should report a more user friendly message explaining what we
should investigate to fix it.

On Tue, Mar 2, 2021 at 11:20 PM ?ngel <angel at pgp.16bits.net> wrote:

> On 2021-02-11 at 18:24 +0100, Charles Moulliard via Gnupg-users wrote:
> > Hi
> >
> > We experience a very weird problem when the following command
> > is executed on macos using gpg 2.2.27 (installed by homebrew tool).
> >
> > (...)
> >
> > Do you know what is the problem ("gpg: [don't know]: invalid packet
> > (ctb=00)")and how to fix it ?
> >
> > Cheers
> >
> > Charles Moulliard
>
> That secring.gpg file is corrupt.
>
> It's trying to automatically migrate /Users/cmoullia/.jenkins/
> workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg to the new secret
> keyring format, but in doing so it is finding a NUL byte (at the
> beginning of the file, presumably), where it was expecting a secret
> key.
>
> Best regards
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210303/f9291c0b/attachment.html>

From angel at pgp.16bits.net  Wed Mar  3 23:08:25 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Wed, 03 Mar 2021 23:08:25 +0100
Subject: gpg: [don't know]: invalid packet (ctb=00)
In-Reply-To: <CAPb1sSuUrbs8E2fVnuPXUHSJGy1o8MCBQtzOWRC04=-N+wr9wA@mail.gmail.com>
References: <CAPb1sStTit8U4J0ZuN7tShZ4omwdsODWftTgRGUuBmeLXQi3MA@mail.gmail.com>
 <2c53b609dcc9377a0dd1c5dbaffc4473e6072389.camel@16bits.net>
 <CAPb1sSuUrbs8E2fVnuPXUHSJGy1o8MCBQtzOWRC04=-N+wr9wA@mail.gmail.com>
Message-ID: <aee998b14606ad077b61be796b3cabc28f9a34a4.camel@16bits.net>

On 2021-03-03 at 09:17 +0100, Charles Moulliard via Gnupg-users wrote:
> As the file was present on the filesystem, I suspect another error
> then. Anyway, GPG should report a more user friendly message
> explaining what we should investigate to fix it.

Of course the file is there. The problem is with its contents.
Run
  gpg --list-packets secring.gpg

that should begin with
# off=0 ctb=95 tag=5 hlen=3 plen=...
:secret key packet:
...

but it will probably show you
 gpg: [don't know]: invalid packet (ctb=00)

either due to nul bytes at the beginning, or after some valid pgp
packets.


Cheers




From klaus+gnupg at ethgen.ch  Fri Mar  5 10:16:41 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Fri, 5 Mar 2021 10:16:41 +0100
Subject: gpg-agent and X
Message-ID: <YEH2+T/146OVr7w3@ikki.ethgen.ch>

Hi,

I have a my setup depending strongly on gpg-agent. For this, I preseed
some passphrases via pam_gnupg.

While this setup work well on my Devuan machine, I have some troubles on
the Gentoo one, that I don't get solved.

When the agent is started when I login via xdm (wdm), the agent does
never use X for displaying the pinentry. Even when `updatestartuptty` is
issued afterwards. As I use gpg-card even not everytime from the
console, I need that to display a X pinentry (currently the qt one, gtk
was preferred with gtk2 but the gtk3 one is horrible.)

I mitigated that now to kill the agent in xinit so the pam module is
only in charge when unlocking the screen. However, I want to get it work
even with login session.

Anyone an idea, why it is not working correctly and why the agent is
refusing to accept the DISPLAY setting when started via pam?

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/53922a8b/attachment-0001.sig>

From wk at gnupg.org  Fri Mar  5 15:59:21 2021
From: wk at gnupg.org (Werner Koch)
Date: Fri, 05 Mar 2021 15:59:21 +0100
Subject: gpg-agent and X
In-Reply-To: <YEH2+T/146OVr7w3@ikki.ethgen.ch> (Klaus Ethgen's message of
 "Fri, 5 Mar 2021 10:16:41 +0100")
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
Message-ID: <877dml63zq.fsf@wheatstone.g10code.de>

On Fri,  5 Mar 2021 10:16, Klaus Ethgen said:

> While this setup work well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.

I am also using Devuan without problems.  Did you used

  touch /var/lib/elogind/USERNAME

to avoid elogin stealing the socket directory?

> Anyone an idea, why it is not working correctly and why the agent is
> refusing to accept the DISPLAY setting when started via pam?

I have no idea.  I don't know whether this is of any help, but you can

  gpg-connect-agent 'getinfo std_session_env' /bye

to show the environment of a new session.  If you run that in the
context of PAM it might give a hint.  Or use debug-pinetry in
gpg-agent.conf which should also show the envars.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/e6070156/attachment.sig>

From klaus+gnupg at ethgen.ch  Fri Mar  5 16:14:56 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Fri, 5 Mar 2021 16:14:56 +0100
Subject: gpg-agent and X
In-Reply-To: <877dml63zq.fsf@wheatstone.g10code.de>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
 <877dml63zq.fsf@wheatstone.g10code.de>
Message-ID: <YEJK8ENNAFeOpnY8@ikki.ethgen.ch>

Hi Werner,

Am Fr den  5. M?r 2021 um 15:59 schrieb Werner Koch:
> On Fri,  5 Mar 2021 10:16, Klaus Ethgen said:
> 
> > While this setup work well on my Devuan machine, I have some troubles on
> > the Gentoo one, that I don't get solved.
> 
> I am also using Devuan without problems.  Did you used

Devuan isn't the problem, it is Gentoo...

>   touch /var/lib/elogind/USERNAME
> 
> to avoid elogin stealing the socket directory?

I do not use elogind or any other logind. I do not like that concept and
limit the amount of bloated p?tterware on my system(s) to the absolute
minimum.

However, if it helps, there is a bug in gentoo ([0]) that is preventing
the session registering. But I have the mentioned workaround in place.

Gru?
   Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=716596
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/25e810f4/attachment.sig>

From mwood at iupui.edu  Fri Mar  5 17:05:41 2021
From: mwood at iupui.edu (Mark H. Wood)
Date: Fri, 5 Mar 2021 11:05:41 -0500
Subject: gpg-agent and X
In-Reply-To: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
Message-ID: <YEJW1Rp+gZKwfjHs@IUPUI.Edu>

On Fri, Mar 05, 2021 at 10:16:41AM +0100, Klaus Ethgen wrote:
> I have a my setup depending strongly on gpg-agent. For this, I preseed
> some passphrases via pam_gnupg.
> 
> While this setup work well on my Devuan machine, I have some troubles on
> the Gentoo one, that I don't get solved.
> 
> When the agent is started when I login via xdm (wdm), the agent does
> never use X for displaying the pinentry. Even when `updatestartuptty` is
> issued afterwards. As I use gpg-card even not everytime from the
> console, I need that to display a X pinentry (currently the qt one, gtk
> was preferred with gtk2 but the gtk3 one is horrible.)

The only thing I can think of to check is:  have you selected
pinentry-qt5 using 'eselect'?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/10838998/attachment.sig>

From klaus+gnupg at ethgen.ch  Fri Mar  5 20:17:17 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Fri, 5 Mar 2021 20:17:17 +0100
Subject: gpg-agent and X
In-Reply-To: <YEJW1Rp+gZKwfjHs@IUPUI.Edu>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
 <YEJW1Rp+gZKwfjHs@IUPUI.Edu>
Message-ID: <YEKDvTBoIBz1TB9V@ikki.ethgen.ch>

Hi,

Am Fr den  5. M?r 2021 um 17:05 schrieb Mark H. Wood via Gnupg-users:
> The only thing I can think of to check is:  have you selected
> pinentry-qt5 using 'eselect'?

Sure. That is all fine.
   ~> eselect pinentry list         
   Available pinentry binary implementations:
     [1]   pinentry-gnome3
     [2]   pinentry-qt5 *
     [3]   pinentry-curses

From Werner Koch, I enabled pinentry-debug, here are the results:
   2021-03-05 20:03:24 gpg-agent[27031] gpg-agent (GnuPG) 2.2.25 started
   2021-03-05 20:03:48 gpg-agent[27031] SIGHUP received - re-reading configuration and flushing cache
   2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
   2021-03-05 20:03:53 gpg-agent[27031] failed to unprotect the secret key: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] failed to read the secret key
   2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] no device present
   2021-03-05 20:03:53 gpg-agent[27031] can't connect to the PIN entry module '/usr/bin/pinentry': End of file
   2021-03-05 20:03:53 gpg-agent[27031] smartcard decryption failed: No pinentry
   2021-03-05 20:03:53 gpg-agent[27031] command 'PKDECRYPT' failed: No pinentry

The strange thing is, that /usr/bin/pinentry is absolutely correct:
   ~> ls -l /usr/bin/pinentry
   lrwxrwxrwx 1 root root 12 29. Jan 20:37 /usr/bin/pinentry -> pinentry-qt5
   ~> ls -lL /usr/bin/pinentry
   -rwxr-xr-x 1 root root 129504 26. Jan 18:25 /usr/bin/pinentry

The Environment looks good:
   ~> gpg-connect-agent 'getinfo std_session_env' /bye
   D GPG_TTY=/dev/pts/2
   D TERM=xterm-256color
   D DISPLAY=localhost:10.0
   OK

And when logged from .xsession:
   D DISPLAY=:0
   OK

use flags:
   ~> equery u pinentry
   [ Legend : U - final flag setting for installation]
   [        : I - package is installed with flag     ]
   [ Colors : set, unset                             ]
    * Found these USE flags for app-crypt/pinentry-1.1.0-r4:
    U I
    + + caps          : Use Linux capabilities library to control privilege
    - - emacs         : Add support for GNU Emacs
    - - gnome-keyring : Enable support for storing passwords via gnome-keyring
    + + gtk           : Add support for x11-libs/gtk+ (The GIMP Toolkit)
    + + ncurses       : Add ncurses support (console display library)
    + + qt5           : Add support for the Qt 5 application and UI framework

   ~> equery u app-crypt/gnupg
   [ Legend : U - final flag setting for installation]
   [        : I - package is installed with flag     ]
   [ Colors : set, unset                             ]
    * Found these USE flags for app-crypt/gnupg-2.2.25:
    U I
    + + bzip2             : Use the bzlib compression library
    - - doc               : Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead
			    of globally
    - - ldap              : Add LDAP support (Lightweight Directory Access Protocol)
    + + nls               : Add Native Language Support (using gettext - GNU locale utilities)
    + + readline          : Enable support for libreadline, a GNU line-editing library that almost everyone wants
    - - scd-shared-access : Allow concurrent access to scdaemon by multiple apps from same user. Useful if you want to
			    use scdaemon with gnupg and for example NitroKey. 
    + + smartcard         : Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try
			    app-crypt/gnupg-pkcs11-scd. Bring in dev-libs/libusb as a dependency; enable scdaemon. 
    + + ssl               : Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
    + + tofu              : Enable support for Trust on First use trust model; requires dev-db/sqlite. 
    + + tools             : Install extra tools (including gpgsplit and gpg-zip). 
    + + usb               : Build direct CCID access for scdaemon; requires dev-libs/libusb. 
    - - user-socket       : try a socket directory which is not removed by init manager at session end 

So, the conclusion is:
- Environment seems to be fine
- pinentry is correct (and working as it work when I kill and restart
  the gpg-agent in xsession)
- The error logged is strange for me, I have no idea what went wrong

Gru?
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/5a6140fb/attachment.sig>

From klaus+gnupg at ethgen.ch  Fri Mar  5 20:43:33 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Fri, 5 Mar 2021 20:43:33 +0100
Subject: gpg-agent and X
In-Reply-To: <YEJW1Rp+gZKwfjHs@IUPUI.Edu>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
 <YEJW1Rp+gZKwfjHs@IUPUI.Edu>
Message-ID: <YEKJ5Q4AnchqxwR7@ikki.ethgen.ch>

Some further debuging of the capabilities:

pinentry(-qt) has no file capabilities, the process of gpg-agent has the
following:
   ~> getpcaps 27031
   27031: cap_dac_override,cap_net_admin,cap_net_raw,cap_sys_rawio,cap_sys_admin=i

And in strace I find the following:
   28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
   28441 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
   28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_IPC_LOCK, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)
   28443 20:23:54 capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_IPC_LOCK, inheritable=0}) = -1 EPERM (Die Operation ist nicht erlaubt)

I get the same errors when I set the capabilities to cap_ipc_lock=ep.

So it seems to be something with capabilities.. And looking at the
binary of devuan, it is not linked against libcap!

I will recompile pinentry without caps use flag. But I am curious why it
has troubles with libcap.

Gru?
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/14ad9679/attachment.sig>

From klaus+gnupg at ethgen.ch  Fri Mar  5 20:52:38 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Fri, 5 Mar 2021 20:52:38 +0100
Subject: gpg-agent and X
In-Reply-To: <YEKJ5Q4AnchqxwR7@ikki.ethgen.ch>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch> <YEJW1Rp+gZKwfjHs@IUPUI.Edu>
 <YEKJ5Q4AnchqxwR7@ikki.ethgen.ch>
Message-ID: <YEKMBm87/sjIbwvl@ikki.ethgen.ch>

That was a dead end.

Even without libcap linkage, the pinentry does not work.

Also the process capabilities of a manual started gpg-agent are the
same.

Gru?
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210305/938c2a9b/attachment-0001.sig>

From christian.ribeaud at karakun.com  Sat Mar  6 08:44:20 2021
From: christian.ribeaud at karakun.com (Christian Ribeaud)
Date: Sat, 6 Mar 2021 07:44:20 +0000
Subject: gpg: error searching keyserver: Network is unreachable
Message-ID: <A1219297-C2DA-408D-959C-0DFD88DEB30A@contoso.com>

Good morning,

Desperately searching for hours now?
I am NOT able to run following command:

gpg --keyserver hkp://keyserver.dcc.sib.swiss:80 --keyserver-options no-self-sigs-only,no-import-clean --search-keys <any-key>

Always getting following output:

gpg: error searching keyserver: No keyserver available
gpg: keyserver search failed: No keyserver available

Changing keyserver does not help. I've tried ipv4.pool.sks-keyservers.net as well.
Because the command takes some time to return, I would assume that it is still trying to do something.

What could be the reason? How to fix it?
I am using v2.2.27, installed via Homebrew (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/gnupg.rb) on Mac OS X Big Sur.
Any help greatly appreciated here. Thanks a lot, and have a beautiful day,

christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210306/8efb6182/attachment.html>

From klaus+gnupg at ethgen.ch  Sat Mar  6 16:32:09 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Sat, 6 Mar 2021 16:32:09 +0100
Subject: gpg-agent and X
In-Reply-To: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch>
Message-ID: <YEOgeREO+cXgNuNY@ikki.ethgen.ch>

I created a bug ([0]) for gentoo.

Gru?
   Klaus

[0] https://bugs.gentoo.org/show_bug.cgi?id=774468
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210306/a43d198f/attachment.sig>

From christian.ribeaud at karakun.com  Sat Mar  6 20:56:44 2021
From: christian.ribeaud at karakun.com (Christian Ribeaud)
Date: Sat, 6 Mar 2021 19:56:44 +0000
Subject: error searching keyserver: Network is unreachable
Message-ID: <6AB1BF01-F2EC-41A9-9152-76899F0AE924@karakun.com>

Stefan,

Thanks for your answer.

Up to you, which one should I take for testing? There is a lot of red here?
And, actually, we deployed our own (hkp://keyserver.dcc.sib.swiss:80) keyserver, which I am trying to access. But can't for some reason I do not understand.
This instance is working properly. This is for sure. The problem is only on my side and my gpg installation.
Best,

christian

From: Stefan Claas <stefan.claas at posteo.de>
Date: Saturday, 6 March 2021 at 15:18
To: Christian Ribeaud <christian.ribeaud at karakun.com>, "gnupg-users at gnupg.org" <gnupg-users at gnupg.org>
Subject: Re: gpg: error searching keyserver: Network is unreachable


Christian Ribeaud wrote:

> Good morning, > > > > Desperately searching for hours now? > > I am NOT able to run following command: > > > > gpg --keyserver hkp://keyserver.dcc.sib.swiss:80 --keyserver-options > no-self-sigs-only,no-import-clean --search-keys <any-key> > > > > Always getting following output: > > > > gpg: error searching keyserver: No keyserver available > > gpg: keyserver search failed: No keyserver available > > > > Changing keyserver does not help. I've tried > /ipv4.pool.sks-keyservers.net/ as well. > > Because the command takes some time to return, I would assume that it > is still trying to do something. > > > > What could be the reason? How to fix it? > > I am using v2.2.27, installed via Homebrew > (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/gnupg.rb) > on Mac OS X Big Sur. > > Any help greatly appreciated here. Thanks a lot, and have a beautiful > day, >
Hello,


you may check out the current status of the SKS Network and try to select

a different server.


https://sks-keyservers.net/status/


Regards

Stefan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210306/7df0a294/attachment-0001.html>

From jarramundi at protonmail.com  Sun Mar  7 01:17:28 2021
From: jarramundi at protonmail.com (Mundi)
Date: Sun, 07 Mar 2021 00:17:28 +0000
Subject: New to GnuPG, having some difficulty
Message-ID: <HwsKkdRPCGbV6Kg64Ojp8XUrxiVtL5visrtsUCBUtWOu_Dp8Jtk6hKuF2Ihh29jhaXtbW-rzzCQVIwaKWCixNYsDyPfQBBOiDwUeTA1iYKw=@protonmail.com>

Hello gnupg-users!

I have recently been required to use GnuPG to encrypt messages, and have been endeavouring to create a master key however I think I have fumbled.
I created and deleted some keys while I was trying to work it out and now I cannot make heads or tails of my keyring.
Quite simply there are keys and subkeys and secret keys and they all seem to have the same ID. I haven't shared anything as yet, so I would like to start again and hopefully achieve some clarity in the process on my second attempt.

> Is there a safe way to delete everything and start over?

Also, I need to create and export a public key *and* an encryption subkey. I've been reading everything I can find online, but honestly I'm finding it to be quite difficult to discipher.

> If there are any clear cut human readable guides for GnuPG I would appreciate knowing where they are.

I am using Arch Linux, with fish shell and micro text editor.

Thanks in advance, and I apologise if I'm asking basic questions, it's not often I feel like a novice but this encryption business has me doing so.

Kind Regards.

Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210307/fb40ac49/attachment.html>

From rjh at sixdemonbag.org  Sun Mar  7 03:06:47 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 6 Mar 2021 21:06:47 -0500
Subject: New to GnuPG, having some difficulty
In-Reply-To: <HwsKkdRPCGbV6Kg64Ojp8XUrxiVtL5visrtsUCBUtWOu_Dp8Jtk6hKuF2Ihh29jhaXtbW-rzzCQVIwaKWCixNYsDyPfQBBOiDwUeTA1iYKw=@protonmail.com>
References: <HwsKkdRPCGbV6Kg64Ojp8XUrxiVtL5visrtsUCBUtWOu_Dp8Jtk6hKuF2Ihh29jhaXtbW-rzzCQVIwaKWCixNYsDyPfQBBOiDwUeTA1iYKw=@protonmail.com>
Message-ID: <382cb383-7b2f-3598-4527-073fa4f603af@sixdemonbag.org>

> Hello gnupg-users!

Hello and welcome!

First, please only send plain text (not HTML) to the list.  Some of the 
most knowledgeable people here refuse to open HTML mails from people 
they don't know.  :)

> I have recently been required to use GnuPG to encrypt messages, and have 
> been endeavouring to create a master key however I think I have fumbled.

The best way to begin is to just run "gpg --gen-key" and use the 
defaults.  Really, the defaults are good: we picked them for good 
reasons.  The vast majority of the webpages you find about "creating the 
perfect GnuPG key!" are at least 90% whaleshit.

> Is there a safe way to delete everything and start over?

gpgconf --kill gpg-agent
gpgconf --kill scdaemon
gpgconf --kill dirmngr
rm -rf $HOME/.gnupg

Then the next time you start GnuPG you'll be starting anew.

> Also, I need to create and export a public key *and* an encryption 
> subkey.

Again, I really recommend just running --gen-key unless you have a clear 
and compelling reason otherwise.

> Thanks in advance, and I apologise if I'm asking basic questions, it's 
> not often I feel like a novice but this encryption business has me doing 
> so.

We were all newbies once.  :)


From andrewg at andrewg.com  Sun Mar  7 11:11:21 2021
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 7 Mar 2021 10:11:21 +0000
Subject: error searching keyserver: Network is unreachable
In-Reply-To: <6AB1BF01-F2EC-41A9-9152-76899F0AE924@karakun.com>
References: <6AB1BF01-F2EC-41A9-9152-76899F0AE924@karakun.com>
Message-ID: <867d3ba2-a355-aadf-4b7a-cba22911a05c@andrewg.com>


Hi, Christian
 >
 > And, actually, we deployed our own (hkp://keyserver.dcc.sib.swiss:80) 
keyserver, which I am trying to access. But can't for some reason I do 
not understand.

I can connect to that server from here, but it appear to contain only 85 
keys. Did you import a dump, or is it meant to be internal-only?

> Desperately searching for hours now? I am NOT able to run following
> command:
 >
> gpg --keyserver hkp://keyserver.dcc.sib.swiss:80 --keyserver-options no-self-sigs-only,no-import-clean --search-keys <any-key> 
 >
> Always getting following output: 
 >
> gpg: error searching keyserver: No keyserver available > gpg: keyserver search failed: No keyserver available

In the title of this thread however, you report "Network is 
unreachable". Are you getting both errors? "Network unreachable" is 
usually a network routing issue.

What happens if you run the following in your terminal?

     host keyserver.dcc.sib.swiss
     ping keyserver.dcc.sib.swiss
     host keys.openpgp.org
     ping keys.openpgp.org

> Changing keyserver does not help. I've tried 
> /ipv4.pool.sks-keyservers.net/ as well. Because the command takes
> some time to return, I would assume that it is still trying to do
> something. What could be the reason? How to fix it?
The pool algorithm doesn't include a test for server capacity, so it is 
common to get directed to a node running a single-threaded SKS instance, 
which can lead to long timeouts. Try testing against pgpkeys.uk, 
pgpkeys.eu and keyserver.trifence.ch instead. If it times out on all of 
those, then I would suspect a network issue, either a bad routing table 
or a firewall DROP rule.

> I am using v2.2.27, installed via Homebrew 
> (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/gnupg.rb) on
> Mac OS X Big Sur.
Did you ever install from gpgtools.org or only homebrew?

Andrew


From klaus+gnupg at ethgen.ch  Sun Mar  7 11:40:46 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Sun, 7 Mar 2021 11:40:46 +0100
Subject: gpg: error searching keyserver: Network is unreachable
In-Reply-To: <A1219297-C2DA-408D-959C-0DFD88DEB30A@contoso.com>
References: <A1219297-C2DA-408D-959C-0DFD88DEB30A@contoso.com>
Message-ID: <YEStrmSo8ANKmLbM@ikki.ethgen.ch>

Hi Christian,

Am Sa den  6. M?r 2021 um  8:44 schrieb Christian Ribeaud:
> Desperately searching for hours now???
> I am NOT able to run following command:
> 
> gpg --keyserver hkp://keyserver.dcc.sib.swiss:80 --keyserver-options no-self-sigs-only,no-import-clean --search-keys <any-key>
> 
> Always getting following output:
> 
> gpg: error searching keyserver: No keyserver available
> gpg: keyserver search failed: No keyserver available

Remember, dirmng is using tor by default if it is installed and running!

You have to put no-use-tor to your .gnupg/dirmngr.conf to prevent this.

This did cost me hours to find out, when the feature was implemented.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210307/1b8ac005/attachment.sig>

From christian.ribeaud at karakun.com  Sun Mar  7 13:52:59 2021
From: christian.ribeaud at karakun.com (Christian Ribeaud)
Date: Sun, 7 Mar 2021 12:52:59 +0000
Subject: error searching keyserver: Network is unreachable
In-Reply-To: <867d3ba2-a355-aadf-4b7a-cba22911a05c@andrewg.com>
References: <6AB1BF01-F2EC-41A9-9152-76899F0AE924@karakun.com>
 <867d3ba2-a355-aadf-4b7a-cba22911a05c@andrewg.com>
Message-ID: <4CD89428-AD66-41D3-AB47-7C0A3DE37BDC@karakun.com>

Hi,

Thanks to all for the great support and the warm feedbacks, I learned a lot.

Finally, after a long search and research, I was able to solve the problem by putting 'standard-resolver' in a '~/.gnupg/dirmngr.conf' file.
I could not explain to you why though... __

Wishing you a great Sunday.
Best regards,

christian 

?On 07.03.21, 11:12, "Andrew Gallagher via Gnupg-users" <gnupg-users at gnupg.org> wrote:


    Hi, Christian
     >
     > And, actually, we deployed our own (hkp://keyserver.dcc.sib.swiss:80) 
    keyserver, which I am trying to access. But can't for some reason I do 
    not understand.

    I can connect to that server from here, but it appear to contain only 85 
    keys. Did you import a dump, or is it meant to be internal-only?

    > Desperately searching for hours now? I am NOT able to run following
    > command:
     >
    > gpg --keyserver hkp://keyserver.dcc.sib.swiss:80 --keyserver-options no-self-sigs-only,no-import-clean --search-keys <any-key> 
     >
    > Always getting following output: 
     >
    > gpg: error searching keyserver: No keyserver available > gpg: keyserver search failed: No keyserver available

    In the title of this thread however, you report "Network is 
    unreachable". Are you getting both errors? "Network unreachable" is 
    usually a network routing issue.

    What happens if you run the following in your terminal?

         host keyserver.dcc.sib.swiss
         ping keyserver.dcc.sib.swiss
         host keys.openpgp.org
         ping keys.openpgp.org

    > Changing keyserver does not help. I've tried 
    > /ipv4.pool.sks-keyservers.net/ as well. Because the command takes
    > some time to return, I would assume that it is still trying to do
    > something. What could be the reason? How to fix it?
    The pool algorithm doesn't include a test for server capacity, so it is 
    common to get directed to a node running a single-threaded SKS instance, 
    which can lead to long timeouts. Try testing against pgpkeys.uk, 
    pgpkeys.eu and keyserver.trifence.ch instead. If it times out on all of 
    those, then I would suspect a network issue, either a bad routing table 
    or a firewall DROP rule.

    > I am using v2.2.27, installed via Homebrew 
    > (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/gnupg.rb) on
    > Mac OS X Big Sur.
    Did you ever install from gpgtools.org or only homebrew?

    Andrew

    _______________________________________________
    Gnupg-users mailing list
    Gnupg-users at gnupg.org
    http://lists.gnupg.org/mailman/listinfo/gnupg-users


From kloecker at kde.org  Sun Mar  7 21:32:54 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Sun, 07 Mar 2021 21:32:54 +0100
Subject: New to GnuPG, having some difficulty
In-Reply-To: <382cb383-7b2f-3598-4527-073fa4f603af@sixdemonbag.org>
References: <HwsKkdRPCGbV6Kg64Ojp8XUrxiVtL5visrtsUCBUtWOu_Dp8Jtk6hKuF2Ihh29jhaXtbW-rzzCQVIwaKWCixNYsDyPfQBBOiDwUeTA1iYKw=@protonmail.com>
 <382cb383-7b2f-3598-4527-073fa4f603af@sixdemonbag.org>
Message-ID: <4856139.1OvEHaAt41@breq>

On Sonntag, 7. M?rz 2021 03:06:47 CET Robert J. Hansen via Gnupg-users wrote:
> > Is there a safe way to delete everything and start over?
> 
> gpgconf --kill gpg-agent
> gpgconf --kill scdaemon
> gpgconf --kill dirmngr

Or simply
gpgconf --kill all
(which will also take care of all future background services used by gpg, e.g. 
the upcoming keybox daemon)

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210307/55eb5d65/attachment.sig>

From angel at pgp.16bits.net  Sun Mar  7 23:04:22 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Sun, 07 Mar 2021 23:04:22 +0100
Subject: New to GnuPG, having some difficulty
In-Reply-To: <HwsKkdRPCGbV6Kg64Ojp8XUrxiVtL5visrtsUCBUtWOu_Dp8Jtk6hKuF2Ihh29jhaXtbW-rzzCQVIwaKWCixNYsDyPfQBBOiDwUeTA1iYKw=@protonmail.com>
References: <HwsKkdRPCGbV6Kg64Ojp8XUrxiVtL5visrtsUCBUtWOu_Dp8Jtk6hKuF2Ihh29jhaXtbW-rzzCQVIwaKWCixNYsDyPfQBBOiDwUeTA1iYKw=@protonmail.com>
Message-ID: <25d27ebddf67b50363cc7c66e4d820fa67be1222.camel@16bits.net>

On 2021-03-07 at 00:17 +0000, Mundis wrote:
> Hello gnupg-users!

Hello Mundis!



> I have recently been required to use GnuPG to encrypt messages, and
> have been endeavouring to create a master key however I think I have
> fumbled.
> I created and deleted some keys while I was trying to work it out and
> now I cannot make heads or tails of my keyring. 
> Quite simply there are keys and subkeys and secret keys and they all
> seem to have the same ID. I haven't shared anything as yet, so I
> would like to start again and hopefully achieve some clarity in the
> process on my second attempt. 
> 
> > Is there a safe way to delete everything and start over?

You can delete everything and start over by doing:

  gpgconf --kill all
  rm -rf $HOME/.gnupg

although, as you are asking for a 'safe' way, you may prefer to rename
the .gnupg folder to something else. Deleting this folder is not a
problem since you didn't use any key so far, but for anyone else it
would be a very bad idea, as it would remove all public and private
keys the user had created.


> Also, I need to create and export a public key *and* an encryption
> subkey. I've been reading everything I can find online, but honestly
> I'm finding it to be quite difficult to discipher.

You only need to create a public key that uses a separate encryption
subkey (which is the default nowadays). Exporting this key will export
both the master key and the encryption subkey.

So in your case it will be enough to do something like:
 gpg --export jarramundi at protonmail.com > mykey.pub


> > If there are any clear cut human readable guides for GnuPG I would
> appreciate knowing where they are.
> 
> I am using Arch Linux, with fish shell and micro text editor.

The GNU Privacy Handbook <https://gnupg.org/gph/en/manual.html> is a
bit old, but other than the new key algorithms, it should cover the
basics. Where are you having problems?

Also note, you will probably be exchanging GnuPG encrypted messages by
email. Although it's possible to manage them through the command line
(particularly when not using PGP/MIME, which would be harder), it will
help immensely if you use a mail client which supports this format.
Received mails are automatically decrypted (well, after prompting you
for your passphrase), and sending encrypted mails is just clicking a
button in the toolbar to enable it, and the client does the rest for
you, which (a) is easier and (b) avoids human errors such as not
encrypting to all recipients.

Caveat: it needs to be properly configured, for outgoing encryption on
your system (e.g. having the keys for the people you are going to write
to) and for the decryption to work by whoever is sending you mails
(I have seen too many mails where someone tried to send a PGP mail by
pasting an armored PGP block in a html mail instead of doing it the
right way).


> Thanks in advance, and I apologise if I'm asking basic questions,
> it's not often I feel like a novice but this encryption business has
> me doing so. 
> 
> Kind Regards.

Not a problem. Happy to help. 

Kind regards




From wk at gnupg.org  Mon Mar  8 09:34:19 2021
From: wk at gnupg.org (Werner Koch)
Date: Mon, 08 Mar 2021 09:34:19 +0100
Subject: gpg-agent and X
In-Reply-To: <YEKDvTBoIBz1TB9V@ikki.ethgen.ch> (Klaus Ethgen's message of
 "Fri, 5 Mar 2021 20:17:17 +0100")
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch> <YEJW1Rp+gZKwfjHs@IUPUI.Edu>
 <YEKDvTBoIBz1TB9V@ikki.ethgen.ch>
Message-ID: <87a6re3uyc.fsf@wheatstone.g10code.de>

Hi!

I am not sure whether you already di this: Use a script like

--8<---------------cut here---------------start------------->8---
#!/bin/sh

MYPINENTRY="/foo/bar/pinentry-gtk-2"

locale >/tmp/pinentry.err
set >>/tmp/pinentry.err
exec strace -o /tmp/pinentry.trc -e read=0 $MYPINENTRY  -d "$@" 2>>/tmp/pinentry.err
--8<---------------cut here---------------end--------------->8---

as pinetry replacement to get a better insight into the preblem. 


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/8558a80c/attachment.sig>

From klaus+gnupg at ethgen.ch  Mon Mar  8 19:06:16 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Mon, 8 Mar 2021 19:06:16 +0100
Subject: gpg-agent and X
In-Reply-To: <YEOgeREO+cXgNuNY@ikki.ethgen.ch>
References: <YEH2+T/146OVr7w3@ikki.ethgen.ch> <YEOgeREO+cXgNuNY@ikki.ethgen.ch>
Message-ID: <YEZnmL0KPKnp0GnW@ikki.ethgen.ch>

Am Sa den  6. M?r 2021 um 16:32 schrieb Klaus Ethgen:
> [0] https://bugs.gentoo.org/show_bug.cgi?id=774468

Sadly, Gentoo closed that bug as invalid as they do not have pam_gnupg
in their software stack and so they say, that it is a usecase that is
not supportet by them.

It is a bit short thought. Their pinentry has a bug, that is triggered
this way and they don't care.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/490b673e/attachment.sig>

From CallM at DNB.com  Mon Mar  8 16:57:05 2021
From: CallM at DNB.com (Call, Margaret)
Date: Mon, 8 Mar 2021 15:57:05 +0000
Subject: question - Gnupg compatibility with Symantec
Message-ID: <DM6PR02MB47957B7587897E1325F75A68B2939@DM6PR02MB4795.namprd02.prod.outlook.com>

Good morning,

We would like to migrate our Symantec PGP to GNU PGP.  We tested the system last week with new PGP users and a user that migrated to GNU from Symantec.  We have fixed all bugs except one:

Our legacy Symantec users (who have not yet transferred over to GNU) are unable to decrypt/read GNU PGP emails.

We work on a Windows System with Microsoft Office 16.  The version of Outlook is: 16.0.11929.20776

We downloaded Gpg4win from this webpage: gpg4win.org

Kleopatra version 3.1.15.0

Thanks for any insight as to why Symantec users are unable to decrypt/read the GNU PGP emails.

Margaret

[cid:image001.png at 01D713FD.BFF224D0]

Margaret M. Call
Program Manager, Government Solutions
Mobile 571.992.5764

dnb.com<https://www.dnb.com/>

[cid:image002.png at 01D713FD.BFF224D0]<http://www.facebook.com/DunBradstreet>[cid:image003.png at 01D713FD.BFF224D0]<http://twitter.com/dunbradstreet>[cid:image004.png at 01D713FD.BFF224D0]<http://www.linkedin.com/company/dun-&-bradstreet>[cid:image005.png at 01D713FD.BFF224D0]<http://www.youtube.com/user/DunandBrad>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/0e226f69/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 6442 bytes
Desc: image001.png
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/0e226f69/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1189 bytes
Desc: image002.png
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/0e226f69/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1159 bytes
Desc: image003.png
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/0e226f69/attachment-0007.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 1143 bytes
Desc: image004.png
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/0e226f69/attachment-0008.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 1136 bytes
Desc: image005.png
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210308/0e226f69/attachment-0009.png>

From serando at sunrise.ch  Tue Mar  9 10:49:18 2021
From: serando at sunrise.ch (serando)
Date: Tue, 9 Mar 2021 10:49:18 +0100
Subject: Changes made to keys in Thunderbird are not transferred to GPA
Message-ID: <7743f4ec-c411-0ef7-4e84-c39678557b10@sunrise.ch>

Hello all together

Operating System: MX Linux 19.3 Xfce 64 bit
GPA version: 0.10.0 from MX Packet Installer
Thunderbird: 78.7.1

1)
Because one of my keys has expired, I have changed in thunderbird the 
"expiry date" of one of my own keys into "Key never expires".
After I have started GPA.
My expectation was, that now GPA shows me as "expire date" also "Key 
never expires".
But my change in thunderbird seems not to have any influence to GPA. 
Why? Do I have now two versions of keys on different places? A 
GPA-version and a thunderbird version?

2)
I have deleted one of my own keys in thunderbird.
After I have started GPA.
My expectation was, that now GPA no longer shows me this key.
But it is still in GPA.

Thank you.

With kind regards
Serando


From m at the13thletter.info  Tue Mar  9 12:29:53 2021
From: m at the13thletter.info (Marco Ricci)
Date: Tue, 9 Mar 2021 12:29:53 +0100
Subject: Changes made to keys in Thunderbird are not transferred to GPA
In-Reply-To: <7743f4ec-c411-0ef7-4e84-c39678557b10@sunrise.ch>
References: <7743f4ec-c411-0ef7-4e84-c39678557b10@sunrise.ch>
Message-ID: <cd94fb4c-f648-f220-04a2-0891cdcc2bf8@the13thletter.info>

Hi Serando.

Thus spoke Serando:
> But my change in thunderbird seems not to have any influence to GPA.
> Why?  Do I have now two versions of keys on different places?
> A GPA-version and a thunderbird version?

Yes, you do. And annoyingly, it's up to you to keep both sets of keys in
sync. See [1].

You can ease some of this synchronization burden by using Thunderbird's
"external GnuPG" setting; see [2]. But certain parts are still handled
by Thunderbird in either case; see [3].

[1]: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_i-need-to-use-both-gnupg-and-thunderbird-in-parallel-can-i-synchronize-my-keys
[2]: https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards
[3]: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_if-my-secret-key-isnt-supported-by-thunderbird-what-can-i-do

Cheers,
Marco

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210309/5034f9ce/attachment.sig>

From vedaal at nym.hush.com  Tue Mar  9 18:47:16 2021
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 09 Mar 2021 12:47:16 -0500
Subject: question - Gnupg compatibility with Symantec
In-Reply-To: <DM6PR02MB47957B7587897E1325F75A68B2939@DM6PR02MB4795.namprd02.prod.outlook.com>
Message-ID: <20210309174717.0275D964E02@smtp.hushmail.com>



On 3/9/2021 at 4:46 AM, "Margaret via Gnupg-users Call"  wrote:      

	We would like to migrate our Symantec PGP to GNU PGP.  We tested the
system last week with new PGP users and a user that migrated to GNU
from Symantec.  We have fixed all bugs except one: 
	Our legacy Symantec users (who have not yet transferred over to GNU)
are unable to decrypt/read GNU PGP emails.   

	 =====

	What type of key, and what encryption algorithm do your Symantec
users have?

	What error messages do you get?   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210309/111fad48/attachment.html>

From rjh at sixdemonbag.org  Tue Mar  9 22:38:53 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 9 Mar 2021 16:38:53 -0500
Subject: question - Gnupg compatibility with Symantec
In-Reply-To: <DM6PR02MB47957B7587897E1325F75A68B2939@DM6PR02MB4795.namprd02.prod.outlook.com>
References: <DM6PR02MB47957B7587897E1325F75A68B2939@DM6PR02MB4795.namprd02.prod.outlook.com>
Message-ID: <454c5f64-9040-3702-34d9-fd64cd1d6151@sixdemonbag.org>

> Our legacy Symantec users (who have not yet transferred over to GNU) are 
> unable to decrypt/read GNU PGP emails.

Symantec is unfortunately not keeping current with the latest iterations 
of the OpenPGP specification.  Further, some features of current GnuPG 
keys are not supported by Symantec PGP.

A good way to begin would be to find your gpg.conf file, and add "pgp8" 
as the first line.  This will force GnuPG to use PGP 8 compatibility 
mode, which should be a good lowest common denominator for both platforms.

Hope this helps!


From angel at pgp.16bits.net  Wed Mar 10 02:23:45 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Wed, 10 Mar 2021 02:23:45 +0100
Subject: question - Gnupg compatibility with Symantec
In-Reply-To: <DM6PR02MB47957B7587897E1325F75A68B2939@DM6PR02MB4795.namprd02.prod.outlook.com>
References: <DM6PR02MB47957B7587897E1325F75A68B2939@DM6PR02MB4795.namprd02.prod.outlook.com>
Message-ID: <5b896e3511cb9ae998a117105fad157b796086f2.camel@16bits.net>

On 2021-03-08 at 15:57 +0000, Call, Margaret wrote:
> Good morning,
>  
> We would like to migrate our Symantec PGP to GNU PGP..  We tested the
> system last week with new PGP users and a user that migrated to GNU
> from Symantec.  We have fixed all bugs except one:
>  
> Our legacy Symantec users (who have not yet transferred over to GNU)
> are unable to decrypt/read GNU PGP emails. 
>  
> We work on a Windows System with Microsoft Office 16..  The version
> of Outlook is: 16.0.11929.20776
>  
> We downloaded Gpg4win from this webpage: gpg4win.org
>  
> Kleopatra version 3.1.15.0
>  
> Thanks for any insight as to why Symantec users are unable to
> decrypt/read the GNU PGP emails.
>  
> Margaret

Welcome Margaret

Which Symantec PGP version are you using? What kind of keys are they
using? Note that what once was Symantec PGP is now part of Broadcom.

I find the problem a bit peculiar, since you shouldn't be having a
problem at this point. Were the keys of the legacy users originally
generated by Symantec PGP? OpenPGP keys describe their capabilities.
Thus, an older version shouldn't be unable to decrypt the content that
was sent by a newer software. It might be unable to verify the
signature, or to reply back, but it should be able to decrypt what was
written to its key.
Or, if the new version had deprecated some algorithm needed by the old
key, I would expect the problem to surface on encryption, not for
decryption.

Similarly, the old version could have issues encrypting to a key using
newer algorithms (or just to import such key, Symantec PGP will
misleadingly claim there is no key when the error is actually that it
unable to import it for being too new for them).

Another possibility would be some error not at actually decrypting the
emails, but at *detecting* that the emails contain PGP data. I actually
find that more likely. Integration with some mail clients is somewhat
fragile, and moreover, certain servers are prone to helpfully "fix"
PGP/MIME messages by corrupting them.

My recommendation is to begin by testing encryption first, and then
moving to encrypted emails. Encrypt on the GnuPG client with the key of
a legacy user, copy that to their machine and have them attempt to
decrypt it. Similarly, try to encrypt a file and send it back. That
shouldn't be an issue either, assuming the GnuPG user had some
conservative options.
If it works by manually exchanging encrypted files, then the problem
lies at the mail layer, although it's a bit hard to guess if it's a
problem with the client sending the encrypted email, with the client
receiving the email and not decryting it, with a mail server changing
the message... or a mix of those.

Kind regards




From geostyles2020 at protonmail.com  Wed Mar 10 09:12:03 2021
From: geostyles2020 at protonmail.com (geostyles2020 at protonmail.com)
Date: Wed, 10 Mar 2021 08:12:03 +0000
Subject: mailto:gnupg-users@gnupg.org?Subject=Re: Can IPAD or Android Tablets
 create Keys and use gnupg
Message-ID: <ws0cHmJDFeTruUrtppjgS5HMWsAn0xyBUBaH2toi0lgAz0DNBsklSvy1zg_Hww7k9_ZB68RWl20SKgqSelLBqlwI2fHB6j-qweINimcyi7o=@protonmail.com>

mailto:gnupg-users at gnupg.org?Subject=Re: Can IPAD or Android Tablets create Keys and use gnupg&In-Reply-To=<20120912233505.4C747E672D at smtp.hushmail.com>

Sent from ProtonMail mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210310/4fdce924/attachment.html>

From bernhard at intevation.de  Fri Mar 12 15:29:31 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 12 Mar 2021 15:29:31 +0100
Subject: Can IPAD or Android Tablets create Keys and use gnupg
In-Reply-To: <ws0cHmJDFeTruUrtppjgS5HMWsAn0xyBUBaH2toi0lgAz0DNBsklSvy1zg_Hww7k9_ZB68RWl20SKgqSelLBqlwI2fHB6j-qweINimcyi7o=@protonmail.com>
References: <ws0cHmJDFeTruUrtppjgS5HMWsAn0xyBUBaH2toi0lgAz0DNBsklSvy1zg_Hww7k9_ZB68RWl20SKgqSelLBqlwI2fHB6j-qweINimcyi7o=@protonmail.com>
Message-ID: <202103121529.37782.bernhard@intevation.de>

Am Mittwoch 10 M?rz 2021 09:12:03 schrieb geostyles2020--- via Gnupg-users:
>  Can IPAD or Android Tablets create Keys and use gnupg

GnuPG is a crypto tool, which implements standards like OpenPGP
and Cryptographic Message Syntax. 

An email application is needed in addition 
to read and send OpenPGP/MIME or S/MIME emails.

(There are other tools, that also implement those standards.)

So your question can be understood in several dimentions:
a) is there a port (or distribution) of GnuPG
   for Android?
   
Not really. Details: There used to be 
https://github.com/guardianproject/gnupg-for-android
but it is unmaintained and outdated.
So it is technically feasable, but not one does the work.

b) is there a port (or distribution) of GnuPG
   for iOS?

Not that I know of. 
Details: There are probably technical and license challenges to port
GnuPG to iOS. While I believe that it is possible to port C applications
to iOS, it is unclear if someone could place it is in the appstore.
Note that GnuPG ports to MacOSX exist.


c) Are there compatible OpenPGP and OpenPGP/MIME implementations for
   Android?

Yes, e.g. Openkeychain + K9Mail (both being Free Software)


d) Are there compatible OpenPGP and OpenPGP/MIME implementations for iOS?

Yes, though proprietary Software (AFAIK), for example I've heard about
Canary Mail, iPGMail, PGPro, Safe Easy Privacy

Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210312/932a13a6/attachment.sig>

From bernhard at intevation.de  Fri Mar 12 16:17:51 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 12 Mar 2021 16:17:51 +0100
Subject: protected to: and cc: email infos (Re: Protect email experience not
 Subject:s (hypothesis, draft))
In-Reply-To: <2745132.OPOr1PVihp@hopper>
References: <202101291752.32473.bernhard@intevation.de>
 <2745132.OPOr1PVihp@hopper>
Message-ID: <202103121617.58740.bernhard@intevation.de>

Am Montag 01 Februar 2021 12:32:03 schrieb Andre Heinecke via Gnupg-users:
> This discussion is very relevant for me because GpgOL is starting to
> include protected-headers mime parts with the next version to transfer To
> and CC information. 

Did you write more about the use case somewhere?
My thinkig is: the to: and cc: information would also
be like addressing hints on an envelope (to stay in this picture)
and there could be a usability downgrade if this infos goes into
protected MIME headers for elder implementations.

> Putting the subject into it would be easy but it's more 
> of a policy decision if we want to encourage or discourage this.

One main concern I am thinking about is the grade and time frame
of backwards compatibility. One main email advantage is that it is based on
decentral standards, thus people can use diverse old (and stable) clients for 
a long time. 

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210312/fd86e829/attachment-0001.sig>

From andrewg at andrewg.com  Fri Mar 12 17:27:08 2021
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 12 Mar 2021 16:27:08 +0000
Subject: Can IPAD or Android Tablets create Keys and use gnupg
In-Reply-To: <202103121529.37782.bernhard@intevation.de>
References: <ws0cHmJDFeTruUrtppjgS5HMWsAn0xyBUBaH2toi0lgAz0DNBsklSvy1zg_Hww7k9_ZB68RWl20SKgqSelLBqlwI2fHB6j-qweINimcyi7o=@protonmail.com>
 <202103121529.37782.bernhard@intevation.de>
Message-ID: <390ce63c-9050-571b-05c0-f42685041571@andrewg.com>

On 12/03/2021 14:29, Bernhard Reiter wrote:
> d) Are there compatible OpenPGP and OpenPGP/MIME implementations for iOS?
> 
> Yes, though proprietary Software (AFAIK), for example I've heard about
> Canary Mail, iPGMail, PGPro, Safe Easy Privacy

PGPro is open source, but neither it nor iPGMail handle openPGP/MIME - 
they use various tricks with the clipboard and attachments to exchange 
ciphertext with the native iOS mail app, due to restrictions in iOS 
<=v13 that forbid third-party apps direct access to the mail delivery API.

(The less said about SAFE Easy Privacy's hateful UX, the better)

Canary Mail is the only one of the above which has (so far) taken 
advantage of the new iOS 14 app policy to implement openPGP/MIME. I have 
not used it much, but it appears well-built (and closed-source, and pricey).

-- 
Andrew Gallagher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210312/636ffa55/attachment.sig>

From bernhard at intevation.de  Fri Mar 12 18:02:41 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 12 Mar 2021 18:02:41 +0100
Subject: header protection drafts too early to implement (Re: Protect email
 experience not Subject:s (hypothesis, draft))
In-Reply-To: <202101291752.32473.bernhard@intevation.de>
References: <202101291752.32473.bernhard@intevation.de>
Message-ID: <202103121802.47422.bernhard@intevation.de>

Took a few hours to read through the current version of

Am Freitag 29 Januar 2021 17:52:25 schrieb Bernhard Reiter:
> [3] https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/

draft-ietf-lamps-header-protection-03  Last updated 2021-02-22 
which also aims at OpenPGP/MIME mails.

To keep you in the loop, my main take-away so far:

It is not ready to be implemented yet, because 

a) it rightfully aims to proposed one method and leans towards 
   wrapped message approach.

b) the usability problems are not addressed, mainly how to display a mixed set
   up headers where some are signed-only, not protected or
   signed-and-encrypted, but also the complexity arising from this.
   Also what should happen if one of the signature do not validate,
   displaying this for each header field is something I cannot really
   imaging so far.

c) the drawback of server filter and access and indexing problems
   with implementations (where email draws a lot of usability from)
   are unsolved.

Overall, there is some good technical work in the document. Personally I feel
it focusses on some aspects more than other aspects, missing a bit on the
bigger picture.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210312/339df91e/attachment.sig>

From juergen at bruckner.email  Fri Mar 12 18:15:18 2021
From: juergen at bruckner.email (Juergen Bruckner)
Date: Fri, 12 Mar 2021 18:15:18 +0100
Subject: Can IPAD or Android Tablets create Keys and use gnupg
In-Reply-To: <202103121529.37782.bernhard@intevation.de>
References: <ws0cHmJDFeTruUrtppjgS5HMWsAn0xyBUBaH2toi0lgAz0DNBsklSvy1zg_Hww7k9_ZB68RWl20SKgqSelLBqlwI2fHB6j-qweINimcyi7o=@protonmail.com>
 <202103121529.37782.bernhard@intevation.de>
Message-ID: <3918a84d-2ac0-fa31-f3d2-a7a1ae4dfb7f@bruckner.email>



Am 12.03.21 um 15:29 schrieb Bernhard Reiter:
> c) Are there compatible OpenPGP and OpenPGP/MIME implementations for
>     Android?
> 
> Yes, e.g. Openkeychain + K9Mail (both being Free Software)

I can also name following Android Apps here

   - FairEMail (+ Openkeychain)
   - R2Mail2
   - MailDroid (+ Crypto-PlugIn)

which supports BOTH OpenPGP and S/MIME.
All of them are available for a small fee.

best regards
Juergen
-- 
/?\   No  |
\ /  HTML |    Juergen Bruckner
  X    in  |    juergen at bruckner.email
/ \  Mail |

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3894 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210312/f438cb9d/attachment.bin>

From informatik at semy.ch  Sun Mar 14 17:34:11 2021
From: informatik at semy.ch (Daniel Bossert)
Date: Sun, 14 Mar 2021 17:34:11 +0100
Subject: Email encryption within mailaccount
Message-ID: <95BAFFBB-4193-4A3D-BA3C-AB20CAFBD5BD@semy.ch>

Hello

Is there a way that all mails (sent, incoming, draft) get encrypted by default?

Regards
Daniel 
-- 
Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/7e99f083/attachment.html>

From mailinglist at chiraag.me  Sun Mar 14 18:30:12 2021
From: mailinglist at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=)
Date: Sun, 14 Mar 2021 17:30:12 +0000
Subject: Email encryption within mailaccount
In-Reply-To: <95BAFFBB-4193-4A3D-BA3C-AB20CAFBD5BD@semy.ch>
References: <95BAFFBB-4193-4A3D-BA3C-AB20CAFBD5BD@semy.ch>
Message-ID: <YE5IHnGcMTsUrUVz@chiraag>

12021/01/32 05:23.74 ?????, Daniel Bossert via Gnupg-users <gnupg-users at gnupg.org> ??????:
> Hello
> 
> Is there a way that all mails (sent, incoming, draft) get encrypted by default?
> 
> Regards
> Daniel
> --
> Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.

Sent: depends on whether you have the other person's public key. If you don't, you can't encrypt to them...
Received: Not generally. See below for what you probably want.
Draft: Depends on the email client.

What you *probably* want is something like ProtonMail, where everything is seamlessly encrypted before being stored. This means that all sent emails are stored encrypted on *your* end (even if they were sent as unencrypted emails to the other person or people). The same is true of drafts and incoming email.

HTH!

- Chiraag
-- 
?????? ??????
Pronouns: he/him/his
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - mailinglist at chiraag.me - b0c8d720.asc
Type: application/pgp-keys
Size: 659 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/f8ab2111/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 233 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/f8ab2111/attachment.sig>

From informatik at semy.ch  Sun Mar 14 18:48:29 2021
From: informatik at semy.ch (Daniel Bossert)
Date: Sun, 14 Mar 2021 18:48:29 +0100
Subject: Email encryption within mailaccount
In-Reply-To: <YE5IHnGcMTsUrUVz@chiraag>
References: <95BAFFBB-4193-4A3D-BA3C-AB20CAFBD5BD@semy.ch>
 <YE5IHnGcMTsUrUVz@chiraag>
Message-ID: <B411CBC0-3F65-4F32-A364-304E0296A7C3@semy.ch>

Well, the company has an Microsoft online account, what I don't like at all. So I was searching for a solution 

"?????? ?????? via Gnupg-users" <gnupg-users at gnupg.org> skrev: (14 mars 2021 18:30:12 CET)
>12021/01/32 05:23.74 ?????, Daniel Bossert via Gnupg-users
><gnupg-users at gnupg.org> ??????:
>> Hello
>> 
>> Is there a way that all mails (sent, incoming, draft) get encrypted
>by default?
>> 
>> Regards
>> Daniel
>> --
>> Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
>
>Sent: depends on whether you have the other person's public key. If you
>don't, you can't encrypt to them...
>Received: Not generally. See below for what you probably want.
>Draft: Depends on the email client.
>
>What you *probably* want is something like ProtonMail, where everything
>is seamlessly encrypted before being stored. This means that all sent
>emails are stored encrypted on *your* end (even if they were sent as
>unencrypted emails to the other person or people). The same is true of
>drafts and incoming email.
>
>HTH!
>
>- Chiraag
>-- 
>?????? ??????
>Pronouns: he/him/his

-- 
Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/543a07f0/attachment-0001.html>

From mailinglist at chiraag.me  Sun Mar 14 19:07:50 2021
From: mailinglist at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=)
Date: Sun, 14 Mar 2021 18:07:50 +0000
Subject: Email encryption within mailaccount
In-Reply-To: <B411CBC0-3F65-4F32-A364-304E0296A7C3@semy.ch>
References: <95BAFFBB-4193-4A3D-BA3C-AB20CAFBD5BD@semy.ch>
 <YE5IHnGcMTsUrUVz@chiraag> <B411CBC0-3F65-4F32-A364-304E0296A7C3@semy.ch>
Message-ID: <YE5Q8gQQZ494fObn@chiraag>

12021/01/32 05:75.34 ?????, Daniel Bossert <informatik at semy.ch> ??????:
> Well, the company has an Microsoft online account, what I don't like at all. So
> I was searching for a solution
> 
> "?????? ?????? via Gnupg-users" <gnupg-users at gnupg.org> skrev: (14 mars 2021
> 18:30:12 CET)
> 
>     12021/01/32 05:23.74 ?????, Daniel Bossert via Gnupg-users <gnupg-users at gnupg.org> ??????:
>         Hello
> 
>         Is there a way that all mails (sent, incoming, draft) get encrypted by default?
> 
>         Regards
>         Daniel
>         --
>         Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
> 
>     Sent: depends on whether you have the other person's public key. If you don't, you can't encrypt to them...
>     Received: Not generally. See below for what you probably want.
>     Draft: Depends on the email client.
> 
>     What you *probably* want is something like ProtonMail, where everything is seamlessly encrypted before being stored. This means that all sent emails are stored encrypted on *your* end (even if they were sent as unencrypted emails to the other person or people). The same is true of drafts and incoming email.
> 
>     HTH!
> 
>     - Chiraag
> 
> 
> --
> Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.

That's a dangerous game, my friend. So this is for your work email, not for your personal email, right? In that case, I wouldn't bother with this. It's likely risky in terms of information disclosure and will likely raise flags (especially if you're the only one doing this...).

-- 
?????? ??????
Pronouns: he/him/his
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - mailinglist at chiraag.me - b0c8d720.asc
Type: application/pgp-keys
Size: 659 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/59ea13eb/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 233 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/59ea13eb/attachment.sig>

From informatik at semy.ch  Sun Mar 14 19:14:37 2021
From: informatik at semy.ch (Daniel Bossert)
Date: Sun, 14 Mar 2021 19:14:37 +0100
Subject: Email encryption within mailaccount
In-Reply-To: <YE5Q8gQQZ494fObn@chiraag>
References: <95BAFFBB-4193-4A3D-BA3C-AB20CAFBD5BD@semy.ch>
 <YE5IHnGcMTsUrUVz@chiraag> <B411CBC0-3F65-4F32-A364-304E0296A7C3@semy.ch>
 <YE5Q8gQQZ494fObn@chiraag>
Message-ID: <642BBAE4-12F9-4991-BA72-F9D036FD4516@semy.ch>



"?????? ?????? via Gnupg-users" <gnupg-users at gnupg.org> skrev: (14 mars 2021 19:07:50 CET)
>12021/01/32 05:75.34 ?????, Daniel Bossert <informatik at semy.ch> ??????:
>> Well, the company has an Microsoft online account, what I don't like
>at all. So
>> I was searching for a solution
>> 
>> "?????? ?????? via Gnupg-users" <gnupg-users at gnupg.org> skrev: (14
>mars 2021
>> 18:30:12 CET)
>> 
>>     12021/01/32 05:23.74 ?????, Daniel Bossert via Gnupg-users
><gnupg-users at gnupg.org> ??????:
>>         Hello
>> 
>>         Is there a way that all mails (sent, incoming, draft) get
>encrypted by default?
>> 
>>         Regards
>>         Daniel
>>         --
>>         Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min
>f?ordighet.
>> 
>>     Sent: depends on whether you have the other person's public key.
>If you don't, you can't encrypt to them...
>>     Received: Not generally. See below for what you probably want.
>>     Draft: Depends on the email client.
>> 
>>     What you *probably* want is something like ProtonMail, where
>everything is seamlessly encrypted before being stored. This means that
>all sent emails are stored encrypted on *your* end (even if they were
>sent as unencrypted emails to the other person or people). The same is
>true of drafts and incoming email.
>> 
>>     HTH!
>> 
>>     - Chiraag
>> 
>> 
>> --
>> Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
>
>That's a dangerous game, my friend. So this is for your work email, not
>for your personal email, right? In that case, I wouldn't bother with
>this. It's likely risky in terms of information disclosure and will
>likely raise flags (especially if you're the only one doing this...).
>
>-- 
>?????? ??????
>Pronouns: he/him/his

Ok, thank you! 

-- 
Skickat fr?n min Android-enhet med K-9 Mail. Urs?kta min f?ordighet.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210314/ec788a3b/attachment.html>

From bernhard at intevation.de  Tue Mar 16 09:42:39 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 16 Mar 2021 09:42:39 +0100
Subject: Can IPAD or Android Tablets create Keys and use gnupg
In-Reply-To: <3918a84d-2ac0-fa31-f3d2-a7a1ae4dfb7f@bruckner.email>
References: <ws0cHmJDFeTruUrtppjgS5HMWsAn0xyBUBaH2toi0lgAz0DNBsklSvy1zg_Hww7k9_ZB68RWl20SKgqSelLBqlwI2fHB6j-qweINimcyi7o=@protonmail.com>
 <202103121529.37782.bernhard@intevation.de>
 <3918a84d-2ac0-fa31-f3d2-a7a1ae4dfb7f@bruckner.email>
Message-ID: <202103160942.51997.bernhard@intevation.de>

Andrew, J?rgen,

Am Freitag 12 M?rz 2021 17:27:08 schrieb Andrew Gallagher via Gnupg-users:
> PGPro is open source, but neither it nor iPGMail handle openPGP/MIME -

> Canary Mail

Am Freitag 12 M?rz 2021 18:15:18 schrieb Juergen Bruckner via Gnupg-users:
> I can also name following Android Apps here

thanks for sharing your experiences?

Anyone cares to link this from wiki.gnupg.org?
To me it would be cool, if more details are available there,
I do sometimes updates some, but more help would be cool. ;)

Best,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/7c82e2af/attachment.sig>

From mmcdonnell at fastly.com  Tue Mar 16 11:00:57 2021
From: mmcdonnell at fastly.com (Mark McDonnell)
Date: Tue, 16 Mar 2021 10:00:57 +0000
Subject: macOS pinentry remove saved password
Message-ID: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>

Hi,

The default behaviour of the pinentry app (on macOS at least) is to have
the option "save password in Keychain" automatically selected.

I have to deselect this every time I use a specific GPG key where I don't
want the password saved in the macOS Keychain. Unfortunately it seems I
neglected to do this one time and so now it has been stored in the Keychain.

I would like to remove it from the Keychain but it seems I can't find the
gpg key listed in the macOS Keychain application and so I'm not sure how to
remove it so that pinentry will again start asking me for the password for
that particular gpg key.

Any help would be appreciated.

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/18ce7d76/attachment.html>

From bex at pobox.com  Tue Mar 16 12:40:57 2021
From: bex at pobox.com (bex at pobox.com)
Date: Tue, 16 Mar 2021 12:40:57 +0100
Subject: macOS pinentry remove saved password
In-Reply-To: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>
References: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>
Message-ID: <f0f975bb-fb8b-4dea-9257-91771f1aa981@Spark>

Hi,

The key is listed in the login keychain.??It uses the name and one of the associated numbers - It is the fifth element in ?with-key-data but I don?t recognize it.

This default for pin entry is ? frustrating.

Regards,

bex
On Mar 16, 2021, 12:05 PM +0100, Mark McDonnell via Gnupg-users <gnupg-users at gnupg.org>, wrote:
> Hi,
>
> The default behaviour of the pinentry app (on macOS at least) is to have the option "save password in Keychain" automatically selected.
>
> I have to deselect this every time I use a specific GPG key where I don't want the password saved in the macOS Keychain. Unfortunately it seems I neglected to do this one time and so now it has been stored in the Keychain.
>
> I would like to remove it from the Keychain but it seems I can't find the gpg key listed in the macOS Keychain application and so I'm not sure how to remove it so that?pinentry?will again start?asking me for the password for that particular gpg key.
>
> Any help would be appreciated.
>
> Thanks.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/0f1ca66a/attachment-0001.html>

From gnupg at jelmail.com  Tue Mar 16 12:19:17 2021
From: gnupg at jelmail.com (John Lane)
Date: Tue, 16 Mar 2021 11:19:17 +0000
Subject: Prompting on concurrent invocations of gpg
Message-ID: <63a31170-6d9b-e48e-5321-026d79b9b2f4@lane.uk.net>

Hello, I have a scenario where gpg is prompting for a passphrase when I
don't think it should because it is cached in the agent. It seems to be
triggered by concurrent use. Here is an example.

First, create some encrypted data:

$ echo test | gpg --encrypt -o test.gpg -r <email-address>

Then decrypt it a number of times:

$ for n in {1..100}; do gpg --decrypt test.gpg &> /dev/null; done

This may prompt for a passphrase if it isn't cached but, if it does, it
should do so only once. I null the output because it's irrelevant. The
main point here is, this works as expected.

Now do the same, but concurrently:

$ for n in {1..10}; do ( gpg --decrypt test.gpg &> /dev/null;) & done

This will prompt for the passphrase a number of times. The number of
iterations can be small, but it seems to start prompting at 6.

Sometimes, not always and only on this concurrent example, I also see a
memory allocation error (this appears unrelated to the prompting and
happens after running the test a few times):

    gpg: public key decryption failed: Cannot allocate memory

Version information:
    gpg (GnuPG) 2.2.25 libgcrypt 1.8.7
    Linux 5.10.6-arch1-1 #1 SMP PREEMPT Sat, 09 Jan 2021 18:22:35 +0000
x86_64 GNU/Linux

Agent config:

    $ cat ~/.gnupg/gpg-agent.conf
    enable-ssh-support
    default-cache-ttl 900
    max-cache-ttl 3600

Why does this happen, can I do something to disable this behaviour, or
is it a bug ?

Thanks



From mmcdonnell at fastly.com  Tue Mar 16 17:19:43 2021
From: mmcdonnell at fastly.com (Mark McDonnell)
Date: Tue, 16 Mar 2021 16:19:43 +0000
Subject: macOS pinentry remove saved password
In-Reply-To: <f0f975bb-fb8b-4dea-9257-91771f1aa981@Spark>
References: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>
 <f0f975bb-fb8b-4dea-9257-91771f1aa981@Spark>
Message-ID: <CAKxc2MkH+UheMJyMv0Y3ofLqPfCjP1CW0EPL87mB0fmvM0hBuQ@mail.gmail.com>

Ah, ok cool think I found it.

Thanks bex.

It would be great if users could configure the default as it feels
dangerous to default to saving the passphrase.

On Tue, Mar 16, 2021 at 11:41 AM <bex at pobox.com> wrote:

> Hi,
>
> The key is listed in the login keychain.  It uses the name and one of the
> associated numbers - It is the fifth element in ?with-key-data but I don?t
> recognize it.
>
> This default for pin entry is ? frustrating.
>
> Regards,
>
> bex
> On Mar 16, 2021, 12:05 PM +0100, Mark McDonnell via Gnupg-users <
> gnupg-users at gnupg.org>, wrote:
>
> Hi,
>
> The default behaviour of the pinentry app (on macOS at least) is to have
> the option "save password in Keychain" automatically selected.
>
> I have to deselect this every time I use a specific GPG key where I don't
> want the password saved in the macOS Keychain. Unfortunately it seems I
> neglected to do this one time and so now it has been stored in the Keychain.
>
> I would like to remove it from the Keychain but it seems I can't find the
> gpg key listed in the macOS Keychain application and so I'm not sure how to
> remove it so that pinentry will again start asking me for the password for
> that particular gpg key.
>
> Any help would be appreciated.
>
> Thanks.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/60f01de6/attachment.html>

From kloecker at kde.org  Tue Mar 16 19:40:44 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Tue, 16 Mar 2021 19:40:44 +0100
Subject: Prompting on concurrent invocations of gpg
In-Reply-To: <63a31170-6d9b-e48e-5321-026d79b9b2f4@lane.uk.net>
References: <63a31170-6d9b-e48e-5321-026d79b9b2f4@lane.uk.net>
Message-ID: <4646289.31r3eYUQgx@collossus.localdomain>

On Dienstag, 16. M?rz 2021 12:19:17 CET John Lane wrote:
> Hello, I have a scenario where gpg is prompting for a passphrase when I
> don't think it should because it is cached in the agent. It seems to be
> triggered by concurrent use. Here is an example.
[snip]
> $ for n in {1..10}; do ( gpg --decrypt test.gpg &> /dev/null;) & done
> 
> This will prompt for the passphrase a number of times. The number of
> iterations can be small, but it seems to start prompting at 6.

Probably the easiest way to avoid this is to seed the cache of gpg-agent with 
the needed passphrases before starting the concurrent invocations. See
man gpg-preset-passphrase
for details.

> Sometimes, not always and only on this concurrent example, I also see a
> memory allocation error (this appears unrelated to the prompting and
> happens after running the test a few times):
> 
>     gpg: public key decryption failed: Cannot allocate memory

That sounds like a bug.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/cd82e0af/attachment.sig>

From klaus+gnupg at ethgen.ch  Tue Mar 16 20:34:32 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Tue, 16 Mar 2021 20:34:32 +0100
Subject: macOS pinentry remove saved password
In-Reply-To: <CAKxc2MkH+UheMJyMv0Y3ofLqPfCjP1CW0EPL87mB0fmvM0hBuQ@mail.gmail.com>
References: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>
 <f0f975bb-fb8b-4dea-9257-91771f1aa981@Spark>
 <CAKxc2MkH+UheMJyMv0Y3ofLqPfCjP1CW0EPL87mB0fmvM0hBuQ@mail.gmail.com>
Message-ID: <YFEISGZ6vvqnzM9r@ikki.ethgen.ch>

Hi,

Am Di den 16. M?r 2021 um 17:19 schrieb Mark McDonnell via Gnupg-users:
> It would be great if users could configure the default as it feels
> dangerous to default to saving the passphrase.

I believe, it is the "no-allow-external-cache" option.

I had the same on linux with the shity gnome PW manager. It might be the
same option on mac.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/89597ebd/attachment.sig>

From gnupg at jelmail.com  Tue Mar 16 21:10:45 2021
From: gnupg at jelmail.com (John Lane)
Date: Tue, 16 Mar 2021 20:10:45 +0000
Subject: Prompting on concurrent invocations of gpg
In-Reply-To: <4646289.31r3eYUQgx@collossus.localdomain>
References: <63a31170-6d9b-e48e-5321-026d79b9b2f4@lane.uk.net>
 <4646289.31r3eYUQgx@collossus.localdomain>
Message-ID: <e0892d91-d84d-7362-910e-e5aab7859e87@lane.uk.net>


> 
> Probably the easiest way to avoid this is to seed the cache of gpg-agent with 
> the needed passphrases before starting the concurrent invocations. See
> man gpg-preset-passphrase
> for details.
> 

I just tried that to see if it would help. It doesn't make any
difference because the passphrase is already in the cache (ok, if the
password isn't in the cache then it does stop that first request). In
the example I gave it's the same payload being decrypted each time so
there is only one passphrase.


The subsequent unwanted prompts happen even when the passprase is
already cached. It's like some concurrent calls don't hit the cache.



From wk at gnupg.org  Tue Mar 16 22:03:13 2021
From: wk at gnupg.org (Werner Koch)
Date: Tue, 16 Mar 2021 22:03:13 +0100
Subject: macOS pinentry remove saved password
In-Reply-To: <YFEISGZ6vvqnzM9r@ikki.ethgen.ch> (Klaus Ethgen's message of
 "Tue, 16 Mar 2021 20:34:32 +0100")
References: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>
 <f0f975bb-fb8b-4dea-9257-91771f1aa981@Spark>
 <CAKxc2MkH+UheMJyMv0Y3ofLqPfCjP1CW0EPL87mB0fmvM0hBuQ@mail.gmail.com>
 <YFEISGZ6vvqnzM9r@ikki.ethgen.ch>
Message-ID: <871rceu7zi.fsf@wheatstone.g10code.de>

On Tue, 16 Mar 2021 20:34, Klaus Ethgen said:

> I believe, it is the "no-allow-external-cache" option.

Right, but I am not sure about the macOS pinentry; in particular if it
is closely based on the standard pinentry code base or does its own
thing.  Any pointer to that pinentry?


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/b6f3790a/attachment.sig>

From lukele at gpgtools.org  Tue Mar 16 22:42:56 2021
From: lukele at gpgtools.org (Lukas Pitschl)
Date: Tue, 16 Mar 2021 22:42:56 +0100
Subject: macOS pinentry remove saved password
In-Reply-To: <CAKxc2MkH+UheMJyMv0Y3ofLqPfCjP1CW0EPL87mB0fmvM0hBuQ@mail.gmail.com>
References: <CAKxc2Mkjfacn5JNjYHWJjDC-9jEbkxqGb5+WYC9=+EA2OCyXgQ@mail.gmail.com>
 <f0f975bb-fb8b-4dea-9257-91771f1aa981@Spark>
 <CAKxc2MkH+UheMJyMv0Y3ofLqPfCjP1CW0EPL87mB0fmvM0hBuQ@mail.gmail.com>
Message-ID: <11306698-8C22-482D-BABF-86F9D19487B1@gpgtools.org>

Am 16.03.2021 um 17:19 schrieb Mark McDonnell via Gnupg-users <gnupg-users at gnupg.org>:

> It would be great if users could configure the default as it feels dangerous to default to saving the passphrase.

That is possible by running the following command:

    defaults write org.gpgtools.common UseKeychain -bool NO

To remove any saved passwords from macOS Keychain, search
for GnuPG to find them.

The folks of homebrew are using our version of pinentry which is
based off the standard pinentry, but adds the possibility to store passphrases
for GnuPG keys in macOS Keychain. For our version of GnuPG it should default
to on, but we also provide a macOS preference pane to change the default.
As such a preference pane is not available for homebrew users, we have
brought this issue up with them but they have not reacted.

Best,

Lukas
GPGTools
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 268 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/1dc9bd8d/attachment-0001.sig>

From dilfridge at gentoo.org  Tue Mar 16 23:25:41 2021
From: dilfridge at gentoo.org (Andreas K. Huettel)
Date: Tue, 16 Mar 2021 23:25:41 +0100
Subject: gnupg and ssh interaction somehow broken (card reader with pinpad)
Message-ID: <8507494.B369e8A3TW@pinacolada>

Dear all, 

I'd appreciate some advice. I recently returned back from a year abroad to my 
trusted hardware, and it seems an upgrade of gpg in the meantime broke things.

Setup: 
* OpenPGP card with S, E, A subkeys; using both gnupg and ssh with the card
* SPR532 USB card reader with pinpad

~/.bashrc (after consultation of the list archives):
GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
unset SSH_AGENT_PID
unset SSH_ASKPASS
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

Symptoms:

1) first, sign something (e.g. detached file signature): works as expected 
(pinentry window pops up, pin entered on keypad)
2) then, use ssh with pubkey authentication: pinentry window pops up, pin is 
not accepted ("wrong beep")

alternatively (after removing card, unpowering reader, plugging reader and 
card back in)

1) gpg --card-status finds the card and starts the agent
2) use ssh with pubkey authentication: pinentry window pops up, pin is 
accepted, works
3) then, sign something: pinentry window pops up, pin is not accepted ("wrong 
beep")

Here's an excerpt from the debug log:

2021-03-15 19:41:01 gpg-agent[12004] starting a new PIN Entry
2021-03-15 19:41:01 gpg-agent[12004] DBG: connection to PIN entry established
2021-03-15 19:41:01 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:05 gpg-agent[12004] DBG: agent_cache_housekeeping
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- INQUIRE 
DISMISSPINPADPROMPT
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 -> END
2021-03-15 19:41:06 gpg-agent[12004] DBG: chan_11 <- ERR 100663351 Invalid 
value <SCD>
2021-03-15 19:41:06 gpg-agent[12004] smartcard signing failed: Invalid value

Any clue what's happening?

TIA,
Andreas

-- 
Andreas K. H?ttel
dilfridge at gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210316/51df7ef0/attachment.sig>

From wk at gnupg.org  Wed Mar 17 09:48:58 2021
From: wk at gnupg.org (Werner Koch)
Date: Wed, 17 Mar 2021 09:48:58 +0100
Subject: gnupg and ssh interaction somehow broken (card reader with pinpad)
In-Reply-To: <8507494.B369e8A3TW@pinacolada> (Andreas K. Huettel via
 Gnupg-users's message of "Tue, 16 Mar 2021 23:25:41 +0100")
References: <8507494.B369e8A3TW@pinacolada>
Message-ID: <87wnu6rwqt.fsf@wheatstone.g10code.de>

On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:

> 3) then, sign something: pinentry window pops up, pin is not accepted ("wrong 
> beep")

We need a log from the scdaemon.  Put

--8<---------------cut here---------------start------------->8---
log-file /somewhere/scd.log
verbose
debug ipc,reader
--8<---------------cut here---------------end--------------->8---

into scdaemon.conf.  You may also want to add debug-pinentry to
gpg-agent.conf.  Then

  gpgconf --kill scdaemon

or

  gpgconf --kill all


Which gnupg version are you running?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210317/3eb0fa09/attachment.sig>

From andreas.huettel at ur.de  Wed Mar 17 16:31:29 2021
From: andreas.huettel at ur.de (Andreas K. Huettel)
Date: Wed, 17 Mar 2021 16:31:29 +0100
Subject: gnupg and ssh interaction somehow broken (card reader with pinpad)
In-Reply-To: <87wnu6rwqt.fsf@wheatstone.g10code.de>
References: <8507494.B369e8A3TW@pinacolada>
 <87wnu6rwqt.fsf@wheatstone.g10code.de>
Message-ID: <1853823.PYKUYFuaPT@kailua>

Am Mittwoch, 17. M?rz 2021, 09:48:58 CET schrieb Werner Koch:
> On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > 3) then, sign something: pinentry window pops up, pin is not accepted
> > ("wrong beep")
> 
> We need a log from the scdaemon.  

Here's the critical part from the scdaemon log, when signing fails in step 3: 

2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
2021-03-17 16:15:37 scdaemon[4932] Pr?fung des CHV1 fehlgeschlagen: Ung?ltiger 
Wert
2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ung?ltiger Wert
2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ung?ltiger Wert
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ung?ltiger 
Wert <SCD>
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK

[Not being familiar with the details, I dont know if I can post the full log 
here or if it contains sensitive data.]

> Which gnupg version are you running?

huettel at kailua ~ $ gpg --version
gpg (GnuPG) 2.2.25
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/huettel/.gnupg
Unterst?tzte Verfahren:
?ff. Schl?ssel: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Verschl?.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2


If I do gpg signing a file first and ssh later, this is the detail when after 
successful signing the ssh command fails:

2021-03-17 16:28:49 scdaemon[26257] DBG: dismiss pinpad entry prompt
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 <- END
2021-03-17 16:28:49 scdaemon[26257] Pr?fung des CHV2 fehlgeschlagen: 
Ung?ltiger Wert
2021-03-17 16:28:49 scdaemon[26257] operation auth result: Ung?ltiger Wert
2021-03-17 16:28:49 scdaemon[26257] app_auth failed: Ung?ltiger Wert
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> ERR 100663351 Ung?ltiger 
Wert <SCD>
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 <- RESTART
2021-03-17 16:28:49 scdaemon[26257] DBG: chan_7 -> OK


-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
e-mail andreas.huettel at ur.de
http://www.akhuettel.de/
http://www.physik.uni-r.de/forschung/huettel/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210317/9c141eb7/attachment.sig>

From klaus+gnupg at ethgen.ch  Wed Mar 17 20:52:26 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Wed, 17 Mar 2021 20:52:26 +0100
Subject: gnupg and ssh interaction somehow broken (card reader with pinpad)
In-Reply-To: <1853823.PYKUYFuaPT@kailua>
References: <8507494.B369e8A3TW@pinacolada>
 <87wnu6rwqt.fsf@wheatstone.g10code.de> <1853823.PYKUYFuaPT@kailua>
Message-ID: <YFJd+oRgbYci6/g+@ikki.ethgen.ch>

Hi Andreas,

Am Mi den 17. M?r 2021 um 16:31 schrieb Andreas K. Huettel:
> Am Mittwoch, 17. M?rz 2021, 09:48:58 CET schrieb Werner Koch:
> > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > ("wrong beep")
> > 
> > We need a log from the scdaemon.  
> 
> Here's the critical part from the scdaemon log, when signing fails in step 3: 
> 
> 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> 2021-03-17 16:15:37 scdaemon[4932] Pr?fung des CHV1 fehlgeschlagen: Ung?ltiger 
> Wert
> 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ung?ltiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ung?ltiger Wert
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ung?ltiger 
> Wert <SCD>
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK

Kann es sein, da? der Agent und GnuPG grob unterschiedliche Versionen
haben?

gpg-agent --version
/usr/lib/gnupg/scdaemon --version

Gru?
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210317/222e4838/attachment.sig>

From andreas.huettel at ur.de  Wed Mar 17 21:07:16 2021
From: andreas.huettel at ur.de (Andreas K. Huettel)
Date: Wed, 17 Mar 2021 21:07:16 +0100
Subject: [EXT] Re: gnupg and ssh interaction somehow broken (card reader
 with pinpad)
In-Reply-To: <YFJd+oRgbYci6/g+@ikki.ethgen.ch>
References: <8507494.B369e8A3TW@pinacolada> <1853823.PYKUYFuaPT@kailua>
 <YFJd+oRgbYci6/g+@ikki.ethgen.ch>
Message-ID: <2365171.0QQBjFxQff@pinacolada>

Am Mittwoch, 17. M?rz 2021, 20:52:26 CET schrieb Klaus Ethgen:
> Hi Andreas,
> 
> Am Mi den 17. M?r 2021 um 16:31 schrieb Andreas K. Huettel:
> > Am Mittwoch, 17. M?rz 2021, 09:48:58 CET schrieb Werner Koch:
> > > On Tue, 16 Mar 2021 23:25, Andreas K. Huettel said:
> > > > 3) then, sign something: pinentry window pops up, pin is not accepted
> > > > ("wrong beep")
> > > 
> > > We need a log from the scdaemon.
> > 
> > Here's the critical part from the scdaemon log, when signing fails in step
> > 3:
> > 
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: dismiss pinpad entry prompt
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> INQUIRE
> > DISMISSPINPADPROMPT 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- END
> > 2021-03-17 16:15:37 scdaemon[4932] Pr?fung des CHV1 fehlgeschlagen:
> > Ung?ltiger Wert
> > 2021-03-17 16:15:37 scdaemon[4932] operation sign result: Ung?ltiger Wert
> > 2021-03-17 16:15:37 scdaemon[4932] app_sign failed: Ung?ltiger Wert
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> ERR 100663351 Ung?ltiger
> > Wert <SCD>
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 <- RESTART
> > 2021-03-17 16:15:37 scdaemon[4932] DBG: chan_7 -> OK
> 
> Kann es sein, da? der Agent und GnuPG grob unterschiedliche Versionen
> haben?
> 
> gpg-agent --version
> /usr/lib/gnupg/scdaemon --version

I'm pretty sure they didnt have different versions, sorry. 
(I rebooted the machine a few minutes earlier because of a kernel update.)

huettel at kailua ~ $ /usr/libexec/scdaemon --version
scdaemon (GnuPG) 2.2.25
libgcrypt 1.8.6
libksba 1.3.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
huettel at kailua ~ $ gpg-agent --version
gpg-agent (GnuPG) 2.2.25
libgcrypt 1.8.6
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huettel at ur.de
http://www.akhuettel.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210317/1c8a4c41/attachment.sig>

From andreas.huettel at ur.de  Wed Mar 17 21:16:06 2021
From: andreas.huettel at ur.de (Andreas K. Huettel)
Date: Wed, 17 Mar 2021 21:16:06 +0100
Subject: [EXT] Re: gnupg and ssh interaction somehow broken (card reader
 with pinpad)
In-Reply-To: <2365171.0QQBjFxQff@pinacolada>
References: <8507494.B369e8A3TW@pinacolada> <YFJd+oRgbYci6/g+@ikki.ethgen.ch>
 <2365171.0QQBjFxQff@pinacolada>
Message-ID: <2134523.M0AJKV5NW6@pinacolada>

Am Mittwoch, 17. M?rz 2021, 21:07:16 CET schrieb Andreas K. Huettel:
> 
> I'm pretty sure they didnt have different versions, sorry.
> (I rebooted the machine a few minutes earlier because of a kernel update.)
> 

OK now it's getting very strange. 

On a second PC with the same reader hardware model, the same gpg version, and 
the same chipcard, things work perfectly fine.

Could this be a hardware defect (i.e., reader was too long in the sun)?

-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huettel at ur.de
http://www.akhuettel.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210317/b0fad159/attachment-0001.sig>

From jcb62281 at gmail.com  Wed Mar 17 23:48:00 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Wed, 17 Mar 2021 17:48:00 -0500
Subject: [EXT] Re: gnupg and ssh interaction somehow broken (card reader
 with pinpad)
In-Reply-To: <2134523.M0AJKV5NW6@pinacolada>
References: <8507494.B369e8A3TW@pinacolada> <YFJd+oRgbYci6/g+@ikki.ethgen.ch>
 <2365171.0QQBjFxQff@pinacolada> <2134523.M0AJKV5NW6@pinacolada>
Message-ID: <60528720.8010801@gmail.com>

Andreas K. Huettel wrote:
> Am Mittwoch, 17. M?rz 2021, 21:07:16 CET schrieb Andreas K. Huettel:
>   
>> I'm pretty sure they didnt have different versions, sorry.
>> (I rebooted the machine a few minutes earlier because of a kernel update.)
> OK now it's getting very strange. 
>
> On a second PC with the same reader hardware model, the same gpg version, and 
> the same chipcard, things work perfectly fine.
>
> Could this be a hardware defect (i.e., reader was too long in the sun)?
>   

Can you swap the readers between the two computers and see if the 
problem follows the suspected-bad reader?


-- Jacob



From angel at pgp.16bits.net  Thu Mar 18 02:45:39 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Thu, 18 Mar 2021 02:45:39 +0100
Subject: [EXT] Re: gnupg and ssh interaction somehow broken (card reader
 with pinpad)
In-Reply-To: <2134523.M0AJKV5NW6@pinacolada>
References: <8507494.B369e8A3TW@pinacolada>
 <YFJd+oRgbYci6/g+@ikki.ethgen.ch> <2365171.0QQBjFxQff@pinacolada>
 <2134523.M0AJKV5NW6@pinacolada>
Message-ID: <ef3fa7be7d71a0a332fac54f16b408b368a7b226.camel@16bits.net>

On 2021-03-17 at 21:16 +0100, Andreas K. Huettel wrote:
> 
> OK now it's getting very strange. 
> 
> On a second PC with the same reader hardware model, the same gpg
> version, and 
> the same chipcard, things work perfectly fine.
> 
> Could this be a hardware defect (i.e., reader was too long in the
> sun)?

I don't think so. You report that the first program which uses the card
(either gpg or ssh) "keeps" it, and the other is unable to (btw, would 
e.g. a second sign work?). This looks like the first one locks use of
the card.
May gpg and ssh be launchihng separete scdaemon instances? Does it help
if you use --card-timeout on scdaemon config?



From dave.mehler at gmail.com  Thu Mar 18 05:06:24 2021
From: dave.mehler at gmail.com (David Mehler)
Date: Thu, 18 Mar 2021 00:06:24 -0400
Subject: Best practices for obtaining a new GPG certificate
Message-ID: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>

Hello,

My existing GPG certificate is going to expire in less than a month.
I'd like to know current best practices for obtaining a new one? In
particular I'm looking for the best protocol and strength for a
security not a performance stance. The certificate will mainly be used
for verifying and signing sent messages, and tagging git commits on
personal servers. Devices used will be Windows 10 pcs and tablets and
Android (version 10 and 11) phones and tablets.
Suggestions welcome.
Thanks.
Dave.


From andreas.huettel at ur.de  Thu Mar 18 10:21:37 2021
From: andreas.huettel at ur.de (Andreas K. Huettel)
Date: Thu, 18 Mar 2021 10:21:37 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
Message-ID: <15692477.tgchFWduMW@pinacolada>

Hi David, 

when Gentoo switched to requiring gpg-signed git commits and pushes, we put 
some thought into requirements and best practices. Minus the Gentoo-specific 
parts, this is probably good reading:

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/
Generating_GLEP_63_based_OpenPGP_keys

Best,
Andreas

Am Donnerstag, 18. M?rz 2021, 05:06:24 CET schrieb David Mehler via Gnupg-
users:
> Hello,
> 
> My existing GPG certificate is going to expire in less than a month.
> I'd like to know current best practices for obtaining a new one? In
> particular I'm looking for the best protocol and strength for a
> security not a performance stance. The certificate will mainly be used
> for verifying and signing sent messages, and tagging git commits on
> personal servers. Devices used will be Windows 10 pcs and tablets and
> Android (version 10 and 11) phones and tablets.
> Suggestions welcome.
> Thanks.
> Dave.
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huettel at ur.de
http://www.akhuettel.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210318/93f8940f/attachment.sig>

From andreas.huettel at ur.de  Thu Mar 18 10:26:02 2021
From: andreas.huettel at ur.de (Andreas K. Huettel)
Date: Thu, 18 Mar 2021 10:26:02 +0100
Subject: [EXT] Re: gnupg and ssh interaction somehow broken (card reader
 with pinpad)
In-Reply-To: <60528720.8010801@gmail.com>
References: <8507494.B369e8A3TW@pinacolada> <2134523.M0AJKV5NW6@pinacolada>
 <60528720.8010801@gmail.com>
Message-ID: <3642354.nE6jSC6OKo@pinacolada>

> 
> Can you swap the readers between the two computers and see if the
> problem follows the suspected-bad reader?
> 

Possible as last resort, I'd rather figure this out some other way though.

-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huettel at ur.de
http://www.akhuettel.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210318/bd6206ce/attachment.sig>

From johndoe65534 at mail.com  Thu Mar 18 13:40:56 2021
From: johndoe65534 at mail.com (john doe)
Date: Thu, 18 Mar 2021 13:40:56 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <15692477.tgchFWduMW@pinacolada>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <15692477.tgchFWduMW@pinacolada>
Message-ID: <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>

On 3/18/2021 10:21 AM, Andreas K. Huettel wrote:
> Hi David,
>
> when Gentoo switched to requiring gpg-signed git commits and pushes, we put
> some thought into requirements and best practices. Minus the Gentoo-specific
> parts, this is probably good reading:
>
> https://www.gentoo.org/glep/glep-0063.html
> https://wiki.gentoo.org/wiki/Project:Infrastructure/
> Generating_GLEP_63_based_OpenPGP_keys
 >

On the pages, I get 'There is currently no text in this page. You can
search for this page title in other pages, or ...'.
Am I missing something?

--
John Doe


From andreas.huettel at ur.de  Thu Mar 18 14:39:13 2021
From: andreas.huettel at ur.de (Andreas K. Huettel)
Date: Thu, 18 Mar 2021 14:39:13 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <15692477.tgchFWduMW@pinacolada>
 <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>
Message-ID: <64645571.8pcnM708Kx@pinacolada>

https://www.gentoo.org/glep/glep-0063.html
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys

> On the pages, I get 'There is currently no text in this page. You can
> search for this page title in other pages, or ...'.
> Am I missing something?

Only that kmail insisted on breaking the link... let's hope it doesn't this time.

(Not every mail client implements flowing text correctly, which is why having the client insert line breaks is the safer variant for readability. However...)

-- 
PD Dr. Andreas K. Huettel
Institute for Experimental and Applied Physics
University of Regensburg
93040 Regensburg
Germany

tel. +49 151 241 67748 (mobile)
tel. +49 941 943 1618 (office)
fax +49 941 943 3196
e-mail andreas.huettel at ur.de
http://www.akhuettel.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 981 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210318/2e4ffc3b/attachment-0001.sig>

From wk at gnupg.org  Thu Mar 18 15:07:12 2021
From: wk at gnupg.org (Werner Koch)
Date: Thu, 18 Mar 2021 15:07:12 +0100
Subject: gnupg and ssh interaction somehow broken (card reader with pinpad)
In-Reply-To: <1853823.PYKUYFuaPT@kailua> (Andreas K. Huettel's message of
 "Wed, 17 Mar 2021 16:31:29 +0100")
References: <8507494.B369e8A3TW@pinacolada>
 <87wnu6rwqt.fsf@wheatstone.g10code.de> <1853823.PYKUYFuaPT@kailua>
Message-ID: <8735wsr1wv.fsf@wheatstone.g10code.de>

On Wed, 17 Mar 2021 16:31, Andreas K. Huettel said:
> 2021-03-17 16:15:37 scdaemon[4932] Pr?fung des CHV1 fehlgeschlagen: Ung?ltiger 
> [Not being familiar with the details, I dont know if I can post the full log 
> here or if it contains sensitive data.]

At that debug level it is okay.  However with a higher debug level
(debug cardio) the log would show your PIN if you have used
disable-pinpad.  With a pinpad it won't show it, of course.

> gpg (GnuPG) 2.2.25

We fixed a reader bug in 2.2.26 which also changed how the SPR532 is
accessed.  See https://dev.gnupg.org/T5167 - Thus you better update to
the latest version first.

If you want to debug things, put

debug cardio
debug-ccid-driver

into scdameon.conf, kill and retry.  You may send the log to me by PM; I
would then only share it with my colleague Gniibe.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210318/dd8eea09/attachment.sig>

From johndoe65534 at mail.com  Thu Mar 18 15:15:15 2021
From: johndoe65534 at mail.com (john doe)
Date: Thu, 18 Mar 2021 15:15:15 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <64645571.8pcnM708Kx@pinacolada>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <15692477.tgchFWduMW@pinacolada>
 <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>
 <64645571.8pcnM708Kx@pinacolada>
Message-ID: <f47401ff-f68c-47b0-a210-b60f2d4b3cb7@mail.com>

On 3/18/2021 2:39 PM, Andreas K. Huettel wrote:
> https://www.gentoo.org/glep/glep-0063.html
> https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
>

Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about
a default of '2048' but in the latest (2.2.17) release of GPG it looks
like the default is now '3072':

gpg --expert --full-gen-key
Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    (7) DSA (set your own capabilities)
    (8) RSA (set your own capabilities)
    (9) ECC and ECC
   (10) ECC (sign only)
   (11) ECC (set your own capabilities)
   (13) Existing key
   (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)


Am I missing something?


1)  https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096

--
John Doe


From wk at gnupg.org  Thu Mar 18 15:17:43 2021
From: wk at gnupg.org (Werner Koch)
Date: Thu, 18 Mar 2021 15:17:43 +0100
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 (David Mehler via Gnupg-users's message of "Thu, 18 Mar 2021 00:06:24
 -0400")
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
Message-ID: <87y2ekpmuw.fsf@wheatstone.g10code.de>

On Thu, 18 Mar 2021 00:06, David Mehler said:

> My existing GPG certificate is going to expire in less than a month.
> I'd like to know current best practices for obtaining a new one? In

Do you really want a new one?  Usually it is easier to prolong your key.
By default a new key has an expire data so that unused keys and those
with forgotten passphrase will eventually expire.  In general you just run

  gpg --quick-set-expire FINGERPRING EXPIREDATE

Expire dat may be something like 5y for 5 years or an explicit date like
2024-12-31.

Here is an example

  $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8

  sec   ed25519 2021-03-15 [SC] [expires: 2023-03-15]
        A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
  uid           [ unknown] foo at example.de
  ssb   cv25519 2021-03-15 [E]
        989ABB95E888956DBD5D7F66C376233B98457556
  
  $ gpg --quick-set-expire A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8 4y


  $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
  
  sec   ed25519 2021-03-15 [SC] [expires: 2025-03-17]
        A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
  uid           [ unknown] foo at example.de
  ssb   cv25519 2021-03-15 [E]
        989ABB95E888956DBD5D7F66C376233B98457556


Send the public key then to your peers, keyserver, web key directory, or
wherever. 


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210318/0b713e20/attachment.sig>

From nick.cripps at gmail.com  Thu Mar 18 14:57:01 2021
From: nick.cripps at gmail.com (Nick Cripps)
Date: Thu, 18 Mar 2021 13:57:01 +0000
Subject: Timeout when signing
Message-ID: <CAK=g0dk9SPHxmSwd1a7Nnv1f1RvX3kvw9GVSx3gyHve5nALBsA@mail.gmail.com>

Hi,

I'm trying to encrypt and sign a large file. It takes a while to do this,
and I then do other things while this is happening. It then completes and
presumably asks me for my key passphrase, but I miss this and it times out,
so all I see is the following error message:

gpg: signing failed: Timeout
gpg: file.gz: sign+encrypt failed: Timeout

I guess that it is actually pinentry that times out, and gpg just passes on
the error from pinentry?

How can I configure this timeout?

My /usr/bin/pinentry on my (Gentoo) system is a symlink to
/usr/bin/pinentry-gtk-2, but since I am doing this over SSH without X
forwarding, and it is working fine (and asking me in a curses based
interface), I don't think pinentry-gtk-2 is actually the pinentry program
being used, but I don't really understand how this works TBH. I do know
that Gentoo uses Gentoo's eselect utility to manage the /usr/bin/pinentry
symlink, but it seems like gpg is smart enough to use the appropriate
version if this isn't appropriate, somehow. Can anyone explain this, or
point me to where it is explained?

Many thanks in advance.

Kind regards,
Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210318/8f113efe/attachment.html>

From dave.mehler at gmail.com  Fri Mar 19 00:34:50 2021
From: dave.mehler at gmail.com (David Mehler)
Date: Thu, 18 Mar 2021 19:34:50 -0400
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <87y2ekpmuw.fsf@wheatstone.g10code.de>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
Message-ID: <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>

Hello,

Thanks all. I am definitely wanting a new key.

With regards the info John posted:

gpg --expert --full-gen-key
Please select what kind of key you want:
? ?(1) RSA and RSA (default)
? ?(2) DSA and Elgamal
? ?(3) DSA (sign only)
? ?(4) RSA (sign only)
? ?(7) DSA (set your own capabilities)
? ?(8) RSA (set your own capabilities)
? ?(9) ECC and ECC
? (10) ECC (sign only)
? (11) ECC (set your own capabilities)
? (13) Existing key
? (14) Existing key from card

in the output there's ECC output should I go with an ECC-style key or
RSA? As regards RSA keysize I typically use 4096.

Thanks.
Dave.


On 3/18/21, Werner Koch <wk at gnupg.org> wrote:
> On Thu, 18 Mar 2021 00:06, David Mehler said:
>
>> My existing GPG certificate is going to expire in less than a month.
>> I'd like to know current best practices for obtaining a new one? In
>
> Do you really want a new one?  Usually it is easier to prolong your key.
> By default a new key has an expire data so that unused keys and those
> with forgotten passphrase will eventually expire.  In general you just run
>
>   gpg --quick-set-expire FINGERPRING EXPIREDATE
>
> Expire dat may be something like 5y for 5 years or an explicit date like
> 2024-12-31.
>
> Here is an example
>
>   $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>
>   sec   ed25519 2021-03-15 [SC] [expires: 2023-03-15]
>         A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>   uid           [ unknown] foo at example.de
>   ssb   cv25519 2021-03-15 [E]
>         989ABB95E888956DBD5D7F66C376233B98457556
>
>   $ gpg --quick-set-expire A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8 4y
>
>
>   $ gpg -K A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>
>   sec   ed25519 2021-03-15 [SC] [expires: 2025-03-17]
>         A94A6DF8CDF934DB2BF98A46254A558A7E6D52D8
>   uid           [ unknown] foo at example.de
>   ssb   cv25519 2021-03-15 [E]
>         989ABB95E888956DBD5D7F66C376233B98457556
>
>
> Send the public key then to your peers, keyserver, web key directory, or
> wherever.
>
>
> Shalom-Salam,
>
>    Werner
>
>
> --
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
>


From angel at pgp.16bits.net  Fri Mar 19 01:50:37 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Fri, 19 Mar 2021 01:50:37 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <f47401ff-f68c-47b0-a210-b60f2d4b3cb7@mail.com>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <15692477.tgchFWduMW@pinacolada>
 <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>
 <64645571.8pcnM708Kx@pinacolada>
 <f47401ff-f68c-47b0-a210-b60f2d4b3cb7@mail.com>
Message-ID: <37c68cdad4c388005d7d867401a1efd4b5500bc2.camel@16bits.net>

On 2021-03-18 at 15:15 +0100, john doe via Gnupg-users wrote:
> Reading the URLs given by the OP, I see that the GPG FAQ (1) talks
> about a default of '2048' but in the latest (2.2.17) release of GPG
> it looks like the default is now '3072':
> What keysize do you want? (3072)
> 
> 
> Am I missing something?
> 
> 1)  https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096


The FAQis outdated. GnuPG was indeed updated some years ago to use 3072
as the default size for rsa

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=909fbca19678e6e36968607e8a2348381da39d8c



From angel at pgp.16bits.net  Fri Mar 19 01:52:21 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Fri, 19 Mar 2021 01:52:21 +0100
Subject: Timeout when signing
In-Reply-To: <CAK=g0dk9SPHxmSwd1a7Nnv1f1RvX3kvw9GVSx3gyHve5nALBsA@mail.gmail.com>
References: <CAK=g0dk9SPHxmSwd1a7Nnv1f1RvX3kvw9GVSx3gyHve5nALBsA@mail.gmail.com>
Message-ID: <f66b77c6ae9b56e8725d40a6f3ebe434b4b22ca3.camel@16bits.net>

On 2021-03-18 at 13:57 +0000, Nick Cripps via Gnupg-users wrote:
> Hi,
> 
> I'm trying to encrypt and sign a large file. It takes a while to do
> this, and I then do other things while this is happening. It then
> completes and presumably asks me for my key passphrase, but I miss
> this and it times out, so all I see is the following error message:
> 
> gpg: signing failed: Timeout
> gpg: file.gz: sign+encrypt failed: Timeout
> 
> I guess that it is actually pinentry that times out, and gpg just
> passes on the error from pinentry? 
> 
> How can I configure this timeout? 
> 
> My /usr/bin/pinentry on my (Gentoo) system is a symlink to
> /usr/bin/pinentry-gtk-2, but since I am doing this over SSH without X
> forwarding, and it is working fine (and asking me in a curses based
> interface), I don't think pinentry-gtk-2 is actually the pinentry
> program being used, but I don't really understand how this works TBH.
> I do know that Gentoo uses Gentoo's eselect utility to manage the
> /usr/bin/pinentry symlink, but it seems like gpg is smart enough to
> use the appropriate version if this isn't appropriate, somehow. Can
> anyone explain this, or point me to where it is explained?
> 
> Many thanks in advance.
> 
> Kind regards,
> Nick

What are your caching preferences? I would first sign an empty/ummy
file, so it asks for the passphrase and unlocks the private key, then
perform the real operation (which will hopefully not require your
input).

Kind regards





From rjh at sixdemonbag.org  Fri Mar 19 07:57:17 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 19 Mar 2021 02:57:17 -0400
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <f47401ff-f68c-47b0-a210-b60f2d4b3cb7@mail.com>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <15692477.tgchFWduMW@pinacolada>
 <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>
 <64645571.8pcnM708Kx@pinacolada>
 <f47401ff-f68c-47b0-a210-b60f2d4b3cb7@mail.com>
Message-ID: <1ca988fc-3e8d-5dd6-c529-1ad2a52b59ca@sixdemonbag.org>

> Reading the URLs given by the OP, I see that the GPG FAQ (1) talks about
> a default of '2048' but in the latest (2.2.17) release of GPG it looks
> like the default is now '3072':

Yep.

[puts on maintainer hat]

The last time I suggested revisions to that text there was no community 
consensus on what should replace it.  Each proposed replacement met 
significant criticism.

My current plan is to wait until GnuPG 2.3 is released and then update 
the FAQ to reflect those changes, and hope that by that time there's 
community consensus to support the changes.

The FAQ isn't being ignored.  I'd like to do a total overhaul of it. 
However, the FAQ isn't meant to be my opinions and rants: it's meant to 
be *the community's* voice.  So I'm kind of dependent on the mailing 
list for support.

[takes off maintainer hat]


From rjh at sixdemonbag.org  Fri Mar 19 08:12:33 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 19 Mar 2021 03:12:33 -0400
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
Message-ID: <df8cd972-327b-e212-b865-a629ab26401b@sixdemonbag.org>

> I'd like to know current best practices for obtaining a new one?

This question gets asked so often that it has its own FAQ entry.  Yes, 
parts of the FAQ are outdated, but this particular one is very current.

https://www.gnupg.org/faq/gnupg-faq.html#tuning

* You don't need to "tune" GnuPG before using it
* The defaults for key generation are conservative and safe
* Don't overthink things.  :)

My sometimes-snarky (but completely-sincere) opinion on this evergreen 
question is, "unless you know what you're doing and why you're doing it, 
stick with the defaults."

The other piece of sometimes-snarky (but also completely-sincere) advice 
is that a good 90% of the web pages you find that talk about how to 
create the "perfect" GnuPG key are absolutely full of it.


From wk at gnupg.org  Fri Mar 19 08:22:44 2021
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Mar 2021 08:22:44 +0100
Subject: Timeout when signing
In-Reply-To: <CAK=g0dk9SPHxmSwd1a7Nnv1f1RvX3kvw9GVSx3gyHve5nALBsA@mail.gmail.com>
 (Nick Cripps via Gnupg-users's message of "Thu, 18 Mar 2021 13:57:01
 +0000")
References: <CAK=g0dk9SPHxmSwd1a7Nnv1f1RvX3kvw9GVSx3gyHve5nALBsA@mail.gmail.com>
Message-ID: <877dm3ppyz.fsf@wheatstone.g10code.de>

On Thu, 18 Mar 2021 13:57, Nick Cripps said:

> I'm trying to encrypt and sign a large file. It takes a while to do this,
> and I then do other things while this is happening. It then completes and
> presumably asks me for my key passphrase, but I miss this and it times out,

I know this problem but there is no good solution for this.  We could
hack around it for on-disk keys but as soon as a smartcard is used, that
smartcard may want a PIN in any case and thus any delayed cache expiring
won't help.

> How can I configure this timeout?

Put

pinentry-timeout 3600

into gpg.agent.conf for a one hour timeout:

    This option asks the Pinentry to timeout after n seconds with no
    user input.  The default value of 0 does not ask the pinentry to
    timeout, however a Pinentry may use its own default timeout value
    in this case.  A Pinentry may or may not honor this request.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210319/67a8a439/attachment.sig>

From wk at gnupg.org  Fri Mar 19 08:24:53 2021
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Mar 2021 08:24:53 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <37c68cdad4c388005d7d867401a1efd4b5500bc2.camel@16bits.net>
 (=?utf-8?Q?=22=C3=81ngel=22's?= message of "Fri, 19 Mar 2021 01:50:37
 +0100")
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <15692477.tgchFWduMW@pinacolada>
 <243a4399-56f8-745c-8570-c926de20bd8b@mail.com>
 <64645571.8pcnM708Kx@pinacolada>
 <f47401ff-f68c-47b0-a210-b60f2d4b3cb7@mail.com>
 <37c68cdad4c388005d7d867401a1efd4b5500bc2.camel@16bits.net>
Message-ID: <8735wrppve.fsf@wheatstone.g10code.de>

On Fri, 19 Mar 2021 01:50, ?ngel said:

> The FAQis outdated. GnuPG was indeed updated some years ago to use 3072
> as the default size for rsa

Actually 7 months:

Noteworthy changes in version 2.2.22 (2020-08-27)
-------------------------------------------------

  * gpg: Change the default key algorithm to rsa3072.


But some Linux distributions changed it earlier.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210319/69639d8b/attachment.sig>

From wk at gnupg.org  Fri Mar 19 08:29:12 2021
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Mar 2021 08:29:12 +0100
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 (David Mehler via Gnupg-users's message of "Thu, 18 Mar 2021 19:34:50
 -0400")
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
Message-ID: <87y2ejob3r.fsf@wheatstone.g10code.de>

On Thu, 18 Mar 2021 19:34, David Mehler said:

> in the output there's ECC output should I go with an ECC-style key or
> RSA? As regards RSA keysize I typically use 4096.

The next default is ECC (ed25519+cv25519) which is supported by most
OpenPGP implementations.  Only if you have a need to communicate with
some niche implementaions you need to use rsa3072.

You may also skip the menu thing and use

  gpg --quick-gen-key bar at example.com future-default


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210319/a784814f/attachment.sig>

From rjh at sixdemonbag.org  Fri Mar 19 08:33:17 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 19 Mar 2021 03:33:17 -0400
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <87y2ejob3r.fsf@wheatstone.g10code.de>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
Message-ID: <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>

> The next default is ECC (ed25519+cv25519) which is supported by most
> OpenPGP implementations.  Only if you have a need to communicate with
> some niche implementaions you need to use rsa3072.

Last I checked, Thunderbird 78 did not support ed25519+cv25519 keys. 
That's not a niche implementation.


From neal at walfield.org  Fri Mar 19 08:59:09 2021
From: neal at walfield.org (Neal H. Walfield)
Date: Fri, 19 Mar 2021 08:59:09 +0100
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
 <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
Message-ID: <87v99n7ewi.wl-neal@walfield.org>

On Fri, 19 Mar 2021 08:33:17 +0100,
Robert J. Hansen via Gnupg-users wrote:
> 
> > The next default is ECC (ed25519+cv25519) which is supported by most
> > OpenPGP implementations.  Only if you have a need to communicate with
> > some niche implementaions you need to use rsa3072.
> 
> Last I checked, Thunderbird 78 did not support ed25519+cv25519
> keys. That's not a niche implementation.

Thunderbird 78's default OpenPGP implementation is rnp.  According to
the interoperability test suite, rnp is able to use the "Alice" key
from the "OpenPGP Example Keys and Certificates" I-D.

  https://tests.sequoia-pgp.org/#Encrypt-Decrypt_roundtrip_with_key__Alice_
  https://tools.ietf.org/html/draft-bre-openpgp-samples-00#section-2

The "Alice" certificate uses:

  Primary key algorithm: Ed25519
  Subkey algorithm: Curve25519

Neal


From bernhard at intevation.de  Fri Mar 19 11:19:01 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 19 Mar 2021 11:19:01 +0100
Subject: header protection drafts too early to implement (Re: Protect
 email experience not Subject:s (hypothesis, draft))
In-Reply-To: <202103121802.47422.bernhard@intevation.de>
References: <202101291752.32473.bernhard@intevation.de>
 <202103121802.47422.bernhard@intevation.de>
Message-ID: <202103191119.01800.bernhard@intevation.de>

Am Freitag 12 M?rz 2021 18:02:41 schrieb Bernhard Reiter:
> To keep you in the loop, my main take-away so far:
> It is not ready to be implemented yet, because

If it is implemented, to me it makes sense to
 a) only implement one method, and this seems to be
    to wrap one full message in MIME, because it is most
    backwards compatible and proposed in the current draft.

Thunderbird does implement a different outdated approach I believe
(At least I've examined an email from Thunderbird/78.6.0)
and I found Content-Type: multipart/mixed; boundary=".........";
 protected-headers="v1")


 b) implement reading first and do not activate sending.

This is something that Thunderbird should also fix.

Implemententation for reading makes some sense to try out how the unaddressed 
usability problems will fare out.

To send encrypted subjects now means losing information if an injected
approach is used like Thunderbird seems to use.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210319/cfd32ca2/attachment-0001.sig>

From gnupg at jelmail.com  Fri Mar 19 17:23:29 2021
From: gnupg at jelmail.com (John Lane)
Date: Fri, 19 Mar 2021 16:23:29 +0000
Subject: Prompting on concurrent invocations of gpg
In-Reply-To: <63a31170-6d9b-e48e-5321-026d79b9b2f4@lane.uk.net>
References: <63a31170-6d9b-e48e-5321-026d79b9b2f4@lane.uk.net>
Message-ID: <bc7215c4-5306-6f19-5bc0-482ff931cfe6@lane.uk.net>


On 16/03/2021 11:19, John Lane wrote:
> Hello, I have a scenario where gpg is prompting for a passphrase when I
> don't think it should because it is cached in the agent. It seems to be
> triggered by concurrent use. Here is an example.
> 

I've asked someone else to try this and they are seeing similar issues
with unexpected password prompts and out of memory errors. Although
their experience is not as extreme as mine (it doesn't happen as much
for them, but it does happen).

I've updated mine to gpg (GnuPG) 2.2.27 libgcrypt 1.8.7 and retested, I
am still having the problem.

Is there any more information that I can provide?

Is this something I should open a bug report for?

Thanks.



From wk at gnupg.org  Fri Mar 19 18:42:48 2021
From: wk at gnupg.org (Werner Koch)
Date: Fri, 19 Mar 2021 18:42:48 +0100
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org> (Robert
 J. Hansen via Gnupg-users's message of "Fri, 19 Mar 2021 03:33:17
 -0400")
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
 <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
Message-ID: <875z1nnip3.fsf@wheatstone.g10code.de>

On Fri, 19 Mar 2021 03:33, Robert J. Hansen said:

> Last I checked, Thunderbird 78 did not support ed25519+cv25519
> keys. That's not a niche implementation.

I did extensive test with Ribose to make sure that RNP (the crypto
engine now used by TB) is compatible with GnuPG.  Thus I wonder why TB
gets things wrong again.

There are also so many regressions in TB new OpenPGP support compared to
the long standing TB+Enigmail OpenPGP support that I wonder come it is
at all possible to send encrypted OpenPGP mails with TB.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210319/a9c85024/attachment.sig>

From azbigdogs at gmx.com  Fri Mar 19 23:24:51 2021
From: azbigdogs at gmx.com (Mark)
Date: Fri, 19 Mar 2021 15:24:51 -0700
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
 <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
Message-ID: <d3df8802-80a4-5adf-a0df-fd9c7e372e30@gmx.com>

It "does and it doesn't" I have some that were created in Kleopatra and
then imported into Thunderbird 78. As for creating them, no.... You
don't get to choose any options when generating ECC keys.

On 3/19/2021 12:33 AM, Robert J. Hansen via Gnupg-users wrote:
>> The next default is ECC (ed25519+cv25519) which is supported by most
>> OpenPGP implementations.? Only if you have a need to communicate with
>> some niche implementaions you need to use rsa3072.
>
> Last I checked, Thunderbird 78 did not support ed25519+cv25519 keys.
> That's not a niche implementation.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
PGP Key Upon Request



From azbigdogs at gmx.com  Fri Mar 19 23:30:51 2021
From: azbigdogs at gmx.com (Mark)
Date: Fri, 19 Mar 2021 15:30:51 -0700
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <875z1nnip3.fsf@wheatstone.g10code.de>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
 <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
 <875z1nnip3.fsf@wheatstone.g10code.de>
Message-ID: <d20ab5d7-5011-a958-376c-88c80db868d4@gmx.com>

It also has issues with signed messages and lists. For example you
signed this message but it says "uncertain digital signature".? I don't
remember this being an issue in the older TB/Enigmail.

On 3/19/2021 10:42 AM, Werner Koch via Gnupg-users wrote:
> On Fri, 19 Mar 2021 03:33, Robert J. Hansen said:
>
>> Last I checked, Thunderbird 78 did not support ed25519+cv25519
>> keys. That's not a niche implementation.
> I did extensive test with Ribose to make sure that RNP (the crypto
> engine now used by TB) is compatible with GnuPG.  Thus I wonder why TB
> gets things wrong again.
>
> There are also so many regressions in TB new OpenPGP support compared to
> the long standing TB+Enigmail OpenPGP support that I wonder come it is
> at all possible to send encrypted OpenPGP mails with TB.
>
>
> Shalom-Salam,
>
>     Werner
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
PGP Key Upon Request

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210319/9611eda3/attachment.html>

From gnupg at shoran-und-alira.de  Sat Mar 20 19:06:41 2021
From: gnupg at shoran-und-alira.de (Frank)
Date: Sat, 20 Mar 2021 19:06:41 +0100
Subject: Compile of gnupg-2.2.27 fails on t-keydb.c
Message-ID: <20210320190641.Horde.ZLPIsIwUqzZkBGVP8ok6aA3@webmail.df.eu>

Greetings,

I am trying to compile gnupg-2.2.27 and it fails with "syntax error"  
on g10/t-keydb.c.
I was yet unable to gather more informations, what is going wrong.
No line, statement or anything else is given.
   Architecture ppc64
   OS AIX 7.2
   Compiler xlc
Any help is greatly appreciated.

Kind regards
Frank



From jsmith9810 at gmx.com  Mon Mar 22 17:43:08 2021
From: jsmith9810 at gmx.com (jsmith9810 at gmx.com)
Date: Mon, 22 Mar 2021 17:43:08 +0100
Subject: Weak encryption keys
Message-ID: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>

Hello all,

I have a private key protected by blowfish cipher that despite a random salt and several rounds of RIPEMD160 iterations is still considered "weak" by GnuPG and it refuses to do anything with it. When I try to import this key manually (--import), gpg throws a "weak encryption key" error and refuses to import it. ...which I find ironic, because it has no problem importing unprotected plain-text keys. Also, it's worth pointing out that GnuPG applies its default protection scheme to the private keys imported this way regardless of what encryption these keys used earlier - which means that the issue that it's complaining about will actually be resolved simply by importing this key.

I still managed to force this key into GnuPG's private key store through the secring.gpg migration route which preserves the key in its openpgp-native format, but now gpg refuses any operation involving this private key - sign, encrypt, etc. It won't even let me change the password - which would actually make this issue go away. I tested with GnuPG 1.4.23 as well and it does not have a problem either importing or using this key.

I am not looking for a solution as I can easily work around this problem by changing password using GnuPG 1.x prior to importing this key in GnuPG 2.x, but should this be logged as a product defect? This doesn't look like reasonable way to deal with these so-called "weak" encryption keys when importing these keys would actually address the issue at hand.

Thanks!


From jcb62281 at gmail.com  Mon Mar 22 20:34:00 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Mon, 22 Mar 2021 14:34:00 -0500
Subject: Weak encryption keys
In-Reply-To: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
Message-ID: <6058F128.6090504@gmail.com>

jsmith9810--- via Gnupg-users wrote:
> Hello all,
>
> I have a private key protected by blowfish cipher that despite a random salt and several rounds of RIPEMD160 iterations is still considered "weak" by GnuPG and it refuses to do anything with it. When I try to import this key manually (--import), gpg throws a "weak encryption key" error and refuses to import it. ...which I find ironic, because it has no problem importing unprotected plain-text keys. Also, it's worth pointing out that GnuPG applies its default protection scheme to the private keys imported this way regardless of what encryption these keys used earlier - which means that the issue that it's complaining about will actually be resolved simply by importing this key.
>
> I still managed to force this key into GnuPG's private key store through the secring.gpg migration route which preserves the key in its openpgp-native format, but now gpg refuses any operation involving this private key - sign, encrypt, etc. It won't even let me change the password - which would actually make this issue go away. I tested with GnuPG 1.4.23 as well and it does not have a problem either importing or using this key.
>
> I am not looking for a solution as I can easily work around this problem by changing password using GnuPG 1.x prior to importing this key in GnuPG 2.x, but should this be logged as a product defect? This doesn't look like reasonable way to deal with these so-called "weak" encryption keys when importing these keys would actually address the issue at hand.
>
> Thanks!

The problem is that a private key protected by a weak cipher is still 
potentially compromised if an attacker can get any copy of the key prior 
to migrating it to a stronger cipher.  In other words, if an attacker is 
able to obtain your current key blob, the attacker can still compromise 
your key by cracking that copy, even after you have migrated your copy 
to a stronger wrapping.

If an attacker was interested in you, your key is lost and the best path 
forwards is to revoke it and generate a new key.  You could sign the new 
key with the old one before revoking the old key.


-- Jacob



From jsmith9810 at gmx.com  Mon Mar 22 22:55:40 2021
From: jsmith9810 at gmx.com (jsmith9810 at gmx.com)
Date: Mon, 22 Mar 2021 22:55:40 +0100
Subject: Weak encryption keys
In-Reply-To: <6058F128.6090504@gmail.com>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <6058F128.6090504@gmail.com>
Message-ID: <trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>

> The problem is that a private key protected by a weak cipher is still
> potentially compromised if an attacker can get any copy of the key prior
> to migrating it to a stronger cipher.  In other words, if an attacker is
> able to obtain your current key blob, the attacker can still compromise
> your key by cracking that copy, even after you have migrated your copy
> to a stronger wrapping.
>
> If an attacker was interested in you, your key is lost and the best path
> forwards is to revoke it and generate a new key.  You could sign the new
> key with the old one before revoking the old key.
>
>
> -- Jacob
>

A private key protected by weak blowfish cipher is by no means more at risk
compared to an unencrypted key, which GnuPG has no problem with.

Also, from what I've read about blowfish weak keys (and I admit I didn't spend
too much time on it), the attacks are unrealistic in that even though they
reduce the complexity compared to brute forcing a 128-bit key, it's still
near-impossible to retrieve the plain-text or the key itself within reasonable
amount of time. And I also recall reading that it requires a large amounts of
known plain-text and corresponding cipher-text data. In this case, it's a
unique key that's only used to encrypt a few hundred bytes of data. So the risk
of an attacker being able to just "crack" your private key based on the weakness
of the cipher key seems to be quite an overstatement.

Besides, shouldn't the assessment of the security of the key be better left to
the user? It would be totally reasonable to warn the user about the potential
risks and even make a recommendation to revoke this key. But not allowing them
to decrypt something that was previously encrypted with this key doesn't seem
justifiable even if the risks were as high as you stated.


From jcb62281 at gmail.com  Mon Mar 22 23:32:14 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Mon, 22 Mar 2021 17:32:14 -0500
Subject: Weak encryption keys
In-Reply-To: <trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <6058F128.6090504@gmail.com>
 <trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>
Message-ID: <60591AEE.2000406@gmail.com>

jsmith9810 at gmx.com wrote:
>> [...]
>
> A private key protected by weak blowfish cipher is by no means more at risk
> compared to an unencrypted key, which GnuPG has no problem with.
>   

The difference is that you *know* an unencrypted key is lying around at 
risk of compromise, and you knowingly chose to take that risk when you 
chose to store the key unencrypted.

> Also, from what I've read about blowfish weak keys (and I admit I didn't spend
> too much time on it), the attacks are unrealistic in that even though they
> reduce the complexity compared to brute forcing a 128-bit key, it's still
> near-impossible to retrieve the plain-text or the key itself within reasonable
> amount of time. And I also recall reading that it requires a large amounts of
> known plain-text and corresponding cipher-text data. In this case, it's a
> unique key that's only used to encrypt a few hundred bytes of data. So the risk
> of an attacker being able to just "crack" your private key based on the weakness
> of the cipher key seems to be quite an overstatement.
>   

I am assuming that there is some more severe problem with OpenPGP 
Blowfish key wrapping, since the situation you describe would not 
warrant the measures GPG has taken.  (In other words, I am assuming that 
the GPG developers know something here that we do not, and I believe 
that to be a reasonable assumption.)

> Besides, shouldn't the assessment of the security of the key be better left to
> the user? It would be totally reasonable to warn the user about the potential
> risks and even make a recommendation to revoke this key. But not allowing them
> to decrypt something that was previously encrypted with this key doesn't seem
> justifiable even if the risks were as high as you stated.
>   

You are correct that the situation you describe does not reasonably 
support completely rejecting the key.  That is the reason I expect that 
there is a problem serious enough that the key should be considered 
compromised.


-- Jacob


From rjh at sixdemonbag.org  Tue Mar 23 06:59:44 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 23 Mar 2021 01:59:44 -0400
Subject: So long, and thanks for all the fish.
Message-ID: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>

There's a song I really enjoy[*] with a line that always hits me as 
being both beautiful and wise:

	"You talk far too much for someone so unkind."

I first heard of the GNU Project and the Free Software Foundation in 
1995.  For twenty-six years I've supported the FSF and FSFE in a variety 
of different ways.  For these twenty-six years, Richard Stallman has 
been at the forefront of the FSF.  In all that time I have trouble 
remembering when I have ever seen him be kind.

My direct experiences with him have all been frustrating.  I know many 
hackers whose direct experiences have been harrowing.  I do not know a 
single hacker whose direct experiences have been marked by kindness.

Last year when the FSF removed him from the Board of Directors, I 
welcomed the news.  I hoped the FSF would appoint better leaders.  They 
did not: instead, they've reappointed him to the board.

None of us have to tolerate toxic leadership.  We can always leave.  For 
that reason, I'm stepping down as the FAQ maintainer.  It was never a 
particularly big job, but I tried to do it responsibly.  I will also be 
ending my financial support of the FSF, FSFE, and affiliated groups for 
so long as Richard Stallman has influence in these organizations.

I'm not leaving the mailing list.  I'm not leaving the community. 
You'll continue to see me around.  And, should Richard Stallman resign 
or be removed from positions of influence in the FSF and FSFE, I will be 
happy to pick up the FAQ maintainer role again.

Thank you, Werner, for the chance to contribute to GnuPG (in my 
admittedly small way).  It's been a true pleasure doing this.

Be kind.  Expect kindness.  Especially demand kindness from your leaders.

[*] "Leave a Trace" by Churches.


From bernhard at intevation.de  Tue Mar 23 09:47:07 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 23 Mar 2021 09:47:07 +0100
Subject: Compile of gnupg-2.2.27 fails on t-keydb.c
In-Reply-To: <20210320190641.Horde.ZLPIsIwUqzZkBGVP8ok6aA3@webmail.df.eu>
References: <20210320190641.Horde.ZLPIsIwUqzZkBGVP8ok6aA3@webmail.df.eu>
Message-ID: <202103230947.08029.bernhard@intevation.de>

Hi Frank,

Am Samstag 20 M?rz 2021 19:06:41 schrieb Frank:
> I am trying to compile gnupg-2.2.27 and it fails with "syntax error"
> on g10/t-keydb.c.
> I was yet unable to gather more informations, what is going wrong.
> No line, statement or anything else is given.

can you give the precise command lines and outputs (as text)
what you've done? That enables more of us here, to get an idea
why there is no output. Usually c-compiler give more diagnostics,
maybe you can inspect the man page of your compiler and see if there
are options how to increase the verbosity.

Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/77b49fb5/attachment.sig>

From bernhard at intevation.de  Tue Mar 23 09:59:22 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 23 Mar 2021 09:59:22 +0100
Subject: So long, and thanks for all the fish.
In-Reply-To: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
Message-ID: <202103230959.28896.bernhard@intevation.de>

Dear Robert,

Am Dienstag 23 M?rz 2021 06:59:44 schrieb Robert J. Hansen via Gnupg-users:
> None of us have to tolerate toxic leadership. We can always leave. ?For
> that reason, I'm stepping down as the FAQ maintainer. 

thanks for your contributions to GnuPG and its FAQ!

(And I hope there will be more to come
as you wrote you'll be staying on this list.)

> I will also be ending my financial support of the FSF, FSFE,
> and affiliated groups for so long as Richard Stallman has influence
> in these organizations. 

Slightly off topic explanation as I am with the FSFE:
The FSFE is an independent sister organisation with a separate
leadership, and the framework agreement FSFE has with FSF does not give a 
single person a special influcence or one of the organisations a special 
power over the other.  (You may still be critical of both organisations and 
their leaderships and the influence a person from FSF may have on what is
associated with the names, this is not the right list to discuss it. 
But you should be aware about the structural independence.)

Best Regards,
Bernhard
-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/5c70f636/attachment.sig>

From bernhard at intevation.de  Tue Mar 23 10:05:26 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 23 Mar 2021 10:05:26 +0100
Subject: Weak encryption keys
In-Reply-To: <60591AEE.2000406@gmail.com>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>
 <60591AEE.2000406@gmail.com>
Message-ID: <202103231005.26754.bernhard@intevation.de>

Am Montag 22 M?rz 2021 23:32:14 schrieb Jacob Bachmeyer via Gnupg-users:
> I am assuming that there is some more severe problem with OpenPGP
> Blowfish key wrapping, since the situation you describe would not
> warrant the measures GPG has taken. 

Not know details about this one: Sometimes stuff gets deprecated for cleanup 
reasons and for long term prospects. Often you can find more details in the 
code.

> (In other words, I am assuming that 
> the GPG developers know something here that we do not, and I believe
> that to be a reasonable assumption.)

In my experience GnuPG developers (which I'd include myself) strongly like to 
have everything in the open (to be verifiable). The only situation I can 
image that we or others keep something back is for a limited time during the 
course of a responsible disclosure, but this does not seem to be the case 
here as the code is there.
(What also happens with software is that details are not explained.)

Regards,
Bernhard
-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/022c8a2f/attachment.sig>

From rjh at sixdemonbag.org  Tue Mar 23 10:23:32 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 23 Mar 2021 05:23:32 -0400
Subject: So long, and thanks for all the fish.
In-Reply-To: <202103230959.28896.bernhard@intevation.de>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
 <202103230959.28896.bernhard@intevation.de>
Message-ID: <c24a16a3-4d52-f5b3-0f44-5538d2b967f2@sixdemonbag.org>

> The FSFE is an independent sister organisation with a separate
> leadership, and the framework agreement FSFE has with FSF does not give a
> single person a special influcence or one of the organisations a special
> power over the other.

Regardless of whether he officially has power, he clearly unofficially 
has power.  He's contacted me a few times over the years to insist on 
changes to the FAQ, usually over incredibly silly details like saying 
our pronunciation guidance was wrong because we advised people to 
pronounce GNU as two syllables, guh-NOO.  When I spoke to someone within 
FSFE (name omitted for their privacy) about his 'help', I was told to 
just do what he wanted in order to make him go away.

If the FSFE was independent of Stallman, no one would feel the need to 
appease him.


From bernhard at intevation.de  Tue Mar 23 10:36:43 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 23 Mar 2021 10:36:43 +0100
Subject: We shall value email usage
Message-ID: <202103231036.59847.bernhard@intevation.de>

Dear GnuPG community,

email is a decentral standard for asynchronus communication
 * one-to-one messenging
 * closed groups
 * public discussions (via mailinglists)
 * trust anchor (as needed by many accounts on web-sites)

There is a wealth of Free Software implementations
and service providers, additional tools to make emails scriptable,
searchable and secure (even to be used anonymously).

We should value email and its ecosystem more.

It has become under pressure by
 a) online messenging / web applications
 b) vendors who want more user data and to bring
    people into their walled garden (directing their attention
    to paid advertisment)

It seems that rich native email clients as Free Software are a little
bit losing ground. A contributing factor from my perspective is
the complexity that is needed (and partly needed because propriety vendors
make it more complicated) to make an attractive client for many plattforms.
So it is not like a few volunteer hours can keep a native email client on par
or leading the proprietary vendors web-client development speed.
(My answer to this is more professionalism, more about this elsewhere.)

Considering the use cases above, email and native clients have a number of 
advantages over other solutions and it is the basis for people being able to 
use OpenPGP/MIME with GnuPG. My personal conclusion is that furthering
native Free Software email clients is good for GnuPG (and the world
needed good collaborative tools).

What I observe is that knowledge and practive of email usage
is declining. I notice it in many little things (like folks sending 
alternative HTML mails, not being able to handle CC, good inline quoting, 
good subjects). So where are good explanations about email practice?

Best Regards,
Bernhard
-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/e2be07a8/attachment.sig>

From wk at gnupg.org  Tue Mar 23 13:12:27 2021
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Mar 2021 13:12:27 +0100
Subject: Weak encryption keys
In-Reply-To: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 (jsmith's message of "Mon, 22 Mar 2021 17:43:08 +0100")
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
Message-ID: <878s6em5lg.fsf@wheatstone.g10code.de>

On Mon, 22 Mar 2021 17:43, jsmith9810--- said:

> I try to import this key manually (--import), gpg throws a "weak
> encryption key" error and refuses to import it. ...which I find

Can you please paste the exact error message and the output of
"gpgconf --show-versions"?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/14bb5d79/attachment.sig>

From wk at gnupg.org  Tue Mar 23 13:16:38 2021
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Mar 2021 13:16:38 +0100
Subject: Compile of gnupg-2.2.27 fails on t-keydb.c
In-Reply-To: <20210320190641.Horde.ZLPIsIwUqzZkBGVP8ok6aA3@webmail.df.eu>
 (Frank's message of "Sat, 20 Mar 2021 19:06:41 +0100")
References: <20210320190641.Horde.ZLPIsIwUqzZkBGVP8ok6aA3@webmail.df.eu>
Message-ID: <874kh2m5eh.fsf@wheatstone.g10code.de>

On Sat, 20 Mar 2021 19:06, Frank said:

> I am trying to compile gnupg-2.2.27 and it fails with "syntax error"
> on g10/t-keydb.c.
> I was yet unable to gather more informations, what is going wrong.
> No line, statement or anything else is given.

Please run

  make V=1

there should be really some more output than just "syntax error".  I
need to see that to figure out where xlc bails out.  I am also not aware
of other reports from AIX users/


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/08dcc973/attachment.sig>

From jsmith9810 at gmx.com  Tue Mar 23 14:31:00 2021
From: jsmith9810 at gmx.com (jsmith9810 at gmx.com)
Date: Tue, 23 Mar 2021 14:31:00 +0100
Subject: Weak encryption keys
In-Reply-To: <878s6em5lg.fsf@wheatstone.g10code.de>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <878s6em5lg.fsf@wheatstone.g10code.de>
Message-ID: <trinity-fb788700-69b7-4e76-a6f8-4be5805bc6ea-1616506260626@3c-app-mailcom-bs15>

> > I try to import this key manually (--import), gpg throws a "weak
> > encryption key" error and refuses to import it. ...which I find
>
> Can you please paste the exact error message and the output of
> "gpgconf --show-versions"?
>
>
> Shalom-Salam,
>
>    Werner
>

Sure. My gpgconf doesn't seem to have the "--show-versions" option.
It's the 2.2.19 release that currently ships with Ubuntu 20.04 (Focal), in case it helps.

$ gpgconf --show-versions
gpgconf: invalid option "--show-versions"

$ dpkg-query -l *gnupg*
ii  gnupg                   2.2.19-3ubuntu2.1 all          GNU privacy guard - a free PGP replacement
ii  gnupg-l10n              2.2.19-3ubuntu2.1 all          GNU privacy guard - localization files
ii  gnupg-utils             2.2.19-3ubuntu2.1 amd64        GNU privacy guard - utility programs

________________________________________________________________________________

Here's what I get when trying to import this key:

$ gpg --debug-level expert --import /tmp/weak-key.gpg
gpg: key AFD8C1044388D9EB/AFD8C1044388D9EB: error sending to agent: Weak encryption key
gpg: error reading '/tmp/weak-key.gpg': Weak encryption key
gpg: import from '/tmp/weak-key.gpg' failed: Weak encryption key
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1

________________________________________________________________________________

If I do a force-import via secring.gpg migration to 2.x in openpgp-native format,
it's succeeds without error, the secret key is listed but none of the operations
that use this secret key work (including change-passphrase). I see the following
messages after keying in the passphrase in pinentry:

$ gpg --debug-level expert --decrypt secret.gpg
gpg: public key decryption failed: Weak encryption key
gpg: decryption failed: No secret key

$ gpg --debug-level expert --sign message.txt
gpg: signing failed: Weak encryption key

$ gpg --debug-level expert --edit-key 5DA34AB39C214001DB61D96FAFD8C1044388D9EB
gpg: key AFD8C1044388D9EB/AFD8C1044388D9EB: error changing passphrase: Weak encryption key

________________________________________________________________________________

Interestingly, when I tried searching the latest GnuPG code base (cloned from github)
for the "Weak encryption key" error message, nothing showed up.

$ "grep -iRl "Weak encryption key" gnupg
<no matches>


From bernhard at intevation.de  Tue Mar 23 14:34:14 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 23 Mar 2021 14:34:14 +0100
Subject: So long, and thanks for all the fish.
In-Reply-To: <c24a16a3-4d52-f5b3-0f44-5538d2b967f2@sixdemonbag.org>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
 <202103230959.28896.bernhard@intevation.de>
 <c24a16a3-4d52-f5b3-0f44-5538d2b967f2@sixdemonbag.org>
Message-ID: <202103231434.15296.bernhard@intevation.de>

Am Dienstag 23 M?rz 2021 10:23:32 schrieb Robert J. Hansen via Gnupg-users:
> Regardless of whether he officially has power, he clearly unofficially
> has power.  He's contacted me a few times over the years to insist on
> changes to the FAQ, usually over incredibly silly details like saying
> our pronunciation guidance was wrong because we advised people to
> pronounce GNU as two syllables, guh-NOO. 

GnuPG used to be an official part of the GNU project.
(But this is less relevant now. Personally I believe the GNU project should 
have been declared successfully concluded a few years ago. And work 
restructured.) So yes, RMS had some influence over GnuPG. I don't think I've 
heard about anything in this regard for years. So just like anybody: If he 
would send a nice patch or suggestion, we'd look at it.

> When I spoke to someone within FSFE (name omitted for their privacy) about
> his 'help', I was told to just do what he wanted in order to make him go
> away. 

I doubt that this was an official advise from FSFE. ;)
This probably was practical advise within the GNU projects development teams:
If the requests are small and you have no particular reasons to not make them,
doing them is a way to handle them quickly. (My personal perspective is that 
RMS has done some good work and deserves credit for that, but he can be (and 
should be) criticised for the bad stuff he did, too.)

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/02aa09f4/attachment.sig>

From kloecker at kde.org  Tue Mar 23 14:44:51 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Tue, 23 Mar 2021 14:44:51 +0100
Subject: Weak encryption keys
In-Reply-To: <trinity-fb788700-69b7-4e76-a6f8-4be5805bc6ea-1616506260626@3c-app-mailcom-bs15>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <878s6em5lg.fsf@wheatstone.g10code.de>
 <trinity-fb788700-69b7-4e76-a6f8-4be5805bc6ea-1616506260626@3c-app-mailcom-bs15>
Message-ID: <12738218.vN6VkkLPEO@breq>

On Dienstag, 23. M?rz 2021 14:31:00 CET jsmith9810--- via Gnupg-users wrote:
> Interestingly, when I tried searching the latest GnuPG code base (cloned
> from github) for the "Weak encryption key" error message, nothing showed
> up.
> 
> $ "grep -iRl "Weak encryption key" gnupg
> <no matches>

It's defined in the separate libgpg-error library. It corresponds to the 
symbol GPG_ERR_WEAK_KEY. This symbol occurs in libgcrypt (the low-level crypto 
library of GnuPG), e.g. in blowfish.c, and in gnupg.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/6482a669/attachment.sig>

From gnupg at shoran-und-alira.de  Tue Mar 23 16:16:28 2021
From: gnupg at shoran-und-alira.de (Frank)
Date: Tue, 23 Mar 2021 16:16:28 +0100
Subject: Compile of gnupg-2.2.27 fails on t-keydb.c
In-Reply-To: <874kh2m5eh.fsf@wheatstone.g10code.de>
References: <20210320190641.Horde.ZLPIsIwUqzZkBGVP8ok6aA3@webmail.df.eu>
 <874kh2m5eh.fsf@wheatstone.g10code.de>
Message-ID: <20210323161628.Horde.aogaZ7-Ew0X-TB7xEkVpHw5@webmail.df.eu>

> Please run
>
>   make V=1
>
> there should be really some more output than just "syntax error".  I
> need to see that to figure out where xlc bails out.  I am also not aware
> of other reports from AIX users/
>

Here is a bit more (helpful) information
loaded from gnupg.org:
-rw-r-----    1 root     system      7191555 Mar 19 15:04 gnupg-2.2.27.tar.bz2
-rw-r-----    1 root     system       574039 Mar 19 17:08  
libassuan-2.5.4.tar.bz2
-rw-r-----    1 root     system      3206187 Mar 19 17:08  
libgcrypt-1.9.2.tar.bz2
-rw-r-----    1 root     system       967117 Mar 19 17:08  
libgpg-error-1.41.tar.bz2
-rw-r-----    1 root     system       656518 Mar 19 17:08  
libksba-1.5.0.tar.bz2
-rw-r-----    1 root     system       300486 Mar 19 17:08 npth-1.6.tar.bz2

patch needed, I think AIX might work with __inline__ (? have not tried that):
  # cat libgcrypt-1.9.2-aix.patch
--- ./src/hmac256.c_original    2021-01-07 10:01:04 +0000
+++ ./src/hmac256.c     2021-03-20 13:58:35 +0000
@@ -107,7 +107,7 @@


  /* Rotate a 32 bit word.  */
-static inline u32 ror(u32 x, int n)
+static u32 ror(u32 x, int n)
  {
         return ( ((x) >> (n)) | ((x) << (32-(n))) );
  }

all (except for gnupg) successfully compiled and packed with rpmbuild  
(might still have done a mistake here)
There was some issue with /opt/freeware/info/dir (or /opt/freeware/share/dir)


GnuPG
latest configure (tried with a few more things enabled earlier):
./configure  --prefix=/opt/freeware --disable-gpgsm --disable-scdaemon  
--disable-dirmngr --disable-doc --disable-wks-tools  
--enable-large-secmem --disable-libdns --disable-photo-viewers  
--disable-card-support --disable-ccid-driver  
--disable-dirmngr-auto-start --disable-sqlite --disable-ntbtls  
--disable-gnutls --disable-ldap --disable-nls --disable-tests

# make
...
<snipp>
         source='t-keydb.c' object='t-keydb.o' libtool=no   
DEPDIR=.deps depmode=xlc /opt/freeware/bin/bash ../build-aux/depcomp   
cc -qlanglvl=extc89 -DHAVE_CONFIG_H -I. -I..   
-DLOCALEDIR=\"/opt/freeware/share/locale\"  
-DGNUPG_BINDIR="\"/opt/freeware/bin\""              
-DGNUPG_LIBEXECDIR="\"/opt/freeware/libexec\""      
-DGNUPG_LIBDIR="\"/opt/freeware/lib/gnupg\""    
-DGNUPG_DATADIR="\"/opt/freeware/share/gnupg\""   
-DGNUPG_SYSCONFDIR="\"/opt/freeware/etc/gnupg\""   
-DGNUPG_LOCALSTATEDIR="\"/opt/freeware/var\""           
-I/opt/freeware/include  -I/opt/freeware/include   
-I/opt/freeware/include -I/opt/freeware/include -qmaxmem=16384 -DSYSV  
-D_AIX -D_AIX32 -D_AIX41 -D_AIX43 -D_AIX51 -D_AIX52 -D_AIX53 -D_AIX61  
-D_AIX71 -D_AIX72 -D_ALL_SOURCE -DFUNCPROTO=15 -O2  
-I/opt/freeware/include -c -o t-keydb.o t-keydb.c
1506-046 (S) Syntax error.
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 2.


# make V=1
         make  all-recursive
Making all in m4
Target "all" is up to date.
Making all in common
         make  all-am
Target "all-am" is up to date.
Making all in regexp
         make  all-am
Target "all-am" is up to date.
Making all in kbx
Target "all" is up to date.
Making all in g10
         source='t-keydb.c' object='t-keydb.o' libtool=no   
DEPDIR=.deps depmode=xlc /opt/freeware/bin/bash ../build-aux/depcomp   
cc -qlanglvl=extc89 -DHAVE_CONFIG_H -I. -I..   
-DLOCALEDIR=\"/opt/freeware/share/locale\"  
-DGNUPG_BINDIR="\"/opt/freeware/bin\""              
-DGNUPG_LIBEXECDIR="\"/opt/freeware/libexec\""      
-DGNUPG_LIBDIR="\"/opt/freeware/lib/gnupg\""    
-DGNUPG_DATADIR="\"/opt/freeware/share/gnupg\""   
-DGNUPG_SYSCONFDIR="\"/opt/freeware/etc/gnupg\""   
-DGNUPG_LOCALSTATEDIR="\"/opt/freeware/var\""           
-I/opt/freeware/include  -I/opt/freeware/include   
-I/opt/freeware/include -I/opt/freeware/include -qmaxmem=16384 -DSYSV  
-D_AIX -D_AIX32 -D_AIX41 -D_AIX43 -D_AIX51 -D_AIX52 -D_AIX53 -D_AIX61  
-D_AIX71 -D_AIX72 -D_ALL_SOURCE -DFUNCPROTO=15 -O2  
-I/opt/freeware/include -c -o t-keydb.o t-keydb.c
1506-046 (S) Syntax error.
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 2.


Stop.



truss on the compile (maybe unrelated because it is an information  
AFTER the Syntax error):
1506-04625624996:       40305045: kwrite(2, 0x30161F20, 8)              = 8
25624996:          1 5 0 6 - 0 4 6
  (25624996:     40305045: kwrite(2, 0x10A247DA, 2)              = 2
25624996:            (
S25624996:      40305045: kwrite(2, 0x30BF4468, 1)              = 1
25624996:          S
) 25624996:     40305045: kwrite(2, 0x10A247DE, 2)              = 2
25624996:          )
Syntax error.25624996:  40305045: kwrite(2, 0x30BF43E8, 13)             = 13
25624996:          S y n t a x   e r r o r .

25624996:       40305045: kwrite(2, 0x10A247E2, 1)              = 1
25624996:         \n
25624996:       40305045: kwrite(11, 0x30505000, 1939)          = 1939
25624996:          
\0\0\0\001\0\0\0\0\0\0\0\0\0\0\0E00110\0\0\0\0\0\0\002\0\0\0\0\0
25624996:         \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 &\0\0\0  \0  
,\0\0\0\0\0\0\0\0
25624996:         \0\0\0\0\0\0\00201\0\0\0 (\0  
P\0\0\080\0\0\00410\0\0\0\0\0\0\0\0
25624996:         \007\002   
\0\0\0\0\0\005\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\b\0\0\0 8
25624996:         \0\0\00F\0\0\016\0\0\002\0\0\0 y\0\0\001\0\0\0  
P\0\0\0\0 I B M
25624996:          X L   C   f o r   A I X ,   V e r s i o n   1 3 . 1  
. 3 . 4\0 1
25624996:         \0\0\0\0\0\0\0 0\0\0\0\0\0\0 s t r t o i m a x\0 s t  
r t o l d\0
25624996:          s e l e c t\0 g p g r t _ a n n o t a t e _ l e a k  
e d _ o b j
25624996:          e c t\0 g p g _ e r r _ m a k e\0 g p g _ e r r o  
r\0 g p g _ e
25624996:          r r _ c o d e\0 g p g _ e r r _ s o u r c e\0 g p g  
_ e r r _ c
25624996:          o d e _ f r o m _ s q l i t e\0 g p g _ e r r _ m a  
k e _ f r o
25624996:          m _ e r r n o\0 g p g _ e r r o r _ f r o m _ e r r  
n o\0 g p g
25624996:          _ e r r o r _ f r o m _ s y s e r r o r\0 g c r y _  
e r r _ m a
25624996:          k e\0 g c r y _ e r r o r\0 g c r y _ e r r _ c o d  
e\0 g c r y
25624996:          _ e r r _ s o u r c e\0 e x i t _ t e s t s\0 A l l  
   % d   t e
25624996:          s t s   p a s s e d .\n\0 % d   o f   % d   t e s t  
s   f a i l
25624996:          e d\0   ( % d   o f   % d   g r o u p s )\0\n\0 p r  
e p e n d _
25624996:          s r c d i r\0 a b s _ t o p _ s r c d i r\0 .\0 / g  
1 0 /\0 / g
25624996:          1 0 /\0 t e s t _ f r e e\0 m a i n\0 v e r b o s  
e\0 o u t _ o
25624996:          f _ c o r e\0 p k t t y p e _ s t r\0 P U B K E Y _  
E N C\0 S I
25624996:          G N A T U R E\0 S Y M K E Y _ E N C\0 O N E P A S S  
_ S I G\0 S
25624996:          E C R E T _ K E Y\0 P U B L I C _ K E Y\0 S E C R E  
T _ S U B K
25624996:          E Y\0 C O M P R E S S E D\0 E N C R Y P T E D\0 M A  
R K E R\0 P
25624996:          L A I N T E X T\0 R I N G _ T R U S T\0 U S E R _ I  
D\0 P U B L
25624996:          I C _ S U B K E Y\0 O L D _ C O M M E N T\0 A T T R  
I B U T E\0
25624996:          E N C R Y P T E D _ M D C\0 M D C\0 C O M M E N T\0  
G P G _ C O
25624996:          N T R O L\0 u n k n o w n   p a c k e t   t y p e\0  
i s _ i n _
25624996:          k l i s t\0 k e y i d _ c m p\0 p k _ i s _ p r i m  
a r y\0 d o
25624996:          _ t e s t\0 t - k e y d b - k e y r i n g . k b x\0  
a b o r t i
25624996:          n g . . .\0 F a i l e d   t o   o p e n   k e y r i  
n g .\0   %
25624996:          s\n\0 F a i l e d   t o   o p e n   k e y r i n g  
.\0 a b o r t
25624996:          i n g . . .\0\0   % s\n\0\0 a b o r t i n g . .  
.\0\0   % s\n\0
25624996:         \0 2 6 8 9   5 E 2 5   E 8 4 4   6 D 4 4   A 2 6 D    
   8 F A F
25624996:          2 F 7 9   9 8 F 3   D B F C   6 A D 9\0 a b o r t i  
n g . . .\0
25624996:          F a i l e d   t o   c o n v e r t   f i n g e r p r  
i n t   f o
25624996:          r   D B F C 6 A D 9\0   % s\n\0 F a i l e d   t o    
c o n v e r
25624996:          t   f i n g e r p r i n t   f o r   D B F C 6 A D  
9\0 a b o r t
25624996:          i n g . . .\0 F a i l e d   t o   l o o k u p   k e  
y   a s s o
25624996:          c i a t e d   w i t h   D B F C 6 A D 9\0   % s\n\0  
F a i l e d
25624996:            t o   l o o k u p   k e y   a s s o c i a t e d    
w i t h   D
25624996:          B F C 6 A D 9\0 8 0 6 1   5 8 7 0   F 5 B A   D 6 9  
0   3 3 3 6
25624996:              8 6 D 0   F 2 A D   8 5 A C   1 E 4 2   B 3 6  
7\0 a b o r t
25624996:          i n g . . .\0 F a i l e d   t o   c o n v e r t   f  
i n g e r p
25624996:          r i n t   f o r   1 E 4 2 B 3 6 7\0   % s\n\0 F a i  
l e d   t o
25624996:            c o n v e r t   f i n g e r p r i n t   f o r   1  
E 4 2 B 3 6
25624996:          7\0 a b o r t i n g . . .\0 F a i l e d   t o   l o  
o k u p   k
25624996:          e y   a s s o c i a t e d   w i t h   1 E 4 2 B 3 6  
7\0   % s\n
25624996:         \0 F a i l e d   t o   l o o k u p   k e y   a s s o  
c i a t e d
25624996:            w i t h   1 E 4 2 B 3 6 7\0 a b o r t i n g . .  
.\0 F a i l e
25624996:          d   t o   g e t   k e y b l o c k   f o r   1 E 4 2  
B 3 6 7\0
25624996:          % s\n\0 F a i l e d   t o   g e t   k e y b l o c k  
   f o r   1
25624996:          E 4 2 B 3 6 7\0 a b o r t i n g . . .\0 F a i l e d  
   t o   g e
25624996:          t   k e y b l o c k   f o r   D B F C 6 A D 9\0   %  
s\n\0 F a i
25624996:          l e d   t o   g e t   k e y b l o c k   f o r   D B  
F C 6 A D 9
25624996:         \0 a b o r t i n g . . .\0 D B F C 6 A D 9   h a s    
n o   u s e
25624996:          r   i d   p a c k e t\0   % s\n\0 D B F C 6 A D 9    
h a s   n o
25624996:            u s e r   i d   p a c k e t\0 a b o r t i n g . .  
.\0 1 E 4 2
25624996:          B 3 6 7   h a s   n o   u s e r   i d   p a c k e  
t\0   % s\n\0
25624996:          1 E 4 2 B 3 6 7   h a s   n o   u s e r   i d   p a  
c k e t\0 u
25624996:          s e r   i d   f o r   D B F C 6 A D 9 :   % s\n\0 u  
s e r   i d
25624996:            f o r   1 E 4 2 B 3 6 7 :   % s\n\0

Thanks and kind regards
Frank




From wk at gnupg.org  Tue Mar 23 19:12:44 2021
From: wk at gnupg.org (Werner Koch)
Date: Tue, 23 Mar 2021 19:12:44 +0100
Subject: So long, and thanks for all the fish.
In-Reply-To: <202103231434.15296.bernhard@intevation.de> (Bernhard Reiter's
 message of "Tue, 23 Mar 2021 14:34:14 +0100")
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
 <202103230959.28896.bernhard@intevation.de>
 <c24a16a3-4d52-f5b3-0f44-5538d2b967f2@sixdemonbag.org>
 <202103231434.15296.bernhard@intevation.de>
Message-ID: <87ft0llowz.fsf@wheatstone.g10code.de>

On Tue, 23 Mar 2021 14:34, Bernhard Reiter said:

> restructured.) So yes, RMS had some influence over GnuPG. I don't think I've 

He has not more influence on GnuPG than on GNOME, which he claims to be
the GNU desktop.  GnuPG still shows the FSF copyright on Unix e as an
appreciation for all the things the _GNU hackers_ did for the free
software movement.

> I doubt that this was an official advise from FSFE. ;)

I won't comment this here.  [I founded the FSFE together with a couple
of friends but left the FSFE a few years ago for a reason.]


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/c07d3f37/attachment.sig>

From joefresh at gmx.us  Tue Mar 23 14:42:49 2021
From: joefresh at gmx.us (joefresh at gmx.us)
Date: Tue, 23 Mar 2021 14:42:49 +0100
Subject: Weak encryption keys
In-Reply-To: <trinity-fb788700-69b7-4e76-a6f8-4be5805bc6ea-1616506260626@3c-app-mailcom-bs15>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <878s6em5lg.fsf@wheatstone.g10code.de>
 <trinity-fb788700-69b7-4e76-a6f8-4be5805bc6ea-1616506260626@3c-app-mailcom-bs15>
Message-ID: <trinity-08415c06-8f7d-49c2-9cea-9f03d4fbde0c-1616506969255@3c-app-mailcom-bs15>

> Interestingly, when I tried searching the latest GnuPG code base (cloned from github)
> for the "Weak encryption key" error message, nothing showed up.
>
> $ "grep -iRl "Weak encryption key" gnupg
> <no matches>
>

It appears that the problem lies in libgcrypt, which refuses to set a key for this
cipher that's considered weak.

libgcrypt/cipher/blowfish.c

static gcry_err_code_t
do_bf_setkey (BLOWFISH_context *c, const byte *key, unsigned keylen)
...

  /* Check for weak key.  A weak key is a key in which a value in
     the P-array (here c) occurs more than once per table.  */
  if (weak)
    return GPG_ERR_WEAK_KEY;


From jcb62281 at gmail.com  Tue Mar 23 22:04:25 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Tue, 23 Mar 2021 16:04:25 -0500
Subject: So long, and thanks for all the fish.
In-Reply-To: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
Message-ID: <605A57D9.1010609@gmail.com>

Robert J. Hansen via Gnupg-users wrote:
> I first heard of the GNU Project and the Free Software Foundation in 
> 1995.  For twenty-six years I've supported the FSF and FSFE in a 
> variety of different ways.  For these twenty-six years, Richard 
> Stallman has been at the forefront of the FSF.  In all that time I 
> have trouble remembering when I have ever seen him be kind.
>
> My direct experiences with him have all been frustrating.  I know many 
> hackers whose direct experiences have been harrowing.  I do not know a 
> single hacker whose direct experiences have been marked by kindness.

Perhaps he has turned over a new leaf; I have not had those problems in 
my interactions (admittedly all by email) with him.  Also admittedly, my 
interactions have all been relatively recent, and in contexts related to 
picking up maintaining DejaGnu, so an effort at reform would explain the 
horror stories others have told that do not match my experience.

> Last year when the FSF removed him from the Board of Directors, I 
> welcomed the news.  I hoped the FSF would appoint better leaders.  
> They did not: instead, they've reappointed him to the board.

The circumstances as I understand them of that removal were quite bad 
and reappointing RMS was probably a right thing to do.  That said, I am 
somewhat troubled by the apparent inability to find another leader 
because it bodes ill for the inevitable day when reappointing RMS will 
no longer be an option.


-- Jacob


From plr.vincent at gmail.com  Tue Mar 23 23:53:37 2021
From: plr.vincent at gmail.com (Vincent Pelletier)
Date: Tue, 23 Mar 2021 22:53:37 +0000
Subject: Weak encryption keys
In-Reply-To: <60591AEE.2000406@gmail.com>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <6058F128.6090504@gmail.com>
 <trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>
 <60591AEE.2000406@gmail.com>
Message-ID: <20210323225337.7ab4cb47@gmail.com>

On Mon, 22 Mar 2021 17:32:14 -0500, Jacob Bachmeyer via Gnupg-users <gnupg-users at gnupg.org> wrote:
> The difference is that you *know* an unencrypted key is lying around at 
> risk of compromise, and you knowingly chose to take that risk when you 
> chose to store the key unencrypted.

Pardon my non-gpg-familiarity, but isn't a "weak key" completely
different from a (maybe) divulged key ?

AFAIK a weak key is a key that, when used, produces a result which is
easier to break than what the cipher promises. In other word, this
would be something specific to this very key, to the value of its
components being poorly chosen, and in no way related to how it was
stored/obfuscated itself.

IOW, isn't this specific key one of the identified blowfish weak keys
classes ?
  https://en.wikipedia.org/wiki/Blowfish_(cipher)#Weakness_and_successors
Also:
  https://en.wikipedia.org/wiki/Weak_key

Meaning not only this key, but anything it signed and/or was encrypted
for (I did not check which one is affected), may be considered
compromised ?
-- 
Vincent Pelletier
GPG fingerprint 983A E8B7 3B91 1598 7A92 3845 CAC9 3691 4257 B0C1


From jcb62281 at gmail.com  Wed Mar 24 02:20:02 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Tue, 23 Mar 2021 20:20:02 -0500
Subject: Weak encryption keys
In-Reply-To: <20210323225337.7ab4cb47@gmail.com>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>	<6058F128.6090504@gmail.com>	<trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>	<60591AEE.2000406@gmail.com>
 <20210323225337.7ab4cb47@gmail.com>
Message-ID: <605A93C2.8030306@gmail.com>

Vincent Pelletier wrote:
> On Mon, 22 Mar 2021 17:32:14 -0500, Jacob Bachmeyer via Gnupg-users <gnupg-users at gnupg.org> wrote:
>   
>> The difference is that you *know* an unencrypted key is lying around at 
>> risk of compromise, and you knowingly chose to take that risk when you 
>> chose to store the key unencrypted.
>>     
>
> Pardon my non-gpg-familiarity, but isn't a "weak key" completely
> different from a (maybe) divulged key ?
>   

There are two keys involved here:  a PGP private key that is stored 
encrypted under a symmetric key.  It appears that that symmetric key has 
been found to be weak.  If an attacker can obtain the encrypted blob and 
crack the symmetric encryption, the PGP key would be divulged.

> AFAIK a weak key is a key that, when used, produces a result which is
> easier to break than what the cipher promises. In other word, this
> would be something specific to this very key, to the value of its
> components being poorly chosen, and in no way related to how it was
> stored/obfuscated itself.
>   

The weak key in this case is the symmetric cipher key used to encrypt 
the PGP private key.

> IOW, isn't this specific key one of the identified blowfish weak keys
> classes ?
>   https://en.wikipedia.org/wiki/Blowfish_(cipher)#Weakness_and_successors
> Also:
>   https://en.wikipedia.org/wiki/Weak_key
>
> Meaning not only this key, but anything it signed and/or was encrypted
> for (I did not check which one is affected), may be considered
> compromised ?
>   

The risk is that an attacker may be able to crack the encryption on the 
stored private key because it was encrypted with a weak key.  Given that 
PGP keys are very short, it is possible that Blowfish may be safe here, 
even with a weak key.  If this is the case, using an old version of GPG 
to import the affected private key and change the passphrase should fix 
the problem, since the symmetric key (and possibly algorithm) used to 
store the private key will then change.

If Blowfish is not safe under these circumstances (weak key encrypting a 
limited amount of data), then the PGP key in question should be presumed 
compromised and should be replaced.


-- Jacob


From dkg at fifthhorseman.net  Wed Mar 24 02:27:28 2021
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 23 Mar 2021 21:27:28 -0400
Subject: Thunderbird dealing with signed messages and mailing lists [was:
 Re: Best practices for obtaining a new GPG certificate]
In-Reply-To: <d20ab5d7-5011-a958-376c-88c80db868d4@gmx.com>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
 <705911ee-8e86-66f0-4a0d-c5ee7232cb2d@sixdemonbag.org>
 <875z1nnip3.fsf@wheatstone.g10code.de>
 <d20ab5d7-5011-a958-376c-88c80db868d4@gmx.com>
Message-ID: <87sg4l2ven.fsf@fifthhorseman.net>

On Fri 2021-03-19 15:30:51 -0700, Mark via Gnupg-users wrote:
> It also has issues with signed messages and lists. For example you
> signed this message but it says "uncertain digital signature".? I don't
> remember this being an issue in the older TB/Enigmail.

Signed messages on mailing lists that modify message bodies (and
headers) in the way that gnupg-users at gnupg.org does should *not* show as
a valid digital signature.

See
https://www.ietf.org/archive/id/draft-dkg-lamps-e2e-mail-guidance-01.html#name-mailing-list-wrapping
for a bit more information on the problem, and
https://www.ietf.org/archive/id/draft-dkg-lamps-e2e-mail-guidance-01.html#name-exception-mailing-list-foot
for a proposed method for MUAs to responsibly render such a message.

    --dkg

PS fwiw, "uncertain digital signature" probably shouldn't show at all in
   any reasonable end-user-facing MUA unless the user is in some sort of
   special-cased debug mode.  In typical operation, a message either is
   protected by a valid signature or it is not.  Displaying an
   intermediate status like "uncertain" is likely only to cause
   confusion.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/b8768864/attachment-0001.sig>

From dkg at fifthhorseman.net  Wed Mar 24 02:19:46 2021
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 23 Mar 2021 21:19:46 -0400
Subject: Best practices for obtaining a new GPG certificate
In-Reply-To: <87y2ejob3r.fsf@wheatstone.g10code.de>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <87y2ekpmuw.fsf@wheatstone.g10code.de>
 <CAPORhP7+NkSwWjzMRCckrdYnRcV3p3tLRenBKpZTGh4Xr_j4Mg@mail.gmail.com>
 <87y2ejob3r.fsf@wheatstone.g10code.de>
Message-ID: <87v99h2vrh.fsf@fifthhorseman.net>

On Fri 2021-03-19 08:29:12 +0100, Werner Koch via Gnupg-users wrote:
> You may also skip the menu thing and use
>
>   gpg --quick-gen-key bar at example.com future-default

I agree with Werner's recommendation of using --quick-gen-key and
future-default.

If you're going to provide an e-mail address-only User ID, though, i'd
also recommend wrapping it in angle-brackets, as raw e-mail addresses
are still liable to trigger some minor bugs in various pieces of older
OpenPGP tooling.  So that'd be:

    gpg --quick-gen-key '<bar at example.com>' future-default

Using the defaults (or the future defaults, as here) is a good
practice.  Most people shouldn't need anything fancier.

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210323/2cf4942a/attachment.sig>

From bernhard at intevation.de  Wed Mar 24 09:25:31 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 24 Mar 2021 09:25:31 +0100
Subject: [EXT] Best practices for obtaining a new GPG certificate
In-Reply-To: <8735wrppve.fsf@wheatstone.g10code.de>
References: <CAPORhP6tzPjbf3RfBzdWeMH5pCqgg4uY+gt4KGnx+eEZGJHZSA@mail.gmail.com>
 <37c68cdad4c388005d7d867401a1efd4b5500bc2.camel@16bits.net>
 <8735wrppve.fsf@wheatstone.g10code.de>
Message-ID: <202103240925.44938.bernhard@intevation.de>

Am Freitag 19 M?rz 2021 08:24:53 schrieb Werner Koch via Gnupg-users:
> On Fri, 19 Mar 2021 01:50, ?ngel said:
> > The FAQis outdated. GnuPG was indeed updated some years ago to use 3072
> > as the default size for rsa
>
> Actually 7 months:
> Noteworthy changes in version 2.2.22 (2020-08-27)
> -------------------------------------------------
>   * gpg: Change the default key algorithm to rsa3072.
> But some Linux distributions changed it earlier.

https://wiki.gnupg.org/LargeKeys is the wiki page to catch some of the 
arguments leading to the recommendations. It could use some more updates
for the upcoming future default.


-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210324/5709c149/attachment.sig>

From plr.vincent at gmail.com  Wed Mar 24 12:08:41 2021
From: plr.vincent at gmail.com (Vincent Pelletier)
Date: Wed, 24 Mar 2021 11:08:41 +0000
Subject: Weak encryption keys
In-Reply-To: <605A93C2.8030306@gmail.com>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <6058F128.6090504@gmail.com>
 <trinity-155ac915-e656-4277-9529-27b74ef53810-1616450140338@3c-app-mailcom-bs03>
 <60591AEE.2000406@gmail.com> <20210323225337.7ab4cb47@gmail.com>
 <605A93C2.8030306@gmail.com>
Message-ID: <20210324110841.76e92ee0@gmail.com>

On Tue, 23 Mar 2021 20:20:02 -0500, Jacob Bachmeyer <jcb62281 at gmail.com> wrote:
> There are two keys involved here:  a PGP private key that is stored 
> encrypted under a symmetric key.  It appears that that symmetric key has 
> been found to be weak.  If an attacker can obtain the encrypted blob and 
> crack the symmetric encryption, the PGP key would be divulged.

Oh, blowfish is the symetric one. My bad, I so,ehow thought it was the
asymmetric key which was weak.

As you say, it does not really change the conclusion, but thanks a lot
for the correction.

Regards,
-- 
Vincent Pelletier
GPG fingerprint 983A E8B7 3B91 1598 7A92 3845 CAC9 3691 4257 B0C1


From jsmith9810 at gmx.com  Wed Mar 24 17:03:00 2021
From: jsmith9810 at gmx.com (jsmith9810 at gmx.com)
Date: Wed, 24 Mar 2021 17:03:00 +0100
Subject: Weak encryption keys
In-Reply-To: <12738218.vN6VkkLPEO@breq>
References: <trinity-9fb36703-7a46-4186-a075-bc3d315b61e2-1616431388178@3c-app-mailcom-bs09>
 <878s6em5lg.fsf@wheatstone.g10code.de>
 <trinity-fb788700-69b7-4e76-a6f8-4be5805bc6ea-1616506260626@3c-app-mailcom-bs15>
 <12738218.vN6VkkLPEO@breq>
Message-ID: <trinity-c6322f22-7f70-45fb-8e24-fa8ad9a71cdd-1616601780818@3c-app-mailcom-bs05>

> Sent: Tuesday, March 23, 2021 at 9:44 AM
> From: "Ingo Kl?cker" <kloecker at kde.org>
> 
> It's defined in the separate libgpg-error library. It corresponds to the 
> symbol GPG_ERR_WEAK_KEY. This symbol occurs in libgcrypt (the low-level crypto 
> library of GnuPG), e.g. in blowfish.c, and in gnupg.
> 

Okay, I think I have figured out the reason for this behavior.
The libgcrypt library that's used by GnuPG had completely
disabled the use of weak keys for symmetric ciphers. I believe
it previously just issued a warning, but still allowed the use
of the weak keys. This is causing the setkey operation to fail
in GnuPG.
 
I also noticed that libgcrypt gas now introduced a mechanism
to allow the use of weak keys through a recent commit:
2020-02-02: 5beadf201312d0c649971b0c1d4c3827b434a0b5
 
So it's now possible to leverage this feature and support
importing of existing PGP keys protected with a weak symmetric
key, that were generated with the older version of GnuPG. If 
there is an appetite to address this issue, I can create a task
in the tracker.

Thanks!


From stefan.vasilev at posteo.ru  Wed Mar 24 16:15:16 2021
From: stefan.vasilev at posteo.ru (Stefan Vasilev)
Date: Wed, 24 Mar 2021 16:15:16 +0100
Subject: We shall value email usage
In-Reply-To: <202103231036.59847.bernhard@intevation.de>
References: <202103231036.59847.bernhard@intevation.de>
Message-ID: <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>

Bernhard Reiter wrote:

> What I observe is that knowledge and practive of email usage
> is declining. I notice it in many little things (like folks sending
> alternative HTML mails, not being able to handle CC, good inline quoting,
> good subjects). So where are good explanations about email practice?

This is quite normal, because millions of people nowadays are using 
modern web based

email clients and those have with Gmail etc. the option to use OpenPGP 
too. GnuPG

with add-ons for a MUAs seems therefore a bit outdated and is probably 
mostly used

among Mailing List members. An exception might be the new Thunderbird, with

OpenPGP support.


Regards

Stefan


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4500 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210324/1791d0c0/attachment.bin>

From johanw at vulcan.xs4all.nl  Wed Mar 24 20:15:28 2021
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed, 24 Mar 2021 20:15:28 +0100
Subject: So long, and thanks for all the fish.
In-Reply-To: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
Message-ID: <93be2649-88ca-c870-8133-cb5aa50ef2e7@vulcan.xs4all.nl>

On 23-03-2021 6:59, Robert J. Hansen via Gnupg-users wrote:

> Last year when the FSF removed him from the Board of Directors, I
> welcomed the news.? I hoped the FSF would appoint better leaders.? They
> did not: instead, they've reappointed him to the board.

Excelent news, finally a case where cancel culture has been overruled.
That was about time in the current McCarthyism-like culture in the US,
where "communist" is replaced by "non-woke".

-- 
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html



From angel at pgp.16bits.net  Thu Mar 25 02:33:06 2021
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Thu, 25 Mar 2021 02:33:06 +0100
Subject: So long, and thanks for all the fish.
In-Reply-To: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
Message-ID: <8e48484c1fdae5db99fc9c05403a5077dcee5abf.camel@16bits.net>

It's sad to see someone like you stepping down by a cause such as this.
But we cannot but thank you for your support to the project all these
years.
So long... and thanks for keeping all the Answers. :-)





From bernhard at intevation.de  Thu Mar 25 09:48:36 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 25 Mar 2021 09:48:36 +0100
Subject: So long, and thanks for all the fish.
In-Reply-To: <93be2649-88ca-c870-8133-cb5aa50ef2e7@vulcan.xs4all.nl>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
 <93be2649-88ca-c870-8133-cb5aa50ef2e7@vulcan.xs4all.nl>
Message-ID: <202103250948.36938.bernhard@intevation.de>

Johan,
please let us stick to GnuPG topics on this list.

Robert's mail was on topic because he stated why he stepped down as FAQ 
maintainer. We also shed light on which influence the GNU project had
on GnuPG (little for many years).

Am Mittwoch 24 M?rz 2021 20:15:28 schrieb Johan Wevers:
> Excelent news, finally a case

So to me, your statement is too general and may provoke some folks.
(You could see that Werner and myself also refrained from general 
reasoning. :) )

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/4a9ebf02/attachment.sig>

From bernhard at intevation.de  Thu Mar 25 09:54:01 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 25 Mar 2021 09:54:01 +0100
Subject: We shall value email usage
In-Reply-To: <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
References: <202103231036.59847.bernhard@intevation.de>
 <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
Message-ID: <202103250954.01860.bernhard@intevation.de>



Am Mittwoch 24 M?rz 2021 16:15:16 schrieb Stefan Vasilev via Gnupg-users:
> Bernhard Reiter wrote:
> > What I observe is that knowledge and practive of email usage
> > is declining. I notice it in many little things 

> This is quite normal, because millions of people nowadays are using
> modern web based email clients 

Most webclients I have seen, are not as usable as native clients.
But this is no excuse for not using email in a good way. :)

> and those have with Gmail etc. the option to use OpenPGP 
> too. GnuPG with add-ons for a MUAs seems therefore a bit outdated 
> and is probably mostly used among Mailing List members.

Yes, there is a perception of "outdatedness".
Maybe it is needed to show the advantages to make it look modern.
A tool that is more effective should be modern.

Of course, email belong to many, a proprietary messenger to one vendor,
guess who has more marketing money. ;)

> An exception might be the new Thunderbird, with 
> OpenPGP support.

The choise of implementing a pre-standard way of protected headers
and making it the default without way to disable it, was doing email and 
secure email a disservice in my opionion. :(

Best,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/1e1919d3/attachment.sig>

From klaus+gnupg at ethgen.ch  Thu Mar 25 10:25:22 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Thu, 25 Mar 2021 10:25:22 +0100
Subject: We shall value email usage
In-Reply-To: <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
References: <202103231036.59847.bernhard@intevation.de>
 <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
Message-ID: <YFxXAv1ygADufV5z@ikki.ethgen.ch>

Hi List,

Am Mi den 24. M?r 2021 um 16:15 schrieb Stefan Vasilev via Gnupg-users:
> Bernhard Reiter wrote:
> 
> > What I observe is that knowledge and practive of email usage
> > is declining. I notice it in many little things (like folks sending
> > alternative HTML mails, not being able to handle CC, good inline quoting,
> > good subjects). So where are good explanations about email practice?
> 
> This is quite normal, because millions of people nowadays are using modern
> web based
> 
> email clients and those have with Gmail etc. the option to use OpenPGP too.
> GnuPG

If they are "modern" is something, I do not judge about. But there is
even a solution for Web-based mail clients. Mailvelope does a pretty
good job. Although there are some stuff to know about:
- Mailvelope can (obviously) only handle inline PGP mails. Decoding mime
  mails (or encoding) is far away from such a tool
- Mailvelope cannot handle hidden encrypts (As I understand the
  discussion, current Thunderbird is also unable to handle this.)
- Mailvelope Needs a e-mail address in the key identity. Otherwise it is
  not selectable.

> among Mailing List members. An exception might be the new Thunderbird, with

As you might see, I use mutt as mail client. But recently, I started
having an eye to thunderbird for some reasons. I liked the Enigmail
addon. It is sad, that the native implementation in Thunderbird is a
big step back. Although there is some advantages like the hidden subject
header.

On the other hand, as it was stated here too, it is not possible to
disable it so the still dump majority of Outlook is unable to view the
subject. However, Outlook is also unable to view quotes a usable way,
neither is it able to create proper mails. So I always wonder, why
people stick to such horrible software.

Gru?
   Klaus

Ps. I might need to use this Outlook in future for work mails. But I try
    to fight it. :-)
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/f78ae762/attachment.sig>

From bernhard at intevation.de  Thu Mar 25 11:51:10 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 25 Mar 2021 11:51:10 +0100
Subject: We shall value email usage
In-Reply-To: <YFxXAv1ygADufV5z@ikki.ethgen.ch>
References: <202103231036.59847.bernhard@intevation.de>
 <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
 <YFxXAv1ygADufV5z@ikki.ethgen.ch>
Message-ID: <202103251151.16656.bernhard@intevation.de>

Hi Klaus,

Am Donnerstag 25 M?rz 2021 10:25:22 schrieb Klaus Ethgen:
> But there is
> even a solution for Web-based mail clients. Mailvelope does a pretty
> good job. Although there are some stuff to know about:
> - Mailvelope can (obviously) only handle inline PGP mails. Decoding mime
>   mails (or encoding) is far away from such a tool

AFAIR Mailvelope can do OpenPGP/MIME 
(if the webmailer it is used with offers some features).
https://www.mailvelope.com/en/faq#only_attachments

Did you know: you can use GnuPG with Mailvelope, if you want (e.g. for 
smartcards or higher security needs) 
  https://github.com/mailvelope/mailvelope/wiki/Mailvelope-GnuPG-integration

> It is sad, that the native implementation in Thunderbird is a
> big step back. Although there is some advantages like the hidden subject
> header.

To me the protected headers implementation Thunderbird is a step back,
as it leads to unnecessary data leaks (subject and cc) to other clients
with are OpenPGP/MIME compatible. And it reduces the usability for emails
in many cases (see my email thread about it).

> On the other hand, as it was stated here too, it is not possible to
> disable 

It is possible to disable (they added this later), but it is an expert option 
and the default is still on (see drawbacks mentioned above).
https://lists.gnupg.org/pipermail/gnupg-users/2021-February/064862.html

Best Regards,
Bernhard
 
-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/793d316d/attachment.sig>

From klaus+gnupg at ethgen.ch  Thu Mar 25 12:34:15 2021
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Thu, 25 Mar 2021 12:34:15 +0100
Subject: We shall value email usage
In-Reply-To: <202103251151.16656.bernhard@intevation.de>
References: <202103231036.59847.bernhard@intevation.de>
 <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
 <YFxXAv1ygADufV5z@ikki.ethgen.ch>
 <202103251151.16656.bernhard@intevation.de>
Message-ID: <YFx1N0ohaqys3Ntc@ikki.ethgen.ch>

Hi,

Am Do den 25. M?r 2021 um 11:51 schrieb Bernhard Reiter:
> To me the protected headers implementation Thunderbird is a step back,
> as it leads to unnecessary data leaks (subject and cc) to other clients
> with are OpenPGP/MIME compatible.

Well, there is other..

For example, if you start editing a mail with thunderbird and put it to
drafts. Then finishing the edit with mutt. This will leak the following
headers:
- user-agent
- x-mailer
- x-mozilla-draft-info
- x-enigmail-draft-status
- x-account-key
- x-identity-key
- fcc

Even when sending mails just from thunderbird, it leaks at least the
user-agent header.

Currently I configured my MTA to remove that headers for outgoing mails.

Gru?
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 688 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/cd9c20b5/attachment.sig>

From johndoe65534 at mail.com  Thu Mar 25 15:39:51 2021
From: johndoe65534 at mail.com (john doe)
Date: Thu, 25 Mar 2021 15:39:51 +0100
Subject: We shall value email usage
In-Reply-To: <YFx1N0ohaqys3Ntc@ikki.ethgen.ch>
References: <202103231036.59847.bernhard@intevation.de>
 <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
 <YFxXAv1ygADufV5z@ikki.ethgen.ch> <202103251151.16656.bernhard@intevation.de>
 <YFx1N0ohaqys3Ntc@ikki.ethgen.ch>
Message-ID: <80f71f68-7f44-7372-d855-0f051b3294e2@mail.com>

On 3/25/2021 12:34 PM, Klaus Ethgen wrote:
> Hi,
>
> Am Do den 25. M?r 2021 um 11:51 schrieb Bernhard Reiter:
>> To me the protected headers implementation Thunderbird is a step back,
>> as it leads to unnecessary data leaks (subject and cc) to other clients
>> with are OpenPGP/MIME compatible.
>
> Well, there is other..
>
> For example, if you start editing a mail with thunderbird and put it to
> drafts. Then finishing the edit with mutt. This will leak the following
> headers:
> - user-agent
> - x-mailer
> - x-mozilla-draft-info
> - x-enigmail-draft-status
> - x-account-key
> - x-identity-key
> - fcc
>
> Even when sending mails just from thunderbird, it leaks at least the
> user-agent header.
>
> Currently I configured my MTA to remove that headers for outgoing mails.

You can disable the usage of the user-agent in TB, one can only hope for
the others as well.

--
John Doe


From rjh at sixdemonbag.org  Thu Mar 25 15:56:10 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 25 Mar 2021 10:56:10 -0400
Subject: So long, and thanks for all the fish.
In-Reply-To: <202103250948.36938.bernhard@intevation.de>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
 <93be2649-88ca-c870-8133-cb5aa50ef2e7@vulcan.xs4all.nl>
 <202103250948.36938.bernhard@intevation.de>
Message-ID: <faccd6cb-7c01-f7bd-3ded-94717eedacfe@sixdemonbag.org>

> So to me, your statement is too general and may provoke some folks.
> (You could see that Werner and myself also refrained from general
> reasoning. :) )

I would also like to say that I have tried to make my stepping-away as 
painless and as friendly as possible.  I don't want to see ill will 
erupt in our community.  I like this community.  If anyone turns this 
into an occasion to launch a political flamewar, I will be very sad. 
Please don't do that.

My reasons for stepping away are simple.  I don't like RMS.  I think he 
is unkind.  I don't want to be associated with anything where he's in a 
position of authority.  It really is that simple.  It has nothing to do 
with politics, "cancel culture", or anything else like that.

Kindness counts.  Let's practice some.  :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x1DCBDC01B44427C7.asc
Type: application/pgp-keys
Size: 11832 bytes
Desc: OpenPGP public key
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/6ca17b83/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/6ca17b83/attachment.sig>

From erikrtn at gmail.com  Thu Mar 25 13:20:47 2021
From: erikrtn at gmail.com (Erik Reinertsen)
Date: Thu, 25 Mar 2021 08:20:47 -0400
Subject: GPG slows git commit
Message-ID: <0E0A8477-4537-437F-AC96-4267E671951C@gmail.com>

GPG slows git commit

I am on macOS 11.2.3, git 2.31.0, and gpg 2.2.27.

I have a private repo with a few python scripts (small). I create an empty text file, git add it, and commit it. I sign commits using GPG.

This process takes 4.64 seconds. Without gpg signing, it takes <1 sec.

Trace output is at https://gist.github.com/erikr/cf7b45d5382de0a5164a35aa08747d4b <https://gpgtools.tenderapp.com/discussions/problems/110188/r?go=aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZXJpa3IvY2Y3YjQ1ZDUzODJkZTBhNTE2NGEzNWFhMDg3NDdkNGI%3D>.

Expected
git commit is lightning fast, and gpg signing does not slow down git commit

Additional info
Any input would be much appreciated. I am also a beginner with GPG and git, so thanks for your patience in advance.

I posted this in the GPGTools support forum, but was told to ask this mailing list instead.

-Erik

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/23833b11/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: carbon.png
Type: image/png
Size: 206605 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/23833b11/attachment-0001.png>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/23833b11/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2021-03-20_14-05_DebugInfo.gpg
Type: application/octet-stream
Size: 13649 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/23833b11/attachment-0001.obj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210325/23833b11/attachment-0005.html>

From kloecker at kde.org  Fri Mar 26 08:56:07 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Fri, 26 Mar 2021 08:56:07 +0100
Subject: GPG slows git commit
In-Reply-To: <0E0A8477-4537-437F-AC96-4267E671951C@gmail.com>
References: <0E0A8477-4537-437F-AC96-4267E671951C@gmail.com>
Message-ID: <1748697.e9hGeTlPz6@breq>

On Donnerstag, 25. M?rz 2021 13:20:47 CET Erik Reinertsen wrote:
> I have a private repo with a few python scripts (small). I create an empty
> text file, git add it, and commit it. I sign commits using GPG.
> 
> This process takes 4.64 seconds. Without gpg signing, it takes <1 sec.
> 
> Expected
> git commit is lightning fast, and gpg signing does not slow down git commit

That's an unreasonable expectation. gpg signing will take some time. It will 
slow down git commit. But, of course, it shouldn't take multiple seconds.

> Additional info
> Any input would be much appreciated. I am also a beginner with GPG and git,
> so thanks for your patience in advance.

First let's have a look at your key. Please run
gpg --list-secret-keys
and paste the output for your signing key into your reply.

Moreover, let's time gpg signing without git. Run
echo Hello | time gpg --clearsign

Additionally, let's check which version of gpg you are using. Run
gpg --version

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210326/185c6c26/attachment.sig>

From erikrtn at gmail.com  Fri Mar 26 15:16:15 2021
From: erikrtn at gmail.com (Erik Reinertsen)
Date: Fri, 26 Mar 2021 10:16:15 -0400
Subject: GPG slows git commit 
In-Reply-To: <1748697.e9hGeTlPz6@breq>
References: <0E0A8477-4537-437F-AC96-4267E671951C@gmail.com>
 <1748697.e9hGeTlPz6@breq>
Message-ID: <8F9C9867-C654-49C2-A588-6AA4ABA072FC@gmail.com>

Ingo, I greatly appreciate your assistance.

>> Additional info
>> Any input would be much appreciated. I am also a beginner with GPG and git,
>> so thanks for your patience in advance.
> 
> First let's have a look at your key. Please run
> gpg --list-secret-keys
> and paste the output for your signing key into your reply.

$ gpg --list-secret-keys
/Users/erik/.gnupg/pubring.kbx
------------------------------
sec   rsa4096 2021-02-08 [SC] [expires: 2021-04-09]
      581F6A88B3F58A4E94A26040153F263741C51DC1
uid           [ultimate] Erik Reinertsen <erikrtn at gmail.com>
ssb   rsa4096 2021-02-08 [E] [expires: 2021-04-09]

> Moreover, let's time gpg signing without git. Run
> echo Hello | time gpg --clearsign

gpg --clearsign  0.01s user 0.01s system 0% cpu 6.696 total


> Additionally, let's check which version of gpg you are using. Run
> gpg --version

$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/erik/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

--
Erik

From alejacortez69 at gmail.com  Fri Mar 26 22:54:51 2021
From: alejacortez69 at gmail.com (alejandro Cortez)
Date: Fri, 26 Mar 2021 17:54:51 -0400
Subject: Working around SHA1 signatures in keyring
Message-ID: <CAGXOmTBzMRfbfc6fK5_OAZi7yyPiUq+Z-S3MmAhkt46Y5iu0Hg@mail.gmail.com>

For a few years, using gpg (GnuPG) 2.0.22 / libgcrypt 1.5.3 from
ubuntu-14.04 I signed coworker keys using Preferences: AES256 SHA512
BZIP2 ZLIB ZIP in gpg.conf. I am currently setting up an ubuntu-20.04
workstation with gpg (GnuPG) 2.2.19 / libgcrypt 1.8.5 and it would
seem that my config got wiped at some point because the last two keys
I signed (several months ago) give the following error when checking
sigs on my new workstation:

gpg: Note: third-party key signatures using the SHA1 algorithm are rejected

I should point out that I had to add no-self-sigs-only to the
keyserver-options as I guess the default workaround to poisoned keys
(either in the original source or something debian or ubuntu added) is
a scorched earth policy, which is fine but unworkable to our web of
trust. I created some test keys to mimic the same situation and did
the following to try to fix it:

gpg --cert-digest-algo SHA512 --expert --edit-key <key to resign>

I deleted my original signature and signed again. Then I pushed the
test key to the keyservers and added import-clean to gpg.conf and
refreshed the keys from a different test user and it _seems_ to work.
Is this a sane fix? Is there a better or more proper fix?

Thanks!


From kloecker at kde.org  Sat Mar 27 10:36:23 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Sat, 27 Mar 2021 10:36:23 +0100
Subject: Working around SHA1 signatures in keyring
In-Reply-To: <CAGXOmTBzMRfbfc6fK5_OAZi7yyPiUq+Z-S3MmAhkt46Y5iu0Hg@mail.gmail.com>
References: <CAGXOmTBzMRfbfc6fK5_OAZi7yyPiUq+Z-S3MmAhkt46Y5iu0Hg@mail.gmail.com>
Message-ID: <9924855.q3E5SDxYaB@breq>

On Freitag, 26. M?rz 2021 22:54:51 CET alejandro Cortez via Gnupg-users wrote:
> For a few years, using gpg (GnuPG) 2.0.22 / libgcrypt 1.5.3 from
> ubuntu-14.04 I signed coworker keys using Preferences: AES256 SHA512
> BZIP2 ZLIB ZIP in gpg.conf. I am currently setting up an ubuntu-20.04
> workstation with gpg (GnuPG) 2.2.19 / libgcrypt 1.8.5 and it would
> seem that my config got wiped at some point because the last two keys
> I signed (several months ago) give the following error when checking
> sigs on my new workstation:
> 
> gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
> 
> I should point out that I had to add no-self-sigs-only to the
> keyserver-options as I guess the default workaround to poisoned keys
> (either in the original source or something debian or ubuntu added) is
> a scorched earth policy, which is fine but unworkable to our web of
> trust.

From gpg's NEWS file:
=====
* gpg: Prepare against chosen-prefix SHA-1 collisions in key
    signatures.  This change removes all SHA-1 based key signature
    from the web-of-trust.  Note that this includes all key signature
    created with dsa1024 keys.  (Version 2.2.18 limits this to key
    signatures newer than 2019-01-19.)  The new option
    --allow-weak-key-signatues[sic] can be used to override the new and
    safer behaviour.  [#4755,CVE-2019-14855]
=====

Of course, the option is called --allow-weak-key-signatures.

> I created some test keys to mimic the same situation and did
> the following to try to fix it:
> 
> gpg --cert-digest-algo SHA512 --expert --edit-key <key to resign>
> 
> I deleted my original signature and signed again. Then I pushed the
> test key to the keyservers and added import-clean to gpg.conf and
> refreshed the keys from a different test user and it _seems_ to work.
> Is this a sane fix? Is there a better or more proper fix?

Well, deleting your original signature is useless if you have already 
published a key with this signature. Signing the key again with SHA512 is the 
proper fix. Note, that using "gpg --quick-sign-key" may be more convenient 
than using --edit-key.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210327/9821eae3/attachment.sig>

From kloecker at kde.org  Sat Mar 27 22:01:33 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Sat, 27 Mar 2021 22:01:33 +0100
Subject: GPG slows git commit
In-Reply-To: <8F9C9867-C654-49C2-A588-6AA4ABA072FC@gmail.com>
References: <0E0A8477-4537-437F-AC96-4267E671951C@gmail.com>
 <1748697.e9hGeTlPz6@breq> <8F9C9867-C654-49C2-A588-6AA4ABA072FC@gmail.com>
Message-ID: <1682865.UsXe81Qx9F@breq>

On Freitag, 26. M?rz 2021 15:16:15 CET Erik Reinertsen via Gnupg-users wrote:
> > Moreover, let's time gpg signing without git. Run
> > echo Hello | time gpg --clearsign
> 
> gpg --clearsign  0.01s user 0.01s system 0% cpu 6.696 total

I'm not sure that I understand the result. (The time command on my system has 
a different output format.) Does the "6.696 total" mean that clearsigning took 
almost 7 seconds? gpg didn't ask you for your passphrase, right?

Try putting 
  log-file /somewhere/gpg.log
  verbose
  debug ipc,lookup
into ~/.gnupg/gpg.conf

Then make a signed test commit and check the log file.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210327/a419aeb3/attachment.sig>

From jean.rblt at gmail.com  Mon Mar 29 15:09:02 2021
From: jean.rblt at gmail.com (J Rt)
Date: Mon, 29 Mar 2021 15:09:02 +0200
Subject: recommended way to use several smartcards with the same private key
Message-ID: <CABro6ganATVr9BAByxQBJwEW=N0iPOQLQi2MjqQ7R4se+W0WyA@mail.gmail.com>

Hi all,

I am using several smartcards with the same private key for redundancy in
case I lose one of them. I have been doing so for several years, and
occasionally changing which card I use has always been a bit of a hazzle
(in the lines of for example the discussion here:
https://sven-seeberg.de/wp/?p=967 ).

This is not a super big deal, I can fix this easily with a method similar
to what is explained on the blog, but still, it is a bit annoying to need
to fix things by hand.

My questions are:

- is there a better / simpler way to register several cards that are
interchangeable?
- if not, any hope this may be added some day / where could I ask for such
a feature / is there some WIP already working on this?

Thanks in advance!

Best,

JRT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210329/92c47596/attachment.html>

From bernhard at intevation.de  Mon Mar 29 17:13:19 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 29 Mar 2021 17:13:19 +0200
Subject: So long, and thanks for all the fish.
In-Reply-To: <faccd6cb-7c01-f7bd-3ded-94717eedacfe@sixdemonbag.org>
References: <39f98e04-dc25-997c-b5c3-87c49608c995@sixdemonbag.org>
 <202103250948.36938.bernhard@intevation.de>
 <faccd6cb-7c01-f7bd-3ded-94717eedacfe@sixdemonbag.org>
Message-ID: <202103291713.27618.bernhard@intevation.de>

Am Donnerstag 25 M?rz 2021 15:56:10 schrieb Robert J. Hansen via Gnupg-users:
> I don't want to be associated with anything where he's in a
> position of authority. ?

(Though we did establish that GnuPG is indendent of GNU decisions these days.
And FSFE is an independent organisation. Both share some important name-parts 
with what RMS did and does, so yes there is an association some people make. 
But the authority is not here and hasn't been for many years. Anyhow, it is 
your decision of course.)

> Kindness counts. ?Let's practice some. ?:)

Yes, please, thanks! :)
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210329/d96f5ff1/attachment-0001.sig>

From bernhard at intevation.de  Mon Mar 29 17:15:46 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 29 Mar 2021 17:15:46 +0200
Subject: We shall value email usage
In-Reply-To: <YFx1N0ohaqys3Ntc@ikki.ethgen.ch>
References: <202103231036.59847.bernhard@intevation.de>
 <202103251151.16656.bernhard@intevation.de> <YFx1N0ohaqys3Ntc@ikki.ethgen.ch>
Message-ID: <202103291715.46445.bernhard@intevation.de>

Am Donnerstag 25 M?rz 2021 12:34:15 schrieb Klaus Ethgen:
> if you start editing a mail with thunderbird and put it to
> drafts. Then finishing the edit with mutt.

Just wondering if there is a standard for sharing email drafts ...

Anyhow implementing the wrapped message method of protected headers
would also be good for drafts: Just fully encrypt the real mail.

Note that email needs meta data like a postal package needs an address sticker 
on the cardboard.

Best,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210329/2599cd10/attachment.sig>

From kloecker at kde.org  Mon Mar 29 22:52:53 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Mon, 29 Mar 2021 22:52:53 +0200
Subject: recommended way to use several smartcards with the same private
 key
In-Reply-To: <CABro6ganATVr9BAByxQBJwEW=N0iPOQLQi2MjqQ7R4se+W0WyA@mail.gmail.com>
References: <CABro6ganATVr9BAByxQBJwEW=N0iPOQLQi2MjqQ7R4se+W0WyA@mail.gmail.com>
Message-ID: <13486713.M6zQPPQBt1@breq>

On Montag, 29. M?rz 2021 15:09:02 CEST J Rt via Gnupg-users wrote:
> Hi all,
> 
> I am using several smartcards with the same private key for redundancy in
> case I lose one of them. I have been doing so for several years, and
> occasionally changing which card I use has always been a bit of a hazzle
> (in the lines of for example the discussion here:
> https://sven-seeberg.de/wp/?p=967 ).
> 
> This is not a super big deal, I can fix this easily with a method similar
> to what is explained on the blog, but still, it is a bit annoying to need
> to fix things by hand.
> 
> My questions are:
> 
> - is there a better / simpler way to register several cards that are
> interchangeable?
> - if not, any hope this may be added some day / where could I ask for such
> a feature / is there some WIP already working on this?

The upcoming GnuPG 2.3 (which is currently in beta testing) supports using 
several smartcards with the same private key. gpg simply checks if any of the 
inserted smartcards provide the secret key and then uses this smartcard. If no 
inserted smartcard provides the secret key, then gpg will ask for the 
smartcard registered in the stub file. But you can insert any card providing 
the key. gpg does not insist on using the smartcard listed in the stub file.

This may or may not work with a recent version of gpg 2.2 already because 
quite a few things were backported to the 2.2 series.

What gpg 2.3 does not do is register multiple smartcards in the stub files 
and, consequently, gpg does not ask for all smartcards that provide the secret 
key. It's up to you to keep track of which of your multiple smartcards provide 
the needed secret key.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210329/f83469ee/attachment.sig>

From ralph at ml.seichter.de  Mon Mar 29 22:56:43 2021
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Mon, 29 Mar 2021 22:56:43 +0200
Subject: We shall value email usage
In-Reply-To: <202103291715.46445.bernhard@intevation.de>
References: <202103231036.59847.bernhard@intevation.de>
 <202103251151.16656.bernhard@intevation.de>
 <YFx1N0ohaqys3Ntc@ikki.ethgen.ch>
 <202103291715.46445.bernhard@intevation.de>
Message-ID: <87mtul7k6s.fsf@wedjat.horus-it.com>

* Bernhard Reiter:

> Just wondering if there is a standard for sharing email drafts ...

https://tools.ietf.org/html/rfc6154 defines optional attributes for
"special-use" mailboxes. That applies to IMAP only, of course, but it
may be sufficient, depending on a user's client/server combination.

-Ralph


From jean.rblt at gmail.com  Tue Mar 30 08:56:32 2021
From: jean.rblt at gmail.com (J Rt)
Date: Tue, 30 Mar 2021 08:56:32 +0200
Subject: recommended way to use several smartcards with the same private
 key
In-Reply-To: <13486713.M6zQPPQBt1@breq>
References: <CABro6ganATVr9BAByxQBJwEW=N0iPOQLQi2MjqQ7R4se+W0WyA@mail.gmail.com>
 <13486713.M6zQPPQBt1@breq>
Message-ID: <CABro6gYzq35Nvf-Z==nXDBKGTN_9iRGfk3v-J+Py63J2AXWdzw@mail.gmail.com>

On Mon, Mar 29, 2021 at 11:08 PM Ingo Kl?cker <kloecker at kde.org> wrote:

> On Montag, 29. M?rz 2021 15:09:02 CEST J Rt via Gnupg-users wrote:
> > Hi all,
> >
> > I am using several smartcards with the same private key for redundancy in
> > case I lose one of them. I have been doing so for several years, and
> > occasionally changing which card I use has always been a bit of a hazzle
> > (in the lines of for example the discussion here:
> > https://sven-seeberg.de/wp/?p=967 ).
> >
> > This is not a super big deal, I can fix this easily with a method similar
> > to what is explained on the blog, but still, it is a bit annoying to need
> > to fix things by hand.
> >
> > My questions are:
> >
> > - is there a better / simpler way to register several cards that are
> > interchangeable?
> > - if not, any hope this may be added some day / where could I ask for
> such
> > a feature / is there some WIP already working on this?
>
> The upcoming GnuPG 2.3 (which is currently in beta testing) supports using
> several smartcards with the same private key. gpg simply checks if any of
> the
> inserted smartcards provide the secret key and then uses this smartcard.
> If no
> inserted smartcard provides the secret key, then gpg will ask for the
> smartcard registered in the stub file. But you can insert any card
> providing
> the key. gpg does not insist on using the smartcard listed in the stub
> file.
>
> This may or may not work with a recent version of gpg 2.2 already because
> quite a few things were backported to the 2.2 series.
>
> What gpg 2.3 does not do is register multiple smartcards in the stub files
> and, consequently, gpg does not ask for all smartcards that provide the
> secret
> key. It's up to you to keep track of which of your multiple smartcards
> provide
> the needed secret key.
>
> Regards,
> Ingo
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


Ok, many thanks for the explanation! Then this means that I should "just"
wait for 2.3 :) . Hope this
comes to the next Ubuntu LTS release :) .
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210330/4e95a5fb/attachment.html>

From wk at gnupg.org  Tue Mar 30 19:54:02 2021
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Mar 2021 19:54:02 +0200
Subject: recommended way to use several smartcards with the same private
 key
In-Reply-To: <13486713.M6zQPPQBt1@breq> ("Ingo
 \=\?utf-8\?Q\?Kl\=C3\=B6cker\=22's\?\= message of "Mon, 29
 Mar 2021 22:52:53 +0200")
References: <CABro6ganATVr9BAByxQBJwEW=N0iPOQLQi2MjqQ7R4se+W0WyA@mail.gmail.com>
 <13486713.M6zQPPQBt1@breq>
Message-ID: <871rbwh6it.fsf@wheatstone.g10code.de>

On Mon, 29 Mar 2021 22:52, Ingo Kl?cker said:

> This may or may not work with a recent version of gpg 2.2 already because 
> quite a few things were backported to the 2.2 series.

No, this has not been backported because it was a larger structural
change.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210330/45b6b07d/attachment.sig>

From stefan.vasilev at posteo.ru  Wed Mar 31 22:28:45 2021
From: stefan.vasilev at posteo.ru (Stefan Vasilev)
Date: Wed, 31 Mar 2021 22:28:45 +0200
Subject: We shall value email usage
In-Reply-To: <202103250954.01860.bernhard@intevation.de>
References: <202103231036.59847.bernhard@intevation.de>
 <e688b23c-196e-4ac6-6590-88e385bd7c9b@posteo.ru>
 <202103250954.01860.bernhard@intevation.de>
Message-ID: <3b9f6e5a-2fe0-e355-39d2-7cb349e8a83f@posteo.ru>


Bernhard Reiter wrote:
>
> Am Mittwoch 24 M?rz 2021 16:15:16 schrieb Stefan Vasilev via Gnupg-users:
>> Bernhard Reiter wrote:
>>> What I observe is that knowledge and practive of email usage
>>> is declining. I notice it in many little things
>> This is quite normal, because millions of people nowadays are using
>> modern web based email clients
> Most webclients I have seen, are not as usable as native clients.
> But this is no excuse for not using email in a good way. :)
>
>> and those have with Gmail etc. the option to use OpenPGP
>> too. GnuPG with add-ons for a MUAs seems therefore a bit outdated
>> and is probably mostly used among Mailing List members.
> Yes, there is a perception of "outdatedness".
> Maybe it is needed to show the advantages to make it look modern.
> A tool that is more effective should be modern.
>
> Of course, email belong to many, a proprietary messenger to one vendor,
> guess who has more marketing money. ;)
>
>> An exception might be the new Thunderbird, with
>> OpenPGP support.
> The choise of implementing a pre-standard way of protected headers
> and making it the default without way to disable it, was doing email and
> secure email a disservice in my opionion. :(
>
The more I think about GnuPG with email MUA usage I strongly believe 
that the Industry has better

options than email, especially when it comes to decentralised and 
confidential communications.


Hopefully the Industry will take a look at affordable hardware based 
encrypted Fax comms for

the little individual or small business owner.


https://www.tccsecure.com/Products/voice-fax-data-encryption/CSD3324spf-detail.aspx


Hardware based AES/DH crypto phones (no smartphones) would be a welcome 
addition too.

Or that the OpenPGP community revives PGPfone, for free Internet calls, 
at least ...


Regards

Stefan


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4500 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20210331/1d3feb00/attachment-0001.bin>