From ilf at zeromail.org Wed Aug 2 16:31:19 2023
From: ilf at zeromail.org (ilf)
Date: Wed, 2 Aug 2023 16:31:19 +0200
Subject: GPGME: disable S/MIME (signature verification)
Message-ID:

Hi

How can I disable S/MIME or S/MIME signature verification in GPGME?

Many Mutt users use GPGME, but few verify S/MIME signatures. In these cases, the check is useless. It's also annoying, because it can take around 25 seconds to timeout and fail.

See the relevant thread over on mutt-users: http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20230724/004259.html

Thanks

-- 
ilf

If you upload your address book to "the cloud", I don't want to be in it.

From kloecker at kde.org Wed Aug 2 20:00:22 2023
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 02 Aug 2023 20:00:22 +0200
Subject: GPGME: disable S/MIME (signature verification)
In-Reply-To:
References:
Message-ID: <1870762.tdWV9SEqCh@daneel>

On Wednesday, 2 August 2023 16:31:19 CEST ilf wrote:
> How can I disable S/MIME or S/MIME signature verification in GPGME?
>
> Many Mutt users use GPGME, but few verify S/MIME signatures. In these
> cases, the check is useless. It's also annoying, because it can take
> around 25 seconds to timeout and fail.

Add disable-dirmngr to your gpgsm.conf.
This won't disable S/MIME signature verification, but it disables expensive
online checks. The alternative in GpgME is
https://gnupg.org/documentation/manuals/gpgme/Offline-Mode.html#Offline-Mode

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL:

From ilf at zeromail.org Wed Aug 2 20:53:46 2023
From: ilf at zeromail.org (ilf)
Date: Wed, 2 Aug 2023 20:53:46 +0200
Subject: GPGME: disable S/MIME (signature verification)
In-Reply-To: <1870762.tdWV9SEqCh@daneel>
References: <1870762.tdWV9SEqCh@daneel>
Message-ID:

Thanks. But those sound like they affect OpenPGP, too.
Sorry, I didn't make this explicit in my first mail: But I want to use OpenPGP with all features, including Dirmngr. I just don't want to use S/MIME.

Ingo Klöcker:
> Add disable-dirmngr to your gpgsm.conf.
> This won't disable S/MIME signature verification, but it disables expensive
> online checks. The alternative in GpgME is
> https://gnupg.org/documentation/manuals/gpgme/Offline-Mode.html#Offline-Mode

-- 
ilf

If you upload your address book to "the cloud", I don't want to be in it.

From kloecker at kde.org Wed Aug 2 21:26:03 2023
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 02 Aug 2023 21:26:03 +0200
Subject: GPGME: disable S/MIME (signature verification)
In-Reply-To:
References: <1870762.tdWV9SEqCh@daneel>
Message-ID: <5964830.lOV4Wx5bFT@daneel>

On Wednesday, 2 August 2023 20:53:46 CEST ilf wrote:
> Ingo Klöcker:
> > Add disable-dirmngr to your gpgsm.conf.
> > This won't disable S/MIME signature verification, but it disables
> > expensive online checks. The alternative in GpgME is
> > https://gnupg.org/documentation/manuals/gpgme/Offline-Mode.html#Offline-Mode
>
> Thanks. But those sound like they affect OpenPGP, too.
>
> Sorry, I didn't make this explicit in my first mail: But I want to use
> OpenPGP with all features, including Dirmngr. I just don't want to use
> S/MIME.

It shouldn't. OpenPGP is handled by gpg which has its own config file. gpgsm.conf is only used by gpgsm which deals with S/MIME.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL:

From felix.klee at inka.de Thu Aug 3 09:04:26 2023
From: felix.klee at inka.de (Felix E.
Klee)
Date: Thu, 3 Aug 2023 15:04:26 +0800
Subject: YubiKey/OpenPGP card connection issues for non-root user
Message-ID:

Recently I set up a YubiKey 5C NFC, and when I connect it to my Linux system (running in VMware under Windows), it sometimes takes minutes to be able to use. I.e. it can take forever until I get a successful response from:

    gpg --card-status

OTOH I can immediately get a response when I run the above command as root.

Now I notice that the occasional connection issues I have with the OpenPGP card in my SCM SPR332 are similar. Furthermore, it happens that the YubiKey or the card reader suddenly disappear for the ordinary user, although that is rare.

I have set up udev rules for both. But it seems that sometimes they don't trigger, or only with a long delay.

    [felix at felix-arch ~]$ cd /etc/udev/rules.d/
    [felix at felix-arch rules.d]$ cat 70-yubikey.rules
    # YubiKey Support
    #
    ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0404", MODE="660", GROUP="scard"
    [felix at felix-arch rules.d]$ cat 71-gnupg-ccid.rules
    # GPG SmartCard Reader Support
    #
    ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="04e6", ENV{ID_MODEL_ID}=="e003", MODE="660", GROUP="scard"

Even without udev rules, I think I should have access to the devices, because I'm in group `scard`:

    [felix at felix-arch ~]$ ls /dev/bus/usb/002/011
    /dev/bus/usb/002/011
    [felix at felix-arch ~]$ ls -l /dev/bus/usb/002/011
    crw-rw---- 1 root scard 189, 138 Aug 3 14:56 /dev/bus/usb/002/011
    [felix at felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device
    [felix at felix-arch ~]$ groups
    scanner saned uucp optical lp audio wheel felix scard plugdev
    [felix at felix-arch ~]$ lsusb
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 003 Device 004: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
    Bus 003 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
    Bus 003 Device 002: ID 0e0f:0003 VMware, Inc.
Virtual Mouse
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 002: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
    Bus 002 Device 011: ID 1050:0404 Yubico.com Yubikey 4/5 CCID
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

How do I fix that?

I am happy to substitute the udev rules with a timer, or to call some command to give permissions every time I want to use the YubiKey or the OpenPGP card. I just would like the whole process to be more reliable. Currently, it's extremely frustrating.

From ilf at zeromail.org Thu Aug 3 12:00:08 2023
From: ilf at zeromail.org (ilf)
Date: Thu, 3 Aug 2023 12:00:08 +0200
Subject: GPGME: disable S/MIME (signature verification)
In-Reply-To: <5964830.lOV4Wx5bFT@daneel>
References: <1870762.tdWV9SEqCh@daneel> <5964830.lOV4Wx5bFT@daneel>
Message-ID:

That seems to work nicely. Thanks!

Ingo Klöcker:
> It shouldn't. OpenPGP is handled by gpg which has its own config file.
> gpgsm.conf is only used by gpgsm which deals with S/MIME.

-- 
ilf

If you upload your address book to "the cloud", I don't want to be in it.

From mcr+ietf at sandelman.ca Thu Aug 3 15:28:02 2023
From: mcr+ietf at sandelman.ca (Michael Richardson)
Date: Thu, 03 Aug 2023 09:28:02 -0400
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To:
References:
Message-ID: <31363.1691069282@localhost>

Felix E. Klee wrote:
> system (running in VMware under Windows), it sometimes takes minutes to

> [felix at felix-arch ~]$ ls /dev/bus/usb/002/011
> /dev/bus/usb/002/011

I think you need to make sure that it's not VMware that's failing to plug the device through in a timely manner.

    dmesg -w

Would confirm that it's getting there.

You say that you can get it working as root. How does --card-status know which USB device to use? Does it perhaps scan through all devices? I wonder if it is getting stuck on some other device that it hasn't got permission?
> How do I fix that?
> I am happy to substitute the udev rules with a timer, or to call some
> command to give permissions every time I want to use the YubiKey or the
> OpenPGP card. I just would like the whole process to be more reliable.
> Currently, it's extremely frustrating.

!-indeed.

-- 
Michael Richardson . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 515 bytes
Desc: not available
URL:

From felix.klee at inka.de Sat Aug 5 06:10:13 2023
From: felix.klee at inka.de (Felix E. Klee)
Date: Sat, 5 Aug 2023 12:10:13 +0800
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To: <31363.1691069282@localhost>
References: <31363.1691069282@localhost>
Message-ID:

On Thu, Aug 3, 2023 at 9:28 PM Michael Richardson wrote:
> I think you need to make sure that it's not VMware that's failing to
> plug the device through in a timely manner.

I have configured the VMware guest to automatically take over these devices from the Windows 10 host:

    usb.autoConnect.device0 = "0x04e6:0xe003"
    […]
    usb.autoConnect.device7 = "0x1050:0x0404"

> dmesg -w

I just played around. After unplugging the YubiKey, I connected the SPR332:

    [felix at felix-arch ~]$ sudo dmesg -w
    […]
    [ 5135.728320] usb 2-1: new full-speed USB device number 6 using uhci_hcd
    [ 5136.137546] usb 2-1: New USB device found, idVendor=04e6, idProduct=e003, bcdDevice= 7.01
    [ 5136.137551] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=5
    [ 5136.137553] usb 2-1: Product: SPRx32 USB Smart Card Reader
    [ 5136.137554] usb 2-1: Manufacturer: SCM Microsystems Inc.
    [ 5136.137555] usb 2-1: SerialNumber: 51271741200012
    ^C
    [felix at felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device
    [felix at felix-arch ~]$ sudo gpg --card-status
    Reader ...........: SCM Microsystems Inc. SPR 532 [CCID Interface] (51271741200012) 00 00
    Application ID ...: D2760001240103030005000064D50000
    Application type .: OpenPGP
    Version ..........: 3.3
    Manufacturer .....: ZeitControl
    Serial number ....: 000064D5
    Name of cardholder: Felix Klee
    Language prefs ...: en
    Salutation .......: Mr.
    URL of public key : https://sks-keyservers.net/pks/lookup?op=get&search=0x5EF8B6017F668171259945D6BEF6EFD38FE8DCA0
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa4096 rsa4096 rsa2048
    Max. PIN lengths .: 64 64 64
    PIN retry counter : 3 3 3
    Signature counter : 10
    KDF setting ......: off
    Signature key ....: 5EF8 B601 7F66 8171 2599 45D6 BEF6 EFD3 8FE8 DCA0
          created ....: 2016-12-17 10:49:18
    Encryption key....: 27BF BB40 70FC 6351 189E 79FE 04FD F78D 1679 DD94
          created ....: 2016-12-17 10:49:18
    Authentication key: [none]
    General key info..: pub rsa4096/BEF6EFD38FE8DCA0 2016-12-17 Felix E. Klee
    sec> rsa4096/BEF6EFD38FE8DCA0 created: 2016-12-17 expires: 2020-11-10
                                  card-no: 0005 000064D5
    ssb> rsa4096/04FDF78D1679DD94 created: 2016-12-17 expires: 2020-11-10
                                  card-no: 0005 000064D5
    [felix at felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

As you can see, I can connect to it as root but not as regular user. Sometimes connection as regular user works, sometimes not. Sometimes I just have to wait for a while, can be minutes, and then it works.

I also tried killing root's gpg-agent, to avoid conflicts with that of the user, but that didn't help either.
Furthermore, even if udev doesn't trigger, I should have rw access to the device file (it's an SPR332, not sure why it says SPR532):

    [felix at felix-arch ~]$ lsusb | grep SPR532
    Bus 002 Device 006: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard Reader
    [felix at felix-arch ~]$ ls -l /dev/bus/usb/002/006
    crw-rw---- 1 root scard 189, 133 Aug 5 12:02 /dev/bus/usb/002/006
    [felix at felix-arch ~]$ groups
    scanner saned uucp optical lp audio wheel felix scard plugdev
    [felix at felix-arch ~]$ gpg --card-status
    gpg: selecting card failed: No such device
    gpg: OpenPGP card not available: No such device

Why does it work as root but not as regular user? Any suggestion for a fix, even if crude, is welcome!

From gniibe at fsij.org Mon Aug 7 03:00:27 2023
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 07 Aug 2023 10:00:27 +0900
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To:
References: <31363.1691069282@localhost>
Message-ID: <87a5v38y50.fsf@akagi.fsij.org>

Hello,

Please note that I don't have any experience using scdaemon in a guest OS of GNU/Linux. So, my answer may be wrong/irrelevant.

"Felix E. Klee" wrote:
> [felix at felix-arch ~]$ sudo gpg --card-status
> Reader ...........: SCM Microsystems Inc. SPR 532 [CCID Interface]
> (51271741200012) 00 00

Please note that there may be two methods to access the device in scdaemon:

  * in-stock CCID driver of scdaemon
  * the PC/SC service

Your output shows that you are connecting the smartcard reader through the PC/SC service.

If it's not your intention and your scdaemon has support of in-stock CCID driver, I'd recommend not to use the PC/SC service. Perhaps, simply uninstall pcscd.

That's because it's simpler for scdaemon. It's easier to configure and debug, if your purpose is only for use of OpenPGP smartcard.
If you have a reason using PC/SC service (say, for example, you need the service for other applications and other cards, as well as your use of OpenPGP smartcard for GnuPG), please make sure that you configure the PC/SC service correctly. You should test and make sure, by a normal user, if you can access your cards by the PC/SC service correctly.

* * *

Also, I'm afraid that you are using older GnuPG. In GnuPG 2.2, scdaemon had a feature to fallback to the PC/SC service, when access to in-stock CCID driver doesn't go well. The feature is disabled in 2.4.

In GnuPG 2.4, when scdaemon has support of in-stock CCID driver, to use the PC/SC service, you need manually configure scdaemon with "disable-ccid" (no use of in-stock CCID driver).
-- 

From wk at gnupg.org Mon Aug 7 09:29:09 2023
From: wk at gnupg.org (Werner Koch)
Date: Mon, 07 Aug 2023 09:29:09 +0200
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To: (Felix E. Klee's message of "Sat, 5 Aug 2023 12:10:13 +0800")
References: <31363.1691069282@localhost>
Message-ID: <87sf8v2tve.fsf@wheatstone.g10code.de>

On Sat, 5 Aug 2023 12:10, Felix E. Klee said:

> I also tried killing root's gpg-agent, to avoid conflicts with that of
> the user, but that didn't help either.

Right a second scdaemon might have grabbed the device. If you don't need it as root put into root's gpg-agent.conf "disable-scdaemon".

Another option is to put

  pcsc-shared

into /etc/gnupg/scdaemon.conf and to install pcscd. The drawback is that there might be some hiccup with OpenPGP cards and PIN requests (because we cache the verification status in scdaemon for the sake of older OpenPGP cards) and if you change the data on a card the other scdaemons won't see the change. We are currently considering whether to change scdaemon to a system service or implement some kind of syncing.

> Why does it work as root but not as regular user?

The root's scdaemon has access to the device.
Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From felix.klee at inka.de Tue Aug 8 09:18:20 2023
From: felix.klee at inka.de (Felix E. Klee)
Date: Tue, 8 Aug 2023 15:18:20 +0800
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To: <87a5v38y50.fsf@akagi.fsij.org>
References: <31363.1691069282@localhost> <87a5v38y50.fsf@akagi.fsij.org>
Message-ID:

On Mon, Aug 7, 2023 at 9:00 AM NIIBE Yutaka wrote:
> Please note that there may be two methods to access the device in
> scdaemon:
>
> * in-stock CCID driver of scdaemon
> * the PC/SC service
>
> Your output shows that you are connecting the smartcard reader through
> the PC/SC service.

Interesting. I assume the problem is down to a race-condition with the two competing for access. That would explain its apparent randomness.

> If it's not your intention and your scdaemon has support of in-stock
> CCID driver, I'd recommend not to use the PC/SC service. Perhaps,
> simply uninstall pcscd.

I prefer not to, because: I may install the PC/SC service again in the future and then I likely will have forgotten about our conversation here.

> If you have a reason using PC/SC service (say, for example, you need
> the service for other applications and other cards, as well as your
> use of OpenPGP smartcard for GnuPG), please make sure that you
> configure the PC/SC service correctly.

Indeed it was not properly set up:

    [felix at felix-arch ~]$ opensc-tool -l
    No smart card readers found.
I added a Polkit rule following the [instructions][1] for PC/SC:

    [root at felix-arch ~]# cat /etc/polkit-1/rules.d/01-pcscd.rules
    polkit.addRule(function(action, subject) {
        if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
            subject.user == "felix") {
                return polkit.Result.YES;
        }
    });

Now it works:

    [felix at felix-arch ~]$ opensc-tool -l
    # Detected readers (pcsc)
    Nr.  Card  Features  Name
    0    Yes             Yubico YubiKey CCID 00 00

I should see in the upcoming days whether that solves the issue. Thank you!

[1]: https://github.com/LudovicRousseau/PCSC/blob/master/doc/README.polkit

From felix.klee at inka.de Tue Aug 8 09:20:21 2023
From: felix.klee at inka.de (Felix E. Klee)
Date: Tue, 8 Aug 2023 15:20:21 +0800
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To: <87sf8v2tve.fsf@wheatstone.g10code.de>
References: <31363.1691069282@localhost> <87sf8v2tve.fsf@wheatstone.g10code.de>
Message-ID:

On Mon, Aug 7, 2023 at 3:30 PM Werner Koch wrote:
> > I also tried killing root's gpg-agent, to avoid conflicts with that
> > of the user, but that didn't help either.
>
> Right a second scdaemon might have grabbed the device. If you don't
> need it as root put into root's gpg-agent.conf "disable-scdaemon".
>
> Another option is to put
>
>   pcsc-shared

Thanks, good to know about this option. However, I hope that fixing PC/SC access has solved the issue. See my other message.

From felix.klee at inka.de Wed Aug 9 13:56:56 2023
From: felix.klee at inka.de (Felix E. Klee)
Date: Wed, 9 Aug 2023 19:56:56 +0800
Subject: YubiKey/OpenPGP card connection issues for non-root user
In-Reply-To:
References: <31363.1691069282@localhost> <87a5v38y50.fsf@akagi.fsij.org>
Message-ID:

The issue persists. Sometimes the readers (just now the YubiKey) are not visible to the user. But they are always to root k.

I then disabled the PC/SC daemon:

    [felix at felix-arch ~]$ sudo systemctl disable pcscd
    Removed "/etc/systemd/system/sockets.target.wants/pcscd.socket".
    [felix at felix-arch ~]$ sudo systemctl stop pcscd
    Warning: Stopping pcscd.service, but it can still be activated by:
      pcscd.socket

Afterwards, `gpg --card-status` immediately showed the card status to the ordinary user.

However, this solution is not good. As I mentioned before, I may want to use PC/SC in the future, and I may also just accidentally re-enable it. So it would be better to have a solution where the PC/SC daemon does not cause some race condition.

From dvr at fastmail.fm Sat Aug 12 04:45:58 2023
From: dvr at fastmail.fm (Daniel Rostovtsev)
Date: Fri, 11 Aug 2023 22:45:58 -0400
Subject: nPth signature
Message-ID:

Hi gnupg-users,

I think that nPth is might be signed with an expired signature. Is this a problem?

Thanks!

P.S.
I downloaded from https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2 and https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2.sig

This is what I see when I run

> gpg --verify npth-1.6.tar.bz2.sig

When I run with a trusted gpg.

gpg: assuming signed data in 'npth-1.6.tar.bz2'
gpg: Signature made Mon Jul 16 07:37:23 2018 UTC
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jscott at posteo.net Sat Aug 12 07:56:17 2023
From: jscott at posteo.net (John Scott)
Date: Sat, 12 Aug 2023 05:56:17 +0000
Subject: Resurrecting the Monkeysphere 🐒
Message-ID: <3342622a790fd731b671ebb2493651b572858fc3.camel@posteo.net>

Hi GnuPG-ers,

I'm bringing back to life the Monkeysphere project which has fizzled upstream. I love the concept and am willing to rewrite major components and, more importantly, provide guides and integrations to make the experiment successful.

What is the Monkeyspherian way of doing things, you may ask?
Monkeysphere is all about taking an OpenPGP key and using it in other public key cryptosystems. This has the benefit that the OpenPGP PKI can be leveraged. GnuPG already supports this concept somewhat, allowing you to use the raw public key in OpenPGP keys for X.509 certificates and OpenSSH.

I want to push the concept further. Imagine this: the same raw public key from an OpenPGP key being used for TLS. Without having to do anything, solely because the keys are the same, you automatically have proof that the owner of the OpenPGP key has control over the TLS service!

If you ask me, I think DANE is the future for most ordinary TLS needs, but the Monkeysphere can be used with it to prove that the person you know as "John Scott" actually controls the service as opposed to mere domain validation.

The best part is that this doesn't require using the TLS for raw public keys extension, although that would be a good hint to a client that they should check their OpenPGP key stores: an ordinary X.509 certificate-using TLS service may well still use the same raw public key as an OpenPGP key, so we have full backwards compatibility and interoperability with existing clients!

Another example I want to experiment with is using the same raw public key from OpenPGP key for a Tor onion service. This would prove that an individual controls an onion service. Or since DNSSEC is unavailable, we could take OpenPGP keys with a Tor onion service component in its user ID, or the same with an X.509 certificate, and automatically mark it as trusted if the Curve25519 key used for the OpenPGP/X.509 key material matches what the onion hostname is supposed to use.

I hope the possibilities excite some folks! Please let me know if you are interested in helping or if you have any public experimental services.

Sincerely,
John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL:

From ming at imkuang.com Sat Aug 12 08:09:26 2023
From: ming at imkuang.com (Ming Kuang)
Date: Sat, 12 Aug 2023 14:09:26 +0800
Subject: nPth signature
In-Reply-To:
References:
Message-ID: <003401d9cce3$8d63c9f0$a82b5dd0$@imkuang.com>

On 2023-08-12 10:45, Daniel Rostovtsev via Gnupg-users wrote:
> Hi gnupg-users,
>
> I think that nPth is might be signed with an expired signature.
> Is this a problem?
>
> Thanks!
>
> P.S.
> I downloaded from https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2 and https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2.sig
> This is what I see when I run
>
>> gpg --verify npth-1.6.tar.bz2.sig
>
> When I run with a trusted gpg.
>
> gpg: assuming signed data in 'npth-1.6.tar.bz2'
> gpg: Signature made Mon Jul 16 07:37:23 2018 UTC
> gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> gpg: Good signature from "Werner Koch (dist sig)" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6

Here's a note about these old expired keys:
https://www.gnupg.org/signature_key.html

The key with fingerprint 4F25 E3B6 is not listed on that page, but I checked that it is indeed included in that old public key block:
https://gnupg.org/devel/old-signature-keys.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL:

From cai.0407 at gmail.com Sat Aug 12 08:09:21 2023
From: cai.0407 at gmail.com (Kosuke Kaizuka)
Date: Sat, 12 Aug 2023 15:09:21 +0900
Subject: nPth signature
In-Reply-To:
References:
Message-ID: <5d4f64c4-e3e3-4e2f-ae6f-32f3933a8c38@gmail.com>

Hi,

On 2023/08/12 11:45, Daniel Rostovtsev via Gnupg-users wrote:
> I think that nPth is might be signed with an expired signature.
>
> Is this a problem?

No problem.
> I downloaded from https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2
> and
> https://gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2.sig
>
> This is what I see when I run
>
> > gpg --verify npth-1.6.tar.bz2.sig
>
> When I run with a trusted gpg.
>
> gpg: assuming signed data in 'npth-1.6.tar.bz2'
> gpg: Signature made Mon Jul 16 07:37:23 2018 UTC
> gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> gpg: Good signature from "Werner Koch (dist sig)" [expired]
> gpg: Note: This key has expired!
> Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6

The release date of nPth 1.6 is 2018-07-16 and the files were signed on the same day. On 2018-07-16, the key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 was valid and not expired yet.

-- 
Kosuke Kaizuka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:

From fa-ml at ariis.it Sat Aug 12 08:48:30 2023
From: fa-ml at ariis.it (Francesco Ariis)
Date: Sat, 12 Aug 2023 08:48:30 +0200
Subject: Resurrecting the Monkeysphere 🐒
In-Reply-To: <3342622a790fd731b671ebb2493651b572858fc3.camel@posteo.net>
References: <3342622a790fd731b671ebb2493651b572858fc3.camel@posteo.net>
Message-ID:

Hello John,

On 12 August 2023 at 05:56 John Scott via Gnupg-users wrote:
> I'm bringing back to life the Monkeysphere project which has fizzled upstream. I love the concept and am willing to rewrite major components and, more importantly, provide guides and integrations to make the experiment successful.
>
> What is the Monkeyspherian way of doing things, you may ask? Monkeysphere is all about taking an OpenPGP key and using it in other public key cryptosystems. This has the benefit that the OpenPGP PKI can be leveraged.
> GnuPG already supports this concept somewhat, allowing you to use the raw public key in OpenPGP keys for X.509 certificates and OpenSSH.

Thanks for posting here! It seems really an interesting project. I am not technically versed enough to help but I would like to follow development.

Is there any repository, or site, or blog we can follow to get news about this?
-F

From jscott at posteo.net Sat Aug 12 10:30:48 2023
From: jscott at posteo.net (John Scott)
Date: Sat, 12 Aug 2023 08:30:48 +0000
Subject: Resurrecting the Monkeysphere 🐒
In-Reply-To:
References: <3342622a790fd731b671ebb2493651b572858fc3.camel@posteo.net>
Message-ID: <58462dfe3eed644aa569146d7684a02abee0769f.camel@posteo.net>

On Sat, 2023-08-12 at 08:48 +0200, Francesco Ariis wrote:
> Is there any repository, or site, or blog we can follow to get news about this?

Great question! I don't have access to the old repository, mailing list, and bug trackers yet, but here are some places where you can keep track of things.

Until I get access to the old resources, you can follow me at @jscott at fosstodon.org (https://fosstodon.org/@jscott on the Web) or subscribe to the RSS feed https://fosstodon.org/@jscott.rss but that obviously might encompass more generic topics.

I am a Debianite and I'm on my way to becoming an official maintainer (woo!), so I'm going to wear two hats and maintain Monkeysphere upstream and downstream. For Debian Monkeysphere news you can check out the Debian Package Tracker at https://tracker.debian.org/pkg/monkeysphere which lets you 'Subscribe' to get emails on activity, they've got an RSS feed, or you can check out the Debian Git repo on Salsa which also allows email subscription and has RSS feeds https://salsa.debian.org/pkg-privacy-team/monkeysphere

Reduce, reuse, and recycle: why make a fresh public key pair when you can reduce, reuse, and recycle one you've already got?
That's what it's all about, not even necessarily about OpenPGP, but OpenPGP does happen to be the most versatile cryptosystem (supports a lot of trust models and configurations) which makes it the most appealing target.

My vision for Monkeysphere is to make it a cluster of scripts, conversion utilities, and above all inspiration to innovative application development where the current gaps are.

Thanks for your interest!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL:

From jcb62281 at gmail.com Sun Aug 13 04:47:28 2023
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Sat, 12 Aug 2023 21:47:28 -0500
Subject: Resurrecting the Monkeysphere 🐒
In-Reply-To: <58462dfe3eed644aa569146d7684a02abee0769f.camel@posteo.net>
References: <3342622a790fd731b671ebb2493651b572858fc3.camel@posteo.net> <58462dfe3eed644aa569146d7684a02abee0769f.camel@posteo.net>
Message-ID: <64D84440.30907@gmail.com>

John Scott via Gnupg-users wrote:
> Reduce, reuse, and recycle: why make a fresh public key pair when you can reduce, reuse, and recycle one you've already got?

Simple: to limit the exposure of the corresponding private key and the work required to rotate any given keypair.

Closely related, if different applications use different cryptographic keypairs (i.e. subkeys) you also have some indication where your private key got leaked based on which subkey was compromised. This could be very important for tracking down an unknown exploit, since it tells you where to start looking.

OpenPGP does have a solution to this problem (subkeys) that I hope Monkeysphere will fully support. Will there be support for importing, say, a Tor onion service keypair onto an OpenPGP certificate as a subkey?
(Obviously, tying Tor onion services to OpenPGP certificates blows the whole "anonymous" thing to bits, but Tor onion services have other uses, too.) Or, perhaps more practically, importing an existing OpenSSH keypair as an OpenPGP subkey?

-- Jacob

From jscott at posteo.net Sun Aug 13 05:06:49 2023
From: jscott at posteo.net (John Scott)
Date: Sun, 13 Aug 2023 03:06:49 +0000
Subject: Resurrecting the Monkeysphere 🐒
In-Reply-To: <64D84440.30907@gmail.com>
References: <3342622a790fd731b671ebb2493651b572858fc3.camel@posteo.net> <58462dfe3eed644aa569146d7684a02abee0769f.camel@posteo.net> <64D84440.30907@gmail.com>
Message-ID: <2ba70f92182cc3f886e9d221707bfbe08780d571.camel@posteo.net>

On Sat, 2023-08-12 at 21:47 -0500, Jacob Bachmeyer wrote:
> Will there be support for importing, say, a Tor onion service keypair onto an OpenPGP certificate as a subkey?

That is one of the first things I plan to work on.

> Or, perhaps more practically, importing an existing OpenSSH keypair as an OpenPGP subkey?

That too is a priority. I've got a lot to learn especially when it comes to RFC 4880 (OpenPGP), but I'll make it happen.

On the contrary, Monkeysphere has previously had an emphasis on using OpenPGP keys for hostname verification for SSH, which I think is not worthy of effort since that's what DNSSEC and DANE are for. Unless someone can make a good argument, I will be dropping this from the scope of the project.

Anywho, you made some good arguments why excessive key reuse might be a bad thing. That's why thinking of things in terms of subkeys is absolutely the way to go, so you can have as many as you want to diversify risk, but have them all under your master key umbrella.

Some things will be harder than others to attain. For example, GnuPG already makes it pretty easy to go from OpenPGP to OpenSSH, X.509 to OpenPGP, and OpenPGP to X.509, and so transitively X.509 to OpenSSH.
I just now deployed a new TLS certificate for johnscott.me that uses an OpenPGP subkey I just added. It's still an X.509 certificate, still signed by Let's Encrypt, and still has DANE (TLSA) records published, so it's fully compatible with the conventional way of doing things. Monkeysphere will be more than just tooling; it'll also be documentation, so I can share how I pulled that off.

It will also be plugins and hooks into existing applications and widely-deployed libraries. A priority will be libcurl. libcurl is very versatile and allows registering callback functions so you can do your own TLS certificate examination for example, so making a library of procedures that has functions for common Monkeyspherian use cases shouldn't be too hard. In fact, I want to show off that I'm now using an OpenPGP subkey for TLS on johnscott.me as of a few minutes ago, so I'm motivated to make a libcurl demo happen in the next few days.

As always, thank you for your interest.

From ipstream at onionmail.org Wed Aug 23 15:57:31 2023
From: ipstream at onionmail.org (isp_stream)
Date: Wed, 23 Aug 2023 13:57:31 +0000
Subject: Dear sirs and ladies
Message-ID: <8765cb33-194d-e068-d0b6-21c2f157074f@onionmail.org>

Dear sirs and ladies!

Thank you for this wonderful software. I need to generate a:

-CA Certificate
-User certificate
- Private key

For jami. Is this possible with gnupg?

Thank you

From stuartl at longlandclan.id.au Wed Aug 23 22:07:38 2023
From: stuartl at longlandclan.id.au (Stuart Longland)
Date: Thu, 24 Aug 2023 06:07:38 +1000
Subject: Dear sirs and ladies
In-Reply-To: <8765cb33-194d-e068-d0b6-21c2f157074f@onionmail.org>
References: <8765cb33-194d-e068-d0b6-21c2f157074f@onionmail.org>
Message-ID:

On 23/8/23 23:57, isp_stream via Gnupg-users wrote:
> I need to generate a:
>
> -CA Certificate
>
> -User certificate
>
> - Private key
>
> For jami. Is this possible with gnupg?

No, you need `openssl` for that.

--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.

From wk at gnupg.org Thu Aug 24 11:54:13 2023
From: wk at gnupg.org (Werner Koch)
Date: Thu, 24 Aug 2023 11:54:13 +0200
Subject: Dear sirs and ladies
In-Reply-To: (Stuart Longland via Gnupg-users's message of "Thu, 24 Aug 2023 06:07:38 +1000")
References: <8765cb33-194d-e068-d0b6-21c2f157074f@onionmail.org>
Message-ID: <87a5uglq9m.fsf@jacob.g10code.de>

On Thu, 24 Aug 2023 06:07, Stuart Longland said:

> No, you need `openssl` for that.

Actually you can do that as well with GnuPG.

  gpgsm --gen-key

creates either a CSR or a self-signed cert. You can build a CA with it. This requires a parameter file. For example create a file wiki.example.org.parm:

--8<---------------cut here---------------start------------->8---
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign, encrypt
Name-DN: CN=wiki,O=example,C=org
Name-DNS: wiki.example.org
Serial: random
Issuer-DN: CN=MY-ROOT-CA,O=example,C=DE
Signing-Key: 184977136DA4D5C90C202F22E3812012ABCD7174
--8<---------------cut here---------------end--------------->8---

The signing key is the keygrip of the ROOT-CA.
Now run

  gpgsm --gen-key --batch -a -o wiki.example.org.pem wiki.example.org.parm

(usually you won't use a passphrase) and then run

  gpgsm --import wiki.example.org.pem

To export the private key you may use

  gpgsm --export-secret-key-raw -a wiki.example.org > wiki.example.org-key.pem

All from memory - I should write a proper HOWTO. We use this for all internal certificates here in the company with the ROOT-CA's key stored on a smartcard.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein

From xyz938 at onionmail.org Fri Aug 25 14:59:22 2023
From: xyz938 at onionmail.org (xyz938)
Date: Fri, 25 Aug 2023 12:59:22 +0000
Subject: 32768-bit key
In-Reply-To:
References: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID:

> On Monday, 10. July 2023 1:08, Robert J. Hansen via Gnupg-users
> [/webmail/send?to=gnupg-users at gnupg.org] wrote:
>
> > How do I up the limit of the RSA-key to 32768?
>
> First, come up with a reason why you need one.
>
> A 2048-bit key is hypothesized to possess about 112 bits of entropy; a
> 3072-bit key, about 128; a 16k-bit, about 256. You very rapidly reach a point
> of dramatically diminishing returns.
> A 32k key gives you essentially nothing
> in terms of resistance to cryptanalysis, while making it impossible for the
> rest of the OpenPGP ecosystem to work with you because your public certificate
> is so unreasonably large.
>
> > The TailsOS team has a key that's way over 16384-bit.
>
> I suggest filing a bug report with them and asking them why they ignore the
> best practices of cryptography.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

From xyz938 at onionmail.org Fri Aug 25 18:37:15 2023
From: xyz938 at onionmail.org (xyz938)
Date: Fri, 25 Aug 2023 16:37:15 +0000
Subject: Sirs:
Message-ID:

Please. Where do I change in the code to create a 32764 bit key?
How do I hide the fact that the key is 32764 on the keyserver?

Thank you.

xyz938 (they might shoot me if they find out who i am - whoami)

From andrewg at andrewg.com Fri Aug 25 20:18:22 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 25 Aug 2023 19:18:22 +0100
Subject: Sirs:
In-Reply-To: <9E67DE30-FA25-42B4-8778-671660C3A456@andrewg.com>
References: <9E67DE30-FA25-42B4-8778-671660C3A456@andrewg.com>
Message-ID: <026B3C12-BDAE-46CD-B780-4D5DADD2323D@andrewg.com>

On 25 Aug 2023, at 19:09, Andrew Gallagher wrote:
>
> On 25 Aug 2023, at 18:23, xyz938 via Gnupg-users wrote:
>>
>> How do I hide the fact that the key is 32764 on the keyserver?
>
> You can't. That's like trying to publish a book written in Chinese without letting anyone know that it is written in Chinese.

BTW, hockeypuck probably won't accept a public key that large anyway, as the self-sig will most likely not validate (I have not tested this though).

A

From andrewg at andrewg.com Fri Aug 25 20:09:47 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 25 Aug 2023 19:09:47 +0100
Subject: Sirs:
In-Reply-To:
References:
Message-ID: <9E67DE30-FA25-42B4-8778-671660C3A456@andrewg.com>

On 25 Aug 2023, at 18:23, xyz938 via Gnupg-users wrote:
>
> How do I hide the fact that the key is 32764 on the keyserver?

You can't. That's like trying to publish a book written in Chinese without letting anyone know that it is written in Chinese.

A

From ipstream at onionmail.org Sat Aug 26 10:27:55 2023
From: ipstream at onionmail.org (isp_stream)
Date: Sat, 26 Aug 2023 08:27:55 +0000
Subject: Dear sirs and ladies!
Message-ID:

Dear sirs and ladies!

Thank you for this great software and (Mr. Zimmerman as well). May I use wildcards i.e (.*) to decrypt several .asc files i.e 30 files encrypted with the same asymmetrical key?

Thank you.

From ipstream at onionmail.org Sat Aug 26 10:32:24 2023
From: ipstream at onionmail.org (isp_stream)
Date: Sat, 26 Aug 2023 08:32:24 +0000
Subject: Dear sirs and ladies
In-Reply-To: <87a5uglq9m.fsf@jacob.g10code.de>
References: <87a5uglq9m.fsf@jacob.g10code.de> <8765cb33-194d-e068-d0b6-21c2f157074f@onionmail.org>
Message-ID:

You are a very helpful person. Thank you sir.

> On Thursday, 24. August 2023 9:54, Werner Koch via Gnupg-users
> [/webmail/send?to=gnupg-users at gnupg.org] wrote:
>
> On Thu, 24 Aug 2023 06:07, Stuart Longland said:
>
> > No, you need `openssl` for that.
>
> Actually you can do that as well with GnuPG.
>
>   gpgsm --gen-key
>
> creates either a CSR or a self-signed cert. You can build a CA with it.
> This requires a parameter file. For example create a file
> wiki.example.org.parm:
>
> --8<---------------cut here---------------start------------->8---
> Key-Type: RSA
> Key-Length: 2048
> Key-Usage: sign, encrypt
> Name-DN: CN=wiki,O=example,C=org
> Name-DNS: wiki.example.org
> Serial: random
> Issuer-DN: CN=MY-ROOT-CA,O=example,C=DE
> Signing-Key: 184977136DA4D5C90C202F22E3812012ABCD7174
> --8<---------------cut here---------------end--------------->8---
>
> The signing key is the keygrip of the ROOT-CA.
>
> Now run
>
>   gpgsm --gen-key --batch -a -o wiki.example.org.pem wiki.example.org.parm
>
> (usually you won't use a passphrase) and then run
>
>   gpgsm --import wiki.example.org.pem
>
> To export the private key you may use
>
>   gpgsm --export-secret-key-raw -a wiki.example.org > wiki.example.org-key.pem
>
> All from memory - I should write a proper HOWTO. We use this for all
> internal certificates here in the company with the ROOT-CA's key stored
> on a smartcard.
>
> Salam-Shalom,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A.
> Einstein
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

From 230825.effweh at erine.email Sat Aug 26 17:15:44 2023
From: 230825.effweh at erine.email (230825.effweh at erine.email)
Date: Sat, 26 Aug 2023 17:15:44 +0200
Subject: Decrypting multiple files with one single command? (was: Dear sirs and ladies!)
In-Reply-To:
References:
Message-ID: <20230826151544.GF23072@kugelfisch.zuhause.test>

isp_stream via Gnupg-users - gnupg-users at gnupg.org at Sat., 2023-08-26 08:27:55+0000:
> May I use wildcards i.e (.*) to decrypt several .asc files i.e
> 30 files encrypted with the same asymmetrical key?
>

Yes. Look in the docs for the option "--multifile": You can combine it with "--decrypt". But it is not clear where the decrypted output goes.

Regards,
Friedhelm

From rjh at sixdemonbag.org Sun Aug 27 04:28:26 2023
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 26 Aug 2023 22:28:26 -0400
Subject: 32768-bit key
In-Reply-To:
References: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID: <6a21c364-69e9-90cf-d8ab-06164fb5b2fc@sixdemonbag.org>

I will not answer encrypted messages posted to the list. This is a public mailing list. Signatures are fine, but encrypted person-to-person messages are not.

Also, please do not send HTML email to the list. Many of the people you hope will read your email refuse to read HTML email.

From ipstream at onionmail.org Sun Aug 27 08:42:46 2023
From: ipstream at onionmail.org (isp_stream)
Date: Sun, 27 Aug 2023 06:42:46 +0000
Subject: 32768-bit key
In-Reply-To: <6a21c364-69e9-90cf-d8ab-06164fb5b2fc@sixdemonbag.org>
References: <6a21c364-69e9-90cf-d8ab-06164fb5b2fc@sixdemonbag.org> <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID:

My name is Snowden. And I cannot send a decrypted version of the mail.

> On Sunday, 27. August 2023 2:28, Robert J. Hansen via Gnupg-users
> [/webmail/send?to=gnupg-users at gnupg.org] wrote:
>
> I will not answer encrypted messages posted to the list. This is a public
> mailing list. Signatures are fine, but encrypted person-to-person messages are
> not.
>
> Also, please do not send HTML email to the list. Many of the people you hope
> will read your email refuse to read HTML email.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

From johndoe65534 at mail.com Sun Aug 27 14:08:02 2023
From: johndoe65534 at mail.com (john doe)
Date: Sun, 27 Aug 2023 14:08:02 +0200
Subject: OT: Re: 32768-bit key
In-Reply-To:
References: <6a21c364-69e9-90cf-d8ab-06164fb5b2fc@sixdemonbag.org> <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID:

On 8/27/23 08:42, isp_stream via Gnupg-users wrote:
>

I do not get the point of this thread, please stop.

--
John Doe

From rjh at sixdemonbag.org Sun Aug 27 18:24:09 2023
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 27 Aug 2023 12:24:09 -0400
Subject: 32768-bit key
In-Reply-To:
References: <6a21c364-69e9-90cf-d8ab-06164fb5b2fc@sixdemonbag.org> <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID: <5dc858cb-9db3-b532-a9a7-286e426c1deb@sixdemonbag.org>

> My name is Snowden.

I don't care.

> And I cannot send a decrypted version of the mail.

Then please learn how to do so.

To recap:

1. There is no point in a 32kbit RSA key.
2. For that reason, GnuPG doesn't allow you to generate one.
3. I will not help you do something that has no point.
4. Do not send encrypted messages to the mailing list.
5. Do not send HTML messages to the mailing list.

I hope I am being clear. If you have further questions that are not completely answered above, we look forward to hearing them.

From ipstream at onionmail.org Tue Aug 29 12:20:05 2023
From: ipstream at onionmail.org (isp_stream)
Date: Tue, 29 Aug 2023 10:20:05 +0000
Subject: Signature
Message-ID:

May I ask why you bring an attached signature in your e-mails and how you make one in gnupg?

Thank you

ispstream

From fa-ml at ariis.it Tue Aug 29 13:28:11 2023
From: fa-ml at ariis.it (Francesco Ariis)
Date: Tue, 29 Aug 2023 13:28:11 +0200
Subject: Signature
In-Reply-To:
References:
Message-ID:

On 29 August 2023 at 10:20, isp_stream via Gnupg-users wrote:
> May I ask why you bring an attached signature in your e-mails and how you make
> one in gnupg?

Why: you want to assure the content of the email was not tampered with.

How: it is taken care of by the client, you don't manually sign and attach the signature - at least I am not, using `mutt`. Start from your mail client documentation and you should be on the right track!
-F

From andrewammerlaan at gentoo.org Wed Aug 30 11:54:30 2023
From: andrewammerlaan at gentoo.org (Andrew Ammerlaan)
Date: Wed, 30 Aug 2023 11:54:30 +0200
Subject: Gentoo's Portage: Best ways to keep binary package signing key unlocked?
Message-ID:

Hi all,

In order to allow users to verify binary packages Gentoo's portage offers the option to sign any generated binary packages after installation. For this to work the configured signing key is unlocked once before a job starts, and it should then remain unlocked until portage completes the job. Currently the way this is accomplished involves periodically signing /dev/null, code snippet below:

    self.GPG_unlock_command = self.GPG_signing_base_command.replace(
        "[PORTAGE_CONFIG]",
        f"--homedir {self.signing_gpg_home} "
        f"--digest-algo {self.digest_algo} "
        f"--local-user {self.signing_gpg_key} "
        "--output - /dev/null",
    )

Recently we fixed a bug[1][2] in this code that caused /dev/null to be removed if GnuPG failed to unlock the key. This however prompted the question if there is not a more elegant way to do this.

Signing /dev/null feels like more of a hack than an actual solution to keeping the key unlocked until portage finishes. Therefore I would like to ask you if you have any better ideas to do this?

Best regards,
Andrew

[1] https://bugs.gentoo.org/912808
[2] https://github.com/gentoo/portage/commit/9d278330839049a818ba9f1e3985c7e502c63451

From 2458099 at gmail.com Wed Aug 30 16:28:02 2023
From: 2458099 at gmail.com (Gilberto F da Silva)
Date: Wed, 30 Aug 2023 11:28:02 -0300
Subject: Signature
In-Reply-To:
References:
Message-ID:

On Tue, Aug 29, 2023 at 10:20:05AM +0000, isp_stream via Gnupg-users wrote:
>May I ask why you bring an attached signature in your e-mails and how you make
>one in gnupg?

I use mutt and somewhere in its config files I made this tweak.

--
Star date: 2.460.187,102 Local time: 2023-08-30 11:27:05 Wednesday
Mageia 9
-==-
The camel is an animal that, after going days without eating or drinking, manages to pass through the eye of a needle and easily enter the kingdom of heaven. -- Millôr Fernandes

From 2458099 at gmail.com Wed Aug 30 16:32:26 2023
From: 2458099 at gmail.com (Gilberto F da Silva)
Date: Wed, 30 Aug 2023 11:32:26 -0300
Subject: Signature
In-Reply-To:
References:
Message-ID:

On Tue, Aug 29, 2023 at 01:28:11PM +0200, Francesco Ariis wrote:
>On 29 August 2023 at 10:20, isp_stream via Gnupg-users wrote:
>> May I ask why you bring an attached signature in your e-mails and how you make
>> one in gnupg?
>
>Why: you want to assure the content of the email was not tampered with.
>
>How: it is taken care of by the client, you don't manually sign and attach
>the signature - at least I am not, using `mutt`.
>Start from your mail client documentation and you should be on the
>right track!
>-F

It is getting harder and harder to use GnuPG with email as webmail is used more and more.

--
Star date: 2.460.187,105 Local time: 2023-08-30 11:31:46 Wednesday
Mageia 9
-==-
Suddenly, I realized that that small pea, beautiful and blue, was the Earth. I stretched out my thumb and closed one eye. And my thumb completely covered planet Earth. I did not feel like a giant, but very, very small. -- Neil Armstrong

From wk at gnupg.org Thu Aug 31 16:35:13 2023
From: wk at gnupg.org (Werner Koch)
Date: Thu, 31 Aug 2023 16:35:13 +0200
Subject: Gentoo's Portage: Best ways to keep binary package signing key unlocked?
In-Reply-To: (Andrew Ammerlaan via Gnupg-users's message of "Wed, 30 Aug 2023 11:54:30 +0200")
References:
Message-ID: <871qfjgtzy.fsf@jacob.g10code.de>

On Wed, 30 Aug 2023 11:54, Andrew Ammerlaan said:

> Signing /dev/null feels like more of a hack than an actual solution to
> keeping the key unlocked until portage finishes. Therefore I would
> like to ask you if you have any better ideas to do this?

Don't use a passphrase or better use remote signing from your desktop and not on a server. See wiki.gnupg.org on how to use a remote gpg-agent.

Another option is to use gpg-preset-passphrase (installed to libexec). Use

  gpg -K --with-keygrip YOURSIGNINGKEY

to find the keygrip; then use

  gpg-preset-passphrase --preset KEYGRIP

and enter the passphrase followed by a LF (or provide to stdin). This puts the passphrase into gpg-agent's cache with no timeout. The --forget option might not work right now, thus you better use

  gpgconf --reload gpg-agent

to flush gpg-agent's cache.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that refuse military service. - A. Einstein
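The gpg-preset-passphrase procedure from the message above, as an added example that is not part of the thread and is neither Portage nor GnuPG code. It assumes gpg-agent runs with allow-preset-passphrase set in gpg-agent.conf; the function names and the sample key listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: cache a signing key's passphrase in gpg-agent for the
# duration of one job, then flush the cache when the job ends.
# Assumption: "allow-preset-passphrase" is set in gpg-agent.conf.

# Constructed sample of `gpg --with-colons --with-keygrip -K` output.
# Key IDs, fingerprints and keygrips are made-up placeholders.
sample_listing() {
    cat <<'EOF'
sec:u:255:22:1111111111111111:1693000000:::u:::cC:::+:::ed25519:::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0:
uid:u::::1693000000::0000000000000000000000000000000000000000::Build Signer <build@example.org>:
ssb:u:255:22:2222222222222222:1693000000::::::s:::+:::ed25519::
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0:
ssb:r:255:22:3333333333333333:1693000000::::::s:::+:::ed25519::
fpr:::::::::3333333333333333333333333333333333333333:
grp:::::::::C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0:
ssb:u:255:18:4444444444444444:1693000000::::::e:::+:::cv25519::
fpr:::::::::4444444444444444444444444444444444444444:
grp:::::::::D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0D0:
EOF
}

# Read a colon listing on stdin and print the keygrip of every secret
# (sub)key that can sign: capability field 12 contains a lowercase "s",
# the key is not disabled ("D") and not revoked or expired (field 2).
signing_keygrips() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            usable = ($12 ~ /s/ && $12 !~ /D/ && $2 !~ /^[re]$/)
            next
        }
        $1 == "grp" { if (usable) print $10; usable = 0 }
    '
}

# with_unlocked_key KEY PASSFILE COMMAND [ARGS...]
# Runs in a subshell so the EXIT trap flushes the agent cache however
# the job ends, instead of leaving the passphrase cached with no timeout.
with_unlocked_key() (
    key=$1 passfile=$2
    shift 2
    # gpg-preset-passphrase lives in libexec, which is usually not in PATH.
    preset="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
    grips=$(gpg --batch --with-colons --with-keygrip -K "$key" | signing_keygrips)
    [ -n "$grips" ] || { echo "no usable signing key for $key" >&2; exit 1; }
    trap 'gpgconf --reload gpg-agent' EXIT
    trap 'exit 130' INT TERM HUP
    for grip in $grips; do
        # The passphrase is read from stdin, terminated by a line feed.
        "$preset" --preset "$grip" < "$passfile" || exit 1
    done
    "$@"
)
```

A job would be wrapped as `with_unlocked_key KEYID /path/to/passphrase-file build-command`; the passphrase file should be readable only by the build user.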