From kloecker at kde.org Mon Jan 1 21:10:01 2024
From: kloecker at kde.org (Ingo Klöcker)
Date: Mon, 01 Jan 2024 21:10:01 +0100
Subject: gpg --card-status
In-Reply-To:
References: <12356199.O9o76ZdvQC@daneel>
Message-ID: <2726234.mvXUDI8C0e@daneel>

On Monday, 1 January 2024 20:33:28 CET Matthias Apitz wrote:
> It seems from the man page that only '#' is documented:

Must be an older version. The manual page of GnuPG 2.4.3 reads:

    -K  List the specified secret keys. If no keys are specified, then
        all known secret keys are listed. A # after the initial tags sec
        or ssb means that the secret key or subkey is currently not
        usable. We also say that this key has been taken offline (for
        example, a primary key can be taken offline by exporting the key
        using the command --export-secret-subkeys). A > after these tags
        indicate that the key is stored on a smartcard. See also
        --list-keys.

Regards,
Ingo

From guru at unixarea.de Mon Jan 1 20:33:28 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Mon, 1 Jan 2024 20:33:28 +0100
Subject: gpg --card-status
In-Reply-To: <12356199.O9o76ZdvQC@daneel>
References: <12356199.O9o76ZdvQC@daneel>
Message-ID:

On Sunday, December 31, 2023 at 05:34:42 PM +0100, Ingo Klöcker wrote:

> On Saturday, 30 December 2023 23:30:39 CET Felix E. Klee wrote:
> > Line 25: "sec>" means secret primary key. Where does the key ID come
> > from? Is it read from the card? Or is it read from the public key ring
> > on disk?
> >
> > Line 27: "ssb>" means secret sub key.
> >
> > Line 29: "ssb#" means secret sub key, but without the matching secret
> > key on the card. This I just learned from Ingo Klöcker in another
> > thread.
>
> The meaning of ">" and "#" is documented in the description of the command
> `--list-secret-keys` in the manual page of gpg.
>
> Regards,
> Ingo

It seems from the man page that only '#' is documented:

man gpg
...
       --list-secret-keys
       -K     List all keys from the secret keyrings, or just the ones given
              on the command line. A # after the letters sec means that the
              secret key is not usable (for example, if it was created via
              --export-secret-subkeys).

What does '>' mean?

Thanks

	matthias

--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.

From johndoe65534 at mail.com Tue Jan 2 09:40:20 2024
From: johndoe65534 at mail.com (john doe)
Date: Tue, 2 Jan 2024 09:40:20 +0100
Subject: OT: Best way to send e-mails to a recipient that does know encryption
Message-ID:

Hi,

I need to send personal info to a recipient who has no idea what
encryption is nor is able to decrypt an encrypted e-mail.

I do not want to use Gmail to send that kind of information and I'm
contemplating using posteo.de.

Is this any better?

In other words, how do you use e-mails with a recipient that should be
able to open and reply to e-mails as usual.

Sorry for being OT.

--
John Doe

From guru at unixarea.de Tue Jan 2 12:44:27 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 2 Jan 2024 12:44:27 +0100
Subject: gpg --card-status
In-Reply-To: <2726234.mvXUDI8C0e@daneel>
References: <12356199.O9o76ZdvQC@daneel> <2726234.mvXUDI8C0e@daneel>
Message-ID:

On Monday, January 01, 2024 at 09:10:01 PM +0100, Ingo Klöcker wrote:

> On Monday, 1 January 2024 20:33:28 CET Matthias Apitz wrote:
> > It seems from the man page that only '#' is documented:
>
> Must be an older version.
> The manual page of GnuPG 2.4.3 reads:

You are correct:

$ gpg --version | grep ^gpg
gpg (GnuPG) 1.4.23
$ man gpg | col -b | grep -A5 -- -K
       -K     List all keys from the secret keyrings, or just the ones given
              on the command line. A # after the letters sec means that the
              secret key is not usable (for example, if it was created via
              --export-secret-subkeys).

$ gpg2 --version | grep ^gpg
gpg (GnuPG) 2.4.3
$ man gpg2 | col -b | grep -A5 -- -K
       -K     List the specified secret keys. If no keys are specified, then
              all known secret keys are listed. A # after the initial tags sec
              or ssb means that the secret key or subkey is currently not
              usable. We also say that this key has been taken offline (for
              example, a primary key can be taken offline by exporting the key
              using the command --export-secret-subkeys). A > after these
...

Thanks

	matthias

--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.

From lists at lrose.de Tue Jan 2 12:16:15 2024
From: lists at lrose.de (LuKaRo)
Date: Tue, 2 Jan 2024 12:16:15 +0100
Subject: OT: Best way to send e-mails to a recipient that does know encryption
In-Reply-To:
References:
Message-ID:

> I do not want to use Gmail to send that kind of information and I'm
> contemplating using posteo.de.
>
> Is this any better?

I'd argue of course it's better. Google openly admits reading your
e-mail, so other mail providers that respect your privacy should be
preferred. I particularly like posteo.de, because the 1 €/month fee is
still very cheap but makes clear that they have a different business
model that doesn't involve customer data. Furthermore, they deploy a
very sophisticated solution that makes it technically impossible to
match payment data or IP addresses to mailboxes, and even fought (and
won!) a lawsuit against the German authorities that wanted to force
posteo to hand out customer data (which they don't even collect).

However, while this will surely be an improvement over providers like
Google, it doesn't solve the encryption problem. While providers like
posteo make it easy for laypeople to use encryption, for example by
providing good instructions and supporting gpg encryption in their
webclient, you'd probably still need to help a layperson in setting up
their gpg keys, either in Thunderbird or in the webclient of a provider
supporting this. So if the person is willing to try encryption, you're
probably best off by helping them do it before sending your personal
information.

Hope that helps a bit,
lukaro

From kloecker at kde.org Tue Jan 2 15:23:28 2024
From: kloecker at kde.org (Ingo Klöcker)
Date: Tue, 02 Jan 2024 15:23:28 +0100
Subject: OT: Best way to send e-mails to a recipient that does know encryption
In-Reply-To:
References:
Message-ID: <2172977.irdbgypaU6@daneel>

On Tuesday, 2 January 2024 12:16:15 CET LuKaRo wrote:
> > I do not want to use Gmail to send that kind of information and I'm
> > contemplating using posteo.de.
> >
> > Is this any better?
>
> I'd argue of course it's better. Google openly admits reading your
> e-mail, so other mail providers that respect your privacy should be
> preferred. I particularly like posteo.de, because the 1 €/month fee is
> still very cheap but makes clear that they have a different business
> model that doesn't involve customer data. Furthermore, they deploy a
> very sophisticated solution that makes it technically impossible to
> match payment data or IP addresses to mailboxes, and even fought (and
> won!) a lawsuit against the German authorities that wanted to force
> posteo to hand out customer data (which they don't even collect).

Posteo will release data to authorities if they are forced to do so by a
judicial order.
See their transparency reports for details:
https://posteo.de/en/site/transparency_report

I'm still using Posteo.

Regards,
Ingo

From fa-ml at ariis.it Tue Jan 2 14:18:47 2024
From: fa-ml at ariis.it (Francesco Ariis)
Date: Tue, 2 Jan 2024 14:18:47 +0100
Subject: OT: Best way to send e-mails to a recipient that does know encryption
In-Reply-To:
References:
Message-ID:

On 2 January 2024 at 09:40 john doe via Gnupg-users wrote:
> In other words, how do you use e-mails with a recipient that should be
> able to open and reply to e-mails as usual.

If email is not a strict requirement, two Matrix accounts can be set up
to have an encrypted conversation, same with XMPP

-F

From felix.klee at inka.de Tue Jan 2 23:06:59 2024
From: felix.klee at inka.de (Felix E. Klee)
Date: Tue, 2 Jan 2024 23:06:59 +0100
Subject: gpg --card-status
In-Reply-To:
References:
Message-ID:

On Sat, Dec 30, 2023 at 11:30 PM Felix E. Klee wrote:
> Example output with line numbers:
>
> 01 Reader ...........: Yubico YubiKey CCID 00 00
> 02 Application ID ...: D2760001240103040006186980150000
> 03 Application type .: OpenPGP
> 04 Version ..........: 3.4
> 05 Manufacturer .....: Yubico
> 06 Serial number ....: 18698015
> 07 Name of cardholder: [not set]
> 08 Language prefs ...: [not set]
> 09 Salutation .......:
> 10 URL of public key : [not set]
> 11 Login data .......: [not set]
> 12 Signature PIN ....: not forced
> 13 Key attributes ...: rsa4096 rsa4096 rsa4096
> 14 Max. PIN lengths .: 127 127 127
> 15 PIN retry counter : 3 0 3
> 16 Signature counter : 0
> 17 KDF setting ......: off
> 18 Signature key ....: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
> 19       created ....: 2023-06-29 03:50:43
> 20 Encryption key....: DBBD 3239 D0F1 4326 808D FC8F 7CC0 2D68 D2E3 1736
> 21       created ....: 2023-06-29 03:50:43
> 22 Authentication key: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
> 23       created ....: 2023-06-29 03:50:43
> 24 General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix E. Klee (YubiKey)
> 25 sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
> 26                                 card-no: 0006 18698015
> 27 ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
> 28                                 card-no: 0006 18698015
> 29 ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never

Thanks for all the input! My current state of knowledge is:

* Lines 18, 20, 22: Fingerprints identifying the secret keys stored on
  the card. A fingerprint is an SHA-1 hash of:

      corresponding public key + some meta data

  The fingerprints displayed on these lines are stored on the card.

* Lines 25, 27, 29: Information about availability of secret keys on the
  card. The numbers are long key IDs. A long key ID is the last 16
  characters of a fingerprint. The fingerprints displayed on these lines
  are generated from the public keys stored on disk. Here:

  - sec: Secret primary key
  - ssb: Secret sub key
  - >: Secret key is available on the card
  - #: Secret key is missing from the card

For a summary concerning how the fingerprints are calculated, I found:

https://blog.djoproject.net/2020/05/03/main-differences-between-a-gnupg-fingerprint-a-ssh-fingerprint-and-a-keygrip/

Please correct me where I'm wrong!
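An added example (not code from the thread or from GnuPG) that turns the summary above into a check: it parses the card's own fingerprint lines and the on-disk sec/ssb lines from the `gpg --card-status` output quoted above (embedded here as constructed sample input), derives the long key ID as the last 16 hex digits of each fingerprint, and verifies that every `>` line names a key the card actually holds and every `#` line does not. It also shows how a v4 fingerprint is built (SHA-1 over the public key packet plus creation time and algorithm, per RFC 4880 section 12.2) on a constructed toy key whose MPIs are not a real key.

```python
import hashlib
import re

# Constructed sample input: the `gpg --card-status` lines discussed above
# (card fingerprints on the "... key" lines, on-disk key list below them).
CARD_STATUS = """\
Signature key ....: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
      created ....: 2023-06-29 03:50:43
Encryption key....: DBBD 3239 D0F1 4326 808D FC8F 7CC0 2D68 D2E3 1736
      created ....: 2023-06-29 03:50:43
Authentication key: 7A0F E73D DB74 4F0F 9734 1DA7 1BE3 49D1 1B6E D589
      created ....: 2023-06-29 03:50:43
General key info..: pub  rsa4096/1BE349D11B6ED589 2023-06-29 Felix E. Klee (YubiKey)
sec>  rsa4096/1BE349D11B6ED589  created: 2023-06-29  expires: never
                                card-no: 0006 18698015
ssb>  rsa4096/7CC02D68D2E31736  created: 2023-06-29  expires: never
                                card-no: 0006 18698015
ssb#  rsa4096/32B106F6877CC64B  created: 2023-11-22  expires: never
"""

SLOT_RE = re.compile(r"^(Signature key|Encryption key|Authentication key)\s*\.*:\s*([0-9A-F ]+)$")
KEY_RE = re.compile(r"^(sec|ssb)([>#])\s+(\w+)/([0-9A-F]{16})")


def long_key_id(fingerprint):
    """Long key ID = last 16 hex digits (low 8 bytes) of the v4 fingerprint."""
    return fingerprint.replace(" ", "").upper()[-16:]


def card_fingerprints(text):
    """{slot name: 40-hex fingerprint} as reported by the card itself."""
    slots = {}
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots[m.group(1)] = m.group(2).replace(" ", "")
    return slots


def secret_key_lines(text):
    """[(tag, marker, algo, long key id)] from the sec/ssb lines (on-disk view)."""
    return [m.groups() for m in map(KEY_RE.match, text.splitlines()) if m]


def reconcile(text):
    """Cross-check the on-disk markers against what the card holds.

    A '>' line must name a key whose fingerprint the card reports; a '#'
    line must not.  Anything else points at stale stubs in the keyring
    (e.g. a card that was replaced) or a parse problem.
    """
    slots_by_keyid = {}
    for slot, fp in card_fingerprints(text).items():
        slots_by_keyid.setdefault(long_key_id(fp), []).append(slot)
    report = {}
    for tag, marker, algo, keyid in secret_key_lines(text):
        slots = slots_by_keyid.get(keyid, [])
        on_card = marker == ">"
        report[keyid] = {"tag": tag, "algo": algo, "on_card": on_card,
                         "slots": slots, "consistent": on_card == bool(slots)}
    return report


def v4_public_key_body(created, algo, mpis):
    """Body of an OpenPGP v4 public key packet: version byte, 4-byte creation
    time, algorithm id, then each MPI as 2-byte bit length + big-endian bytes."""
    body = b"\x04" + created.to_bytes(4, "big") + bytes([algo])
    for x in mpis:
        bits = x.bit_length()
        body += bits.to_bytes(2, "big") + x.to_bytes((bits + 7) // 8, "big")
    return body


def v4_fingerprint(created, algo, mpis):
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body.
    This is the "public key + some meta data" the summary above refers to."""
    body = v4_public_key_body(created, algo, mpis)
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


if __name__ == "__main__":
    for keyid, info in reconcile(CARD_STATUS).items():
        where = ", ".join(info["slots"]) or "not on card"
        flag = "" if info["consistent"] else "  <-- MISMATCH"
        print(f"{info['tag']} {info['algo']}/{keyid}: {where}{flag}")
    # Toy RSA-like MPIs (constructed, not a real key) just to show the hashing.
    fp = v4_fingerprint(1688010643, 1, [0xC0FFEE, 65537])
    print("toy fingerprint", fp, "-> long key id", long_key_id(fp))
```

On the sample the signature and authentication slots resolve to the same key ID, the encryption slot to the `ssb>` line, and the `ssb#` line to no slot at all, which is exactly the reading given above.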
From vedaal at nym.hush.com Wed Jan 3 05:10:55 2024
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 02 Jan 2024 23:10:55 -0500
Subject: OT: Best way to send e-mails to a recipient that does know encryption
In-Reply-To: <2172977.irdbgypaU6@daneel>
References: <2172977.irdbgypaU6@daneel>
Message-ID:

On 1/2/2024 at 9:26 AM, "Ingo Klöcker" wrote:

> Posteo will release data to authorities if they are forced to do
> so by a judicial order. See their transparency reports for details:
> https://posteo.de/en/site/transparency_report
>
> I'm still using Posteo.

=====

Another option is Hushmail.

It allows sending encrypted mail to someone who has no encryption
experience and to any email address.

The Receiver agrees on a passphrase with the Sender, and the Sender sends
the encrypted email. The Receiver gets a notice in whatever email he/she
is using, with a link to a site on the hushmail server. The Receiver
clicks on a link, and Hushmail requests a passphrase. Only 3 attempts
are allowed. The message is erased on the 4th try. The message is also
erased after 72 hours from the time it is sent. If the passphrase is
correct, it displays the plaintext of the message.

Again, if you are suspected of being a terrorist or a human trafficker,
and Law Enforcement gets a convincing order, they will release your
information.

They are based in Canada. Price is 49 US$ / year. Allows for unlimited
aliases (that haven't already been taken).

If anyone wants to try out the encryption, please send me an email, and
tell me what you want your passphrase to be.

vedaal

From felix.klee at inka.de Fri Jan 5 10:07:07 2024
From: felix.klee at inka.de (Felix E. Klee)
Date: Fri, 5 Jan 2024 10:07:07 +0100
Subject: Cannot export SSH public key
In-Reply-To:
References: <12329793.O9o76ZdvQC@daneel> <874jhedjz4.fsf@jacob.g10code.de> <2f37ba49338c0858e9dfbb6f8396d202d2091ac0.camel@posteo.de>
Message-ID:

On Fri, Nov 24, 2023 at 9:09 AM Felix E. Klee wrote:
> In addition, I need:
>
>     gpg-connect-agent updatestartuptty /bye

Otherwise, I get no PIN entry dialog / prompt.

From wk at gnupg.org Fri Jan 5 14:42:58 2024
From: wk at gnupg.org (Werner Koch)
Date: Fri, 05 Jan 2024 14:42:58 +0100
Subject: Cannot export SSH public key
In-Reply-To: (Felix E. Klee's message of "Fri, 5 Jan 2024 10:07:07 +0100")
References: <12329793.O9o76ZdvQC@daneel> <874jhedjz4.fsf@jacob.g10code.de> <2f37ba49338c0858e9dfbb6f8396d202d2091ac0.camel@posteo.de>
Message-ID: <87o7dz3nh9.fsf@jacob.g10code.de>

On Fri, 5 Jan 2024 10:07, Felix E. Klee said:

>>     gpg-connect-agent updatestartuptty /bye
>
> Otherwise, I get no PIN entry dialog / prompt.

That is right. The ssh-agent protocol has no means to tell the
ssh-agent or gpg-agent some important environment variables, like the
current tty or DISPLAY. I can't remember how ssh-askpass (?) works, but
for GnuPG, gpg-agent uses the tty/display from where it was launched if
it does not know anything else. updatestartuptty tells gpg-agent that
it should assume that the tty/display where gpg-connect-agent was run
should be the new default.

Fixing this in the ssh-agent protocol would be easy and I actually
implemented this but did not find the time to keep on nagging them to
include my patch to pass arbitrary envvars over the ssh-agent protocol.
The gnupg part has long been implemented:

https://dev.gnupg.org/rG224e26cf7b67f22bb0140133eac6b4ad24f3b1b7

and somewhere on the openssh ML one should find my patch.

I am so used to running the updatestartuptty that I don't even think
about this. It is the first thing I do when I ssh into my laptop.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From ming at imkuang.com Fri Jan 5 14:25:28 2024
From: ming at imkuang.com (Ming Kuang)
Date: Fri, 5 Jan 2024 21:25:28 +0800
Subject: typo in section 7.4.3 of the gpgme manual
Message-ID: <001501da3fda$a7cd7010$f7685030$@imkuang.com>

Hi,

I noticed a typo when reading the gpgme manual via "info gpgme" on my
Ubuntu 22.04 (libgpgme-dev 1.16.0-1.2ubuntu4.1).

It also exists in the latest HTML web reference manual (edition 1.23.2):
https://www.gnupg.org/documentation/manuals/gpgme/Setting-the-Sender.html

> The function gpgme_set_sender specifies the sender address for use in
> sign and verify operations. address is expected to be the "addr-spec"
> part of an address but **my also be** a complete mailbox address, in
> ...

I think it should be "may also be" instead of "my also be" :)

From felix.klee at inka.de Fri Jan 5 21:58:37 2024
From: felix.klee at inka.de (Felix E. Klee)
Date: Fri, 5 Jan 2024 21:58:37 +0100
Subject: Cannot export SSH public key
In-Reply-To: <87o7dz3nh9.fsf@jacob.g10code.de>
References: <12329793.O9o76ZdvQC@daneel> <874jhedjz4.fsf@jacob.g10code.de> <2f37ba49338c0858e9dfbb6f8396d202d2091ac0.camel@posteo.de> <87o7dz3nh9.fsf@jacob.g10code.de>
Message-ID:

On Fri, Jan 5, 2024 at 2:43 PM Werner Koch wrote:
> That is right. The ssh-agent protocol has no means to tell the
> ssh-agent or gpg-agent some important environment variables, like the
> current tty or DISPLAY.

Interesting, thanks for the look behind the scenes!

> I am so used to running the updatestartuptty that I don't even think
> about this. It is the first thing I do when I ssh into my laptop.

I have to do it twice, though, until it works.
In my `~/.bashrc` I have:

    gpg-connect-agent updatestartuptty /bye

Right after logging in (auto login on Ubuntu / WSL 2), I get:

    gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
    gpg-connect-agent: waiting for the agent to come up ... (5s)
    gpg-connect-agent: connection to agent established

That looks good, but somehow it doesn't work:

    $ ssh some_server
    sign_and_send_pubkey: signing failed for RSA "cardno:18 698 015" from agent: agent refused operation
    sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
    felix at some_server: Permission denied (publickey).

After starting `tmux`, which runs `gpg-connect-agent` again, everything
works fine. I get the PIN entry dialog, and I can connect by SSH.

This is a non-issue, not really worth debugging. I start `tmux` every
time anyhow.

From wk at gnupg.org Mon Jan 15 08:30:28 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Jan 2024 08:30:28 +0100
Subject: typo in section 7.4.3 of the gpgme manual
In-Reply-To: <001501da3fda$a7cd7010$f7685030$@imkuang.com> (Ming Kuang via Gnupg-users's message of "Fri, 5 Jan 2024 21:25:28 +0800")
References: <001501da3fda$a7cd7010$f7685030$@imkuang.com>
Message-ID: <87fryzoxyj.fsf@jacob.g10code.de>

On Fri, 5 Jan 2024 21:25, Ming Kuang said:

> I think it should be "may also be" instead of "my also be" :)

Fixed. Thanks.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From philipp at knutschmidt.de Mon Jan 15 09:25:01 2024
From: philipp at knutschmidt.de (Philipp Schmidt)
Date: Mon, 15 Jan 2024 09:25:01 +0100 (CET)
Subject: Trouble with GPG Cards for SSH when using FIDO2
Message-ID: <565947777.172595.1705307101462@ox91.mailbox.org>

Hello Everybody,

since some update, about 2 months ago, I started to run into trouble
using both my YubiKeys. To be precise: I have set up gpg such that the
ssh auth agent can access the keys. That worked for a long time. For
example: `ssh-add -L` always displayed both public keys.

As mentioned before, now I am running into trouble, but not right from
the start. As far as I could observe, it happens always after I used one
of the keys for a FIDO2 authentication. After that `ssh-add -L` doesn't
display any keys any more and `gpg --card-status` says:

```
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
```

even though the keys are inserted. In such a case, the only thing that
helps is a reboot.

I really would like to provide more details, but I really do not know
where to start.

Baseline:
- Everything works fine until I use one of the keys for FIDO2
- Afterwards I cannot restore the service without a reboot

I am running Arch Linux with a new kernel and GPG version 2.4.3.

Thanks in advance for any help!

From t.schneider at disroot.org Mon Jan 15 15:20:43 2024
From: t.schneider at disroot.org (t.schneider at disroot.org)
Date: Mon, 15 Jan 2024 15:20:43 +0100
Subject: Win 11 + Smartcard: SSH public key authentication fails
Message-ID: <8528fffc97477ccc49541c399b9a179b@disroot.org>

Hello,

in the past I used Windows 10 + Smartcard + MobaXterm for SSH public key
authentication w/o problems incl. SSH forward.

Now I have a new device with Windows 11, and I want to use the same
Smartcard for SSH public key authentication using the Win 11 (native)
SSH client.

Therefore I installed
- Gpg4win 4.2 (latest version)
- PowerShell 7 (latest version)
- PuTTY 0.8 (latest version)
and configured gpg.conf and gpg-agent.conf.

I don't intend to install git BASH assuming PowerShell 7 provides a
working shell.

I can run gpg --card-status and ssh-add -L w/o problems, meaning I can
display all information stored on my Smartcard and the SSH public key
(the key ends with "cardno:0005_000080CE").

However, when I try to connect to an SSH server, public key
authentication fails.

I found this statement when searching for a solution:

"[...] The ssh-pageant provides the same kind of functionality to ssh
but, as opposed to ssh-agent, does speak the PuTTY protocol. This
enables ssh to speak with the gpg-agent via the ssh-pageant.[...]"

Can you please advise how to fix this issue?

From wk at gnupg.org Mon Jan 15 17:04:41 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Jan 2024 17:04:41 +0100
Subject: Trouble with GPG Cards for SSH when using FIDO2
In-Reply-To: <565947777.172595.1705307101462@ox91.mailbox.org> (Philipp Schmidt's message of "Mon, 15 Jan 2024 09:25:01 +0100 (CET)")
References: <565947777.172595.1705307101462@ox91.mailbox.org>
Message-ID: <87ttneoa5i.fsf@jacob.g10code.de>

On Mon, 15 Jan 2024 09:25, Philipp Schmidt said:

> - Everything works fine until I use one of the keys for FIDO2
> - Afterwards I cannot restore the service without a reboot

Try to add pcsc-shared to scdaemon.conf and run gpgconf -R scdaemon.
Does this change anything?

If not, add

  log-file /foo/scd.log
  debug ipc,reader,card

to scdaemon.conf and check the log file or send it to me. Make sure
that you did not enter the PIN as it would show up in the log. If this
does not give any hints, adding "debug cardio" will give even more
verbose output.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From wk at gnupg.org Mon Jan 15 17:36:23 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Jan 2024 17:36:23 +0100
Subject: Win 11 + Smartcard: SSH public key authentication fails
In-Reply-To: <8528fffc97477ccc49541c399b9a179b@disroot.org> (Thomas via Gnupg-users's message of "Mon, 15 Jan 2024 15:20:43 +0100")
References: <8528fffc97477ccc49541c399b9a179b@disroot.org>
Message-ID: <87ply2o8oo.fsf@jacob.g10code.de>

Hi!

I am not 100% sure whether I did understand you correctly:

You are in Windows 11 and want to use its native OpenSSH client to
connect to some other ssh server.

Why do you need Putty, which has an integrated but different ssh
implementation?

For Putty you had *enable-putty-support* in your gpg-agent.conf.
For the native client you need to add *enable-w32-openssh-support* to
your gpg-agent.conf. Better disable the Putty support; I am not sure
whether there are any conflicts.

Take care, although me and my scripts ssh into Windows 10 and 11 boxes
quite often, the other way around is not that well tested.

For debugging options, please see my other mail from today.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From t.schneider at disroot.org Mon Jan 15 20:03:19 2024
From: t.schneider at disroot.org (Thomas Schneider)
Date: Mon, 15 Jan 2024 20:03:19 +0100
Subject: Win 11 + Smartcard: SSH public key authentication fails
In-Reply-To: <87ply2o8oo.fsf@jacob.g10code.de>
References: <8528fffc97477ccc49541c399b9a179b@disroot.org> <87ply2o8oo.fsf@jacob.g10code.de>
Message-ID:

Hello Werner,

thanks for your reply.

Your understanding is correct: From Win 11 to any other (Linux) server
using SSH.

Actually I installed PuTTY only because of this statement (I found in my
research):

"[...] The ssh-pageant provides the same kind of functionality to ssh
but, as opposed to ssh-agent, does speak the PuTTY protocol. This
enables ssh to speak with the gpg-agent via the ssh-pageant.[...]"

And ssh-pageant is not available for Win 11, but pageant is included in
PuTTY.

Could you please share some details of your working setup (scripts
connecting from Win 10/11 to other servers using SSH).

THX
Thomas

On 15.01.24 at 17:36 Werner Koch via Gnupg-users wrote:
> Hi!
>
> I am not 100% sure whether I did understand you correctly:
>
> You are in Windows 11 and want to use its native OpenSSH client to
> connect to some other ssh server.
>
> Why do you need Putty, which has an integrated but different ssh
> implementation?
>
> For Putty you had *enable-putty-support* in your gpg-agent.conf. For
> the native client you need to add *enable-w32-openssh-support* to your
> gpg-agent.conf. Better disable the Putty support; I am not sure whether
> there are any conflicts.
>
> Take care, although me and my scripts ssh into Windows 10 and 11 boxes
> quite often, the other way around is not that well tested.
>
> For debugging options, please see my other mail from today.
>
>
> Shalom-Salam,
>
> Werner

From wk at gnupg.org Tue Jan 16 18:50:23 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 16 Jan 2024 18:50:23 +0100
Subject: Win 11 + Smartcard: SSH public key authentication fails
In-Reply-To: (Thomas Schneider via Gnupg-users's message of "Mon, 15 Jan 2024 20:03:19 +0100")
References: <8528fffc97477ccc49541c399b9a179b@disroot.org> <87ply2o8oo.fsf@jacob.g10code.de>
Message-ID: <878r4pnp5s.fsf@jacob.g10code.de>

On Mon, 15 Jan 2024 20:03, Thomas Schneider said:

> And ssh-pageant is not available for Win 11, but pageant is included
> in PuTTY.

I didn't implement or test the newer --enable-w32-openssh-support so I
don't have first-hand experience. However, Windows comes with an ssh
server and a client, which are slightly modified OpenSSH versions. Thus
you should be able to simply run

  c:\ ssh -v snowden at hawaii.nsa.gov

The ssh diagnostics enabled with -v should show you what's going on and
whether ssh tries to use an ssh-agent implementation.

You need to start gpg-agent first, of course:

  gpgconf --launch gpg-agent

or run any gpg command or kleopatra, etc.)

> Could you please share some details of your working setup (scripts
> connecting from Win 10/11 to other servers using SSH).
Okay, let's try it: I just installed a gpg4win 4.3.0-beta and tried it
on my testbox (Windows 10.0 build 19045) using my regular token:

  debug1: Next authentication method: publickey
  debug1: Offering public key: cardno:FFFE_xxxxxxx ED25519 SHA256:tXYM7ne2kI+ZUw7jGii9LBhoz8uB0ucKv28OSSW6a/g agent
  debug1: Server accepts key: cardno:FFFE_xxxxxxx ED25519 SHA256:tXYM7ne2kI+ZUw7jGii9LBhoz8uB0ucKv28OSSW6a/g agent
  debug1: Authentication succeeded (publickey).
  Authenticated to ftp.gnupg.org ([217.69.76.55]:22).

But that should also work with your gpg4win version.

>> the native client you need to add *enable-w32-openssh-support* to your

Oops, the option is actually *enable-win32-openssh-support*. I try to
get it into the Kleopatra config dialog with gnupg 2.4.4 - right now
kleopatra can only enable the Unix style ssh support.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein

From t.schneider at disroot.org Wed Jan 17 08:22:49 2024
From: t.schneider at disroot.org (t.schneider at disroot.org)
Date: Wed, 17 Jan 2024 08:22:49 +0100
Subject: Win 11 + Smartcard: SSH public key authentication fails
In-Reply-To: <878r4pnp5s.fsf@jacob.g10code.de>
References: <8528fffc97477ccc49541c399b9a179b@disroot.org> <87ply2o8oo.fsf@jacob.g10code.de> <878r4pnp5s.fsf@jacob.g10code.de>
Message-ID: <510e7b0640e66764c5988af297512f53@disroot.org>

Hello,

accidentally I identified the root cause for this issue.

I executed this SSH command:

  ssh

I didn't use

  ssh @

on purpose because I'm used to using the same user on the remote server
as on the client.

After executing the SSH command

  ssh @

gpg-agent works as expected and I can log in with the public key.

One may consider this a bug, however I'm happy that I found a solution
for my issue.
Now I can proceed to next issue: SSH forward Thanks for your great support! Thomas Am 2024-01-16 18:50, schrieb Werner Koch: > On Mon, 15 Jan 2024 20:03, Thomas Schneider said: > >> And ssh-pageant is not available for Win 11, but pageant is included >> in PuTTY. > > I didn't implemented or tested the newer --enable-w32-openssh-support > so > I don't have first have experience. However, Windows comes with an > sssh > server and an client, which are slighly modified OpenSSH versions. > Thus > you should be able to simply run > > c:\ ssh -v snowden at hawaii.nsa.gov > > The ssh diagnostics enabled with -v should show you what's going on and > whether ssh tries to use an ssh-agent implementation. > > You need to start gpg-agent first, of course: > > gpgconf --launch gpg-agent > > or run any gpg command or kleopatra, etc.) > >> Could you please share some details of your working setup (scripts >> connecting from Win 10/11 to other servers using SSH). > > Okay, let's try it: I just installed a gpg4win 4.3.0-beta and tried it > on my testbox (Windows 10.0 build 19045) using my regular token: > > debug1: Next authentication method: publickey > debug1: Offering public key: cardno:FFFE_xxxxxxx ED25519 > SHA256:tXYM7ne2kI+ZUw7jGii9LBhoz8uB0ucKv28OSSW6a/g agent > debug1: Server accepts key: cardno:FFFE_xxxxxxx ED25519 > SHA256:tXYM7ne2kI+ZUw7jGii9LBhoz8uB0ucKv28OSSW6a/g agent > debug1: Authentication succeeded (publickey). > Authenticated to ftp.gnupg.org ([217.69.76.55]:22). > > But that should also work with your gpg4win version. > > the native client you need to add *enable-w32-openssh-support* to your Oops, the option is actually *enable-win32-openssh-support*. I try to get it into the Kleopatra config dialog with gnupg 2.4.4 - right now kleopatra can only enable the Unix style ssh support. Shalom-Salam, Werner -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From falko.strenzke at mtg.de Wed Jan 17 14:01:08 2024 From: falko.strenzke at mtg.de (Falko Strenzke) Date: Wed, 17 Jan 2024 14:01:08 +0100 Subject: running gpg-agent in foreground Message-ID: <8f959cce-e014-44f1-9ae4-48e286abdc22@mtg.de> I would like to run my development version of GPG-agent under valgrind. As I understand it, for that purpose I have to run it in the foreground, i.e. in server mode. However, whenever I launch it as ./bin/gpg-agent --homedir ? --log-file agent.log --server --debug-all then, when I launch a private key operation via the gpg application, a new agent is started (in daemon mode) and used by gpg and I find no way to get the agent launched in server mode to ever process anything. In contrast, if I start it with the same command line, except for using daemon mode, i.e., ./bin/gpg-agent --homedir ? --log-file agent.log --daemon --debug-all then the gpg application always connects to it like expected. Any ideas how I can launch the agent in the foreground so that the gpg application will connect to it? - Falko -- *MTG AG* Dr. Falko Strenzke Executive System Architect Phone: +49 6151 8000 24 E-Mail: falko.strenzke at mtg.de Web: mtg.de Follow us ------------------------------------------------------------------------ MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany Commercial register: HRB 8901 Register Court: Amtsgericht Darmstadt Management Board: J?rgen Ruf (CEO), Tamer Kemer?z Chairman of the Supervisory Board: Dr. Thomas Milde This email may contain confidential and/or privileged information. If you are not the correct recipient or have received this email in error, please inform the sender immediately and delete this email.Unauthorised copying or distribution of this email is not permitted. Data protection information: Privacy policy -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From wk at gnupg.org Wed Jan 17 17:56:42 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 17 Jan 2024 17:56:42 +0100
Subject: running gpg-agent in foreground
In-Reply-To: <8f959cce-e014-44f1-9ae4-48e286abdc22@mtg.de> (Falko Strenzke's message of "Wed, 17 Jan 2024 14:01:08 +0100")
References: <8f959cce-e014-44f1-9ae4-48e286abdc22@mtg.de>
Message-ID: <87r0ifnbjp.fsf@jacob.g10code.de>

On Wed, 17 Jan 2024 14:01, Falko Strenzke said:

> I would like to run my development version of GPG-agent under valgrind. As I
> understand it, for that purpose I have to run it in the foreground, i.e. in
> server mode. However, whenever I launch it as

No, that will not work for you. I recommend this:

  cd /my/test/directory
  GNUPGHOME=`pwd` gpg-agent --daemon /bin/sh

This way you can easily start gpg-agent via valgrind.
Instead of running a shell directly you may also use a script instead
of /bin/sh:

--8<---------------cut here---------------start------------->8---
#!/bin/sh

SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
export SSH_AUTH_SOCK
cat >setup-tests.ini <<'EOF'
PS1="$(echo "$PS1" | sed 's,\\\$ $,(GnuPGTest)\\\$ ,')"
export HISTCONTROL=ignoreboth
export HISTFILE=$(pwd)/.bash_history
EOF
exec bash --init-file setup-tests.ini
--8<---------------cut here---------------end--------------->8---

which gives you a dedicated prompt so that you can easily see that you
are in a test environment.

For logging put "log-file socket://" into common.conf and run

  watchgnupg --time-only --homedir /my/test/directory

in another terminal. Add --force to take over the logging socket.
Useful debug options for gpg-agent.conf are "debug ipc". Use
"gpg-agent --debug help" to get a list of all debug options.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From wk at gnupg.org Wed Jan 17 17:59:18 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 17 Jan 2024 17:59:18 +0100
Subject: Win 11 + Smarcard: SSH public key authentication fails
In-Reply-To: <510e7b0640e66764c5988af297512f53@disroot.org> (Thomas via Gnupg-users's message of "Wed, 17 Jan 2024 08:22:49 +0100")
References: <8528fffc97477ccc49541c399b9a179b@disroot.org> <87ply2o8oo.fsf@jacob.g10code.de> <878r4pnp5s.fsf@jacob.g10code.de> <510e7b0640e66764c5988af297512f53@disroot.org>
Message-ID: <87mst3nbfd.fsf@jacob.g10code.de>

On Wed, 17 Jan 2024 08:22, Thomas said:

> I didn't use ssh @ on purpose because I'm used to
> use the same user on remoteserver as on client.

Common problem for me too when I ssh into a Windows box where I use a
different user name on purpose ;-).
This way you don't accidentally log in to a testbox and run commands not
intended for that box.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From falko.strenzke at mtg.de Thu Jan 18 07:24:22 2024
From: falko.strenzke at mtg.de (Falko Strenzke)
Date: Thu, 18 Jan 2024 07:24:22 +0100
Subject: running gpg-agent in foreground
In-Reply-To: <87r0ifnbjp.fsf@jacob.g10code.de>
References: <8f959cce-e014-44f1-9ae4-48e286abdc22@mtg.de> <87r0ifnbjp.fsf@jacob.g10code.de>
Message-ID:

Thanks, the first approach seems to work fine for me.

- Falko

On 17.01.24 at 17:56, Werner Koch wrote:
> On Wed, 17 Jan 2024 14:01, Falko Strenzke said:
>> I would like to run my development version of GPG-agent under valgrind. As I
>> understand it, for that purpose I have to run it in the foreground, i.e. in
>> server mode. However, whenever I launch it as
> No, that will not work for you. I recommend this:
>
>   cd /my/test/directory
>   GNUPGHOME=`pwd` gpg-agent --daemon /bin/sh
>
> This way you can easily start gpg-agent via valgrind. Instead of
> running a shell directly you may also use a script instead of /bin/sh:
>
> --8<---------------cut here---------------start------------->8---
> #!/bin/sh
>
> SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
> export SSH_AUTH_SOCK
> cat >setup-tests.ini <<'EOF'
> PS1="$(echo "$PS1" | sed 's,\\\$ $,(GnuPGTest)\\\$ ,')"
> export HISTCONTROL=ignoreboth
> export HISTFILE=$(pwd)/.bash_history
> EOF
> exec bash --init-file setup-tests.ini
> --8<---------------cut here---------------end--------------->8---
>
> which gives you a dedicated prompt so that you can easily see that you
> are in a test environment.
>
> For logging put "log-file socket://" into common.conf and run
>
>   watchgnupg --time-only --homedir /my/test/directory
>
> in another terminal. Add --force to take over the logging socket.
> Useful debug options for gpg-agent.conf are "debug ipc". Use
> "gpg-agent --debug help" to get a list of all debug options.
>
>
> Salam-Shalom,
>
>    Werner
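As an added example (not code from the thread or from GnuPG), here is the test setup Werner describes turned into a script: an isolated GNUPGHOME that holds only the debug configuration, a check that refuses to run against a real keyring directory, and the valgrind launch. It assumes valgrind and the development gpg-agent/gpgconf/watchgnupg binaries are first in PATH; the directory layout and log file names are this script's own choices, not anything the thread specifies.

```sh
#!/bin/sh
# Added example, not code from the thread: the test setup Werner describes
# ("GNUPGHOME=`pwd` gpg-agent --daemon /bin/sh" plus the logging options)
# as a script. Assumptions not stated on the page: valgrind is installed,
# the development gpg-agent, gpgconf and watchgnupg are first in PATH, and
# the layout DIR/common.conf, DIR/gpg-agent.conf, DIR/valgrind.<pid>.log
# is this script's choice.

# make_test_home DIR
#   Create DIR as a private GnuPG home (mode 0700, as gpg itself would
#   create it) containing only the debug configuration from the thread:
#     common.conf     log-file socket://   -> watchgnupg receives the log
#     gpg-agent.conf  debug ipc            -> Assuan traffic is logged
#   allow-loopback-pinentry is added so test scripts can supply passphrases
#   with --pinentry-mode loopback; acceptable only because nothing real
#   lives in this directory.
make_test_home() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    printf 'log-file socket://\n' >"$dir/common.conf" || return 1
    printf 'debug ipc\nallow-loopback-pinentry\n' >"$dir/gpg-agent.conf"
}

# home_is_isolated DIR
#   Refuse to start if DIR is the real keyring directory or is accessible
#   to other users: the ipc log shows every Assuan command the agent
#   receives (with loopback pinentry that includes passphrases) and the
#   valgrind report may quote memory contents.
home_is_isolated() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$dir" != "$HOME/.gnupg" ] || return 1
    [ "$dir" != "${GNUPGHOME:-}" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwx------" ]
}

# run_agent_under_valgrind DIR
#   "gpg-agent --daemon CMD" forks: the child becomes the agent and stays
#   under valgrind (fork is followed), the parent execs CMD and leaves
#   valgrind (exec is not followed without --trace-children). So you get
#   a normal shell talking to a valgrind'ed agent; gpg-agent terminates
#   shortly after that shell exits, and valgrind writes DIR/valgrind.<pid>.log.
run_agent_under_valgrind() {
    dir=$1
    home_is_isolated "$dir" || {
        echo "refusing: $dir is not an isolated GnuPG home" >&2
        return 1
    }
    GNUPGHOME=$dir valgrind --leak-check=full --track-origins=yes \
        --log-file="$dir/valgrind.%p.log" \
        gpg-agent --daemon /bin/sh
}

# Interactive use (second terminal: watchgnupg --time-only --homedir DIR):
#   make_test_home /tmp/gnupg-test && run_agent_under_valgrind /tmp/gnupg-test
```

Keep the test home on a local filesystem and delete it when done; the ipc log, the valgrind output and any loopback passphrases used during the test all end up there.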
From leocoogan at mailfence.com Fri Jan 19 20:19:40 2024
From: leocoogan at mailfence.com (Leo Coogan)
Date: Fri, 19 Jan 2024 14:19:40 -0500
Subject: gpg: signing failed: Bad secret key
Message-ID:

When I run `git commit -m` on nixos, I receive this error:

```
error: gpg failed to sign the data:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key
fatal: failed to write commit object
```

Here's my git config:

```
[user]
  email = leocoogan at existential.beauty
  name = Leo Coogan
  signingkey = C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
  #signingkey = 3D7F617CDE5C9A9B
[commit]
  gpgsign = true
```

And here's `gpg -k`:

```
/home/lcoogan/.gnupg/pubring.kbx
--------------------------------
pub   ed25519 2023-03-03 [SC] [expires: 2025-03-02]
      C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
uid           [ultimate] Leo Coogan (Personal)
uid           [ultimate] Leo Coogan (Personal GPG key)
sub   cv25519 2023-03-03 [E] [expires: 2025-03-02]
```

The same error happens when I write to a file with `pass`:

```
> pass insert test
An entry already exists for test. Overwrite it? [y/N] y
Enter password for test:
Retype password for test:
error: gpg failed to sign the data:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key
fatal: failed to write commit object
```

Really not sure what I'm supposed to do. I looked up the error, but I
didn't find any sources that had this exact error, 'bad secret key'.
This only happens on my nixos machine. My other machine I run fedora on
has never had signing errors. Any help, advice, or suggestions would be
greatly appreciated. I've had this issue for several months, but I've
put it off.
From wk at gnupg.org Sat Jan 20 21:26:43 2024
From: wk at gnupg.org (Werner Koch)
Date: Sat, 20 Jan 2024 21:26:43 +0100
Subject: gpg: signing failed: Bad secret key
In-Reply-To: (Leo Coogan via Gnupg-users's message of "Fri, 19 Jan 2024 14:19:40 -0500")
References:
Message-ID: <87le8jlpj0.fsf@jacob.g10code.de>

On Fri, 19 Jan 2024 14:19, Leo Coogan said:

> When I run `git commit -m` on nixos, I receive this error:

For debugging add "verbose" to ~/.gnupg/gpg.conf . This should give you
more information what's up.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From leocoogan at mailfence.com Sun Jan 21 19:03:50 2024
From: leocoogan at mailfence.com (Leo Coogan)
Date: Sun, 21 Jan 2024 13:03:50 -0500
Subject: Fwd: gpg: signing failed: Bad secret key
In-Reply-To: <920c23fa-9bcf-41a1-82c8-307aa2bf81dd@mailfence.com>
References: <920c23fa-9bcf-41a1-82c8-307aa2bf81dd@mailfence.com>
Message-ID: <70410762-4e68-4663-a9ec-a9a059c750c0@mailfence.com>

Oops, I meant to 'reply-all'.

-------- Forwarded Message --------
Subject: Re: gpg: signing failed: Bad secret key
Date: Sun, 21 Jan 2024 13:02:40 -0500
From: Leo Coogan
To: Werner Koch

with `verbose` added to ~/.gnupg/gpg.conf:

```
> git commit -m test
error: gpg failed to sign the data:
gpg: enabled compatibility flags:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
gpg: writing to stdout
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key
fatal: failed to write commit object
```

```
> pass insert test
An entry already exists for test. Overwrite it? [y/N] y
Enter password for test:
Retype password for test:
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: automatically retrieved 'leocoogan at existential.beauty' via Local
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: This key belongs to us
gpg: reading from '[stdin]'
gpg: writing to '/home/lcoogan/.password-store/test.gpg'
gpg: ECDH/AES256.OCB encrypted for: "63D14EA6FDB00D9F Leo Coogan (Personal) "
error: gpg failed to sign the data:
gpg: enabled compatibility flags:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
gpg: writing to stdout
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key
fatal: failed to write commit object
```

And on my Fedora machine where the command runs successfully:

```
> pass insert test
An entry already exists for test. Overwrite it? [y/N] y
Enter password for test:
Retype password for test:
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: automatically retrieved 'leocoogan at existential.beauty' via Local
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: This key belongs to us
gpg: reading from '[stdin]'
gpg: writing to '/home/lcoogan/.password-store/test.gpg'
gpg: ECDH/AES256.OCB encrypted for: "63D14EA6FDB00D9F Leo Coogan (Personal) "
[master 6800a72] Add given password for test to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
```

Not sure if that helps much.

On 1/20/24 15:26, Werner Koch wrote:
> On Fri, 19 Jan 2024 14:19, Leo Coogan said:
>> When I run `git commit -m` on nixos, I receive this error:
> For debugging add "verbose" to ~/.gnupg/gpg.conf . This should give you
> more information what's up.
>
>
> Shalom-Salam,
>
> Werner
>

From leocoogan at mailfence.com Tue Jan 23 18:38:37 2024
From: leocoogan at mailfence.com (Leo Coogan)
Date: Tue, 23 Jan 2024 12:38:37 -0500
Subject: gpg: signing failed: Bad secret key
In-Reply-To: <87bk9dlset.fsf@jacob.g10code.de>
References: <87le8jlpj0.fsf@jacob.g10code.de> <920c23fa-9bcf-41a1-82c8-307aa2bf81dd@mailfence.com> <87bk9dlset.fsf@jacob.g10code.de>
Message-ID: <8b415759-9933-4176-8c29-070765848e83@mailfence.com>

This is Nixos. I don't believe I have two binaries of gpg. My Nixos
config contains:

```nix
programs.gnupg.agent = {
  enable = true;
  enableSSHSupport = true;
};
```

and the package pinentry-gnome is installed. I did `which` gpg and gpg2,
and gpg2 was a symlink to gpg. So I don't believe I have another binary
of gpg.

```
> gpg -K --with-subkey-fingerprint --with-keygrip \
      --list-options show-pref-verbose \
      C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2>&1| wl-copy
gpg: enabled compatibility flags:
gpg: using pgp trust model
sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
      C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
      Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
uid           [ultimate] Leo Coogan (Personal)
              Cipher: AES256, AES192, AES, 3DES
              AEAD: OCB
              Digest: SHA512, SHA384, SHA256, SHA224, SHA1
              Compression: ZLIB, BZIP2, ZIP, Uncompressed
              Features: MDC, AEAD, Keyserver no-modify
uid           [ultimate] Leo Coogan (Personal GPG key)
              Cipher: AES256, AES192, AES, 3DES
              AEAD: OCB
              Digest: SHA512, SHA384, SHA256, SHA224, SHA1
              Compression: ZLIB, BZIP2, ZIP, Uncompressed
              Features: MDC, AEAD, Keyserver no-modify
ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
      143454E3276F11C51D01B35363D14EA6FDB00D9F
      Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
```

On 1/22/24 02:48, Werner Koch wrote:
> Hi!
>
>> [GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
>> gpg: writing to stdout
>> [GNUPG:] BEGIN_SIGNING H10
>> gpg: signing failed: Bad secret key
> Please run
>
>   gpg -K --with-subkey-fingerprint --with-keygrip \
>       --list-options show-pref-verbose \
>       C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
>
>
> Is there a second gpg binary on your system?
>
> Is that Debian?
>
>
> Salam-Shalom,
>
>    Werner
>
>

From wk at gnupg.org Wed Jan 24 18:37:03 2024
From: wk at gnupg.org (Werner Koch)
Date: Wed, 24 Jan 2024 18:37:03 +0100
Subject: gpg: signing failed: Bad secret key
In-Reply-To: <8b415759-9933-4176-8c29-070765848e83@mailfence.com> (Leo Coogan's message of "Tue, 23 Jan 2024 12:38:37 -0500")
References: <87le8jlpj0.fsf@jacob.g10code.de> <920c23fa-9bcf-41a1-82c8-307aa2bf81dd@mailfence.com> <87bk9dlset.fsf@jacob.g10code.de> <8b415759-9933-4176-8c29-070765848e83@mailfence.com>
Message-ID: <87ttn2iqf4.fsf@jacob.g10code.de>

On Tue, 23 Jan 2024 12:38, Leo Coogan said:

> sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
>       C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
>       Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB

You don't have a signing key. The primary key has been taken offline
('#') and can thus not be used for signing.

> ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
>       143454E3276F11C51D01B35363D14EA6FDB00D9F
>       Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21

The subkey is not capable of signing (by usage flags and algorithm).

Did you have another signing subkey and that one expired? Add

  --list-options show-unusable-subkeys

to the listing command to check.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
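Werner's diagnosis above (a "sec#" primary key is only a stub, and the one subkey is encryption-only) can be automated from the machine-readable listing. The script below is an added example, not code from the thread or from GnuPG: it parses `gpg --with-colons --with-keygrip -K` output, reports which keys gpg could actually sign with, maps every stub to the private-keys-v1.d/<keygrip>.key file the agent would look for, and narrows the fix Ingo suggests further down (copying private-keys-v1.d from the working machine) to the single keygrip file that is missing. The sample listing is constructed from the fingerprints and keygrips quoted in this thread and is not real gpg output; the field positions follow doc/DETAILS in the GnuPG source.

```sh
#!/bin/sh
# Added example, not code from the thread: parse "gpg --with-colons
# --with-keygrip -K" to explain a "Bad secret key" signing failure.
# Field numbers follow doc/DETAILS in the GnuPG source: for sec/ssb records
# field 5 is the key ID, field 12 the capability letters (lowercase = this
# key's own), field 15 is "#" when only a stub of the secret key exists
# (shown as sec# in the human listing); grp records carry the keygrip in
# field 10.

# key_parts  (listing on stdin)
#   One line per sec/ssb record:  TYPE KEYID CAPS STATUS KEYGRIP
#   STATUS is "missing" for a stub, otherwise "present"; KEYGRIP is "-"
#   when no grp record followed (listing made without --with-keygrip).
key_parts() {
    awk -F: '
    function flush() {
        if (pending) { printf "%s %s %s %s %s\n", type, keyid, caps, status, grip; pending = 0 }
    }
    $1 == "sec" || $1 == "ssb" {
        flush()
        type = $1; keyid = $5; caps = $12
        status = (substr($15, 1, 1) == "#") ? "missing" : "present"
        grip = "-"; pending = 1
        next
    }
    $1 == "grp" && pending { grip = $10; next }
    END { flush() }'
}

# usable_signing_keys  (listing on stdin)
#   Key IDs gpg could sign with: the key itself carries the "s" capability
#   and its secret part is on this machine.
usable_signing_keys() {
    key_parts | awk '$3 ~ /s/ && $4 == "present" { print $2 }'
}

# missing_secret_keys HOME  (listing on stdin)
#   For every stub, the file gpg-agent would read if the secret part were
#   there: HOME/private-keys-v1.d/<KEYGRIP>.key
missing_secret_keys() {
    key_parts | awk -v home="$1" \
        '$4 == "missing" { printf "%s %s %s/private-keys-v1.d/%s.key\n", $1, $2, home, $5 }'
}

# restore_secret_part SRC_HOME DST_HOME KEYGRIP
#   Copy only the one keygrip file, mode 0600. The file is wrapped with the
#   key's passphrase if it has one; a passphrase-less key is stored in the
#   clear, so treat the copy like any other secret in transit.
restore_secret_part() {
    src="$1/private-keys-v1.d/$3.key"
    dst_dir="$2/private-keys-v1.d"
    [ -f "$src" ] || { echo "no secret part for $3 in $1" >&2; return 1; }
    mkdir -p "$dst_dir" && chmod 0700 "$dst_dir" || return 1
    cp "$src" "$dst_dir/$3.key" && chmod 0600 "$dst_dir/$3.key"
}

# diagnose_signing KEYSPEC   (needs gpg; the offline checks below do not)
diagnose_signing() {
    listing=$(gpg --batch --with-colons --with-keygrip -K "$1") || return 2
    if [ -n "$(printf '%s\n' "$listing" | usable_signing_keys)" ]; then
        echo "usable signing key present for $1"
        return 0
    fi
    echo "no usable signing key for $1; secret parts missing:"
    printf '%s\n' "$listing" | missing_secret_keys "${GNUPGHOME:-$HOME/.gnupg}"
    return 1
}

# Constructed sample in the shape of the listing from this thread (not real
# gpg output): primary key is a stub, the only subkey is encryption-only.
SAMPLE_LISTING='sec:u:255:22:3D7F617CDE5C9A9B:1677801600:1740873600::u:::scESC:::#::ed25519:::0:
fpr:::::::::C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B:
grp:::::::::38953FFD2BD558606473A90A6EDD5B26F03FA3CB:
uid:u::::1677801600::::Leo Coogan (Personal)::::::::::0:
ssb:u:255:18:63D14EA6FDB00D9F:1677801600:1740873600:::::e:::+::cv25519::
fpr:::::::::143454E3276F11C51D01B35363D14EA6FDB00D9F:
grp:::::::::02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21:'
```

Run `diagnose_signing <keyid>` on the failing machine: for the listing in this thread it reports no usable signing key and names private-keys-v1.d/38953FFD2BD558606473A90A6EDD5B26F03FA3CB.key as the file to restore, which is exactly the primary key's keygrip from the `--with-keygrip` output above.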
From leocoogan at mailfence.com Wed Jan 24 22:05:53 2024
From: leocoogan at mailfence.com (Leo Coogan)
Date: Wed, 24 Jan 2024 16:05:53 -0500
Subject: gpg: signing failed: Bad secret key
In-Reply-To: <87ttn2iqf4.fsf@jacob.g10code.de>
References: <87le8jlpj0.fsf@jacob.g10code.de> <920c23fa-9bcf-41a1-82c8-307aa2bf81dd@mailfence.com> <87bk9dlset.fsf@jacob.g10code.de> <8b415759-9933-4176-8c29-070765848e83@mailfence.com> <87ttn2iqf4.fsf@jacob.g10code.de>
Message-ID:

Here's the command run on my fedora machine:

```
> gpg -K --list-options show-unusable-subkeys
/home/lcoogan/.gnupg/pubring.kbx
--------------------------------
sec   ed25519 2023-03-03 [SC] [expires: 2025-03-02]
      C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
uid           [ultimate] Leo Coogan (Personal)
uid           [ultimate] Leo Coogan (Personal GPG key)
ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
```

and on my nixos machine:

```
> gpg -K --list-options show-unusable-subkeys
gpg: enabled compatibility flags:
gpg: using pgp trust model
/home/lcoogan/.gnupg/pubring.kbx
--------------------------------
sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
      C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
uid           [ultimate] Leo Coogan (Personal)
uid           [ultimate] Leo Coogan (Personal GPG key)
ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
```

It looks like there's only that non-functioning signing subkey. Huh. Do
I need to create a new signing subkey?

On 1/24/24 12:37, Werner Koch wrote:
> On Tue, 23 Jan 2024 12:38, Leo Coogan said:
>
>> sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
>>       C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
>>       Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
> You don't have a signing key. The primary key has been taken offline
> ('#') and can thus not be used for signing.
>
>> ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
>>       143454E3276F11C51D01B35363D14EA6FDB00D9F
>>       Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
> The subkey is not capable of signing (by usage flags and algorithm).
>
> Did you have another signing subkey and that one expired?
> Add
>
>   --list-options show-unusable-subkeys
>
> to the listing command to check.
>
>
> Salam-Shalom,
>
>    Werner
>

From kloecker at kde.org Thu Jan 25 13:05:12 2024
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 25 Jan 2024 13:05:12 +0100
Subject: gpg: signing failed: Bad secret key
In-Reply-To:
References: <87ttn2iqf4.fsf@jacob.g10code.de>
Message-ID: <12370805.O9o76ZdvQC@daneel>

On Wednesday, 24 January 2024 22:05:53 CET Leo Coogan via Gnupg-users wrote:
> It looks like there's only that non-functioning signing subkey. Huh. Do
> I need to create a new signing subkey?

Copy the content of ~/.gnupg/private-keys-v1.d from your fedora machine
to your nixos machine (after making a backup) to restore the missing
secret key.

Regards,
Ingo

> On 1/24/24 12:37, Werner Koch wrote:
> > On Tue, 23 Jan 2024 12:38, Leo Coogan said:
> >> sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
> >>
> >>       C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
> >>       Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
> >
> > You don't have a signing key. The primary key has been taken offline
> > ('#') and can thus not be used for signing.
> >
> >> ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
> >>
> >>       143454E3276F11C51D01B35363D14EA6FDB00D9F
> >>       Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
> >
> > The subkey is not capable of signing (by usage flags and algorithm).
> >
> > Did you have another signing subkey and that one expired?
> > Add
> >
> >   --list-options show-unusable-subkeys
> >
> > to the listing command to check.
> >
> >
> > Salam-Shalom,
> >
> >    Werner
>

From wk at gnupg.org Thu Jan 25 17:26:55 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Jan 2024 17:26:55 +0100
Subject: [Announce] GnuPG 2.4.4 released
Message-ID: <87le8didkg.fsf@jacob.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG
release: version 2.4.4. This version fixes a couple of bugs, comes with
some new features. A smartcard related security bug is also fixed and
a tool to check for this flaw is provided. See below for details.


What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages. A wealth of frontend applications and libraries
making use of GnuPG are available. As an universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.4.4
===================================

  * gpg: Do not keep an unprotected smartcard backup key on disk. See
    https://gnupg.org/blog/20240125-smartcard-backup-key.html for a
    security advisory. [T6944]

  * gpg: Allow to specify seconds since Epoch beyond 2038 on 32-bit
    platforms. [T6736]

  * gpg: Fix expiration time when Creation-Date is specified. [T5252]

  * gpg: Add support for Subkey-Expire-Date. [rG96b69c1866]

  * gpg: Add option --with-v5-fingerprint. [T6705]

  * gpg: Add sub-option ignore-attributes to --import-options.
    [rGd4976e35d2]

  * gpg: Add --list-filter properties sig_expires/sig_expires_d.
    [rGbf662d0f93af]

  * gpg: Fix validity of re-imported keys. [T6399]

  * gpg: Report BEGIN_ status before examining the input. [T6481]

  * gpg: Don't try to compress a read-only keybox. [T6811]

  * gpg: Choose key from inserted card over a non-inserted card. [T6831]

  * gpg: Allow to create revocations even with non-compliant algos.
    [T6929]

  * gpg: Fix regression in the Revoker keyword of the parameter file.
    [T6923]

  * gpg: Improve error message for expired default keys. [T4704]

  * gpgsm: Add --always-trust feature. [T6559]

  * gpgsm: Support ECC certificates in de-vs mode. [T6802]

  * gpgsm: Major rewrite of the PKCS#12 parser. [T6536]

  * gpgsm: Do not show the pkcs#12 passphrase in debug output. [T6654]

  * keyboxd: Timeout on failure to get the database lock. [T6838]

  * agent: Update the key stubs only if really modified. [T6829]

  * scd: Add support for certain Starcos 3.2 cards. [rG5304c9b080]

  * scd: Add support for CardOS 5.4 cards. [rG812f988059]

  * scd: Add support for D-Trust 4.1/4.4 cards. [rG0b85a9ac09]

  * scd: Add support for Smartcafe Expert 7.0 cards. [T6919]

  * scd: Add a length check for a new PIN. [T6843]

  * tpm: Fix keytotpm handling in the agent. [rG9909f622f6]

  * tpm: Fixes for the TPM test suite. [T6052]

  * dirmngr: Avoid starting a second instance on Windows via GPGME
    based launching. [T6833]

  * dirmngr: New option --ignore-crl-extensions. [T6545]

  * dirmngr: Support config value "none" to disable the default
    keyserver. [T6708]

  * dirmngr: Implement automatic proxy detection on Windows. [T5768]

  * dirmngr: Fix handling of the HTTP Content-Length. [rGa5e33618f4]

  * dirmngr: Add code to support proxy authentication using the
    Negotiation method on Windows. [T6719]

  * gpgconf: Add commands --lock and --unlock. [rG93b5ba38dc]

  * gpgconf: Add keyword socketdir to gpgconf.ctl. [rG239c1fdc28]

  * gpgconf: Adjust the -X command for the new VERSION file format.
    [T6918]

  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
    commands. [rG2c7f7a5a278c]

  * wkd: Make --add-revocs the default in gpg-wks-client. New option
    --no-add-revocs. [rG10c937ee68]

  * Remove duplicated backslashes when setting the homedir. [T6833]

  * Ignore attempts to remove the /dev/null device. [T6556]

  * Improve advisory file lock retry strategy. [T3380]

  * Improve the speedo build system for Unix. [T6710]

  Release-info: https://dev.gnupg.org/T6578


Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary FTP server. The list of mirrors can be found at .
Note that GnuPG is not available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.4.tar.bz2 (7701k)
  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.4.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.4_20240125.exe (5407k)
  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.4.4_20240125.exe.sig

The source used to build this Windows installer can be found in the same
directory with a ".tar.xz" suffix.
A new release of the full featured Gpg4win installer including this
version of GnuPG is available here:

  https://files.gpg4win.org/gpg4win-4.3.0.exe (34M)
  https://files.gpg4win.org/gpg4win-4.3.0.exe.sig
  https://files.gpg4win.org/gpg4win-4.3.0.tar.xz (219M)
  https://files.gpg4win.org/gpg4win-4.3.0.tar.xz.sig


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of the
following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature. For example to verify the signature
   of the file gnupg-2.4.4.tar.bz2 you would use this command:

     gpg --verify gnupg-2.4.4.tar.bz2.sig gnupg-2.4.4.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys. Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum. On Unix systems the command to do
   this is either "sha1sum" or "shasum". Assuming you downloaded the
   file gnupg-2.4.4.tar.bz2, you run the command like this:

     sha1sum gnupg-2.4.4.tar.bz2

   and check that the output matches the next line:

228b3984325fdeebc5e3f2d165c6419a5ebc28de  gnupg-2.4.4.tar.bz2
1be67fe7a98c313d3767554cd48517735d20b7b9  gnupg-w32-2.4.4_20240125.tar.xz
9773a6baae99353aa63d08dba6e643cbecc75de5  gnupg-w32-2.4.4_20240125.exe
6e8ac03208caf76d6e487f8554f2bd607a1b9192  gpg4win-4.3.0.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian, Japanese,
Norwegian, Polish, Russian, Turkish, and Ukrainian being almost
completely translated.


Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual. The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advice on how to solve problems. Most
of the new features are around for several years and thus enough public
experience is available. https://wiki.gnupg.org has user contributed
information around GnuPG and related software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T6578 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org. If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
and has mostly been financed by donations. Several full-time employed
developers and contractors are working exclusively on GnuPG and closely
related software like Libgcrypt, GPGME, Kleopatra and Gpg4win.

Fortunately, and this is still not common with free software, we have
established a way of financing the development while keeping all our
software free and freely available for everyone. Our model is similar
to the way RedHat manages RHEL and Fedora: Except for the actual binary
of the MSI installer for Windows and client specific configuration
files, all the software is available under the GNU GPL and other Open
Source licenses. Thus customers may even build and distribute their own
version of the software as long as they do not use our trademarks
GnuPG Desktop® or GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, answering questions on the mailing
lists, or helped with donations.

*Thank you all*

  Your GnuPG hackers


p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.

List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners. Current releases are signed by one or more
of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA  9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039  A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

--
Arguing that you don't care about the right to privacy because you have
nothing to hide is no different from saying you don't care about free
speech because you have nothing to say. - Edward Snowden

From ralph at ml.seichter.de Fri Jan 26 20:47:17 2024
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Fri, 26 Jan 2024 20:47:17 +0100
Subject: [Announce] GnuPG for OS X 2.4.4
Message-ID: <87il3fubay.fsf@ra.horus-it.com>

GnuPG for OS X / macOS release 2.4.4 is now available for download via
https://sourceforge.net/p/gpgosx/docu/Download/ . The disk image
signature key is available via public keyservers, and it can also be
downloaded from https://www.seichter.de/pgp/gpgosx-signing.asc .
  pub   ed25519/FD56297D9833FF7F 2022-07-07 [SC] [expires: 2027-07-06]
        Key fingerprint = EAB0 FE4F F793 D9E7 028E  C8E2 FD56 297D 9833 FF7F
  uid                 [ultimate] Ralph Seichter (GnuPG for OS X signing key)

GnuPG 2.4.x is installed in /usr/local/gnupg-2.4 instead of the formerly
hardcoded directory /usr/local/gnupg-2.2. This enables installing both
stable and LTS releases of GnuPG for OS X side by side, for advanced
users' needs. The one caveat is that the latest installation will
replace existing soft links in /usr/local/{bin,lib}. Please use absolute
paths like /usr/local/gnupg-2.2/bin/gpg2 if necessary.

Enjoy.

-Ralph
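As an added example that is not part of either announcement: the "Checking the Integrity" section of the 2.4.4 announcement says to verify the signature and then make sure the signing key is one of the listed release keys. The script below does both steps in one function, with the four release key fingerprints from the announcement (and Ralph's disk image key above) pinned in the script, verification done in a throwaway GNUPGHOME that contains only those keys, and the SHA-1 check kept as a transport check only. It assumes gpg and either sha1sum or shasum are installed, and that the pinned public keys are available locally as a file gpg can import (g10/distsigkey.gpg from an already verified tarball, or the files linked from https://gnupg.org/signature_key.html and https://www.seichter.de/pgp/gpgosx-signing.asc).

```sh
#!/bin/sh
# Added example, not part of the announcements: verify a release download
# against signing keys pinned by fingerprint. Assumes gpg plus sha1sum or
# shasum are installed; KEYFILE is a local copy of the public keys.

# Fingerprints of the four release signing keys listed in the 2.4.4
# announcement and of the GnuPG for OS X disk image key, spaces removed.
PINNED_FPRS='5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
6DAA6E64A76D2840571B4902528897B826403ADA
AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
02F38DFF731FF97CB039A1DA549E695E905BA208
EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F'

# is_pinned_key FPR
#   0 if FPR (any case, with or without the spaces gpg prints) is pinned.
is_pinned_key() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s\n' "$PINNED_FPRS" | grep -qx "$fpr"
}

# sha1_matches FILE EXPECTED
#   Transport check only: SHA-1 is not collision resistant and the expected
#   value comes from the same announcement as the download link, so a match
#   says the bytes arrived intact, not who produced them.
sha1_matches() {
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 1 "$1" | cut -d' ' -f1)
    fi
    [ "$actual" = "$2" ]
}

# signing_primary_fpr SIGFILE FILE KEYFILE
#   Verify inside a fresh GNUPGHOME that holds only the keys from KEYFILE
#   (so nothing else in the user's keyring can vouch for the signature) and
#   print the primary key fingerprint from the VALIDSIG status line, which
#   is its last field. Prints nothing if gpg reports no valid signature.
signing_primary_fpr() {
    home=$(mktemp -d) || return 1
    chmod 0700 "$home"
    GNUPGHOME=$home gpg --batch --quiet --import "$3" 2>/dev/null || {
        rm -rf "$home"; return 1
    }
    GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '/^\[GNUPG:\] VALIDSIG / { print $NF }'
    GNUPGHOME=$home gpgconf --kill all 2>/dev/null
    rm -rf "$home"
}

# verify_release FILE SIGFILE EXPECTED_SHA1 KEYFILE
#   Accept only when the checksum matches and the signature was made by a
#   key whose primary fingerprint is on the pinned list. Comparing the
#   fingerprint rather than the user ID or the "Good signature" text is
#   what defeats a look-alike key with the same name.
verify_release() {
    sha1_matches "$1" "$3" || { echo "checksum mismatch: $1" >&2; return 1; }
    signer=$(signing_primary_fpr "$2" "$1" "$4")
    [ -n "$signer" ] || { echo "no valid signature on $1" >&2; return 1; }
    is_pinned_key "$signer" || { echo "$1 signed by unpinned key $signer" >&2; return 1; }
    echo "$1: good signature from pinned key $signer"
}

# Usage:
#   verify_release gnupg-2.4.4.tar.bz2 gnupg-2.4.4.tar.bz2.sig \
#       228b3984325fdeebc5e3f2d165c6419a5ebc28de /path/to/distsigkey.gpg
```

The first time round there is no already-verified tarball to take distsigkey.gpg from; fetch the key file from the gnupg.org page and compare its fingerprints by eye against the list in the announcement before trusting the script's verdict, since the pinned list is only as good as the channel it came from.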