From wk at gnupg.org Fri Feb 2 10:02:57 2024
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Feb 2024 10:02:57 +0100
Subject: Trouble with GPG Cards for SSH when using FIDO2
In-Reply-To: <1683713947.70629.1706857473605@ox75.mailbox.org> (Philipp Schmidt's message of "Fri, 2 Feb 2024 08:04:33 +0100 (CET)")
References: <565947777.172595.1705307101462@ox91.mailbox.org> <87ttneoa5i.fsf@jacob.g10code.de> <1683713947.70629.1706857473605@ox75.mailbox.org>
Message-ID: <87v877dyri.fsf@jacob.g10code.de>

Hi!

I would suggest that you put

  debug ipc
  log-file /foo/bar/agent.log

into gpg-agent.conf and

  debug cardio
  log-file /foo/bar/scd.log

into scdaemon.conf and restart them all (gpgconf -K all). You may of
course also run watchgnupg to see a combined log but separate log files
are good enough.

The ssh handler has no dedicated debug statements and thus any debug
level is sufficient to see errors in the logs. If you don't see
anything in the logs you either need to use a socket proxy (somewhere in
the gnupg source is one) or add debug statements to command-ssh.c.

My guess is that the scdaemon log gives some hints.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From philipp at knutschmidt.de Fri Feb 2 08:04:33 2024
From: philipp at knutschmidt.de (Philipp Schmidt)
Date: Fri, 2 Feb 2024 08:04:33 +0100 (CET)
Subject: Trouble with GPG Cards for SSH when using FIDO2
In-Reply-To: <87ttneoa5i.fsf@jacob.g10code.de>
References: <565947777.172595.1705307101462@ox91.mailbox.org> <87ttneoa5i.fsf@jacob.g10code.de>
Message-ID: <1683713947.70629.1706857473605@ox75.mailbox.org>

Hello Werner,

thanks a lot for your reply and all the useful commands.
Please excuse the late reply, but this one is driving me crazy since I am not able to create a situation in which I can reliably reproduce the failure. I guess that is due to OS updates as well. Here are some of the edge cases:

- When I launch a bash right after startup `ssh-add -L` displays all the keys and they remain even after the usage of FIDO
- When I come back from lunch - waking up the box from logout - the keys are gone, even with the bash still open.
- In case the keys are gone, none of the scripts you provided change anything.

Maybe that is helpful here: The code from my `.bashrc`:

```
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
```

Adding `pscs-shared` completely breaks it, and it stops working.

I will further try to clearly reproduce it. Any hints are welcome.

THANKS FOR HELP!

Best
Philipp

> Werner Koch wrote on 15.01.2024 17:04 CET:
>
> On Mon, 15 Jan 2024 09:25, Philipp Schmidt said:
>
> > - Everything works fine until I use one of the keys for FIDO2
> > - Afterwards I cannot restore the service without a reboot
>
> Try to add
>
>   pscs-shared
>
> to scdaemon.conf and gpgconf -R scdaemon. Does this change anything?
> If not, add
>
>   log-file /foo/scd.log
>   debug ipc,reader,card
>
> to scdaemon.conf and check the log file or send it to me. Make sure
> that you did not enter the PIN as it would show up in the log. If this
> does not give any hints, adding "debug cardio" will give even more
> verbose output.
>
> Salam-Shalom,
>
>    Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

Philipp Schmidt (Diplom-Designer) | knutschmidt.de (http://knutschmidt.de) | philipp at knutschmidt.de | +49 176 23 43 27 79

From dp4dp7 at gmail.com Sat Feb 3 15:35:20 2024
From: dp4dp7 at gmail.com (witchy)
Date: Sat, 3 Feb 2024 23:35:20 +0900
Subject: Regarding the expiration of the signed data in npth-1.6.tar.bz2

Hi!

I am trying to install npth which is needed to build gpg.
I noticed that the npth signature data has expired.
Is it possible to have it signed again?

Sorry for my poor English, but I would appreciate it if you could check.
Thank you in advance for your cooperation.

From bwalzer at 59.ca Sat Feb 3 17:31:41 2024
From: bwalzer at 59.ca (Bruce Walzer)
Date: Sat, 3 Feb 2024 10:31:41 -0600
Subject: Regarding the expiration of the signed data in npth-1.6.tar.bz2

On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote:
[...]
> I noticed that the npth signature data has expired.

Why is anyone signing software with expiring keys anyway? I have
ranted against the practice of PGP key expiry in general[1] but this
seems particularly harmful. GnuPG contributes to this problem by
generating expiring keys by default.

[1] https://articles.59.ca/doku.php?id=pgpfan:expire

Bruce

From jb-gnumlists at wisemo.com Mon Feb 5 15:01:52 2024
From: jb-gnumlists at wisemo.com (Jakob Bohm)
Date: Mon, 5 Feb 2024 15:01:52 +0100
Subject: Regarding the expiration of the signed data in npth-1.6.tar.bz2
Message-ID: <256635c1-cf71-2da8-ac2f-a3a096a21e28@wisemo.com>

On 2024-02-03 17:31, Bruce Walzer wrote:
> On Sat, Feb 03, 2024 at 11:35:20PM +0900, witchy via Gnupg-users wrote:
> [...]
>> I noticed that the npth signature data has expired.
> Why is anyone signing software with expiring keys anyway? I have
> ranted against the practice of PGP key expiry in general[1] but this
> seems particularly harmful. GnuPG contributes to this problem by
> generating expiring keys by default.
>
> [1] https://articles.59.ca/doku.php?id=pgpfan:expire
>

Some software signing systems handle this by adding a trusted timestamp
signature telling signature checkers to check validity "as of" the
certified timestamp. This is particularly common for X.509 signature
systems where the certificates themselves expire every few years.

There is an RFC for how to do it and I have figured out how it is
actually done for proprietary Microsoft formats (it's only a few
deviations from the RFCs implemented by gpgsm).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

From bernhard at intevation.de Tue Feb 6 17:51:43 2024
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 6 Feb 2024 17:51:43 +0100
Subject: Regarding the expiration of the signed data in npth-1.6.tar.bz2
Message-ID: <202402061751.51426.bernhard@intevation.de>

Hi Witchy,

On Saturday 03 February 2024 15:35:20, witchy via Gnupg-users wrote:
> I am trying to install npth which is needed to build gpg.
> I noticed that the npth signature data has expired.

that is okay, if you downloaded stuff from
  https://www.gnupg.org/download/index.html
  nPth 1.6 2018-07-16 293k download download

LANG=C gpg --verify npth-1.6.tar.bz2.sig
gpg: assuming signed data in 'npth-1.6.tar.bz2'
gpg: Signature made Mon Jul 16 09:37:23 2018 CEST
gpg: using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [expired]
gpg: Note: This key has expired!

That message shows that the signature is fine at the time it was made
in principle.

You can additionally check the pubkey:

LANG=C gpg -kv "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
gpg: Note: signature key 249B39D24F25E3B6 expired Fri Dec 31 12:00:07 2021 CET
pub rsa2048/249B39D24F25E3B6 2011-01-12 [SC] [expired: 2021-12-31]
    D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
uid [ expired] Werner Koch (dist sig)
sub rsa2048/F58A5868AC87C71A 2011-01-12 [A] [expired: 2019-12-31]

That should be good enough.

> Is it possible to have it signed again?

At least if a new release is done, that release would be freshly signed.
So far I haven't seen renewed signatures from GnuPG devs, which makes it
unlikely they sign the nPth release from 2018 again.

Regards,
Bernhard

--
https://intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Osnabrück District Court, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter

From wk at gnupg.org Wed Feb 7 09:14:32 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 07 Feb 2024 09:14:32 +0100
Subject: Regarding the expiration of the signed data in npth-1.6.tar.bz2
In-Reply-To: <202402061751.51426.bernhard@intevation.de> (Bernhard Reiter via Gnupg-users's message of "Tue, 6 Feb 2024 17:51:43 +0100")
References: <202402061751.51426.bernhard@intevation.de>
Message-ID: <87il30d72v.fsf@jacob.g10code.de>

On Tue, 6 Feb 2024 17:51, Bernhard Reiter said:

> So far I haven't seen renewed signatures from GnuPG devs, which makes it
> unlikely they sign the nPth release from 2018 again.

Right, we will soon do a new release with some fixes for AIX and to
modernize the build system. In theory we could re-sign old stuff but
for most packages the latest releases are fresh enough.

Salam-Shalom,

   Werner

From guru at unixarea.de Fri Feb 9 15:36:02 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 9 Feb 2024 15:36:02 +0100
Subject: Second OpenPGP-card

I do use an OpenPGP-card, bought from Purism in one of my L5 mobiles
and I want to buy a second one for my other L5. I use two L5, one in
Europe, the other in Cuba with a Cuban SIM card. I could buy the 2nd
card at Purism too, but would have to pay $65 shipping fee for the $15 card.

So, can I buy this card here in Europe or even in Germany?

Next question: Can I transfer somehow the key from one card to the
other to use the same encrypted files foo.gpg from my password store:

purism at pureos:~$ find .password-store/ -type f | wc -l
373

If not, I could with a script decrypt all the files in this tree and
encrypt them again after setup the card. But, it would be better just
copy the files over by SCP, also when passwords get added or updated.

Thanks

   matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.

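What the script proposed in the message above has to do, as an added example (not code from the thread, from pass or from GnuPG): it must run on the phone that still holds the old card, because every entry is decrypted before it is encrypted again, here to the keys of both cards. The function name `reencrypt_store`, the `GPG` override variable and the key names are assumptions of this example, and the public key of the second card is assumed to be imported and trusted already.

```sh
#!/bin/sh
# Added example: re-encrypt a pass(1) store to a new recipient list.
# GPG is an override hook (assumption of this example); it defaults to gpg.
GPG=${GPG:-gpg}

# reencrypt_store STORE RECIPIENT...   (hypothetical helper, not part of pass)
# Run it where the OLD card is inserted: each entry is decrypted with the
# old key and encrypted again to every RECIPIENT (e.g. key A and key B).
# The body is a subshell, so its variables and exits stay local.
reencrypt_store() (
    store=$1
    shift
    [ -d "$store" ] || { echo "no such store: $store" >&2; exit 2; }
    [ "$#" -gt 0 ] || { echo "no recipients given" >&2; exit 2; }

    ids=$(printf '%s\n' "$@")        # one recipient per line, as in .gpg-id
    for r in "$@"; do                # A B  ->  --recipient A --recipient B
        set -- "$@" --recipient "$r"
        shift
    done

    work=$(mktemp -d) || exit 2
    # Entry names containing newlines are not supported by this list format.
    find "$store" -type f -name '*.gpg' > "$work/list"

    # Pass 1: write every new ciphertext beside the original, replace nothing.
    while IFS= read -r f; do
        # A pipeline reports only its last command's status, so the decrypt
        # status is saved to a file. Without this check a failed decrypt
        # (card missing, wrong key) would pass by encrypting empty input.
        if { "$GPG" --batch --quiet --decrypt "$f" </dev/null
             echo "$?" > "$work/rc"; } |
               "$GPG" --batch --yes --quiet --encrypt "$@" --output "$f.new" &&
           [ "$(cat "$work/rc")" = 0 ]
        then
            continue
        fi
        echo "re-encryption failed at $f, store left unchanged" >&2
        while IFS= read -r g; do rm -f "$g.new"; done < "$work/list"
        rm -rf "$work"
        exit 1
    done < "$work/list"

    # Pass 2: everything re-encrypted; swap files in and record recipients.
    while IFS= read -r f; do mv -f "$f.new" "$f"; done < "$work/list"
    printf '%s\n' "$ids" > "$store/.gpg-id"
    rm -rf "$work"
)
```

Once the store is encrypted to both keys it can be copied to the second phone and either card can decrypt it. `pass init` with both key IDs performs the same re-encryption through pass itself.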
From andrewg at andrewg.com Fri Feb 9 15:48:43 2024
From: andrewg at andrewg.com (andrewg)
Date: Fri, 09 Feb 2024 14:48:43 +0000
Subject: Second OpenPGP-card
Message-ID: <82d064f4e7153b622e25ce87f5072a26@andrewg.com>

On 2024-02-09 14:36, Matthias Apitz wrote:
>
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism at pureos:~$ find .password-store/ -type f | wc -l
> 373

No, the entire point of an openpgp card is that you can't copy the key
material off it (otherwise it would have no advantages over a thumb
drive).

I always recommend that people generate their key material on a
removable encrypted drive and then copy it onto the card, keeping a
backup copy on the encrypted drive. Otherwise you run the risk of data
loss when your card breaks or is lost.

> If not, I could with a script decrypt all the files in this tree and
> encrypt them again after setup the card. But, it would be better just
> copy the files over by SCP, also when passwords get added or updated.

It would depend on how `pass` works, whether there are any particular
parameters that need to be supplied with the encryption command.
Perhaps best to ask the `pass` maintainers about support for
re-encryption in general - the process shouldn't depend on whether or
not you're using a card.

A

From juergen at bruckner.email Fri Feb 9 18:22:16 2024
From: juergen at bruckner.email (Juergen BRUCKNER)
Date: Fri, 9 Feb 2024 18:22:16 +0100
Subject: Second OpenPGP-card

Hello Matthias,

On 09.02.24 at 15:36, Matthias Apitz wrote:
> So, can I buy this card here in Europe or even in Germany?

yes you can buy this Card also in Europe:
https://www.floss-shop.de
https://www.cryptoshop.com

or you can also buy a USB/NFC-Device at Nitrokey
https://nitrokey.com

I hope this helps.

Best regards
Juergen

--
/¯\   No  |
\ /  HTML | Juergen Bruckner
 X    in  | juergen at bruckner.email
/ \  Mail |

From mlist_e9e869bc at manycementmutable.anonaddy.com Sun Feb 11 02:05:52 2024
From: mlist_e9e869bc at manycementmutable.anonaddy.com (mlist_e9e869bc at manycementmutable.anonaddy.com)
Date: Sun, 11 Feb 2024 01:05:52 +0000
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?

Hello all,

I'm trying to import a key generated from GPG 2.4.4 to 2.2.27 but
unsuccessful.

Upon importing, it returns `gpg: no valid OpenPGP data found.`

I tried with compliance options but it does nothing.

Command I used:

- export: `gpg -a --export-secret-subkey | gpg -a -c --cipher-algo AES --force-mdc -o `
- import: `gpg --decrypt -o - keys.sec.asc | gpg --import -`

What else I can do? I can't update the GPG version because one of my
import device is an Android phone which stuck at 2.2.27 for quite a long
time.

Regards,
Hartman

From kloecker at kde.org Sun Feb 11 19:08:10 2024
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 11 Feb 2024 19:08:10 +0100
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?
Message-ID: <6021024.lOV4Wx5bFT@daneel>

On Sunday, 11 February 2024 02:05:52 CET mlist_e9e869bc--- via Gnupg-users wrote:
> I'm trying to import a key generated from GPG 2.4.4 to 2.2.27 but
> unsuccessful.
>
> Upon importing, it returns `gpg: no valid OpenPGP data found.`
>
> I tried with compliance options but it does nothing.
>
> Command I used:
>
> - export: `gpg -a --export-secret-subkey | gpg -a -c
> --cipher-algo AES --force-mdc -o `
> - import: `gpg --decrypt -o - keys.sec.asc | gpg --import -`
>
> What else I can do?
> I can't update the GPG version because one of my
> import device is an Android phone which stuck at 2.2.27 for quite a long
> time.

Are you sure that the problem isn't the decryption? I checked the code and
this error message is emitted by the armor/dearmor code. My guess is that the
decryption fails and therefore outputs nothing and importing nothing results
exactly in the above error message:
```
$ echo "" | gpg --import -
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

Regards,
Ingo

From mlist_e9e869bc at manycementmutable.anonaddy.com Sun Feb 11 21:28:28 2024
From: mlist_e9e869bc at manycementmutable.anonaddy.com (mlist_e9e869bc at manycementmutable.anonaddy.com)
Date: Sun, 11 Feb 2024 20:28:28 +0000
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?
In-Reply-To: <6021024.lOV4Wx5bFT@daneel>
References: <6021024.lOV4Wx5bFT@daneel>
Message-ID: <0baca38e714308e190e28a4547faa0d9@manycementmutable.anonaddy.com>

On 11/02/2024 18:09, Ingo Klöcker 'kloecker at kde.org' wrote:
> Are you sure that the problem isn't the decryption? I checked the code and
> this error message is emitted by the armor/dearmor code. My guess is that the
> decryption fails and therefore outputs nothing and importing nothing results
> exactly in the above error message:
> ```
> $ echo "" | gpg --import -
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> ```
>
> Regards,
> Ingo

Hello Ingo,

Thanks for the reply. It seems like the update I sent yesterday didn't
go out. Apologies for being a noob on mailing list.

The problem is in the certify signature. For some reason a certify
signature is done in Version 5, instead of Version 4 like other parts of
the key.
With that certify signature removed, I can import the secret
key to GPG 2.2.27 no problem.

Now the unrelated decryption. It actually decrypts nicely to an armoured
PGP private key block. However, it is just not importable even with GPG
2.4.4. I guess the data within is corrupted but no way to verify.

Regards,
Hartman

From wk at gnupg.org Tue Feb 13 10:56:37 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Feb 2024 10:56:37 +0100
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?
In-Reply-To: <0baca38e714308e190e28a4547faa0d9@manycementmutable.anonaddy.com> (mlist e9e869bc's message of "Sun, 11 Feb 2024 20:28:28 +0000")
References: <6021024.lOV4Wx5bFT@daneel> <0baca38e714308e190e28a4547faa0d9@manycementmutable.anonaddy.com>
Message-ID: <87cyt0bsbu.fsf@jacob.g10code.de>

On Sun, 11 Feb 2024 20:28, mlist_e9e869bc--- said:

> signature is done in Version 5, instead of Version 4 like other parts of
> the key. With that certify signature removed, I can import the secret
> key to GPG 2.2.27 no problem.

Can you please try to import that key (with the v5 key signature) using
a current 2.2. version (2.2.42)? Or you can send me the public key by
private mail so that I can check what's going on.

Salam-Shalom,

   Werner

From wk at gnupg.org Tue Feb 13 11:04:31 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 13 Feb 2024 11:04:31 +0100
Subject: Second OpenPGP-card
In-Reply-To: (Matthias Apitz's message of "Fri, 9 Feb 2024 15:36:02 +0100")
Message-ID: <875xysbryo.fsf@jacob.g10code.de>

On Fri, 9 Feb 2024 15:36, Matthias Apitz said:

> So, can I buy this card here in Europe or even in Germany?

floss-shop.de

> If not, I could with a script decrypt all the files in this tree and
> encrypt them again after setup the card. But, it would be better just
> copy the files over by SCP, also when passwords get added or updated.

Actually we have an open task for re-encryption:
https://dev.gnupg.org/T1825

For small messages this is easy but there is no easy solution for large
data. A detached encryption packet is a theoretical option.

Shalom-Salam,

   Werner

From klaus+gnupg at ethgen.ch Tue Feb 13 12:47:13 2024
From: klaus+gnupg at ethgen.ch (Klaus Ethgen)
Date: Tue, 13 Feb 2024 12:47:13 +0100
Subject: Second OpenPGP-card

Hi,

On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism at pureos:~$ find .password-store/ -type f | wc -l
> 373

Well, pass has its mechanism itself. Just reinit your store with both
keys and it should reencrypt them.

I did that in the past with subdirs (where you can have different keys).

Regards
   Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

From guru at unixarea.de Tue Feb 13 14:32:04 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 13 Feb 2024 14:32:04 +0100
Subject: Second OpenPGP-card
In-Reply-To: <875xysbryo.fsf@jacob.g10code.de>
References: <875xysbryo.fsf@jacob.g10code.de>

On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

I've contacted floss-shop.de. They can not provide (i.e. cut) the card
to Micro-SIM format. And I will not cut it itself because it must fit
exactly in the internal reader slot behind the battery, or it will not
come out anymore.

> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

The files of the password store are very small, normal two lines like

secret
Username: guru at unixarea.de

Is this code already available for testing?

Thanks

   matthias

From jb-gnumlists at wisemo.com Tue Feb 13 15:40:12 2024
From: jb-gnumlists at wisemo.com (Jakob Bohm)
Date: Tue, 13 Feb 2024 15:40:12 +0100
Subject: Second OpenPGP-card
References: <875xysbryo.fsf@jacob.g10code.de>

On 2024-02-13 14:32, Matthias Apitz wrote:
> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
>
>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>
>>> So, can I buy this card here in Europe or even in Germany?
>> floss-shop.de
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it itself because it must fit
> exactly in the internal reader slot behind the battery, or it will not
> come out anymore.

Because the GPG specific code installed on the card is FLOSS, you might
be able to buy blank cards in the desired form factor and install the
code yourself, provided the parts (code and card) can be legally
transported to Cuba despite US sanctions. In particular, the Card
Operating System or runtime may be of US origin and thus subject to
sanctions.

Enjoy

Jakob

From guru at unixarea.de Tue Feb 13 16:57:29 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 13 Feb 2024 16:57:29 +0100
Subject: Second OpenPGP-card
References: <875xysbryo.fsf@jacob.g10code.de>

On Tuesday, February 13, 2024 at 03:40:12 p.m. +0100, Jakob Bohm via Gnupg-users wrote:

> On 2024-02-13 14:32, Matthias Apitz wrote:
> > On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
> >
> > > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> > >
> > > > So, can I buy this card here in Europe or even in Germany?
> > > floss-shop.de
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it itself because it must fit
> > exactly in the internal reader slot behind the battery, or it will not
> > come out anymore.
> Because the GPG specific code installed on the card is FLOSS, you might be
> able to buy blank cards in the desired form factor and install the code
> yourself, provided the parts (code and card) can be legally transported to
> Cuba despite US sanctions. In particular, the Card Operating System or
> runtime may be of US origin and thus subject to sanctions.

I live in Europe and travel often to Cuba. Where could I get a blank
card MicroSIM, the code and a manual how to flash it into the card?

   matthias

From mlist_e9e869bc at manycementmutable.anonaddy.com Tue Feb 13 15:50:55 2024
From: mlist_e9e869bc at manycementmutable.anonaddy.com (mlist_e9e869bc at manycementmutable.anonaddy.com)
Date: Tue, 13 Feb 2024 14:50:55 +0000
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?
In-Reply-To: <87cyt0bsbu.fsf@jacob.g10code.de>
References: <6021024.lOV4Wx5bFT@daneel> <0baca38e714308e190e28a4547faa0d9@manycementmutable.anonaddy.com> <87cyt0bsbu.fsf@jacob.g10code.de>
Message-ID: <46a9095abe599fe7d69a1690d09f493d@manycementmutable.anonaddy.com>

On 13/02/2024 09:57, Werner Koch 'wk at gnupg.org' wrote:
> Can you please try to import that key (with the v5 key signature) using
> a current 2.2. version (2.2.42)? Or you can send me the public key by
> private mail so that I can check what's going on.
>
> Salam-Shalom,
>
> Werner
>

I couldn't find a distro with 2.2.42 so I have to compile it myself.
I'm using Docker with ubuntu:latest. In conclusion, the import failed.

```
$ gpg --version
gpg (GnuPG) 2.2.42
libgcrypt 1.9.4
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed

$ gpg --import PUBLIC_v5_certify.asc
gpg: packet(2) with unknown version 5
gpg: read_block: read error: Invalid packet
gpg: import from 'PUBLIC_v5_certify.asc' failed: Invalid keyring
gpg: Total number processed: 0
```

Is wk at gnupg.org the private email I can send the public key to you?
I'm willing to send you a copy to examine but not publicly as that's
(now I remember) a result of a dumb experiment.

Regards,
Hartman

From hfollmann at itcfollmann.com Tue Feb 13 15:57:17 2024
From: hfollmann at itcfollmann.com (Henning Follmann)
Date: Tue, 13 Feb 2024 09:57:17 -0500
Subject: Second OpenPGP-card
References: <875xysbryo.fsf@jacob.g10code.de>

On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:
>
> > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> >
> > > So, can I buy this card here in Europe or even in Germany?
> >
> > floss-shop.de
>
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it itself because it must fit
> exactly in the internal reader slot behind the battery, or it will not
> come out anymore.
>

I do not know who you talked to but they offer their cards with a
ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
corners with sandpaper.
That is the exact size you are looking for.

You also could buy a nitrokey starter. This is basically a smartcard
reader with a smartcard in a clam shell. You can just pry the shell open
and take the smartcard out. Their other keys are tamper proofed
(embedded in resin).
=H -- Henning Follmann | hfollmann at itcfollmann.com From guru at unixarea.de Tue Feb 13 17:32:42 2024 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 13 Feb 2024 17:32:42 +0100 Subject: Second OpenPGP-card In-Reply-To: References: <875xysbryo.fsf@jacob.g10code.de> Message-ID: El d?a martes, febrero 13, 2024 a las 09:57:17a. m. -0500, Henning Follmann escribi?: > On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote: > > El d?a martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribi?: > > > > > On Fri, 9 Feb 2024 15:36, Matthias Apitz said: > > > > > > > So, can I buy this card here in Europe or even in Germany? > > > > > > floss-shop.de > > > > I've contacted floss-shop.de. They can not provide (i.e. cut) the card > > to Micro-SIM format. And I will not cut it itself because it must fit > > exactly in the internal reader slot behint the battery, or it will not > > come out anyore. > > > I do not know who you talked to but they offer their cards with a > ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the > corners with sandpaper. > That is the exact size you are looking for. No. The card sizes are: Standard SIM: 15 x 25mm. Micro SIM: 12 x 15mm. Nano SIM: 8.8 x 12.3mm. We need here 'Microm SIM'. And I talked to the owner of floss-shop. They do not offer a way to pop out Micro SIM. matthias -- Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub I am not at war with Russia. ? ?? ???? ? ???????. Ich bin nicht im Krieg mit Russland. From dirkx at webweaving.org Tue Feb 13 17:42:39 2024 From: dirkx at webweaving.org (Dirk-Willem van Gulik) Date: Tue, 13 Feb 2024 17:42:39 +0100 Subject: Second OpenPGP-card In-Reply-To: References: <875xysbryo.fsf@jacob.g10code.de> Message-ID: <3026076D-9BCC-4B5D-B8A3-09AEBE6FB4BE@webweaving.org> > On 13 Feb 2024, at 17:32, Matthias Apitz wrote: > > El d?a martes, febrero 13, 2024 a las 09:57:17a. 
m. -0500, Henning Follmann escribi?: > >> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote: >>> El d?a martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribi?: >>> >>>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said: >>>> >>>>> So, can I buy this card here in Europe or even in Germany? >>>> >>>> floss-shop.de >>> >>> I've contacted floss-shop.de. They can not provide (i.e. cut) the card >>> to Micro-SIM format. And I will not cut it itself because it must fit >>> exactly in the internal reader slot behint the battery, or it will not >>> come out anyore. >>> >> I do not know who you talked to but they offer their cards with a >> ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the >> corners with sandpaper. >> That is the exact size you are looking for. > > No. The card sizes are: > > Standard SIM: 15 x 25mm. > Micro SIM: 12 x 15mm. > Nano SIM: 8.8 x 12.3mm. > > We need here 'Microm SIM'. And I talked to the owner of floss-shop. They > do not offer a way to pop out Micro SIM. In that case - you want this device: https://www.bol.com/nl/nl/p/mmobiel-universele-3-in-1-standaard-micro-sim-cutter-nano-sim-kaart-knipper-inclusief-3-sim-adapters-1-sim-pin/9200000067066058/ https://www.amazon.com/2024-Card-Cutter-Standard-Micro/dp/B0CJGVX82H And you do not need to cut 'that' accurate at all (in fact - cutting it with a scalpel or simply use sharp scirros an take care not to bend the chip bit - is very doable). Dw. -------------- next part -------------- An HTML attachment was scrubbed... URL: From guru at unixarea.de Tue Feb 13 23:04:00 2024 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 13 Feb 2024 17:04:00 -0500 Subject: Second OpenPGP-card In-Reply-To: References: Message-ID: El d?a martes, febrero 13, 2024 a las 12:47:13 +0100, Klaus Ethgen escribi?: > Hi, > > Am Fr den 9. 
Feb 2024 at 15:36, Matthias Apitz wrote:
> > Next question: Can I transfer somehow the key from one card to the
> > other to use the same encrypted files foo.gpg from my password store:
> >
> > purism at pureos:~$ find .password-store/ -type f | wc -l
> > 373
>
> Well, pass has its mechanism itself. Just reinit your store with both
> keys and it should reencrypt them.
>
> I did that in the past with subdirs (where you can have different keys).

Hi Klaus,

I do not fully understand the procedure. Actually the .password-store/
is encrypted with the gpg-key-A on the phone L5, number 1. When I now
create on the phone number 2 with the other OpenPGP card a gpg-key-B,
and transfer the .password-store/ by SCP to this phone number 2, and run
there:

pass init gpg-key-B

How 'pass' (i.e. gnupg) can decrypt the files of the .password-store/
without having access to the OpenPGP card in phone 1 to re-encrypt them
with gpg-key-B?

Could you or someone please be so kind and clarify this?

Thanks in advance.

matthias

--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From bernhard at intevation.de Wed Feb 14 11:24:27 2024
From: bernhard at intevation.de (Bernhard Reiter)
Date: Wed, 14 Feb 2024 11:24:27 +0100
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?
In-Reply-To: <46a9095abe599fe7d69a1690d09f493d@manycementmutable.anonaddy.com>
References: <87cyt0bsbu.fsf@jacob.g10code.de> <46a9095abe599fe7d69a1690d09f493d@manycementmutable.anonaddy.com>
Message-ID: <202402141124.28045.bernhard@intevation.de>

On Tuesday 13 February 2024 15:50:55, mlist_e9e869bc--- via Gnupg-users wrote:
> Is wk at gnupg.org the private email I can send the public key to you?

Yes, that is one of Werner's pubkeys.
The following will get his pubkey by WKD on the command line:
gpg --locate-keys --auto-key-locate clear,nodefault,wkd wk at gnupg.org

> I'm willing to send you a copy to examine but not publicly as that's
> (now I remember) a result of a dumb experiment.

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

From wk at gnupg.org Thu Feb 15 10:45:53 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 15 Feb 2024 10:45:53 +0100
Subject: Incompatible secret key format between 2.4.4 and 2.2.27?
In-Reply-To: <202402141124.28045.bernhard@intevation.de> (Bernhard Reiter via Gnupg-users's message of "Wed, 14 Feb 2024 11:24:27 +0100")
References: <87cyt0bsbu.fsf@jacob.g10code.de> <46a9095abe599fe7d69a1690d09f493d@manycementmutable.anonaddy.com> <202402141124.28045.bernhard@intevation.de>
Message-ID: <87mss283hq.fsf@jacob.g10code.de>

On Wed, 14 Feb 2024 11:24, Bernhard Reiter said:

> The following will get his pubkey by WKD on the command line:
> gpg --locate-keys --auto-key-locate clear,nodefault,wkd wk at gnupg.org

FWIW,

  gpg --locate-external-key wk at gnupg.org

is much easier than the above long list of options.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From bernhard at intevation.de Thu Feb 15 11:48:14 2024
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 15 Feb 2024 11:48:14 +0100
Subject: How to get a pubkey with WKD (Re: Incompatible secret key format between 2.4.4 and 2.2.27?)
In-Reply-To: <87mss283hq.fsf@jacob.g10code.de>
References: <202402141124.28045.bernhard@intevation.de> <87mss283hq.fsf@jacob.g10code.de>
Message-ID: <202402151148.20943.bernhard@intevation.de>

On Thursday 15 February 2024 10:45:53, Werner Koch wrote:
> > The following will get his pubkey by WKD on the command line:
> > gpg --locate-keys --auto-key-locate clear,nodefault,wkd wk at gnupg.org
>
> FWIW,
>
>   gpg --locate-external-key wk at gnupg.org
>
> is much easier than the above long list of options.

FWIW
But it does not get the current version of the pubkey in some circumstances.
And the long version works in a few more elder GnuPG versions. ;)

Bernhard

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter

From wk at gnupg.org Thu Feb 15 15:35:11 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 15 Feb 2024 15:35:11 +0100
Subject: How to get a pubkey with WKD (Re: Incompatible secret key format between 2.4.4 and 2.2.27?)
In-Reply-To: <202402151148.20943.bernhard@intevation.de> (Bernhard Reiter via Gnupg-users's message of "Thu, 15 Feb 2024 11:48:14 +0100")
References: <202402141124.28045.bernhard@intevation.de> <87mss283hq.fsf@jacob.g10code.de> <202402151148.20943.bernhard@intevation.de>
Message-ID: <87eddd94o0.fsf@jacob.g10code.de>

On Thu, 15 Feb 2024 11:48, Bernhard Reiter said:

> But it does not get the current version of the pubkey in some circumstances.

Example? I am not aware of it.

> And the long version works in a few more elder GnuPG versions. ;)

Since 2.2.17 from summer 2019 - 5 years passed since then with a couple
of CVEs.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A.
Einstein

From wk at gnupg.org Thu Feb 15 15:49:31 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 15 Feb 2024 15:49:31 +0100
Subject: Second OpenPGP-card
In-Reply-To: (Matthias Apitz's message of "Tue, 13 Feb 2024 17:32:42 +0100")
References: <875xysbryo.fsf@jacob.g10code.de>
Message-ID: <87a5o19404.fsf@jacob.g10code.de>

On Tue, 13 Feb 2024 17:32, Matthias Apitz said:

> We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

I simply use scissors to cut them out and those cards work. Granted I
don't use the Librem regularly (if at all), but the card was not that of
a problem. Well, I had plenty of old cards to try ;-)

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From juergen at bruckner.email Thu Feb 15 18:42:00 2024
From: juergen at bruckner.email (Juergen BRUCKNER)
Date: Thu, 15 Feb 2024 18:42:00 +0100
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de>
Message-ID: <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>

Hello Matthias,

On 13.02.24 at 17:32, Matthias Apitz wrote:
> We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

I don't know exactly how the situation about this is in Germany. But
here in Austria many mobile phone shops have a SIM card punch with which
you can punch out a micro-SIM or nano-SIM from a standard-SIM.
Maybe this helps

regards
Juergen

--
/¯\   No  |
\ /  HTML | Juergen Bruckner
 X    in  | juergen at bruckner.email
/ \  Mail |

From philipp at knutschmidt.de Fri Feb 16 10:16:40 2024
From: philipp at knutschmidt.de (Philipp Schmidt)
Date: Fri, 16 Feb 2024 10:16:40 +0100 (CET)
Subject: Trouble with GPG Cards for SSH when using FIDO2
In-Reply-To: <87v877dyri.fsf@jacob.g10code.de>
References: <565947777.172595.1705307101462@ox91.mailbox.org> <87ttneoa5i.fsf@jacob.g10code.de> <1683713947.70629.1706857473605@ox75.mailbox.org> <87v877dyri.fsf@jacob.g10code.de>
Message-ID: <1140028491.247773.1708075000242@ox77.mailbox.org>

Hello Werner,

thanks again for your Help!

I found some errors in the logs of `~/.gnupg/gpg-agend.log` which you can find in the attachments.

By accident I stumbled over a solution which maybe give some idea what might go wrong, but which is weird in nature as well:

Running `gpgconf -K all` and `systemctl restart pcscd` doesn't change anything immediately - but after a while (minutes I guess) `ssh-add -L` then yields the keys. When that has happened I can even remove / add one/both of my keys and everything is updated accordingly.

The confusing part is that it takes time until it works again, so maybe that Information can nail down the issue a little?

Best and thanks for Help,
Philipp

> On 02.02.2024 10:02 CET, Werner Koch wrote:
>
>
> Hi!
>
> I would suggest that you put
>
> debug ipc
> log-file /foo/bar/agent.log
>
> into gpg-agent.conf and
>
> debug cardio
> log-file /foo/bar/scd.log
>
> into scdaemon.conf and restart them all (gpgconf -K all). You may of
> course also run watchgnupg to see a combined log but separate log files
> are good enough. The ssh handler has no dedicated debug statements and
> thus any debug level is sufficient to see errors in the logs.
If you
> don't see anything in the logs you either need to use a socket proxy
> (somewhere in the gnupg source is one) or add debug statements to
> command-ssh.c. My guess is that the scdaemon log gives some hints.
>
>
> Shalom-Salam,
>
> Werner
>
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

Philipp Schmidt (Diplom-Designer) | knutschmidt.de (http://knutschmidt.de) | philipp at knutschmidt.de | +49 176 23 43 27 79

From soyeomul at doraji.xyz Sat Feb 17 06:52:17 2024
From: soyeomul at doraji.xyz (Byunghee HWANG)
Date: Sat, 17 Feb 2024 14:52:17 +0900
Subject: private-key backup
Message-ID:

Hello, this is my first time greeting you.

I'm using GnuPG under Gnome desktop in Debian Sid.

I have a question. Where is the safest place to store the private-key?
Are there any best practices for this?

Thanks in advance!

Sincerely, Byunghee from South Korea

From fa-ml at ariis.it Sat Feb 17 10:13:22 2024
From: fa-ml at ariis.it (Francesco Ariis)
Date: Sat, 17 Feb 2024 10:13:22 +0100
Subject: private-key backup
In-Reply-To:
References:
Message-ID:

Hello Byunghee,

On 17 February 2024 at 14:52, Byunghee HWANG wrote:
> I have a question. Where is the safest place to store the private-key?
> Are there any best practices for this?

Do you mean backups?
If so, having at least two backup copies of your private key is good
practice:
- A copy on mass storage.
- A copy printed on paper (ASCII armoured) [1]

Those two copies should be stored in different places to minimise risks.
I would also copy/print your revocation certificate.
Does this help?
-F

[1] I actually did this by hand and if you have one of the modern
    `ed25519` keys it does not even take that long.
    http://www.ariis.it/static/articles/handwritten-pgp-key/page.html

From jb-gnumlists at wisemo.com Sat Feb 17 12:04:35 2024
From: jb-gnumlists at wisemo.com (Jakob Bohm)
Date: Sat, 17 Feb 2024 12:04:35 +0100
Subject: Second OpenPGP-card
In-Reply-To: <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>
References: <875xysbryo.fsf@jacob.g10code.de> <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>
Message-ID:

On 2024-02-15 18:42, Juergen BRUCKNER via Gnupg-users wrote:
> Hello Matthias,
>
> On 13.02.24 at 17:32, Matthias Apitz wrote:
>> We need here 'Micro SIM'. And I talked to the owner of floss-shop. They
>> do not offer a way to pop out Micro SIM.
>
> I don't know exactly how the situation about this is in Germany. But
> here in Austria many mobile phone shops have a SIM card punch with
> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>
In some other countries, the mobile providers issue SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

From juergen at bruckner.email Sat Feb 17 12:37:43 2024
From: juergen at bruckner.email (Juergen BRUCKNER)
Date: Sat, 17 Feb 2024 12:37:43 +0100
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de> <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>
Message-ID:

Hello Jakob,

On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
[...]
>> I don't know exactly how the situation about this is in Germany. But
>> here in Austria many mobile phone shops have a SIM card punch with
>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>
> In some other countries, the mobile providers issue SIMs that are
> pre-punched to pop out either of the 3 small sim sizes from a full
> credit-card sized card where key information like the PUK code and
> serial number are printed.
>
> More generally, there is no guarantee that hardware cards not sold
> through mobile phone carriers keep the actual chip/electronics within
> the nano-sim area near the middle of the contacts, most notably, NFC
> compatible cards will often have the NFC antenna outside that area,
> and it's a matter of luck if the contact card functionality works
> after cutting on any given hardware model.
>

We are not talking about 'normal SIM cards' for use by mobile telephony
but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This
also doesn't have NFC functionality, so it can be punched fairly safely.
You just have to do it right

best regards
Juergen

[1] https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.4

--
/¯\   No  |
\ /  HTML | Juergen Bruckner
 X    in  | juergen at bruckner.email
/ \  Mail |

From soyeomul at doraji.xyz Sat Feb 17 11:59:45 2024
From: soyeomul at doraji.xyz (Byunghee HWANG)
Date: Sat, 17 Feb 2024 19:59:45 +0900
Subject: private-key backup
In-Reply-To:
References:
Message-ID:

Hello Francesco,

On Sat, 2024-02-17 at 10:13 +0100, Francesco Ariis wrote:
> Hello Byunghee,
>
> On 17 February 2024 at 14:52, Byunghee HWANG wrote:
> > I have a question. Where is the safest place to store the private-
> > key?
> > Are there any best practices for this?
>
> Do you mean backups?
> If so, having at least two backup copies of your private key is good
> practice:
> - A copy on mass storage.
> - A copy printed on paper (ASCII armoured) [1]
>
> Those two copies should be stored in different places to minimise
> risks.

Oh.. Good guidance, thanks!

> I would also copy/print your revocation certificate.
> Does this help?

Yes, rev-key thanks!

> [1] I actually did this by hand and if you have one of the modern
>     `ed25519` keys it does not even take that long.
>     http://www.ariis.it/static/articles/handwritten-pgp-key/page.html

I'm reading now it is so professional writing I think. And I'm old guy so it takes time to learn new thing (ed25519). Someday far later, I would be consideration about ed25519.

Have a good day ^^^ (?????)

Thanks, Byunghee from South Korea

From leocoogan at mailfence.com Sun Feb 18 18:13:15 2024
From: leocoogan at mailfence.com (Leo Coogan)
Date: Sun, 18 Feb 2024 12:13:15 -0500
Subject: [SOLVED] gpg: signing failed: Bad secret key
In-Reply-To: <87ttn2iqf4.fsf@jacob.g10code.de>
References: <87le8jlpj0.fsf@jacob.g10code.de> <920c23fa-9bcf-41a1-82c8-307aa2bf81dd@mailfence.com> <87bk9dlset.fsf@jacob.g10code.de> <8b415759-9933-4176-8c29-070765848e83@mailfence.com> <87ttn2iqf4.fsf@jacob.g10code.de>
Message-ID: <3cc18840-b017-403f-985b-b9094bf866cd@mailfence.com>

I solved my issue so I'm posting this for the benefit of users who might
have the same issue. I solved my issue by generating a new key pair
because there seemed to be no way to work around the incompatibility
that caused the key to not be able to sign on my NixOS machine. I'm not
sure what caused this, but it's solved now.

On 1/24/24 12:37, Werner Koch wrote:
> On Tue, 23 Jan 2024 12:38, Leo Coogan said:
>
>> sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
>>       C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
>>       Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
> You don't have a signing key. The primary key has been taken offline
> ('#') and can thus not be used for signing.
>
>> ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
>>       143454E3276F11C51D01B35363D14EA6FDB00D9F
>>       Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
> The subkey is not capable of signing (by usage flags and algorithm).
>
> Did you have another signing subkey and that one expired?
> Add
>
>   --list-options show-unusable-subkeys
>
> to the listing command to check.
>
>
> Salam-Shalom,
>
>    Werner
>

From jb-gnumlists at wisemo.com Tue Feb 20 17:20:38 2024
From: jb-gnumlists at wisemo.com (Jakob Bohm)
Date: Tue, 20 Feb 2024 17:20:38 +0100
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de> <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>
Message-ID:

On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:
> Hello Jakob,
>
> On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
> [...]
>>> I don't know exactly how the situation about this is in Germany. But
>>> here in Austria many mobile phone shops have a SIM card punch with
>>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>>
>> In some other countries, the mobile providers issue SIMs that are
>> pre-punched to pop out either of the 3 small sim sizes from a full
>> credit-card sized card where key information like the PUK code and
>> serial number are printed.
>>
>> More generally, there is no guarantee that hardware cards not sold
>> through mobile phone carriers keep the actual chip/electronics within
>> the nano-sim area near the middle of the contacts, most notably, NFC
>> compatible cards will often have the NFC antenna outside that area,
>> and it's a matter of luck if the contact card functionality works
>> after cutting on any given hardware model.
>>
>
> We are not talking about 'normal SIM cards' for use by mobile
> telephony but rather about the OpenPGP Smart Card V3.4 in SIM format
> [1]. This also doesn't have NFC functionality, so it can be punched
> fairly safely. You just have to do it right
>
Exactly, and there is no easy way of knowing if the cards used by
floss-shop have chip parts outside the nano-sim boundary, which is
smaller than the contact area on ID000 cards (seriously possible),
nor if those cards are internally multi-chip constructs (rare but
possible).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.
Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

From juergen at bruckner.email Tue Feb 20 18:03:00 2024
From: juergen at bruckner.email (Juergen BRUCKNER)
Date: Tue, 20 Feb 2024 18:03:00 +0100
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de> <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>
Message-ID:

On 20.02.24 at 17:20, Jakob Bohm via Gnupg-users wrote:
> On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:
>> Hello Jakob,
>>
>> On 17.02.24 at 12:04, Jakob Bohm via Gnupg-users wrote:
>> [...]
>>>> I don't know exactly how the situation about this is in Germany. But
>>>> here in Austria many mobile phone shops have a SIM card punch with
>>>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>>>
>>> In some other countries, the mobile providers issue SIMs that are
>>> pre-punched to pop out either of the 3 small sim sizes from a full
>>> credit-card sized card where key information like the PUK code and
>>> serial number are printed.
>>>
>>> More generally, there is no guarantee that hardware cards not sold
>>> through mobile phone carriers keep the actual chip/electronics within
>>> the nano-sim area near the middle of the contacts, most notably, NFC
>>> compatible cards will often have the NFC antenna outside that area,
>>> and it's a matter of luck if the contact card functionality works
>>> after cutting on any given hardware model.
>>>
>>
>> We are not talking about 'normal SIM cards' for use by mobile
>> telephony but rather about the OpenPGP Smart Card V3.4 in SIM format
>> [1]. This also doesn't have NFC functionality, so it can be punched
>> fairly safely.
You just have to do it right
>>
> Exactly, and there is no easy way of knowing if the cards used by
> floss-shop have chip parts outside the nano-sim boundary, which is
> smaller than the contact area on ID000 cards (seriously possible),
> nor if those cards are internally multi-chip constructs (rare but
> possible).
>

That's true! Point for you ;)

regards
Juergen

--
/¯\   No  |
\ /  HTML | Juergen Bruckner
 X    in  | juergen at bruckner.email
/ \  Mail |

From philip.colmer at linaro.org Wed Feb 21 10:56:38 2024
From: philip.colmer at linaro.org (Philip Colmer)
Date: Wed, 21 Feb 2024 09:56:38 +0000
Subject: Trying to get PKA working
Message-ID:

Hello all

I'm using gpg 2.2.19:

$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ubuntu/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I've followed the instructions I found at
https://gushi.org/make-dns-cert/HOWTO.html to publish a public key via
a TXT record in DNS but, when I get to the testing step of:

echo "foo" | gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt
--armor --auto-key-locate pka -r you at you.com

(where you at you.com is the address to be tested)

then I get:

error retrieving '' via PKA: No name

I've tried testing it against the author's details (danm at
prime.gushi.org) but I get the same "No name" error.
There wasn't a configuration file in place for gpg so I created one
with just this entry:

auto-key-locate pka

Should there be other entries in that file? Is that why I'm getting
the "No name error"?

Thank you.

Regards

Philip

From wk at gnupg.org Wed Feb 21 12:39:36 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Feb 2024 12:39:36 +0100
Subject: Trying to get PKA working
In-Reply-To: (Philip Colmer via Gnupg-users's message of "Wed, 21 Feb 2024 09:56:38 +0000")
References:
Message-ID: <87o7ca3v2f.fsf@jacob.g10code.de>

Hi!

Please don't use PKA. Any remaining support will be removed anyway.
The Web Key Directory is a far better and easier way to get
certificates. In fact it is enabled by default and used transparently
in Kleopatra and with the Windows GpgOL plugin. Other Unix mailers
might also have support for it.

  https://wiki.gnupg.org/WKD

But take care; this is a wiki and information may be a bit confusing.
For example I would suggest to use the gpg-wks-client command
--install-key or even --mirror to prepare a local copy of the WKD and
then sync this to the server. This way you don't need to install the
web Key Server stuff etc.

Testing is a mere

  gpg --locate-external-key -v foo at example.org

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From philip.colmer at linaro.org Wed Feb 21 16:52:19 2024
From: philip.colmer at linaro.org (Philip Colmer)
Date: Wed, 21 Feb 2024 15:52:19 +0000
Subject: Trying to get PKA working
In-Reply-To: <87o7ca3v2f.fsf@jacob.g10code.de>
References: <87o7ca3v2f.fsf@jacob.g10code.de>
Message-ID:

Thank you, Werner, for your helpful reply.

One thing I would like to check. You said that gpg
--locate-external-key -v foo at example.org can be used to test this, and
that works.
The wiki (https://wiki.gnupg.org/WKDHosting) says to use
gpg --homedir "$(mktemp -d)" --verbose --locate-keys
your.email at example.org ... and this doesn't work.

Should I be concerned? Do I need to change something for the latter
example to work? Or is that deprecated now and your example is the
valid one?

Regards

Philip

On Wed, 21 Feb 2024 at 11:39, Werner Koch wrote:
>
> Hi!
>
> Please don't use PKA. Any remaining support will be removed anyway.
> The Web Key Directory is a far better and easier way to get
> certificates. In fact it is enabled by default and used transparently
> in Kleopatra and with the Windows GpgOL plugin. Other Unix mailers
> might also have support for it.
>
> https://wiki.gnupg.org/WKD
>
> But take care; this is a wiki and information may be a bit confusing.
> For example I would suggest to use the gpg-wks-client command
> --install-key or even --mirror to prepare a local copy of the WKD and
> then sync this to the server. This way you don't need to install the
> web Key Server stuff etc.
>
> Testing is a mere
>
> gpg --locate-external-key -v foo at example.org
>
>
>
> Salam-Shalom,
>
> Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

From wk at gnupg.org Wed Feb 21 17:16:57 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 21 Feb 2024 17:16:57 +0100
Subject: Hints on how to check for a WKD key (was: Trying to get PKA working)
In-Reply-To: (Philip Colmer via Gnupg-users's message of "Wed, 21 Feb 2024 15:52:19 +0000")
References: <87o7ca3v2f.fsf@jacob.g10code.de>
Message-ID: <875xyh4wsm.fsf_-_@jacob.g10code.de>

On Wed, 21 Feb 2024 15:52, Philip Colmer said:

> that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use
> gpg --homedir "$(mktemp -d)" --verbose --locate-keys
> your.email at example.org ... and this doesn't work.

It's a wiki and ppl change it at will and worse nobody checks and updates
it.
The above seems to be an old idea to make sure that the key does
not yet exist. In contrast to --locate-key --locate-external-key loads
the key from external resources even if it already exists. Thus this is
a refresh key function. Some folks don't like to clutter their keyring
with more keys and thus use a temporary GNUPGHOME directory
(i.e. --homedir).

For me the above works:

  $ gpg --homedir "$(mktemp -d)" --verbose --locate-keys wk at gnupg.org
  [...]
  gpg: pub ed25519/63113AE866587D0A 2018-09-28 wk at gnupg.org
  gpg: key 63113AE866587D0A: public key "wk at gnupg.org" imported
  gpg: no running gpg-agent - starting '/usr/local/bin/gpg-agent'
  gpg: waiting for the agent to come up ... (5s)
  gpg: connection to the agent established
  gpg: Total number processed: 1
  gpg: imported: 1
  gpg: auto-key-locate found fingerprint AEA84EDCF01AD86C4701C85C63113AE866587D0A
  gpg: automatically retrieved 'wk at gnupg.org' via WKD
  pub ed25519 2018-09-28 [SC] [expires: 2027-01-31]
      AEA84EDCF01AD86C4701C85C63113AE866587D0A
  uid [ unknown] wk at gnupg.org
  sub cv25519 2018-09-28 [E] [expired: 2022-01-31]
  sub ed25519 2020-08-04 [S]
  sub brainpoolP384r1 2021-06-28 [E] [expires: 2027-01-10]

Another way to test is

  $ gpg-wks-client check -v wk at gnupg.org
  gpg-wks-client: public key for 'wk at gnupg.org' found via WKD
  gpg-wks-client: fingerprint: AEA84EDCF01AD86C4701C85C63113AE866587D0A
  gpg-wks-client: user-id: wk at gnupg.org
  gpg-wks-client: created: Mon 01 Oct 2018 05:39:07 PM CEST
  gpg-wks-client: addr-spec: wk at gnupg.org

This is development version, you need to use the classical thing though:

  $ gpg-wks-client --check -v wk at gnupg.org

If you add --debug=ipc you can actually see what has been requested from
the server. Without any option you just get a return status for
scripting.

Now someone(tm) should update the wiki.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A.
Einstein

From vuori at notcom.org Thu Feb 22 04:48:30 2024
From: vuori at notcom.org (Valtteri Vuorikoski)
Date: Thu, 22 Feb 2024 12:48:30 +0900
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de> <07a8400c-118e-4b3b-8887-de8cca48b507@bruckner.email>
Message-ID:

Some Javacards are available in at least larger SIM form factors. IIRC
the NXP J3H145 was available SIM-cut from Smartcard Focus at some point,
but it has been a while since I ordered one.

If it's an option for you to install an OpenPGP applet such as SmartPGP
(https://github.com/github-af/SmartPGP) on such card, Javacards might be
an easier avenue than cutting the official card. I have a couple of NXP
cards and SmartPGP appeared to work fine when I tried it, but I mostly
use them with a PIV applet so not sure about the state of functionality
with current (2.4-era) GnuPG versions.

-Valtteri

From bernhard at intevation.de Thu Feb 22 15:37:14 2024
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 22 Feb 2024 15:37:14 +0100
Subject: How to get a pubkey with WKD
In-Reply-To: <87eddd94o0.fsf@jacob.g10code.de>
References: <202402151148.20943.bernhard@intevation.de> <87eddd94o0.fsf@jacob.g10code.de>
Message-ID: <202402221537.24378.bernhard@intevation.de>

On Thursday 15 February 2024 15:35:11, Werner Koch via Gnupg-users wrote:
> On Thu, 15 Feb 2024 11:48, Bernhard Reiter said:
> > But it does not get the current version of the pubkey in some
> > circumstances.
>
> Example? I am not aware of it.

Testing with 2.4.4 and 2.2.34
gpg --locate-external-keys bernhard at intevation.de
got me my pubkey in all cases.

So you are correct, it works for those versions.

For Debian GNU/Linux oldstable, it still is 2.2.27, though
and 2.2.19 for Ubuntu GNU/Linux 20.04LTS.
--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter

From bernhard at intevation.de Thu Feb 22 15:45:55 2024
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 22 Feb 2024 15:45:55 +0100
Subject: Hints on how to check for a WKD key (was: Trying to get PKA working)
In-Reply-To: <875xyh4wsm.fsf_-_@jacob.g10code.de>
References: <875xyh4wsm.fsf_-_@jacob.g10code.de>
Message-ID: <202402221545.56361.bernhard@intevation.de>

On Wednesday 21 February 2024 17:16:57, Werner Koch via Gnupg-users wrote:
> On Wed, 21 Feb 2024 15:52, Philip Colmer said:
> > that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use
> > gpg --homedir "$(mktemp -d)" --verbose --locate-keys
> > your.email at example.org ... and this doesn't work.
>
> It's a wiki and ppl change it at will and worse nobody checks and updates
> it.

*cough* I do check and update it on a few places, but not everywhere. (And help is always appreciated.)

The above example as it is in the wiki still works as a test with 2.2.40. And it is indicated as test. Note that for the test somebody is not really importing the pubkey.

What did not work?

> $ gpg-wks-client --check -v wk at gnupg.org
>
> If you add --debug=ipc you can actually see what has been requested from
> the server. Without any option you just get a return status for
> scripting.

I've added the second test method as well.

--
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter
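To judge what `--debug=ipc` shows "has been requested from the server", it helps to know which URLs a WKD client is expected to ask for. The following Python is an added example, not code from this thread or from GnuPG; it goes beyond the messages above by computing the lookup URLs (advanced and direct method) as laid out in the published Web Key Directory draft. The function names are made up here and the address is the sample address used in that draft.

```python
"""Compute the Web Key Directory (WKD) lookup URLs for a mail address."""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, as used by WKD for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes 5 bits at a time, most significant bit first."""
    bits = len(data) * 8
    number = int.from_bytes(data, "big")
    pad = (-bits) % 5              # zero-pad the tail to a multiple of 5 bits
    number <<= pad
    bits += pad
    return "".join(ZBASE32[(number >> shift) & 31]
                   for shift in range(bits - 5, -1, -5))


def split_addr(addr: str):
    """Split an addr-spec at the last '@'; the domain is lowercased."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {addr!r}")
    if any(ch in domain for ch in "/?#:@ \t"):
        raise ValueError(f"suspicious domain part: {domain!r}")
    return local, domain.lower()


def wkd_hash(local: str) -> str:
    """SHA-1 of the local part (ASCII letters lowercased), z-base-32 encoded."""
    lowered = "".join(ch.lower() if ch.isascii() else ch for ch in local)
    return zbase32(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(addr: str) -> dict:
    """Return the URLs a client tries: advanced method first, then direct."""
    local, domain = split_addr(addr)
    hashed = wkd_hash(local)
    # The ?l= parameter carries the local part as written, percent-encoded.
    query = quote(local, safe="")
    return {
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{hashed}?l={query}"),
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={query}",
    }


def classify_request(addr: str, url: str):
    """Say which WKD method a logged URL belongs to, or None if neither."""
    for method, expected in wkd_urls(addr).items():
        if url == expected:
            return method
    return None


if __name__ == "__main__":
    # Sample address from the WKD draft, not a real mailbox.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method:9} {url}")
```

A URL in the debug output that matches neither form for the address under test points at a client or configuration problem rather than at the server.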
From wk at gnupg.org Thu Feb 22 16:43:20 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 22 Feb 2024 16:43:20 +0100
Subject: How to get a pubkey with WKD
In-Reply-To: <202402221537.24378.bernhard@intevation.de> (Bernhard Reiter via Gnupg-users's message of "Thu, 22 Feb 2024 15:37:14 +0100")
References: <202402151148.20943.bernhard@intevation.de> <87eddd94o0.fsf@jacob.g10code.de> <202402221537.24378.bernhard@intevation.de>
Message-ID: <87wmqw33on.fsf@jacob.g10code.de>

On Thu, 22 Feb 2024 15:37, Bernhard Reiter said:

> For Debian GNU/Linux oldstable, it still is 2.2.27, though
> and 2.2.19 for Ubuntu GNU/Linux 20.04LTS.

--locate-external-keys was introduced with 2.2.17.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From mwrochna at gmail.com Fri Feb 23 22:59:57 2024
From: mwrochna at gmail.com (Marcin Wrochna)
Date: Fri, 23 Feb 2024 22:59:57 +0100
Subject: symmetric passphrase with remote (extra, restricted) gpg-agent
Message-ID:

Hi!

I'm using gpg remotely over ssh by forwarding my local agent-extra-socket as my remote's regular agent-socket. I use it with a (local) nitrokey mostly without problems for signing: on the remote I can use `gpg --sign`, it asks for the PIN with a GUI pinentry popping up on my local desktop and even uses it with the local nitrokey card.

However, I cannot make `gpg --symmetric` encryption work on the remote, as it tells me getting a passphrase is "Forbidden". Is it possible at all? I can't find any documentation about what is actually 'restricted' by the restricted mode of the extra socket.
Or must I use two agents (one forwarded, one local to the remote), and if so, is there any guide as to how to do that? I don't care much about passphrase cache, I just want to encrypt a file by entering a passphrase with whatever pinentry.

Thanks for any pointers,
Marcin

--- Logs -----
Local gpg version: 2.4.3, Remote gpg version: 2.2.27

Remote output:
```
$ gpg -vvv --symmetric tmp.txt
gpg: using character set 'utf-8'
gpg: connection to agent is in restricted mode
gpg: problem with the agent: Forbidden
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'tmp.txt' failed: Operation cancelled
```

Local gpg-agent logs when trying from remote:
```
2024-02-23 22:11:07 gpg-agent[132208]DBG: chan_10 -> OK Pleased to meet you, process 132243
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> ERR 67109115 Forbidden
<- GETINFO restricted
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> ERR 67109115 Forbidden
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
S2K calibration: 44149760 -> 101ms
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- SE3EC318CC514D3C1 X X Enter+passphrase%0A
command 'GET_PASSPHRASE' failed: Forbidden
-> ERR 67109115 Forbidden
<- [eof]
```

Local gpg-agent logs when doing gpg --symmetric locally:
```
2024-02-23 22:44:48 gpg-agent[132208] DBG: chan_10 -> OK Pleased to meet you, process 134008
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> OK
<- OPTION ttytype=xterm-256color
-> OK
<- OPTION display=:0
-> OK
<- OPTION xauthority=/run/user/1000/xauth_hZahio
-> OK
<- OPTION putenv=XMODIFIERS=@im=none
-> OK
<- OPTION putenv=WAYLAND_DISPLAY=wayland-0
-> OK
<- OPTION putenv=XDG_SESSION_TYPE=wayland
-> OK
<- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
-> OK
<- OPTION lc-ctype=en_US.UTF-8
-> OK
<- OPTION lc-messages=en_US.UTF-8
-> OK
<- GETINFO version
-> D 2.4.3
-> OK
<- OPTION allow-pinentry-notify
-> OK
<- OPTION agent-awareness=2.1.0
-> OK
<- GETINFO s2k_count
-> D 44149760
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE repeat
-> OK
<- GETINFO cmd_has_option GET_PASSPHRASE newsymkey
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- S545B95646F9BD365 X X Enter+passphrase%0A
agent_get_cache 'S545B95646F9BD365'.0 (mode 3) ...
... miss
starting a new PIN Entry
connection to PIN entry established
-> INQUIRE PINENTRY_LAUNCHED 134010 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
starting a new PIN Entry
connection to PIN entry established
-> INQUIRE PINENTRY_LAUNCHED 134027 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
agent_put_cache 'S545B95646F9BD365'.0 (mode 3) requested ttl=0
-> [[Confidential data not shown]]
-> OK
<- [eof]
```

From guru at unixarea.de Mon Feb 26 13:17:08 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Mon, 26 Feb 2024 13:17:08 +0100
Subject: Second OpenPGP-card
In-Reply-To: <875xysbryo.fsf@jacob.g10code.de>
References: <875xysbryo.fsf@jacob.g10code.de>
Message-ID:

On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

Only for the record: Meanwhile I bought the 2nd OpenPGP card in the Purism shop because floss-shop.de can't cut out the Micro-SIM size.

> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

I have here an example file of an entry 'test' in my .password-storage:

purism at pureos:~$ pass test
┌──────────────────────────────────────────────┐
│ Please unlock the card                       │
│                                              │
│ Number: 0005 0000A6FE                        │
│ Holder: Matthias Apitz                       │
│                                              │
│ PIN ________________________________________ │
│                                              │
│                                              │
└──────────────────────────────────────────────┘
secret

purism at pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .

purism at pureos:~$ gpg -da .password-store/test.gpg
┌──────────────────────────────────────────────┐
│ Please unlock the card                       │
│                                              │
│ Number: 0005 0000A6FE                        │
│ Holder: Matthias Apitz                       │
│                                              │
│ PIN ________________________________________ │
│                                              │
│                                              │
└──────────────────────────────────────────────┘
gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
      "Matthias Apitz (GnuPG CCID L5) "
secret

Said/showed that, I can't imagine that, when I SCP the file .password-store/test.gpg to another mobile with another OpenPGP card, that this system would be able to decrypt the file and reencrypt it again with the new card.

	matthias

--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From wk at gnupg.org Mon Feb 26 15:13:50 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Feb 2024 15:13:50 +0100
Subject: symmetric passphrase with remote (extra, restricted) gpg-agent
In-Reply-To: (Marcin Wrochna via Gnupg-users's message of "Fri, 23 Feb 2024 22:59:57 +0100")
References:
Message-ID: <87y1b71ffl.fsf@jacob.g10code.de>

Hi again!

you may want to try the attached patch. It is against the current 2.4 head but should apply also to somewhat older versions. If this solves your problem, it can go into 2.4.5 soon.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-agent-Allow-GET_PASSPHRASE-in-restricted-mode.patch
Type: text/x-diff
Size: 1986 bytes
Desc: not available
URL:

From wk at gnupg.org Mon Feb 26 16:18:24 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Feb 2024 16:18:24 +0100
Subject: symmetric passphrase with remote (extra, restricted) gpg-agent
In-Reply-To: (Marcin Wrochna via Gnupg-users's message of "Fri, 23 Feb 2024 22:59:57 +0100")
References:
Message-ID: <87r0gz1cfz.fsf@jacob.g10code.de>

On Fri, 23 Feb 2024 22:59, Marcin Wrochna said:

> However, I cannot make `gpg --symmetric` encryption work on the remote,
> as it tells me getting a passphrase is "Forbidden".

Right. It does not sound like a good idea to give the server access to your local password store (in gpg-agent). This way the server might get access to any password stored in the cache.

You need to look at the code in gnupg/agent/commands.c - search for the function cmd_get_passphrase. The first statement there is

  if (ctrl->restricted)
    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));

The function (test with gpg-connect-agent and "help get_passphrase") has an option --no-ask which only returns a value from the cache or errors out. What we might do is another option (e.g. --only-query) to only popup the pinentry and return the value. Maybe this can be the default for a restricted connection.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
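The restricted-mode refusals discussed in this thread appear in the agent's `debug ipc` log as `ERR 67109115 Forbidden`. As an added example (not code from the thread or from GnuPG), this Python script pairs each client request in such a log with the agent's answer, decodes the numeric error and lists only the command names that were refused, so no prompt text or other arguments are copied out of the log. The function names are made up here, the two sample logs are shortened copies of the logs posted earlier in the thread, and the source/code split of the error number is libgpg-error's layout, which the thread does not spell out.

```python
"""List what a restricted gpg-agent connection refused, from a debug-ipc log."""
import re

# libgpg-error layout: error source in bits 24..30, error code in the low 16 bits.
SOURCE_SHIFT, SOURCE_MASK, CODE_MASK = 24, 0x7F, 0xFFFF
SOURCE_NAMES = {4: "gpg-agent", 5: "pinentry", 6: "scdaemon"}

# An Assuan line is "<- ..." or "-> ..." at line start or right after "chan_N ".
# Agent diagnostics such as "S2K calibration: 44149760 -> 101ms" do not match.
LINE = re.compile(r"^(?:.*?\bchan_\d+ )?(<-|->) (.*)$")

RESTRICTED_LOG = """\
2024-02-23 22:11:07 gpg-agent[132208]DBG: chan_10 -> OK Pleased to meet you, process 132243
<- RESET
-> OK
<- OPTION ttyname=/dev/pts/7
-> ERR 67109115 Forbidden
<- GETINFO restricted
-> OK
<- OPTION allow-pinentry-notify
-> ERR 67109115 Forbidden
<- GETINFO s2k_count
S2K calibration: 44149760 -> 101ms
-> D 44149760
-> OK
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- SE3EC318CC514D3C1 X X Enter+passphrase%0A
command 'GET_PASSPHRASE' failed: Forbidden
-> ERR 67109115 Forbidden
<- [eof]
"""

LOCAL_LOG = """\
<- GET_PASSPHRASE --data --repeat=1 --check --newsymkey -- S545B95646F9BD365 X X Enter+passphrase%0A
-> INQUIRE PINENTRY_LAUNCHED 134010 qt 1.2.1 /dev/pts/7 xterm-256color :0 20620/1000/5 1000/1000 0
<- END
-> [[Confidential data not shown]]
-> OK
<- [eof]
"""


def decode_err(value: int):
    """Split a gpg-error number into (source, code)."""
    return (value >> SOURCE_SHIFT) & SOURCE_MASK, value & CODE_MASK


def request_key(request: str) -> str:
    """Reduce a request to its name so arguments never leave the log."""
    verb, _, rest = request.partition(" ")
    if verb == "OPTION":
        return "OPTION " + rest.split("=", 1)[0].strip()
    if verb == "GETINFO":
        return "GETINFO " + rest.split(" ", 1)[0]
    return verb


def summarize(log_text: str) -> dict:
    """Pair requests with OK/ERR answers; report refusals and restricted mode."""
    result = {"restricted": False, "refused": [], "accepted": []}
    pending = None       # request still waiting for its OK or ERR
    inquiring = False    # True between "-> INQUIRE" and the client's "<- END"
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue
        direction, payload = match.groups()
        if direction == "<-":            # received by the agent
            if inquiring:
                inquiring = payload != "END"
            elif payload != "[eof]":
                pending = request_key(payload)
            continue
        verb, _, rest = payload.partition(" ")
        if verb == "INQUIRE":
            inquiring = True
        elif verb == "OK" and pending is not None:
            if pending == "GETINFO restricted":
                result["restricted"] = True   # OK here means: restricted mode
            result["accepted"].append(pending)
            pending = None
        elif verb == "ERR" and pending is not None:
            number, _, text = rest.partition(" ")
            source, code = decode_err(int(number)) if number.isdigit() else (None, None)
            result["refused"].append({
                "command": pending, "source": source, "code": code,
                "source_name": SOURCE_NAMES.get(source, "unknown"), "text": text,
            })
            pending = None
    return result


if __name__ == "__main__":
    report = summarize(RESTRICTED_LOG)
    print("restricted connection:", report["restricted"])
    for item in report["refused"]:
        print(f"refused {item['command']}: {item['text']} "
              f"(source {item['source']} {item['source_name']}, code {item['code']})")
```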

From wk at gnupg.org Mon Feb 26 17:06:27 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Feb 2024 17:06:27 +0100
Subject: symmetric passphrase with remote (extra, restricted) gpg-agent
In-Reply-To: <87r0gz1cfz.fsf@jacob.g10code.de> (Werner Koch via Gnupg-users's message of "Mon, 26 Feb 2024 16:18:24 +0100")
References: <87r0gz1cfz.fsf@jacob.g10code.de>
Message-ID: <87msrn1a7w.fsf@jacob.g10code.de>

Hi!

sorry, for the wrong order of the messages, I simply forgot to send them yesterday.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From jcb62281 at gmail.com Tue Feb 27 01:40:26 2024
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Mon, 26 Feb 2024 18:40:26 -0600
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de>
Message-ID: <65DD2F7A.8070609@gmail.com>

Matthias Apitz wrote:
> [...]
> Said/showed that, I can't imagine that, when I SCP the file
> .password-store/test.gpg to another mobile with another OpenPGP card,
> that this system would be able to decrypt the file and reencrypt it
> again with the new card.

Correct. You must first copy the *new* public key to the *old* system and re-encrypt the password store to *both* public keys on the *old* system, then transfer the encrypted blobs to the new system. If you want to continue to use both cards, you will also need to copy the *old* public key to the *new* system and arrange for it to also encrypt the password store to *both* keys. Once that is done, you may use any method to synchronize the encrypted blobs between the systems and you will have your passwords on both systems.

While you are here, this is a good time to remind you to regularly check the list of public keys used with your password store. If Mallory can sneak *his* key onto that list, he will be able to get your passwords!

-- Jacob

From guru at unixarea.de Tue Feb 27 10:07:20 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 27 Feb 2024 10:07:20 +0100
Subject: Second OpenPGP-card
In-Reply-To: <65DD2F7A.8070609@gmail.com>
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com>
Message-ID:

On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > [...]
> > Said/showed that, I can't imagine that, when I SCP the file
> > .password-store/test.gpg to another mobile with another OpenPGP card,
> > that this system would be able to decrypt the file and reencrypt it
> > again with the new card.
>
> Correct. You must first copy the *new* public key to the *old* system and
> re-encrypt the password store to *both* public keys on the *old* system,
> then transfer the encrypted blobs to the new system.
> ...

Thanks for the clarification and clear instruction.

> While you are here, this is a good time to remind you to regularly check the
> list of public keys used with your password store. If Mallory can sneak
> *his* key onto that list, he will be able to get your passwords!

It says:

purism at pureos:~$ gpg --list-keys
/home/purism/.gnupg/pubring.kbx
-------------------------------
pub rsa2048 2021-10-30 [SC]
336EB96892FE9FE7F6...................
uid [ultimate] Matthias Apitz (GnuPG CCID L5)
sub rsa2048 2021-10-30 [A]
sub rsa2048 2021-10-30 [E]

What makes me wonder is the last modification date of the file:

purism at pureos:~$ ls -l /home/purism/.gnupg/pubring.kbx
-rw------- 1 purism purism 172324 feb 1 11:13 /home/purism/.gnupg/pubring.kbx

I've never done anything with this and expected it also at date 2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

	matthias

--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From wk at gnupg.org Tue Feb 27 10:55:04 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 27 Feb 2024 10:55:04 +0100
Subject: Second OpenPGP-card
In-Reply-To: (Matthias Apitz's message of "Tue, 27 Feb 2024 10:07:20 +0100")
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com>
Message-ID: <877ciq1bbb.fsf@jacob.g10code.de>

On Tue, 27 Feb 2024 10:07, Matthias Apitz said:

> I've never done anything with this and expected it also at date
> 2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

The pubring.kbx is used for various things. For example we also store "ephemeral keys" for X.509 (those we receive via mail) which are not used due to an incomplete chain. There is a cleanup process running every few hours to remove them.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From jcb62281 at gmail.com Wed Feb 28 03:52:55 2024
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Tue, 27 Feb 2024 20:52:55 -0600
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com>
Message-ID: <65DEA007.4090905@gmail.com>

Matthias Apitz wrote:
> On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:
>
>
>> Matthias Apitz wrote:
>>
>>> [...]
>>> Said/showed that, I can't imagine that, when I SCP the file
>>> .password-store/test.gpg to another mobile with another OpenPGP card,
>>> that this system would be able to decrypt the file and reencrypt it
>>> again with the new card.
>>>
>> Correct. You must first copy the *new* public key to the *old* system and
>> re-encrypt the password store to *both* public keys on the *old* system,
>> then transfer the encrypted blobs to the new system.
>> ...
>>
>
> Thanks for the clarification and clear instruction.
>

You are welcome.

>> While you are here, this is a good time to remind you to regularly check the
>> list of public keys used with your password store. If Mallory can sneak
>> *his* key onto that list, he will be able to get your passwords!
>>
>
> It says:
>
> purism at pureos:~$ gpg --list-keys
> /home/purism/.gnupg/pubring.kbx
> -------------------------------
> pub rsa2048 2021-10-30 [SC]
> 336EB96892FE9FE7F6...................
> uid [ultimate] Matthias Apitz (GnuPG CCID L5)
> sub rsa2048 2021-10-30 [A]
> sub rsa2048 2021-10-30 [E]
>
> [...]

Are you sure that *that* is the list of public keys used by pass(1)? It almost certainly is not, since GPG's public key collection is meant to collect keys for a variety of uses. For example, sending encrypted emails or verifying signatures. You probably do not want your password store encrypted to everyone you correspond with!

Therefore, pass(1) almost certainly has its own list of keys stored somewhere else. Your regular public key was probably copied to that list when you initialized the password store. That is the list that you need to regularly check, lest Mallory be able to sneak his key onto it. That list is *also* where you need to add your new public key in order to migrate your password store.

Lastly, I know that you are using a smartcard, but you are storing long-lived (and presumably valuable) authentication tokens here. Does the card support RSA4096 or at least RSA3072? If so, I would strongly recommend migrating to longer keys, as RSA2048 is currently the shortest not probably already broken by increasing conventional computing power to throw at factoring.

If I understand correctly, this is the reason that DSA is obsolete: DSA (to support smartcard implementations) specifies exactly one allowed key length: 1024 bits. While DSA uses discrete logarithms, the discrete logarithm and factoring problems have a mathematical equivalence that means a factoring algorithm can be used to derive a solution to the discrete logarithm problem and /vice versa/. Accordingly, RSA1024 is now considered sufficiently dubious that some implementations no longer support it, such as the go-crypto/openpgp library used by the newer "hockeypuck" keyserver software, which led to an interesting recent thread on gnupg-devel and a bunch of old keys effectively falling out of the Web of Trust.

-- Jacob

From guru at unixarea.de Wed Feb 28 07:21:31 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 28 Feb 2024 07:21:31 +0100
Subject: Second OpenPGP-card
In-Reply-To: <65DEA007.4090905@gmail.com>
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com>
Message-ID:

On Tuesday, February 27, 2024 at 08:52:55 -0600, Jacob Bachmeyer via Gnupg-users wrote:

> > It says:
> >
> > purism at pureos:~$ gpg --list-keys
> > /home/purism/.gnupg/pubring.kbx
> > -------------------------------
> > pub rsa2048 2021-10-30 [SC]
> > 336EB96892FE9FE7F6...................
> > uid [ultimate] Matthias Apitz (GnuPG CCID L5)
> > sub rsa2048 2021-10-30 [A]
> > sub rsa2048 2021-10-30 [E]
> >
> > [...]
>
> Are you sure that *that* is the list of public keys used by pass(1)? It
> almost certainly is not, since GPG's public key collection is meant to
> collect keys for a variety of uses. For example, sending encrypted emails
> or verifying signatures. You probably do not want your password store
> encrypted to everyone you correspond with!
>
> Therefore, pass(1) almost certainly has its own list of keys stored
> somewhere else.
> Your regular public key was probably copied to that list
> when you initialized the password store. That is the list that you need to
> regularly check, lest Mallory be able to sneak his key onto it. That list
> is *also* where you need to add your new public key in order to migrate your
> password store.
>
> ...

It must be *that* list pass(1) is using, because:

purism at pureos:~$ ls -ld .gnu*
drwx------ 5 purism purism 4096 Feb 28 05:59 .gnupg

purism at pureos:~$ env | grep GNU
GNUPGHOME=/home/purism/.gnupg

purism at pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .

purism at pureos:~$ gpg -da .password-store/test.gpg
(it asks for the card's PIN on the L5 display desktop)
gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
      "Matthias Apitz (GnuPG CCID L5) "
secret

purism at pureos:~$ cat .password-store/.gpg-id
CCID L5

I'm attaching the shell script /usr/bin/pass; the code for the "init" command of pass(1) starts at line 300 and I don't see that any other key is used than the one in GNUPGHOME. If I understand this correctly if any other public key would be added to the file /home/purism/.gnupg/pubring.kbx, pass(1) would only use the key "CCID L5" to encrypt any new object stored in ~/.password-store and not the public key of Mallory. Am I wrong?

I will consider your hints about RSA4096 when initializing the new second card. Thanks for them.

	matthias

--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
-------------- next part --------------
#!/usr/bin/env bash

# Copyright (C) 2012 - 2018 Jason A. Donenfeld . All Rights Reserved.
# This file is licensed under the GPLv2+. Please see COPYING for more information.

umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail

GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
which gpg2 &>/dev/null && GPG="gpg2"
[[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )

PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
EXTENSIONS="${PASSWORD_STORE_EXTENSIONS_DIR:-$PREFIX/.extensions}"
X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}"
CLIP_TIME="${PASSWORD_STORE_CLIP_TIME:-45}"
GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}"
CHARACTER_SET="${PASSWORD_STORE_CHARACTER_SET:-[:graph:]}"
CHARACTER_SET_NO_SYMBOLS="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}"

export GIT_CEILING_DIRECTORIES="$PREFIX/.."

#
# BEGIN helper functions
#

set_git() {
	INNER_GIT_DIR="${1%/*}"
	while [[ ! -d $INNER_GIT_DIR && ${INNER_GIT_DIR%/*}/ == "${PREFIX%/}/"* ]]; do
		INNER_GIT_DIR="${INNER_GIT_DIR%/*}"
	done
	[[ $(git -C "$INNER_GIT_DIR" rev-parse --is-inside-work-tree 2>/dev/null) == true ]] || INNER_GIT_DIR=""
}
git_add_file() {
	[[ -n $INNER_GIT_DIR ]] || return
	git -C "$INNER_GIT_DIR" add "$1" || return
	[[ -n $(git -C "$INNER_GIT_DIR" status --porcelain "$1") ]] || return
	git_commit "$2"
}
git_commit() {
	local sign=""
	[[ -n $INNER_GIT_DIR ]] || return
	[[ $(git -C "$INNER_GIT_DIR" config --bool --get pass.signcommits) == "true" ]] && sign="-S"
	git -C "$INNER_GIT_DIR" commit $sign -m "$1"
}
yesno() {
	[[ -t 0 ]] || return 0
	local response
	read -r -p "$1 [y/N] " response
	[[ $response == [yY] ]] || exit 1
}
die() {
	echo "$@" >&2
	exit 1
}
verify_file() {
	[[ -n $PASSWORD_STORE_SIGNING_KEY ]] || return 0
	[[ -f $1.sig ]] || die "Signature for $1 does not exist."
	local fingerprints="$($GPG $PASSWORD_STORE_GPG_OPTS --verify --status-fd=1 "$1.sig" "$1" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG \([A-F0-9]\{40\}\) .* \([A-F0-9]\{40\}\)$/\1\n\2/p')"
	local fingerprint found=0
	for fingerprint in $PASSWORD_STORE_SIGNING_KEY; do
		[[ $fingerprint =~ ^[A-F0-9]{40}$ ]] || continue
		[[ $fingerprints == *$fingerprint* ]] && { found=1; break; }
	done
	[[ $found -eq 1 ]] || die "Signature for $1 is invalid."
}
set_gpg_recipients() {
	GPG_RECIPIENT_ARGS=( )
	GPG_RECIPIENTS=( )

	if [[ -n $PASSWORD_STORE_KEY ]]; then
		for gpg_id in $PASSWORD_STORE_KEY; do
			GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
			GPG_RECIPIENTS+=( "$gpg_id" )
		done
		return
	fi

	local current="$PREFIX/$1"
	while [[ $current != "$PREFIX" && ! -f $current/.gpg-id ]]; do
		current="${current%/*}"
	done
	current="$current/.gpg-id"

	if [[ ! -f $current ]]; then
		cat >&2 <<-_EOF
		Error: You must run:
		    $PROGRAM init your-gpg-id
		before you may use the password store.

		_EOF
		cmd_usage
		exit 1
	fi

	verify_file "$current"

	local gpg_id
	while read -r gpg_id; do
		GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
		GPG_RECIPIENTS+=( "$gpg_id" )
	done < "$current"
}

reencrypt_path() {
	local prev_gpg_recipients="" gpg_keys="" current_keys="" index passfile
	local groups="$($GPG $PASSWORD_STORE_GPG_OPTS --list-config --with-colons | grep "^cfg:group:.*")"
	while read -r -d "" passfile; do
		local passfile_dir="${passfile%/*}"
		passfile_dir="${passfile_dir#$PREFIX}"
		passfile_dir="${passfile_dir#/}"
		local passfile_display="${passfile#$PREFIX/}"
		passfile_display="${passfile_display%.gpg}"
		local passfile_temp="${passfile}.tmp.${RANDOM}.${RANDOM}.${RANDOM}.${RANDOM}.--"

		set_gpg_recipients "$passfile_dir"
		if [[ $prev_gpg_recipients != "${GPG_RECIPIENTS[*]}" ]]; then
			for index in "${!GPG_RECIPIENTS[@]}"; do
				local group="$(sed -n "s/^cfg:group:$(sed 's/[\/&]/\\&/g' <<<"${GPG_RECIPIENTS[$index]}"):\\(.*\\)\$/\\1/p" <<<"$groups" | head -n 1)"
				[[ -z $group ]] && continue
				IFS=";" eval 'GPG_RECIPIENTS+=( $group )' # http://unix.stackexchange.com/a/92190
				unset "GPG_RECIPIENTS[$index]"
			done
			gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/^sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
		fi
		current_keys="$(LC_ALL=C $GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | sed -n 's/^gpg: public key is \([A-F0-9]\+\)$/\1/p' | LC_ALL=C sort -u)"

		if [[ $gpg_keys != "$current_keys" ]]; then
			echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }"
			$GPG -d "${GPG_OPTS[@]}" "$passfile" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile_temp" "${GPG_OPTS[@]}" &&
			mv "$passfile_temp" "$passfile" || rm -f "$passfile_temp"
		fi
		prev_gpg_recipients="${GPG_RECIPIENTS[*]}"
	done < <(find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0)
}
check_sneaky_paths() {
	local path
	for path in "$@"; do
		[[ $path =~ /\.\.$ || $path =~ ^\.\./ || $path =~ /\.\./ || $path =~ ^\.\.$ ]] && die "Error: You've attempted to pass a sneaky path to pass. Go home."
	done
}

#
# END helper functions
#

#
# BEGIN platform definable
#

clip() {
	# This base64 business is because bash cannot store binary data in a shell
	# variable. Specifically, it cannot store nulls nor (non-trivally) store
	# trailing new lines.
	local sleep_argv0="password store sleep on display $DISPLAY"
	pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
	local before="$(xclip -o -selection "$X_SELECTION" 2>/dev/null | $BASE64)"
	echo -n "$1" | xclip -selection "$X_SELECTION" || die "Error: Could not copy data to the clipboard"
	(
		( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep '$CLIP_TIME' & wait" )
		local now="$(xclip -o -selection "$X_SELECTION" | $BASE64)"
		[[ $now != $(echo -n "$1" | $BASE64) ]] && before="$now"

		# It might be nice to programatically check to see if klipper exists,
		# as well as checking for other common clipboard managers. But for now,
		# this works fine -- if qdbus isn't there or if klipper isn't running,
		# this essentially becomes a no-op.
		#
		# Clipboard managers frequently write their history out in plaintext,
		# so we axe it here:
		qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory &>/dev/null

		echo "$before" | $BASE64 -d | xclip -selection "$X_SELECTION"
	) >/dev/null 2>&1 & disown
	echo "Copied $2 to clipboard. Will clear in $CLIP_TIME seconds."
}

qrcode() {
	if [[ -n $DISPLAY || -n $WAYLAND_DISPLAY ]]; then
		if type feh >/dev/null 2>&1; then
			echo -n "$1" | qrencode --size 10 -o - | feh -x --title "pass: $2" -g +200+200 -
			return
		elif type gm >/dev/null 2>&1; then
			echo -n "$1" | qrencode --size 10 -o - | gm display -title "pass: $2" -geometry +200+200 -
			return
		elif type display >/dev/null 2>&1; then
			echo -n "$1" | qrencode --size 10 -o - | display -title "pass: $2" -geometry +200+200 -
			return
		fi
	fi
	echo -n "$1" | qrencode -t utf8
}

tmpdir() {
	[[ -n $SECURE_TMPDIR ]] && return
	local warn=1
	[[ $1 == "nowarn" ]] && warn=0
	local template="$PROGRAM.XXXXXXXXXXXXX"
	if [[ -d /dev/shm && -w /dev/shm && -x /dev/shm ]]; then
		SECURE_TMPDIR="$(mktemp -d "/dev/shm/$template")"
		remove_tmpfile() {
			rm -rf "$SECURE_TMPDIR"
		}
		trap remove_tmpfile EXIT
	else
		[[ $warn -eq 1 ]] && yesno "$(cat <<-_EOF
		Your system does not have /dev/shm, which means that it may
		be difficult to entirely erase the temporary non-encrypted
		password file after editing.

		Are you sure you would like to continue?
		_EOF
		)"
		SECURE_TMPDIR="$(mktemp -d "${TMPDIR:-/tmp}/$template")"
		shred_tmpfile() {
			find "$SECURE_TMPDIR" -type f -exec $SHRED {} +
			rm -rf "$SECURE_TMPDIR"
		}
		trap shred_tmpfile EXIT
	fi
}

GETOPT="getopt"
SHRED="shred -f -z"
BASE64="base64"

#
# END platform definable
#

#
# BEGIN subcommand functions
#

cmd_version() {
	cat <<-_EOF
	============================================
	= pass: the standard unix password manager =
	=                                          =
	=                  v1.7.3                  =
	=                                          =
	=             Jason A. Donenfeld           =
	=             Jason at zx2c4.com            =
	=                                          =
	=      http://www.passwordstore.org/       =
	============================================
	_EOF
}

cmd_usage() {
	cmd_version
	echo
	cat <<-_EOF
	Usage:
	    $PROGRAM init [--path=subfolder,-p subfolder] gpg-id...
	        Initialize new password storage and use gpg-id for encryption.
	        Selectively reencrypt existing passwords using new gpg-id.
	    $PROGRAM [ls] [subfolder]
	        List passwords.
	    $PROGRAM find pass-names...
	        List passwords that match pass-names.
	    $PROGRAM [show] [--clip[=line-number],-c[line-number]] pass-name
	        Show existing password and optionally put it on the clipboard.
	        If put on the clipboard, it will be cleared in $CLIP_TIME seconds.
	    $PROGRAM grep [GREPOPTIONS] search-string
	        Search for password files containing search-string when decrypted.
	    $PROGRAM insert [--echo,-e | --multiline,-m] [--force,-f] pass-name
	        Insert new password. Optionally, echo the password back to the console
	        during entry. Or, optionally, the entry may be multiline. Prompt before
	        overwriting existing password unless forced.
	    $PROGRAM edit pass-name
	        Insert a new password or edit an existing password using ${EDITOR:-editor}.
	    $PROGRAM generate [--no-symbols,-n] [--clip,-c] [--in-place,-i | --force,-f] pass-name [pass-length]
	        Generate a new password of pass-length (or $GENERATED_LENGTH if unspecified) with optionally no symbols.
	        Optionally put it on the clipboard and clear board after $CLIP_TIME seconds.
	        Prompt before overwriting existing password unless forced.
	        Optionally replace only the first line of an existing file with a new password.
	    $PROGRAM rm [--recursive,-r] [--force,-f] pass-name
	        Remove existing password or directory, optionally forcefully.
	    $PROGRAM mv [--force,-f] old-path new-path
	        Renames or moves old-path to new-path, optionally forcefully, selectively reencrypting.
	    $PROGRAM cp [--force,-f] old-path new-path
	        Copies old-path to new-path, optionally forcefully, selectively reencrypting.
	    $PROGRAM git git-command-args...
	        If the password store is a git repository, execute a git command
	        specified by git-command-args.
	    $PROGRAM help
	        Show this text.
	    $PROGRAM version
	        Show version information.

	More information may be found in the pass(1) man page.
	_EOF
}

cmd_init() {
	local opts id_path=""
	opts="$($GETOPT -o p: -l path: -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-p|--path) id_path="$2"; shift 2 ;;
		--) shift; break ;;
	esac done

	[[ $err -ne 0 || $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [--path=subfolder,-p subfolder] gpg-id..."
	[[ -n $id_path ]] && check_sneaky_paths "$id_path"
	[[ -n $id_path && ! -d $PREFIX/$id_path && -e $PREFIX/$id_path ]] && die "Error: $PREFIX/$id_path exists but is not a directory."

	local gpg_id="$PREFIX/$id_path/.gpg-id"
	set_git "$gpg_id"

	if [[ $# -eq 1 && -z $1 ]]; then
		[[ ! -f "$gpg_id" ]] && die "Error: $gpg_id does not exist and so cannot be removed."
		rm -v -f "$gpg_id" || exit 1
		if [[ -n $INNER_GIT_DIR ]]; then
			git -C "$INNER_GIT_DIR" rm -qr "$gpg_id"
			git_commit "Deinitialize ${gpg_id}${id_path:+ ($id_path)}."
		fi
		rmdir -p "${gpg_id%/*}" 2>/dev/null
	else
		mkdir -v -p "$PREFIX/$id_path"
		printf "%s\n" "$@" > "$gpg_id"
		local id_print="$(printf "%s, " "$@")"
		echo "Password store initialized for ${id_print%, }${id_path:+ ($id_path)}"
		git_add_file "$gpg_id" "Set GPG id to ${id_print%, }${id_path:+ ($id_path)}."
		if [[ -n $PASSWORD_STORE_SIGNING_KEY ]]; then
			local signing_keys=( ) key
			for key in $PASSWORD_STORE_SIGNING_KEY; do
				signing_keys+=( --default-key $key )
			done
			$GPG "${GPG_OPTS[@]}" "${signing_keys[@]}" --detach-sign "$gpg_id" || die "Could not sign .gpg_id."
			key="$($GPG --verify --status-fd=1 "$gpg_id.sig" "$gpg_id" 2>/dev/null | sed -n 's/^\[GNUPG:\] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p')"
			[[ -n $key ]] || die "Signing of .gpg_id unsuccessful."
			git_add_file "$gpg_id.sig" "Signing new GPG id with ${key//[$IFS]/,}."
		fi
	fi

	reencrypt_path "$PREFIX/$id_path"
	git_add_file "$PREFIX/$id_path" "Reencrypt password store using new GPG id ${id_print%, }${id_path:+ ($id_path)}."
}

cmd_show() {
	local opts selected_line clip=0 qrcode=0
	opts="$($GETOPT -o q::c:: -l qrcode::,clip:: -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-q|--qrcode) qrcode=1; selected_line="${2:-1}"; shift 2 ;;
		-c|--clip) clip=1; selected_line="${2:-1}"; shift 2 ;;
		--) shift; break ;;
	esac done

	[[ $err -ne 0 || ( $qrcode -eq 1 && $clip -eq 1 ) ]] && die "Usage: $PROGRAM $COMMAND [--clip[=line-number],-c[line-number]] [--qrcode[=line-number],-q[line-number]] [pass-name]"

	local pass
	local path="$1"
	local passfile="$PREFIX/$path.gpg"
	check_sneaky_paths "$path"
	if [[ -f $passfile ]]; then
		if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $?
			echo "$pass" | $BASE64 -d
		else
			[[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location '$selected_line' is not a number."
			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +${selected_line} | head -n 1)" || exit $?
			[[ -n $pass ]] || die "There is no password to put on the clipboard at line ${selected_line}."
			if [[ $clip -eq 1 ]]; then
				clip "$pass" "$path"
			elif [[ $qrcode -eq 1 ]]; then
				qrcode "$pass" "$path"
			fi
		fi
	elif [[ -d $PREFIX/$path ]]; then
		if [[ -z $path ]]; then
			echo "Password Store"
		else
			echo "${path%\/}"
		fi
		tree -C -l --noreport "$PREFIX/$path" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g' # remove .gpg at end of line, but keep colors
	elif [[ -z $path ]]; then
		die "Error: password store is empty. Try \"pass init\"."
	else
		die "Error: $path is not in the password store."
	fi
}

cmd_find() {
	[[ $# -eq 0 ]] && die "Usage: $PROGRAM $COMMAND pass-names..."
	IFS="," eval 'echo "Search Terms: $*"'
	local terms="*$(printf '%s*|*' "$@")"
	tree -C -l --noreport -P "${terms%|*}" --prune --matchdirs --ignore-case "$PREFIX" | tail -n +2 | sed -E 's/\.gpg(\x1B\[[0-9]+m)?( ->|$)/\1\2/g'
}

cmd_grep() {
	[[ $# -lt 1 ]] && die "Usage: $PROGRAM $COMMAND [GREPOPTIONS] search-string"
	local passfile grepresults
	while read -r -d "" passfile; do
		grepresults="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | grep --color=always "$@")"
		[[ $? -ne 0 ]] && continue
		passfile="${passfile%.gpg}"
		passfile="${passfile#$PREFIX/}"
		local passfile_dir="${passfile%/*}/"
		[[ $passfile_dir == "${passfile}/" ]] && passfile_dir=""
		passfile="${passfile##*/}"
		printf "\e[94m%s\e[1m%s\e[0m:\n" "$passfile_dir" "$passfile"
		echo "$grepresults"
	done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg' -print0)
}

cmd_insert() {
	local opts multiline=0 noecho=1 force=0
	opts="$($GETOPT -o mef -l multiline,echo,force -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-m|--multiline) multiline=1; shift ;;
		-e|--echo) noecho=0; shift ;;
		-f|--force) force=1; shift ;;
		--) shift; break ;;
	esac done

	[[ $err -ne 0 || ( $multiline -eq 1 && $noecho -eq 0 ) || $# -ne 1 ]] && die "Usage: $PROGRAM $COMMAND [--echo,-e | --multiline,-m] [--force,-f] pass-name"
	local path="${1%/}"
	local passfile="$PREFIX/$path.gpg"
	check_sneaky_paths "$path"
	set_git "$passfile"

	[[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"

	mkdir -p -v "$PREFIX/$(dirname -- "$path")"
	set_gpg_recipients "$(dirname -- "$path")"

	if [[ $multiline -eq 1 ]]; then
		echo "Enter contents of $path and press Ctrl+D when finished:"
		echo
		$GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
	elif [[ $noecho -eq 1 ]]; then
		local password password_again
		while true; do
			read -r -p "Enter password for $path: " -s password || exit 1
			echo
			read -r -p "Retype password for $path: " -s password_again || exit 1
			echo
			if [[ $password == "$password_again" ]]; then
				echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
				break
			else
				die "Error: the entered passwords do not match."
			fi
		done
	else
		local password
		read -r -p "Enter password for $path: " -e password
		echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
	fi
	git_add_file "$passfile" "Add given password for $path to store."
}

cmd_edit() {
	[[ $# -ne 1 ]] && die "Usage: $PROGRAM $COMMAND pass-name"

	local path="${1%/}"
	check_sneaky_paths "$path"
	mkdir -p -v "$PREFIX/$(dirname -- "$path")"
	set_gpg_recipients "$(dirname -- "$path")"
	local passfile="$PREFIX/$path.gpg"
	set_git "$passfile"

	tmpdir #Defines $SECURE_TMPDIR
	local tmp_file="$(mktemp -u "$SECURE_TMPDIR/XXXXXX")-${path//\//-}.txt"

	local action="Add"
	if [[ -f $passfile ]]; then
		$GPG -d -o "$tmp_file" "${GPG_OPTS[@]}" "$passfile" || exit 1
		action="Edit"
	fi
	${EDITOR:-editor} "$tmp_file"
	[[ -f $tmp_file ]] || die "New password not saved."
	$GPG -d -o - "${GPG_OPTS[@]}" "$passfile" 2>/dev/null | diff - "$tmp_file" &>/dev/null && die "Password unchanged."
	while ! $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" "$tmp_file"; do
		yesno "GPG encryption failed. Would you like to try again?"
	done
	git_add_file "$passfile" "$action password for $path using ${EDITOR:-editor}."
}

cmd_generate() {
	local opts qrcode=0 clip=0 force=0 characters="$CHARACTER_SET" inplace=0 pass
	opts="$($GETOPT -o nqcif -l no-symbols,qrcode,clip,in-place,force -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-n|--no-symbols) characters="$CHARACTER_SET_NO_SYMBOLS"; shift ;;
		-q|--qrcode) qrcode=1; shift ;;
		-c|--clip) clip=1; shift ;;
		-f|--force) force=1; shift ;;
		-i|--in-place) inplace=1; shift ;;
		--) shift; break ;;
	esac done

	[[ $err -ne 0 || ( $# -ne 2 && $# -ne 1 ) || ( $force -eq 1 && $inplace -eq 1 ) || ( $qrcode -eq 1 && $clip -eq 1 ) ]] && die "Usage: $PROGRAM $COMMAND [--no-symbols,-n] [--clip,-c] [--qrcode,-q] [--in-place,-i | --force,-f] pass-name [pass-length]"
	local path="$1"
	local length="${2:-$GENERATED_LENGTH}"
	check_sneaky_paths "$path"
	[[ $length =~ ^[0-9]+$ ]] || die "Error: pass-length \"$length\" must be a number."
	[[ $length -gt 0 ]] || die "Error: pass-length must be greater than zero."
	mkdir -p -v "$PREFIX/$(dirname -- "$path")"
	set_gpg_recipients "$(dirname -- "$path")"
	local passfile="$PREFIX/$path.gpg"
	set_git "$passfile"

	[[ $inplace -eq 0 && $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"

	read -r -n $length pass < <(LC_ALL=C tr -dc "$characters" < /dev/urandom)
	[[ ${#pass} -eq $length ]] || die "Could not generate password from /dev/urandom."
	if [[ $inplace -eq 0 ]]; then
		echo "$pass" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
	else
		local passfile_temp="${passfile}.tmp.${RANDOM}.${RANDOM}.${RANDOM}.${RANDOM}.--"
		if { echo "$pass"; $GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n +2; } | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile_temp" "${GPG_OPTS[@]}"; then
			mv "$passfile_temp" "$passfile"
		else
			rm -f "$passfile_temp"
			die "Could not reencrypt new password."
		fi
	fi
	local verb="Add"
	[[ $inplace -eq 1 ]] && verb="Replace"
	git_add_file "$passfile" "$verb generated password for ${path}."

	if [[ $clip -eq 1 ]]; then
		clip "$pass" "$path"
	elif [[ $qrcode -eq 1 ]]; then
		qrcode "$pass" "$path"
	else
		printf "\e[1mThe generated password for \e[4m%s\e[24m is:\e[0m\n\e[1m\e[93m%s\e[0m\n" "$path" "$pass"
	fi
}

cmd_delete() {
	local opts recursive="" force=0
	opts="$($GETOPT -o rf -l recursive,force -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-r|--recursive) recursive="-r"; shift ;;
		-f|--force) force=1; shift ;;
		--) shift; break ;;
	esac done
	[[ $# -ne 1 ]] && die "Usage: $PROGRAM $COMMAND [--recursive,-r] [--force,-f] pass-name"
	local path="$1"
	check_sneaky_paths "$path"

	local passdir="$PREFIX/${path%/}"
	local passfile="$PREFIX/$path.gpg"
	[[ -f $passfile && -d $passdir && $path == */ || ! -f $passfile ]] && passfile="${passdir%/}/"
	[[ -e $passfile ]] || die "Error: $path is not in the password store."
	set_git "$passfile"

	[[ $force -eq 1 ]] || yesno "Are you sure you would like to delete $path?"

	rm $recursive -f -v "$passfile"
	set_git "$passfile"
	if [[ -n $INNER_GIT_DIR && ! -e $passfile ]]; then
		git -C "$INNER_GIT_DIR" rm -qr "$passfile"
		set_git "$passfile"
		git_commit "Remove $path from store."
	fi
	rmdir -p "${passfile%/*}" 2>/dev/null
}

cmd_copy_move() {
	local opts move=1 force=0
	[[ $1 == "copy" ]] && move=0
	shift
	opts="$($GETOPT -o f -l force -n "$PROGRAM" -- "$@")"
	local err=$?
	eval set -- "$opts"
	while true; do case $1 in
		-f|--force) force=1; shift ;;
		--) shift; break ;;
	esac done
	[[ $# -ne 2 ]] && die "Usage: $PROGRAM $COMMAND [--force,-f] old-path new-path"
	check_sneaky_paths "$@"
	local old_path="$PREFIX/${1%/}"
	local old_dir="$old_path"
	local new_path="$PREFIX/$2"

	if ! [[ -f $old_path.gpg && -d $old_path && $1 == */ || ! -f $old_path.gpg ]]; then
		old_dir="${old_path%/*}"
		old_path="${old_path}.gpg"
	fi
	echo "$old_path"
	[[ -e $old_path ]] || die "Error: $1 is not in the password store."
	mkdir -p -v "${new_path%/*}"
	[[ -d $old_path || -d $new_path || $new_path == */ ]] || new_path="${new_path}.gpg"

	local interactive="-i"
	[[ ! -t 0 || $force -eq 1 ]] && interactive="-f"

	set_git "$new_path"
	if [[ $move -eq 1 ]]; then
		mv $interactive -v "$old_path" "$new_path" || exit 1
		[[ -e "$new_path" ]] && reencrypt_path "$new_path"

		set_git "$new_path"
		if [[ -n $INNER_GIT_DIR && ! -e $old_path ]]; then
			git -C "$INNER_GIT_DIR" rm -qr "$old_path" 2>/dev/null
			set_git "$new_path"
			git_add_file "$new_path" "Rename ${1} to ${2}."
		fi
		set_git "$old_path"
		if [[ -n $INNER_GIT_DIR && ! -e $old_path ]]; then
			git -C "$INNER_GIT_DIR" rm -qr "$old_path" 2>/dev/null
			set_git "$old_path"
			[[ -n $(git -C "$INNER_GIT_DIR" status --porcelain "$old_path") ]] && git_commit "Remove ${1}."
		fi
		rmdir -p "$old_dir" 2>/dev/null
	else
		cp $interactive -r -v "$old_path" "$new_path" || exit 1
		[[ -e "$new_path" ]] && reencrypt_path "$new_path"
		git_add_file "$new_path" "Copy ${1} to ${2}."
	fi
}

cmd_git() {
	set_git "$PREFIX/"
	if [[ $1 == "init" ]]; then
		INNER_GIT_DIR="$PREFIX"
		git -C "$INNER_GIT_DIR" "$@" || exit 1
		git_add_file "$PREFIX" "Add current contents of password store."

		echo '*.gpg diff=gpg' > "$PREFIX/.gitattributes"
		git_add_file .gitattributes "Configure git repository for gpg file diff."
		git -C "$INNER_GIT_DIR" config --local diff.gpg.binary true
		git -C "$INNER_GIT_DIR" config --local diff.gpg.textconv "$GPG -d ${GPG_OPTS[*]}"
	elif [[ -n $INNER_GIT_DIR ]]; then
		tmpdir nowarn #Defines $SECURE_TMPDIR. We don't warn, because at most, this only copies encrypted files.
		export TMPDIR="$SECURE_TMPDIR"
		git -C "$INNER_GIT_DIR" "$@"
	else
		die "Error: the password store is not a git repository. Try \"$PROGRAM git init\"."
	fi
}

cmd_extension_or_show() {
	if ! cmd_extension "$@"; then
		COMMAND="show"
		cmd_show "$@"
	fi
}

SYSTEM_EXTENSION_DIR="/usr/lib/password-store/extensions"
cmd_extension() {
	check_sneaky_paths "$1"
	local user_extension system_extension extension
	[[ -n $SYSTEM_EXTENSION_DIR ]] && system_extension="$SYSTEM_EXTENSION_DIR/$1.bash"
	[[ $PASSWORD_STORE_ENABLE_EXTENSIONS == true ]] && user_extension="$EXTENSIONS/$1.bash"
	if [[ -n $user_extension && -f $user_extension && -x $user_extension ]]; then
		verify_file "$user_extension"
		extension="$user_extension"
	elif [[ -n $system_extension && -f $system_extension && -x $system_extension ]]; then
		extension="$system_extension"
	else
		return 1
	fi
	shift
	source "$extension" "$@"
	return 0
}

#
# END subcommand functions
#

PROGRAM="${0##*/}"
COMMAND="$1"

case "$1" in
	init) shift;			cmd_init "$@" ;;
	help|--help) shift;		cmd_usage "$@" ;;
	version|--version) shift;	cmd_version "$@" ;;
	show|ls|list) shift;		cmd_show "$@" ;;
	find|search) shift;		cmd_find "$@" ;;
	grep) shift;			cmd_grep "$@" ;;
	insert|add) shift;		cmd_insert "$@" ;;
	edit) shift;			cmd_edit "$@" ;;
	generate) shift;		cmd_generate "$@" ;;
	delete|rm|remove) shift;	cmd_delete "$@" ;;
	rename|mv) shift;		cmd_copy_move "move" "$@" ;;
	copy|cp) shift;			cmd_copy_move "copy" "$@" ;;
	git) shift;			cmd_git "$@" ;;
	*)				cmd_extension_or_show "$@" ;;
esac

# power down the OpenPGP card
# guru at unixarea.de
#
gpgconf --reload scdaemon
sleep 2

exit 0

From wk at gnupg.org Wed Feb 28 10:32:43 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 28 Feb 2024 10:32:43 +0100
Subject: Second OpenPGP-card
In-Reply-To: <65DEA007.4090905@gmail.com> (Jacob Bachmeyer via Gnupg-users's message of "Tue, 27 Feb 2024 20:52:55 -0600")
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com>
Message-ID: <87le75ylvo.fsf@jacob.g10code.de>

On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:

> Therefore, pass(1) almost certainly has its own list of keys stored

pass stores the fingerprints of the keys in a .gpg-id file and allows
to set different ones per directories.

> logarithm problem and /vice versa/. Accordingly, RSA1024 is now
> considered sufficiently dubious that some implementations no longer
> support it, such as the go-crypto/openpgp library used by the newer

Which is a Bad Idea because it is up to the user or their implementation
to decide which keys are trustworthy. Being able to revoke rsa1024 keys
is a useful feature. Although MD5 (PGP2) can be considered as fully
broken, rsa1024 is not in general broken.

But it is pretty fashionable to use an easy to exploit OS (e.g. not
using the latest Linux kernel) and musing about RSA key strength. Keep
Shamir's law in mind.


Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From guru at unixarea.de Wed Feb 28 10:55:58 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 28 Feb 2024 10:55:58 +0100
Subject: Second OpenPGP-card
In-Reply-To: <87le75ylvo.fsf@jacob.g10code.de>
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com> <87le75ylvo.fsf@jacob.g10code.de>
Message-ID:

On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:

> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> > Therefore, pass(1) almost certainly has its own list of keys stored
>
> pass stores the fingerprints of the keys in a .gpg-id file and allows to
> set different ones per directories.

Werner,

I have only one .gpg-id file on my L5 mobile in my password-store:

purism at pureos:~$ find .password-store/ -name .gpg-id
.password-store/.gpg-id

purism at pureos:~$ cat .password-store/.gpg-id
CCID L5

	matthias

--
Matthias Apitz,
guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.

From wk at gnupg.org Wed Feb 28 17:30:21 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 28 Feb 2024 17:30:21 +0100
Subject: Second OpenPGP-card
In-Reply-To: (Matthias Apitz's message of "Wed, 28 Feb 2024 10:55:58 +0100")
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com> <87le75ylvo.fsf@jacob.g10code.de>
Message-ID: <87edcwzh42.fsf@jacob.g10code.de>

On Wed, 28 Feb 2024 10:55, Matthias Apitz said:

> purism at pureos:~$ cat .password-store/.gpg-id
> CCID L5

Which means that it encrypts to "CCID L5". pass parses this using

    while read -r gpg_id; do
      gpg_id="${gpg_id%%#*}" # strip comment
      [[ -n $gpg_id ]] || continue
      GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
      GPG_RECIPIENTS+=( "$gpg_id" )
    done

The good thing with pass is that it is easy to read.


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From jcb62281 at gmail.com Thu Feb 29 00:40:07 2024
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Wed, 28 Feb 2024 17:40:07 -0600
Subject: Second OpenPGP-card
In-Reply-To: <87le75ylvo.fsf@jacob.g10code.de>
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com> <87le75ylvo.fsf@jacob.g10code.de>
Message-ID: <65DFC457.6030903@gmail.com>

Werner Koch wrote:
> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> [...]
>> logarithm problem and /vice versa/.
>> Accordingly, RSA1024 is now
>> considered sufficiently dubious that some implementations no longer
>> support it, such as the go-crypto/openpgp library used by the newer
>>
>
> Which is a Bad Idea because it is up to the user or their implementation
> to decide which keys are trustworthy. Being able to revoke rsa1024 keys
> is a useful feature. Although MD5 (PGP2) can be considered as fully
> broken, rsa1024 is not in general broken.
>

Agreed; I was not endorsing that position, but I see that I should have
said "apparently considered" to make that a bit more clear. I trust
that GPG will continue to support the shorter RSA keys for the
foreseeable future.

> But it is pretty fashionable to use an easy to exploit OS (e.g. not
> using the latest Linux kernel) and musing about RSA key strength. Keep
> Shamir's law in mind.

Or even Windows, which remains disturbingly common in applications that
probably need far less attack surface, like industrial control
systems... (Is the stupidity of management a main driver of Shamir's
law?)


-- Jacob

From jcb62281 at gmail.com Thu Feb 29 00:41:01 2024
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Wed, 28 Feb 2024 17:41:01 -0600
Subject: Second OpenPGP-card
In-Reply-To:
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com> <87le75ylvo.fsf@jacob.g10code.de>
Message-ID: <65DFC48D.6060104@gmail.com>

Matthias Apitz wrote:
> On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:
>
>> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>>
>>
>>> Therefore, pass(1) almost certainly has its own list of keys stored
>>>
>> pass stores the fingerprints of the keys in a .gpg-id file and allows to
>> set different ones per directories.
>>
>
> Werner,
>
> I have only one .gpg-id file on my L5 mobile in my password-store:
>
> purism at pureos:~$ find .password-store/ -name .gpg-id
> .password-store/.gpg-id
>
> purism at pureos:~$ cat .password-store/.gpg-id
> CCID L5
>

That .gpg-id file would be the list I was talking about. It seems that
pass(1) stores the actual keys on your main GPG keyring, but keeps a
list of /which/ keys should be able to decrypt passwords separately.
(Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in
your environment: if set, it overrides the search for a .gpg-id file.)

There is also a facility for maintaining GPG signatures on those .gpg-id
files, which would make sneaking in Mallory's key far more difficult if
you were to use it. I suspect that the pass(1) manpage has more
information and may be interesting reading. Overall, this seems to be a
good design.

I would also suggest using the key fingerprints instead of names when
you reencrypt your password store, as I suspect that your new and old
smartcard keys may have similar names.

As Werner mentioned, you can also have different .gpg-id files for
different parts of your password store, if you wanted some passwords to
only be available with certain smartcards.


-- Jacob

From wk at gnupg.org Thu Feb 29 11:06:09 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 29 Feb 2024 11:06:09 +0100
Subject: Second OpenPGP-card
In-Reply-To: <65DFC457.6030903@gmail.com> (Jacob Bachmeyer via Gnupg-users's message of "Wed, 28 Feb 2024 17:40:07 -0600")
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com> <87le75ylvo.fsf@jacob.g10code.de> <65DFC457.6030903@gmail.com>
Message-ID: <87a5njzisu.fsf@jacob.g10code.de>

On Wed, 28 Feb 2024 17:40, Jacob Bachmeyer said:

> Or even Windows, which remains disturbingly common in applications
> that probably need far less attack surface, like industrial control
> systems...
> (Is the stupidity of management a main driver of Shamir's
> law?)

Often true but the real problem is software complexity. Also:
developers are being paid for their work and thus they tend to keep
themselves in business by requiring software changes all the time.


Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From wk at gnupg.org Thu Feb 29 11:16:19 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 29 Feb 2024 11:16:19 +0100
Subject: Second OpenPGP-card
In-Reply-To: <65DFC48D.6060104@gmail.com> (Jacob Bachmeyer via Gnupg-users's message of "Wed, 28 Feb 2024 17:41:01 -0600")
References: <875xysbryo.fsf@jacob.g10code.de> <65DD2F7A.8070609@gmail.com> <65DEA007.4090905@gmail.com> <87le75ylvo.fsf@jacob.g10code.de> <65DFC48D.6060104@gmail.com>
Message-ID: <875xy7zibw.fsf@jacob.g10code.de>

On Wed, 28 Feb 2024 17:41, Jacob Bachmeyer said:

> As Werner mentioned, you can also have different .gpg-id files for
> different parts of your password store, if you wanted some passwords
> to only be available with certain smartcards.

FWIW: The C3S uses pass for their teams and meik wrote a script to
manage such a password store: https://github.com/C3S/passtore


Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From kloecker at kde.org Thu Feb 29 13:40:53 2024
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 29 Feb 2024 13:40:53 +0100
Subject: Second OpenPGP-card
In-Reply-To: <87edcwzh42.fsf@jacob.g10code.de>
References: <87edcwzh42.fsf@jacob.g10code.de>
Message-ID: <2320106.ElGaqSPkdT@daneel>

On Wednesday, 28 February 2024 17:30:21 CET Werner Koch via Gnupg-users wrote:
> On Wed, 28 Feb 2024 10:55, Matthias Apitz said:
> > purism at pureos:~$ cat .password-store/.gpg-id
> > CCID L5
>
> Which means that it encrypts to "CCID L5". pass parses this using
>
>     while read -r gpg_id; do
>       gpg_id="${gpg_id%%#*}" # strip comment
>       [[ -n $gpg_id ]] || continue
>       GPG_RECIPIENT_ARGS+=( "-r" "$gpg_id" )
>       GPG_RECIPIENTS+=( "$gpg_id" )
>     done
>
> The good thing with pass is that it is easy to read.

"CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If I
add a (secondary) user ID "CCID L5" to my key and trick Matthias into
importing it won't pass start encrypting their passwords for my key?

My ~/.password-store/.gpg-id contains the fingerprint of my password encryption
key.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL:

From guru at unixarea.de Thu Feb 29 14:07:32 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 29 Feb 2024 14:07:32 +0100
Subject: Second OpenPGP-card
In-Reply-To: <2320106.ElGaqSPkdT@daneel>
References: <87edcwzh42.fsf@jacob.g10code.de> <2320106.ElGaqSPkdT@daneel>
Message-ID:

On Thursday, February 29, 2024 at 01:40:53 +0100, Ingo Klöcker wrote:

> "CCID L5" doesn't strike me as a sufficiently unique identifier for a key.
> If I add a (secondary) user ID "CCID L5" to my key and trick Matthias into
> importing it won't pass start encrypting their passwords for my key?
>
> My ~/.password-store/.gpg-id contains the fingerprint of my password encryption
> key.

Mine too now:

purism at pureos:~$ gpg --list-keys --fingerprint
/home/purism/.gnupg/pubring.kbx
-------------------------------
pub   rsa2048 2021-10-30 [SC]
      336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141
uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
sub   rsa2048 2021-10-30 [A]
sub   rsa2048 2021-10-30 [E]

purism at pureos:~$ cat .password-store/.gpg-id
336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141

Thanks for this hint.

	matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
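
The recipient check this thread arrives at (a .gpg-id entry such as "CCID L5" is matched against user IDs, while a full fingerprint pins one key), as an added example that is not part of pass or of any message above. It reads each .gpg-id the way the quoted loop does and flags entries that are not a full fingerprint; the function names and the sample store are constructed for illustration, and 40 hex digits assumes OpenPGP v4 keys.

```shell
#!/bin/sh
# Added example, not part of pass: flag .gpg-id entries that gpg would resolve
# by user-ID or key-ID match instead of by a full fingerprint.

# classify_gpg_id ENTRY -> prints "fingerprint" or "ambiguous".
# Assumption: OpenPGP v4 keys, whose fingerprints are 40 hex digits.
classify_gpg_id() {
    # gpg prints fingerprints in groups of four, so drop blanks first.
    compact=$(printf '%s' "$1" | tr -d ' \t')
    compact=${compact#0x}
    case "$compact" in
        ''|*[!0-9A-Fa-f]*) echo ambiguous ;;    # empty, or a name such as "CCID L5"
        *)  if [ "${#compact}" -eq 40 ]; then
                echo fingerprint
            else
                echo ambiguous                   # short or long key ID only
            fi ;;
    esac
}

# audit_gpg_id_file FILE -> one report line per recipient; status 1 if any
# entry is ambiguous. One recipient per line, text after '#' is a comment,
# empty lines are skipped (same rules as the loop quoted in the thread).
audit_gpg_id_file() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        if [ "$(classify_gpg_id "$entry")" = fingerprint ]; then
            printf 'ok    %s: %s\n' "$file" "$entry"
        else
            printf 'WARN  %s: "%s" is not a full fingerprint\n' "$file" "$entry"
            bad=$((bad + 1))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# audit_store DIR -> audits every .gpg-id below DIR (pass allows one per
# subfolder); status 1 if any of them contains an ambiguous entry.
audit_store() {
    report=$(find "$1" -type f -name .gpg-id ! -path '*/.git/*' | sort |
        while IFS= read -r f; do
            audit_gpg_id_file "$f" || true
        done)
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    ! printf '%s\n' "$report" | grep -q '^WARN'
}

# make_sample_store -> prints the path of a constructed throw-away store:
# the root uses the name from the thread, work/ uses the fingerprint from it.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir -p "$dir/work"
    printf 'CCID L5\n' > "$dir/.gpg-id"
    printf '336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141  # card key\n' \
        > "$dir/work/.gpg-id"
    printf '%s\n' "$dir"
}

# Demo on the constructed store; point audit_store at a real store instead.
demo=$(make_sample_store)
audit_store "$demo" || echo "result: store has ambiguous recipients"
rm -rf "$demo"
```

A clean audit only shows that each recipient is pinned to one key; whether that key is the intended one still has to be checked against the keyring.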