From luca.vincenti at garr.it Mon Dec 2 10:06:30 2024
From: luca.vincenti at garr.it (Luca Vincenti)
Date: Mon, 2 Dec 2024 10:06:30 +0100
Subject: Mirroring GnuPG
In-Reply-To: <2284314.vFx2qVVIhK@daneel>
References: <2284314.vFx2qVVIhK@daneel>
Message-ID: <9054631a-b62e-41d5-8dda-31271e7e5f37@garr.it>

Hi,
thank you for your answer.

We do not think that is our problem as the rsync server is still online,
the problem is specifically with these files:

- /gnupg/g10-0.2.3.tar.gz.pgp.sig
- /gnupg/g10-0.2.3.tar.gz.sig
- /gnupg/g10-0.2.4.tar.gz.pgp.sig
- /gnupg/g10-0.2.5.tar.gz.pgp.sig
- /gnupg/g10-0.2.6.tar.gz.pgp.sig
- /gnupg/g10-0.2.7.tar.gz.sig

Everything else is copied and mirrored correctly.

GARR Mirror Service

On 28/11/24 17:42, Ingo Klöcker wrote:
> On Mittwoch, 27. November 2024 12:09:36 Mitteleuropäische Normalzeit Luca
> Vincenti via Gnupg-users wrote:
>> We at GARR have a mirror service aimed at the Italian community and we
>> have been mirroring this project for a while using rsync on this source:
>> ftp.gnupg.org::gnupg.
> I think you missed this announcement at https://gnupg.org/
> ```
> Our FTP server has been discontinued (2024-08-20)
>
> For technical and organisational reasons we recently shutdown our FTP server.
> Instead of using ftp.gnupg.org please use https://gnupg.org/ftp/ .
> ```
>
> All FTP mirrors seem to be dead or empty. A couple of HTTP mirrors seem to
> mirror https://gnupg.org/ftp/gcrypt .
>
> Regards,
> Ingo

--
Luca Vincenti
Gruppo IT - Dipartimento Infrastruttura
GARR - The Italian Academic and Research Network
Via dei Tizii, 6/b - 00185 Roma, Italy
Tel: +39 06 4962 2517
Mob: +39 331 1404831
Email: luca.vincenti at garr.it

From wk at gnupg.org Mon Dec 2 13:49:36 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Dec 2024 13:49:36 +0100
Subject: Mirroring GnuPG
In-Reply-To: <9054631a-b62e-41d5-8dda-31271e7e5f37@garr.it> (Luca Vincenti via Gnupg-users's message of "Mon, 2 Dec 2024 10:06:30 +0100")
References: <2284314.vFx2qVVIhK@daneel> <9054631a-b62e-41d5-8dda-31271e7e5f37@garr.it>
Message-ID: <871pyq45cv.fsf@jacob.g10code.de>

On Mon, 2 Dec 2024 10:06, Luca Vincenti said:

> We do not think that is our problem as the rsync server is still
> online, the problem is specifically with these files:

As you said: Wrong permissions; which sometimes happens when ssh-ing
files from the internal repo - I fixed the permissions. Thanks for
reporting.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From ratbag at gmx.com Mon Dec 2 18:52:33 2024
From: ratbag at gmx.com (R.Bag)
Date: Mon, 2 Dec 2024 10:52:33 -0700
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To:
References:
Message-ID:

I notice in the "release archive" section on the server does not
include gnupg 1.4 (i.e., pre 2.x) versions. Could someone kindly
point out where these might be available from?

TIA.,

R.Bag

From wk at gnupg.org Mon Dec 2 22:23:21 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Dec 2024 22:23:21 +0100
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To: (R. Bag via Gnupg-users's message of "Mon, 2 Dec 2024 10:52:33 -0700")
References:
Message-ID: <87o71t3hkm.fsf@jacob.g10code.de>

On Mon, 2 Dec 2024 10:52, R.Bag said:

> I notice in the "release archive" section on the server does not
> include gnupg 1.4 (i.e., pre 2.x) versions. Could someone kindly
> point out where these might be available from?

gnupg-1.4.23.tar.bz2 is the latest version.
Same place as all other gnupg source tarballs. But pretty please use it
only to decrypt old PGP2 style encrypted data.

Shalom-Salam,

   Werner

From ralph at ml.seichter.de Mon Dec 2 22:05:56 2024
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Mon, 02 Dec 2024 22:05:56 +0100
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To:
References:
Message-ID:

* R.Bag via Gnupg-users:

> I notice in the "release archive" section on the server does not
> include gnupg 1.4 (i.e., pre 2.x) versions.

Correct. I don't know where one might be able to find pre-built GnuPG
1.4 binaries, especially ones which support modern versions of macOS,
let alone ARM CPUs. Consider that GnuPG release 1.4.23 dates back to
2018, and the world of Macs has changed a lot since then.

-Ralph

From ratbag at gmx.com Tue Dec 3 03:55:38 2024
From: ratbag at gmx.com (R.Bag)
Date: Mon, 2 Dec 2024 19:55:38 -0700
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To: <87o71t3hkm.fsf@jacob.g10code.de>
References: <87o71t3hkm.fsf@jacob.g10code.de>
Message-ID:

> gnupg-1.4.23.tar.bz2 is the latest version. Same place as all other
> gnupg source tarballs. But pretty please use it only to decrypt old
> PGP2 style encrypted data.

We distribute a particular set of symmetrically-encrypted files,
and would like to give Apple users the ability to decrypt those
using a simple terminal command-line, without the need for them
to "install" anything on their computers.

We lack the hardware or time to build 1.4 (for OSX); all we can
do for such users would be to point them to a trusted source of
gpg 1.4.x binary; the same we normally do for our MS Windows and
Linux users.

Thanks again for your help.

R.
Bag

From oberrauc at cit.tum.de Tue Dec 3 13:37:25 2024
From: oberrauc at cit.tum.de (Michael Oberrauch)
Date: Tue, 03 Dec 2024 13:37:25 +0100
Subject: Signing Failure with gpg-agent and scdaemon
Message-ID: <6541fad0fa50045e5153a6fe6cedb40e2863ea9b.camel@cit.tum.de>

Hi everyone,

I have the following setup: GPG Key (3 subkeys, one of which is for
authentication) on a YubiKey and GPG Agent with SSH Agent support
accessing that key to authenticate myself on remote servers.

Now, in our organization we use SSH Host Certificates signed by a
central Service for easier trust handling. SSH auth did work well as I
was always used to, until we updated our VMs to Ubuntu 24.04. The SSH
Hostkey registration process did not change and password login was
still possible, however, I now got "GPG Agent error" and an aborted and
failed signing process when using my SSH Key.

After some debugging of the gpg-agent and scdaemon I found, that the
data the ssh service wants to have signed for authentication increased
drastically in length between 20.04 and 24.04 (why I did not
investigate), now it was over 500 bytes, which then lets the check in
agent/call-scd.c line 503 [1] fail as the ASSUAN_LINELENGTH defined in
assuan.h is only 1002.

Has anyone else encountered such a problem before? I did not really
find anyone else with a similar problem on the internet.

Just to test it locally I adapted and compiled libassuan myself,
bumping the aforementioned value to 2002, recompiled the gnupg package
and got it to work again. This is, however, just an intermediate
solution as this obviously breaks my normal system's packaging and
update process.

Does anyone know, if there is a reason for this value to be arbitrarily
at 1000, especially since it is smaller than the length of data some
systems (e.g. ssh) may request to sign. If not, could the
ASSUAN_LINELENGTH be increased in future releases?

Cheers,
Michael

[1] For anyone not willing to look up the code:

    if (indatalen*2 + 50 > DIM(line))
      return unlock_scd (ctrl, gpg_error (GPG_ERR_GENERAL));

--
Michael Oberrauch
Systemgruppe IT Operations
School of Computation, Information, and Technology
Technische Universität München
Boltzmannstr. 3
85748 Garching b. München
Deutschland
https://cit.tum.de
oberrauc at cit.tum.de

From wk at gnupg.org Tue Dec 3 15:35:22 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Dec 2024 15:35:22 +0100
Subject: Signing Failure with gpg-agent and scdaemon
In-Reply-To: <6541fad0fa50045e5153a6fe6cedb40e2863ea9b.camel@cit.tum.de> (Michael Oberrauch via Gnupg-users's message of "Tue, 03 Dec 2024 13:37:25 +0100")
References: <6541fad0fa50045e5153a6fe6cedb40e2863ea9b.camel@cit.tum.de>
Message-ID: <87a5dc3kd1.fsf@jacob.g10code.de>

Hi!

On Tue, 3 Dec 2024 13:37, Michael Oberrauch said:

> Has anyone else encountered such a problem before? I did not really
> find anyone else with a similar problem on the internet.

We had a similar problem 12 years ago when 3072 bit keys started to
show up. With commit 905b6a36d3ca21b2f619721e1de892398e5eb759 this was
fixed for decryption. Signing was in general not a problem because
most applications sign only a hash and this fits nicely into the limit.

Meanwhile ssh started to do some silly things, like directly signing
the host bounding data instead of hashing it first and then sign the
hash. This leads to large amounts of to-be-signed data which is in
general okay but does not work with all smartcards or readers. This
data is large in the context of smartcard and their APDUs.
See for example https://dev.gnupg.org/T5931

> Does anyone know, if there is a reason for this value to be arbitrarily
> at 1000, especially since it is smaller than the length of data some

Arbitrary, so that small static buffer can be used and ppl do not try
to abuse the command channel for bulk data.

Fix should be easy. Tracked by https://dev.gnupg.org/T7436

Thanks for reporting.

Shalom-Salam,

   Werner

From rjh at sixdemonbag.org Tue Dec 3 23:15:16 2024
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 3 Dec 2024 17:15:16 -0500
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To:
References: <87o71t3hkm.fsf@jacob.g10code.de>
Message-ID: <2ed3ed4a-aa6e-4d1c-ba5c-f7daf1e5d37f@sixdemonbag.org>

> We distribute a particular set of symmetrically-encrypted files,
> and would like to give Apple users the ability to decrypt those
> using a simple terminal command-line, without the need for them
> to "install" anything on their computers.

At risk of sounding disloyal to GnuPG, this isn't a very good use case
for GnuPG. Even GnuPG 1.4 is way, way too much hammer for your task.

If I was distributing purely symmetrically encrypted files and didn't
need sophisticated PKI management or signatures I'd probably use rage.
Prebuilt MacOS binaries are available.

https://github.com/str4d/rage/releases

From ratbag at gmx.com Wed Dec 4 00:56:54 2024
From: ratbag at gmx.com (R. Bag)
Date: Tue, 3 Dec 2024 16:56:54 -0700
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To: <2ed3ed4a-aa6e-4d1c-ba5c-f7daf1e5d37f@sixdemonbag.org>
References: <87o71t3hkm.fsf@jacob.g10code.de> <2ed3ed4a-aa6e-4d1c-ba5c-f7daf1e5d37f@sixdemonbag.org>
Message-ID: <111689c9-317f-471f-a89e-9614ab8744a1@gmx.com>

> even GnuPG 1.4 is way, way too much hammer for your task.

Of course it is. But our users know what GnuPG is, and they would,
we assume, trust it without any prompting from us.

There are many other encryption programs around, perfectly capable
of symmetrical encryption where key distribution is not a problem.
However, we do not want to be in the position to tell the recipients:
Trust ~us~, XYZ is secure to use to send ~your~ secrets over the
public net.

(we also don't want to tell them: install XYZ on your computer if you
want to be able to use what we sent you. We also don't want to bring
browsers/servers into play; the files are distributed as e-mail
attachments, if the users consider it necessary, they can deal with
the stuff on off-line computers. Some of them actually do just that).

R. Bag

From ralph at ml.seichter.de Wed Dec 4 21:48:56 2024
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Wed, 04 Dec 2024 21:48:56 +0100
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To: <111689c9-317f-471f-a89e-9614ab8744a1@gmx.com>
References: <87o71t3hkm.fsf@jacob.g10code.de> <2ed3ed4a-aa6e-4d1c-ba5c-f7daf1e5d37f@sixdemonbag.org> <111689c9-317f-471f-a89e-9614ab8744a1@gmx.com>
Message-ID:

* R. Bag via Gnupg-users:

> our users know what GnuPG is, and they would, we assume, trust it
> without any prompting from us.

If your sole goal is to distribute GnuPG encoded files which third
parties are going to decode: Are these encoded files historic in
nature, or will you be encoding them "fresh" in the future?

If it's the latter, why not use modern GnuPG 2.4 (stable) or at least
2.2 (LTS)? Binaries for those are readily available across platforms.
Your macOS users can even use package managers like Nix, MacPorts or
Homebrew if they don't wish to download a dedicated installer like the
one I provide via SourceForge.

The only problem I can see is outdated GnuPG version 1.4 getting in the
way.

-Ralph

From rjh at sixdemonbag.org Thu Dec 5 07:28:21 2024
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 5 Dec 2024 01:28:21 -0500
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To: <111689c9-317f-471f-a89e-9614ab8744a1@gmx.com>
References: <87o71t3hkm.fsf@jacob.g10code.de> <2ed3ed4a-aa6e-4d1c-ba5c-f7daf1e5d37f@sixdemonbag.org> <111689c9-317f-471f-a89e-9614ab8744a1@gmx.com>
Message-ID: <81ed032e-8a08-4bed-95fb-7fb894f38cf5@sixdemonbag.org>

> But our users know what GnuPG is, and they would, we assume,
> trust it without any prompting from us.

As a guy who's been supporting users in communications security issues
since 1991, please forgive me for sharing some very hard-earned wisdom.

Never assume anything about your clients. If something is important
enough to affect how they communicate, don't assume: ask.

I am too embarrassed to tell you how long it took me to learn that.
Please consider learning from my error.

> (we also don't want to tell them: install XYZ on your
> computer if you want to be able to use what we sent you.

You're already doing that. My MacBook didn't come with GnuPG installed.
I had to do that myself. If you have a workflow dependency on GnuPG,
you are insisting your users install it.

From wk at gnupg.org Fri Dec 6 11:02:08 2024
From: wk at gnupg.org (Werner Koch)
Date: Fri, 06 Dec 2024 11:02:08 +0100
Subject: [Announce] GnuPG 2.5.2 released
Message-ID: <87v7vxyvrz.fsf@jacob.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.5.2. This release is the third of a series of public testing
releases eventually leading to a new stable version 2.6. We also
release a first Beta version of the forthcoming Gpg4win 5.0.

The main features in the 2.6 series are improvements for 64 bit Windows
and the introduction of a PQC encryption algorithm. Other than PQC
support the 2.6 series will not differ a lot from 2.4 because the
majority of changes are internal to make use of newer features from the
supporting libraries.


What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages. A wealth of frontend applications and libraries
making use of GnuPG are available. As an universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.5.2 (2024-12-05)
================================================

  [compared to version 2.5.1]

  * gpg: Add option 16 to --full-gen-key to create ECC+Kyber.
    [T6638]

  * gpg: For composite algos add the algo string to the colons
    listings. [T6638]

  * gpg: Validate the trustdb after the import of a trusted key.
    [T7200]

  * gpg: Exclude expired trusted keys from the key validation
    process. [T7200]

  * gpg: Fix a wrong decryption failed status for signed and OCB
    encrypted messages without a signature verification key. [T7042]

  * gpg: Retain binary representation for import->export with
    Ed25519 key signatures. [T7426]

  * gpg: Fix comparing ed448 to ed25519 with --assert-pubkey-algo.
    [T7425]

  * gpg: Avoid a failure exit code for expired ultimately trusted
    keys. [T7351]

  * gpg: Emit status error for an invalid ADSK. [T7322]

  * gpg: Allow the use of an ADSK subkey as ADSK subkey. [T6882]

  * gpg: Fix --quick-set-expire for V5 subkey fingerprints. [T7298]

  * gpg: Robust error handling for SCD READKEY. [T7309]

  * gpg: Fix cv25519 v5 export regression. [T7316]

  * gpgsm: Nearly fourfold speedup of validated certificate
    listings. [T7308]

  * gpgsm: Improvement for some rare P12 files. [rGf50dde6269]

  * gpgsm: Terminate key listing on output write error. [T6185]

  * agent: Add option --status to the LISTRUSTED command.
    [rG4275d5fa7a]

  * agent: Fix detection of the yet unused trustflag de-vs. [T5079]

  * agent: Allow ssh to sign data larger than the Assuan line
    length. [T7436]

  * keyboxd: Fix a race condition on the database handle. [T7294]

  * dirmngr: A list of used URLs for loaded CRLs is printed first in
    the output of the LISTCRL command. [T7337]

  * scd: More mitigations against lock ups with multiple cards or
    apps. [T7323, T7402]

  * gpgtar: Use log-file from common.conf only in --batch mode.
    [rGb389e04ef5]

  * gpgtar: Fix directory creation during extraction. [T7380]

  * gpg-mail-tube: Minor fixes.

  * gpgconf: Add list flag to trusted-key et al.
    [T7313]

  * Implement GNUPG_ASSUME_COMPLIANCE envvar and registry key for
    testing de-vs compliance mode. [rGb287fb5775,rG7b0be541a9]

  * Enable additional runtime protections in speedo builds for
    Windows. [rG39aa206dc5]

  * Fix a race condition in creating the socket directory. [T7332]

  * Fix a build problem on macOS (missing unistd.h). [T7193]

  Release-info: https://dev.gnupg.org/T7289


Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary file server. The list of mirrors can be found at .
Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.5.2.tar.bz2 (7959k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.5.2.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.5.2_20241205.exe (5497k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.5.2_20241205.exe.sig

The source used to build this 32 bit Windows installer is available at

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.5.2_20241205.tar.xz (16M)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.5.2_20241205.tar.xz.sig

This Windows source tarball may also be used to download all required
libraries at once to build a Unix version on any modern system. See
the included README but replace the make target "native" by
"this-native".

For Windows a *Beta* version of Gpg4win, our full featured Gpg4win
installer including this version of GnuPG as well as Kleopatra GUI and
a PDF editor can be retrieved from here:

 https://files.gpg4win.org/gpg4win-5.0.0-beta32.exe (43M)
 https://files.gpg4win.org/gpg4win-5.0.0-beta32.exe.sig

with the source code at:

 https://files.gpg4win.org/gpg4win-5.0.0-beta32.tar.xz (260M)
 https://files.gpg4win.org/gpg4win-5.0.0-beta32.tar.xz.sig


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature. For example to verify the signature
   of the file gnupg-2.5.2.tar.bz2 you would use this command:

     gpg --verify gnupg-2.5.2.tar.bz2.sig gnupg-2.5.2.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys. Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum. On Unix systems the command to do
   this is either "sha1sum" or "shasum".
   Assuming you downloaded the file gnupg-2.5.2.tar.bz2, you run the
   command like this:

     sha1sum gnupg-2.5.2.tar.bz2

   and check that the output matches the next line:

25697dd115703c4ba7b9d6a1a00ede65a5cbc7cc  gnupg-2.5.2.tar.bz2
f85f5ad0c6db370f3497fc2cc1e1da9207cfa21a  gnupg-w32-2.5.2_20241205.tar.xz
324a2fa030f1cef1e49d12944b6c3cf34aeef0fd  gnupg-w32-2.5.2_20241205.exe
18125b4e12356ba36a99a6c3656a3482fe4218bd  gpg4win-5.0.0-beta32.tar.xz
6a62cec9deb77751fd8e0e040a87f35d81e813b6  gpg4win-5.0.0-beta32.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian,
Japanese, Norwegian, Polish, Portuguese, Russian, Turkish, and
Ukrainian being almost completely translated.


Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual. The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advice on how to solve problems. Most
of the new features are around for several years and thus enough
public experience is available. https://wiki.gnupg.org has user
contributed information around GnuPG and related software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T7289 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org. If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code
GmbH and has mostly been financed by donations. Several full-time
employed developers and contractors are working exclusively on GnuPG
and closely related software like Libgcrypt, GPGME, Kleopatra and
Gpg4win.

Fortunately, and this is still not common with free software, we have
established a way of financing the development while keeping all our
software free and freely available for everyone. Our model is similar
to the way RedHat manages RHEL and Fedora: Except for the actual binary
of the MSI installer for Windows and client specific configuration
files, all the software is available under the GNU GPL and other Open
Source licenses. Thus customers may even build and distribute their
own version of the software as long as they do not use our trademarks
GnuPG Desktop® or GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, answering questions on the mailing
lists, or helped with donations.

*Thank you all*

   Your GnuPG hackers


p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.

List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners.
Current releases are signed by one or more of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

--
Arguing that you don't care about the right to privacy
because you have nothing to hide is no different from
saying you don't care about free speech because you have
nothing to say. - Edward Snowden

From ratbag at gmx.com Fri Dec 6 02:18:42 2024
From: ratbag at gmx.com (R. Bag)
Date: Thu, 5 Dec 2024 18:18:42 -0700
Subject: GnuPG 1.4 for OS X / macOS
In-Reply-To: <81ed032e-8a08-4bed-95fb-7fb894f38cf5@sixdemonbag.org>
References: <87o71t3hkm.fsf@jacob.g10code.de> <2ed3ed4a-aa6e-4d1c-ba5c-f7daf1e5d37f@sixdemonbag.org> <111689c9-317f-471f-a89e-9614ab8744a1@gmx.com> <81ed032e-8a08-4bed-95fb-7fb894f38cf5@sixdemonbag.org>
Message-ID:

> If something is important
> enough to affect how they communicate, don't assume: ask.

We asked. They are reluctant to do any "installs" just in order
to evaluate our business proposition.

> My MacBook didn't come with GnuPG installed.
> I had to do that myself.

Understood. We would love for Apple to have gpg1 as part of
"standard app repertoire" - just as some/many Linux distributions
do. That, however, is something we can neither influence nor
hope for.

> If you have a workflow dependency on GnuPG, you
> are insisting your users install it.

See above. There is quite a bit of difference between installing
an application, and downloading a trusted binary with no
dependencies and executing it in the shell.

BTW., all we want to do here is to use the same model that we know
(based on experience) works perfectly well for MS Windows and
Linux users, and make it available to Apple users.

R. Bag

From edelauna at gmail.com Tue Dec 10 23:04:52 2024
From: edelauna at gmail.com (Elliott de Launay)
Date: Tue, 10 Dec 2024 17:04:52 -0500
Subject: gpg-preset-passphrase: caching passphrase failed: Forbidden
Message-ID:

Hi there,

I'm having a hard time finding resources to help me troubleshoot the
following error

> gpg-preset-passphrase: problem setting the gpg-agent options
> gpg-preset-passphrase: caching passphrase failed: Forbidden

when I try to preset password via:

$ /usr/lib/gnupg2/gpg-preset-passphrase -c ${myKeyGripe} < ${fileWithPassword}

I do not have a `~/.gnupg/gpg.conf`

```
#~/.gnupg/gpg-agent.conf
allow-preset-passphrase
batch
```

Reloading the agent via `gpg-connect-agent reloadagent /bye`, results in

> gpg-connect-agent: connection to agent is in restricted mode
> ERR 67109115 Forbidden

However I'm able to list, import and export keys fine?

Is there some config that needs to be updated so that the agent does
not operate in restricted mode?

From wk at gnupg.org Wed Dec 11 09:41:16 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 11 Dec 2024 09:41:16 +0100
Subject: gpg-preset-passphrase: caching passphrase failed: Forbidden
In-Reply-To: (Elliott de Launay via Gnupg-users's message of "Tue, 10 Dec 2024 17:04:52 -0500")
References:
Message-ID: <878qsmy5lf.fsf@jacob.g10code.de>

On Tue, 10 Dec 2024 17:04, Elliott de Launay said:

> Reloading the agent via `gpg-connect-agent reloadagent /bye`, results in

BTW, "gpgconf --reload gpg-agent" is a frontend for this.

>> gpg-connect-agent: connection to agent is in restricted mode
>> ERR 67109115 Forbidden

You are using a remote connection - that is your agent is running on
another machine via ssh forwarding of the local socket. For security
reasons certain commands are not allowed. Go to the machine where the
agent is running and run gpg-preset-passphrase over there.

See also https://wiki.gnupg.org/AgentForwarding

Salam-Shalom,

   Werner

From fg.gnupg at shimps.de Tue Dec 17 17:00:42 2024
From: fg.gnupg at shimps.de (Frank Guthausen)
Date: Tue, 17 Dec 2024 17:00:42 +0100
Subject: External Debian apt repository
Message-ID: <20241217170042.742643b7@incubator.example.net>

Hello.

While Debian is shipping GnuPG 2.2 even in sid[1] and starting to play
with 2.4 in experimental[2], Ubuntu has been shipping the newer Version
even in 24.04 LTS noble[3]. However, I haven't dug into patching yet
and don't know what was changed and why they change things.

I set up a Debian apt repository on my domain[4] with a precompiled
version of upstream vanilla code. Usage requires a sources.list.d file
and a keyrings file. Both files are available via download from the
website.
The fingerprint of the signing key is

2BBD 6FF0 68FE F790 5A53 1348 ECB5 3FD1 8ACC CF7C

and the key was created today.

There are two packages available:

shimps-gnupg    - GnuPG 2.4.7 shipping the extracted tarball and
                  compiled binaries in /opt/shimps (126M)
shimps-gnupg-ng - GnuPG 2.5.2 shipping speedo compiled binaries only
                  in /opt/local/shimps (32M) including libraries

The dependencies and missing recommendations are far from optimal and
improvement is on the todo list, but I wanted to offer the repository
as a (pre-)christmas surprise. Please feel free to test and suggest
improvements.

Even in the file ``shimps.list'' there is an annoying string
``./vanilla'' instead of ``vanilla'' which I need to debug. Maybe a
trick in .htaccess to get rid of an error message.

[1] https://packages.debian.org/sid/gnupg
[2] https://packages.debian.org/experimental/gnupg
[3] https://packages.ubuntu.com/noble/gnupg
[4] https://software.shimps.net/

--
kind regards
Frank
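
Added example (not part of the message above and not code from the repository or its author): one way to check that a downloaded apt keyring file holds exactly the one signing key whose fingerprint is given in the message, before installing it. The sample colon listings are constructed for illustration, and the keyring file name is whatever you saved the download as; the only external command used is `gpg --show-keys --with-colons`.

```shell
#!/bin/sh
# Fingerprint as published in the message above (spaces are ignored).
EXPECTED_FPR="2BBD 6FF0 68FE F790 5A53 1348 ECB5 3FD1 8ACC CF7C"

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of
# each primary key: the first "fpr" record after a "pub" record, field 10.
# Subkey fingerprints (the "fpr" following a "sub") are skipped on purpose.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if the listing on stdin holds exactly one primary key and
# its fingerprint equals $1. A keyring with extra keys is rejected, since
# apt accepts signatures from any key contained in the keyring file.
listing_matches() {
    expected=$(normalize_fpr "$1")
    found=$(primary_fprs)
    [ -n "$found" ] || return 1
    count=$(printf '%s\n' "$found" | grep -c .)
    [ "$count" -eq 1 ] || return 1
    [ "$found" = "$expected" ]
}

# Inspect a keyring file on disk without importing it anywhere.
# Fails closed: if gpg is missing or the file is unreadable, the
# listing is empty and the check is rejected.
check_keyring_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$2"
}

# Constructed sample listings (not real gpg output for this key).
SAMPLE_OK='pub:-:255:22:ECB53FD18ACCCF7C:1734393600:::-:::scSC::::::ed25519:::0:
fpr:::::::::2BBD6FF068FEF7905A531348ECB53FD18ACCCF7C:
uid:-::::1734393600::0000000000000000000000000000000000000000::Example Repo Key <repo@example.invalid>::::::::::0:
sub:-:255:18:1111111111111111:1734393600::::::e::::::cv25519::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA11111111:'

# Same key plus an unexpected second primary key smuggled into the file.
SAMPLE_EXTRA="$SAMPLE_OK
pub:-:255:22:2222222222222222:1734393600:::-:::scSC::::::ed25519:::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:"

# A single key whose fingerprint differs from the published one.
SAMPLE_WRONG='pub:-:255:22:3333333333333333:1734393600:::-:::scSC::::::ed25519:::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:'

# Command-line use: sh check-keyring.sh /path/to/downloaded-keyring.gpg
if [ "$#" -eq 1 ]; then
    if check_keyring_file "$1" "$EXPECTED_FPR"; then
        echo "keyring OK: $1"
    else
        echo "keyring REJECTED: $1" >&2
        exit 1
    fi
fi
```

The check compares against a fingerprint taken from the mailing-list post, so it is only as trustworthy as the channel over which that post reached you.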