From konstantin at linuxfoundation.org Wed Jun 1 23:52:24 2022
From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Date: Wed, 1 Jun 2022 17:52:24 -0400
Subject: Error importing fetching key from wkd
In-Reply-To:
References: <6ba2f00166ce2ce5146dfd8a087758f4f5b6e1f9.camel@googlemail.com> <8735gty0h9.fsf@wheatstone.g10code.de> <4c297d6a298758101f4cca0995a6100c46ec0157.camel@googlemail.com>
Message-ID: <20220601215224.jldxka47gqn5vu22@meerkat.local>

On Tue, May 31, 2022 at 12:17:05PM -0400, Todd Zullinger via Gnupg-users wrote:
> Hello again,
>
> I wrote:
> > Dirk Gottschalk via Gnupg-users wrote:
> >> A workaround for this is to download the SRPM, remove the
> >> line '--disable-brainpool' and rebuild the package.
> >
> > Ahh, excellent. That's a relatively recent change. It's
> > available in the Fedora (and RHEL) libgcrypt-1.10 packages
> > which I believe are only in the freshly released Fedora 36
> > and RHEL 9.
>
> For the future, you can now rebuild the libgcrypt rpm from
> Fedora 36 with brainpool support without having to edit the
> spec file manually. You can pass `--with brainpool` to the
> rpmbuild command, e.g.:
>
>     rpmbuild -rb --with brainpool /path/to/libgcrypt.src.rpm
>
> Hopefully that makes life just a little easier for folks
> using Fedora who want or need brainpool support.

FYI, I also provide gnupg22-static and gnupg23-static packages that can be
rebuilt and installed on RHEL 7+ (though I haven't tried on RHEL9):

https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/

They install into /opt and can be used directly as /opt/gnupg22/bin/gpg (and
others).
-Konstantin

From tmz at pobox.com Thu Jun 2 02:43:07 2022
From: tmz at pobox.com (Todd Zullinger)
Date: Wed, 1 Jun 2022 20:43:07 -0400
Subject: Error importing fetching key from wkd
In-Reply-To: <20220601215224.jldxka47gqn5vu22@meerkat.local>
References: <6ba2f00166ce2ce5146dfd8a087758f4f5b6e1f9.camel@googlemail.com> <8735gty0h9.fsf@wheatstone.g10code.de> <4c297d6a298758101f4cca0995a6100c46ec0157.camel@googlemail.com> <20220601215224.jldxka47gqn5vu22@meerkat.local>
Message-ID:

Konstantin Ryabitsev via Gnupg-users wrote:
> FYI, I also provide gnupg22-static and gnupg23-static packages that can be
> rebuilt and installed on RHEL 7+ (though I haven't tried on RHEL9):
>
> https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/
>
> They install into /opt and can be used directly as /opt/gnupg22/bin/gpg (and
> others).

Thanks Konstantin!

On EL8/9, I needed to disable the debugsource packages for a successful build:

    %define _debugsource_template %{nil}

I only tested builds of gnupg23-static on EL8/9, but the gnupg22-static
package looks like it would need the same treatment.

Of course, the difference in algorithm support between upstream and EL8/9 is
much smaller than it was on EL7. (Here's to seeing the differences disappear
entirely.)

--
Todd

From gnupg at shoran-und-alira.de Thu Jun 2 15:04:31 2022
From: gnupg at shoran-und-alira.de (Frank)
Date: Thu, 02 Jun 2022 15:04:31 +0200
Subject: gnupg-users@gnupg.org
Message-ID: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu>

Hello,

a couple of questions:

1 What is the difference between gnupg2 and gnupg-2.X.X?
2 How do I obtain a compatibility between gnupg2 and gnupg-2.x.x?

I am currently facing a conundrum with the AIX Toolbox dependencies.
It is looking for gnupg2 but currently my compilation is as gnupg.
And I do not want to install the version from the Toolbox, when I have a
working package that is more up2date.
I tried the easiest method of changing the name, but that is not the only
problem, because the tar-file still comes in gnupg-2.x.x format.
Do I need to rename that every time?
Is there another workaround or fix I can use? (linking/provides)

Kind regards
Frank

From rjh at sixdemonbag.org Thu Jun 2 18:37:36 2022
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 2 Jun 2022 12:37:36 -0400
Subject: gnupg-users@gnupg.org
In-Reply-To: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu>
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu>
Message-ID:

> 1 What is the difference between gnupg2 and gnupg-2.X.X?

Possibly quite a lot. GnuPG exists in three different branches. For sake of
simplicity I'll call them "modern", "standard", and "classic".

Modern: GnuPG 2.3 and later.
Standard: GnuPG 2.2
Classic: GnuPG 1.4

The differences among them are principally what version of the OpenPGP
standard they track. OpenPGP has been around for decades. The Modern branch
has some bells and whistles the other two lack (principally authenticated
encryption, which *technically* exists in the other two, but the Modern
branch does it in a technically superior way).

Standard and Classic are roughly equivalent in terms of features, but
Standard exists to support desktop environments, while Classic may be more
useful in standalone server environments.

We would like to see Classic go away and move everything to Modern, but
that's not possible right now. Maybe not ever.

> It is looking for gnupg2 but currently my compilation is as gnupg.

If you're downloading the 2.2 or 2.3 branches, you can set the executable
name by passing a flag to ./configure. I think it's "--program-suffix=2",
which will add a 2 to the end of all the binaries created by GnuPG. Or, to
just set the name of the gpg binary to gpg2, use "--enable-gpg-is-gpg2".

Hope this helps.
:)

From gnupg at shoran-und-alira.de Fri Jun 3 10:27:48 2022
From: gnupg at shoran-und-alira.de (Frank)
Date: Fri, 03 Jun 2022 10:27:48 +0200
Subject: gnupg2 vs gnupg
In-Reply-To:
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu>
Message-ID: <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu>

First and foremost, sorry for the f'up on the subject.... I changed it now,
to a bit more relevant subject

>> 1 What is the difference between gnupg2 and gnupg-2.X.X?
>
> Possibly quite a lot. GnuPG exists in three different branches.
> For sake of simplicity I'll call them "modern", "standard", and
> "classic".
>
> Modern: GnuPG 2.3 and later.
> Standard: GnuPG 2.2
> Classic: GnuPG 1.4
>
> The differences among them are principally what version of the
> OpenPGP standard they track. OpenPGP has been around for decades.
> The Modern branch has some bells and whistles the other two lack
> (principally authenticated encryption, which *technically* exists in
> the other two, but the Modern branch does it in a technically
> superior way).
>
> Standard and Classic are roughly equivalent in terms of features,
> but Standard exists to support desktop environments, while Classic
> may be more useful in standalone server environments.
>
> We would like to see Classic go away and move everything to Modern,
> but that's not possible right now. Maybe not ever.
>
>> It is looking for gnupg2 but currently my compilation is as gnupg.
>
> If you're downloading the 2.2 or 2.3 branches, you can set the
> executable name by passing a flag to ./configure. I think it's
> "--program-suffix=2" will add a 2 to the end of all the binaries
> created by GnuPG. Or, to just set the name of the gpg binary to
> gpg2, use "--enable-gpg-is-gpg2".
>

It seems not as much the binary name seemed the problem but the dnf/yum/rpm
dependency. It was looking to install a gnupg2 packet while there is a gnupg
packet already installed. Hence my try to rename everything to gnupg2 but
that does not work for the source tarball.
But all gnupg-2.x.x are basically gnupg2, no matter how I name the binary,
right? Can I generate both binaries (gpg AND gpg2)? Does linking work?

For now I solved that problem with a 'Provides:' clause in my .SPEC file.
And currently I am stuck at the next problem. With the 'Provides:' clause
the dnf did recognize my gpg as valid and updated/installed all other files.
But now I have a non-working dnf

# dnf
Traceback (most recent call last):
  File "/opt/freeware/bin/dnf", line 57, in
    from dnf.cli import main
  File "/opt/freeware/lib/python3.7/site-packages/dnf/__init__.py", line 32, in
    import dnf.base
  File "/opt/freeware/lib/python3.7/site-packages/dnf/base.py", line 29, in
    import libdnf.transaction
  File "/opt/freeware/lib/python3.7/site-packages/libdnf/__init__.py", line 3, in
    from . import common_types
  File "/opt/freeware/lib/python3.7/site-packages/libdnf/common_types.py", line 13, in
    from . import _common_types
ImportError: rtld: 0712-001 Symbol _GLOBAL__AIXI_libgpg_error_so was referenced from module /opt/freeware/lib/python3.7/site-packages/libdnf/_common_types.so(), but a runtime definition of the symbol was not found.
rtld: 0712-001 Symbol _GLOBAL__AIXD_libgpg_error_so was referenced from module /opt/freeware/lib/python3.7/site-packages/libdnf/_common_types.so(), but a runtime definition of the symbol was not found.

> Hope this helps. :)

It definitely does, thanks. Hope you can help me a bit more.

Kind regards
Frank

From rjh at sixdemonbag.org Fri Jun 3 14:51:39 2022
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 3 Jun 2022 08:51:39 -0400
Subject: gnupg2 vs gnupg
In-Reply-To: <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu>
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu> <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu>
Message-ID: <9bbef24a-6c52-ea6d-4fd1-ad605e8fa76c@sixdemonbag.org>

> It seems not as much the binary name seemed the problem but the
> dnf/yum/rpm dependency.

Here's where I hate to sound like a jerk, but I can't help you. I'm not an
AIX guy and I don't do packaging for it. This is a packaging issue, not a
GnuPG one. :(

There might be an AIX person on the list who can help, but I'm unable to.

From gnupg at shoran-und-alira.de Fri Jun 3 15:11:17 2022
From: gnupg at shoran-und-alira.de (Frank)
Date: Fri, 03 Jun 2022 15:11:17 +0200
Subject: gnupg2 vs gnupg
In-Reply-To: <9bbef24a-6c52-ea6d-4fd1-ad605e8fa76c@sixdemonbag.org>
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu> <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu> <9bbef24a-6c52-ea6d-4fd1-ad605e8fa76c@sixdemonbag.org>
Message-ID: <20220603151117.Horde.rW1psE13ZOGjat0HR4v6Aw1@webmail.df.eu>

> Here's where I hate to sound like a jerk, but I can't help you. I'm
> not an AIX guy and I don't do packaging for it. This is a packaging
> issue, not a GnuPG one. :(
>
> There might be an AIX person on the list who can help, but I'm unable to.

No worries, sometimes it is just like that. And you are not a jerk, because
it is not your wheelhouse.

In parallel I am hitting the IBM OpenSource Community and got an answer that
I find discouraging:

>> The libraries compiled with xlc won't provide some of the symbols
>> which gcc built libraries needs.
>> But it can work the other way around.
>> To resolve the current issue you would need to have the Toolbox
>> dependent libraries installed or build the dependent libraries with
>> gcc.

I admit, I do not understand what they are saying with 'gcc compiled
symbols'. Is here anyone who knows anything about that? And most preferably,
how to make xlc or xlclang++ generate those symbols?

Kind regards
Frank

From gnupg at shoran-und-alira.de Fri Jun 3 18:05:36 2022
From: gnupg at shoran-und-alira.de (Frank)
Date: Fri, 03 Jun 2022 18:05:36 +0200
Subject: configure script ELF visibility
In-Reply-To: <20220603151117.Horde.rW1psE13ZOGjat0HR4v6Aw1@webmail.df.eu>
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu> <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu> <9bbef24a-6c52-ea6d-4fd1-ad605e8fa76c@sixdemonbag.org> <20220603151117.Horde.rW1psE13ZOGjat0HR4v6Aw1@webmail.df.eu>
Message-ID: <20220603180536.Horde.jz3Aj3rXBgJnfvvAJZRsGQ9@webmail.df.eu>

Hi,

can someone explain the configure script to me?
I am still looking for a way to make my libgpg-error and libassuan (see
gnupg2 vs gnupg) work with the 'darn' IBM dnf compilation.
And I am currently eyeing at the 'ELF visibility' check in the configure
script. I do not understand, what or how it intends to test.
I cannot find confdefs.h or conftest.* to see what a manual compile would
result in.

According to IBMs Webpage xlC/C++ supports visibility.
https://www.ibm.com/docs/en/xl-c-and-cpp-aix/16.1?topic=performance-using-visibility-attributes-extension

Maybe it should be looking like this?

    if ${CC-cc} -Werror -qvisibility -S conftest.c -o conftest.s \

If my amateurish tries are correct the grep would look (maybe) different:

    .globl foo{RW},hidden
    .globl bar{RW},protected

Though I noticed earlier that the -Werror seems to be not supported with cc,
xlc, xlC, xlc++ they only support -qhalt={i,w,e,s} only xlclang++ seems to
support it.
see https://www.ibm.com/docs/cs/xl-c-and-cpp-aix/16.1?topic=descriptions-qhalt-werror

If I am on the wrong path, just tell me.

Kind regards
Frank

From angel at pgp.16bits.net Mon Jun 6 02:30:33 2022
From: angel at pgp.16bits.net (Ángel)
Date: Mon, 06 Jun 2022 00:30:33 +0000
Subject: configure script ELF visibility
In-Reply-To: <20220603180536.Horde.jz3Aj3rXBgJnfvvAJZRsGQ9@webmail.df.eu>
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu> <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu> <9bbef24a-6c52-ea6d-4fd1-ad605e8fa76c@sixdemonbag.org> <20220603151117.Horde.rW1psE13ZOGjat0HR4v6Aw1@webmail.df.eu> <20220603180536.Horde.jz3Aj3rXBgJnfvvAJZRsGQ9@webmail.df.eu>
Message-ID:

On 2022-06-03 at 18:05 +0200, Frank wrote:
> Hi,
>
> can someone explain the configure script to me?
> I am still looking for a way to make my libgpg-error and libassuan
> (see gnupg2 vs gnupg) work with the 'darn' IBM dnf compilation.
(...)

It's not the Right Way™, but since you apparently already have a working
gnupg package, you could create a dummy package containing no files
(hopefully that won't fail compiling) that provides that gnupg2 dependency
so that whatever package needs it is happy.

If their gnupg2 package uses gpg2 as binary name a manual symlink would
suffice (but I wouldn't be surprised if gnupg2 package installed it with gpg
name)

Regards

From tech at eden.one Wed Jun 8 10:13:40 2022
From: tech at eden.one (Jan Eden)
Date: Wed, 8 Jun 2022 10:13:40 +0200
Subject: gpg auto-locate-key selects expired/revoked key
Message-ID:

Hi,

I just configured WKD on my server, and

    gpg -v --auto-key-locate clear,wkd,nodefault --locate-key user at domain.com

works as expected for most of my uid/key combos, except for one address
(olduser at domain.com) which is linked to both a current and a revoked key.
The output of the above command looks like this:

gpg: Note: RFC4880bis features are enabled.
gpg: using pgp trust model
gpg: pub  rsa4096/68FD03F8C6AB1DE4 2016-06-15  Old User
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: key 68FD03F8C6AB1DE4: "Old Nickname " not changed
gpg: pub  ed25519/7CD4656792B3A1F9 2022-06-06  Old User
gpg: key 7CD4656792B3A1F9: "Old User " not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg: auto-key-locate found fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: automatically retrieved 'olduser at domain.com' via WKD
pub   rsa4096 2016-06-15 [SC] [revoked: 2022-06-07]
      51585E1318770F501D3CBDE968FD03F8C6AB1DE4
uid           [ revoked] Old Nickname
uid           [ revoked] Old User
uid           [ revoked] Old Nickname2
sub   rsa4096 2016-06-15 [E] [revoked: 2022-06-07]

Even though olduser at domain.com is the primary uid for the new key, gpg
shows the other uid for this key (newname at domain.com). This is odd, but
irrelevant. But then gpg proceeds to select the revoked key which is somehow
available via WKD.

The WKD test at https://metacode.biz/openpgp/web-key-directory delivers
similar results, but at least it displays the fingerprints of both the
current and the revoked key.

Two questions:

- Which WKD server hosts my expired/revoked key such that it takes precedence
  over my own WKD server at domain.com?
- Why does gpg select an expired/revoked key over a valid key?

Thanks,
Jan

From temp at janeden.net Wed Jun 8 08:46:43 2022
From: temp at janeden.net (Jan Eden)
Date: Wed, 8 Jun 2022 08:46:43 +0200
Subject: gpg auto-locate-key selects expired/revoked key
Message-ID:

Hi,

I just configured WKD on my server, and

    gpg -v --auto-key-locate clear,wkd,nodefault --locate-key user at domain.com

works as expected for most of my uid/key combos, except for one address
(olduser at domain.com) which is linked to both a current and a revoked key.
The output of the above command looks like this:

gpg: Note: RFC4880bis features are enabled.
gpg: using pgp trust model
gpg: pub  rsa4096/68FD03F8C6AB1DE4 2016-06-15  Old User
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: key 68FD03F8C6AB1DE4: "Old Nickname " not changed
gpg: pub  ed25519/7CD4656792B3A1F9 2022-06-06  Old User
gpg: key 7CD4656792B3A1F9: "Old User " not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg: auto-key-locate found fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
gpg: Note: signature key 68FD03F8C6AB1DE4 expired Mon Jun 14 18:12:44 2021 CEST
gpg: automatically retrieved 'olduser at domain.com' via WKD
pub   rsa4096 2016-06-15 [SC] [revoked: 2022-06-07]
      51585E1318770F501D3CBDE968FD03F8C6AB1DE4
uid           [ revoked] Old Nickname
uid           [ revoked] Old User
uid           [ revoked] Old Nickname2
sub   rsa4096 2016-06-15 [E] [revoked: 2022-06-07]

Even though olduser at domain.com is the primary uid for the new key, gpg
shows the other uid for this key (newname at domain.com). This is odd, but
irrelevant. But then gpg proceeds to select the revoked key which is somehow
available via WKD.

The WKD test at https://metacode.biz/openpgp/web-key-directory delivers
similar results, but at least it displays the fingerprints of both the
current and the revoked key.

Two questions:

- Which WKD server hosts my expired/revoked key such that it takes precedence
  over my own WKD server at domain.com?
- Why does gpg select an expired/revoked key over a valid key?

Thanks,
Jan

From andrewg at andrewg.com Wed Jun 8 23:51:51 2022
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Wed, 8 Jun 2022 22:51:51 +0100
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References:
Message-ID:

On 8 Jun 2022, at 07:46, Jan Eden via Gnupg-users wrote:
>
> - Which WKD server hosts my expired/revoked key such that it takes precedence
>   over my own WKD server at domain.com ?
> - Why does gpg select an expired/revoked key over a valid key?
I suspect the issue is that your WKD is serving both keys (as you can see
from the output of the metacode checker) but GnuPG expects just one key to
be served, and so is consuming the first (which is the expired one) and
ignoring the second. Try replacing the file on the WKD server with one that
contains just the current key?

A

From tech at eden.one Thu Jun 9 08:11:01 2022
From: tech at eden.one (Jan Eden)
Date: Thu, 9 Jun 2022 08:11:01 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References:
Message-ID:

On 2022-06-08 22:51, Andrew Gallagher via Gnupg-users wrote:
> On 8 Jun 2022, at 07:46, Jan Eden via Gnupg-users wrote:
> >
> > - Which WKD server hosts my expired/revoked key such that it takes precedence
> >   over my own WKD server at domain.com ?
> > - Why does gpg select an expired/revoked key over a valid key?
>
> I suspect the issue is that your WKD is serving both keys (as you can see from the output of the metacode checker) but GnuPG expects just one key to be served, and so is consuming the first (which is the expired one) and ignoring the second. Try replacing the file on the WKD server with one that contains just the current key?

Thanks for the hint! I followed the instructions at
https://shibumi.dev/posts/how-to-setup-your-own-wkd-server/, and
unintentionally exported all keys for the address (gpg --no-armor --export
$uid) instead of specifying the key id. Now I corrected the mistake, and all
is well.

- Jan

PS. The key used to sign your message seems to be expired.
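An added example (not code from this thread or from GnuPG) that turns Andrew's observation and Jan's fix into a check an operator can run before publishing: it derives the WKD lookup URLs for an address the way gpg does (SHA-1 of the lowercased local-part, z-base-32 encoded), then walks the OpenPGP packet headers of a binary hu/ file and counts the primary keys in it, since a file built with `gpg --export <uid>` will carry every key with that uid while dirmngr only uses the first. The sample keyblocks below are constructed packet skeletons, not real keys; olduser@domain.com is the address from the thread.

```python
import hashlib

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet WKD uses for the hash
PUBLIC_KEY_TAG = 6   # OpenPGP packet tag of a primary Public-Key packet (RFC 4880, 5.5.1.1)
USER_ID_TAG = 13


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding; a 20-byte SHA-1 digest becomes exactly 32 characters."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Hashed user id as gpg computes it: z-base-32(SHA-1(lowercased local-part))."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Direct-method and advanced-method URLs dirmngr tries for an address."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hash(local_part)
    return {
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={local_part}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={local_part}",
    }


def iter_packets(blob: bytes):
    """Yield (tag, body) for every packet of a binary keyblock (RFC 4880, section 4.2)."""
    i, end = 0, len(blob)
    while i < end:
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"byte 0x{ctb:02x} at offset {i} is not a packet header")
        i += 1
        if ctb & 0x40:                       # new-format header
            tag, first = ctb & 0x3F, blob[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + blob[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(blob[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths do not occur in key material")
        else:                                # old-format header
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length is not valid in a keyblock")
            size = 1 << length_type          # 1, 2 or 4 length octets
            length = int.from_bytes(blob[i:i + size], "big")
            i += size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        i += length
        yield tag, body


def v4_fingerprint(body: bytes) -> str:
    """Version 4 key fingerprint: SHA-1 over 0x99, the two-octet body length and the body."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 key packets are fingerprinted here")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def primary_keys_in_wkd_file(blob: bytes) -> list:
    """Fingerprints of every primary key in a hu/ file; a correct file holds exactly one."""
    return [v4_fingerprint(body) for tag, body in iter_packets(blob) if tag == PUBLIC_KEY_TAG]


def wkd_file_is_sane(blob: bytes) -> bool:
    return len(primary_keys_in_wkd_file(blob)) == 1


# Constructed sample data: packet skeletons with well-formed headers, not real keys.
def _old_format_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a two-octet length, the form gpg --export uses for key packets."""
    return bytes([0x80 | (tag << 2) | 0x01]) + len(body).to_bytes(2, "big") + body

REVOKED_KEY = _old_format_packet(PUBLIC_KEY_TAG, b"\x04\x57\x61\x3b\x2c\x01" + b"constructed rsa4096 body")
CURRENT_KEY = _old_format_packet(PUBLIC_KEY_TAG, b"\x04\x62\x9d\xe5\x3f\x16" + b"constructed ed25519 body")
USER_ID = _old_format_packet(USER_ID_TAG, b"Old User <olduser@domain.com>")
# What `gpg --no-armor --export olduser@domain.com` yields: every key carrying that uid.
ALL_KEYS_FOR_UID = REVOKED_KEY + USER_ID + CURRENT_KEY + USER_ID
# What the hu/ file must contain: the one key selected by fingerprint or key id.
SINGLE_KEY = CURRENT_KEY + USER_ID
```

Running `primary_keys_in_wkd_file` over the bytes actually served at `wkd_urls(address)["direct"]` (fetched out of band) is the same check the metacode tester performs when it lists two fingerprints.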
From wk at gnupg.org Thu Jun 9 09:49:39 2022
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Jun 2022 09:49:39 +0200
Subject: configure script ELF visibility
In-Reply-To: <20220603180536.Horde.jz3Aj3rXBgJnfvvAJZRsGQ9@webmail.df.eu> (Frank's message of "Fri, 03 Jun 2022 18:05:36 +0200")
References: <20220602150431.Horde.YFF_YeJ_cH03zH4XaqHyrQ8@webmail.df.eu> <20220603102748.Horde.c1Xxf30yDmknPNJ3kiAItw2@webmail.df.eu> <9bbef24a-6c52-ea6d-4fd1-ad605e8fa76c@sixdemonbag.org> <20220603151117.Horde.rW1psE13ZOGjat0HR4v6Aw1@webmail.df.eu> <20220603180536.Horde.jz3Aj3rXBgJnfvvAJZRsGQ9@webmail.df.eu>
Message-ID: <87mtemgtt8.fsf@wheatstone.g10code.de>

On Fri, 3 Jun 2022 18:05, Frank said:

> And I am currently eyeing at the 'ELF visibility' check in the
> configure script.

That is pretty old code from 2007. I do not remember any details; it is
possible that this is based on Uli Drepper's original paper. It was
originally implemented for Libgcrypt - but the code is the same.

> I cannot find confdefs.h or conftest.* to see what a manual compile
> would result in.

If the conftest runs into an error, it is dumped to the config.log. If I
want to debug such things, I usually have the configure script to stop right
after the test.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
From wk at gnupg.org Thu Jun 9 10:40:28 2022
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Jun 2022 10:40:28 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To: (Jan Eden via Gnupg-users's message of "Thu, 9 Jun 2022 08:11:01 +0200")
References:
Message-ID: <87ilpagrgj.fsf@wheatstone.g10code.de>

On Thu, 9 Jun 2022 08:11, Jan Eden said:

> Now I corrected the mistake, and all is well.

I don't think this is your mistake. We need to do something about it.
Tracked at https://dev.gnupg.org/T6023

BTW, to ignore local keys and update from WKD (or whatever has been
configured) you can use --locate-external-key which is available since
2.2.17.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From andrewg at andrewg.com Thu Jun 9 12:37:08 2022
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 9 Jun 2022 11:37:08 +0100
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References:
Message-ID: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com>

On 09/06/2022 07:11, Jan Eden wrote:
> PS. The key used to sign your message seems to be expired.

That could be because you already had my key in your keyring and it wasn't
recently (i.e. in the last 18 months) refreshed. What does it say if you
incant the following?

```
gpg --refresh-key 0xFB73E21AF1163937
```

A
From tech at eden.one Thu Jun 9 12:50:16 2022
From: tech at eden.one (Jan Eden)
Date: Thu, 9 Jun 2022 12:50:16 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com>
References: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com>
Message-ID:

On 2022-06-09 11:37, Andrew Gallagher wrote:
> On 09/06/2022 07:11, Jan Eden wrote:
> > PS. The key used to sign your message seems to be expired.
>
> That could be because you already had my key in your keyring and it
> wasn't recently (i.e. in the last 18 months) refreshed. What does it say
> if you incant the following?
>
> ```
> gpg --refresh-key 0xFB73E21AF1163937
> ```

jan ~ % gpg --refresh-key 0xFB73E21AF1163937
gpg: refreshing 1 key from hkp://pgp.surf.nl
gpg: key FB73E21AF1163937: "Andrew Gallagher " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

- Jan

From tech at eden.one Thu Jun 9 12:52:43 2022
From: tech at eden.one (Jan Eden)
Date: Thu, 9 Jun 2022 12:52:43 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To: <87ilpagrgj.fsf@wheatstone.g10code.de>
References: <87ilpagrgj.fsf@wheatstone.g10code.de>
Message-ID:

On 2022-06-09 10:40, Werner Koch wrote:
> On Thu, 9 Jun 2022 08:11, Jan Eden said:
>
> > Now I corrected the mistake, and all is well.
>
> I don't think this is your mistake. We need to do something about it.
> Tracked at https://dev.gnupg.org/T6023
>
> BTW, to ignore local keys and update from WKD (or whatever has been
> configured) you can use --locate-external-key which is available since
> 2.2.17.

Thank you (both for the task and the suggestion)!
Best,
Jan

From andrewg at andrewg.com Thu Jun 9 13:08:06 2022
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 9 Jun 2022 12:08:06 +0100
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com>
Message-ID: <1e59d4a3-71b2-5d77-1458-8e95f93a5e70@andrewg.com>

On 09/06/2022 11:50, Jan Eden wrote:
> jan ~ % gpg --refresh-key 0xFB73E21AF1163937
> gpg: refreshing 1 key from hkp://pgp.surf.nl
> gpg: key FB73E21AF1163937: "Andrew Gallagher " not changed
> gpg: Total number processed: 1
> gpg:              unchanged: 1

You're using the pgp.surf.nl keyserver, but it has been broken for some time
(it's currently lagging by about 360 thousand keys). pgp.surf.nl was
configured by default in some previous releases of gnupg but has since been
replaced.

You should edit dirmngr.conf and change your default keyserver to e.g.
keys.openpgp.org or keyserver.ubuntu.com (other keyservers are available, see
https://spider.pgpkeys.eu).

Example:

```
% more ~/.gnupg/dirmngr.conf
keyserver hkps://pgpkeys.eu
```

A
From tech at eden.one Thu Jun 9 13:20:51 2022
From: tech at eden.one (Jan Eden)
Date: Thu, 9 Jun 2022 13:20:51 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To: <1e59d4a3-71b2-5d77-1458-8e95f93a5e70@andrewg.com>
References: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com> <1e59d4a3-71b2-5d77-1458-8e95f93a5e70@andrewg.com>
Message-ID:

On 2022-06-09 12:08, Andrew Gallagher wrote:
> On 09/06/2022 11:50, Jan Eden wrote:
> > jan ~ % gpg --refresh-key 0xFB73E21AF1163937
> > gpg: refreshing 1 key from hkp://pgp.surf.nl
> > gpg: key FB73E21AF1163937: "Andrew Gallagher " not changed
> > gpg: Total number processed: 1
> > gpg:              unchanged: 1
>
> You're using the pgp.surf.nl keyserver, but it has been broken for some
> time (it's currently lagging by about 360 thousand keys). pgp.surf.nl
> was configured by default in some previous releases of gnupg but has
> since been replaced.
>
> You should edit dirmngr.conf and change your default keyserver to e.g.
> keys.openpgp.org or keyserver.ubuntu.com (other keyservers are
> available, see https://spider.pgpkeys.eu).
>
> Example:
>
> ```
> % more ~/.gnupg/dirmngr.conf
> keyserver hkps://pgpkeys.eu
> ```

I had configured hkp://keys.gnupg.net in gpg.conf (no separate
dirmngr.conf). Switching to keys.openpgp.org had the desired effect:

jan ~ % gpg --refresh-key 0xFB73E21AF1163937
gpg: refreshing 1 key from hkp://keys.openpgp.org
gpg: key FB73E21AF1163937: "Andrew Gallagher " 8 new signatures
gpg: Total number processed: 1
gpg:         new signatures: 8

Thanks,
Jan
From andrewg at andrewg.com Thu Jun 9 14:01:34 2022
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 9 Jun 2022 13:01:34 +0100
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com> <1e59d4a3-71b2-5d77-1458-8e95f93a5e70@andrewg.com>
Message-ID:

On 09/06/2022 12:20, Jan Eden wrote:
> I had configured hkp://keys.gnupg.net in gpg.conf (no separate
> dirmngr.conf). Switching to keys.openpgp.org had the desired effect:

keys.gnupg.net has not existed for a few years now, but for backwards
compatibility gnupg silently maps it to the hardcoded default server. So
setting keys.gnupg.net in your config effectively does nothing...

A

From azbigdogs at gmx.com Thu Jun 9 17:38:04 2022
From: azbigdogs at gmx.com (Mark)
Date: Thu, 9 Jun 2022 08:38:04 -0700
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References: <832d4ad8-d09b-4964-2b66-7198a4c1f4ae@andrewg.com> <1e59d4a3-71b2-5d77-1458-8e95f93a5e70@andrewg.com>
Message-ID:

I just looked at what Kleopatra has it set for and it has it set for
hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
choice?

On 6/9/2022 5:01 AM, Andrew Gallagher via Gnupg-users wrote:
> On 09/06/2022 12:20, Jan Eden wrote:
>> I had configured hkp://keys.gnupg.net in gpg.conf (no separate
>> dirmngr.conf). Switching to keys.openpgp.org had the desired effect:
> keys.gnupg.net has not existed for a few years now, but for backwards
> compatibility gnupg silently maps it to the hardcoded default server. So
> setting keys.gnupg.net in your config effectively does nothing...
>
> A

--
PGP Key Upon Request

From kloecker at kde.org Thu Jun 9 21:40:46 2022
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 09 Jun 2022 21:40:46 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References:
Message-ID: <2564383.k3LOHGUjKi@daneel>

On Thursday, 9 June 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> I just looked at what Kleopatra has it set for and it has it set for
> hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
> choice?

Kleopatra 3.1.21.220401 uses whatever `gpgconf --list-options dirmngr`
returns as value for `keyserver`. So it depends on the version of GnuPG you
are using. The default returned by gpgconf 2.3.6 is
hkps://keyserver.ubuntu.com.

As Andrew wrote, hkp://keys.gnupg.net is mapped internally by dirmngr to the
default keyserver. For a short while, hkp://keys.gnupg.net was mapped to
hkp://pgp.surf.nl while hkps://keys.gnupg.net was mapped to
hkps://keyserver.ubuntu.com. Since 2.3.5 all URLs with domain name
keys.gnupg.net are mapped to hkps://keyserver.ubuntu.com. The latest 2.2
version still uses hkp://pgp.surf.nl for non-TLS keys.gnupg.net URLs.

Conclusion: For GnuPG 2.3.5 and later hkp://keys.gnupg.net is as good as not
setting a keyserver or as setting it to hkps://keyserver.ubuntu.com. If you
are using a recent GnuPG 2.2, then hkp://keys.gnupg.net is not a good
choice. It's much better not to set a keyserver at all and go with the
default. Even for GnuPG 2.3.5 not setting keyserver is the way to go unless
you really want to use a specific keyserver.

Regards,
Ingo
From tech at eden.one Thu Jun 9 22:13:32 2022
From: tech at eden.one (Jan Eden)
Date: Thu, 9 Jun 2022 22:13:32 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To: <2564383.k3LOHGUjKi@daneel>
References: <2564383.k3LOHGUjKi@daneel>
Message-ID:

On 2022-06-09 21:40, Ingo Klöcker wrote:
> On Donnerstag, 9. Juni 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> > I just looked at what Kleopatra has it set for and it has it set for
> > hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
> > choice?
>
> Kleopatra 3.1.21.220401 uses whatever `gpgconf --list-options dirmngr` returns
> as value for `keyserver`. So it depends on the version of GnuPG you are using.
> The default returned by gpgconf 2.3.6 is hkps://keyserver.ubuntu.com.
>
> As Andrew wrote, hkp://keys.gnupg.net is mapped internally by dirmngr to the
> default keyserver. For a short while, hkp://keys.gnupg.net was mapped to
> hkp://pgp.surf.nl while hkps://keys.gnupg.net was mapped to
> hkps://keyserver.ubuntu.com. Since 2.3.5 all URLs with domain name
> keys.gnupg.net are mapped to hkps://keyserver.ubuntu.com. The latest 2.2
> version still uses hkp://pgp.surf.nl for non-TLS keys.gnupg.net URLs.
>
> Conclusion: For GnuPG 2.3.5 and later hkp://keys.gnupg.net is as good as not
> setting a keyserver or as setting it to hkps://keyserver.ubuntu.com. If you
> are using a recent GnuPG 2.2, then hkp://keys.gnupg.net is not a good choice.
> It's much better not to set a keyserver at all and go with the default. Even
> for GnuPG 2.3.5 not setting keyserver is the way to go unless you really want
> to use a specific keyserver.

That's interesting, because I had configured hkp://keys.gnupg.net in gpg.conf (deprecated, I know) with GnuPG 2.3.4 and was not able to refresh Andrew's keys. Only after changing the keyserver option to hkp://keys.openpgp.org, I received the updated keys.

`gpgconf --list-options dirmngr` returns hkps://keyserver.ubuntu.com, though.
- Jan

From tech at eden.one Thu Jun 9 22:29:52 2022
From: tech at eden.one (Jan Eden)
Date: Thu, 9 Jun 2022 22:29:52 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References: <2564383.k3LOHGUjKi@daneel>
Message-ID:

On 2022-06-09 22:13, Jan Eden via Gnupg-users wrote:
>
> On 2022-06-09 21:40, Ingo Klöcker wrote:
> > On Donnerstag, 9. Juni 2022 17:38:04 CEST Mark via Gnupg-users wrote:
> > > I just looked at what Kleopatra has it set for and it has it set for
> > > hkp://keys.gnupg.net as well. I'm guessing that is no longer the best
> > > choice?
> >
> > Kleopatra 3.1.21.220401 uses whatever `gpgconf --list-options dirmngr` returns
> > as value for `keyserver`. So it depends on the version of GnuPG you are using.
> > The default returned by gpgconf 2.3.6 is hkps://keyserver.ubuntu.com.
> >
> > As Andrew wrote, hkp://keys.gnupg.net is mapped internally by dirmngr to the
> > default keyserver. For a short while, hkp://keys.gnupg.net was mapped to
> > hkp://pgp.surf.nl while hkps://keys.gnupg.net was mapped to
> > hkps://keyserver.ubuntu.com. Since 2.3.5 all URLs with domain name
> > keys.gnupg.net are mapped to hkps://keyserver.ubuntu.com. The latest 2.2
> > version still uses hkp://pgp.surf.nl for non-TLS keys.gnupg.net URLs.
> >
> > Conclusion: For GnuPG 2.3.5 and later hkp://keys.gnupg.net is as good as not
> > setting a keyserver or as setting it to hkps://keyserver.ubuntu.com. If you
> > are using a recent GnuPG 2.2, then hkp://keys.gnupg.net is not a good choice.
> > It's much better not to set a keyserver at all and go with the default. Even
> > for GnuPG 2.3.5 not setting keyserver is the way to go unless you really want
> > to use a specific keyserver.
>
> That's interesting, because I had configured hkp://keys.gnupg.net in
> gpg.conf (deprecated, I know) with GnuPG 2.3.4 and was not able to
> refresh Andrew's keys. Only after changing the keyserver option to
> hkp://keys.openpgp.org, I received the updated keys.
>
> `gpgconf --list-options dirmngr` returns hkps://keyserver.ubuntu.com,
> though.

Sorry, the output of gpgconf referred to a changed configuration. This is what happens for me with GnuPG 2.3.4:

    value for `keyserver` in gpg.conf   →  keyserver used with `--refresh-key`
    hkp://keys.gnupg.net                →  hkp://pgp.surf.nl
    hkp://keys.openpgp.org              →  hkp://keys.openpgp.org
    [empty]                             →  hkps://keyserver.ubuntu.com

- Jan

From kloecker at kde.org Thu Jun 9 22:43:53 2022
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 09 Jun 2022 22:43:53 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References:
Message-ID: <3425750.V25eIC5XRa@daneel>

On Donnerstag, 9. Juni 2022 22:29:52 CEST Jan Eden via Gnupg-users wrote:
> Sorry, the output of gpgconf referred to a changed configuration. This
> is what happens for me with GnuPG 2.3.4:
>
> value for `keyserver` in gpg.conf  →  keyserver used with `--refresh-key`
> hkp://keys.gnupg.net               →  hkp://pgp.surf.nl
> hkp://keys.openpgp.org             →  hkp://keys.openpgp.org
> [empty]                            →  hkps://keyserver.ubuntu.com

Which matches what I wrote. Additionally you should see

    hkps://keys.gnupg.net  →  hkps://keyserver.ubuntu.com

Regards,
Ingo
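The thread above shows two things a practitioner will want to check in their own configuration: a `keyserver` value naming keys.gnupg.net is silently rewritten by dirmngr, so the server written in the file is not the one contacted, and a plain `hkp://` URL sends lookups without TLS. The script below is an added example, not code from any message in this archive and not GnuPG's own; it audits the `keyserver` option in both files gpg reads it from (gpg.conf, where gpg(1) documents the option as deprecated, and dirmngr.conf). The file layout under `$GNUPGHOME` and the option syntax are GnuPG's; the verdict labels and function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit the `keyserver` option in a
# GNUPGHOME for the legacy keys.gnupg.net alias and for non-TLS hkp:// URLs.

# Print the value of the first active `keyserver` line in a config file,
# ignoring comment lines and surrounding whitespace. Prints nothing when the
# option is unset or the file does not exist.
keyserver_from_conf() {
  [ -r "$1" ] || return 0
  sed -n 's/^[[:space:]]*keyserver[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Classify a configured value (labels are this script's own):
#   ok             unset (dirmngr then uses its built-in default, which
#                  gpgconf 2.3.6 reports as hkps://keyserver.ubuntu.com)
#                  or an explicit non-hkp:// server
#   legacy-alias   any keys.gnupg.net URL: dirmngr rewrites it, so the
#                  server named in the file is not the one contacted
#   plaintext-hkp  hkp:// without TLS: lookups travel unencrypted
classify_keyserver() {
  case "$1" in
    "")                                            echo ok ;;
    hkp://keys.gnupg.net*|hkps://keys.gnupg.net*)  echo legacy-alias ;;
    hkp://*)                                       echo plaintext-hkp ;;
    *)                                             echo ok ;;
  esac
}

# Report "<file>:<value-or-(unset)>:<verdict>" for gpg.conf (still honoured,
# but gpg(1) documents the option there as deprecated in favour of
# dirmngr.conf) and dirmngr.conf. $1 overrides GNUPGHOME.
audit_gnupg_keyservers() {
  home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
  for f in gpg.conf dirmngr.conf; do
    v="$(keyserver_from_conf "$home/$f")"
    printf '%s:%s:%s\n' "$f" "${v:-(unset)}" "$(classify_keyserver "$v")"
  done
}

# Stand-alone run: report on the current GNUPGHOME (or the directory given).
audit_gnupg_keyservers "$@"
```

A `legacy-alias` verdict means the line can simply be removed (the default server is what dirmngr uses anyway in 2.3.5 and later); a `plaintext-hkp` verdict is worth changing to the `hkps://` form of the same server where it offers one.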
From bronger at physik.rwth-aachen.de Fri Jun 10 20:44:04 2022
From: bronger at physik.rwth-aachen.de (Torsten Bronger)
Date: Fri, 10 Jun 2022 20:44:04 +0200
Subject: Cannot import private key into gpgsm
Message-ID: <87y1y4xssr.fsf@physik.rwth-aachen.de>

Hallöchen!

For signing emails, I requested an S/MIME certificate using the German academic DFN service. At the end of this process, I get a .p12 file (PKCS12). I can convert this file to PEM using

    openssl pkcs12 -in TorstenBronger.p12 -nodes -out /tmp/temp.pem

In the PEM file, I can see four certificates (my own and the chain) and the private key. But importing the .p12 file into gpgsm fails:

    $ gpgsm --import TorstenBronger.p12
    gpgsm: data error at "data.objectidentifier", offset 67
    gpgsm: error at "bag-sequence", offset 49
    gpgsm: error parsing or decrypting the PKCS#12 file
    gpgsm: total number processed: 0

It does not matter whether or not I removed the password from the key using the roundtripping described in https://serverfault.com/a/633820/47303. Moreover, neither git.scc.kit.edu/-/snippets/572 nor importing into and re-exporting from Firefox change anything. The error message is the same afterwards.

Writing only the certificates to a PEM, I seem to be able to import them into gpgsm's database (along with the public key?). But the private key is missing. One source said that gpg and gpgsm share the same database at least for private keys. But I get an import error trying to import the PEM file with only the key into gpg.

How can I successfully import the certificates and the key into gpgsm?

Regards,
Torsten.

P.S.: This is basically a copy of https://superuser.com/questions/1725832/gpgsm-cannot-import-private-key. If I get an answer here which is not put by the answerer themselves to superuser.com, I will update superuser.com.
-- 
Torsten Bronger

From home2fin at icloud.com Sat Jun 11 16:24:11 2022
From: home2fin at icloud.com (Linus Virtanen)
Date: Sat, 11 Jun 2022 14:24:11 -0000
Subject: question of verifying signatures
Message-ID: <8dd6c74f-e014-4ab6-a835-fc9f10003e7a@me.com>

Hi, I try to verify the GPG signatures of multiple applications on Windows but I failed. A friend of mine tried and failed. He said that you do not need to verify GPG signatures. He says it is a waste of time. Is it really necessary to verify GPG signatures? If it is necessary, would you tell me why? Thank you.

From ckeader at disroot.org Sun Jun 12 01:52:47 2022
From: ckeader at disroot.org (ckeader)
Date: Sun, 12 Jun 2022 00:52:47 +0100
Subject: Cannot import private key into gpgsm
In-Reply-To: <87y1y4xssr.fsf@physik.rwth-aachen.de>
References: <87y1y4xssr.fsf@physik.rwth-aachen.de>
Message-ID:

> One source said that gpg and gpgsm share the same database at least
> for private keys. But I get an import error trying to import the
> PEM file with only the key into gpg.
>
> How can I successfully import the certificates and the key into
> gpgsm?

FWIW, I've never been able to import the S/MIME cert from $WORK into gnupg/gpgsm straight. I've had to go via thunderbird import -> export > gpgsm import to become functional. Not sure why, maybe CRLF was an issue, but I never investigated as I have a working process.

From johndoe65534 at mail.com Sun Jun 12 08:15:15 2022
From: johndoe65534 at mail.com (john doe)
Date: Sun, 12 Jun 2022 08:15:15 +0200
Subject: question of verifying signatures
In-Reply-To: <8dd6c74f-e014-4ab6-a835-fc9f10003e7a@me.com>
References: <8dd6c74f-e014-4ab6-a835-fc9f10003e7a@me.com>
Message-ID:

On 6/11/2022 4:24 PM, Linus Virtanen via Gnupg-users wrote:
> Hi, I try to verify the GPG signatures of multiple applications on Windows but I
> failed. A friend of mine tried and failed.
> He said that you do not need to
> verify GPG signatures. He says it is a waste of time. Is it really necessary
> to verify GPG signatures? If it is necessary, would you tell me why? Thank
> you.

It is up to you to decide if you want to verify a GPG signature.

To verify a signature it is required to import a public key; look for instructions on the site from which you downloaded what is to be verified.

-- 
John Doe

From wk at gnupg.org Mon Jun 13 18:25:23 2022
From: wk at gnupg.org (Werner Koch)
Date: Mon, 13 Jun 2022 18:25:23 +0200
Subject: Cannot import private key into gpgsm
In-Reply-To: <87y1y4xssr.fsf@physik.rwth-aachen.de> (Torsten Bronger's message of "Fri, 10 Jun 2022 20:44:04 +0200")
References: <87y1y4xssr.fsf@physik.rwth-aachen.de>
Message-ID: <8735g8cyz0.fsf@wheatstone.g10code.de>

Hi!

please let us know your GnuPG versions and your OS.

Shalom-Salam,

Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From 2458099 at gmail.com Mon Jun 13 18:39:23 2022
From: 2458099 at gmail.com (Gilberto F da Silva)
Date: Mon, 13 Jun 2022 13:39:23 -0300
Subject: Cannot import private key into gpgsm
In-Reply-To: <8735g8cyz0.fsf@wheatstone.g10code.de>
References: <87y1y4xssr.fsf@physik.rwth-aachen.de> <8735g8cyz0.fsf@wheatstone.g10code.de>
Message-ID:

Slackware64 15

    slack15 at darkstar:~/.config$ gpg --version
    gpg (GnuPG) 1.4.23
    Copyright (C) 2015 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: ~/.gnupg
    Algoritmos suportados:
    Chave pública: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cifra: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
    Dispersão: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compressão: Uncompressed, ZIP, ZLIB, BZIP2
    slack15 at darkstar:~/.config$

Werner Koch via Gnupg-users wrote:
> Hi!
>
> please let us know your GnuPG versions and your OS.
>
>
> Shalom-Salam,
>
> Werner

From jcb62281 at gmail.com Tue Jun 14 00:19:57 2022
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Mon, 13 Jun 2022 17:19:57 -0500
Subject: Cannot import private key into gpgsm
In-Reply-To:
References: <87y1y4xssr.fsf@physik.rwth-aachen.de> <8735g8cyz0.fsf@wheatstone.g10code.de>
Message-ID: <62A7B80D.2080703@gmail.com>

Gilberto F da Silva via Gnupg-users wrote:
> Slackware64 15
>
> slack15 at darkstar:~/.config$ gpg --version
> gpg (GnuPG) 1.4.23
> [...]

I may be misunderstanding, but I do not think that GPG 1.4.x ever even supported X.509 at all. Maybe you also have a gpg2 command? Maybe there is another gpg somewhere else on the machine?

-- Jacob

From bronger at physik.rwth-aachen.de Tue Jun 14 08:36:31 2022
From: bronger at physik.rwth-aachen.de (Torsten Bronger)
Date: Tue, 14 Jun 2022 08:36:31 +0200
Subject: Cannot import private key into gpgsm
In-Reply-To: (ckeader via Gnupg-users's message of "Sun, 12 Jun 2022 00:52:47 +0100")
References: <87y1y4xssr.fsf@physik.rwth-aachen.de>
Message-ID: <871qvrah00.fsf@physik.rwth-aachen.de>

Hallöchen!

ckeader via Gnupg-users writes:

> [...]
>
>> How can I successfully import the certificates and the key into
>> gpgsm?
>
> FWIW, I've never been able to import the S/MIME cert from $WORK
> into gnupg/gpgsm straight. I've had to go via thunderbird import
> -> export > gpgsm import to become functional. Not sure why, maybe
> CRLF was an issue, but I never investigated as I have a working
> process.

Thunderbird can export secret keys, too? Mine (91.9.1) exports only certificates, in PEM or PKCS7 format.

Regards,
Torsten.

-- 
Torsten Bronger

From bronger at physik.rwth-aachen.de Tue Jun 14 08:38:20 2022
From: bronger at physik.rwth-aachen.de (Torsten Bronger)
Date: Tue, 14 Jun 2022 08:38:20 +0200
Subject: Cannot import private key into gpgsm
In-Reply-To: <8735g8cyz0.fsf@wheatstone.g10code.de> (Werner Koch's message of "Mon, 13 Jun 2022 18:25:23 +0200")
References: <87y1y4xssr.fsf@physik.rwth-aachen.de> <8735g8cyz0.fsf@wheatstone.g10code.de>
Message-ID: <87wndj92cj.fsf@physik.rwth-aachen.de>

Hallöchen!

Werner Koch writes:

> please let us know your GnuPG versions and your OS.

    gpgsm (GnuPG) 2.2.27
    libgcrypt 1.9.4
    libksba 1.6.0-unknown

    Supported algorithms:
    Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
    Pubkey: RSA, ECC
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

On Ubuntu 22.04.

Regards,
Torsten.

-- 
Torsten Bronger

From wk at gnupg.org Tue Jun 14 09:50:21 2022
From: wk at gnupg.org (Werner Koch)
Date: Tue, 14 Jun 2022 09:50:21 +0200
Subject: Cannot import private key into gpgsm
In-Reply-To: <87wndj92cj.fsf@physik.rwth-aachen.de> (Torsten Bronger's message of "Tue, 14 Jun 2022 08:38:20 +0200")
References: <87y1y4xssr.fsf@physik.rwth-aachen.de> <8735g8cyz0.fsf@wheatstone.g10code.de> <87wndj92cj.fsf@physik.rwth-aachen.de>
Message-ID: <87ilp3bs5e.fsf@wheatstone.g10code.de>

On Tue, 14 Jun 2022 08:38, Torsten Bronger said:
> Hallöchen!
>
> Werner Koch writes:
>
>> please let us know your GnuPG versions and your OS.
>
> gpgsm (GnuPG) 2.2.27

Please update to 2.2.35 which

 * gpgsm: Fix parsing of certain PKCS#12 files. [T5793]

See https://dev.gnupg.org/T5793 . It is likely that your parsing problem is also solved with this update.

Salam-Shalom,

Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From 2458099 at gmail.com Tue Jun 14 00:44:07 2022
From: 2458099 at gmail.com (Gilberto F da Silva)
Date: Mon, 13 Jun 2022 19:44:07 -0300
Subject: Cannot import private key into gpgsm
In-Reply-To: <62A7B80D.2080703@gmail.com>
References: <87y1y4xssr.fsf@physik.rwth-aachen.de> <8735g8cyz0.fsf@wheatstone.g10code.de> <62A7B80D.2080703@gmail.com>
Message-ID:

Jacob Bachmeyer wrote:
> Gilberto F da Silva via Gnupg-users wrote:
>> Slackware64 15
>>
>> slack15 at darkstar:~/.config$ gpg --version
>> gpg (GnuPG) 1.4.23
>> [...]
>
>
> I may be misunderstanding, but I do not think that GPG 1.4.x ever even
> supported X.509 at all. Maybe you also have a gpg2 command? Maybe
> there is another gpg somewhere else on the machine?
>
>
> -- Jacob

I have 3 Linux distributions installed on the computer. In openSUSE Tumbleweed the result is different when using gpg --version.

openSUSE Tumbleweed

    tumbleweed at localhost:~> gpg --version
    gpg (GnuPG) 2.3.4
    libgcrypt 1.9.4-unknown
    Copyright (C) 2021 Free Software Foundation, Inc.
    License GNU GPL-3.0-or-later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: /home/tumbleweed/.gnupg
    Supported algorithms:
    Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    AEAD: EAX, OCB
    Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    tumbleweed at localhost:~>

From artur.brzozowski at protonmail.com Fri Jun 17 14:23:48 2022
From: artur.brzozowski at protonmail.com (artur.brzozowski)
Date: Fri, 17 Jun 2022 12:23:48 +0000
Subject: Supervised gpg-agent on FreeBSD
Message-ID: <3ed0n7MHwQwn7JV1bc-eW6kAUJIB-OhfkZ2LKjlRtWwFXvqXyt3DGPwalXmcXiYFlKDtFHazevoSgnjI_274RsKXQO1MURpzzKN1PFHHn-8=@protonmail.com>

Hello.

I've been trying to get gpg-agent running under supervision using FreeBSD's native daemon(8) [1]

The description for the utility states the following:

    The daemon utility detaches itself from the controlling terminal and executes the program specified by its arguments. Privileges may be lowered to the specified user. The output of the daemonized process may be redirected to syslog and to a log file.

This requires that the program executed by daemon(8) stays attached to the parent process - the daemon(8) supervisor.
Looking at gpg-agent(1) [2] options, I see a choice between:

    --server     - but it uses stdin instead of a socket for communication (not sure if desirable)
    --daemon     - but it detaches itself from the spawning process (undesirable)
    --supervised - seemingly fitting, but may require some utilities specific to GNU/Linux

I usually run my services using the following template:

    /usr/sbin/daemon -f -P "${pidfile_supervisor}" -p "${pidfile_daemon}" -r -- gpg-agent --server|--supervised|--daemon

    "-f" redirects standard input, standard output and standard error to /dev/null
    "-P" sets the path to the supervisor/daemon(8) pidfile
    "-p" likewise, but for the child/gpg-agent
    "-r" instructs the supervisor to restart the child process if it terminates

This brings me to my question: Is there a way to run gpg-agent in the foreground (like for --server or --supervisor), but keep it listening to the standard socket (unlike --server)? Or, in other words, like gpg-agent --daemon, but without the detachment, so that it can stay glued to the daemon(8) process.

As a reference, I run Emacs in such way without any trouble - a simple "daemon [options...] -- emacs --fg-daemon" suffices in that case.

~Artur

[1] https://www.freebsd.org/cgi/man.cgi?daemon(8)
[2] https://www.freebsd.org/cgi/man.cgi?gpg-agent(1)
From wk at gnupg.org Fri Jun 17 16:26:41 2022
From: wk at gnupg.org (Werner Koch)
Date: Fri, 17 Jun 2022 16:26:41 +0200
Subject: Supervised gpg-agent on FreeBSD
In-Reply-To: <3ed0n7MHwQwn7JV1bc-eW6kAUJIB-OhfkZ2LKjlRtWwFXvqXyt3DGPwalXmcXiYFlKDtFHazevoSgnjI_274RsKXQO1MURpzzKN1PFHHn-8=@protonmail.com> (artur brzozowski via Gnupg-users's message of "Fri, 17 Jun 2022 12:23:48 +0000")
References: <3ed0n7MHwQwn7JV1bc-eW6kAUJIB-OhfkZ2LKjlRtWwFXvqXyt3DGPwalXmcXiYFlKDtFHazevoSgnjI_274RsKXQO1MURpzzKN1PFHHn-8=@protonmail.com>
Message-ID: <871qvn74da.fsf@wheatstone.g10code.de>

On Fri, 17 Jun 2022 12:23, artur.brzozowski said:
> I've been trying to get gpg-agent running under supervision using
> FreeBSD's native daemon(8) [1]

Please don't do that. The --supervised option has been deprecated recently because it conflicts with GnuPG's internal management of daemon processes.

Salam-Shalom,

Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
From project at gnuhacker.org Sat Jun 18 02:14:34 2022
From: project at gnuhacker.org (GH)
Date: Sat, 18 Jun 2022 02:14:34 +0200
Subject: loopback issue signing git commits
Message-ID: <875ykyakut.fsf@gnu.org>

Hi,

I use gnupg on a remote server, which I connect to via ssh.

I configured gnupg as loopback; it asks me for my gpg passwd in the command line or in my emacs minibuffer when I use magit.

But when I commit in git, I sign my commits, and gpg asks me for the passwd with the GUI pinentry (on the remote server).

In a remote ssh connection I can't insert that password.

please, help

My config is:

in ~/.gnupg/gpg.conf

    use-agent
    pinentry-mode loopback

in ~/.gnupg/gpg-agent.conf

    allow-emacs-pinentry
    allow-loopback-pinentry

in ~/.gitconfig

    [user]
        name = GH
        email = project at gnuhacker.org
        signingkey = ECA4C5D86C7D8215
    [commit]
        gpgsign = true

From tech at eden.one Sun Jun 19 09:17:10 2022
From: tech at eden.one (Jan Eden)
Date: Sun, 19 Jun 2022 09:17:10 +0200
Subject: gpg auto-locate-key selects expired/revoked key
In-Reply-To:
References: <87ilpagrgj.fsf@wheatstone.g10code.de>
Message-ID:

On 2022-06-09 12:52, Jan Eden via Gnupg-users wrote:
> On 2022-06-09 10:40, Werner Koch wrote:
> > On Thu, 9 Jun 2022 08:11, Jan Eden said:
> >
> > > Now I corrected the mistake, and all is well.
> >
> > I don't think this is your mistake. We need to do something about it.
> > Tracked at https://dev.gnupg.org/T6023
> >
> > BTW, to ignore local keys and update from WKD (or whatever has been
> > configured) you can use --locate-external-key which is available since
> > 2.2.17.
>
> Thank you (both for the task and the suggestion)!
Following up on this issue: I now use the command suggested at https://wiki.gnupg.org/WKDHosting with a filter for the revoked key's fingerprint:

    gpg --list-options show-only-fpr-mbox -k '@eden.one' | grep -v zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz | gpg-wks-client -v --directory /var/www/html/site/.well-known/openpgpkey --install-key

As I have only a single key to exclude, this is a viable solution for me.

- Jan

From theaetetos at tutanota.com Wed Jun 22 18:34:45 2022
From: theaetetos at tutanota.com (theaetetos at tutanota.com)
Date: Wed, 22 Jun 2022 18:34:45 +0200 (CEST)
Subject: SSH_AUTH_SOCK - to set or not to set?
Message-ID:

Hello,

I have trouble understanding the socket aspect of the ssh support in GnuPG. I use the following setup (only including the relevant lines):

---
*FILE: ~/.profile

    export GNUPGHOME="$XDG_DATA_HOME"/gnupg
    GPG_TTY="$(tty)"; export GPG_TTY
    # unset SSH_AGENT_PID
    # export SSH_AUTH_SOCK="$GNUPGHOME"/S.gpg-agent.ssh

*FILE: "$GNUPGHOME"/gpg-agent.conf

    enable-ssh-support
    #(other options skipped)

*FILE: window manager init script

    gpgconf --launch gpg-agent
---

If I leave the ssh unset/export lines commented out in the ~/.profile file, SSH_AUTH_SOCK ends up unset and I cannot use the gpg-agent as my ssh-agent.

On page 14 of the GnuPG Manual (version 2.3.3, October 2021), under 2.5 Examples, we read that if we enable the support for the ssh-agent, we also need to tell ssh about it by adding the following snippet to our init script:

    unset SSH_AGENT_PID
    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
      export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    fi

I don't understand the condition being checked, but I gather the whole thing is simply a more robust version of my ~/.profile two-liner.
Meanwhile, the first sentence of the gpg-agent(1) man page for the --enable-ssh-support option, which I set in my gpg-agent.conf, tells us: The OpenSSH Agent protocol is always enabled, but gpg-agent will only set the SSH_AUTH_SOCK variable if this flag is given.

So should 'SSH_AUTH_SOCK' be set by the user or can gpg-agent indeed take care of that?

Best,
Patrizio

From dgouttegattat at incenp.org Wed Jun 22 22:19:46 2022
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Wed, 22 Jun 2022 21:19:46 +0100
Subject: SSH_AUTH_SOCK - to set or not to set?
In-Reply-To:
References:
Message-ID: <3358946.LZWGnKmheA@borealin.local.incenp.org>

On Wednesday, 22 June 2022 17:34:45 BST theaetetos--- via Gnupg-users wrote:
> unset SSH_AGENT_PID
> if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
>   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
> fi
>
> I don't understand the condition being checked, but I gather the whole
> thing is simply a more robust version of my ~/.profile two-liner.

Yes. `gnupg_SSH_AUTH_SOCK_by` is set by the agent at the same time as `SSH_AUTH_SOCK`. By checking that variable instead of `SSH_AUTH_SOCK` directly, you avoid the case where `SSH_AUTH_SOCK` has already (incorrectly) been set by something else (for example by an earlier profile script).

The `gpgconf` thing is to make sure `SSH_AUTH_SOCK` is always set to the correct path, because you should not assume the socket will always be in GnuPG's home directory. With modern GnuPG versions it is normally somewhere under [/var]/run.

> Meanwhile, the first sentence of the gpg-agent(1) man page for the
> --enable-ssh-support option, which I set in my gpg-agent.conf, tells
> us: The OpenSSH Agent protocol is always enabled, but gpg-agent will
> only set the SSH_AUTH_SOCK variable if this flag is given.
>
> So should 'SSH_AUTH_SOCK' be set by the user or can gpg-agent indeed
> take care of that?

In most cases you should set `SSH_AUTH_SOCK` yourself in your profile script.
There are two cases where the sentence you are referring to in gpg-agent(1) is relevant:

1) You use gpg-agent to spawn a new program (e.g. a shell):

    $ gpg-agent --enable-ssh-support --daemon /bin/sh

In that case, the agent will take care of exporting `SSH_AUTH_SOCK` before spawning the shell, so it does not need to be done in the shell's profile script.

2) You invoke gpg-agent in a profile script like this:

    eval $(gpg-agent --sh --enable-ssh-support --daemon)

In this case, the agent will print to stdout the appropriate `export SSH_AUTH_SOCK` stanza, which will then be evaluated by the `eval` command, resulting in the variable being exported in the shell's environment.

This used to be a pretty standard way of both starting the agent *and* making sure the environment variables SSH_AUTH_SOCK and GPG_AGENT_INFO were set, back in the times before the start-on-demand mechanism was devised. Nowadays, with the start-on-demand mechanism (which made GPG_AGENT_INFO obsolete), I don't think there's any compelling reason to still use that method, but it's still there.

Hope that helps,

- Damien

From theaetetos at tutanota.com Thu Jun 23 23:41:54 2022
From: theaetetos at tutanota.com (theaetetos at tutanota.com)
Date: Thu, 23 Jun 2022 23:41:54 +0200 (CEST)
Subject: SSH_AUTH_SOCK - to set or not to set?
In-Reply-To: <3358946.LZWGnKmheA@borealin.local.incenp.org>
References: <3358946.LZWGnKmheA@borealin.local.incenp.org>
Message-ID:

Hi, Damien.

Jun 22, 2022, 20:19 by dgouttegattat at incenp.org:

> Yes. `gnupg_SSH_AUTH_SOCK_by` is set by the agent at the same time as
> `SSH_AUTH_SOCK` (...)
> The `gpgconf` thing is to make sure `SSH_AUTH_SOCK` is always set to
> the correct path (...).

Thank you for the explanation...
> In most cases you should set `SSH_AUTH_SOCK` yourself in your profile
> script.

...and for this important clarification.

> 2) You invoke gpg-agent in a profile script like this:
> eval $(gpg-agent --sh --enable-ssh-support --daemon)

> Nowadays, with the start-on-demand mechanism (which made
> GPG_AGENT_INFO obsolete), I don't think there's any compelling reason
> to still use that method, but it's still there.

Still, as indicated in the man page for gpg-agent under the --enable-ssh-support option, ssh queries cannot themselves launch the gpg-agent, so the agent needs to be started explicitly (creating the socket) if one expects to initiate any SSH connections before said agent can be autostarted by a gpg request. For that, I just use `gpgconf --launch gpg-agent` in my init script, and of course I will be setting the SSH_AUTH_SOCK as required.

> Hope that helps,

You've been most helpful. Thank you once again.

Best regards,
Patrizio

From angel at pgp.16bits.net Fri Jun 24 02:02:47 2022
From: angel at pgp.16bits.net (Ángel)
Date: Fri, 24 Jun 2022 02:02:47 +0200
Subject: loopback issue signing git commits
In-Reply-To: <875ykyakut.fsf@gnu.org>
References: <875ykyakut.fsf@gnu.org>
Message-ID:

On 2022-06-18 at 02:14 +0200, GH wrote:
> Hi,
>
> I use gnupg on a remote server, which I connect to via ssh.
>
> I configured gnupg as loopback; it asks me for my gpg passwd in the command
> line or in my emacs minibuffer when I use magit.
>
> But when I commit in git, I sign my commits, and gpg asks me for the
> passwd
> with the GUI pinentry (on the remote server).
>
> In a remote ssh connection I can't insert that password.
>
> please, help

What's the full gpg command line being run by git? I suspect it may be overriding some setting.
Rather than using loopback to read it, I think it might be more appropriate to configure it to use pinentry-curses

Regards

From minasargyrou at outlook.com Fri Jun 24 22:47:55 2022
From: minasargyrou at outlook.com (Minas Argyrou)
Date: Fri, 24 Jun 2022 20:47:55 +0000
Subject: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
Message-ID:

I am trying to get GnuPG to work with my SmartCard-HSM 4K on Windows, using the GP4Win bundle.

Kleopatra doesn't recognise the SC-HSM 4K at all, even though, it DOES recognise the YubiKey 5 NFC in BOTH PIV and Openpgp Card apps.

When trying to use the GPA.exe alternative, it just freezes when I click on the "smartcards" button; not sure if it's related.

Trying to debug this, using CMD:

    scdaemon --server serialno

I get the following result:

> scdaemon[xxxxx]: detected reader 'ACS ACR38U 0'
> scdaemon[xxxxx]: reader slot 0: not connected
> scdaemon[xxxxx]: pcsc_control failed: invalid PC/SC error code (0x1)
> scdaemon[xxxxx]: pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
> scdaemon[xxxxx]: reader slot 0: active protocol: T1
> scdaemon[xxxxx]: slot 0: ATR=3bde18ff8191fe1fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> scdaemon[xxxxx]: error parsing PrKDF record: Invalid object
> scdaemon[xxxxx]: no supported card application found: Invalid object
> S PINCACHE_PUT 0//
> ERR 100696144 No such device

Below I am including my configuration files.

scdaemon.conf

    ###+++--- GPGConf ---+++###
    verbose
    verbose
    verbose
    verbose
    verbose
    verbose
    verbose
    verbose
    verbose
    disable-ccid
    ###+++--- GPGConf ---+++### 09/06/y22 23:29:33 GTB Daylight Time
    # GPGConf edited this configuration file.
    # It will disable options before this marked block, but it will
    # never change anything below these lines.
    #pcsc-shared

I have tried all possible combinations with `disable-ccid` and `pcsc-shared` and nothing works.
gpgagent.conf

###+++--- GPGConf ---+++###
enable-extended-key-format
ignore-cache-for-signing
no-allow-external-cache
no-allow-loopback-pinentry
grab
pinentry-timeout 10
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
ssh-fingerprint-digest SHA384
###+++--- GPGConf ---+++### 18/04/y22 07:30:51 GTB Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

enable-putty-support
enable-ssh-support
use-standard-socket
default-cache-ttl 600
max-cache-ttl 7200

gpgsm.conf

###+++--- GPGConf ---+++###
auto-issuer-key-retrieve
enable-crl-checks
enable-ocsp
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
include-certs -1
cipher-algo AES256
###+++--- GPGConf ---+++### 01/04/y22 19:10:26 GTB Daylight Time
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.

I was never able to get the SC-HSM to work with GnuPG, even though it is supposedly supported. This is the current time I am trying to figure it out. This time, I haven't played with anything other than scdaemon.conf, but, as far as I can tell, the SC-HSM didn't work even with the defaults on a fresh install.

The card otherwise works nicely with everything else. Any help would be greatly appreciated!

From kloecker at kde.org Sat Jun 25 13:08:49 2022
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat, 25 Jun 2022 13:08:49 +0200
Subject: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
In-Reply-To:
References:
Message-ID: <13047961.uLZWGnKmhe@daneel>

On Friday, 24
June 2022 22:47:55 CEST Minas Argyrou via Gnupg-users wrote:
> I am trying to get GnuPG to work with my SmartCard-HSM 4K on Windows, using
> the GP4Win bundle.
>
> Kleopatra doesn't recognise the SC-HSM 4K at all, even though it DOES
> recognise the YubiKey 5 NFC in BOTH PIV and OpenPGP Card apps.

Every smart card and every smart card reader is different, and therefore it's sheer luck if scdaemon (and thus Kleopatra, which relies entirely on scdaemon) supports a smart card or a reader that is not explicitly supported.

> When trying to use the GPA.exe alternative, it just freezes when I click on
> the "smartcards" button; not sure if it's related.

Maybe GPA doesn't handle the errors that scdaemon reports correctly. In any case, GPA is not actively developed or maintained anymore (https://dev.gnupg.org/source/gpa/history/master/).

> I was never able to get the SC-HSM to work with GnuPG, even though it is
> supposedly supported.

I'm not sure this is correct. According to `man scdaemon` some "SmartCard-HSM card application" is supported, but `man scdaemon` goes on: "The SmartCard-HSM cards requires a card reader that supports Extended Length APDUs." This implies that scdaemon supports some "SmartCard-HSM" that is available as a smart card which needs to be inserted into a smart card reader. Your SC-HSM 4K seems to be a USB token, i.e. it includes a smart card reader. I guess it's _not_ supported by scdaemon and/or pcsc.

Regards,
Ingo
From liste at secarica.ro Sat Jun 25 14:29:32 2022
From: liste at secarica.ro (Cristian Secară)
Date: Sat, 25 Jun 2022 15:29:32 +0300
Subject: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
In-Reply-To:
References:
Message-ID: <20220625152932.00004c98@secarica.ro>

On Fri, 24 Jun 2022 20:47:55 +0000, Minas Argyrou via Gnupg-users wrote:
> When trying to use the GPA.exe alternative, it just freezes when I
> click on the "smartcards" button; not sure if it's related.

Since Gpg4win 4.0.x, GPA freezes when clicking on the toolbar Card icon. You can try version Gpg4win 3.1.16, which has a still working GPA card manager.

Cristi

--
Cristian Secară
https://www.secarica.ro

From rhettbohling at gmail.com Sun Jun 26 03:58:22 2022
From: rhettbohling at gmail.com (Rhett)
Date: Sat, 25 Jun 2022 21:58:22 -0400
Subject: Gnupg-users Digest, Vol 225, Issue 8
In-Reply-To:
References:
Message-ID:

Help Unsubscribe

On Fri, Jun 24, 2022 at 6:21 PM wrote:
> Send Gnupg-users mailing list submissions to
> gnupg-users at gnupg.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
> or, via email, send a message with subject or body 'help' to
> gnupg-users-request at gnupg.org
>
> You can reach the person managing the list at
> gnupg-users-owner at gnupg.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Gnupg-users digest..."
>
>
> Today's Topics:
>
> 1. Re: loopback issue signing git commits (Ángel)
> 2.
> gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM (Minas Argyrou)
From liste at secarica.ro Sun Jun 26 13:28:55 2022
From: liste at secarica.ro (Cristian Secară)
Date: Sun, 26 Jun 2022 14:28:55 +0300
Subject: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
In-Reply-To:
References: <20220625152542.00003c6a@secarica.ro>
Message-ID: <20220626142855.00001dcc@secarica.ro>

On Sun, 26 Jun 2022 09:59:43 +0000, Minas Argyrou wrote:
> Do you, by any chance, know about the SC-HSM not being recognized for
> S/MIME? Much appreciated!

No, sorry. Perhaps this is application-dependent? Just a clue from this Outlook-related issue:
https://github.com/OpenSC/OpenSC/issues/755

Cristi

--
Cristian Secară
https://www.secarica.ro

From patrick at enigmail.net Sun Jun 26 18:12:19 2022
From: patrick at enigmail.net (Patrick Brunschwig)
Date: Sun, 26 Jun 2022 18:12:19 +0200
Subject: Looking for new Maintainer for gpgOSX
Message-ID: <69d13c70-ef12-1092-2368-c46d17fcacf8@enigmail.net>

gpgOSX is a free pre-packaged installable distribution of standard GnuPG 2.x for macOS. I have been maintaining it since the release of GnuPG 2.1.0 back in 2014. As many of you know, I'm also maintaining Enigmail. Since OpenPGP support is part of Thunderbird, my involvement with Enigmail has reduced a lot, and so has my involvement with GnuPG. Furthermore, I don't have a Mac anymore, and it has become more and more difficult and cumbersome to continue maintaining and building gpgOSX.

I am therefore looking for someone who would want to step in and take over the project. If you're interested, then please get in touch with me.

Thanks,
Patrick
From minasargyrou at outlook.com Sun Jun 26 11:59:43 2022
From: minasargyrou at outlook.com (Minas Argyrou)
Date: Sun, 26 Jun 2022 09:59:43 +0000
Subject: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
In-Reply-To: <20220625152542.00003c6a@secarica.ro>
References: <20220625152542.00003c6a@secarica.ro>
Message-ID:

Hello,

Wow, thanks for the clarification, I didn't know about that problem in the newer versions!

Do you, by any chance, know about the SC-HSM not being recognized for S/MIME? Much appreciated!

Minas

-----Original Message-----
From: Cristian Secară
Sent: Saturday, 25 June, 2022 15:26
To: gnupg-users at gnupg.org
Cc: Minas Argyrou
Subject: Re: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM

On Fri, 24 Jun 2022 20:47:55 +0000, Minas Argyrou via Gnupg-users wrote:
> When trying to use the GPA.exe alternative, it just freezes when I
> click on the "smartcards" button; not sure if it's related.

Since Gpg4win 4.0.x, GPA freezes when clicking on the toolbar Card icon. You can try version Gpg4win 3.1.16, which has a still working GPA card manager.

Cristi

--
Cristian Secară
mobil: +40 722 570015
https://www.secarica.ro

From project at gnuhacker.org Mon Jun 27 00:11:42 2022
From: project at gnuhacker.org (GH)
Date: Mon, 27 Jun 2022 00:11:42 +0200
Subject: loopback issue signing git commits
In-Reply-To: ("Ángel"'s message of "Fri, 24 Jun 2022 02:02:47 +0200")
References: <875ykyakut.fsf@gnu.org>
Message-ID: <87r13b3wip.fsf@gnu.org>

Ángel writes:

> What's the full gpg command line being run by git? I suspect it may be
> overriding some setting.
I just do "git commit"

From wk at gnupg.org Mon Jun 27 15:55:15 2022
From: wk at gnupg.org (Werner Koch)
Date: Mon, 27 Jun 2022 15:55:15 +0200
Subject: gpa.exe hungs when click on "smartcards" AND scdaemon cannot recognise SC-HSM
In-Reply-To: (Minas Argyrou via Gnupg-users's message of "Fri, 24 Jun 2022 20:47:55 +0000")
References:
Message-ID: <87y1xi1a9o.fsf@wheatstone.g10code.de>

On Fri, 24 Jun 2022 20:47, Minas Argyrou said:

>> scdaemon[xxxxx]: detected reader 'ACS ACR38U 0'

Never got them to run properly. Just stay away from this reader type.

> I was never able to get the SC-HSM to work with GnuPG, even though it is
> supposedly supported. This is the current time I am trying to figure it out.

I have samples here but unfortunately did not come around to test them. However, there are updates to the pkcs#15 handling in the latest GnuPG releases. You may want to check that you are using 2.2.35 or 2.3.6.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that refuse military service.
- A. Einstein
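For the SC-HSM thread above (Ingo's reader-versus-card question and Werner's advice to check for 2.2.35 or 2.3.6), the following is an added example, not code from GnuPG or from anyone on the list. It reads the verbose scdaemon output Minas posted (reproduced here as a constructed sample) and the first line of `gpg --version`, and reports how far scdaemon got with the reader and card and whether the installed build is at Werner's release floor. The stage names, the verdict wording and the `MIN_VERSIONS` table are this example's own choices; the line patterns are taken from the posted log lines.

```python
"""Triage for the SC-HSM thread: how far did scdaemon get, and is GnuPG new enough?

Added example, not code from GnuPG or from anyone on the list.  Stage
names, verdict wording and MIN_VERSIONS are this example's own; the log
patterns come from the scdaemon lines posted in the thread.
"""
import re

# Constructed sample: the scdaemon lines from the original post, with the
# masked pid and the masked ATR tail kept exactly as posted.
SAMPLE_SCDAEMON_LOG = """\
scdaemon[xxxxx]: detected reader 'ACS ACR38U 0'
scdaemon[xxxxx]: reader slot 0: not connected
scdaemon[xxxxx]: pcsc_control failed: invalid PC/SC error code (0x1)
scdaemon[xxxxx]: pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
scdaemon[xxxxx]: reader slot 0: active protocol: T1
scdaemon[xxxxx]: slot 0: ATR=3bde18ff8191fe1fxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
scdaemon[xxxxx]: error parsing PrKDF record: Invalid object
scdaemon[xxxxx]: no supported card application found: Invalid object
"""

# Patch level per release branch below which Werner's reply says to upgrade
# (2.2.35 / 2.3.6); branches he did not mention map to None.
MIN_VERSIONS = {(2, 2): 35, (2, 3): 6}

# Log lines that mark each stage of scdaemon's reader -> card -> application
# sequence; the named groups capture the detail worth showing the user.
STAGE_PATTERNS = [
    ("reader_detected", re.compile(r"detected reader '(?P<reader>[^']+)'")),
    ("pcsc_control_error", re.compile(r"pcsc_control failed: (?P<err>.+)")),
    ("protocol_active", re.compile(r"active protocol: (?P<proto>\S+)")),
    ("atr_read", re.compile(r"ATR=(?P<atr>[0-9a-fA-Fx]+)")),
    ("p15_parse_error", re.compile(r"error parsing (?P<record>\w+) record: (?P<err>.+)")),
    ("no_app", re.compile(r"no supported card application found")),
]


def triage_scdaemon_log(text):
    """Return {'stages': {name: captured fields}, 'verdict': str} for a log."""
    stages = {}
    for line in text.splitlines():
        for name, pattern in STAGE_PATTERNS:
            match = pattern.search(line)
            if match and name not in stages:
                stages[name] = match.groupdict()
    # Walk the sequence from the outside in: no reader, no card, no application.
    if "reader_detected" not in stages:
        verdict = "reader level: PC/SC reports no reader, check driver and pcscd"
    elif "atr_read" not in stages:
        verdict = "card level: reader seen but no ATR, card not present or not powered"
    elif "no_app" in stages:
        verdict = "application level: card answers but no supported application was selected"
    else:
        verdict = "card application selected"
    if "pcsc_control_error" in stages:
        verdict += " (reader also failed vendor-specific PC/SC control calls)"
    return {"stages": stages, "verdict": verdict}


_VERSION_RE = re.compile(r"^gpg \(GnuPG\) (\d+)\.(\d+)\.(\d+)")


def gnupg_meets_minimum(version_output):
    """Parse `gpg --version` output; True/False against MIN_VERSIONS for the
    build's branch, None when the branch is not one the thread mentions."""
    lines = version_output.splitlines()
    match = _VERSION_RE.match(lines[0] if lines else "")
    if not match:
        raise ValueError("unrecognised gpg --version output")
    major, minor, patch = (int(x) for x in match.groups())
    floor = MIN_VERSIONS.get((major, minor))
    return None if floor is None else patch >= floor


if __name__ == "__main__":
    result = triage_scdaemon_log(SAMPLE_SCDAEMON_LOG)
    for name, fields in result["stages"].items():
        print(f"{name:20s} {fields}")
    print("verdict:", result["verdict"])
    for line in ("gpg (GnuPG) 2.2.34", "gpg (GnuPG) 2.3.6"):  # constructed version lines
        print(line, "->", gnupg_meets_minimum(line))
```

On the posted log the verdict lands at the application level: the reader was detected, a T=1 protocol was negotiated and an ATR came back, so PC/SC and the token's built-in reader are talking to the card; the failure is in parsing the pkcs#15 PrKDF record, which is the part Werner says changed in the newer releases. To run it against a live system, paste the output of `scdaemon --server` followed by `serialno` (as in the original post) into `triage_scdaemon_log`, and the first line of `gpg --version` into `gnupg_meets_minimum`.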