From look at my.amazin.horse Sun Feb 2 23:36:42 2020
From: look at my.amazin.horse (Vincent Breitmoser)
Date: Sun, 02 Feb 2020 23:36:42 +0100
Subject: Automatic WKD via keys.openpgp.org
Message-ID: <2WY8RUQTR48GK.3HUAIATZ4FXES@my.amazin.horse>

Hey folks,

I just added an experimental feature to keys.openpgp.org, which enables
fully automated, managed WKD for any domain.

Usage is super simple: Just set the CNAME record of the "openpgpkey"
subdomain to "wkd.keys.openpgp.org". Once that is done, all keys that
have verified addresses on keys.openpgp.org for that domain will be
automatically available via WKD.

The CNAME entry should look like this:

> $ drill openpgpkey.example.org
> openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.

There is a checker script to see whether the CNAME record looks ok from
keys.openpgp.org's point of view:

> $ curl https://wkd.keys.openpgp.org/status/\?domain\=openpgpkey.example.org
> CNAME lookup ok: openpgpkey.example.org resolves to wkd.keys.openpgp.org

This feature isn't publicly documented yet, but I consider it stable
enough for public use. I'm still gathering feedback to see how it goes,
and so far users have been pretty positive about the feature. It works
well for folks who want to publish their keys on WKD, but don't want to
go through the hassle of maintaining the directory on their server.
(like me, incidentally :)

 - V

From look at my.amazin.horse Mon Feb 3 00:55:52 2020
From: look at my.amazin.horse (Vincent Breitmoser)
Date: Mon, 03 Feb 2020 00:55:52 +0100
Subject: Automatic WKD via keys.openpgp.org
In-Reply-To: <2WY8RUQTR48GK.3HUAIATZ4FXES@my.amazin.horse>
References: <2WY8RUQTR48GK.3HUAIATZ4FXES@my.amazin.horse>
Message-ID: <289U9F4B2ZSZ6.3OWQV2KRN8MOO@my.amazin.horse>

Ah, I guess I should have said: If you want to see this mechanism in
action, it is deployed for my address. You can test it with commands
like:

> drill openpgpkey.my.amazin.horse
> curl 'https://wkd.keys.openpgp.org/status/?domain=openpgpkey.mugenguild.com'
> gpg --no-default-keyring --locate-keys --auto-key-locate clear,nodefault,wkd look at my.amazin.horse
> curl --include --head https://openpgpkey.my.amazin.horse/.well-known/openpgpkey/my.amazin.horse/hu/hnjtm6on474983a8w6zwkwruw8brysb5

Cheers :)

 - V

From nick.piper at cgi.com Tue Feb 4 15:54:02 2020
From: nick.piper at cgi.com (Piper, Nick)
Date: Tue, 4 Feb 2020 14:54:02 +0000
Subject: [PATCH 1/1] doc: Correction of typo in documentation of KEY_CONSIDERED
Message-ID:

I have a minor documentation typo patch that I'd like to be considered
and committed please:

>From 4c9cbe7bc404a3279095599bb830f933cafb4b3a Mon Sep 17 00:00:00 2001 From: Nick Piper Date: Tue, 28 Jan 2020 10:17:09 +0000 Subject: [PATCH 1/1] doc: Correction of typo in documentation of KEY_CONSIDERED --- doc/DETAILS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/DETAILS b/doc/DETAILS index bd00006e9..2c374c345 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -735,7 +735,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: Issued if no senders are usable. *** KEY_CONSIDERED - Issued to explian the lookup of a key. FPR is the hexified + Issued to explain the lookup of a key. FPR is the hexified fingerprint of the primary key. The bit values for FLAGS are: - 1 :: The key has not been selected. -- 2.17.1

From dkg at fifthhorseman.net Wed Feb 12 22:20:32 2020
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 12 Feb 2020 16:20:32 -0500
Subject: Missing git tag and mailing list announcement for gpg-error 1.37?
Message-ID: <87eeuzbizj.fsf@fifthhorseman.net>

Hi all--

I note that gpg-error 1.37 appears to have been released in the last
week. Thanks for that work!

I see no tag for it on https://dev.gnupg.org/source/libgpg-error.git
Perhaps the tag was never pushed?

I also never noticed an announcement of it on any mailing list -- is
this the right mailing list to look for it on? I also don't see it on
the archives of gnupg-announce:

    https://lists.gnupg.org/pipermail/gnupg-announce/

If i should be looking somewhere else, please let me know!

It'd be great if whatever automated tooling is used to release a new
version of gpg-error could confirm that:

 - an announcement is sent to the appropriate mailing list
 - a git tag is pushed to the public-facing git repository

Thanks for all the work on GnuPG!

Regards,

        --dkg

From wk at gnupg.org Thu Feb 13 14:47:26 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Feb 2020 14:47:26 +0100
Subject: Missing git tag and mailing list announcement for gpg-error 1.37?
In-Reply-To: <87eeuzbizj.fsf@fifthhorseman.net> (Daniel Kahn Gillmor via Gnupg-devel's message of "Wed, 12 Feb 2020 16:20:32 -0500")
References: <87eeuzbizj.fsf@fifthhorseman.net>
Message-ID: <87mu9mfvkh.fsf@wheatstone.g10code.de>

On Wed, 12 Feb 2020 16:20, Daniel Kahn Gillmor said:

> I see no tag for it on https://dev.gnupg.org/source/libgpg-error.git
> Perhaps the tag was never pushed?

My fault. Just pushed.

> - an announcement is sent to the appropriate mailing list

I do not send announcements for such libraries. IIRC, there are
automated notification mechanisms of the distros to be notified of new
releases.

> - a git tag is pushed to the public-facing git repository

Pushing is still done manually ;-)

> Thanks for all the work on GnuPG!

Thanks for maintaining the Debian part of it.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mhroncok at redhat.com Thu Feb 13 14:17:29 2020
From: mhroncok at redhat.com (Miro Hrončok)
Date: Thu, 13 Feb 2020 14:17:29 +0100
Subject: [PATCH] gpgme: Add Python 3.9 to the build machinery
Message-ID:

Patch from https://github.com/gpg/gpgme/pull/4 attached.

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4.patch
Type: text/x-patch
Size: 2319 bytes
Desc: not available
URL:

From gniibe at fsij.org Tue Feb 18 08:31:02 2020
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 18 Feb 2020 16:31:02 +0900
Subject: Regular Expression Support
Message-ID: <87ftf8e4i1.fsf@iwagami.gniibe.org>

Hello,

OpenPGP has support of regular expression with trust Signature packets.

GnuPG 2.x only supports the feature when it can find regcomp/regexec
routines in system library. On Windows, it is not supported.

For this issue, I created a task:

    https://dev.gnupg.org/T4843

And the branch:

    https://dev.gnupg.org/source/gnupg/history/gniibe%252Fregexp/

My purpose here is to minimize differences between different systems.

I'd like to listen to opinions from those who actually have use cases.
--

From andrewg at andrewg.com Tue Feb 18 10:09:58 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 18 Feb 2020 09:09:58 +0000
Subject: Regular Expression Support
In-Reply-To: <87ftf8e4i1.fsf@iwagami.gniibe.org>
References: <87ftf8e4i1.fsf@iwagami.gniibe.org>
Message-ID:

On 18/02/2020 07:31, NIIBE Yutaka wrote:
> OpenPGP has support of regular expression with trust Signature packets.
>
> GnuPG 2.x only supports the feature when it can find regcomp/regexec
> routines in system library. On Windows, it is not supported.

Isn't this a case of pathological featuritis? If nobody has screamed
about the inconsistencies so far, it's a pretty good sign that nobody
has any use for it. Burn it.

--
Andrew Gallagher

From andrewg at andrewg.com Tue Feb 18 12:59:26 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 18 Feb 2020 11:59:26 +0000
Subject: Regular Expression Support
In-Reply-To: <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de>
References: <87ftf8e4i1.fsf@iwagami.gniibe.org> <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de>
Message-ID:

On 18/02/2020 11:58, Heiko Schaefer wrote:
> So Niibe's work on this would be very beneficial for me.

I stand corrected. :-)

--
Andrew Gallagher

From heiko.schaefer at posteo.de Tue Feb 18 12:58:21 2020
From: heiko.schaefer at posteo.de (Heiko Schaefer)
Date: Tue, 18 Feb 2020 12:58:21 +0100
Subject: Regular Expression Support
In-Reply-To:
References: <87ftf8e4i1.fsf@iwagami.gniibe.org>
Message-ID: <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de>

On 2/18/20 10:09 AM, Andrew Gallagher wrote:
> On 18/02/2020 07:31, NIIBE Yutaka wrote:
>> OpenPGP has support of regular expression with trust Signature packets.
>>
>> GnuPG 2.x only supports the feature when it can find regcomp/regexec
>> routines in system library. On Windows, it is not supported.
>
> Isn't this a case of pathological featuritis? If nobody has screamed
> about the inconsistencies so far, it's a pretty good sign that nobody
> has any use for it. Burn it.

I've been working on tooling to help organizations set up signatures
between keys so they can more easily use the web of trust.
In this context, I plan to use Regular Expression (5.2.3.14) packets.

While testing, I recently stumbled over the problem that Windows builds
of GnuPG don't support this part of the RFC.

So Niibe's work on this would be very beneficial for me.

Regards,
Heiko

From dkg at fifthhorseman.net Wed Feb 19 00:14:12 2020
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 18 Feb 2020 18:14:12 -0500
Subject: [PATCH 1/1] doc: Correction of typo in documentation of KEY_CONSIDERED
In-Reply-To:
References:
Message-ID: <87tv3na3p7.fsf@fifthhorseman.net>

On Tue 2020-02-04 14:54:02 +0000, Piper, Nick via Gnupg-devel wrote:
> I have a minor documentation typo patch that I'd like to be considered and committed please:

Thanks! I've pushed this upstream to the master branch as commit
0e1cbabc0ad4fe2ca9644fffb5cf27b1a8a1509f. I've also cherry-picked it
back to the 2.2 branch, so you should see it in the next release of gpg.

On master, I followed that commit with cleanup of a handful of other
spelling errors I identified.

        --dkg

From dkg at fifthhorseman.net Wed Feb 19 22:32:15 2020
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 19 Feb 2020 16:32:15 -0500
Subject: Regular Expression Support
In-Reply-To: <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de>
References: <87ftf8e4i1.fsf@iwagami.gniibe.org> <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de>
Message-ID: <87k14i9sbk.fsf@fifthhorseman.net>

Hi all--

On Tue 2020-02-18 12:58:21 +0100, Heiko Schaefer via Gnupg-devel wrote:
> I've been working on tooling to help organizations set up signatures
> between keys so they can more easily use the web of trust.
> In this context, I plan to use Regular Expression (5.2.3.14) packets.

Heiko, it might be useful to point the list toward any documentation you
have about how you intend to use regular expressions in the context of
organization-based identity certification.

There has been a series of problems with the GnuPG implementation of
regexps even on those platforms where some portion of regex is
implemented, iirc.

Knowing which corners of regex (a complicated spec in itself!) are
actively supported would be pretty useful.

        --dkg

From heiko.schaefer at posteo.de Wed Feb 19 23:18:36 2020
From: heiko.schaefer at posteo.de (Heiko Schaefer)
Date: Wed, 19 Feb 2020 23:18:36 +0100
Subject: Regular Expression Support
In-Reply-To: <87k14i9sbk.fsf@fifthhorseman.net>
References: <87ftf8e4i1.fsf@iwagami.gniibe.org> <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de> <87k14i9sbk.fsf@fifthhorseman.net>
Message-ID:

> On Tue 2020-02-18 12:58:21 +0100, Heiko Schaefer via Gnupg-devel wrote:
>> I've been working on tooling to help organizations set up signatures
>> between keys so they can more easily use the web of trust.
>> In this context, I plan to use Regular Expression (5.2.3.14) packets.
>
> Heiko, it might be useful to point the list toward any documentation you
> have about how you intend to use regular expressions in the context of
> organization-based identity certification.
>
> There has been a series of problems with the GnuPG implementation of
> regexps even on those platforms where some portion of regex is
> implemented, iirc.
>
> Knowing which corners of regex (a complicated spec in itself!) are
> actively supported would be pretty useful.

Right now I'm using exactly the form of regex that is documented here:
https://dev.gnupg.org/source/gnupg/browse/master/g10/trustdb.c;59d49e4a0ac2ed27803507cb7d2c6af166527bd5%241524

So, for my use-case it would be sufficient to have working regexes of
the following type on all platforms:

"<[^>]+[@.]example\.com>$"

(I've verified that the GnuPG build on Debian works as expected for my
use-case with this type of regex)

Heiko

From wk at gnupg.org Thu Feb 20 12:54:07 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 20 Feb 2020 12:54:07 +0100
Subject: [PATCH 1/1] doc: Correction of typo in documentation of KEY_CONSIDERED
In-Reply-To: <87tv3na3p7.fsf@fifthhorseman.net> (Daniel Kahn Gillmor via Gnupg-devel's message of "Tue, 18 Feb 2020 18:14:12 -0500")
References: <87tv3na3p7.fsf@fifthhorseman.net>
Message-ID: <87h7zl79uo.fsf@wheatstone.g10code.de>

On Tue, 18 Feb 2020 18:14, Daniel Kahn Gillmor said:

> On master, I followed that commit with cleanup of a handful of other
> spelling errors I identified.

Thanks for that long patch. Please do not apply it to stable, though.
Typos in source code comments are not relevant for the users and
development is done on master where rarely done typo and grammar fixes
for comments are acceptable.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Feb 20 13:06:19 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 20 Feb 2020 13:06:19 +0100
Subject: Regular Expression Support
In-Reply-To: <87k14i9sbk.fsf@fifthhorseman.net> (Daniel Kahn Gillmor via Gnupg-devel's message of "Wed, 19 Feb 2020 16:32:15 -0500")
References: <87ftf8e4i1.fsf@iwagami.gniibe.org> <80d9940f-c41b-416b-8f97-9cb33818ce8f@posteo.de> <87k14i9sbk.fsf@fifthhorseman.net>
Message-ID: <87d0a979ac.fsf@wheatstone.g10code.de>

On Wed, 19 Feb 2020 16:32, Daniel Kahn Gillmor said:

> There has been a series of problems with the GnuPG implementation of
> regexps even on those platforms where some portion of regex is
> implemented, iirc.

Indeed we have had some problems with that due to our use of non-rfc4880
compliant regex libraries and different assumptions on which regexp are
to be used. OpenPGP states:

   The regular expression uses the same syntax as the Henry Spencer's
   "almost public domain" regular expression [REGEX] package. A
   description of the syntax is found in Section 8 below.

I doubt that anyone fully checked Henry Spencer's code against the
description in section 8 or even against one of the larger regexp
implementations. GnuPG stepped things mostly aside by not allowing to
enter arbitrary regexps.

Aside of OpenPGP GnuPG has the small helper gpg-check-pattern to reject
common patterns as password. There we define regexp as

  /* The pattern is an extended regular expression. */

but I think that it would be okay to use the Spencer code here as well.
The sample file lists just two examples

  # German number plates.
  /^[A-Z]{1,3}[ ]*-[ ]*[A-Z]{1,2}[ ]*[0-9]+/

  # Dates (very limited, only ISO dates). */
  /^[012][0-9][0-9][0-9]-[012][0-9]-[0123][0-9]$/

which is vanilla extended r.e.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
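
The regex thread above centres on the pattern form `<[^>]+[@.]example\.com>$` and on GnuPG's use of the system's regcomp/regexec. As an added example (not GnuPG's code and not posted by anyone on the list), this C program runs that pattern through POSIX regcomp/regexec against constructed user IDs, beside a constructed looser pattern, to show what the `[@.]`, `\.` and `>$` parts exclude. The compile flags, the helper name `uid_in_scope` and all sample user IDs are assumptions.

```c
/* Added example, not GnuPG code. Names and sample user IDs are constructed. */
#include <regex.h>
#include <stddef.h>
#include <stdio.h>

/* Pattern form quoted in the thread, scoped to example.com. */
static const char SCOPED[] = "<[^>]+[@.]example\\.com>$";
/* Constructed looser variant: no [@.] separator, unescaped dot, no ">$". */
static const char LOOSE[] = "<[^>]+example.com";

/* Constructed user IDs: two inside the domain, three that only resemble it. */
static const char *const SAMPLE_UIDS[] = {
    "Alice <alice@example.com>",
    "Bob <bob@mail.example.com>",
    "Carol <carol@notexample.com>",
    "Dave <dave@example.com.other.test>",
    "Erin <erin@exampleXcom>",
};
enum { N_UIDS = sizeof SAMPLE_UIDS / sizeof SAMPLE_UIDS[0] };

/* Returns 1 if uid matches, 0 if not, -1 if the pattern does not compile.
   A caller must treat -1 as "out of scope", never as a match. */
int uid_in_scope(const char *pattern, const char *uid)
{
    regex_t re;
    int rc;

    /* Assumed flags: POSIX extended syntax, case-insensitive, no submatches. */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, uid, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    int i;

    for (i = 0; i < N_UIDS; i++)
        printf("%-36s scoped=%d loose=%d\n", SAMPLE_UIDS[i],
               uid_in_scope(SCOPED, SAMPLE_UIDS[i]),
               uid_in_scope(LOOSE, SAMPLE_UIDS[i]));
    return 0;
}
```

Only the first two user IDs fall inside the scoped pattern; the looser variant accepts all five, which is the difference a cross-platform regex implementation has to reproduce exactly.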