From wk at gnupg.org Tue Jul 4 17:12:12 2023
From: wk at gnupg.org (Werner Koch)
Date: Tue, 04 Jul 2023 17:12:12 +0200
Subject: [Announce] GnuPG 2.4.3 released
Message-ID: <87fs63emnn.fsf@wheatstone.g10code.de>
Hello!
We are pleased to announce the availability of a new stable GnuPG
release: version 2.4.3. This version fixes some minor bugs and
improves the performance on Windows. See below for details.
What is GnuPG
=============
The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.
GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages. A wealth of frontend applications and libraries
making use of GnuPG are available. As an universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.
GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.
Noteworthy changes in version 2.4.3
===================================
* gpg: Set default expiration date to 3 years. [T2701]
* gpg: Add --list-filter properties "key_expires" and
"key_expires_d". [T6529]
* gpg: Emit status line and proper diagnostics for write errors.
[T6528]
* gpg: Make progress work for large files on Windows. [T6534]
* gpg: New option --no-compress as alias for -z0.
* gpgsm: Print PROGRESS status lines. Add new --input-size-hint.
[T6534]
* gpgsm: Support SENDCERT_SKI for --call-dirmngr. [rG701a8b30f0]
* gpgsm: Major rewrite of the PKCS#12 parser. [T6536]
* gpgtar: New option --no-compress.
* dirmngr: Extend the AD_QUERY command. [rG207c99567c]
* dirmngr: Disable the HTTP redirect rewriting. [T6477]
* dirmngr: New option --compatibility-flags. [rGbf04b07327]
* dirmngr: New option --ignore-crl-extensions. [T6545]
* wkd: Use export-clean for gpg-wks-client's --mirror and --create
commands. [rG2c7f7a5a27]
* wkd: Make --add-revocs the default in gpg-wks-client. New option
--no-add-revocs. [rG10c937ee68]
* scd: Make signing work for Nexus cards. [rGb83d86b988]
* scd: Fix authentication with Administration Key for PIV.
[rG25b59cf6ce]
Release-info: https://dev.gnupg.org/T6509
Getting the Software
====================
Please follow the instructions found at or
read on:
GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary FTP server. The list of mirrors can be found at
. Note that GnuPG is not
available at ftp.gnu.org.
The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.3.tar.bz2 (7179k)
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.3.tar.bz2.sig
An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.3_20230704.exe (5324k)
https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.3_20230704.exe.sig
The source used to build this Windows installer can be found in the same
directory with a ".tar.xz" suffix.
A new release of Gpg4win including this version of GnuPG will soon be
announced via the usual channels.
Checking the Integrity
======================
In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:
* If you already have a version of GnuPG installed, you can simply
verify the supplied signature. For example to verify the signature
of the file gnupg-2.4.3.tar.bz2 you would use this command:
gpg --verify gnupg-2.4.3.tar.bz2.sig gnupg-2.4.3.tar.bz2
This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by one or more of the release signing keys. Make sure that
this is a valid key, either by matching the shown fingerprint
against a trustworthy list of valid release signing keys or by
checking that the key has been signed by trustworthy other keys.
See the end of this mail for information on the signing keys.
* If you are not able to use an existing version of GnuPG, you have
to verify the SHA-1 checksum. On Unix systems the command to do
this is either "sha1sum" or "shasum". Assuming you downloaded the
file gnupg-2.4.3.tar.bz2, you run the command like this:
sha1sum gnupg-2.4.3.tar.bz2
and check that the output matches the next line:
79a60c8e415e3daaa33d0546398174252a56f7ac gnupg-2.4.3.tar.bz2
d1e689712c7b1e0959fc3e1282198bfd35688bd4 gnupg-w32-2.4.3_20230704.tar.xz
677527d18ed95b1ba2476efbfbfdb43703bb26ca gnupg-w32-2.4.3_20230704.exe
Internationalization
====================
This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian,
Japanese, Norwegian, Polish, Russian, Turkish, and Ukrainian
being almost completely translated.
Documentation and Support
=========================
The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual. The manual is also available
online at
https://gnupg.org/documentation/manuals/gnupg/
or can be downloaded as PDF at
https://gnupg.org/documentation/manuals/gnupg.pdf
You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advise on how to solve problems. Most
of the new features are around for several years and thus enough public
experience is available. https://wiki.gnupg.org has user contributed
information around GnuPG and relate software.
In case of build problems specific to this release please first check
https://dev.gnupg.org/T6509 for updated information.
Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org. If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html.
If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.
Job Opportunity
===============
We are looking for an experienced technical person for the g10 Code
office in Erkrath. Your duties would be help with system administration
and to extend our technical support team. Although we are running
completely on free software, most of our customers are running Windows;
thus experience with Windows management will be of advantage as well as
a reasonable proficiency in German. If you are interested in a full
time employment please contact us my mail.
Thanks
======
Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
and has mostly been financed by donations. Several full-time employed
developers and contractors are working exclusively on GnuPG and closely
related software like Libgcrypt, GPGME, Kleopatra and Gpg4win.
Fortunately, and this is still not common with free software, we have
established a way of financing the development while keeping all our
software free and freely available for everyone. Our model is similar
to the way RedHat manages RHEL and Fedora: Except for the actual binary
of the MSI installer for Windows and client specific configuration
files, all the software is available under the GNU GPL and other Open
Source licenses. Thus customers may even build and distribute their own
version of the software as long as they do not use our trademarks
GnuPG Desktop? or GnuPG VS-Desktop?.
We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, answering questions on the mailing
lists, or helped with donations.
*Thank you all*
Your GnuPG hackers
p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners. Current releases are signed by one or more
of these four keys:
rsa3072 2017-03-17 [expires: 2027-03-15]
5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
Andre Heinecke (Release Signing Key)
ed25519 2020-08-24 [expires: 2030-06-30]
6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
Werner Koch (dist signing 2020)
ed25519 2021-05-19 [expires: 2027-04-04]
AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
Niibe Yutaka (GnuPG Release Key)
brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
GnuPG.com (Release Signing Key 2021)
The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.
--
Arguing that you don't care about the right to privacy because you have
nothing to hide is no different from saying you don't care about free
speech because you have nothing to say. - Edward Snowden
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
From ralph at ml.seichter.de Tue Jul 4 18:29:34 2023
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Tue, 04 Jul 2023 18:29:34 +0200
Subject: [Announce] GnuPG for OS X 2.4.3
Message-ID: <87o7krtzbl.fsf@ra.horus-it.com>
GnuPG for OS X / macOS release 2.4.3 is now available for download via
https://sourceforge.net/p/gpgosx/docu/Download/ .
The disk image signature key is available via public keyservers, and it
can also be downloaded from https://www.seichter.de/pgp/gpgosx-signing.asc .
pub ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06]
Key fingerprint = EAB0 FE4F F793 D9E7 028E C8E2 FD56 297D 9833 FF7F
uid [ultimate] Ralph Seichter (GnuPG for OS X signing key)
GnuPG 2.4.x is installed in /usr/local/gnupg-2.4 instead of the formerly
hardcoded directory /usr/local/gnupg-2.2. This enables installing both
stable and LTS releases of GnuPG for OS X side by side, for advanced
users' needs.
The one caveat is that the latest installation will replace existing
soft links in /usr/local/{bin,lib}. Please use absolute paths like
/usr/local/gnupg-2.2/bin/gpg2 if necessary. Enjoy.
-Ralph
From bernhard at intevation.de Wed Jul 5 10:59:49 2023
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 5 Jul 2023 10:59:49 +0200
Subject: Question - GPG - No Secret Keys
In-Reply-To:
References:
Message-ID: <202307051059.56593.bernhard@intevation.de>
Hi Rafael,
Am Freitag 16 Juni 2023 19:50:43 schrieb Alberti, Rafael Ricardo via
Gnupg-users:
> On May 15 2023, we installed and were looking at using GPG a server.
which operating system and if you are running GNU/Linux, which distribution
are you using?
> We created the proper Public and Private key and Pass Phrase. The
> decryption and encryption was working well for a few weeks until on June
> 13, 2023 the decryption failed.
>
> Upon review, we received a "No Secret Key" error - nothing changed on the
> machine. We also noticed that the Public and Private key were no longer
> visible in the armor i.e. Gpg -list-keys {returned blank}
>
> What would cause the keys to be removed? We did notice that an install
> of GPG occurred on the server on June 13.
>
> Can a GPG Auto Update remove the Keys inside the Armor ?
It MUST not. So if this update did, it would be a defect of the packaging
(or the updating process in general).
> If so, how can we disable GPG Auto Update feature
Depends on which update service you were using.
GnuPG is available for many platforms and can be installed by many means.
> After much review, and "by chance" we re-imported the Public.key and the
> TrustDb.Key and the Armor was repopulated with the old Key information and
> the decryption started to work again
Good to know that you had a working backup (that is recommended practice). :)
Best Regards
Bernhard
--
https://intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL:
From villapla+gnupg-users at uji.es Fri Jul 7 11:19:47 2023
From: villapla+gnupg-users at uji.es (Juanjo)
Date: Fri, 7 Jul 2023 11:19:47 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
Message-ID:
Hi,
I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
single "YubiKey 5 USB (5.4.3) [CCID]".
The issue comes when I plug more than one Yubikey.
I can use "gpg --card-status all" to retrieve the information of all
connected Yubikeys or "gpg --card-status ID" (where ID is the value from
field "Application ID") to retrieve the information of a pacific Yubikey.
I have tried to do the same with "gpg --card-edit" but this command does
not support passing the ID of a specific Yubikey and it always selects the
last plugged Yubikey.
So, is there a way to select a specific Yubikey for the "gpg --card-edit"
command?
Thanks in advance,
Juanjo
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From bernd at kr217.de Fri Jul 7 10:59:17 2023
From: bernd at kr217.de (Bernd Naumann)
Date: Fri, 7 Jul 2023 10:59:17 +0200
Subject: Looking for keyserver software without any validation or fancy
features
Message-ID: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
Hi *,
For a test setup / proof of concent / lab, I'm looking for a pretty
simple keyserver implementation.
I don't need any form of validation, web ui, etc.
At least I want to be able to disable send mail validation, federation,
web server, and what not.
I just want to be able to send and receive keys to/from a server.
All machines in this setup are running Debian 11 or 12.
hagrid and huckeypuck are total overkill, and at least hagrid is not
even /intended/ to be "self hosted".
I have seen https://github.com/SKS-Keyserver/sks-keyserver but still
have to check it out if it really suites my needs.
`gpg-wks-server` has to send and receive verification mails, right?
I would like to avoid having to configure a mail-server and mail-clients.
Are there any other options?
I would like to not take `cp` and `scp` as an option, I'm doing this
already...
Thanks.
Bernd
From kloecker at kde.org Fri Jul 7 12:05:23 2023
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Fri, 07 Jul 2023 12:05:23 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
References:
Message-ID: <13309951.uLZWGnKmhe@daneel>
On Freitag, 7. Juli 2023 11:19:47 CEST Juanjo via Gnupg-users wrote:
> I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> single "YubiKey 5 USB (5.4.3) [CCID]".
>
> The issue comes when I plug more than one Yubikey.
>
> I can use "gpg --card-status all" to retrieve the information of all
> connected Yubikeys or "gpg --card-status ID" (where ID is the value from
> field "Application ID") to retrieve the information of a pacific Yubikey.
>
> I have tried to do the same with "gpg --card-edit" but this command does
> not support passing the ID of a specific Yubikey and it always selects the
> last plugged Yubikey.
>
> So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> command?
You may have luck with setting a specific reader-port (see `man scdaemon`).
But, unless you need to use the command line, it's probably much easier to use
Kleopatra which supports multiple card readers and multiple card apps
(OpenPGP, PIV) per reader out of the box. Kleopatra doesn't support everything
`gpg --card-edit` or the new gpg-card tool support.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL:
From wk at gnupg.org Fri Jul 7 12:21:39 2023
From: wk at gnupg.org (Werner Koch)
Date: Fri, 07 Jul 2023 12:21:39 +0200
Subject: Looking for keyserver software without any validation or fancy
features
In-Reply-To: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de> (Bernd Naumann's
message of "Fri, 7 Jul 2023 10:59:17 +0200")
References: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
Message-ID: <87pm54auoc.fsf@wheatstone.g10code.de>
On Fri, 7 Jul 2023 10:59, Bernd Naumann said:
> For a test setup / proof of concent / lab, I'm looking for a pretty
> simple keyserver implementation.
Use an LDAP server; this is the most flexible and best supported way to
store keys.
https://www.gnupg.org/blog/20201018-gnupg-and-ldap.html
> `gpg-wks-server` has to send and receive verification mails, right?
> I would like to avoid having to configure a mail-server and mail-clients.
gpg-wks-server is about key enrollment via mail and web. A simpler
setup is by using gpg-wks-client to create Web Key Directory locally and
then upload it.
gpg --list-options show-only-fpr-mbox | gpg-wks-client --install-key
or if you already got an LDAP:
https://gnupg.com/kb/mirror-ldap-to-wkd.html
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:
From villapla+gnupg-users at uji.es Fri Jul 7 12:26:20 2023
From: villapla+gnupg-users at uji.es (Juanjo)
Date: Fri, 7 Jul 2023 12:26:20 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <13309951.uLZWGnKmhe@daneel>
References:
<13309951.uLZWGnKmhe@daneel>
Message-ID:
On Fri, Jul 7, 2023 at 12:07?PM Ingo Kl?cker wrote:
>
> On Freitag, 7. Juli 2023 11:19:47 CEST Juanjo via Gnupg-users wrote:
> > I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> > single "YubiKey 5 USB (5.4.3) [CCID]".
> >
> > The issue comes when I plug more than one Yubikey.
> >
> > I can use "gpg --card-status all" to retrieve the information of all
> > connected Yubikeys or "gpg --card-status ID" (where ID is the value from
> > field "Application ID") to retrieve the information of a pacific Yubikey.
> >
> > I have tried to do the same with "gpg --card-edit" but this command does
> > not support passing the ID of a specific Yubikey and it always selects the
> > last plugged Yubikey.
> >
> > So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> > command?
>
> You may have luck with setting a specific reader-port (see `man scdaemon`).
I have already tried this with no success.
> But, unless you need to use the command line, it's probably much easier to use
> Kleopatra which supports multiple card readers and multiple card apps
> (OpenPGP, PIV) per reader out of the box. Kleopatra doesn't support everything
> `gpg --card-edit` or the new gpg-card tool support.
I will take a look at this.
> Regards,
> Ingo
Thanks for your fast response Ingo.
Regards,
Juanjo
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
From bernd at kr217.de Fri Jul 7 12:53:23 2023
From: bernd at kr217.de (Bernd Naumann)
Date: Fri, 7 Jul 2023 12:53:23 +0200
Subject: Looking for keyserver software without any validation or fancy
features
In-Reply-To: <87pm54auoc.fsf@wheatstone.g10code.de>
References: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
<87pm54auoc.fsf@wheatstone.g10code.de>
Message-ID: <70feec1c-11c4-c14d-ea87-35c0da252e5d@kr217.de>
On 07.07.23 12:21, Werner Koch wrote:
> https://www.gnupg.org/blog/20201018-gnupg-and-ldap.html
Thanks, I will have a look into it.
From wk at gnupg.org Fri Jul 7 13:10:27 2023
From: wk at gnupg.org (Werner Koch)
Date: Fri, 07 Jul 2023 13:10:27 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
(Juanjo via Gnupg-users's message of "Fri, 7 Jul 2023 11:19:47 +0200")
References:
Message-ID: <87lefsasf0.fsf@wheatstone.g10code.de>
On Fri, 7 Jul 2023 11:19, Juanjo said:
> I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> single "YubiKey 5 USB (5.4.3) [CCID]".
You should get a recent version. Even Fedora comes with 2.4.0
> So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> command?
GnuPG 2.3 and later supports several readers and thus the reader-port
option of scdaemon is not really useful anymore. Please have a look at
gpg-card [1], this new tool will eventually replace gpg --card-edit but
it is different because it supports all kind of cards. There is even a
yubikey control command. It depends on what you actually want to do.
Shalom-Salam,
Werner
[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:
From andrewg at andrewg.com Fri Jul 7 13:51:04 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 7 Jul 2023 12:51:04 +0100
Subject: Looking for keyserver software without any validation or fancy
features
In-Reply-To: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
References: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
Message-ID: <37C25E81-08C1-46FB-A056-92EC2A1D4A1E@andrewg.com>
An HTML attachment was scrubbed...
URL:
From villapla+gnupg-users at uji.es Fri Jul 7 14:22:46 2023
From: villapla+gnupg-users at uji.es (Juanjo)
Date: Fri, 7 Jul 2023 14:22:46 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <87lefsasf0.fsf@wheatstone.g10code.de>
References:
<87lefsasf0.fsf@wheatstone.g10code.de>
Message-ID:
On Fri, Jul 7, 2023 at 1:12?PM Werner Koch wrote:
>
> On Fri, 7 Jul 2023 11:19, Juanjo said:
>
> > I'm using "gpg (GnuPG) 2.3.3" on AlmaLinux 9 and it works fine with a
> > single "YubiKey 5 USB (5.4.3) [CCID]".
>
> You should get a recent version. Even Fedora comes with 2.4.0
OK, I will try to recompile gnupg RPM from Fedora sources.
> > So, is there a way to select a specific Yubikey for the "gpg --card-edit"
> > command?
>
> GnuPG 2.3 and later supports several readers and thus the reader-port
> option of scdaemon is not really useful anymore. Please have a look at
> gpg-card [1], this new tool will eventually replace gpg --card-edit but
> it is different because it supports all kind of cards. There is even a
> yubikey control command. It depends on what you actually want to do.
I will take a look at gpg-card.
Our setup is very simple, we disabled all NFC Applications on the
Yubikey and also disabled all USB applications except OPENPGP.
Then we generate a PGP certificate on Yubikey and use it to access our
servers via SSH (by using the ability of gpg-agent to act as
ssh-agent).
This works fine with a single Yubikey, but we wanted to have more than
one connected at the same time in order to batch-configure them and
even to try to use multiple SSH key authentication in specific target
servers.
> Shalom-Salam,
>
> Werner
Thanks for your fast response, Werner.
Regards,
Juanjo
> [1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
From wk at gnupg.org Fri Jul 7 14:53:06 2023
From: wk at gnupg.org (Werner Koch)
Date: Fri, 07 Jul 2023 14:53:06 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
(Juanjo via Gnupg-users's message of "Fri, 7 Jul 2023 14:22:46 +0200")
References:
<87lefsasf0.fsf@wheatstone.g10code.de>
Message-ID: <87bkgnc28d.fsf@wheatstone.g10code.de>
On Fri, 7 Jul 2023 14:22, Juanjo said:
> This works fine with a single Yubikey, but we wanted to have more than
> one connected at the same time in order to batch-configure them and
> even to try to use multiple SSH key authentication in specific target
Most of the time I am using several Yubikeys and other smardcards. Some
even remotely. For example I use an SSH connection with socket
forwarding to out build server. Over that connection I provide access
to an Authenticode token, my release key and ssh keys on tokens.
I should eventually describe the environment. As a starter:
"no-autostart" in common.conf on the build box, gpg-card with "verify"
to unlock keys on the desktop for remote use by the build process
(Authenticode), and some keywords in the private key files (Use-for-p11,
Use-for-ssh).
To create keys, use gpg-card which can easily be scripted. Examples:
$ gpg-card list D2760001240100000006154932830000 \
-- yubikey disable nfc all \
-- yubikey disable usb otp u2f piv oath fido2 \
-- yubikey list
OTP no no
U2F no no
OPGP yes no
PIV no no
OATH no no
FIDO2 no no
$ gpg-card
[...]
gpg/card> help generate
GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
Create a new key on a card.
Use --force to overwrite an existing key.
Use "help" for ALGO to get a list of known algorithms.
For OpenPGP cards several algos may be given.
Note that the OpenPGP key generation is done interactively
unless a single ALGO or KEYREF are given.
[Supported by: OpenPGP, PIV]
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:
From mcr at sandelman.ca Fri Jul 7 20:32:15 2023
From: mcr at sandelman.ca (Michael Richardson)
Date: Fri, 07 Jul 2023 14:32:15 -0400
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <87bkgnc28d.fsf@wheatstone.g10code.de>
References:
<87lefsasf0.fsf@wheatstone.g10code.de>
<87bkgnc28d.fsf@wheatstone.g10code.de>
Message-ID: <2133.1688754735@localhost>
Werner Koch via Gnupg-users wrote:
> On Fri, 7 Jul 2023 14:22, Juanjo said:
>> This works fine with a single Yubikey, but we wanted to have more than
>> one connected at the same time in order to batch-configure them and
>> even to try to use multiple SSH key authentication in specific target
> Most of the time I am using several Yubikeys and other smardcards.
> Some even remotely. For example I use an SSH connection with socket
> forwarding to out build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
> I should eventually describe the environment.
Yes please.
Could it go into a wiki page or something that people can comment on and/or amend?
The need for more secure, and more reproduceable code-signing environments is
becoming critical. Today, tcpdump.org, for instance, has a rather old
code-signing key, and we want to replace it with some hardware token, but we
really don't know what exactly to use,and don't want to be on the bleeding
edge here.
> As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files
> (Use-for-p11, Use-for-ssh).
> To create keys, use gpg-card which can easily be scripted. Examples:
> $ gpg-card list D2760001240100000006154932830000 \ -- yubikey
> disable nfc all \ -- yubikey disable usb otp u2f piv oath fido2 \ --
> yubikey list OTP no no U2F no no OPGP yes no PIV no no OATH no no FIDO2
> no no
> $ gpg-card [...] gpg/card> help generate GENERATE [--force]
> [--algo=ALGO{+ALGO2}] KEYREF
> Create a new key on a card. Use --force to overwrite an existing
> key. Use "help" for ALGO to get a list of known algorithms. For
> OpenPGP cards several algos may be given. Note that the OpenPGP key
> generation is done interactively unless a single ALGO or KEYREF are
> given. [Supported by: OpenPGP, PIV]
Thank you.
Which model of Yubikey are you using?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 511 bytes
Desc: not available
URL:
From xyz938 at onionmail.org Sun Jul 9 16:15:17 2023
From: xyz938 at onionmail.org (xyz938)
Date: Sun, 09 Jul 2023 14:15:17 +0000
Subject: 32768-bit key
Message-ID: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Dear sirs and ladies.
I've compiled GnuPG as per instructions on your home page. Thank you.
The max size of my key is 16384-bits.
How do I upp the limit of the RSA-key to 32768?
The TailsOS team has a key that's wy over 16384-bit.
Thank you.
Best regards
xyz938
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From rjh at sixdemonbag.org Mon Jul 10 03:08:29 2023
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 9 Jul 2023 21:08:29 -0400
Subject: 32768-bit key
In-Reply-To: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
References: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID:
> How do I upp the limit of the RSA-key to 32768?
First, come up with a reason why you need one.
A 2048-bit key is hypothesized to possess about 112 bits of entropy; a
3072-bit key, about 128; a 16k-bit, about 256. You very rapidly reach a
point of dramatically diminishing returns. A 32k key gives you
essentially nothing in terms of resistance to cryptanalysis, while
making it impossible for the rest of the OpenPGP ecosystem to work with
you because your public certificate is so unreasonably large.
> The TailsOS team has a key that's wy over 16384-bit.
I suggest filing a bug report with them and asking them why they ignore
the best practices of cryptography.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x1DCBDC01B44427C7.asc
Type: application/pgp-keys
Size: 7660 bytes
Desc: OpenPGP public key
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL:
From tmz at pobox.com Mon Jul 10 05:04:47 2023
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 9 Jul 2023 23:04:47 -0400
Subject: 32768-bit key
In-Reply-To:
References: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID:
Robert J. Hansen via Gnupg-users wrote:
>> The TailsOS team has a key that's wy over 16384-bit.
>
> I suggest filing a bug report with them and asking them why they ignore the
> best practices of cryptography.
I don't know that there's anything to file a bug about. I
don't see any non-rsa4096 keys on the Tails website:
https://tails.net/doc/about/openpgp_keys/
--
Todd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL:
From villapla+gnupg-users at uji.es Mon Jul 10 10:48:07 2023
From: villapla+gnupg-users at uji.es (Juanjo)
Date: Mon, 10 Jul 2023 10:48:07 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <87bkgnc28d.fsf@wheatstone.g10code.de>
References:
<87lefsasf0.fsf@wheatstone.g10code.de>
<87bkgnc28d.fsf@wheatstone.g10code.de>
Message-ID:
On Fri, Jul 7, 2023 at 2:54?PM Werner Koch wrote:
>
> On Fri, 7 Jul 2023 14:22, Juanjo said:
>
> > This works fine with a single Yubikey, but we wanted to have more than
> > one connected at the same time in order to batch-configure them and
> > even to try to use multiple SSH key authentication in specific target
>
> Most of the time I am using several Yubikeys and other smardcards. Some
> even remotely. For example I use an SSH connection with socket
> forwarding to out build server. Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
>
> I should eventually describe the environment. As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files (Use-for-p11,
> Use-for-ssh).
>
> To create keys, use gpg-card which can easily be scripted. Examples:
>
> $ " list D2760001240100000006154932830000 \
> -- yubikey disable nfc all \
> -- yubikey disable usb otp u2f piv oath fido2 \
> -- yubikey list
> OTP no no
> U2F no no
> OPGP yes no
> PIV no no
> OATH no no
> FIDO2 no no
OK, we are currently using Yubico "ykman" to do this job, it's nice
that "gpg-card" can configure this natively.
There are other setting managed via "ykman" not provided by "gpg-card" :
* The number of PIN retry attempts: ykman openpgp access set-retries
* The touch policy: ykman openpgp keys set-touch
> $ gpg-card
> [...]
> gpg/card> help generate
> GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
> Create a new key on a card.
> Use --force to overwrite an existing key.
> Use "help" for ALGO to get a list of known algorithms.
> For OpenPGP cards several algos may be given.
> Note that the OpenPGP key generation is done interactively
> unless a single ALGO or KEYREF are given.
> [Supported by: OpenPGP, PIV]
According to gpg-card [1], only the LIST command accepts parameter [n]
to select a specific Yubikey (via card number --provided by "gpg-card
list --cards"--- or serial number).
But playing a little more with gpg-card (still version 2.3.3) I have
noticed that the LIST command "changes" the default card for the
following commands in the same invocations, so I can achieve my
initial goal:
$ gpg-card list D2760001240100000006154932830000 -- generate
$ gpg-card list D2760001240100000006154932830000 -- passwd pinref
where "pinref" is the numeric menu entry you use in interactive mode:
$ gpg-card
Reader ...........: Yubico YubiKey CCID 02 00
Card type ........: yubikey
Card firmware ....: 5.4.3
[...]
gpg/card> passwd
OpenPGP card no. XX YY ZZZ detected
1 - change the PIN
2 - unblock and set new a PIN
3 - change the Admin PIN
4 - set the Reset Code
Q - quit
Your selection? Q
gpg/card> Q
$
Unfortunately, "gpg-card" doesn't provide the "key-attr" command we
used to change from default rsa2048 to rsa4096.
Werner, thanks for your help, but I think we are going to use the
gnupg version shipped with AlmaLinux 9 and configure the Yubikey one
by one.
Regards,
Juanjo
> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html
From bernhard at intevation.de Mon Jul 10 15:52:26 2023
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 10 Jul 2023 15:52:26 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <2133.1688754735@localhost>
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
Message-ID: <202307101552.26529.bernhard@intevation.de>
Michael,
Am Freitag 07 Juli 2023 20:32:15 schrieb Michael Richardson:
> ? ? > I should eventually describe the environment.
>
> Yes please.
> Could it go into a wiki page or something that people can comment on and/or
> amend?
feel free to open a page with the info that Werner has already given on
https://wiki.gnupg.org
Regards,
Bernhard
--
https://intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL:
From andrewg at andrewg.com Mon Jul 10 17:53:45 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 10 Jul 2023 16:53:45 +0100
Subject: Looking for keyserver software without any validation or fancy
features
In-Reply-To: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
References: <32ff1d91-b7e2-237a-1fac-3f684f806ed9@kr217.de>
Message-ID:
(resending because the previous mail went out HTML-only, apologies)
Hi, Bernd.
> hagrid and huckeypuck are total overkill,
(Disclaimer: I?m one of the hockeypuck contributors)
If you have docker-compose installed, it?s *very* easy to spin up a test instance of hockeypuck, see the README at https://github.com/hockeypuck/hockeypuck
You will need a non-empty keydump to start with, but you can export a single key to a file with the suffix ?.gpg? and it should suffice.
> and at least hagrid is not
> even /intended/ to be "self hosted".
I?m pretty sure you can self-host hagrid, although I haven?t tested it.
> I have seen https://github.com/SKS-Keyserver/sks-keyserver but still
> have to check it out if it really suites my needs.
SKS-keyserver is very similar to hockeypuck (hockeypuck was first developed as an SKS-keyserver replacement). It does have the ability for a quick-build that serves static files directly without ingesting them into a database in advance, however you will still probably have to build the ptree (at least in its default configuration). It also has an unofficial docker image at https://registry.hub.docker.com/r/zhusj/sks
> Are there any other options?
https://github.com/PennockTech/openpgpkey-control comes to mind.
A
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL:
From rjh at sixdemonbag.org Mon Jul 10 21:26:10 2023
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 10 Jul 2023 15:26:10 -0400
Subject: 32768-bit key
In-Reply-To:
References: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
Message-ID: <55d9760f089656d7c2cf7ec603897b3b@sixdemonbag.org>
> I don't know that there's anything to file a bug about. I
> don't see any non-rsa4096 keys on the Tails website:
One of their certificates has a Curve-25519 subkey. I wonder if that's
what the original poster saw, and mistook it for being a 25,519-bit
subkey.
From tmz at pobox.com Mon Jul 10 23:45:51 2023
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 10 Jul 2023 17:45:51 -0400
Subject: 32768-bit key
In-Reply-To: <55d9760f089656d7c2cf7ec603897b3b@sixdemonbag.org>
References: <5531a432-afa1-ed6c-78cc-d4ea89f4c59c@onionmail.org>
<55d9760f089656d7c2cf7ec603897b3b@sixdemonbag.org>
Message-ID:
Robert J. Hansen via Gnupg-users wrote:
>> I don't know that there's anything to file a bug about. I
>> don't see any non-rsa4096 keys on the Tails website:
>
> One of their certificates has a Curve-25519 subkey. I wonder if that's what
> the original poster saw, and mistook it for being a 25,519-bit subkey.
Ahh, that's a very good guess. I missed that sub key while I
was skimming the list of keys.
--
Todd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL:
From dclarke at blastwave.org Wed Jul 12 00:53:05 2023
From: dclarke at blastwave.org (Dennis Clarke)
Date: Tue, 11 Jul 2023 18:53:05 -0400
Subject: Strange message seen on FreeBSD 14.0 amd64
Message-ID: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
Dear GnuPG type folks :
I don't know what this means. Can we just compile with a decent C
compiler such as the LLVM/Clang in FreeBSD ?
/*
Please not that your compiler does not support the GCC style
aligned attribute. Using this software may evoke bus errors.
*/
I saw that on a FreeBSD 14.0 server after a neat configure :
hydra$
hydra$ ./configure --prefix=/opt/bw \
> --disable-silent-rules --enable-dependency-tracking \
> --enable-static --enable-shared --disable-asm \
> --disable-aesni-support --disable-shaext-support \
> --disable-pclmul-support --disable-sse41-support \
> --disable-drng-support --disable-avx-support \
> --disable-avx2-support --disable-O-flag-munging \
> --disable-optimization --without-gnu-ld \
> --with-libgpg-error-prefix=/opt/bw --without-pth-prefix 2>&1 | tee
../libgcrypt-1.10.2_FreeBSD14_amd64.001.config.log
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... build-aux/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether /usr/local/bin/gmake sets $(MAKE)... yes
checking whether /usr/local/bin/gmake supports nested variables... yes
checking build system type... x86_64-unknown-freebsd14.0
checking host system type... x86_64-unknown-freebsd14.0
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether /usr/local/bin/gmake supports nested variables...
(cached) yes
checking whether /usr/local/bin/gmake supports the include directive...
yes (GNU style)
checking for gcc... /usr/bin/cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether /usr/bin/cc accepts -g... yes
checking for /usr/bin/cc option to accept ISO C89... none needed
checking whether /usr/bin/cc understands -c and -o together... yes
checking dependency style of /usr/bin/cc... gcc3
checking how to run the C preprocessor... /usr/bin/cc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking whether /usr/local/bin/gmake sets $(MAKE)... (cached) yes
checking for gcc... (cached) /usr/bin/cc
checking whether we are using the GNU C compiler... (cached) yes
checking whether /usr/bin/cc accepts -g... (cached) yes
checking for /usr/bin/cc option to accept ISO C89... (cached) none needed
checking whether /usr/bin/cc understands -c and -o together... (cached) yes
checking dependency style of /usr/bin/cc... (cached) gcc3
checking how to run the C preprocessor... /usr/bin/cc -E
checking dependency style of /usr/bin/cc... gcc3
checking for library containing strerror... none required
checking for gawk... (cached) nawk
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by /usr/bin/cc...
/usr/local/bin/x86_64-unknown-freebsd14.0-ld
checking if the linker (/usr/local/bin/x86_64-unknown-freebsd14.0-ld) is
GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/local/bin/nm -B
checking the name lister (/usr/local/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 393216
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... no
checking how to convert x86_64-unknown-freebsd14.0 file names to
x86_64-unknown-freebsd14.0 format... func_convert_file_noop
checking how to convert x86_64-unknown-freebsd14.0 file names to
toolchain format... func_convert_file_noop
checking for /usr/local/bin/x86_64-unknown-freebsd14.0-ld option to
reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/local/bin/nm -B output from /usr/bin/cc
object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if /usr/bin/cc supports -fno-rtti -fno-exceptions... yes
checking for /usr/bin/cc option to produce PIC... -fPIC -DPIC
checking if /usr/bin/cc PIC flag -fPIC -DPIC works... yes
checking if /usr/bin/cc static flag -static works... yes
checking if /usr/bin/cc supports -c -o file.o... yes
checking if /usr/bin/cc supports -c -o file.o... (cached) yes
checking whether the /usr/bin/cc linker
(/usr/local/bin/x86_64-unknown-freebsd14.0-ld) supports shared
libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... freebsd14.0 ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... no
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for windres... no
checking whether byte ordering is bigendian... no
checking size of unsigned short... 2
checking size of unsigned int... 4
checking size of unsigned long... 8
checking size of unsigned long long... 8
checking size of void *... 8
checking for uintptr_t... yes
checking for UINT64_C... yes
checking size of uint64_t... 8
checking which symmetric ciphers to include... arcfour blowfish cast5
des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147
chacha20 sm4
checking which public-key ciphers to include... dsa elgamal rsa ecc
checking which message digests to include... crc gostr3411-94 md4 md5
rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3
checking which key derivation functions to include... s2k pkdf2 scrypt
checking which random module to use... default
checking whether use of /dev/random is requested... yes
checking whether the experimental random daemon is requested... no
checking whether MPI and cipher assembler modules are requested... no
checking whether memory guard is requested... no
checking whether to run large data tests... no
checking whether 'soft' HW feature bits are forced on... no
checking whether use of capabilities is requested... no
checking whether a HMAC binary check is requested... no
checking whether jitter entropy support is requested... yes
checking whether padlock support is requested... yes
checking whether AESNI support is requested... no
checking whether SHAEXT support is requested... no
checking whether PCLMUL support is requested... no
checking whether SSE4.1 support is requested... no
checking whether DRNG support is requested... no
checking whether AVX support is requested... no
checking whether AVX2 support is requested... no
checking whether NEON support is requested... yes
checking whether ARMv8 Crypto Extension support is requested... yes
checking whether PPC crypto support is requested... yes
checking whether a -O flag munging is requested... no
checking whether a instrumentation (-fprofile, -fsanitize) munging is
requested... yes
checking whether to enable AMD64 as(1) feature detection... yes
checking for gpg-error-config... /opt/bw/bin/gpg-error-config
checking for gpgrt-config... /opt/bw/bin/gpgrt-config
configure: Use gpgrt-config with /opt/bw/lib as gpg-error-config
checking for GPG Error - version >= 1.27... yes (1.47)
checking for pthread_create in -lpthread... yes
checking for library containing setsockopt... none required
checking for library containing setsockopt... (cached) none required
checking for unistd.h... (cached) yes
checking sys/auxv.h usability... yes
checking sys/auxv.h presence... yes
checking for sys/auxv.h... yes
checking sys/random.h usability... yes
checking sys/random.h presence... yes
checking for sys/random.h... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for size_t... yes
checking for pid_t... yes
checking for byte... no
checking for ushort... yes
checking for u16... no
checking for u32... no
checking for u64... no
checking for sys/socket.h... yes
checking for socklen_t... yes
checking for __builtin_bswap32... yes
checking for __builtin_bswap64... yes
checking for __builtin_ctz... yes
checking for __builtin_ctzl... yes
checking for __builtin_clz... yes
checking for __builtin_clzl... yes
checking for __sync_synchronize... yes
checking whether the variable length arrays are supported... yes
checking whether the visibility attribute is supported... yes
checking for broken visibility attribute... no
checking for broken alias attribute... no
checking if gcc supports -fvisibility=hidden... yes
checking whether the GCC style aligned attribute is supported... no
checking whether the GCC style packed attribute is supported... no
checking whether the GCC style may_alias attribute is supported... no
checking whether 'asm' assembler keyword is supported... no
checking whether '__asm__' assembler keyword is supported... yes
checking whether inline assembly memory barrier is supported... yes
checking whether GCC assembler is compatible for ARM assembly
implementations... n/a
checking whether GCC assembler is compatible for ARMv8/Aarch64 assembly
implementations... n/a
checking whether GCC assembler supports for CFI directives... no
checking whether GCC assembler supports for ELF directives... yes
checking for _ prefix in compiled symbols... no
checking architecture and mpi assembler functions... disabled
checking whether compiler supports 'ms_abi' function attribute... no
checking whether compiler supports 'sysv_abi' function attribute... no
checking whether GCC inline assembler supports SSSE3 instructions... n/a
checking whether GCC inline assembler supports PCLMUL instructions... n/a
checking whether GCC inline assembler supports SHA Extensions
instructions... n/a
checking whether GCC inline assembler supports SSE4.1 instructions... n/a
checking whether GCC inline assembler supports AVX instructions... n/a
checking whether GCC inline assembler supports AVX2 instructions... n/a
checking whether GCC inline assembler supports VAES and VPCLMUL
instructions... n/a
checking whether GCC inline assembler supports BMI2 instructions... n/a
checking whether GCC assembler handles division correctly... yes
checking whether GCC assembler is compatible for amd64 assembly
implementations... n/a
checking whether GCC assembler is compatible for Intel syntax assembly
implementations... n/a
checking whether compiler is configured for ARMv6 or newer
architecture... n/a
checking whether GCC inline assembler supports NEON instructions... n/a
checking whether GCC inline assembler supports AArch32 Crypto Extension
instructions... n/a
checking whether GCC inline assembler supports AArch64 NEON
instructions... n/a
checking whether GCC inline assembler supports AArch64 Crypto Extension
instructions... n/a
checking whether compiler supports PowerPC AltiVec/VSX intrinsics... n/a
checking whether GCC inline assembler supports PowerPC
AltiVec/VSX/crypto instructions... n/a
checking whether GCC inline assembler supports PowerISA 3.00
instructions... n/a
checking whether GCC inline assembler supports zSeries instructions... n/a
checking whether GCC inline assembler supports zSeries vector
instructions... n/a
checking for vprintf... yes
checking for _doprnt... no
checking for stpcpy... yes
checking for strcasecmp... yes
checking for strtoul... yes
checking for memmove... yes
checking for stricmp... no
checking for atexit... yes
checking for raise... yes
checking for strerror... yes
checking for rand... yes
checking for mmap... yes
checking for getpagesize... yes
checking for sysconf... yes
checking for waitpid... yes
checking for wait4... yes
checking for gettimeofday... yes
checking for getrusage... yes
checking for gethrtime... no
checking for clock_gettime... yes
checking for syslog... yes
checking for syscall... yes
checking for fcntl... yes
checking for ftruncate... yes
checking for flockfile... yes
checking for getauxval... no
checking for elf_aux_info... yes
checking for explicit_bzero... yes
checking for explicit_memset... no
checking for getentropy... yes
checking for mlock... yes
checking for sysconf... (cached) yes
checking for getpagesize... (cached) yes
checking whether mlock is broken... no
checking for getpid... yes
checking for clock... yes
checking for random device... yes
configure: checking for cc features
checking if gcc supports -fno-delete-null-pointer-checks... yes
checking whether non excutable stack support is requested... yes
checking whether assembler supports --noexecstack option... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating m4/Makefile
config.status: creating compat/Makefile
config.status: creating mpi/Makefile
config.status: creating cipher/Makefile
config.status: creating random/Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating src/gcrypt.h
config.status: creating src/libgcrypt-config
config.status: creating src/libgcrypt.pc
config.status: creating src/versioninfo.rc
config.status: creating tests/Makefile
config.status: creating tests/hashtest-256g
config.status: creating tests/basic-disable-all-hwf
config.status: creating config.h
config.status: linking mpi/generic/mpih-add1.c to mpi/mpih-add1.c
config.status: linking mpi/generic/mpih-sub1.c to mpi/mpih-sub1.c
config.status: linking mpi/generic/mpih-mul1.c to mpi/mpih-mul1.c
config.status: linking mpi/generic/mpih-mul2.c to mpi/mpih-mul2.c
config.status: linking mpi/generic/mpih-mul3.c to mpi/mpih-mul3.c
config.status: linking mpi/generic/mpih-lshift.c to mpi/mpih-lshift.c
config.status: linking mpi/generic/mpih-rshift.c to mpi/mpih-rshift.c
config.status: linking mpi/generic/mpi-asm-defs.h to mpi/mpi-asm-defs.h
config.status: executing depfiles commands
config.status: executing libtool commands
config.status: executing gcrypt-conf commands
Libgcrypt v1.10.2 has been configured as follows:
Platform: FreeBSD (x86_64-unknown-freebsd14.0)
Hardware detection module: none
Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
serpent rfc2268 seed camellia idea
salsa20
gost28147 chacha20 sm4
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool
stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Try using jitter entropy: yes
Using linux capabilities: no
FIPS module version:
Try using Padlock crypto: n/a
Try using AES-NI crypto: n/a
Try using Intel SHAEXT: n/a
Try using Intel PCLMUL: n/a
Try using Intel SSE4.1: n/a
Try using DRNG (RDRAND): n/a
Try using Intel AVX: n/a
Try using Intel AVX2: n/a
Try using ARM NEON: n/a
Try using ARMv8 crypto: n/a
Try using PPC crypto: n/a
Please not that your compiler does not support the GCC style
aligned attribute. Using this software may evoke bus errors.
hydra$
So what does that mean ? I *must* use GCC to compile this source ?
--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
From jscott at posteo.net Wed Jul 12 02:05:09 2023
From: jscott at posteo.net (John Scott)
Date: Wed, 12 Jul 2023 00:05:09 +0000
Subject: Strange message seen on FreeBSD 14.0 amd64
In-Reply-To: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
References: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
Message-ID:
> Please not[e] that your compiler does not support the GCC style aligned attribute. Using this software may evoke bus errors.
I'd like to pose the question of why GnuPG should use the non-standard aligned attribute anyway, when to the best of my knowledge, the same functionality is supported in C11 with the alignas operator. Perhaps this was just overlooked? If support for pre-C11 GCC is a concern, maybe a wrapper macro could choose whichever method is supported.
I hope this can be considered as a solution.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5880 bytes
Desc: not available
URL:
From jcb62281 at gmail.com Wed Jul 12 03:30:41 2023
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Tue, 11 Jul 2023 20:30:41 -0500
Subject: Strange message seen on FreeBSD 14.0 amd64
In-Reply-To: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
References: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
Message-ID: <64AE0241.6020607@gmail.com>
Dennis Clarke via Gnupg-users wrote:
>
> Dear GnuPG type folks :
>
> I don't know what this means. Can we just compile with a decent C
> compiler such as the LLVM/Clang in FreeBSD ?
>
>
> [...]
>
> Libgcrypt v1.10.2 has been configured as follows:
>
> [...]
>
> Please not that your compiler does not support the GCC style
> aligned attribute. Using this software may evoke bus errors.
>
> hydra$
>
>
> So what does that mean ? I *must* use GCC to compile this source ?
It means that the sources use a GNU extension that configure has
detected that Clang does not properly implement. The specific example
cited ("aligned") should be non-critical for you, since you are running
on AMD64 and that architecture does not actually require proper
alignment. The resultant executables should work in your case, but at
reduced performance (unaligned accesses are permitted on x86-64, but are
slower than aligned accesses) unless SSE (which *does* have hard
alignment requirements) is used. Since I note that you are disabling
the use of assembler modules, SSE will probably *not* be used in your
executable.
In short, try it---if it works for you, great! If GPG crashes with
SIGBUS, try rebuilding it with GCC before reporting a bug in GPG. If it
works when built with GCC, you have found a bug (a missing feature that
Clang claims to have) in Clang. Clang typically defines __GNUC__, thus
claiming to support GNU extensions, so this is a bug in Clang if your
Clang-compiled GPG does not work.
-- Jacob
From dclarke at blastwave.org Wed Jul 12 10:39:29 2023
From: dclarke at blastwave.org (Dennis Clarke)
Date: Wed, 12 Jul 2023 04:39:29 -0400
Subject: Strange message seen on FreeBSD 14.0 amd64
In-Reply-To: <64AE0241.6020607@gmail.com>
References: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
<64AE0241.6020607@gmail.com>
Message-ID: <8f5bcd49-8d07-88bd-6bc3-d2f55b82a659@blastwave.org>
On 7/11/23 21:30, Jacob Bachmeyer wrote:
> Dennis Clarke via Gnupg-users wrote:
>>
>> Dear GnuPG type folks :
>>
>> ??? I don't know what this means. Can we just compile with a decent C
>> ?compiler such as the LLVM/Clang in FreeBSD ?
>>
>>
>> [...]
>>
>> ??????? Libgcrypt v1.10.2 has been configured as follows:
>>
>> [...]
>>
>> ?? Please not that your compiler does not support the GCC style
>> ?? aligned attribute. Using this software may evoke bus errors.
>>
>> hydra$
>>
>>
>> So what does that mean ? I *must* use GCC to compile this source ?
>
> It means that the sources use a GNU extension that configure has
> detected that Clang does not properly implement.? The specific example
> cited ("aligned") should be non-critical for you, since you are running
> on AMD64 and that architecture does not actually require proper
> alignment.? The resultant executables should work in your case, but at
> reduced performance (unaligned accesses are permitted on x86-64, but are
> slower than aligned accesses) unless SSE (which *does* have hard
> alignment requirements) is used.? Since I note that you are disabling
> the use of assembler modules, SSE will probably *not* be used in your
> executable.
>
> In short, try it---if it works for you, great!? If GPG crashes with
> SIGBUS, try rebuilding it with GCC before reporting a bug in GPG.? If it
> works when built with GCC, you have found a bug (a missing feature that
> Clang claims to have) in Clang.? Clang typically defines __GNUC__, thus
> claiming to support GNU extensions, so this is a bug in Clang if your
> Clang-compiled GPG does not work.
>
>
> -- Jacob
>
Wonderful! Thank you for the detailed reply as well as the comfort that
this should "just work"(tm) or not. I did disable the asm goodies as I
wanted to easily ( trivially? ) be able to single step around in there
with gdb.
So then, phasers on stun and I will go forth with reckless abandon and
see what dumps core and SIGSEGBEER. Or not.
--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
Belt and suspenders suggested.
From csh at bluehome.net Wed Jul 12 05:28:36 2023
From: csh at bluehome.net (Caleb Herbert)
Date: Tue, 11 Jul 2023 22:28:36 -0500
Subject: Failed to use GPG key for SSH
Message-ID: <9e5f9c785e639ffed6f1c402ca23d74559ddbfa7.camel@bluehome.net>
I've followed the guide at
https://opensource.com/article/19/4/gpg-subkeys-ssh before, with
success. But lately, I haven't been able to use SSH.
I'll try to provide enough info below.
OS: Fedora Silverblue 38
[caleb at farnsworth ~]$ gpg --list-secret-keys
/var/home/caleb/.gnupg/pubring.kbx
----------------------------------
sec# rsa3072 2023-06-29 [SC]
631CC434A56B5CBDFF21234697643795FA3E4BCE
uid [ultimate] Caleb Herbert
ssb# rsa3072 2023-06-29 [E]
ssb# rsa2048 2023-06-29 [A]
[caleb at farnsworth ~]$ ls -la ~/.gnupg/
total 76
drwx------. 1 caleb caleb 230 Jul 11 21:59 .
drwx------. 1 caleb caleb 378 Jul 11 19:55 ..
drw-------. 1 caleb caleb 14 Jul 9 02:26 crls.d
-rw-------. 1 caleb caleb 19 Jul 8 22:00 gpg-agent.conf
drw-------. 1 caleb caleb 88 Jul 8 22:00 openpgp-revocs.d
drw-------. 1 caleb caleb 264 Jul 8 22:00 private-keys-v1.d
-rw-------. 1 caleb caleb 6498 Jul 9 00:37 pubring.kbx
-rw-------. 1 caleb caleb 2718 Jul 8 22:00 pubring.kbx~
-rw-------. 1 caleb caleb 600 Jul 11 19:46 random_seed
-rw-------. 1 caleb caleb 758 Jul 11 21:59 sshcontrol
-rw-------. 1 caleb caleb 49152 Jul 8 22:00 tofu.db
-rw-------. 1 caleb caleb 1280 Jul 8 22:00 trustdb.gpg
[caleb at farnsworth ~]$ cat .gnupg/gpg-agent.conf
enable-ssh-support
[caleb at farnsworth ~]$ tail .bashrc
if [ -f "$rc" ]; then
. "$rc"
fi
done
fi
unset rc
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
[caleb at farnsworth ~]$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-
ssh-socket)
[caleb at farnsworth ~]$ gpgconf --launch gpg-agent
[caleb at farnsworth ~]$ ssh-add -L
The agent has no identities.
--
Caleb Herbert
https://bluehome.net/csh/
From bernd at kr217.de Wed Jul 12 11:43:57 2023
From: bernd at kr217.de (Bernd Naumann)
Date: Wed, 12 Jul 2023 11:43:57 +0200
Subject: Failed to use GPG key for SSH
In-Reply-To: <9e5f9c785e639ffed6f1c402ca23d74559ddbfa7.camel@bluehome.net>
References: <9e5f9c785e639ffed6f1c402ca23d74559ddbfa7.camel@bluehome.net>
Message-ID: <77be0ed5-5524-ab96-0df1-7cac4c08171a@kr217.de>
On 12.07.23 05:28, Caleb Herbert wrote:
> [caleb at farnsworth ~]$ export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-
> ssh-socket)
> [caleb at farnsworth ~]$ gpgconf --launch gpg-agent
> [caleb at farnsworth ~]$ ssh-add -L
> The agent has no identities.
>
Hi Caleb,
But you have the correct keygrip in `~/.gnupg/sshcontrol`?
(Don't nail me on details, but my impression was, that /sometimes/ a
kill on the gpg-agent is necessary, however `gpgconf --reload` should be
enough.)
From tlikonen at iki.fi Wed Jul 12 12:55:51 2023
From: tlikonen at iki.fi (Teemu Likonen)
Date: Wed, 12 Jul 2023 13:55:51 +0300
Subject: Failed to use GPG key for SSH
In-Reply-To: <9e5f9c785e639ffed6f1c402ca23d74559ddbfa7.camel@bluehome.net>
References: <9e5f9c785e639ffed6f1c402ca23d74559ddbfa7.camel@bluehome.net>
Message-ID: <877cr54cw8.fsf@iki.fi>
* 2023-07-11 22:28:36-0500, Caleb Herbert wrote:
> But lately, I haven't been able to use SSH.
> sec# rsa3072 2023-06-29 [SC]
> 631CC434A56B5CBDFF21234697643795FA3E4BCE
> uid [ultimate] Caleb Herbert
> ssb# rsa3072 2023-06-29 [E]
> ssb# rsa2048 2023-06-29 [A]
Secret keys are missing from this keyring, tells the "#" mark. Text
"sec#" means that the primary secret key is missing and "ssb#" tells the
same about secret subkeys. Those should read as "sec" and "ssb", without
the "#" mark, or "sec>" or "ssb>" if the key data is actually on a smart
card.
--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: not available
URL:
From csh at bluehome.net Wed Jul 12 15:10:22 2023
From: csh at bluehome.net (Caleb Herbert)
Date: Wed, 12 Jul 2023 08:10:22 -0500
Subject: Failed to use GPG key for SSH
In-Reply-To: <877cr54cw8.fsf@iki.fi>
References: <9e5f9c785e639ffed6f1c402ca23d74559ddbfa7.camel@bluehome.net>
<877cr54cw8.fsf@iki.fi>
Message-ID:
On Wed, 2023-07-12 at 13:55 +0300, Teemu Likonen wrote:
> Secret keys are missing from this keyring, tells the "#" mark. Text
> "sec#" means that the primary secret key is missing and "ssb#" tells
> the
> same about secret subkeys. Those should read as "sec" and "ssb",
> without
> the "#" mark, or "sec>" or "ssb>" if the key data is actually on a
> smart
> card.
>
That doesn't sound good. But I can decrypt and encrypt mail, and
connect to SSH, now that I've restarted gpg-agent.
--
Caleb Herbert
https://bluehome.net/csh/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part
URL:
From bernd at kr217.de Thu Jul 13 21:51:00 2023
From: bernd at kr217.de (Bernd Naumann)
Date: Thu, 13 Jul 2023 21:51:00 +0200
Subject: get OpenPGP pubkeys authenticated using German personal ID
Message-ID: <34adbf9d-fc10-4eae-a521-ad684f49d57c@kr217.de>
/* I don't know how to reply to a previous thread, which predates my
joining on the list. That's why I'm starting a new one. */
I want to share my experience with that service, and have a general
question or two regarding the web-of-trust model.
First: I'm impressed. It (more or less) just works...
...with a GNU/Linux desktop. In Germany! ;) I would have not expected
that, to be honest.
(I have a german ID card (BPA) with the "ePA"-function enabled...)
On an Arch GNU/Linux PC, using Firefox, and with the AusweisApp2 via
flatpak, and an Android phone with the AusweisApp2 from the Google Play
Store, the "remote access" -- using the phone as an NFC card reader --
just worked without issues. IF you just follow the instructions and read
before you click... as always and often.
Procedure is easy and fast-forward:
start the AusweisApp2 on both devices; and start the remote access;
goto the website and start the process;
proof your identity with the ePA;
upload your key; select a uid;
get the mail.
Repeat if you have more the one uid...
Regarding the criticism from Andrew Gallagher on 1 Jun 2023, at 12:23:
> This is not best practice. Normally when email verification is being
performed, the gated action (such as certification, account creation
etc.) is not done until after a (time-bound!) challenge/response
succeeds. This places too much emphasis on verification of the
(non-unique) ?real name? component of the UserID, and not enough on the
machine-readable email address.
>
> This opens up more fundamental questions about the meaning of
signatures over RFC822 UserIDs - do they validate the ?real name?, the
email address, or some combination of the two? For example, an
email-validating CA may only check the email address part, treating the
?real name? as little more than a comment; while Governikus appear to be
doing it the other way around. It is of course up to the receiver to
decide how to interpret signatures, but it only compounds the problem
when not only is the signer?s trustworthiness in question, but also
their intent. How do you interpret the validity of a claim when it?s not
even clear what the claim is?
If a person, say "Max Mustermann", generates a PGP key with the uid "Max
Mustermann "; yes I assume Governikus would
still sign the key, because the Real Name corresponds,
but isn't this signature totally worthless? Because:
Max will probably never get the mail with the signature.
And Olaf has now the signed public key, but he is missing the secret
key. Or not? So is this really an /practical/ issue?
(I want to exclude I'm do not overseeing, or missing something out.)
Another related question:
If we can attest, that the ePA is somehow secure and can not be forged,
then the validation of the identity is pretty good, or not?
/* At least it's far better then a passport validation done by
unqualified personal. If I attend the cryptoparty at FOSDEM, I'm pretty
sure I would not be able to tell if this Italian or French passport is
real or not. */
And a last one:
Why shouldn't I give Governikus (864E 8B95 1ECF C04A F2BB 233E 5E5C
CCB4 A4BF 43D7) a trust-signature with a depth of 2, so I can trust
signatures they made? I have not found such info or recommendation on
their website, but the use-case is probably present?
And btw: Are their any *public* OpenPGP CAs out their?
(Not openpgp-ca.org which you can selfhost and stuff, but rather an
entity checking and validating Person/ID/Key and so forth...)
Thanks and greetings,
Bernd
From bernhard at intevation.de Fri Jul 14 09:16:49 2023
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 14 Jul 2023 09:16:49 +0200
Subject: Strange message seen on FreeBSD 14.0 amd64
In-Reply-To: <8f5bcd49-8d07-88bd-6bc3-d2f55b82a659@blastwave.org>
References: <45d4eb5b-78a3-bedc-b198-63e32c0e8702@blastwave.org>
<64AE0241.6020607@gmail.com>
<8f5bcd49-8d07-88bd-6bc3-d2f55b82a659@blastwave.org>
Message-ID: <202307140916.49481.bernhard@intevation.de>
Am Mittwoch 12 Juli 2023 10:39:29 schrieb Dennis Clarke via Gnupg-users:
> ?Thank you for the detailed reply as well as the comfort that
> this should "just work"(tm) or not.
On gnupg-devel, Niibe wrote that Clang 16 works for him
asking for the version of clang that may have given you issues:
https://lists.gnupg.org/pipermail/gnupg-devel/2023-July/035390.html
Bernhard
--
https://intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL:
From villapla+gnupg-users at uji.es Fri Jul 14 12:06:57 2023
From: villapla+gnupg-users at uji.es (Juanjo)
Date: Fri, 14 Jul 2023 12:06:57 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <202307101552.26529.bernhard@intevation.de>
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
Message-ID:
On Mon, Jul 10, 2023 at 3:54?PM Bernhard Reiter wrote:
>
> Michael,
>
> Am Freitag 07 Juli 2023 20:32:15 schrieb Michael Richardson:
> > > I should eventually describe the environment.
> >
> > Yes please.
> > Could it go into a wiki page or something that people can comment on and/or
> > amend?
>
> feel free to open a page with the info that Werner has already given on
> https://wiki.gnupg.org
This may be a good starting point: https://github.com/drduh/YubiKey-Guide
In fact, there I finally found how to set the default Yubikey used by
"gpg --card-edit" when you have multiple keys inserted (remember
AlmaLinux9, gnupg2-2.3.3-2.el9_0.x86_64):
$ ykman list
YubiKey 5 NFC (5.4.3) [CCID] Serial: 18137XXX
YubiKey 5 NFC (5.4.3) [CCID] Serial: 18137YYY
YubiKey 5 NFC (5.4.3) [CCID] Serial: 18137ZZZ
$
$ gpg --card-status | grep -E "^Reader|^Application ID|^Serial number"
Reader ...........: Yubico YubiKey CCID 03 00
Application ID ...: D276000124010000000618137XX0000
Serial number ....: 18137XXX
$
$ gpg --card-status all | grep -E "^Reader|^Application ID|^Serial number"
Reader ...........: Yubico YubiKey CCID 03 00
Application ID ...: D276000124010000000618137XXX0000
Serial number ....: 18137XXX
Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Serial number ....: 18137YY
Reader ...........: Yubico YubiKey CCID 00 00
Application ID ...: D276000124010000000618137ZZZ0000
Serial number ....: 18137ZZ
$
$
$ gpg-connect-agent 'SCD SERIALNO help' /bye
[...]
# SERIALNO [--demand=] [--all] []
[...]
$
$ gpg-connect-agent 'scd serialno
--demand=D276000124010000000618137YYY0000' /bye
S SERIALNO D276000124010000000618137YYY0000
OK
$
$ gpg --card-status | grep -E "^Reader|^Application ID|^Serial number"
Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Serial number ....: 18137YYY
$
$ gpg --card-edit
Reader ...........: Yubico YubiKey CCID 02 00
Application ID ...: D276000124010000000618137YYY0000
Application type .: OpenPGP
Version ..........: 0.0
Manufacturer .....: Yubico
Serial number ....: 18137YYY
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 5 5 5
Signature counter : 4
KDF setting ......: on
UIF setting ......: Sign=on Decrypt=on Auth=on
Signature key ....: ABCD 1234 ....
created ....: 2023-07-14 07:48:45
Encryption key....: ABCD 1234 ....
created ....: 2023-07-14 07:48:45
Authentication key: ABCD 1234 ....
created ....: 2023-07-14 07:48:45
General key info..:
pub rsa4096/...
sec> rsa4096/XYZ987... created: 2023-07-14 expires: never
card-no: 0006 18137YYY
ssb> rsa4096/XYZ987... created: 2023-07-14 expires: never
card-no: 0006 18137YYY
ssb> rsa4096/XYZ987... created: 2023-07-14 expires: never
card-no: 0006 18137YYY
gpg/card> admin
Admin commands are allowed
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
[...]
>
> Regards,
> Bernhard
Regards,
Juanjo
> --
> https://intevation.de/~bernhard +49 541 33 508 3-3
> Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
> Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
From villapla+gnupg-users at uji.es Mon Jul 17 09:01:30 2023
From: villapla+gnupg-users at uji.es (Juanjo)
Date: Mon, 17 Jul 2023 09:01:30 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <18187.1689449793@localhost>
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
<18187.1689449793@localhost>
Message-ID:
On Sat, Jul 15, 2023 at 9:36?PM Michael Richardson wrote:
>
>
> Juanjo via Gnupg-users wrote:
> >> should eventually describe the environment.
> >> >
> >> > Yes please. > Could it go into a wiki page or something that people
> >> can comment on and/or > amend?
> >>
> >> feel free to open a page with the info that Werner has already given
> >> on https://wiki.gnupg.org
>
> > This may be a good starting point:
> > https://github.com/drduh/YubiKey-Guide
>
> "Keys stored on YubiKey are non-exportable (as opposed to file-based keys
> that are stored on disk) and are convenient for everyday use. "
>
> In my case, I want the same key on multiple devices, which 3 to 5 core
> members of an open source project will hold.
> (I am also considering if we want a higher security key which would be secret
> split across those keys, but we aren't building a CA here, but..)
>
> Is that possible with these devices?
>
> In some cases keys can be transfered in an encrypted form for another device,
> but not recovered by outsiders.
We use keys generated into the yubikey, but I think the wiki
YubiKey-Guide in my previous e-mail just covers your use case:
generate GPG keys outside the Yubikey, backup them, and then transfer
the generated keys to a single or multiple Yubikeys.
Regards,
Juanjo
From mcr at sandelman.ca Sat Jul 15 21:36:33 2023
From: mcr at sandelman.ca (Michael Richardson)
Date: Sat, 15 Jul 2023 15:36:33 -0400
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
Message-ID: <18187.1689449793@localhost>
Juanjo via Gnupg-users wrote:
>> should eventually describe the environment.
>> >
>> > Yes please. > Could it go into a wiki page or something that people
>> can comment on and/or > amend?
>>
>> feel free to open a page with the info that Werner has already given
>> on https://wiki.gnupg.org
> This may be a good starting point:
> https://github.com/drduh/YubiKey-Guide
"Keys stored on YubiKey are non-exportable (as opposed to file-based keys
that are stored on disk) and are convenient for everyday use. "
In my case, I want the same key on multiple devices, which 3 to 5 core
members of an open source project will hold.
(I am also considering if we want a higher security key which would be secret
split across those keys, but we aren't building a CA here, but..)
Is that possible with these devices?
In some cases keys can be transfered in an encrypted form for another device,
but not recovered by outsiders.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 511 bytes
Desc: not available
URL:
From andrewg at andrewg.com Mon Jul 17 17:36:39 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 17 Jul 2023 16:36:39 +0100
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <18187.1689449793@localhost>
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
<18187.1689449793@localhost>
Message-ID:
On 15 Jul 2023, at 20:36, Michael Richardson wrote:
>
> Juanjo via Gnupg-users wrote:
>
>> This may be a good starting point:
>> https://github.com/drduh/YubiKey-Guide
>
> "Keys stored on YubiKey are non-exportable (as opposed to file-based keys
> that are stored on disk) and are convenient for everyday use. "
>
> In my case, I want the same key on multiple devices, which 3 to 5 core
> members of an open source project will hold.
> (I am also considering if we want a higher security key which would be secret
> split across those keys, but we aren't building a CA here, but..)
>
> Is that possible with these devices?
>
> In some cases keys can be transfered in an encrypted form for another device,
> but not recovered by outsiders.
This is not possible with a Yubikey. If you want the same (sub)keys on multiple devices you must generate them on your laptop and copy them to each device in turn, remembering not to delete until you?re done.
A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL:
From mcr+ietf at sandelman.ca Mon Jul 17 19:36:02 2023
From: mcr+ietf at sandelman.ca (Michael Richardson)
Date: Mon, 17 Jul 2023 13:36:02 -0400
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
<18187.1689449793@localhost>
Message-ID: <18475.1689615362@localhost>
Andrew Gallagher wrote:
>> Juanjo via Gnupg-users wrote:
>>
>>> This may be a good starting point:
>>> https://github.com/drduh/YubiKey-Guide
>>
>> "Keys stored on YubiKey are non-exportable (as opposed to file-based
>> keys that are stored on disk) and are convenient for everyday use. "
>>
>> In my case, I want the same key on multiple devices, which 3 to 5 core
>> members of an open source project will hold. (I am also considering
>> if we want a higher security key which would be secret split across
>> those keys, but we aren't building a CA here, but..)
>>
>> Is that possible with these devices?
>>
>> In some cases keys can be transfered in an encrypted form for another
>> device, but not recovered by outsiders.
> This is not possible with a Yubikey. If you want the same (sub)keys on
> multiple devices you must generate them on your laptop and copy them to
> each device in turn, remembering not to delete until you?re done.
okay, so in this case we are using the Yubikey only as a storage, equivalent
essentially to a USB storage? Or does it still do crypto on the device?
--
Michael Richardson . o O ( IPv6 I?T consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 515 bytes
Desc: not available
URL:
From andrewg at andrewg.com Tue Jul 18 11:11:46 2023
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 18 Jul 2023 10:11:46 +0100
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <18475.1689615362@localhost>
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
<18187.1689449793@localhost>
<18475.1689615362@localhost>
Message-ID:
On 17 Jul 2023, at 18:36, Michael Richardson wrote:
>
> Andrew Gallagher wrote:
>>> Juanjo via Gnupg-users wrote:
>>>
>>> "Keys stored on YubiKey are non-exportable (as opposed to file-based
>>> keys that are stored on disk) and are convenient for everyday use. "
>>>
>>> In my case, I want the same key on multiple devices, which 3 to 5 core
>>> members of an open source project will hold. (I am also considering
>>> if we want a higher security key which would be secret split across
>>> those keys, but we aren't building a CA here, but..)
>>>
>>> Is that possible with these devices?
>>>
>>> In some cases keys can be transfered in an encrypted form for another
>>> device, but not recovered by outsiders.
>
>> This is not possible with a Yubikey. If you want the same (sub)keys on
>> multiple devices you must generate them on your laptop and copy them to
>> each device in turn, remembering not to delete until you?re done.
>
> okay, so in this case we are using the Yubikey only as a storage, equivalent
> essentially to a USB storage? Or does it still do crypto on the device?
The yubikey performs cryptography on the device, but does have a small amount of flash memory to store the private key material. The yubikey does not provide any method to copy the private key material back off that storage, it can only be overwritten or used by the yubikey?s own processor.
A
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL:
From mcr at sandelman.ca Thu Jul 20 03:47:49 2023
From: mcr at sandelman.ca (Michael Richardson)
Date: Wed, 19 Jul 2023 21:47:49 -0400
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
<18187.1689449793@localhost>
<18475.1689615362@localhost>
Message-ID: <13930.1689817669@localhost>
Andrew Gallagher wrote:
> The yubikey performs cryptography on the device, but does have a small
> amount of flash memory to store the private key material. The yubikey
> does not provide any method to copy the private key material back off
> that storage, it can only be overwritten or used by the yubikey?s own
> processor.
So I can generate the key on laptop, copy it to multiple yubikey, and do the
crypto on the device, and the yubikey won't let the private key out again.
Once I destroy the copy on my laptop, them I'm good.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 511 bytes
Desc: not available
URL:
From klaus at vink-slott.dk Mon Jul 24 20:36:37 2023
From: klaus at vink-slott.dk (Klaus Vink Slott)
Date: Mon, 24 Jul 2023 20:36:37 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To: <13930.1689817669@localhost>
References:
<87bkgnc28d.fsf@wheatstone.g10code.de> <2133.1688754735@localhost>
<202307101552.26529.bernhard@intevation.de>
<18187.1689449793@localhost>
<18475.1689615362@localhost>
<13930.1689817669@localhost>
Message-ID:
On 20.07.2023 kl. 03.47 Michael Richardson wrote:
>
> Andrew Gallagher wrote: The yubikey
> > does not provide any method to copy the private key material back off
> > that storage..
>
> So I can generate the key on laptop, copy it to multiple yubikey, and do the
> crypto on the device, and the yubikey won't let the private key out again.
> Once I destroy the copy on my laptop, them I'm good.
Right, although I would recommend to copy key onto two keys, in case you
loose your primary key or it breaks for some reason.
Another possibility is to keep the "generator pc" on a safe place.
--
Klaus
From xyz938 at onionmail.org Tue Jul 25 18:31:24 2023
From: xyz938 at onionmail.org (xyz938)
Date: Tue, 25 Jul 2023 16:31:24 +0000
Subject: Dear sirs and ladies
Message-ID: <5d1f53e0-d88d-5f3e-d3db-2d30a991c714@onionmail.org>
Dear sirs and ladies!
I have installed Nethogs. I noticed sent traffic always matches recieved traffic
almost at a 100/100 basis.
This traffic pattern never occurs in Debian surveying traffic with nethogs. I am
curious as to why if I may ask?
Thank you.
Best regards
XYZ
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From wk at gnupg.org Thu Jul 27 18:07:19 2023
From: wk at gnupg.org (Werner Koch)
Date: Thu, 27 Jul 2023 18:07:19 +0200
Subject: "gpg --card-edit" with multiple card readers (Yubikey)
In-Reply-To:
(Juanjo via Gnupg-users's message of "Mon, 10 Jul 2023 10:48:07
+0200")
References:
<87lefsasf0.fsf@wheatstone.g10code.de>
<87bkgnc28d.fsf@wheatstone.g10code.de>
Message-ID: <87tttpbao8.fsf@wheatstone.g10code.de>
On Mon, 10 Jul 2023 10:48, Juanjo said:
> There are other setting managed via "ykman" not provided by "gpg-card" :
> * The number of PIN retry attempts: ykman openpgp access set-retries
> * The touch policy: ykman openpgp keys set-touch
Easy to add; do you want to file a feature request over at dev.gnupg.org
?
> Unfortunately, "gpg-card" doesn't provide the "key-attr" command we
> used to change from default rsa2048 to rsa4096.
You don't need it because this is now done on the fly (might require to
enter the Admin PIN twice, though). See also
gpg/card> help generate
GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
Create a new key on a card.
Use --force to overwrite an existing key.
Use "help" for ALGO to get a list of known algorithms.
For OpenPGP cards several algos may be given.
Note that the OpenPGP key generation is done interactively
unless a single ALGO or KEYREF are given.
[Supported by: OpenPGP, PIV]
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: