From johanw at vulcan.xs4all.nl Fri Sep 1 00:20:48 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Sep 1 01:25:45 2006 Subject: Problem with gpg --batch --gen-key In-Reply-To: Message-ID: <200608312220.k7VMKmTN016722@vulcan.xs4all.nl> You, =?iso-8859-15?Q?Bj=F6rn_Mayer?=, wrote: > I am trying to generate a key from within a Java application. Everything seems to go right, > but at the beginning, everything stops. I have no idea what could be wrong... > Anyone of you guys? Looks to me you're running out of random data. I don't know how to solve that on win32. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From rjh at sixdemonbag.org Fri Sep 1 01:37:54 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri Sep 1 01:36:27 2006 Subject: Problem with gpg --batch --gen-key In-Reply-To: <200608312220.k7VMKmTN016722@vulcan.xs4all.nl> References: <200608312220.k7VMKmTN016722@vulcan.xs4all.nl> Message-ID: <44F772D2.8040509@sixdemonbag.org> Johan Wevers wrote: > Looks to me you're running out of random data. I don't know how to > solve that on win32. Not necessarily. GnuPG 1.4.2-1.4.4 (at least) are known to have problems when scripted from Java, mostly dealing with I/O operations randomly blocking. I know I've complained about this a couple of times on the list; might be worth searching the archives to see if anyone else has solutions to it. From willems.luc at pandora.be Sat Sep 2 20:38:07 2006 From: willems.luc at pandora.be (Luc Willems) Date: Sat Sep 2 22:26:14 2006 Subject: Can't read belgium eID card using gpgsm Message-ID: <200609022038.07550.willems.luc@pandora.be> Hello, I'm in the process of trying out my new belgium eID card with different tools under linux. It works fine with my browser (some government sites use the new card) , the linux tools provided by the government , i can use the pkcs15 tools from opensc to read the card but gpgsm cant read the card :-( i upgraded all tooling to following versions : opensc = 0.11.0 pcsc-lite = 1.3.1 libksba = 0.9.15-3 gnupg = 1.9.22 run gpgsm --learn-card , i get errors reading the card. trying to use scdaemon manually i get following error : luc@lieve:~> scdaemon --server scdaemon[6024]: NOTE: this is a development version! scdaemon[6024]: DBG: failed to open `/dev/cmx0': No such file or directory scdaemon[6024]: DBG: failed to open `/dev/cmx1': No such file or directory OK GNU Privacy Guard's Smartcard server ready scdaemon[6024]: updating status of slot 0 to 0x0007 RESET OK LEARN scdaemon[6024]: pcsc_transmit failed: not transacted (0x80100016) scdaemon[6024]: apdu_send_simple(0) failed: general error scdaemon[6024]: pcsc_transmit failed: not transacted (0x80100016) scdaemon[6024]: apdu_send_simple(0) failed: general error scdaemon[6024]: no supported card application found: Card error ERR 100663404 Card error Is support for the belgium eid not fully ready ? luc From cpollock at earthlink.net Mon Sep 4 03:27:24 2006 From: cpollock at earthlink.net (Chris) Date: Mon Sep 4 04:55:41 2006 Subject: Sig shows as bad in sent mail folder Message-ID: <200609032027.24244.cpollock@earthlink.net> This may be a lame question, but, is there any reason that in my sent mail folder the sig on outgoing messages show up as bad? Message was signed by cpollock@earthlink.net (Key ID: 0xE372A7DA98E6705C). Warning: The signature is bad. Message was signed by cpollock@earthlink.net (Key ID: 0xE372A7DA98E6705C). The signature is valid and the key is ultimately trusted. -- Chris 20:22:35 up 17 days, 3:05, 1 user, load average: 0.13, 0.10, 0.09 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060903/8f388809/attachment.pgp From mailinglists at futureware.at Fri Sep 1 17:22:58 2006 From: mailinglists at futureware.at (Philipp =?iso-8859-1?q?G=FChring?=) Date: Mon Sep 4 10:43:51 2006 Subject: Batch Options Message-ID: <200609011723.00270.mailinglists@futureware.at> Hi, Is it possible to put automatic answers into the gnupg config file? Something like "set sign_uid.okay = yes" in the .gnupg/gpg.conf That way, those options could be set as a profile in the configuration, and they could be automatically used in -batch mode. Best regards, Philipp G?hring From peter at palfrader.org Mon Sep 4 19:42:48 2006 From: peter at palfrader.org (Peter Palfrader) Date: Mon Sep 4 19:41:13 2006 Subject: minimize not cleaning up broken binding sigs Message-ID: <20060904174248.GH18446@asteria.noreply.org> I notice that gpg (1.4.6-svn4217) does only clean signatures from UIDs, not from subkeys: | Command> minimize | User ID "Peter Palfrader": 605 signatures removed | [..] | | weasel@asteria:~/tmp/g$ gpg --list-sigs | ./pubring.gpg | ------------- | pub 1024D/94C09C7F 1999-11-10 | uid Peter Palfrader | sig 3 N 94C09C7F 2006-08-03 Peter Palfrader [..] | uid [jpeg image of size 7974] | sig 3 N 94C09C7F 2006-08-03 Peter Palfrader | sub 1024D/AFA44BDD 2003-07-09 [expires: 2008-08-02] | sig 94C00910 2005-06-05 [User ID not found] | sig 94C09C7F 2006-08-03 Peter Palfrader | sub 2048g/E8F4A328 2003-07-09 [expires: 2008-08-02] | sig 94C00910 2005-06-05 [User ID not found] | sig 94C00910 2005-06-05 [User ID not found] | sig 94C09C7F 2006-08-03 Peter Palfrader Should it clean those broken binding sigs by '94C00910' too? Cheers, Peter -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `- http://www.debian.org/ From wk at gnupg.org Wed Sep 6 11:07:18 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 6 11:11:33 2006 Subject: Can't read belgium eID card using gpgsm In-Reply-To: <200609022038.07550.willems.luc@pandora.be> (Luc Willems's message of "Sat, 2 Sep 2006 20:38:07 +0200") References: <200609022038.07550.willems.luc@pandora.be> Message-ID: <871wqpjrcp.fsf@wheatstone.g10code.de> On Sat, 2 Sep 2006 20:38, Luc Willems said: > It works fine with my browser (some government sites use the new card) , the > linux tools provided by the government , i can use the pkcs15 tools from > opensc to read the card but gpgsm cant read the card :-( I have two developers card here and they really work fine. > luc@lieve:~> scdaemon --server > scdaemon[6024]: NOTE: this is a development version! > scdaemon[6024]: DBG: failed to open `/dev/cmx0': No such file or directory > scdaemon[6024]: DBG: failed to open `/dev/cmx1': No such file or directory > OK GNU Privacy Guard's Smartcard server ready > scdaemon[6024]: updating status of slot 0 to 0x0007 > > RESET > OK > LEARN > scdaemon[6024]: pcsc_transmit failed: not transacted (0x80100016) That is a driver problem. Please run scdaemon --server --debug-ccid-driver and make sure that no other scdaemon is runing. You also need to sto pcscd. Then enter LEARN --force and watch the output. Salam-Shalom, Werner From yohman at gwi.net Wed Sep 6 13:54:13 2006 From: yohman at gwi.net (C Yohman) Date: Wed Sep 6 16:25:38 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows Message-ID: <44FEB6E5.1090409@gwi.net> How do I do this? From JPClizbe at comcast.net Wed Sep 6 19:28:48 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Sep 6 19:28:31 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <44FEB6E5.1090409@gwi.net> References: <44FEB6E5.1090409@gwi.net> Message-ID: <44FF0550.4030009@comcast.net> C Yohman wrote: > How do I do this? Not exactly a GnuPG-Users level question, Unless you have a specific requirement to build your own binaries, you will find it much easier sticking to the prebuilt installer. Most any system administrator or developer with a background in building POSIX-type software should be able to handle it without too much difficulty. It is certainly much easier now than it was three years ago. If you are looking to use any version of Microsoft's Visual Studio, forget it. The official method is cross-compiling on a Debian system for win32. To build natively on win32, one would normally start by Googling gnupg+win32+building. Here's a short summary of the steps needed. First thing you need is a build environment. 1) Go to the MinGW project at Sourceforge. Install the following packages at a minimum: a) gcc-core-3.4.5-20060117-1.tar.gz b) binutils-2.17.50-20060824-1.tar.gz c) mingw-runtime-3.10.tar.gz d) w32api-3.7.tar.gz e) mingw-utils-0.3.tar.gz The current version numbers may differ from those above 2) You need a shell to execute configure, make and possibly autotools so install MSYS from the same site. 3) Now head to the GnuWin32 project (also at SourceForge). Download and install into the MinGW root: a) bzip2-1.0.3-1-bin.zip b) bzip2-1.0.3-1-lib.zip c) gettext-0.14.4-bin.zip d) gettext-0.14.4-dep.zip e) gettext-0.14.4-lib.zip f) libiconv-1.9.2-1-bin.zip g) libiconv-1.9.2-1-lib.zip h) readline-5.0-bin.zip i) readline-5.0-lib.zip j) zlib-1.2.3-bin.zip k) zlib-1.2.3-lib.zip The current version numbers may differ from those above. Alternatively, you could download the source and build these yourself using your just installed MinGW/MSYS software. 4) Goto http://curl.haxx.se/download.html and download and install the current curl (7.15.4) IIRC. Can't help with the exact file to download as I built (openssl and) curl myself Now you are ready to grab the source and compile it. Using your browser or ftp client download the GnuPG-1.4.5 source and signature files. Verify the source tarball. Open a MSYS shell window 1) Extract the source tar xjf /path/to/gnupg-1.4.5.tar.bz2 or tar xzf /path/to/gnupg-1.4.5.tar.gz Depending on which version you download 2) cd gnupg-1.4.5 3) ./configure 4) make If all went well, running the command 'g10/gpg --version' from the top level source directory will return something similar to: $ g10/gpg --version gpg (GnuPG) 1.4.5 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: C:/Documents and Settings/username/Application Data/GnuPG Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 You may find detailed step-by-step instructions at Carlo Bianco's "Building GnuPG for Win32 using MinGW" page, but he takes extra steps that IMO are unnecessary. The only one I've ever used is patching the one test under make check. (http://www.google.com/search?q=gnupg+building+win32) -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060906/d8a79888/signature.pgp From willems.luc at pandora.be Wed Sep 6 21:06:20 2006 From: willems.luc at pandora.be (Luc Willems) Date: Wed Sep 6 21:08:43 2006 Subject: Can't read belgium eID card using gpgsm In-Reply-To: <871wqpjrcp.fsf@wheatstone.g10code.de> References: <200609022038.07550.willems.luc@pandora.be> <871wqpjrcp.fsf@wheatstone.g10code.de> Message-ID: <200609062106.20351.willems.luc@pandora.be> On Wednesday 06 September 2006 11:07, Werner Koch wrote: > On Sat, 2 Sep 2006 20:38, Luc Willems said: > > It works fine with my browser (some government sites use the new card) , > > the linux tools provided by the government , i can use the pkcs15 tools > > from opensc to read the card but gpgsm cant read the card :-( > > I have two developers card here and they really work fine. > > > luc@lieve:~> scdaemon --server > > scdaemon[6024]: NOTE: this is a development version! > > scdaemon[6024]: DBG: failed to open `/dev/cmx0': No such file or > > directory scdaemon[6024]: DBG: failed to open `/dev/cmx1': No such file > > or directory OK GNU Privacy Guard's Smartcard server ready > > scdaemon[6024]: updating status of slot 0 to 0x0007 > > > > RESET > > OK > > LEARN > > scdaemon[6024]: pcsc_transmit failed: not transacted (0x80100016) > > That is a driver problem. Please run > > scdaemon --server --debug-ccid-driver > > and make sure that no other scdaemon is runing. You also need to sto > pcscd. Then enter > > LEARN --force > > and watch the output. > hello werner , I tried your suggestion and it didn't help. My card reader is a ACR38 USB Reader . I noticed that when is stop the pcscd , the active led keep flashing the same way as when there is no card inserted. When is run without pcscd i get follow loggin : scdaemon -v --server --debug-ccid-drive --debug-all --log-file ~/sc.log 2006-09-06 20:54:13 scdaemon[23241] handler for fd -1 started 2006-09-06 20:54:13 scdaemon[23241] PC/SC OPEN failed: no service scdaemon[23241.0x8094f88] DBG: -> OK GNU Privacy Guard's Smartcard server ready scdaemon[23241.0x8094f88] DBG: <- LEARN --force 2006-09-06 20:54:17 scdaemon[23241] PC/SC OPEN failed: no service scdaemon[23241.0x8094f88] DBG: -> ERR 100663404 Card error 2006-09-06 20:54:19 scdaemon[23241] SIGINT received - immediate shutdown 2006-09-06 20:54:19 scdaemon[23241] scdaemon (GnuPG) 1.9.19 stopped no service scdaemon[23241.0x8094f88] DBG: -> ERR 100663404 Card error 2006-09-06 20:54:19 scdaemon[23241] SIGINT received - immediate shutdown 2006-09-06 20:54:19 scdaemon[23241] scdaemon (GnuPG) 1.9.19 stopped I have the impression that the internal ccid driver is not recognising my USB card reader ( idVendor=072f, idProduct=9000 ) when i do the same with pcscd running , i get 2006-09-06 20:57:32 scdaemon[23314] handler for fd -1 started 2006-09-06 20:57:32 scdaemon[23314] reader slot 0: active protocol: 2006-09-06 20:57:32 scdaemon[23314] slot 0: ATR=3B 98 13 40 0A A5 03 01 01 01 AD 13 11 scdaemon[23314.0x8094f88] DBG: -> OK GNU Privacy Guard's Smartcard server ready 2006-09-06 20:57:34 scdaemon[23314] updating status of slot 0 to 0x0007 scdaemon[23314.0x8094f88] DBG: <- LEARN --force 2006-09-06 20:57:37 scdaemon[23314] pcsc_transmit failed: not transacted (0x80100016) 2006-09-06 20:57:37 scdaemon[23314] apdu_send_simple(0) failed: general error 2006-09-06 20:57:38 scdaemon[23314] pcsc_transmit failed: not transacted (0x80100016) 2006-09-06 20:57:38 scdaemon[23314] apdu_send_simple(0) failed: general error 2006-09-06 20:57:39 scdaemon[23314] pcsc_transmit failed: not transacted (0x80100016) 2006-09-06 20:57:39 scdaemon[23314] apdu_send_simple(0) failed: general error 2006-09-06 20:57:39 scdaemon[23314] no supported card application found: Card error scdaemon[23314.0x8094f88] DBG: -> ERR 100663404 Card error 2006-09-06 20:57:43 scdaemon[23314] SIGINT received - immediate shutdown 2006-09-06 20:57:43 scdaemon[23314] scdaemon (GnuPG) 1.9.19 stopped when i execute the LEARN command , i see some activity on the reader but this ends with this failure. you can see this in the logging where the error appears around 3 seconds after the learn command Is it possible to use gpg2sm with the pcscd stack for reading the card ? luc From qed at tiscali.it Wed Sep 6 22:34:25 2006 From: qed at tiscali.it (Qed) Date: Wed Sep 6 22:32:47 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <44FF0550.4030009@comcast.net> References: <44FEB6E5.1090409@gwi.net> <44FF0550.4030009@comcast.net> Message-ID: <44FF30D1.3030304@tiscali.it> On 09/06/2006 07:28 PM, John Clizbe wrote: [..snip..] > The official method is cross-compiling on a Debian system for win32. To build > natively on win32, one would normally start by Googling gnupg+win32+building. [..snip..] Maybe Cygwin would be easier, it worked for me in the past. -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! From clbianco at tiscalinet.it Thu Sep 7 00:19:14 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Thu Sep 7 00:18:31 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows References: <44FEB6E5.1090409@gwi.net> <44FF0550.4030009__11440.9007052474$1157563999$gmane$org@comcast.net> Message-ID: Il /06 set 2006/, *John Clizbe* ha scritto: > C Yohman wrote: >> How do I do this? > > Not exactly a GnuPG-Users level question, Unless you have a > specific requirement to build your own binaries, you will find it > much easier sticking to the prebuilt installer. I absolutely agree on this point. [...] > First thing you need is a build environment. > > 1) Go to the MinGW project at Sourceforge. Install the following > packages at a minimum: > a) gcc-core-3.4.5-20060117-1.tar.gz > b) binutils-2.17.50-20060824-1.tar.gz > c) mingw-runtime-3.10.tar.gz > d) w32api-3.7.tar.gz > e) mingw-utils-0.3.tar.gz > > The current version numbers may differ from those above Note: mingw-runtime-3.10 will not work (i.e. GnuPG will not build at all), unless you apply a small patch to random.c. You have to rename "times.h" into "time.h" in line 49 (see point 4.3 of my tutorial and also the message by Joe Vender on gnupg-devel mailing list: If you do not want to patch the source files, you must use MinGW Runtime 3.9... :-/ ... until a couple of "ifdef"s will be added to random.c in the official source tarball. ;-) [...] > 3) Now head to the GnuWin32 project (also at SourceForge). > Download and install into the MinGW root: > a) bzip2-1.0.3-1-bin.zip > b) bzip2-1.0.3-1-lib.zip > c) gettext-0.14.4-bin.zip > d) gettext-0.14.4-dep.zip > e) gettext-0.14.4-lib.zip > f) libiconv-1.9.2-1-bin.zip > g) libiconv-1.9.2-1-lib.zip > h) readline-5.0-bin.zip > i) readline-5.0-lib.zip > j) zlib-1.2.3-bin.zip > k) zlib-1.2.3-lib.zip > > The current version numbers may differ from those above. > Alternatively, you could download the source and build these > yourself using your just installed MinGW/MSYS software. It is better to avoid readline, because it may give problems. That's why I took it away completely from the new versions of my tutorial. By the way, not all libraries are required. If you are performing a "minimal" build (like in this case) and you are interested to English language only, only bzip2 is really required. > 4) Goto http://curl.haxx.se/download.html and download and install > the current curl (7.15.4) IIRC. Can't help with the exact file to > download as I built (openssl and) curl myself I have built openssl myself too, and I just realized (thanks to Joe Vender for pointing this out to me) that things goes a bit different for those who downloaded the pre-built openssl libraries... :-/ I will have to heavily rewrite the curl-relevant part of the tutorial (i.e. point 3.4). Anyway, I hope libcurl is still optional for keyserver helpers, isn't it? > You may find detailed step-by-step instructions at Carlo Bianco's > "Building GnuPG for Win32 using MinGW" page, but he takes extra > steps that IMO are unnecessary. Do you mean in the "Minimal" build or in the "Complete" one? > The only one I've ever used is patching the one > test under make check. Which is actually the only one "extra" step in the minimal build... ;-) ... and which I hope someday will be included in the official tarball, allowing me to remove 2 images from my tutorial! ;-)) -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From blueness at gmx.net Thu Sep 7 04:02:59 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Thu Sep 7 05:55:31 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <44FEB6E5.1090409@gwi.net> References: <44FEB6E5.1090409@gwi.net> Message-ID: <151144480.20060907040259@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Wed, 06 Sep 2006, at 07:54:13 -0400, when C wrote: > How do I do this? You have instructions here on how to compile the official version, CVS version and CVS version with some additions, both in MSYS and Cygwin environments. Alternative link is . - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s), otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRP990bSpHvHEUtv8AQgtUwgAkZ+SPVydrOfRTxS+tq2iOzS5YzfGTQht mXSPFyQQimnaixnWPVLVOtddc7TQfeRHC1yg1hq8JHiR1WBs9wrwSllBoHLvO9b/ D5LaWguWQapT2MPHZgVJWDLyvhuX2t2jG38Rbso36JB6G3Ig0IDxDYSRaD4IT2Zl YRYcfq17shhVMZSCkGfzVwivEkusNoxxZA341oTcvtcujgFcn1r5V/U3AOf9GkSt T9dYnYbkApqMuXEHljmx8wcJACRuGasf9RhbaFdhY22rEMPcQZ6dYCsMy0QKnQkd UGNNBcHry5bXPUjL9DlhqWxrJTQxNmEMuo1NUeRhRB/7d5daLFwhBg== =xr/X -----END PGP SIGNATURE----- From wk at gnupg.org Thu Sep 7 08:55:01 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 7 08:56:32 2006 Subject: Can't read belgium eID card using gpgsm In-Reply-To: <200609062106.20351.willems.luc@pandora.be> (Luc Willems's message of "Wed, 6 Sep 2006 21:06:20 +0200") References: <200609022038.07550.willems.luc@pandora.be> <871wqpjrcp.fsf@wheatstone.g10code.de> <200609062106.20351.willems.luc@pandora.be> Message-ID: <87d5a8go8q.fsf@wheatstone.g10code.de> On Wed, 6 Sep 2006 21:06, Luc Willems said: > I tried your suggestion and it didn't help. My card reader is a ACR38 USB > Reader . Ah yes. I forgot to tell you that. I also have one of these readers as destributed with the BELPIC card. They are crippled CCID alike readers and I have not made the GnupG internal driver to work with them. Given the low prices of good and compliant readers it is IMHO not worth the effort. I am not sure but IIRC, Ludovic Rousseau recently anounced that his libccid (as used by pcscd) works with this reader. So you would need to get the latest version of it and check it out. > I noticed that when is stop the pcscd , the active led keep flashing the same > way as when there is no card inserted. Get a real reader ;-) > I have the impression that the internal ccid driver is not recognising my USB It also seems that you have not compiled scdaemon with support for CCID. The libusb-dev package is required at build time to include this support. A this is a common problem I now print a wrning when libusb is not available. > 2006-09-06 20:57:32 scdaemon[23314] handler for fd -1 started > 2006-09-06 20:57:32 scdaemon[23314] reader slot 0: active protocol: > 2006-09-06 20:57:32 scdaemon[23314] slot 0: ATR=3B 98 13 40 0A A5 03 01 01 01 --debug 2048 enables more debugging. In particular all card I/O gets logged even with the pc/sc driver. Shalom-Salam, Werner From wk at gnupg.org Thu Sep 7 09:02:53 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 7 09:06:26 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: (Carlo Luciano Bianco's message of "Thu, 07 Sep 2006 00:19:14 +0200") References: <44FEB6E5.1090409@gwi.net> <44FF0550.4030009__11440.9007052474$1157563999$gmane$org@comcast.net> Message-ID: <878xkwgnvm.fsf@wheatstone.g10code.de> On Thu, 7 Sep 2006 00:19, Carlo Luciano Bianco said: > ... and which I hope someday will be included in the official tarball, > allowing me to remove 2 images from my tutorial! ;-)) I am sorry, but we won't officially support building on Windows. The requirements are pretty clear: You need a POSIX system to build gpg or to cross-build it for Windows. Supporting another build platform is not a good idea as it will cost too much maintenance time. Any additional ifdef or include files increase the risk of portability problems. Please fix the mingw kit for Windows to be up to what the cross-compile mingw kit is up to. There are several Live-CDROMs available which could easily be enhanced to provide a complete tool-cahhin for building GNU software on Windows. Thus you only need to boot your (virtual) box and have a working environment. This is far easier than tweaking all these Windows POSIX wannabe emulations. Salam-Shalom, Werner From sven_radde at web.de Wed Sep 6 19:11:36 2006 From: sven_radde at web.de (Sven Radde) Date: Thu Sep 7 11:00:14 2006 Subject: Beginner's smartcard questions Message-ID: <44FF0148.6050700@web.de> Hi! I intend to buy an OpenPGP card and I have some questions regarding its use unter WinXP, particularly in combination with my new (and yet untested) banking card. Is there any difference in the required hardware to access both cards? In other words, will the card-readers sold at http://www.kernelconcepts.de/products/security-en.shtml also support my banking-card (german HBCI) or, vice-versa, can I expect GnuPG to support the card-reader recommended by my bank ("cyber Jack" devices by ReinerSCT)? Are there any caveats in general regarding the card-readers at kernelconcepts.de under Windows? In particular, I stumbled over the "Supported by GnuPG *via PC/SC drivers*" in the description of the Omnikey CM4040 PCMCIA device). Sorry for insisting, but before spending actual money, I want to be sure it works. One more question: When using a class-3 reader, what (if any) information does GnuPG display on it? I wonder how much added security I would get from a class-3 reader in comparison to one without display. I understand that a class-2 reader will prevent sniffing of the PIN in case my PC is infected with a trojan. Having never been infected by malware (AFAIK ;-)), I might as well go for the aforementioned PCMCIA reader for convenience. Thanks for your insights, Sven Radde From clbianco at tiscalinet.it Thu Sep 7 13:31:10 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Thu Sep 7 13:29:58 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows References: <44FEB6E5.1090409@gwi.net> <44FF0550.4030009__11440.9007052474$1157563999$gmane$org@comcast.net> <878xkwgnvm.fsf__43235.2944779724$1157613009$gmane$org@wheatstone.g10code.de> Message-ID: Il /07 set 2006/, *Werner Koch* ha scritto: > On Thu, 7 Sep 2006 00:19, Carlo Luciano Bianco said: > >> ... and which I hope someday will be included in the official >> tarball, allowing me to remove 2 images from my tutorial! ;-)) > > I am sorry, but we won't officially support building on Windows. I understand your point of view, Werner. -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From clbianco at tiscalinet.it Thu Sep 7 13:25:25 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Thu Sep 7 13:33:29 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> Message-ID: Il /07 set 2006/, *Mica Mijatovic* ha scritto: > Was Wed, 06 Sep 2006, at 07:54:13 -0400, > when C wrote: > >> How do I do this? > > You have instructions here on > how to compile the official version, CVS version and CVS version > with some additions, both in MSYS and Cygwin environments. Very interesting page, thanks for the link! By the way, I have to point out a small mistake in the credits in the "PGP signed HTML" page ... ;-) I am not the author of the pages stored at , nor of the "OpenPGP Digitally Signed HTML" tutorial. The author is TJL73, which is a different person from myself and which deserves all the credits for the "OpenPGP Digitally Signed HTML" tutorial. TJL73 wrote his tutorial in Italian and asked me to translate it in English, and so I am just the (poor!) English translator of the tutorial... ;-) -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From smolinski at de.ibm.com Thu Sep 7 10:02:22 2006 From: smolinski at de.ibm.com (Holger Smolinski) Date: Thu Sep 7 13:55:46 2006 Subject: Holger Smolinski/Germany/IBM is on vacation until 08/18 Message-ID: I will be out of the office starting 19.08.2006 and will not return until 17.09.2006. I will respond when I have returned. In regard of disk mirroring my backup is Stefan Weinhuber (wein@de.ibm.com). In any other matter pls contact Steffen Thoss (thoss@de.ibm.com) From prashmohan at gmail.com Thu Sep 7 14:23:46 2006 From: prashmohan at gmail.com (Prashanth Mohan) Date: Thu Sep 7 15:55:29 2006 Subject: Unable to find secret key Message-ID: <45000F52.1060304@gmail.com> Hello, I am able to encrypt my messages using GPG, but i am not able to decrypt them. I have only 1 secret key in my keyring. I also tried passing the keyid with the decrypt command. It still says it cant find my secret key. What am I doing wrong? /tmp$ gpg -K /home/prash/.gnupg/secring.gpg ------------------------------ sec 1024D/E4B6F212 2005-07-01 uid Prashanth Mohan uid Prashanth Mohan uid Prashanth Mohan /tmp$ cat > abc << EOF > Hello... This is a test for decrypting encrypted text using GPG > EOF /tmp$ gpg -ev abc You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. End with an empty line: Prashanth gpg: using classic trust model gpg: using subkey 219D771B instead of primary key E4B6F212 gpg: This key belongs to us Current recipients: 2048g/219D771B 2006-02-02 "Prashanth Mohan " Enter the user ID. End with an empty line: gpg: reading from `abc' gpg: writing to `abc.gpg' gpg: ELG-E/AES256 encrypted for: "219D771B Prashanth Mohan " /tmp$ gpg -vd abc.gpg gpg: public key is 219D771B gpg: using subkey 219D771B instead of primary key E4B6F212 gpg: encrypted with 2048-bit ELG-E key, ID 219D771B, created 2006-02-02 "Prashanth Mohan " gpg: decryption failed: secret key not available Thank You, -- Prashanth Mohan http://prashblog.com From willems.luc at pandora.be Thu Sep 7 22:21:26 2006 From: willems.luc at pandora.be (Luc Willems) Date: Thu Sep 7 22:25:19 2006 Subject: Can't read belgium eID card using gpgsm In-Reply-To: <87d5a8go8q.fsf@wheatstone.g10code.de> References: <200609022038.07550.willems.luc@pandora.be> <200609062106.20351.willems.luc@pandora.be> <87d5a8go8q.fsf@wheatstone.g10code.de> Message-ID: <200609072221.27081.willems.luc@pandora.be> On Thursday 07 September 2006 08:55, Werner Koch wrote: > On Wed, 6 Sep 2006 21:06, Luc Willems said: > > I tried your suggestion and it didn't help. My card reader is a ACR38 USB > > Reader . > > Ah yes. I forgot to tell you that. I also have one of these readers > as destributed with the BELPIC card. They are crippled CCID alike > readers and I have not made the GnupG internal driver to work with > them. Given the low prices of good and compliant readers it is IMHO > not worth the effort. while trying the ccid driver , i noticed that the ACR38 has 2 kind of readers , a ccid reader and one using the pcsc driver. mine was not a ccid (ACR38U) so a couldn't use this one. i than update mu pcsc driver but still no success > > I am not sure but IIRC, Ludovic Rousseau recently anounced that his > libccid (as used by pcscd) works with this reader. So you would need > to get the latest version of it and check it out. > > > I noticed that when is stop the pcscd , the active led keep flashing the > > same way as when there is no card inserted. > > Get a real reader ;-) this one is given for "free" by our goverment to children on the age of 12/13 so my daughter got one when she got here eID card. I would not expect "high" quality but this one will be used allot here in belgium. > --debug 2048 enables more debugging. In particular all card I/O gets > logged even with the pc/sc driver. > while testing with the beidgui ( a gui to read the Eid card) i could read the card a few seconds after using this gui ??? after some testing , i disabled the beidbelgium.be-beidpcscd daemon. Don't ask me what it is or do but it seems to block exclusive access to the card reader. after this step , gpgsm --learn-card worked. I tested it to sign a file and used KMail to send mail that where signed by the Eid card. :-) thanks for the support luc From blueness at gmx.net Thu Sep 7 22:57:32 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Thu Sep 7 22:58:53 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> Message-ID: <1631875664.20060907225732@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Thu, 07 Sep 2006, at 13:25:25 +0200, when Carlo wrote: > By the way, I have to point out a small mistake in the credits in > the "PGP signed HTML" page > ... ;-) > I am not the author of the pages stored at > , nor of the "OpenPGP > Digitally Signed HTML" tutorial. The author is TJL73, which is a > different person from myself and which deserves all the credits for > the "OpenPGP Digitally Signed HTML" tutorial. TJL73 wrote his > tutorial in Italian and asked me to translate it in English, > and so I am just the (poor!) English translator of the tutorial... > ;-) Thanks for pointing this oversight of mine out, it will be fi...oh, it's already fixed! (-: For some reasons I can't establish now, I got at the time wrong impression that conversely was the case, namely that TJL73 is translator into Italian. Maybe because of that "anche" (in the "Pagina disponsibile anche in"), or simply for I was reading several documents at once (one of them being your GPG build tutorial) of very similar writing style. Be that as it may, I am glad that I did correct this. It might be pretty unpleasant thing sometimes. Thanks again. *** And when I'm already at the desk, just a brief note that if a source code is being delivered as well, to the users, then it tends to mean that matters of compiling become regular topic on a user list too. Besides, I love the Werner's signing off with the "Happy Hacking" when he's announcing some new piece, of this and that, denoting again that users here are involved, in general, in a bit more than just an installation/use of the software. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s), otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRQCHu7SpHvHEUtv8AQhrXAf/SNsxDqUOUmLunYak1TUykfD9L/i4CSNf RJFEJWQKcEd6DID53GV9ah/Jto3ktk7sR5AeU/smbBEF0nLT+gOBFGeK99/3v3C4 dqNpUq0rP9tNpnUknlhjRNyLIlmVWxuGE2fi61qIflH6+06MQ1XVb9UTUFngZ2zu wfULVAbl1boReZl3v+5Tn/EKTOUySgF75LU1DDJK24yQ9Pi7IpHNp4W1OwLN06lv PjWqHZB8vC6MgZW6MGPRE4PW64Bjd2Xq7hXgUhbrQLrgOUVu5mpGQiP7tJoco+jv NF75V6m/aDVDX0o7KJVVrkRJ1jthX0DhVqJfkLExWz2tS6nS+sfr+A== =0YMF -----END PGP SIGNATURE----- From wk at gnupg.org Fri Sep 8 08:23:35 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 8 08:27:02 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <1631875664.20060907225732@gmx.net> (Mica Mijatovic's message of "Thu, 7 Sep 2006 22:57:32 +0200") References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> Message-ID: <87k64eev14.fsf@wheatstone.g10code.de> On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: > And when I'm already at the desk, just a brief note that if a source > code is being delivered as well, to the users, then it tends to mean > that matters of compiling become regular topic on a user list too. It is just fine to talk about compiling problems here. Just make sure that you indicate when you try to compile for Windows on a Windows box [1]. > Pretty easy. You only need to take the po/gnupg.pot file, copy it to po/en.po, translate just that string, add "en" to po/LINGUAS and build. Salam-Shalom, Werner [1] I can't imagine that anyone will ever try to compile on Windows for a Unix box. From bob at xyzzy.org.uk Fri Sep 8 12:04:22 2006 From: bob at xyzzy.org.uk (Bob Dunlop) Date: Fri Sep 8 12:02:53 2006 Subject: Enabling smart card PIN cache ? Message-ID: <20060908100422.GA16735@xyzzy.org.uk> Hi, Please, what am I missing ? I'm running gpg-agent as follows: /usr/bin/gpg-agent --enable-ssh-support --daemon /home/XXX/.xsession and have the appropriate enviroment variables set. My ~/.gnupg/gpg-agent.conf contains: # Gpg-agent configuration # Enable SSH support (should be done on command line) enable-ssh-support # Set two hour PIN cache timeouts default-cache-ttl-ssh 7200 default-cache-ttl 7200 max-cache-ttl-ssh 7200 max-cache-ttl 7200 # Allow setting of the PIN by an external agent allow-preset-passphrase I execute the equivalent of echo "PRESET_PASSPHRASE -1 " | gpg-connect-agent in a startup script and see no error. Yet each and every call to ssh or scp prompts me for a PIN :( Please someone tell me the trick to enabling the PIN cache. -- Bob Dunlop From wk at gnupg.org Fri Sep 8 14:35:44 2006 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 8 14:41:39 2006 Subject: Enabling smart card PIN cache ? In-Reply-To: <20060908100422.GA16735@xyzzy.org.uk> (Bob Dunlop's message of "Fri, 8 Sep 2006 11:04:22 +0100") References: <20060908100422.GA16735@xyzzy.org.uk> Message-ID: <87ac5aedsv.fsf@wheatstone.g10code.de> On Fri, 8 Sep 2006 12:04, Bob Dunlop said: > echo "PRESET_PASSPHRASE -1 " | gpg-connect-agent > > in a startup script and see no error. Yet each and every call to > ssh or scp prompts me for a PIN :( Actually there is no caching at all for smartcards. Smartcards usually don'tneed it because they "cache" the PIN's internally (actually you use the PIN to get the card into another state and the card's application mat or may not change that state. The OpenPGP card for example always changes it back to pin-required for the fist key, unless you have changed that using the --card-edit:forcesig command. However, I can see your problem. As a solution I can only imagine to add a special feature to allow for PIN caching. I'll think about this, please give me til Monday and best watch the commit list. Salam-Shalom, Werner From r.post at sara.nl Fri Sep 8 13:07:45 2006 From: r.post at sara.nl (Remco Post) Date: Fri Sep 8 14:55:54 2006 Subject: Enabling smart card PIN cache ? In-Reply-To: <20060908100422.GA16735@xyzzy.org.uk> References: <20060908100422.GA16735@xyzzy.org.uk> Message-ID: <45014F01.6080107@sara.nl> Bob Dunlop wrote: > Hi, > > Please, what am I missing ? > > I'm running gpg-agent as follows: > > /usr/bin/gpg-agent --enable-ssh-support --daemon /home/XXX/.xsession > > and have the appropriate enviroment variables set. > My ~/.gnupg/gpg-agent.conf contains: > > # Gpg-agent configuration > > # Enable SSH support (should be done on command line) > enable-ssh-support > > # Set two hour PIN cache timeouts > default-cache-ttl-ssh 7200 > default-cache-ttl 7200 > max-cache-ttl-ssh 7200 > max-cache-ttl 7200 > > # Allow setting of the PIN by an external agent > allow-preset-passphrase > > I execute the equivalent of > > echo "PRESET_PASSPHRASE -1 " | gpg-connect-agent > > in a startup script and see no error. Yet each and every call to > ssh or scp prompts me for a PIN :( > > > Please someone tell me the trick to enabling the PIN cache. > gpg-agent for some reason does not cache pins for smartcards.... I've never seen it work eiter. -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint: 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From mike.keighley at adarelexicon.com Fri Sep 8 16:32:10 2006 From: mike.keighley at adarelexicon.com (mike.keighley@adarelexicon.com) Date: Fri Sep 8 17:55:40 2006 Subject: codeset conversion issue with GnuPG 1.4.x on HP-UX 11.0 Message-ID: Yesterday I was building GnuPG 1.4.5 on HP-UX 11.0 using a creaky-but-working old gcc 3.2 I noticed a message towards the end of the make, which also occurs during normal operation. I have been seeing this message since v1.4.2.2, but not on 1.0.6, 1.0.7 or 1.2.6 firebird:/tmp [24] $ gpg --encrypt --recipient xxx@xxxx.xxx --armor --output handlers.gpg handlers.txt gpg: conversion from `utf-8' to `iso88591' not available A similar message is seen with almost any GnuPG operation (--decrypt --encrypt --list-key etc.) I am guessing that this is related to codeset conversion using "iconv" ? My codeset is indeed iso8859 pt1: firebird:/tmp [29] $ echo $LC_ALL en_GB.iso88591 ... and I seem to recall reading that GnuPG uses utf-8 internally ? So, it is not unreasonable if it is trying to convert between the two. If I change codeset, the notice/warning/whatever changes to match: firebird:/tmp [32] $ LC_ALL=C firebird:/tmp [33] $ gpg --list-key 9C0EC441 gpg: conversion from `utf-8' to `roman8' not available My first thought was that GnuPG had not built with the necessary iconv support, but config.log suggests it has: firebird:/opt/compile/gnupg-1.4.5 [45] $ grep -i iconv config.log configure:1990: checking whether the new iconv based code is requested configure:12869: checking for iconv configure:13002: checking for iconv declaration extern size_t iconv (iconv_t cd, char * *inbuf, size_t *inbytesleft, ch ar * *outbuf, size_t *outbytesleft); | #define HAVE_ICONV 1 | #define ICONV_CONST above 2 lines repeated dozens of times | #define HAVE_ICONV 1 | #define ICONV_CONST | #define USE_GNUPG_ICONV 1 am_cv_func_iconv=yes am_cv_lib_iconv=no am_cv_proto_iconv='extern size_t iconv (iconv_t cd, char * *inbuf, size_t *inbyt esleft, char * *outbuf, size_t *outbytesleft);' am_cv_proto_iconv_arg1='' LIBICONV='' LTLIBICONV='' #define HAVE_ICONV 1 #define ICONV_CONST #define USE_GNUPG_ICONV 1 My next thought (based on LIBICONV= blank and USE_GNUPG_ICONV 1) was that maybe configure is failing to detect the native HP iconv library, or doesn't know about HP iconv and wants GNU iconv, failing which it uses an internal iconv, which maybe doesn't support en_GB.iso88591 and similar ? I have no idea how to verify any of these suppositions though, or how to persuade configure/make to detect iconv correctly. Any pointers most welcome please. TIA. -- Mike From veronatif at free.fr Fri Sep 8 20:59:23 2006 From: veronatif at free.fr (Alain Bench) Date: Fri Sep 8 23:25:49 2006 Subject: codeset conversion issue with GnuPG 1.4.x on HP-UX 11.0 In-Reply-To: References: Message-ID: <20060908185922.GB13116@free.fr> Hello Mike, On Friday, September 8, 2006 at 15:32:10 +0100, Mike Keighley wrote: > GnuPG 1.4.5 on HP-UX 11.0 [...] > gpg: conversion from `utf-8' to `iso88591' not available The HP iconv has non-standard names for charsets. It knows the UTF-8 charset only by the name "utf8". While GnuPG hardcodes "utf-8". If you are root, tweak the /usr/lib/nls/iconv/config.iconv file to add an "utf-8" to "utf8" alias. > firebird:/tmp [29] $ echo $LC_ALL > en_GB.iso88591 By the way: LANG alone suffices to set a value for all locale categories. Do not use LC_ALL, unless you have a Good Reason. Bye! Alain. -- Software should be written to deal with every conceivable error RFC 1122 / Robustness Principle From supraexpress at globaleyes.net Sat Sep 9 04:54:57 2006 From: supraexpress at globaleyes.net (User1001) Date: Sat Sep 9 04:53:48 2006 Subject: dump/dd/tar + gpg > tape = file write error Message-ID: When attempting to back up a filesystem with GPG to encrypt the stream, the result (so far) has always been: gpg: /dev/sa0: write error: Invalid argument gpg: iobuf_flush failed on close: file write error no matter what method (dump, dd, tar, etc.) was used to create the "dump stream". It appears to occur only at the end of the "dump stream". Different options for dd (conv=notrunc conv=osync) don't make any difference. Using the "--batch" option for GPG doesn't make any difference. Is there a way to correct this (without creating any new files)? From ussenterprise at babylonfarms.com Fri Sep 8 17:59:13 2006 From: ussenterprise at babylonfarms.com (Troy) Date: Sat Sep 9 11:13:36 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <87k64eev14.fsf@wheatstone.g10code.de> References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> <87k64eev14.fsf@wheatstone.g10code.de> Message-ID: <45019351.5080606@babylonfarms.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Werner Koch wrote: > On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: > >> > > Pretty easy. You only need to take the po/gnupg.pot file, copy it to > po/en.po, translate just that string, add "en" to po/LINGUAS and > build. > I achieved a desired output by changing the the file g10/mainproc.c and compiled it using MSYS, only because I could not find po/gnupg.pot file to do translations. Can you tell me what problems I may run into and where exactly to find the gnupg.pot file -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4246-wT192-tlw-p4 (MingW32) Comment: http://www.babylonfarms.com/secure/0xF8180E9E_pub.asc iQEVAwUBRQGTTnWqn5z4GA6eAQhhnAf/bk+wKZKHaQjWLWuJFvS+8xxlLHUVS7BE RJ8AsQry1FcKdWwRT+bZk3aMsNL1iVY1eMhx6EMXbAxJ9x1WR+MHbLnbF6aBw7d5 7+tfN07H3QR0sdfGEq+o7Tp80hEokIfcwol9KchNXr0w5JDHGmQki2lu4iALwmBu mawIk5ivkBbnVzA9bFDdP8m2oK8At0IcPCgjK12MOwH4Yy8p4zs+fpKtg89E+x/O j391zVX2lR1YPBS8p0/BU7tq1i70G6Zp5KFzrIdPni3sy0nb9yh0ijjg+DAC2tKQ mGxyr7h2lSGm5LJrioGth7YKybDFU45Pz4sJX9deZ++J5dDMYAwDpQ== =edyt -----END PGP SIGNATURE----- From blueness at gmx.net Sat Sep 9 17:16:32 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Sat Sep 9 17:21:27 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <45019351.5080606@babylonfarms.com> References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> <87k64eev14.fsf@wheatstone.g10code.de> <45019351.5080606@babylonfarms.com> Message-ID: <1362691537.20060909171632@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Fri, 08 Sep 2006, at 10:59:13 -0500, when Troy wrote: > Werner Koch wrote: >> On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: >> >>> >> >> Pretty easy. You only need to take the po/gnupg.pot file, copy it to >> po/en.po, translate just that string, add "en" to po/LINGUAS and >> build. > I achieved a desired output by changing the the file g10/mainproc.c > and compiled it using MSYS, > only because I could not find po/gnupg.pot file to do translations. > Can you tell me what problems I may run into and where exactly to > find the gnupg.pot file gnupg.pot file is in the /po directory of compressed /gnupg-x.x.x directory with source files, looking from MSYS/Cygwin/Linux, or in \po folder of compressed \gnupg-x.x.x folder with source files, looking from a Winblows' file manager. What problems you may run into... I don't know. That was the reason I was not clear as to which one to modify, since there are 42 of them (minus ChangeLog in /g10 and non English ones in /po) having the same string/phrase. (-: - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRQLaz7SpHvHEUtv8AQjZvAgAk5y4MeToNy+3z7p8eiJEKEtsQ64omMRe AigFxOMl+LRWJ1dsDBMsHXlIKez30QLEHzSen6VJ56bRfRbZv0eBo7x4Gf/mKrxX OjMkS0NvhFWfMUXmfgLjqgSseNP3MvdXolr3DSBcJK/yXkREoBY1aNK3EPY4xENC vDF/B9kOLHAfxyiim9BTHpAk608iM9PBTCyt+ij8bm5IuwOLS0Ujce3seLFFlVtB R+lbmyrhRNqC9ur+yp2JLWS1w1HMRZ4xh60y9fZSayv0/DOFmYeZoGEooZMw165j 23IfU1z4T7eWZoySZp7B0BbiO6SzsvFQN5/x7OG0OvfPkKj0/YjXIw== =psek -----END PGP SIGNATURE----- From stuff at babylonfarms.com Sat Sep 9 18:36:14 2006 From: stuff at babylonfarms.com (Troy) Date: Sat Sep 9 19:55:56 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <1362691537.20060909171632@gmx.net> References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> <87k64eev14.fsf@wheatstone.g10code.de> <45019351.5080606@babylonfarms.com> <1362691537.20060909171632@gmx.net> Message-ID: <4502ED7E.6070807@babylonfarms.com> Mica Mijatovic wrote: > Was Fri, 08 Sep 2006, at 10:59:13 -0500, > when Troy wrote: > >> Werner Koch wrote: >>> On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: >>> >>>> >>> Pretty easy. You only need to take the po/gnupg.pot file, copy it to >>> po/en.po, translate just that string, add "en" to po/LINGUAS and >>> build. > >> I achieved a desired output by changing the the file g10/mainproc.c >> and compiled it using MSYS, >> only because I could not find po/gnupg.pot file to do translations. >> Can you tell me what problems I may run into and where exactly to >> find the gnupg.pot file > > gnupg.pot file is in the /po directory of compressed /gnupg-x.x.x > directory with source files, looking from MSYS/Cygwin/Linux, or in \po > folder of compressed \gnupg-x.x.x folder with source files, looking from > a Winblows' file manager. > > What problems you may run into... I don't know. > > That was the reason I was not clear as to which one to modify, since > there are 42 of them (minus ChangeLog in /g10 and non English ones in > /po) having the same string/phrase. (-: > Then Assuming I'm correct... using SVN files The change would take place in the g10/mainproc.c because in the SVN files there is no gnupg.pot file g10/mainproc.c:1681 g10/mainproc.c:1729 c-format msgid "Good signature from \"%s\"" msgstr "" because in the SVN files there is no gnupg.pot file I can only guess that there would be some translation problems should I try to compile a version other than "en" would this be correct? Troy From stuff at babylonfarms.com Sat Sep 9 18:28:26 2006 From: stuff at babylonfarms.com (Troy) Date: Sat Sep 9 19:56:04 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <1362691537.20060909171632@gmx.net> References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> <87k64eev14.fsf@wheatstone.g10code.de> <45019351.5080606@babylonfarms.com> <1362691537.20060909171632@gmx.net> Message-ID: <4502EBAA.2090409@babylonfarms.com> Mica Mijatovic wrote: > Was Fri, 08 Sep 2006, at 10:59:13 -0500, > when Troy wrote: > >> Werner Koch wrote: >>> On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: >>> >>>> >>> Pretty easy. You only need to take the po/gnupg.pot file, copy it to >>> po/en.po, translate just that string, add "en" to po/LINGUAS and >>> build. > >> I achieved a desired output by changing the the file g10/mainproc.c >> and compiled it using MSYS, >> only because I could not find po/gnupg.pot file to do translations. >> Can you tell me what problems I may run into and where exactly to >> find the gnupg.pot file > > gnupg.pot file is in the /po directory of compressed /gnupg-x.x.x > directory with source files, looking from MSYS/Cygwin/Linux, or in \po > folder of compressed \gnupg-x.x.x folder with source files, looking from > a Winblows' file manager. > > What problems you may run into... I don't know. > > That was the reason I was not clear as to which one to modify, since > there are 42 of them (minus ChangeLog in /g10 and non English ones in > /po) having the same string/phrase. (-: > Then Assuming I'm correct... using SVN files The change would take place in the g10/mainproc.c because in the SVN files there is no gnupg.pot file g10/mainproc.c:1681 g10/mainproc.c:1729 c-format msgid "Good signature from \"%s\"" msgstr "" because in the SVN files there is no gnupg.pot file I can only guess that there would be some translation problems should I try to compile a version other than "en" would this be correct? Troy From jw at raven.inka.de Sun Sep 10 22:44:58 2006 From: jw at raven.inka.de (Josef Wolf) Date: Sun Sep 10 23:55:34 2006 Subject: Need non-writable --homedir Message-ID: <20060910204458.GC20567@raven.wolf.local> Hello! I need a setup where the user running "gpg -e -r foobar" is not able to modify keyring contents. I tried: # chown -R root:user ~user/.gnupg # chmod -R o=rwX,g=rX,o= ~user/.gnupg Unfortunately, this don't work because gpg does some write operations in its .gnupg directory: 1. It locks the keyring. --lock-never will avoid this. Is it safe to use --lock-never as long as it is guaranteed that _only_ "gpg -e" is ever run? No key generation, no imports, no signung. Only "gpg -e". Is this safe? 2. There's the random_seed file. It is modified at every run. How can I handle this? I bet it would be a security problem should someone be able to read this file. Would it be possible to put it into a different directory? 3. gpg writes temporary files into ~/.gnupg while encrypting. Any ideas? From jw at raven.inka.de Mon Sep 11 00:16:50 2006 From: jw at raven.inka.de (Josef Wolf) Date: Mon Sep 11 00:18:28 2006 Subject: Need non-writable --homedir Message-ID: <20060910221650.GA6798@raven.wolf.local> Hello! I need a setup where the user running "gpg -e -r foobar" is not able to modify keyring contents. I tried: # chown -R root:user ~user/.gnupg # chmod -R o=rwX,g=rX,o= ~user/.gnupg Unfortunately, this don't work because gpg does some write operations in its .gnupg directory: 1. It locks the keyring. --lock-never will avoid this. Is it safe to use --lock-never as long as it is guaranteed that _only_ "gpg -e" is ever run? No key generation, no imports, no signung. Only "gpg -e". Is this safe? 2. There's the random_seed file. It is modified at every run. How can I handle this? I bet it would be a security problem should someone be able to read this file. Would it be possible to put it into a different directory? 3. gpg writes temporary files into ~/.gnupg while encrypting. Any ideas? From rjh at sixdemonbag.org Mon Sep 11 00:36:33 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Sep 11 00:34:56 2006 Subject: Need non-writable --homedir In-Reply-To: <20060910221650.GA6798@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> Message-ID: <45049371.7040800@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Josef Wolf wrote: > 1. It locks the keyring. --lock-never will avoid this. Is it safe > to use --lock-never as long as it is guaranteed that _only_ "gpg -e" > is ever run? No key generation, no imports, no signung. Only > "gpg -e". Is this safe? Locking is a concurrency mechanism. As such, as long as you can guarantee that only one process will ever use the keyring, you should be fine regardless of what you do. Concurrent encryptions should be safe as well. > 2. There's the random_seed file. It is modified at every run. With good reason. Random number generation is important, and if you keep the same seed values it's possible for the same values to be generated, in which case it's not very random at all. > Any ideas? My first idea, and I think the best suggestion, is to look into rearchitecting your solution so that this kind of lockdown isn't necessary. Barring that, I'll defer other suggestions to the core GnuPG developers. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFBJNwAAoJELcA9IL+r4EJcV0IAL8cFTdKEQynS7jeImVniClH HbHl7blwQR0ROfJ8zI4HcUAzM7iWNsDQ5LeYhdoHY0cZOZz2OGWttwohNUzhfnRi LDyOcnmA6Ws8IVIApcnBfATI+24+XWX61kqTCmpu1s/40NX8vuLhHMNFCCU9X0p0 0c9zwkwkqr6YKmwUcze0PTmYDlsiyHeUxKBK2/ULNkEhzs6VJFwLPMb2weTFTg3h zZenoVFwt45wSd9Pjzhd7UhIFJFrhqtNcRg5XQ7d1agbXQWx1U+Y2CgOPazH6456 rtdx7a+Jk9JR3DDSS8IqM0qKaGZLir5gTKz7KtAVdCd6wi33LdLkGMe/MahaigU= =HHcf -----END PGP SIGNATURE----- From martin at linux-ip.net Sun Sep 10 23:38:14 2006 From: martin at linux-ip.net (Martin A. Brown) Date: Mon Sep 11 01:25:37 2006 Subject: ANN: pine-gpg-filter: another pine + GPG filter utility Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings GnuPG and Pine users, I'm announcing a newly developed pine and gpg wrapper utility, which accommodates encryption, clear-signing, decryption and verification, specifically integrated with pine to handle multiple roles. I am releasing pine-gpg-filter [0] under the GPL. I have been using gpg and pine for many years. Until recently, I found the functionality of the pinepg package [1] adequate. Now, however, I am using multiple roles from the same pine session with increasing frequency. Brief description ================= The distinguishing characteristic of this package (when compared against similar pine and gpg wrappers) is its ability to handle multiple roles or identities automatically (i.e. different keys for different email addresses). Unlike some of the other pine and gpg wrappers, this one performs no passphrase caching (consider using gpg-agent in gnupg2). Once I started using roles within pine a bit more extensively, I found the integration of pine role and key ID management more difficult. Thus was born another pine and gpg wrapper script (see links below for a collection of other such tools). The utility is available as a tarball, source RPM and noarch RPM, and I welcome any feedback or bug reports. - -Martin [0] http://linux-ip.net/software/#pine-gpg-filter pine-gpg-filter [1] http://quantumlab.net/pine_privacy_guard/ pinepg [2] http://hany.sk/~hany/software/pinepgp/ pinepgp [3] http://user.cs.tu-berlin.de/~gator/pgp4pine/ PGP4Pine (PAPP) [4] http://dougbarton.net/FreeBSD/Downloads/ Pine PGP Filters [5] http://pgpenvelope.sourceforge.net/ pgpenvelope - -- Martin A. Brown http://linux-ip.net/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: pgf-0.72 (http://linux-ip.net/sw/pine-gpg-filter/) iD8DBQFFBIXMHEoZD1iZ+YcRAhiVAKDx/NmC79l+XfD3kmAnwmNPcPby5gCgygMj u65/FsXvYS5UZbiK3gpP594= =y82y -----END PGP SIGNATURE----- From r.post at sara.nl Mon Sep 11 08:14:14 2006 From: r.post at sara.nl (Remco Post) Date: Mon Sep 11 08:52:15 2006 Subject: Need non-writable --homedir In-Reply-To: <20060910221650.GA6798@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> Message-ID: <4504FEB6.5050601@sara.nl> Josef Wolf wrote: > Hello! > > I need a setup where the user running "gpg -e -r foobar" is not able to > modify keyring contents. I tried: > > # chown -R root:user ~user/.gnupg > # chmod -R o=rwX,g=rX,o= ~user/.gnupg > > Unfortunately, this don't work because gpg does some write operations > in its .gnupg directory: > > 1. It locks the keyring. --lock-never will avoid this. Is it safe > to use --lock-never as long as it is guaranteed that _only_ "gpg -e" > is ever run? No key generation, no imports, no signung. Only > "gpg -e". Is this safe? > > 2. There's the random_seed file. It is modified at every run. How can > I handle this? I bet it would be a security problem should someone > be able to read this file. Would it be possible to put it into a > different directory? > > 3. gpg writes temporary files into ~/.gnupg while encrypting. > > Any ideas? > use --keyring, --secret-keyring together with --no-default-keyring (see the manpage) to store the keyrings on some ro media/place and leave the homedir alone? You could even put that in the users (ro) gpg.conf. > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From wk at gnupg.org Mon Sep 11 09:32:04 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 11 09:36:30 2006 Subject: Need non-writable --homedir In-Reply-To: <20060910221650.GA6798@raven.wolf.local> (Josef Wolf's message of "Mon, 11 Sep 2006 00:16:50 +0200") References: <20060910221650.GA6798@raven.wolf.local> Message-ID: <87ejui6eq3.fsf@wheatstone.g10code.de> On Mon, 11 Sep 2006 00:16, Josef Wolf said: > 1. It locks the keyring. --lock-never will avoid this. Is it safe > to use --lock-never as long as it is guaranteed that _only_ "gpg -e" If the keyrings are read-only, there is no need for locking. Thus --lock-never is safe. > 2. There's the random_seed file. It is modified at every run. How can > I handle this? I bet it would be a security problem should someone > be able to read this file. Would it be possible to put it into a > different directory? Out of performance reasons it is better to have the random seed file and it should be writable. Twehre isno way to have it inanother directory. Thus it is better to follow Remco Post's suggestionhand have only the keyrings at a different location. > 3. gpg writes temporary files into ~/.gnupg while encrypting. No, it does not. At least not if the keyrings are read-only and locking is disabled. The temporary files you encounter are from keyring write operations or locking. Shalom-Salam, Werner From mike.keighley at adarelexicon.com Mon Sep 11 20:42:50 2006 From: mike.keighley at adarelexicon.com (mike.keighley@adarelexicon.com) Date: Mon Sep 11 20:41:20 2006 Subject: codeset conversion issue with GnuPG 1.4.x on HP-UX 11.0 Message-ID: On Fri, 8 Sep 2006 19:33, Werner Koch said: > It is possible that the iconv detection does not work. > And yes, we are falling back to an internal iconv replacement. > Look into util/strgutil.c: > You might want to just add a line > || !ascii_strcasecmp (newset, "88591" ) Yes, that does the trick nicely, thanks. I had trouble understanding the way the ifs and the ifdefs were interleaved, but I got there in the end. On Friday, September 8, 2006 at 19:59:10 +0100, Alain Bench wrote: > If you are root, tweak the /usr/lib/nls/iconv/config.iconv file > to add an "utf-8" to "utf8" alias. ... and that also does the trick nicely ! With this, and without Werner's tweak, cd = iconv_open (full_newset, "utf-8"); (where full_newset="iso88591" as returned by nl_langinfo via newset) ... no longer seems to throw an error. Since Alain's fix does not involve changing your source, I will go with that one, thanks to both of you. > By the way: LANG alone suffices to set a value for all locale > categories. Do not use LC_ALL, unless you have a Good Reason. Yes, I do have a Good Reason, but thanks for mentioning it anyway. -- Mike. From kwh at upb.de Mon Sep 11 18:30:39 2006 From: kwh at upb.de (=?ISO-8859-15?Q?=22K=2E_W=2E_Holzwei=DFig=22?=) Date: Mon Sep 11 21:25:30 2006 Subject: Problem mit gpgcard Message-ID: <45058F2F.6070402@upb.de> Hi. I am having a problem with my smartcard. I am running Suse 10.1 and my card has worked previously under Suse 10.0. Here is my debug log. Can anybody give me an advice? Cheers! Kai gpg: DBG: ccid-driver: using CCID reader 0 (ID=04E6:5115:21120617208494:0) gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518 gpg: DBG: ccid-driver: ChipCard Interface Descriptor: gpg: DBG: ccid-driver: bLength 54 gpg: DBG: ccid-driver: bDescriptorType 33 gpg: DBG: ccid-driver: bcdCCID 1.00 gpg: DBG: ccid-driver: nMaxSlotIndex 0 gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1 gpg: DBG: ccid-driver: dwDefaultClock 4000 gpg: DBG: ccid-driver: dwMaxiumumClock 12000 gpg: DBG: ccid-driver: bNumClockSupported 0 gpg: DBG: ccid-driver: dwDataRate 9600 bps gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps gpg: DBG: ccid-driver: bNumDataRatesSupp. 0 gpg: DBG: ccid-driver: dwMaxIFSD 252 gpg: DBG: ccid-driver: dwSyncProtocols 00000000 gpg: DBG: ccid-driver: dwMechanical 00000000 gpg: DBG: ccid-driver: dwFeatures 000100BA gpg: DBG: ccid-driver: Auto configuration based on ATR gpg: DBG: ccid-driver: Auto voltage selection gpg: DBG: ccid-driver: Auto clock change gpg: DBG: ccid-driver: Auto baud rate change gpg: DBG: ccid-driver: Auto PPS made by CCID gpg: DBG: ccid-driver: TPDU level exchange gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263 gpg: DBG: ccid-driver: bClassGetResponse echo gpg: DBG: ccid-driver: bClassEnvelope echo gpg: DBG: ccid-driver: wlcdLayout none gpg: DBG: ccid-driver: bPINSupport 0 gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: CALLING USB_CLEAR_HALT gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00 data: gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC gpg: reader slot 0: using ccid driver gpg: DBG: send apdu: c=00 i=A4 p0=04 p1=00 lc=6 le=-1 gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00 data: gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC gpg: apdu_send_simple(0) failed: card inactive gpg: DBG: ccid-driver: status: 01 error: 00 octet[9]: 01 data: gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518 gpg: DBG: ccid-driver: ChipCard Interface Descriptor: gpg: DBG: ccid-driver: bLength 54 gpg: DBG: ccid-driver: bDescriptorType 33 gpg: DBG: ccid-driver: bcdCCID 1.00 gpg: DBG: ccid-driver: nMaxSlotIndex 0 gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1 gpg: DBG: ccid-driver: dwDefaultClock 4000 gpg: DBG: ccid-driver: dwMaxiumumClock 12000 gpg: DBG: ccid-driver: bNumClockSupported 0 gpg: DBG: ccid-driver: dwDataRate 9600 bps gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps gpg: DBG: ccid-driver: bNumDataRatesSupp. 0 gpg: DBG: ccid-driver: dwMaxIFSD 252 gpg: DBG: ccid-driver: dwSyncProtocols 00000000 gpg: DBG: ccid-driver: dwMechanical 00000000 gpg: DBG: ccid-driver: dwFeatures 000100BA gpg: DBG: ccid-driver: Auto configuration based on ATR gpg: DBG: ccid-driver: Auto voltage selection gpg: DBG: ccid-driver: Auto clock change gpg: DBG: ccid-driver: Auto baud rate change gpg: DBG: ccid-driver: Auto PPS made by CCID gpg: DBG: ccid-driver: TPDU level exchange gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263 gpg: DBG: ccid-driver: bClassGetResponse echo gpg: DBG: ccid-driver: bClassEnvelope echo gpg: DBG: ccid-driver: wlcdLayout none gpg: DBG: ccid-driver: bPINSupport 0 gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 Please insert the card and hit return or enter 'c' to cancel: From jw at raven.inka.de Mon Sep 11 21:49:42 2006 From: jw at raven.inka.de (Josef Wolf) Date: Mon Sep 11 21:48:36 2006 Subject: Need non-writable --homedir In-Reply-To: <45049371.7040800@sixdemonbag.org> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> Message-ID: <20060911194942.GA22329@raven.wolf.local> Thanks for your response, Robert! On Sun, Sep 10, 2006 at 05:36:33PM -0500, Robert J. Hansen wrote: > Josef Wolf wrote: > > 1. It locks the keyring. --lock-never will avoid this. Is it safe > > to use --lock-never as long as it is guaranteed that _only_ "gpg -e" > > is ever run? No key generation, no imports, no signung. Only > > "gpg -e". Is this safe? > > Locking is a concurrency mechanism. As such, as long as you can > guarantee that only one process will ever use the keyring, you should be > fine regardless of what you do. > > Concurrent encryptions should be safe as well. OK. > > 2. There's the random_seed file. It is modified at every run. > > With good reason. Random number generation is important, and if you > keep the same seed values it's possible for the same values to be > generated, in which case it's not very random at all. I wondered why /dev/random is not used. It seems that "gpg -e --no-random-seed-file --lock-never -r foobar" does what I want. With this, only a warning about trustdb not beeing writable is issued. Can I safely ignore this warning? Does --no-random-seed-file force /dev/random to be used? > > Any ideas? > > My first idea, and I think the best suggestion, is to look into > rearchitecting your solution so that this kind of lockdown isn't > necessary. I think my architecture should be OK. But I'm open for suggestions. Here's a (simplified, bacause it is OT on this list) description of what I try to do: The goal is to make backups over the network (similar to amanda). For this I set up an account named "backupserver" on the server and a "backupclient" on the client. Backupserver's public key is copied to backupclient@client:~/.ssh/authorized_keys. Backupserver initiates a backup via $ ssh backupclient@client sudo /usr/local/bin/sendbackup >out sendbackup runs gnutar as root and gpg as backupclient. To make sure that backupserver@server is not able to request unencrypted data, I need to make sure that backupclient is not able to modify the keyring. Please drop me a note if you see any flaws in such a setup. From rjh at sixdemonbag.org Mon Sep 11 22:27:59 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon Sep 11 22:26:32 2006 Subject: Need non-writable --homedir In-Reply-To: <20060911194942.GA22329@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> Message-ID: <4505C6CF.7010704@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Josef Wolf wrote: > I wondered why /dev/random is not used. A few reasons, any one of which would be sufficient. 1. /dev/random isn't available on all platforms. GnuPG's random number generator is. 2. /dev/random is exhaustible. This is a Bad And Wrong for crypto applications. 3. /dev/random is, as I understand it, an ad-hoc design. Many people who need crypto software need vetted, certified designs (even if the software itself isn't certified). E.g., some people may require ANSI X9.17 RNG. With a software RNG, it's fairly easy to just drop in whatever RNG you need. > It seems that "gpg -e --no-random-seed-file --lock-never -r foobar" > does what I want. With this, only a warning about trustdb not beeing > writable is issued. Can I safely ignore this warning? I'm not sure what can cause the trustdb to be updated, I'm sorry. For instance, if GnuPG sees that the system clock has advanced to the point where a key has expired, does GnuPG cause the trustdb to be updated? Etcetera. For this question, you're going to have to ask the GnuPG developers, since it depends on GnuPG internals. That said, my intuition--and beware of taking anyone's intuition too seriously--is that as long as you avoid modifying operations, the warning will be insignificant. > Does --no-random-seed-file force /dev/random to be used? Platform-dependent. Obviously, --no-random-seed-file won't force /dev/random to be used if you're on a system that has no /dev/random (e.g., Win32). You need to tell us the precise system environment before we can really answer these kinds of questions. > sendbackup runs gnutar as root and gpg as backupclient. To make sure > that backupserver@server is not able to request unencrypted data, I > need to make sure that backupclient is not able to modify the > keyring. I'm having a cognitive disconnect here. How does the _client's_ inability to modify the keyring affect the _server's_ ability to request unencrypted data? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFBcbPAAoJELcA9IL+r4EJ8A4IAKDsehJWrfvDSHhgHEo/3bm2 QjuBJpRDr2X9Ramsxp/Zed8b+Yi55JxJ8IsawGuDCZuOfQrnXK+ew+K8Etg8gHmh R4RbDCDyFofH0zVoRVvfEGRpYfXbE3Q+S4bvSBjbyg2MukS/0NwWxlndTM2414B6 aiNgzY26BJs429RaoEbh48QxNcco+PDSAsY8IK4Wz4yjnDjkmguUnai3pCqwmlA/ 9Qw2hYFiifBRu6lqFH1O0GLd1N9bvcJVyhz8LmjMCYuVTvDx6YxUtXg3fSl5zMo5 aC6NLrrRwNZegM02eLccQeyFCogwNCFq7RkMyUJlTjf16vIRG/NyCRvaSvbhF3Q= =pS3l -----END PGP SIGNATURE----- From jw at raven.inka.de Mon Sep 11 23:10:29 2006 From: jw at raven.inka.de (Josef Wolf) Date: Mon Sep 11 23:18:40 2006 Subject: Need non-writable --homedir In-Reply-To: <4505C6CF.7010704@sixdemonbag.org> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> Message-ID: <20060911211029.GB22329@raven.wolf.local> On Mon, Sep 11, 2006 at 03:27:59PM -0500, Robert J. Hansen wrote: > Josef Wolf wrote: > 1. /dev/random isn't available on all platforms. GnuPG's random number > generator is. Don't most unices have /dev/random nowadays? I never planned to run this thing on a windows box :) > 2. /dev/random is exhaustible. This is a Bad And Wrong for crypto > applications. Hmm, the only drawback I see is a slowdown. The application will just hang and wait for more entropy to arrive. But I don't see how security would be compromised by emptying /dev/random. Or will gpg fall back to something bad in such a situation? Would it be better to have a random_seed lying around there? Isn't it better to be slow than unsecure? How many random data does gpg consume when encrypting? > 3. /dev/random is, as I understand it, an ad-hoc design. Many people > who need crypto software need vetted, certified designs (even if the > software itself isn't certified). E.g., some people may require ANSI > X9.17 RNG. With a software RNG, it's fairly easy to just drop in > whatever RNG you need. Ough... I always thought /dev/random has the highest possible quality. How can a RNG be more random than real entropy? > > Does --no-random-seed-file force /dev/random to be used? > > Platform-dependent. Obviously, --no-random-seed-file won't force > /dev/random to be used if you're on a system that has no /dev/random > (e.g., Win32). You need to tell us the precise system environment > before we can really answer these kinds of questions. Sorry, forgot that. It is supposed to run on linux. > > sendbackup runs gnutar as root and gpg as backupclient. To make sure > > that backupserver@server is not able to request unencrypted data, I > > need to make sure that backupclient is not able to modify the > > keyring. > > I'm having a cognitive disconnect here. How does the _client's_ > inability to modify the keyring affect the _server's_ ability to request > unencrypted data? The server has shell access via ssh to backupclient@client. He can create its own keyring and replace the one on client's account. The requested backup is encrypted with backupserver's key now. The attack is similar to a MITM attack. This is why I want the keyring be modifiable only by root@client. Basically, I want the setup to be secure even if backupclient's account should be compromised. I think this strategy will not do any harm. From mrwchandler84 at yahoo.com Mon Sep 11 22:28:26 2006 From: mrwchandler84 at yahoo.com (Donald Wayne Chandler) Date: Mon Sep 11 23:55:40 2006 Subject: Cardreader installation Message-ID: <4505C6EA.1070505@yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 I switched from XP to Ubuntu 6.06, now the SCR338 cardreader built into the keyboard doesn't work. ~$ gpg --card-status gpg: selecting openpgp failed: ec=6.108 gpg: OpenPGP card not available: general error lsusb reports: Bus 004 Device 001: ID 0000:0000 Bus 001 Device 005: ID 04e6:5151 SCM Microsystems, Inc. (keyboard) Bus 001 Device 004: ID 046d:c00e Logitech, Inc. M-BJ69 Optical Wheel Mouse Bus 001 Device 003: ID 05e3:0604 Genesys Logic, Inc. USB 1.1 Hub Bus 001 Device 001: ID 0000:0000 Bus 003 Device 001: ID 0000:0000 Bus 002 Device 001: ID 0000:0000 Any help will be greatly appreciated. Wayne -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFBcbqkf1GiUoANSwRA7MuAKDSq1IhvW2waJZW2/jLJjN0TcP8LgCg1nm8 uNsvynmVHwhyl0krqtGJneA= =lUn3 -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Tue Sep 12 00:28:25 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Sep 12 00:26:43 2006 Subject: Need non-writable --homedir In-Reply-To: <20060911211029.GB22329@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> <20060911211029.GB22329@raven.wolf.local> Message-ID: <4505E309.2050200@sixdemonbag.org> Josef Wolf wrote: > Don't most unices have /dev/random nowadays? I never planned to run > this thing on a windows box :) GnuPG has been ported to many platforms. BeOS, OpenVMS, Win32, and many more that have no /dev/random. > Hmm, the only drawback I see is a slowdown. The application will > just hang and wait for more entropy to arrive. As Daniel Keys Moran wrote in _The Last Dancer_, the mark of a half-assed software design is its inability to fail gracefully. Most software today would be lucky to be even half of that. GnuPG may fail well in that situation. But will _all_ your applications fail well in that situation? Especially ones which can't afford to block for minutes until the /dev/random pool replenishes? Being a good software citizen means being sparing in your use of limited systemwide resources. Thus, apps should avoid using /dev/random unless there's a clear and critical need. >> 3. /dev/random is, as I understand it, an ad-hoc design. Many >> people who need crypto software need vetted, certified designs >> (even if the software itself isn't certified). E.g., some people >> may require ANSI X9.17 RNG. With a software RNG, it's fairly easy >> to just drop in whatever RNG you need. > > Ough... I always thought /dev/random has the highest possible > quality. How can a RNG be more random than real entropy? Again, you're missing the point. If /dev/random is set up to be access for a radioisotope RNG on one system, you have absolutely no guarantee it'll be a radioisotope RNG on all systems. You have absolutely no guarantee it'll be a radioisotope RNG even on all UNIX systems. Depending on how often you upgrade your hardware, you may not even be able to guarantee it's a radioisotope RNG on _your_ system. GnuPG has no control over how each UNIX handles /dev/random. If GnuPG has no control over that, then GnuPG isn't going to rely on that. GnuPG _can_ rely on its own internal pseudorandom number generator. And thus, it gets a random seed from some believed-good source (varies from platform to platform), and successive calls to the PRNG just use that instead. You need to recognize that GnuPG is not a Linux-only platform, and considerable work has gone into it to make it work on as many platforms as possible. This means disregarding certain OS features that would tie it narrowly to one specific operating system. From blueness at gmx.net Tue Sep 12 00:59:01 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Tue Sep 12 01:00:22 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <4502EBAA.2090409@babylonfarms.com> References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> <87k64eev14.fsf@wheatstone.g10code.de> <45019351.5080606@babylonfarms.com> <1362691537.20060909171632@gmx.net> <4502EBAA.2090409@babylonfarms.com> Message-ID: <823773322.20060912005901@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Sat, 09 Sep 2006, at 11:28:26 -0500, when Troy wrote: >>> Werner Koch wrote: >>>> On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: >>>>> >>>> Pretty easy. You only need to take the po/gnupg.pot file, copy it to >>>> po/en.po, translate just that string, add "en" to po/LINGUAS and >>>> build. Troy: >>> I achieved a desired output by changing the the file g10/mainproc.c >>> and compiled it using MSYS, >>> only because I could not find po/gnupg.pot file to do translations. >>> Can you tell me what problems I may run into and where exactly to >>> find the gnupg.pot file Mica: >> gnupg.pot file is in the /po directory of compressed /gnupg-x.x.x >> directory with source files, looking from MSYS/Cygwin/Linux, or in \po >> folder of compressed \gnupg-x.x.x folder with source files, looking from >> a Winblows' file manager. >> >> What problems you may run into... I don't know. >> >> That was the reason I was not clear as to which one to modify, since >> there are 42 of them (minus ChangeLog in /g10 and non English ones in >> /po) having the same string/phrase. (-: > Then Assuming I'm correct... > using SVN files > The change would take place in the g10/mainproc.c > because in the SVN files there is no gnupg.pot file > g10/mainproc.c:1681 g10/mainproc.c:1729 > c-format > msgid "Good signature from \"%s\"" > msgstr "" > because in the SVN files there is no gnupg.pot file Yes, you are correct here, I was concentrated on the release version too much, omitting thus the CVS/SVN ones; there's no this file there. > I can only guess that there would be some translation problems should > I try to compile a version other than "en" would this be correct? As much as I myself could take insight into and understand this mechanism, you are correct on this one too. In other, "localized", files, I suppose the English part is (just) the model that has to be translated, and thus not executed/displayed, while translated part is executed/displayed. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRQXqNLSpHvHEUtv8AQiFjwgArw3N1udMwRbm+6vyShs6vo9Dd9J8gdtN +C8rdrjc6rtOkQ06ZGcWj/BQCxNwPbjTRjIFQNZig48E8bq8D5vtxt6ocpts+u9W 4CKDDi5CpetnFbIpswj+1eoSz5Nv9tzg9GIrRzCq+D1s6uvkhnUkATAvAKTgvddQ 7Suo+yA6KHzl7WX5zFO7XystWUeLNwcmel3LSQIv0JtdwTwNJdz1Is70nkE7czuY l5OmY/9n7PZwha0jsh9S4/zBJhJHojrHFJPVOoGiyrByBcpp8ozZYxglIhsGUg8x d/tQkXCyzHXwvR0A8EVWc0Ly9MM/myMHqhzY/7SFtCNdba6iQAC83Q== =Ud8C -----END PGP SIGNATURE----- From joerg at schmitz-linneweber.de Tue Sep 12 08:44:11 2006 From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber) Date: Tue Sep 12 10:25:34 2006 Subject: Beginner's smartcard questions In-Reply-To: <44FF0148.6050700@web.de> References: <44FF0148.6050700@web.de> Message-ID: <200609120844.17171.joerg@schmitz-linneweber.de> Hi! Am Mittwoch, 6. September 2006 19:11 schrieb Sven Radde: > Hi! > > I intend to buy an OpenPGP card and I have some questions regarding its use > unter WinXP, particularly in combination with my new (and yet untested) > banking card. Is there any difference in the required hardware to access > both cards? Yes! > In other words, will the card-readers sold at > http://www.kernelconcepts.de/products/security-en.shtml also support my > banking-card (german HBCI) or, Probably not. :-( > vice-versa, can I expect GnuPG to support > the card-reader recommended by my bank ("cyber Jack" devices by ReinerSCT)? Sure not! Esp. the "CyberJack" is known to be problematic (at least) with OpenGPG cards... > Are there any caveats in general regarding the card-readers at > kernelconcepts.de under Windows? In particular, I stumbled over the > "Supported by GnuPG *via PC/SC drivers*" in the description of the Omnikey > CM4040 PCMCIA device). Sorry for insisting, but before spending actual > money, I want to be sure it works. I think most of them will work under Win, You'll have to look for drivers for your special application... > One more question: When using a class-3 reader, what (if any) information > does GnuPG display on it? Nothing > I wonder how much added security I would get from > a class-3 reader in comparison to one without display. With GnuPG nothing. (But I think the difference between class 2 and 3 is not only the display but here in Germany the "clearance" to do "binay cashing" via e.g. GeldKarte and the like...) > I understand that a > class-2 reader will prevent sniffing of the PIN in case my PC is infected > with a trojan. Not with GnuPG. With *some* HomeBanking applications, your PIN will never reach "the system" (Win) and thus will be save. Salut, J?rg -- gpg/pgp key # 0xd7fa4512 fingerprint 4e89 6967 9cb2 f548 a806 ?7e8b fcf4 2053 d7fa 4512 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060912/b435c7a9/attachment-0001.pgp From jw at raven.inka.de Tue Sep 12 20:42:39 2006 From: jw at raven.inka.de (Josef Wolf) Date: Tue Sep 12 20:48:52 2006 Subject: Need non-writable --homedir In-Reply-To: <4505E309.2050200@sixdemonbag.org> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> <20060911211029.GB22329@raven.wolf.local> <4505E309.2050200@sixdemonbag.org> Message-ID: <20060912184239.GC22329@raven.wolf.local> On Mon, Sep 11, 2006 at 05:28:25PM -0500, Robert J. Hansen wrote: > Josef Wolf wrote: > > Don't most unices have /dev/random nowadays? I never planned to run > > this thing on a windows box :) > GnuPG has been ported to many platforms. BeOS, OpenVMS, Win32, and many > more that have no /dev/random. I know. And this is good. But I am asking as a gnupg user, not as a developer. That's why I asked on the gnupg-users list instead of the developer list ;-) While gnupg runs on many platforms, I know that my application will run only on unix-like systems. At least in the next couple of years. I don't think I need to bother about systems I never used and probably will never use. (I've never seen BeOS, I played a little bit with VMS at high school about 20 years ago, I use Win only at work, because that's company-policy) > > Hmm, the only drawback I see is a slowdown. The application will > > just hang and wait for more entropy to arrive. > > As Daniel Keys Moran wrote in _The Last Dancer_, the mark of a > half-assed software design is its inability to fail gracefully. Most > software today would be lucky to be even half of that. > > GnuPG may fail well in that situation. But will _all_ your applications > fail well in that situation? Especially ones which can't afford to > block for minutes until the /dev/random pool replenishes? Well, that's why I asked how many random data gnupg consumes when encrypting. AFAIK, having random_seed be accessible to unauthorized people is not acceptable. Thus I have no choice, I just _have_ to use the --no-random-seed-file option. Unfortunately, the man page don't explain where the random data comes from when this option is used and what are the consequences to randomness quality. This is why I asked how gnupg will behave with this option. I still have no idea > Being a good software citizen means being sparing in your use of limited > systemwide resources. Thus, apps should avoid using /dev/random unless > there's a clear and critical need. For one, I still don't know whether --no-random-seed-file will cause /dev/random to be used at all. Further, it would be good to know how many data will be consumed. > >> 3. /dev/random is, as I understand it, an ad-hoc design. Many > >> people who need crypto software need vetted, certified designs > >> (even if the software itself isn't certified). E.g., some people > >> may require ANSI X9.17 RNG. With a software RNG, it's fairly easy > >> to just drop in whatever RNG you need. > > > > Ough... I always thought /dev/random has the highest possible > > quality. How can a RNG be more random than real entropy? > > Again, you're missing the point. > > If /dev/random is set up to be access for a radioisotope RNG on one > system, you have absolutely no guarantee it'll be a radioisotope RNG on > all systems. You have absolutely no guarantee it'll be a radioisotope > RNG even on all UNIX systems. Depending on how often you upgrade your > hardware, you may not even be able to guarantee it's a radioisotope RNG > on _your_ system. I never had a radioisotope RNG and I will probably never have such a beast. On an average system /dev/random collects entropy from keystrokes, mouse events, network traffic and such things. > GnuPG has no control over how each UNIX handles /dev/random. If GnuPG > has no control over that, then GnuPG isn't going to rely on that. On my system gnupg relies on /dev/random when keys are generated. > GnuPG _can_ rely on its own internal pseudorandom number generator. And > thus, it gets a random seed from some believed-good source (varies from > platform to platform), and successive calls to the PRNG just use that > instead. So it relies on /dev/random when generating keys but can't rely on it when actually encrypting? Doesn't sound very consequent to me. > You need to recognize that GnuPG is not a Linux-only platform, and > considerable work has gone into it to make it work on as many platforms > as possible. I have no doubts about this. But I still don't have any clue what consequences --no-random-seed-file has. Will encryption process block? Will the random data be of bad quality? From dshaw at jabberwocky.com Tue Sep 12 21:05:08 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Sep 12 21:03:41 2006 Subject: Need non-writable --homedir In-Reply-To: <20060912184239.GC22329@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> <20060911211029.GB22329@raven.wolf.local> <4505E309.2050200@sixdemonbag.org> <20060912184239.GC22329@raven.wolf.local> Message-ID: <20060912190508.GA13661@jabberwocky.com> On Tue, Sep 12, 2006 at 08:42:39PM +0200, Josef Wolf wrote: > AFAIK, having random_seed be accessible to unauthorized people is > not acceptable. Thus I have no choice, I just _have_ to use the > --no-random-seed-file option. Unfortunately, the man page don't > explain where the random data comes from when this option is used > and what are the consequences to randomness quality. This is why I > asked how gnupg will behave with this option. I still have no idea It is harmless to use --no-random-seed-file. If you use it, GnuPG will just get randomness from whatever your random source is. The only difference is that it won't have a seed to start from, so it will run a little slower. > > You need to recognize that GnuPG is not a Linux-only platform, and > > considerable work has gone into it to make it work on as many platforms > > as possible. > > I have no doubts about this. But I still don't have any clue what > consequences --no-random-seed-file has. Will encryption process block? > Will the random data be of bad quality? Encryption shouldn't block. Key generation might (key generation tries to use higher quality randomness). The random data used with --no-random-seed-file is just as good as the random data otherwise: it just takes longer to get to it. David From rjh at sixdemonbag.org Tue Sep 12 21:10:57 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue Sep 12 21:09:23 2006 Subject: Need non-writable --homedir In-Reply-To: <20060912184239.GC22329@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> <20060911211029.GB22329@raven.wolf.local> <4505E309.2050200@sixdemonbag.org> <20060912184239.GC22329@raven.wolf.local> Message-ID: <45070641.4070001@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I apologize if this email seems snarky. However, I'm getting tired of repeating the same answers over and over again. Josef Wolf wrote: >>> Don't most unices have /dev/random nowadays? I never planned to >>> run this thing on a windows box :) >> >> GnuPG has been ported to many platforms. BeOS, OpenVMS, Win32, and >> many more that have no /dev/random. > > I know. And this is good. But I am asking as a gnupg user, not as a > developer. Your question is predicated on a "well, I'm on UNIX with a /dev/random, so why doesn't GnuPG just use /dev/random for everything?" You got an accurate answer to your question. If you can't understand the answer, then perhaps you should re-think the questions you're asking. > I know that my application will run only on unix-like systems. Ah, yes, UNIX Programmer's Disease. I suggest you look into getting cured. If you care only about UNIX systems, that's your lookout. It's not the lookout of the GnuPG developers. >> GnuPG may fail well in that situation. But will _all_ your >> applications fail well in that situation? Especially ones which >> can't afford to block for minutes until the /dev/random pool >> replenishes? > > Well, that's why I asked how many random data gnupg consumes when > encrypting. Please re-read my answer. GnuPG _doesn't_ diminish /dev/random when encrypting, because it uses its own pseudorandom number generator, which is why it uses random_seed. The reason why it doesn't use /dev/random is because it's being a good citizen and not using up limited resources, when it can do the same job without using up any of that limited resource. > AFAIK, having random_seed be accessible to unauthorized people is not > acceptable. Thus I have no choice You always have a choice. I'd suggest rearchitecting your solution. Your current solution does not strike me as particularly sound. > I never had a radioisotope RNG and I will probably never have such a > beast. On an average system /dev/random collects entropy from > keystrokes, mouse events, network traffic and such things. Please consider this very carefully: _GnuPG has absolutely no way of knowing the internals of /dev/random._ None. Nada. Zilch. Zero. GnuPG doesn't know, doesn't care. Also, please consider this very carefully, too: _There is no such thing as an 'average' GnuPG system._ What's an average GnuPG system? Is it BeOS? Win32? Debian GNU/Linux? Fedora? FreeBSD? OS X? >> GnuPG has no control over how each UNIX handles /dev/random. If >> GnuPG has no control over that, then GnuPG isn't going to rely on >> that. > > On my system gnupg relies on /dev/random when keys are generated. Because it has no other choice. It needs highest-quality random values, and it can block indefinitely until those values are available. (In fact, it warns you it might block for a while.) When encrypting messages it _does_ have a choice, and so it chooses the option with the least impact on limited system resources. > So it relies on /dev/random when generating keys but can't rely on it > when actually encrypting? Doesn't sound very consequent to me. See above. > I have no doubts about this. But I still don't have any clue what > consequences --no-random-seed-file has. Will encryption process > block? Will the random data be of bad quality? While I am certain answers exist to be found, I am not certain the answers will do you much good. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFBwZBAAoJELcA9IL+r4EJaVUH/3Er4alOB7hkKE1uO1dQNzJc 30IKEzjuykGuAhLFnhap0dtRGX3RfBAQOkyrEcHDg0LLAsX5gLNUy7th/0PLxSOU E2fQGMA530zG6qVKqx7iwbMmnq+nUymNekIqBTTFS03vkQm84AOzO72U4FRa9uVv WRzrSxw5CNO7e/WnOsavvLt/rMpAHKbxTEgz7IpCHNRR3v/A+B5lJfq5+jdJQMg3 sqVK8pc9Lc5E/HQfCWWgmebxNrYWRj6q/XU4v4yPU529dn0YaLYVdCAZF0EPBg7h qfz7hicPzScTdBh4t1tW57YobkwQuOdwGd8x4QAlB6OpJal6oQpKNVdWj6s2ufs= =faU9 -----END PGP SIGNATURE----- From jw at raven.inka.de Tue Sep 12 23:09:37 2006 From: jw at raven.inka.de (Josef Wolf) Date: Tue Sep 12 23:08:30 2006 Subject: Need non-writable --homedir In-Reply-To: <20060912190508.GA13661@jabberwocky.com> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> <20060911211029.GB22329@raven.wolf.local> <4505E309.2050200@sixdemonbag.org> <20060912184239.GC22329@raven.wolf.local> <20060912190508.GA13661@jabberwocky.com> Message-ID: <20060912210937.GD22329@raven.wolf.local> On Tue, Sep 12, 2006 at 03:05:08PM -0400, David Shaw wrote: > On Tue, Sep 12, 2006 at 08:42:39PM +0200, Josef Wolf wrote: > > > AFAIK, having random_seed be accessible to unauthorized people is > > not acceptable. Thus I have no choice, I just _have_ to use the > > --no-random-seed-file option. Unfortunately, the man page don't > > explain where the random data comes from when this option is used > > and what are the consequences to randomness quality. This is why I > > asked how gnupg will behave with this option. I still have no idea > > It is harmless to use --no-random-seed-file. If you use it, GnuPG > will just get randomness from whatever your random source is. The > only difference is that it won't have a seed to start from, so it will > run a little slower. [ ... ] > Encryption shouldn't block. Key generation might (key generation > tries to use higher quality randomness). The random data used with > --no-random-seed-file is just as good as the random data otherwise: it > just takes longer to get to it. Thanks, David! That's exaclty the answer I was looking for. It is no problem for me should it be slower. Backups run automated at night, so there's no point in squeezing out the last millisecond. From jw at raven.inka.de Wed Sep 13 21:55:20 2006 From: jw at raven.inka.de (Josef Wolf) Date: Wed Sep 13 21:59:10 2006 Subject: Need non-writable --homedir In-Reply-To: <45070641.4070001@sixdemonbag.org> References: <20060910221650.GA6798@raven.wolf.local> <45049371.7040800@sixdemonbag.org> <20060911194942.GA22329@raven.wolf.local> <4505C6CF.7010704@sixdemonbag.org> <20060911211029.GB22329@raven.wolf.local> <4505E309.2050200@sixdemonbag.org> <20060912184239.GC22329@raven.wolf.local> <45070641.4070001@sixdemonbag.org> Message-ID: <20060913195520.GE22329@raven.wolf.local> On Tue, Sep 12, 2006 at 02:10:57PM -0500, Robert J. Hansen wrote: > I apologize if this email seems snarky. Robert, please get a beer and calm down. > However, I'm getting tired of repeating the same answers over and over > again. If you find yourself repeating the same answers, chances are that you keep answering the wrong questions. (just kidding :) > Josef Wolf wrote: > >>> Don't most unices have /dev/random nowadays? I never planned to > >>> run this thing on a windows box :) > >> > >> GnuPG has been ported to many platforms. BeOS, OpenVMS, Win32, and > >> many more that have no /dev/random. > > > > I know. And this is good. But I am asking as a gnupg user, not as a > > developer. > > Your question is predicated on a "well, I'm on UNIX with a /dev/random, > so why doesn't GnuPG just use /dev/random for everything?" To be precise, I asked "I wondered why /dev/random is not used" exactly _once_ after your explanation why random_seed is important. From context it should be clear that this was meant as a _possible_ alternative to the random_seed method. I never said that it should be used for everything. After that, I kept asking _whether_ it will be used. Notice the semantic difference? Then you said that data from /dev/random has bad quality. For me, this was Bad News, because I always assumed that /dev/random is the highest quality average people (those who can't afford radioisotope, like me) can get. From that, a second discussion, entirely unrelated to gnupg, evolved. Please don't confuse the two independent topics. BTW: _You_ asked me to tell you what platform I use before you can answer the question. You should not be very surprised that I start getting platform specific after that. > > I know that my application will run only on unix-like systems. > > Ah, yes, UNIX Programmer's Disease. I suggest you look into getting cured. I don't force you to use my application, so what exactly is your problem here? I don't know whether windows have something like sudo, or how to properly drop privileges, and many other things. So why should I bother to port it to a system I don't know? Should anybody be interested to run it on a system I don't use or know, then it's up to him to port it on whatever system he likes. This is a pretty common idiom in the open-source world: if something don't fit your needs, you are free to fix it yourself. I don't ask you to port your applications to any of the wired systems I use. And I don't say you are suffering from any desease for your decision on that. BTW: Actually, I _do_ programming for non-unix (embedded systems mostly), so portability is usually a high priority for me. > If you care only about UNIX systems, that's your lookout. > > It's not the lookout of the GnuPG developers. I never questioned _that_... > >> GnuPG may fail well in that situation. But will _all_ your > >> applications fail well in that situation? Especially ones which > >> can't afford to block for minutes until the /dev/random pool > >> replenishes? > > > > Well, that's why I asked how many random data gnupg consumes when > > encrypting. > > Please re-read my answer. > > GnuPG _doesn't_ diminish /dev/random when encrypting, because it uses > its own pseudorandom number generator, which is why it uses random_seed. Still no answer to what happens when random_seed is to be avoided. From the beginning of the thread I have made clear that I want to avoid the random_seed file and you keep explaining me what the intent of this file is. > > AFAIK, having random_seed be accessible to unauthorized people is not > > acceptable. Thus I have no choice > > You always have a choice. I'd suggest rearchitecting your solution. Oh, you already mentioned that. And I responded that I'm open for suggestions. > Your current solution does not strike me as particularly sound. You keep talking in riddles. What exaclty is wrong with my current solution? I will be happy to fix it if you can tell me what's wrong. > > I never had a radioisotope RNG and I will probably never have such a > > beast. On an average system /dev/random collects entropy from > > keystrokes, mouse events, network traffic and such things. > > Please consider this very carefully: > > _GnuPG has absolutely no way of knowing the internals of /dev/random._ > > None. Nada. Zilch. Zero. GnuPG doesn't know, doesn't care. > > Also, please consider this very carefully, too: > > _There is no such thing as an 'average' GnuPG system._ > > What's an average GnuPG system? Is it BeOS? Win32? Debian GNU/Linux? > Fedora? FreeBSD? OS X? Hey, why have you removed the quotes? From the context, it should be clear that the topic of this part of the mail was the quality of randomness sources and had nothing to do with gnupg. Is it by intent that you misunderstand me? > >> GnuPG has no control over how each UNIX handles /dev/random. If > >> GnuPG has no control over that, then GnuPG isn't going to rely on > >> that. > > > > On my system gnupg relies on /dev/random when keys are generated. > > Because it has no other choice. It needs highest-quality random values, > and it can block indefinitely until those values are available. (In > fact, it warns you it might block for a while.) Ough... Two mails ago you stated that the quality of /dev/random is poor (or at least not guaranteed) and now you turn 180 degrees and tell it's highest-quality. You keep confusing me.. > > I have no doubts about this. But I still don't have any clue what > > consequences --no-random-seed-file has. Will encryption process > > block? Will the random data be of bad quality? > > While I am certain answers exist to be found, I am not certain the > answers will do you much good. Well, David gave me the answer. Now you made me wondering what might be wrong with his answer... Would you please give a hint? From clbianco at tiscalinet.it Thu Sep 14 01:20:09 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Thu Sep 14 01:19:05 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732__27644.0509515398$1157663021$gmane$org@gmx.net> Message-ID: Sorry for my delay in the reply, but I am currently at a meeting outside Italy and my internet connection capabilities are a bit less than usual... Il /07 set 2006/, *Mica Mijatovic* ha scritto: > For some reasons I can't establish now, I got at the time wrong > impression that conversely was the case, namely that TJL73 is > translator into Italian. Well... Actually I do not need an Italian translator... At least, not yet! ;-) > Maybe because of that "anche" (in the > "Pagina disponsibile anche in"), or simply for I was reading > several documents at once (one of them being your GPG build > tutorial) Yes, in that case, instead, I deserve the credits for the tutorial itself, beside being also the official English translator... ;-) > of very similar writing style. After many years discussing together everyday on it.comp.sicurezza.pgp and it.comp.sicurezza.crittografia usenet groups, maybe we started to write in a similar way... ;-) > And when I'm already at the desk, just a brief note that if a > source code is being delivered as well, to the users, then it > tends to mean that matters of compiling become regular topic on a > user list too. I agree, but here we are dealing with building on a not-officially-supported platform, that's why I emphsized (and is also clearly written in my tutorial) that the procedure is not for every user... -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From mujyo at comcast.net Thu Sep 14 00:34:45 2006 From: mujyo at comcast.net (jgm) Date: Thu Sep 14 01:55:36 2006 Subject: Need non-writable --homedir In-Reply-To: <20060913195520.GE22329@raven.wolf.local> References: <20060910221650.GA6798@raven.wolf.local> <45070641.4070001@sixdemonbag.org> <20060913195520.GE22329@raven.wolf.local> Message-ID: <200609131534.45385.mujyo@comcast.net> On Wednesday 13 September 2006 12:55 pm, Josef Wolf wrote: > On Tue, Sep 12, 2006 at 02:10:57PM -0500, Robert J. Hansen wrote: > > I apologize if this email seems snarky. > > Robert, please get a beer and calm down. > > > However, I'm getting tired of repeating the same answers over and over > > again. > >>>>snip Josef, don't troll! While I'm only a lurker, I have to say your last email was the most vitriolic-loaded post I've ever read here and really goes against the overall helpful and peaceful tone set here by Werner, David, and the many other fine people who keep this list and gpg going. Please leave the baiting and so on out of gnupg-users, as it's really unpleasant. Anyway: relax (as you said yourself). Thanks for reading, ~haruki From blueness at gmx.net Thu Sep 14 15:02:39 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Thu Sep 14 15:02:30 2006 Subject: Compiling GnuPG 1.4.5 for Windows on Windows In-Reply-To: <87k64eev14.fsf@wheatstone.g10code.de> References: <44FEB6E5.1090409@gwi.net> <151144480.20060907040259__37816.359246108$1157601599$gmane$org@gmx.net> <1631875664.20060907225732@gmx.net> <87k64eev14.fsf@wheatstone.g10code.de> Message-ID: <521964942.20060914150239@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Fri, 08 Sep 2006, at 08:23:35 +0200, when Werner wrote: > On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: >> And when I'm already at the desk, just a brief note that if a source >> code is being delivered as well, to the users, then it tends to mean >> that matters of compiling become regular topic on a user list too. > It is just fine to talk about compiling problems here. Just make sure > that you indicate when you try to compile for Windows on a Windows > box [1]. Okay.[1a] >> > Pretty easy. You only need to take the po/gnupg.pot file, copy it to > po/en.po, translate just that string, add "en" to po/LINGUAS and > build. Thanks for this, Werner. ________________________ > [1] I can't imagine that anyone will ever try to compile on Windows > for a Unix box. [1a] That would be pretty perverse verily, perhaps for educational purposes only. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRQlS6bSpHvHEUtv8AQj8gAf6AjCT4+GVhZyvi5lXbs0/pybLIxA22wVS BDpM+b/IsF85LHVJur13YHwoHYG3vJlx0jJNdVRP6C6VcUipQuSuKCXIcGzWXAEM +lx9ePmclkzBi+HZRGNohqnQJedp69FVSh647fpS+joIIY7eR5prjJnhkeFpszfd cdFr8nlkP8leHQir0TCK0kZzXrSDh+gguqaEfqmvxoCC5swKSMsaIN3r8CUP0kM1 3TYQ/LUW+wArK5RVo0GMWJuIVwZgwaX9UBYHn933JvemzWndo/6dfcuiJe4huwO6 iyORRh/TW2apHCZLoyMGms8IQT+7LPPlPtNOVxxL/1uZTcoCvWNBCw== =FkTG -----END PGP SIGNATURE----- From wk at gnupg.org Thu Sep 14 16:50:39 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 14 17:43:08 2006 Subject: [Announce] libgpg-error 1.4 released Message-ID: <87y7smec3k.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From supraexpress at globaleyes.net Sun Sep 10 05:30:20 2006 From: supraexpress at globaleyes.net (User1001) Date: Thu Sep 14 17:52:48 2006 Subject: dump/dd/tar + gpg > tape = file write error In-Reply-To: <20060909060957.GA17466@xyzzy.org.uk> References: <20060909060957.GA17466@xyzzy.org.uk> Message-ID: <450386CC.2080603@globaleyes.net> Thanks for the suggestion. Your "pipeline assumption" was correct. I have an Exabyte SCSI-3 tape drive which is faster than most DAT drives, so it is worth it to see if I can get "encrypted backups" to work easily enough. Next - I will be experimenting with encrypting backups via ISO (CD images), and will probably need a similar pipeline. Bob Dunlop wrote: > Hi, > > On Fri, Sep 08 at 09:54, User1001 wrote: >> When attempting to back up a filesystem with GPG to encrypt the stream, >> the result (so far) has always been: >> >> gpg: /dev/sa0: write error: Invalid argument >> gpg: iobuf_flush failed on close: file write error >> >> no matter what method (dump, dd, tar, etc.) was used to create the "dump >> stream". It appears to occur only at the end of the "dump stream". >> Different options for dd (conv=notrunc conv=osync) don't make any >> difference. Using the "--batch" option for GPG doesn't make any difference. >> >> Is there a way to correct this (without creating any new files)? > > It's difficult to know what you're actually doing without some example > of the command pipeline you're using. > > I'm guessing it's something like this: > > dd,tar,etc to create archive | gpg -e -r ID > /dev/sa0 > > If so the problem is that many tape device drivers are not the friendliest > for standard applications to write to. Drivers tend to be fussy about > block sizes, have very primative seek capability if any and do strange > things at EOF. > > The trick I'd suggest is to use dd on the output side of gpg as a buffer > for the tape mechanism. You should need to do no conversion other than > possibly pad the final block. I'd also make sure the tape is rewound > before you start. Hence: > > mt -f /dev/sa0 rewind > dd,tar,etc to create archive | gpg -e -r ID | dd bs=4096 of=/dev/sa0 conv=sync > > > ps. This is from memory. The last tape drive I possess has been sitting > in the recycle/spares pile for several years now. From johanw at vulcan.xs4all.nl Thu Sep 14 22:26:45 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Sep 14 22:30:13 2006 Subject: Need non-writable --homedir In-Reply-To: <20060910204458.GC20567@raven.wolf.local> Message-ID: <200609142026.k8EKQjXm011043@vulcan.xs4all.nl> Josef Wolf wrote: >I need a setup where the user running "gpg -e -r foobar" is not able to >modify keyring contents. I tried: > > # chown -R root:user ~user/.gnupg > # chmod -R o=rwX,g=rX,o= ~user/.gnupg You'd better use chattr -i on it. > to use --lock-never as long as it is guaranteed that _only_ "gpg -e" > is ever run? No key generation, no imports, no signung. Only > "gpg -e". Is this safe? Of course, the file can't become corrupt and it has no influence on files you sign and/or encrypt. > 2. There's the random_seed file. It is modified at every run. How can > I handle this? chattr -i the keyring files but leave out the random_seed. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From oskar at rbgi.net Fri Sep 15 20:03:37 2006 From: oskar at rbgi.net (Oskar L.) Date: Fri Sep 15 20:02:47 2006 Subject: Structure of pubring.gpg In-Reply-To: <87veol12ht.fsf@wheatstone.g10code.de> References: <2174.62.142.192.136.1156221677.squirrel@mail.rbgi.net> <87veol12ht.fsf@wheatstone.g10code.de> Message-ID: <3254.62.142.192.136.1158343417.squirrel@mail.rbgi.net> >> Why are the keys in pubring.gpg in the order in witch they were >> imported? > > pubring.gpg is an internal data structure of gpg and only to be used > by gpg. If you want to export import stuff, you need to use the gpg > commands --import or --export. Yes, I know how to import and export keys. But I was wondering why gpg does not arrange the keys automatically by ID or by something else. I think it is bad that in the unfortunate case that someone gets hold of my keyrings they can see in what order I have imported the keys. It would also be convenient if you would get a sorted list with --list-keys. Oskar > Shalom-Salam, > > Werner From nospam_maschoch at compuserve.com Sun Sep 17 15:31:47 2006 From: nospam_maschoch at compuserve.com (Martin Schoch) Date: Sun Sep 17 15:43:35 2006 Subject: Synchronize keyrings Message-ID: Hi I have secure/public keyrings on two different systems (Windows and Linux). How to easily synchronize the to keyrings? On both systems I insert up and now some new public keys - but they should be available on both systems. -- ms From JPClizbe at comcast.net Mon Sep 18 03:04:11 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Sep 18 03:04:04 2006 Subject: Synchronize keyrings In-Reply-To: References: Message-ID: <450DF08B.6030602@comcast.net> Martin Schoch wrote: > Hi > > I have secure/public keyrings on two different systems (Windows and > Linux). How to easily synchronize the to keyrings? On both systems I > insert up and now some new public keys - but they should be available > on both systems. > If you're signing keys with local signatures include --import-options import-local-sigs before --import or in each machine's gpg.conf On the windows box gpg --import pubring.gpg.linux On the linux box gpg --import pubring.gpg.windows I'll leave it to you to decide the best way to get each of the public keyring files copied to the other machine. Just make sure you don't overwrite one of the files when copying. BTW, this also works for the secret keyring, secring.gpg. #include There is no guarantee that this will continue to work. The keyring storage format is up to the implementation authors and is subject to change. The canonical approach is to export, transfer, then import. -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060917/82266648/signature-0001.pgp From anogeorgeo at softhome.net Mon Sep 18 04:02:36 2006 From: anogeorgeo at softhome.net (anogeorgeo@softhome.net) Date: Mon Sep 18 04:21:30 2006 Subject: Option file setting of cipher and hash not global? Message-ID: Hi, --I hope this is not a double post, forgive me if it is-- My system: Windows XP Home SP2 GnuPG 1.4.5 I wish to have GnuPG automatically use the cipher algo TWOFISH and hash algo RIPEMD-160 for all keys that are created. I have these settings in my "gpg.conf": cipher-algo TWOFISH digest-algo RIPEMD160 s2k-cipher-algo TWOFISH s2k-digest-algo RIPEMD160 But when I create a new key and use "showpref" I find the key is using the cipher AES256 and the hash SHA1. Is it possible to make all keys use TWOFISH and RIPEMD-160 by default? Also, is there a batch command that will automatically process the "setpref" command after "gpg --edit-key {key@email.com}" is processed? I tried using the following batch file but it prompts to "Command>" after processing "gpg --edit-key {key@email.com}": --- cd "C:\Program Files\GnuPG" gpg --edit-key {key@email.com} setpref S10 S9 S3 H3 H10 H9 Z2 Z1 --- Thank you, Anothony From anogeorgeo at softhome.net Mon Sep 18 02:32:48 2006 From: anogeorgeo at softhome.net (anogeorgeo@softhome.net) Date: Mon Sep 18 04:21:40 2006 Subject: Option file setting for cipher and hash not global? Message-ID: Hi, My system: Windows XP Home SP2 GnuPG 1.4.5 I wish to have GnuPG automatically use the cipher algo TWOFISH and hash algo RIPEMD-160 for all keys that are created. I have these settings in my "gpg.conf": cipher-algo TWOFISH digest-algo RIPEMD160 s2k-cipher-algo TWOFISH s2k-digest-algo RIPEMD160 But when I create a new key and use "showpref" I find the key is using the cipher AES256 and the hash SHA1. Is it possible to make all keys use TWOFISH and RIPEMD-160 by default? Also, is there a batch command that will automatically process the "setpref" command after "gpg --edit-key {key@email.com}" is processed? I tried using the following batch file but it prompts to "Command>" after processing "gpg --edit-key {key@email.com}": --- cd "C:\Program Files\GnuPG" gpg --edit-key {key@email.com} setpref S10 S9 S3 H3 H10 H9 Z2 Z1 --- Thank you, Anothony From dshaw at jabberwocky.com Mon Sep 18 05:39:20 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 18 05:37:45 2006 Subject: Option file setting for cipher and hash not global? In-Reply-To: References: Message-ID: <20060918033920.GB27425@jabberwocky.com> On Sun, Sep 17, 2006 at 06:32:48PM -0600, anogeorgeo@softhome.net wrote: > Hi, > > My system: > Windows XP Home SP2 > GnuPG 1.4.5 > > I wish to have GnuPG automatically use the cipher algo TWOFISH and hash > algo RIPEMD-160 for all keys that are created. > > I have these settings in my "gpg.conf": > cipher-algo TWOFISH > digest-algo RIPEMD160 > s2k-cipher-algo TWOFISH > s2k-digest-algo RIPEMD160 > > But when I create a new key and use "showpref" I find the key is using the > cipher AES256 and the hash SHA1. > > Is it possible to make all keys use TWOFISH and RIPEMD-160 by default? I think you're asking for this: default-preference-list TWOFISH RIPEMD160 However, note that this controls what other people use when encrypting to you, and not what ciphers you use when encrypting to them. Also note that if you only accept TWOFISH and RIPEMD160, you're going to get a lot (perhaps even most) of your encrypted messages actually encrypted with 3DES. TWOFISH is not as common as other ciphers (like AES), and a sender without TWOFISH will fail over to 3DES. David From laurent.jumet at skynet.be Mon Sep 18 08:33:21 2006 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Mon Sep 18 08:32:54 2006 Subject: Option file setting for cipher and hash not global? References: Message-ID: <006e01c6daec$6b6ab490$2eacf351@zebu> Hello anogeorgeo@softhome.net ! > I wish to have GnuPG automatically use the cipher algo TWOFISH and hash > algo RIPEMD-160 for all keys that are created. > > I have these settings in my "gpg.conf": > cipher-algo TWOFISH > digest-algo RIPEMD160 > s2k-cipher-algo TWOFISH > s2k-digest-algo RIPEMD160 > > But when I create a new key and use "showpref" I find the key is using the > cipher AES256 and the hash SHA1. > > Is it possible to make all keys use TWOFISH and RIPEMD-160 by default? > > Also, is there a batch command that will automatically process the > "setpref" command after "gpg --edit-key {key@email.com}" is processed? I > tried using the following batch file but it prompts to "Command>" after > processing "gpg --edit-key {key@email.com}": > I think you should use those options in the GPG.CONF file: (Those are mine, of course you may choose your own). default-preference-list S7 S10 S3 S4 S2 H3 H2 H1 Z3 Z2 Z1 Z0 personal-cipher-preferences S7 S10 S3 S4 S2 personal-digest-preferences H3 H2 H1 personal-compress-preferences Z3 Z2 Z1 -- Laurent Jumet KeyID: 0xCFAF704C From laurent.jumet at skynet.be Mon Sep 18 08:36:04 2006 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Mon Sep 18 08:35:44 2006 Subject: GPG 1.4.5 algorythms... Message-ID: Hello ! ?????????????????????????????????????????????????????????? ? Cipher-Algos: ? Digest-Algos: ? Compress-Algos: ? ?????????????????????????????????????????????????????????? ? ? ? Z0 Uncompressed ? ? S1 IDEA ? H1 MD5 ? Z1 ZIP ? ? S2 3DES ? H2 SHA1 ? Z2 ZLIB ? ? S3 CAST5 ? H3 RIPEMD160 ? Z3 BZIP2 ? ? S4 BLOWFISH ? ? ? ? ? ? ? ? ? H6 TIGER192 ? ? ? S7 AES ? ? ? ? S8 AES192 ? H8 SHA256 ? ? ? S9 AES256 ? H9 SHA384 ? ? ? S10 TWOFISH ? H10 SHA512 ? ? ? ? H11 SHA224 ? ? ?????????????????????????????????????????????????????????? -- Laurent Jumet KeyID: 0xCFAF704C From v.makauskas at pzu.lt Mon Sep 18 12:19:36 2006 From: v.makauskas at pzu.lt (Vidas Makauskas) Date: Mon Sep 18 13:51:29 2006 Subject: PGP 6.5.8 - PGP 7.7.4 compatability with gpg 1.4.2 Message-ID: <000001c6db0b$f15cc5b0$8400010a@pzu.lt> Hi, I've been crypting files with gpg 1.2.2 on SUSE8.2 distribution. Partners use PGP 6.5.8 - PGP 7.7.4 for decrypting. I need transfer crypting to SuseEnterpriseServer10 with gpg 1.4.2 by default in distribution. Problem is, that partners can't decrypt my files now. Before encryption i export secret key from SUSE8.2: gpg --armor --export-secret-keys SECRET >SECRET.ASC and import to SLES10. gpg --import SECRET.ASC gpg --import PARTNER.PKR - public key Our partners cant't decrypt my files now. PGP use DH/DSS 1024-4096 GPG use DSA and ElGamal 1024-2048 How can I check used key formats and change by default? How can I be sure what i use DSA and ElGamal 1024-2048 by default? I check ability to uninstall gpg1.4.2 and install gpg1.2.2, And get many affected SLES10 packets by requirements: pattern:base-10-51.20.i586 has missing dependencies pattern:gnome-10-51.20.i586 has missing dependencies pattern:apparmor-10-51.20.i586 has missing dependencies pattern:SUSE-Linux-Enterprise-Server-i386-10-0.i686 has missing dependencies pattern:x11-10-51.20.i586 has missing dependencies pattern:print-server-10-51.20.i586 has missing dependencies yast2-xml-2.13.2-1.3.i586 has missing dependencies cups-1.1.23-40.6.i586 has missing dependencies rpm-4.4.2-43.4.i586 has missing dependencies kernel-smp-2.6.16.21-0.8.i586 has missing dependencies libzypp-1.2.0-1.21.i586 has missing dependencies ghostscripts-library-8.15.2rc1-20.4.i586 has missing dependencies rug-7.1.1.0-18.23.i586 has missing dependencies gpg2-1.9.18-17.2.i586 has missing dependencies net-snmp-5.3.0.1-25.2.i586 has missing dependencies gpgme-1.0.3-16.2.i586 has missing dependencies hplip-hpijs-0.9.7-19.2.i586 has missing dependencies and many many yast2 packets There fore I'm affraid downgrade gpg. Does I break system if uninstall 1.4.2 and install 1.2.2 packets only. How can i resolve compatability? Vidas Makauskas Programuotojas, IT departamentas Tel.:(5)2490920 From alphasigmax at gmail.com Mon Sep 18 14:37:02 2006 From: alphasigmax at gmail.com (Alphax) Date: Mon Sep 18 14:35:47 2006 Subject: PGP 6.5.8 - PGP 7.7.4 compatability with gpg 1.4.2 In-Reply-To: <000001c6db0b$f15cc5b0$8400010a@pzu.lt> References: <000001c6db0b$f15cc5b0$8400010a@pzu.lt> Message-ID: <450E92EE.2050807@gmail.com> Vidas Makauskas wrote: > Hi, > I've been crypting files with gpg 1.2.2 on SUSE8.2 distribution. > Partners use PGP 6.5.8 - PGP 7.7.4 for decrypting. > > I need transfer crypting to SuseEnterpriseServer10 with gpg 1.4.2 by default > in distribution. > Problem is, that partners can't decrypt my files now. > > Before encryption i export secret key from SUSE8.2: > gpg --armor --export-secret-keys SECRET >SECRET.ASC > > and import to SLES10. > gpg --import SECRET.ASC > gpg --import PARTNER.PKR - public key > > Our partners cant't decrypt my files now. > PGP use DH/DSS 1024-4096 > GPG use DSA and ElGamal 1024-2048 > How can I check used key formats and change by default? > How can I be sure what i use DSA and ElGamal 1024-2048 by default? > There are compatibility options you can set in GPG via either the command line or ~/.gnupg/gpg.conf (-- is removed for config files): Use --pgp6 or --pgp7 depending on which version of PGP they are using. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060918/60ad8bab/signature.pgp From wk at gnupg.org Mon Sep 18 15:20:02 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 18 15:26:49 2006 Subject: GnuPG 1.9.23 released Message-ID: <877j01cnwd.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of GnuPG 1.9.23 - the branch of GnuPG heading towards a GnuPG 2.0 and featuring the OpenPGP as well as the S/MIME protocol. This is a BETA release and not suitable for production use! Noteworthy changes in version 1.9.23 (2006-09-18) ------------------------------------------------- * Regular man pages for most tools are now build directly from the Texinfo source. * The gpg code from 1.4.5 has been fully merged into this release. For production use of OpenPGP the gpg version 1.4.5 is still recommended. Note, that gpg will be installed under the name gpg2 to allow coexisting with an 1.4.x gpg. * API change in gpg-agent's pkdecrypt command. Thus an older gpgsm may not be used with the current gpg-agent. * The scdaemon will now call a script on reader status changes. * gpgsm now allows file descriptor passing for "INPUT", "OUTPUT" and "MESSAGE". * The gpgsm server may now output a key listing to the output file handle. This needs to be enabled using "OPTION list-to-output=1". * The --output option of gpgsm has now an effect on list-keys. * New gpgsm commands --dump-chain and list-chain. * gpg-connect-agent has new options to utilize descriptor passing. * A global trustlist may now be used. See doc/examples/trustlist.txt. * When creating a new pubring.kbx keybox common certificates are imported. Note, that gpg2 is now build by default and may actually be used. There are some minor things missing but most people should not be affected by this. Please test this release and report bugs. If you are a translator, please do not yet start with translations but wait for the first release candidate which is planned for early October. You may download it from one of the mirrors as listed at http://www.gnupg.org/download/mirrors.html or direct from the master server ftp://ftp.gnupg.org: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.23.tar.bz2 (2227k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.23.tar.bz2.sig or as a patch against the previous release: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.22-1.9.23.diff.bz2 (495k) For help on installing or running GnuPG 1.9 you should send mail to the gnupg-users mailing list or to one of the country specific lists. See http://www.gnupg.org/documentation/mailing-lists.html . Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money. Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by gpg's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. Happy hacking, Werner -- Werner Koch The GnuPG Experts http://g10code.com Join the Fellowship and protect your Freedom! http://www.fsfe.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20060918/e185bcef/attachment.pgp From anogeorgeo at softhome.net Mon Sep 18 19:33:52 2006 From: anogeorgeo at softhome.net (anogeorgeo@softhome.net) Date: Mon Sep 18 19:32:12 2006 Subject: Compatability option question (pgp2) Message-ID: Hi, I am cuirous about the available compatability options for PGP used within gpg.conf. If I add "pgp2" to my gpg.conf will GnuPG only use the settings associated with "pgp2" when I am encrypting to a key made with PGP 2.x, 6.x, etc? Or, would "pgp2" over-ride other settings I have in gpg.conf? Thank you, Anothony From wk at gnupg.org Tue Sep 19 15:01:05 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 19 15:24:58 2006 Subject: [Announce] GnuPG Logo Contest Message-ID: <87ac4w9fji.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From yohman at gwi.net Tue Sep 19 19:34:02 2006 From: yohman at gwi.net (C Yohman) Date: Tue Sep 19 19:32:31 2006 Subject: Gnupg-users Digest, Vol 36, Issue 8 Message-ID: <45102A0A.4000002@gwi.net> Carlo's instructions worked. Thank you to everyone else. It works, except it failed one test. Is that test important? *OUTPUT* make check-TESTS make[2]: Entering directory `/home/Chance/gnupg-1.4.5/checks' gpg (GnuPG) 1.4.5 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: . Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 PASS: version.test PASS: mds.test PASS: decrypt.test PASS: decrypt-dsa.test PASS: sigs.test PASS: sigs-dsa.test PASS: encrypt.test PASS: encrypt-dsa.test PASS: seat.test PASS: clearsig.test PASS: encryptp.test PASS: detach.test PASS: armsigs.test PASS: armencrypt.test PASS: armencryptp.test PASS: signencrypt.test PASS: signencrypt-dsa.test PASS: armsignencrypt.test PASS: armdetach.test PASS: armdetachm.test PASS: detachm.test PASS: genkey1024.test PASS: conventional.test FAIL: conventional-mdc.test PASS: multisig.test PASS: verify.test PASS: armor.test ================================== 1 of 27 tests failed Please report to bug-gnupg@gnu.org ================================== make[2]: *** [check-TESTS] Error 1 make[2]: Leaving directory `/home/Chance/gnupg-1.4.5/checks' make[1]: *** [check-am] Error 2 make[1]: Leaving directory `/home/Chance/gnupg-1.4.5/checks' > ------------------------------ > > Message: 2 > Date: Thu, 14 Sep 2006 15:02:39 +0200 > From: Mica Mijatovic > Subject: Re: Compiling GnuPG 1.4.5 for Windows on Windows > To: Werner Koch > Message-ID: <521964942.20060914150239@gmx.net> > Content-Type: text/plain; charset=us-ascii > > Was Fri, 08 Sep 2006, at 08:23:35 +0200, > when Werner wrote: > >>> On Thu, 7 Sep 2006 22:57, Mica Mijatovic said: > >>>> And when I'm already at the desk, just a brief note that if a source >>>> code is being delivered as well, to the users, then it tends to mean >>>> that matters of compiling become regular topic on a user list too. > >>> It is just fine to talk about compiling problems here. Just make sure >>> that you indicate when you try to compile for Windows on a Windows >>> box [1]. > > Okay.[1a] > >>>> > >>> Pretty easy. You only need to take the po/gnupg.pot file, copy it to >>> po/en.po, translate just that string, add "en" to po/LINGUAS and >>> build. > > Thanks for this, Werner. > > > ________________________ > >>> [1] I can't imagine that anyone will ever try to compile on Windows >>> for a Unix box. > > [1a] That would be pretty perverse verily, perhaps for educational > purposes only. > > -- > Mica > ~~~ For personal mail please use my address as it is *exactly* given > in my "From" field, otherwise it will not reach me. ~~~ > GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ > http://tronogi.tripod.com/pgp/pgpkeys/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060919/9bc9667a/signature.pgp From wk at gnupg.org Tue Sep 19 21:13:28 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 19 21:16:43 2006 Subject: Manuals online Message-ID: <87hcz37jqf.fsf@wheatstone.g10code.de> Hi, In case you need access to GnuPG etc. manuals, you may now go to http://www.gnupg.org/documentation/manuals/ . Not very pretty yet and not integrated in the website but it is a start. Publishing the latest manuals is now a mere "make online" ;-) I still need to figure out how to convince makeinfo to insert a proper css link and not to inline its own css stuff. Salam-Shalom, Werner From blueness at gmx.net Wed Sep 20 02:40:14 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Wed Sep 20 02:43:24 2006 Subject: [Announce] GnuPG Logo Contest In-Reply-To: <87ac4w9fji.fsf@wheatstone.g10code.de> References: <87ac4w9fji.fsf@wheatstone.g10code.de> Message-ID: <545415814.20060920024014@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Tue, 19 Sep 2006, at 15:01:05 +0200, when Werner wrote: > Hi! > After 8 years the time has come to modernize the GnuPG logo and to > work on a new layout of the website. > We appreciate Thomas L?ffelholz's Gnus-guarding-the-door logo which > has served us for a long time. However, GnuPG has moved forward and > is not anymore a plain OpenPGP application but features other > protocols as well (S/MIME and partly Secure Shell). Further, the > current logo is too detailed to be used as an icon or to be printed on > a t-shirt. Thus we want to have a new modern logo. > To get to such a logo we try something new: We ask you to donate to > the logo contest and then offer the collected funds to the winner of > that contest. > Here are the rules for the contest: > * Submissions should be send by mail to logo-contest at gnupg dot org. > Sending just an URL is recommended. At least one PNG scaled to 300 > pixel on one axis is required. Sending a design concept is > appreciated. > * The design should convey the message of freedom and privacy. It > must not exploit or offend anyone's sex, race or religion, be > obscene or propagate violence. > * The logo shall be available in a free format (bitmap or vector) and > eventually made available in source form, modifiable using Free > Software (xcf, fig, etc.). The submitter's name and snail mail > address is required for exchanging legal papers. > * The winning submitter must agree to assign the copyright to the FSF > and attach no other restrictions to the use of the logo. All > submitters must declare that they do not infringe the rights of > another party and that publishing their logos for the purpose of > this contest is acceptable. > * The contest runs until *October 31, 2006*. A jury will then select > the winning submission. The winner will receive 50% of the > collected funds. The three top rated submitters are eligible for a > gnupg dot org mail alias. Done! A very nice fresh almost ultra modern logo I myself would like to see on my T-shirt (and I am very picky as to my T-shirts, just to mention, willing not to wear just anything -- especially not on a dressy evening occasions), or as a badge or whatever a logo could appear on. There is a certain problem though, I am afraid... I know how to make a picture, indeed, but axis this and axis that I have not a slight idea about. Is there perhaps some manual for this? I work in Gimp, if that is of significance. - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRRCN7LSpHvHEUtv8AQj7wAf+JC5aOAJ/h9lqso20kT1aOdDBJcpEgTng vUF7T2mO6fTsHT7yh4+zp/yRuKKhQAkfbdsVSPdcodfZYOpOPDEzacv1fPv2uIzC xNzfmqO1N4Vy0FgorOW6FEnrliT6N4Xbk3lwlJJiK7z4mlWbc988pFHSt4NQ4S8U n0toIHEZ4lZrG5LkwjtzE9Xj25f8UvzgONhd9YKT9gMR7lnlZmoUnE8XQDjdXoeq GdZTKpoxvTY8L9gDVBQinJ2u0h5ptBS6Vs2tB/z1qpDt1enEL/CX4trsu4Jg9z36 hLt2i6Kh7gcv6/rOC23a3W2MmSLtEvcggO+j9PluJhZnJKWSDpABLw== =u9Yy -----END PGP SIGNATURE----- From bdesham at gmail.com Wed Sep 20 03:06:19 2006 From: bdesham at gmail.com (Benjamin Esham) Date: Wed Sep 20 04:51:40 2006 Subject: [Announce] GnuPG Logo Contest In-Reply-To: <545415814.20060920024014@gmx.net> References: <87ac4w9fji.fsf@wheatstone.g10code.de> <545415814.20060920024014@gmx.net> Message-ID: Mica Mijatovic wrote: > Done! > > A very nice fresh almost ultra modern logo I myself would like to > see on > my T-shirt (and I am very picky as to my T-shirts, just to mention, > willing not to wear just anything -- especially not on a dressy > evening > occasions), or as a badge or whatever a logo could appear on. > > There is a certain problem though, I am afraid... I know how to make a > picture, indeed, but axis this and axis that I have not a slight idea > about. Hi Mica, I believe what Werner meant was that your submitted image should be at least 300 pixels wide or 300 pixels tall. (Of course, the bigger the better :-)) HTH, -- Benjamin D. Esham bdesham@gmail.com | AIM: bdesham128 | Jabber: same as e-mail -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20060919/10092c41/PGP.pgp From alphasigmax at gmail.com Wed Sep 20 07:10:08 2006 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 20 07:12:26 2006 Subject: Gnupg-users Digest, Vol 36, Issue 8 In-Reply-To: <45102A0A.4000002@gwi.net> References: <45102A0A.4000002@gwi.net> Message-ID: <4510CD30.9050107@gmail.com> C Yohman wrote: > Carlo's instructions worked. Thank you to everyone else. It works, > except it failed one test. Is that test important? > It's a known issue with building on MSYS. The problem/fix is as follows: > If you get 'FAIL: conventional-mdc.test' during the check phase of the > build the problem is caused by dd.exe from coreutils-bin v5.3.0 > Sometimes the test passes sometimes fails. > You will need the Cygwin version of dd.exe; you can get it from coreutils-5.2.1.bin.zip at http://tinyurl.com/jrjmw (Yahoo Groups). Mica has put up the relevant instructions and files at http://blueness.port5.com/gpgcvs/ based on the trial-and-error that a number of people went through to get "native" building on W32 to work. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060920/73644384/signature.pgp From r.post at sara.nl Wed Sep 20 08:03:53 2006 From: r.post at sara.nl (Remco Post) Date: Wed Sep 20 08:02:38 2006 Subject: gpg-agent and pinentry MacOS Message-ID: <4510D9C9.1090707@sara.nl> Hi All, yeaterday I installed Ben's packages for gnupg v2 and pinentry on macos X. They absolutely work as expected, tnx Ben! But, as others (and I) have noted, gpg-agent does not cache pinentries for ssh authentication, which basically means that you'll have to enter your pin every time you connect to a remote host. Not to long ago Werner responded that he would think about a change in gpg-agent to facilitate this. Now I was wondering what Werner has thought up? -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From wk at gnupg.org Wed Sep 20 08:34:19 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 20 08:36:36 2006 Subject: [Announce] GnuPG Logo Contest In-Reply-To: (Benjamin Esham's message of "Tue, 19 Sep 2006 21:06:19 -0400") References: <87ac4w9fji.fsf@wheatstone.g10code.de> <545415814.20060920024014@gmx.net> Message-ID: <8764fj59n8.fsf@wheatstone.g10code.de> On Wed, 20 Sep 2006 03:06, Benjamin Esham said: > I believe what Werner meant was that your submitted image should be at > least 300 pixels wide or 300 pixels tall. (Of course, the bigger the Well, it shall be either 300 pixels wide or tall - not smaller or larger. This only to make it easier to compare seleveral drafts. It would be somewhat unfair to compare a 2048*1024 logo with a 64*32 logo. It also helps me in that I don't need to scale logos to a unique size. Salam-Shalom, Werner From wk at gnupg.org Wed Sep 20 08:38:00 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 20 08:41:51 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <4510D9C9.1090707@sara.nl> (Remco Post's message of "Wed, 20 Sep 2006 08:03:53 +0200") References: <4510D9C9.1090707@sara.nl> Message-ID: <871wq759h3.fsf@wheatstone.g10code.de> On Wed, 20 Sep 2006 08:03, Remco Post said: > connect to a remote host. Not to long ago Werner responded that he would > think about a change in gpg-agent to facilitate this. Now I was > wondering what Werner has thought up? I can't remember the problem. I am using a card based as well as a disk based ssh key the whole day and the caching just works. There used to be a problem solved with gnupg 1.9.21 (June 20). Shalom-Salam, Werner From r.post at sara.nl Wed Sep 20 08:54:07 2006 From: r.post at sara.nl (Remco Post) Date: Wed Sep 20 08:52:38 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <871wq759h3.fsf@wheatstone.g10code.de> References: <4510D9C9.1090707@sara.nl> <871wq759h3.fsf@wheatstone.g10code.de> Message-ID: <4510E58F.4000307@sara.nl> Werner Koch wrote: > On Wed, 20 Sep 2006 08:03, Remco Post said: > >> connect to a remote host. Not to long ago Werner responded that he would >> think about a change in gpg-agent to facilitate this. Now I was >> wondering what Werner has thought up? > > I can't remember the problem. I am using a card based as well as a > disk based ssh key the whole day and the caching just works. > > There used to be a problem solved with gnupg 1.9.21 (June 20). > ok, excellent. I guess my memory isn't perfect then and this must be it. Now I was wondering.... at work I'm more or less forced to use a windows based x-terminal (exceed on win xp), has anybody done for windows (win pinentry?) like what Ben has done for the Mac? Of course this would only solve half the problem, but still, it would be a big step forward. > > Shalom-Salam, > > Werner > > -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint: 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From wk at gnupg.org Wed Sep 20 09:24:58 2006 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 20 09:26:34 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <4510E58F.4000307@sara.nl> (Remco Post's message of "Wed, 20 Sep 2006 08:54:07 +0200") References: <4510D9C9.1090707@sara.nl> <871wq759h3.fsf@wheatstone.g10code.de> <4510E58F.4000307@sara.nl> Message-ID: <87venj3sqd.fsf@wheatstone.g10code.de> On Wed, 20 Sep 2006 08:54, Remco Post said: > x-terminal (exceed on win xp), has anybody done for windows (win pinentry?) > like what Ben has done for the Mac? Of course this would only solve half the > problem, but still, it would be a big step forward. The pinentry tarball also comes with a Windows versions. This version is far form being well tested but we once had some success. Anyway, the GnuPG 2 port for Windows we did 2 years ago was not compelete and I am not sure whether it still builds. Recall that Mac OS X is a Unix system wheres Windows is very different from Unix. Salam-Shalom, Werner From benjamin at py-soft.co.uk Wed Sep 20 16:37:25 2006 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed Sep 20 16:36:18 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <4510D9C9.1090707@sara.nl> References: <4510D9C9.1090707@sara.nl> Message-ID: <45115225.6010207@py-soft.co.uk> Remco Post wrote: > yeaterday I installed Ben's packages for gnupg v2 and pinentry on macos > X. They absolutely work as expected, tnx Ben! That's great news! :-) > But, as others (and I) have noted, gpg-agent does not cache pinentries > for ssh authentication, which basically means that you'll have to enter > your pin every time you connect to a remote host. N I think that's been fixed in the latest version. Unfortunately, I was busy packaging up 1.4.5 and haven't had chance to look at gpg2 again. I'll try to get a "proper" package for gpg2 done over the next week or so. Take care, Ben From r.post at sara.nl Wed Sep 20 16:53:03 2006 From: r.post at sara.nl (Remco Post) Date: Wed Sep 20 16:51:45 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <45115225.6010207@py-soft.co.uk> References: <4510D9C9.1090707@sara.nl> <45115225.6010207@py-soft.co.uk> Message-ID: <451155CF.3020308@sara.nl> Benjamin Donnachie wrote: > I think that's been fixed in the latest version. Unfortunately, I was > busy packaging up 1.4.5 and haven't had chance to look at gpg2 again. > I'll try to get a "proper" package for gpg2 done over the next week or so. > cool, thanks. > Take care, > > Ben -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint: 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From rjh at sixdemonbag.org Thu Sep 21 14:59:06 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu Sep 21 14:57:49 2006 Subject: DSA2 In-Reply-To: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> Message-ID: <45128C9A.8040906@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Nicholas Cole wrote: > I am right that this is not a new algorithm as such, The problem with describing anything as a 'new algorithm' is, where do you draw the line for new? Changing just one line in a specification could be enough to categorize something as 'new', if you wanted to define it that way. It's more apt to say that DSA2 is very closely related to the original DSA. DSA2 is a logical outgrowth of the older DSA specification. > it is just the old one with longer key sizes? And better hash algorithms. > And that the only reason it has been restricted to 1024 in the past > is a US standard? DSA is part of a United States FIPS (Federal Information Processing Standard). In this FIPS a scheme called DSS, the Digital Signature Standard, is defined. DSS specifies that DSA with SHA-1 will be used for all signatures. > Or was there any fear that a larger key size with that algorithm > would not provide security? At the time DSA was designed, 1024 bits of the Discrete Logarithm Problem was widely considered to be enough for all practical purposes. It isn't considered to be so any longer and various attacks are being discovered against SHA-1 (which DSS requires to be used with DSA), so a revised FIPS was put out addressing these two concerns. > Is the new upper limit of 3072 bits picked for any particular reason? Because this is the new upper limit in the FIPS. If you're asking why the FIPS chose 3072-bit keys as the upper limit, I suspect their reasoning is that attacking 3072-bit DLP is a pipe dream now and for the foreseeable future. For whatever it's worth, some critics of OpenPGP point to the lack of a hash function firewall in DSA and DSA2 keys as a big unresolved security issue. These critics are of the opinion the RSA signature specification is better-defined. While I haven't looked at the spec enough to see if DSA2 still lacks a hash function firewall, the criticism should probably be brought up and considered, especially if you're thinking of migrating your key to a different signature algorithm. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFEoyaAAoJELcA9IL+r4EJcswH/i9vvGkGRWBaSg8sgDkDMKAm EW+qYDo/HTm/QW5xRJtlM4AuaFwLIHGE222hGFhRKRXwris0wlCJCWV7dpVQbr61 LaNbpijkznpYv/sMweX5upIlC3g796yeVyKnkQKZB13j8Uayt5J0JVslyh/Sunb9 VuV0IbLEqjuN/+uYOm6Y1zKicHh6mn+2o2LSINGC854vg8LHJxpd1r+80yhvcVMl AdwyAcUeUGi5C70ejB+xr273QKNAUZTHf8xDb2E8NbUET8mD8nJY/KdpMB0rttbc E2cVjeGrGkBXfJG1cLH1QOTQInqXVK6J6BUcA5hvlEw+7Dxkp4tciK40/msT74E= =HZUZ -----END PGP SIGNATURE----- From npcole at yahoo.co.uk Thu Sep 21 16:41:32 2006 From: npcole at yahoo.co.uk (Nicholas Cole) Date: Thu Sep 21 18:21:47 2006 Subject: DSA2 In-Reply-To: <45128C9A.8040906@sixdemonbag.org> Message-ID: <20060921144132.7744.qmail@web26705.mail.ukl.yahoo.com> --- "Robert J. Hansen" wrote: [snip] > For whatever it's worth, some critics of OpenPGP > point to the lack of a > hash function firewall in DSA and DSA2 keys as a big > unresolved security > issue. These critics are of the opinion the RSA > signature specification > is better-defined. While I haven't looked at the > spec enough to see if > DSA2 still lacks a hash function firewall, the > criticism should probably > be brought up and considered, especially if you're > thinking of migrating > your key to a different signature algorithm. Dear Robert, Thanks for this. What is a "hash function firewall", for those of us who are mere mortals? :) Best, N ___________________________________________________________ Inbox full of spam? Get leading spam protection and 1GB storage with All New Yahoo! Mail. http://uk.docs.yahoo.com/nowyoucan.html From rjh at sixdemonbag.org Thu Sep 21 20:47:50 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu Sep 21 20:46:17 2006 Subject: DSA2 In-Reply-To: <20060921144132.7744.qmail@web26705.mail.ukl.yahoo.com> References: <20060921144132.7744.qmail@web26705.mail.ukl.yahoo.com> Message-ID: <4512DE56.9000808@sixdemonbag.org> Nicholas Cole wrote: > Thanks for this. What is a "hash function firewall", > for those of us who are mere mortals? :) In the real world we don't sign an entire message with our private key. Instead we take a hash of the message and sign the hash. Then we post the original message and our signature. Other people can hash the original message and compare it against our signed hash. If the two compare identically, then clearly it's a good signature, right? But there's one detail we're handwaving. How do you know what hash algorithm to use? There has to be some piece of data telling you "use SHA512" or "use SHA-1" or... Let's think of an attack against this scheme. Let's say that our message format puts _in the message_ "use SHA-512" or whatever, and there's no data _in the signature_ about what hash was used. Let's also say that I'm using a good hash algorithm, RIPEMD-128 [*]. How could we you the fact our format puts the hash data in the message to your advantage? Hmm. Well, you could use a very weak hash algorithm, such as MD4 [**]. You take a good signature off a message I've already signed, and you construct a forged message whose MD4 hash comes out identical to the RIPEMD-128 hash of my original (good) message. "Hi!" the message now reads. "This is Rob, and I'd like to donate megabucks to the Society of Evil Geniuses Working Together For a Better Tomorrow. Please empty my bank account. Hail Eris! Hail Discordia! Oh, and use MD4 to verify this message." You then take your forged message to the bank. They verify the (forged) signature to recover the original hash value. _They have no way of knowing it was originally a RIPEMD-128 hash_. So when they MD4-hash the message and see it's identical to the hash value in the signature, the bank takes it as a valid digital signature and empties my bank account. That's what it means for a signature scheme to lack a hash function firewall. A good hash function firewall makes this impossible. A hash function firewall means the signature carries data about itself, protected by a digital signature to make it tamper-resistant. If, in our previous example, the signature said "use RIPEMD-128", the bank would know to use the right hash algorithm... a strong one, resistant to cryptanalytic attacks. Without a hash function firewall, any critical compromise of any hash algorithm in the signature system puts the entire system in jeopardy. With a hash function firewall, only signatures using that compromised hash algorithm are jeopardized. This is why some critics think signing keys need to support firewalling. I don't know off the top of my head whether DSA supports firewalled hash functions or not. I believe that the last time I checked the spec, I came to the conclusion it did not. RSA signing keys, on the other hand, do support firewalling. This entire post has been a tremendous simplification of an esoteric area of cryptology. There are a great many nuances to the subject. I also haven't taken a magnifying glass to the OpenPGP spec in at least eighteen months, maybe more; things may have changed since then. Corrections from people who are up-to-date on the latest revision of the spec are always appreciated. [*] RIPEMD-128 is a 128-bit shortening of RIPEMD-160. It is at present believed cryptographically secure. It shouldn't be confused with RIPEMD, an earlier 128-bit hash, which is no longer considered cryptographically secure. [**] You can create collisions in MD4 with pen and paper. I'm not sure if MD4 is really weak enough for this example, but it's just a thought experiment, so let's assume it is. From alphasigmax at gmail.com Fri Sep 22 02:44:50 2006 From: alphasigmax at gmail.com (Alphax) Date: Fri Sep 22 02:43:51 2006 Subject: DSA2 In-Reply-To: <4512DE56.9000808@sixdemonbag.org> References: <20060921144132.7744.qmail@web26705.mail.ukl.yahoo.com> <4512DE56.9000808@sixdemonbag.org> Message-ID: <45133202.6000202@gmail.com> Robert J. Hansen wrote: > I don't know off the top of my head whether DSA supports firewalled hash > functions or not. I believe that the last time I checked the spec, I > came to the conclusion it did not. > > RSA signing keys, on the other hand, do support firewalling. > Interesting. I'm looking at the "official" (November 1998) RFC 2440 and it's not immediately obvious that this is the case; although both the Version 3 and Version 4 signature packet formats say that the hash algorithm is part of the body of the packet, it says of RSA signatures: > With RSA signatures, the hash value is encoded as described in PKCS-1 > section 10.1.2, "Data encoding", producing an ASN.1 value of type > DigestInfo, and then padded using PKCS-1 block type 01 [RFC2313]. > This requires inserting the hash value as an octet string into an > ASN.1 structure. The object identifier for the type of hash being > used is included in the structure. The hexadecimal representations > for the currently defined hash algorithms are: Note that it's also not immediately obvious what the format of the signature packet used in a clearsigned message is... I haven't looked at the "working draft" of the RFC but hopefully it's a lot clearer than the published version. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060922/6d5120c0/signature-0001.pgp From rjh at sixdemonbag.org Fri Sep 22 03:22:39 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri Sep 22 03:21:03 2006 Subject: DSA2 In-Reply-To: <45133202.6000202@gmail.com> References: <20060921144132.7744.qmail@web26705.mail.ukl.yahoo.com> <4512DE56.9000808@sixdemonbag.org> <45133202.6000202@gmail.com> Message-ID: <45133ADF.8090708@sixdemonbag.org> Alphax wrote: > Interesting. I'm looking at the "official" (November 1998) RFC 2440 and > it's not immediately obvious that this is the case; although both the > Version 3 and Version 4 signature packet formats say that the hash > algorithm is part of the body of the packet, it says of RSA signatures: If memory serves, the HFF is part of PKCS-1, which OpenPGP references heavily for its implementation of RSA signatures. ObWarning: I haven't studied it closely in quite some time. My memory may well be in error. From johnmoore3rd at joimail.com Fri Sep 22 05:15:25 2006 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Fri Sep 22 05:14:12 2006 Subject: DSA2 In-Reply-To: <45133202.6000202@gmail.com> References: <20060921144132.7744.qmail@web26705.mail.ukl.yahoo.com> <4512DE56.9000808@sixdemonbag.org> <45133202.6000202@gmail.com> Message-ID: <4513554D.4090206@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Alphax wrote: > Note that it's also not immediately obvious what the format of the > signature packet used in a clearsigned message is... I haven't looked at > the "working draft" of the RFC but hopefully it's a lot clearer than the > published version. If clarity is your goal; 2440bis isn't going to provide it. DSA2 is covered in the current Revision, but a 'Firewall Hash' is *not* present within or available for DSA Keys. The DSA2 Hash(s) are truncated versions of existing Hash algorithms. They 'work' the same as existing DSA Hash functions. JOHN ;) Timestamp: Thursday 21 Sep 2006, 23:14 --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4250: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org Comment: Homepage: http://tinyurl.com/9ubue Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFE1VLAAoJEBCGy9eAtCsPIooH/ixL0YLtxOO6382m0JYANckW XpII+TUQOmUtrHPktyEKRkX6lzaNKWZQFZIR0Sva63GfU1M7dXVkQW1LjoEBISat ISIIpnbKBcb7cEa9VY+Ro/YcC/EOBL4vNpHuKdNNMF7vVMoqEYNVkU+8GQ/7V+6+ SpQPWyaz9byPz6SpdaFK2cVlD7rTe+NYdRXom88CBLOl+hJuZ6ONCihEG3pEHgg9 wn0RzH/XUmlkr+h0iL/9PnKxLFpr6UQs8H7cYEyvfTUo9kHLBYyU4MY/41TnNV/R 9PJ5xLP/bkjjuh2xRg1qiB7GzEbKrGbmAFRwOVLeW/MAI8znOCZmmHaT/Rb60e8= =ASt2 -----END PGP SIGNATURE----- From eleuteri at myrealbox.com Fri Sep 22 06:30:00 2006 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Fri Sep 22 08:51:44 2006 Subject: Strange gnupg problem Message-ID: <000701c6ddff$c45324a0$0302a8c0@enterprise> Hi, Running gnupg version 1.4.5 under Windows 2000. Installed on top of an earlier pre-gpg4win instance. When creating a new subkey for encryption it all seems to go well, but after saving the key, the new subkey is not listed anymore. I've tried to create the new subkey twice, from the --edit-key prompt, with success both times, but once I enter "save" and do a --list-key or another --edit-key the newly created subkey is no longer there. Any clues? --David. From r.post at sara.nl Fri Sep 22 11:21:30 2006 From: r.post at sara.nl (Remco Post) Date: Fri Sep 22 11:20:33 2006 Subject: gpg-agent and pinentry MacOS In-Reply-To: <083743079D8BF041B38B3E2BE77A6F530A64C6EB@hwdsaddc.msdc.hcltech.com> References: <083743079D8BF041B38B3E2BE77A6F530A64C6EB@hwdsaddc.msdc.hcltech.com> Message-ID: <4513AB1A.9050601@sara.nl> Santhosh.G, ISDC Chennai wrote: > Can anyone tell me is there any way to decrypt a file without giving the > passphrase at all.....plz help > WHY??? The whole purpose of encrypting a file is to add a barrier, a layer of authentication, before it can be read. Now, I guess you could potentially create a 'no security'-key... one not protected by a passphrase, but you might as well not encrypt at all. > -----Original Message----- > From: gnupg-users-bounces+santhoshg=hcl.in@gnupg.org > [mailto:gnupg-users-bounces+santhoshg=hcl.in@gnupg.org] On Behalf Of > Werner Koch > > Sent: Wednesday, September 20, 2006 12:08 PM > To: Remco Post > Cc: gnupg-users@gnupg.org > Subject: Re: gpg-agent and pinentry MacOS > > On Wed, 20 Sep 2006 08:03, Remco Post said: > >> connect to a remote host. Not to long ago Werner responded that he would >> think about a change in gpg-agent to facilitate this. Now I was >> wondering what Werner has thought up? > > I can't remember the problem. I am using a card based as well as a > disk based ssh key the whole day and the caching just works. > > There used to be a problem solved with gnupg 1.9.21 (June 20). > > > Shalom-Salam, > > Werner > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint: 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From hidekis at gmail.com Fri Sep 22 10:16:50 2006 From: hidekis at gmail.com (Hideki Saito) Date: Fri Sep 22 12:21:42 2006 Subject: GnuPG discussion chat Message-ID: Hello, I've like to let you know that I have set up, as a part of GnuPG News Japan operation, the chat group on the service called Lingr. http://www.lingr.com/room/bmMry0UzI5W It is more or less on the topic, but might be nice and casual place for people to get quick answers to questions they may have. I've also setup English room as well, http://www.lingr.com/room/dnvEziIa6PE It works pretty well for webchat. Give it a try! -- Hideki Saito From j.lysdal at gmail.com Fri Sep 22 17:23:29 2006 From: j.lysdal at gmail.com (=?UTF-8?Q?J=C3=B8rgen_Lysdal?=) Date: Fri Sep 22 17:21:48 2006 Subject: subkeys.... Message-ID: <9afe34fe0609220823g675086f4w4ddebd77756715e9@mail.gmail.com> When a key expires, does it mean that subkeys are also expired? -- Jorgen Ch. Lysdal / 0x13CA0C06 From laurent.jumet at skynet.be Fri Sep 22 17:43:43 2006 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Fri Sep 22 18:43:45 2006 Subject: subkeys.... In-Reply-To: <9afe34fe0609220823g675086f4w4ddebd77756715e9@mail.gmail.com> Message-ID: Hello ! "J?rgen Lysdal" wrote: > When a key expires, does it mean that subkeys are also expired? The key below seems to expire in 2010 while its subkey never expire: === Begin Anders Eriksson (0x6D448760) pub.asc === -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.5 (MingW32) - GPGshell v3.52 mQGiBEQg8VYRBACOOXStH4ZhRLmGUDXghrFzlB/UU7Hkcitgkdr/HQeStKC3JRit pwqVvbpGe0y7v1EAXhvxt0GJ8JTNY6E5420O2fThOyKjaf5RoKAzRDb/GnCtuhv2 uvcOFQXR4pLGMekjeqr2GljFD4+CZCQxdHH7gyHoMYzLjqtH5v/py3O5PwCguwbj IK+gJwYyAP6U7hDlkUb7UyMD/j/8HlR0ySvhEIN5zu0f647Rat04uK9v+oqZe084 DVJhmiCpaNn6S4blfMMCxZAWtC7Np/C24c+/fwIVoUkwC60qN7nHUUTUWOBEWYOI 8nv+x8ZzoULRGY25DHRc2eKsBh2CZYUPNrR3++CGFOiLjpMlG9Kdf1jc/hKrvaks klI1A/0cbOuNtwG064repJ1IdB6xtswppCyIdb2oGYA8PWen4vI3xRihWaXGSKBI SIKJO/W88aQlBvZ/Rt08Pfxvfkw8TaJs4E2PCKHGrSV/S6aiwggUJHGYPmaJHn/5 87bkVM7sy9V5glZVH7dSK+qWQM2t42K/DjRgptBsp/kV0wj/hbQkQW5kZXJzIEVy aWtzc29uIDxhbmRlcnNAb3N0bGluZy5jb20+iF0EExECAB0FAkQg8dUFCQeGH/8F CwcKAwQDFQMCAxYCAQIXgAAKCRB28dAybUSHYOnMAJ9+CwLVNFS8WjokFZMKh0c7 KU2tpQCeNmiz4ASuGnIPODdD0gjs4aD0jym5AQ0ERCDxWRAEANGRh5WFIq1TmCD9 FgOuNRGFzANg1kLfOqsvW6GXROXREsR31HFmZ8DSly5eTjYNs9hO49HRqVTeDkyq 83KHnaBGik24fqV7yUx2l4ER0imBM7eepcVJwUE5HIm2gU+rqbrFVBmT/fle7UlS jGLLlhmjnSJV3o4kEpLFhlj9d/i7AAMFA/0WSfLjRlD75+Eg1CC8pb0xtaYtq2mR 4MNsFsFkdforC4218q/2Zjx1iU+Qyjg+KWPW/V0QCqKJy5wArl/lOPgIN2oP+UOq FMOxYV7iRq3x+D82ntlJhTwUAlS0ifHmJ/q8vkhAHVeVo3NSqJgKJWQX3kwJIomx qYbOYDmd5S+se4hGBBgRAgAGBQJEIPFZAAoJEHbx0DJtRIdgz9IAmwUeNJMDnkve Yi110dFf68sB5WC3AKCBmS4Gt9VmbynUsvYsAHz/7Xb9cw== =Ypr/ -----END PGP PUBLIC KEY BLOCK----- === End Anders Eriksson (0x6D448760) pub.asc === -- Laurent Jumet KeyID: 0xCFAF704C From kwh at upb.de Sat Sep 23 13:30:51 2006 From: kwh at upb.de (=?ISO-8859-15?Q?=22K=2E_W=2E_Holzwei=DFig=22?=) Date: Sat Sep 23 14:28:36 2006 Subject: HELP: Smartcard inactive Message-ID: <45151AEB.1060704@upb.de> Hi. I have been trying to get my GnuPG Smartcard to work on Suse 10.1 . I have had that thing working before on Suse 10.0. When I am trying to access the card I get: apdu_send_simple(0) failed: card inactive. When I insert another Smartcard, the green light of my SC-Reader flashes for a second though, whereas this doesn't happen with the GnuPG SmartCard. Here is my log. Can anybody tell me what the problem is? Cheers! Kai gpg: DBG: ccid-driver: using CCID reader 0 (ID=04E6:5115:21120617208494:0) gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518 gpg: DBG: ccid-driver: ChipCard Interface Descriptor: gpg: DBG: ccid-driver: bLength 54 gpg: DBG: ccid-driver: bDescriptorType 33 gpg: DBG: ccid-driver: bcdCCID 1.00 gpg: DBG: ccid-driver: nMaxSlotIndex 0 gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1 gpg: DBG: ccid-driver: dwDefaultClock 4000 gpg: DBG: ccid-driver: dwMaxiumumClock 12000 gpg: DBG: ccid-driver: bNumClockSupported 0 gpg: DBG: ccid-driver: dwDataRate 9600 bps gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps gpg: DBG: ccid-driver: bNumDataRatesSupp. 0 gpg: DBG: ccid-driver: dwMaxIFSD 252 gpg: DBG: ccid-driver: dwSyncProtocols 00000000 gpg: DBG: ccid-driver: dwMechanical 00000000 gpg: DBG: ccid-driver: dwFeatures 000100BA gpg: DBG: ccid-driver: Auto configuration based on ATR gpg: DBG: ccid-driver: Auto voltage selection gpg: DBG: ccid-driver: Auto clock change gpg: DBG: ccid-driver: Auto baud rate change gpg: DBG: ccid-driver: Auto PPS made by CCID gpg: DBG: ccid-driver: TPDU level exchange gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263 gpg: DBG: ccid-driver: bClassGetResponse echo gpg: DBG: ccid-driver: bClassEnvelope echo gpg: DBG: ccid-driver: wlcdLayout none gpg: DBG: ccid-driver: bPINSupport 0 gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: CALLING USB_CLEAR_HALT gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00 data: gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC gpg: reader slot 0: using ccid driver gpg: DBG: send apdu: c=00 i=A4 p0=04 p1=00 lc=6 le=-1 gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00 data: gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC gpg: apdu_send_simple(0) failed: card inactive gpg: DBG: ccid-driver: status: 01 error: 00 octet[9]: 01 data: gpg: DBG: ccid-driver: idVendor: 04E6 idProduct: 5115 bcdDevice: 0518 gpg: DBG: ccid-driver: ChipCard Interface Descriptor: gpg: DBG: ccid-driver: bLength 54 gpg: DBG: ccid-driver: bDescriptorType 33 gpg: DBG: ccid-driver: bcdCCID 1.00 gpg: DBG: ccid-driver: nMaxSlotIndex 0 gpg: DBG: ccid-driver: bVoltageSupport 1 5.0V gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1 gpg: DBG: ccid-driver: dwDefaultClock 4000 gpg: DBG: ccid-driver: dwMaxiumumClock 12000 gpg: DBG: ccid-driver: bNumClockSupported 0 gpg: DBG: ccid-driver: dwDataRate 9600 bps gpg: DBG: ccid-driver: dwMaxDataRate 307200 bps gpg: DBG: ccid-driver: bNumDataRatesSupp. 0 gpg: DBG: ccid-driver: dwMaxIFSD 252 gpg: DBG: ccid-driver: dwSyncProtocols 00000000 gpg: DBG: ccid-driver: dwMechanical 00000000 gpg: DBG: ccid-driver: dwFeatures 000100BA gpg: DBG: ccid-driver: Auto configuration based on ATR gpg: DBG: ccid-driver: Auto voltage selection gpg: DBG: ccid-driver: Auto clock change gpg: DBG: ccid-driver: Auto baud rate change gpg: DBG: ccid-driver: Auto PPS made by CCID gpg: DBG: ccid-driver: TPDU level exchange gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 263 gpg: DBG: ccid-driver: bClassGetResponse echo gpg: DBG: ccid-driver: bClassEnvelope echo gpg: DBG: ccid-driver: wlcdLayout none gpg: DBG: ccid-driver: bPINSupport 0 gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 Please insert the card and hit return or enter 'c' to cancel: From edhe at verizon.net Sat Sep 23 18:49:28 2006 From: edhe at verizon.net (Edward) Date: Sat Sep 23 18:47:50 2006 Subject: retrieving data with a new username Message-ID: <6464199.post@talk.nabble.com> I used gpg to back-up my data. I had disk problems. I reformatted the disk; and am now using a different username. When I try 'sudo gpg -d hebrews.....tqz | tar -xzvpP' I get the error 'Cant open file. No such file or directory'; enenthough it is showing what I would see if I had done 'sudo gpg -d hebrews....tqz | tar -tz' -- View this message in context: http://www.nabble.com/retrieving-data-with-a-new-username-tf2323486.html#a6464199 Sent from the GnuPG - User mailing list archive at Nabble.com. From qed at tiscali.it Sun Sep 24 16:46:38 2006 From: qed at tiscali.it (Qed) Date: Sun Sep 24 16:45:03 2006 Subject: DSA2 In-Reply-To: References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> Message-ID: <45169A4E.40702@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 09/23/2006 03:15 PM, Carlo Luciano Bianco wrote: [..snip..] > So my point is: what is the real advantage of "DSA2" over RSA > (if any, beside being the US standard)? Smaller, much smaller, signatures(on certification this is a desiderable property). [..snip..] > And therefore, even better, what is the present status of adding to > GnuPG an "official" ECC keys support? ECC are not part in RFC2440 nor there's a plan to include them. - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFFppNH+Dh0Dl5XacRA2hNAJ97CLMV2MysdOOGZ1cEb8FL6rzjsQCcDouJ 3FPV8wJgukLVivsjPqU/LPE= =yfHe -----END PGP SIGNATURE----- From alphasigmax at gmail.com Sun Sep 24 17:08:32 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Sep 24 17:07:59 2006 Subject: DSA2 In-Reply-To: <45169A4E.40702@tiscali.it> References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> Message-ID: <45169F70.1000600@gmail.com> Qed wrote: > On 09/23/2006 03:15 PM, Carlo Luciano Bianco wrote: > [..snip..] >> So my point is: what is the real advantage of "DSA2" over RSA >> (if any, beside being the US standard)? > Smaller, much smaller, signatures(on certification this is a desiderable > property). > > [..snip..] >> And therefore, even better, what is the present status of adding to >> GnuPG an "official" ECC keys support? > ECC are not part in RFC2440 nor there's a plan to include them. You're wrong. 9.1. Public Key Algorithms ID Algorithm -- --------- 1 - RSA (Encrypt or Sign) 2 - RSA Encrypt-Only 3 - RSA Sign-Only 16 - Elgamal (Encrypt-Only), see [ELGAMAL] 17 - DSA (Digital Signature Standard) 18 - Reserved for Elliptic Curve 19 - Reserved for ECDSA 20 - Elgamal (Encrypt or Sign) 21 - Reserved for Diffie-Hellman (X9.42, as defined for IETF-S/MIME) 100 to 110 - Private/Experimental algorithm. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060925/b5b1cd7f/signature.pgp From qed at tiscali.it Sun Sep 24 17:29:01 2006 From: qed at tiscali.it (Qed) Date: Sun Sep 24 17:27:14 2006 Subject: DSA2 In-Reply-To: <45169F70.1000600@gmail.com> References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> Message-ID: <4516A43D.3060808@tiscali.it> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 09/24/2006 05:08 PM, Alphax wrote: >>> And therefore, even better, what is the present status of adding to >>> GnuPG an "official" ECC keys support? >> ECC are not part in RFC2440 nor there's a plan to include them. > > You're wrong. > > 9.1. Public Key Algorithms > ID Algorithm > -- --------- > 18 - Reserved for Elliptic Curve > 19 - Reserved for ECDSA I haven't seen much traffic on ietf-openpg mailing list about this issue, maybe the last message about ECC was in 2001. ECC is not a priority task for RCF2440, do you think this statement is more acceptable? - -- Q.E.D. War is Peace Freedom is Slavery Ignorance is Strength ICQ UIN: 301825501 OpenPGP key ID: 0x58D14EB3 Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3 Check fingerprints before trusting a key! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFFqQ9H+Dh0Dl5XacRA4AoAJ4zCkgaAAQnxfrUCvWsszQhIzzS5QCdFf3j QbefLZjj996fzJUlFx59s20= =1ym9 -----END PGP SIGNATURE----- From alphasigmax at gmail.com Sun Sep 24 17:34:12 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Sep 24 17:32:43 2006 Subject: DSA2 In-Reply-To: <4516A43D.3060808@tiscali.it> References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> Message-ID: <4516A574.9060406@gmail.com> Qed wrote: > On 09/24/2006 05:08 PM, Alphax wrote: >>>> And therefore, even better, what is the present status of adding to >>>> GnuPG an "official" ECC keys support? >>> ECC are not part in RFC2440 nor there's a plan to include them. >> You're wrong. > >> 9.1. Public Key Algorithms >> ID Algorithm >> -- --------- >> 18 - Reserved for Elliptic Curve >> 19 - Reserved for ECDSA > I haven't seen much traffic on ietf-openpg mailing list about this > issue, maybe the last message about ECC was in 2001. > ECC is not a priority task for RCF2440, do you think this statement is > more acceptable? Yes. -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 569 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060925/fb136c5a/signature.pgp From wk at gnupg.org Sun Sep 24 19:48:57 2006 From: wk at gnupg.org (Werner Koch) Date: Sun Sep 24 19:51:47 2006 Subject: DSA2 In-Reply-To: <45169F70.1000600@gmail.com> (alphasigmax@gmail.com's message of "Mon, 25 Sep 2006 00:38:32 +0930") References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> Message-ID: <87eju117g6.fsf@wheatstone.g10code.de> On Sun, 24 Sep 2006 17:08, Alphax said: > 18 - Reserved for Elliptic Curve > 19 - Reserved for ECDSA > 21 - Reserved for Diffie-Hellman (X9.42, > as defined for IETF-S/MIME) Reserved does not mean it is in the standard. It is merely an internal remark that we once considered to use this number for the algorithm. Shalom-Salam, Werner From ryan at malayter.com Sun Sep 24 23:02:54 2006 From: ryan at malayter.com (Ryan Malayter) Date: Mon Sep 25 00:51:41 2006 Subject: DSA2 In-Reply-To: <4516A43D.3060808@tiscali.it> References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> Message-ID: <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> On 9/24/06, Qed wrote: > I haven't seen much traffic on ietf-openpg mailing list about this > issue, maybe the last message about ECC was in 2001. > ECC is not a priority task for RCF2440, do you think this statement is > more acceptable? As far as I know, Certicom and others control many patents related to ECC in the USA, Canada, and several other jurisdictions. Which is probably why there is no effort to add these to an "open standard" such as PGP that might then be patent-encumbered. The OpenSSL project recetly added ECC to its portfolio of algorithms, though, so someone must have done the investigatory work to determine that the OpenSSL implementation was not patented. -- RPM ========================= All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous From JPClizbe at comcast.net Mon Sep 25 06:51:40 2006 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Sep 25 06:58:12 2006 Subject: DSA2 In-Reply-To: <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> Message-ID: <4517605C.8040303@comcast.net> Ryan Malayter wrote: > On 9/24/06, Qed wrote: >> I haven't seen much traffic on ietf-openpg mailing list about this >> issue, maybe the last message about ECC was in 2001. >> ECC is not a priority task for RCF2440, do you think this statement is >> more acceptable? There were a couple messages last year on the [cryptography] mailing list wrt ECC and patents: http://www.mail-archive.com/cryptography@metzdowd.com/msg04965.html http://www.mail-archive.com/cryptography@metzdowd.com/msg04970.html > As far as I know, Certicom and others control many patents related to > ECC in the USA, Canada, and several other jurisdictions. Which is > probably why there is no effort to add these to an "open standard" > such as PGP that might then be patent-encumbered. Patents are a major roadblock to ECC's wider acceptance. Even the NSA opted to avoid any patent-related problems by licensing 26 MQV-based ECC patents from Certicom in a US$25 million deal. According to the NSA's web site: "Despite the many advantages of elliptic curves and despite the adoption of elliptic curves by many users, many vendors and academics view the intellectual property environment surrounding elliptic curves as a major roadblock to their implementation and use. Various aspects of elliptic curve cryptography have been patented by a variety of people and companies around the world. Notably the Canadian company, Certicom Inc. holds over 130 patents related to elliptic curves and public key cryptography in general." - http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm > The OpenSSL project recently added ECC to its portfolio of algorithms, > though, so someone must have done the investigatory work to determine > that the OpenSSL implementation was not patented. Actually the ECC code in OpenSSL was supplied by Sun and is patented by Sun. Sun contributed the code in 2002, but it was not made part of OpenSSL until 2005, as part of OpenSSL 0.9.8. On the patented code, Sun says: Q7: What about the patented technology in the contributed code? Sun acknowledges that it has some patented ECC technology in the contributed code. Sun grants to OpenSSL users the right to make use of the contributed patented technology in the context of OpenSSL. Sun does not intend to assert its patent rights associated with the code that was delivered to the OpenSSL project. Sun simply asks that anyone holding patents associated with the same code agree not to assert them against Sun in return. Sun does not forbid people from using the donated code on the basis of whether or not they make this promise. - http://research.sun.com/projects/crypto/FrequenlyAskedQuestions.html -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20060924/c9e0c383/signature.pgp From areiner at tph.tuwien.ac.at Sun Sep 24 23:54:52 2006 From: areiner at tph.tuwien.ac.at (Albert Reiner) Date: Mon Sep 25 13:21:36 2006 Subject: retrieving data with a new username In-Reply-To: <6464199.post@talk.nabble.com> References: <6464199.post@talk.nabble.com> Message-ID: <86wt7tszf7.fsf@willehalm.reiner> [Edward , Sat, 23 Sep 2006 09:49:28 -0700 (PDT)]: > I used gpg to back-up my data. I had disk problems. I reformatted the disk; > and am now using a different username. When I try 'sudo gpg -d > hebrews.....tqz | tar -xzvpP' I get the error 'Cant open file. No such file > or directory'; enenthough it is showing what I would see if I had done > 'sudo gpg -d hebrews....tqz | tar -tz' As you see the correct output, the problem cannot be with gpg. Instead, it must be tar that complains. Could it be that the tar archive has absolute paths in it? HTH, Albert. From henkdebruijn at wanadoo.nl Mon Sep 25 16:33:15 2006 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Mon Sep 25 16:31:32 2006 Subject: svn version (4262) not building under Windows with MSYS and Cygwin Message-ID: <18864827.20060925163315@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Is this the right group to talk about this? - -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System version 3.85.03 Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn4261HdB-dynamic-with-IDEA-Tiger192 (Cygwin/MingW32) iQEVAwUBRRfomxHuy+60ZN0PAQrPmAf/fEU7FysZUiWdOQtHSZKb7Mx9j4roVxGh zgVBEgilRxIFz7q3ZXNvtFXXuFYJfYOWVhCAMRlcwZQkokZxBMxBfRIrX9SQmiU2 QHA52hWpIW/0XgeWKy8gQtlX16/dxEJcFcmt+NHWODiJamgeJvLo0FkSWzu4oQqq T79dlYW0z6qpRIJDTpvdXQTeKHRdzjVq5lHx4cPIJKIX1YsLOryNINp0ItAguwz0 uXEkmn3PCQqxR/FVWzr6kBCtmRPX9UhrpW6QiNqO37+gkHSTuOtBmsT5cRqTkYAJ BIU41j+91Z9kqhR6mVpS20zgw7JY203Agn3Y7UkfdwUgJr3nqZMiRA== =xrN7 -----END PGP SIGNATURE----- From wk at gnupg.org Mon Sep 25 17:21:21 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 25 17:26:45 2006 Subject: svn version (4262) not building under Windows with MSYS and Cygwin In-Reply-To: <18864827.20060925163315@wanadoo.nl> (Henk M. de Bruijn's message of "Mon, 25 Sep 2006 16:33:15 +0200") References: <18864827.20060925163315@wanadoo.nl> Message-ID: <87y7s8ug3y.fsf@wheatstone.g10code.de> On Mon, 25 Sep 2006 16:33, Henk M. de Bruijn said: > Is this the right group to talk about this? Trunk? Not expected to build or run under Windows. Salam-Shalom, Werner From henkdebruijn at wanadoo.nl Mon Sep 25 17:41:53 2006 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Mon Sep 25 17:39:56 2006 Subject: svn version (4262) not building under Windows with MSYS and Cygwin In-Reply-To: <87y7s8ug3y.fsf@wheatstone.g10code.de> References: <18864827.20060925163315@wanadoo.nl> <87y7s8ug3y.fsf@wheatstone.g10code.de> Message-ID: <371716678.20060925174153@wanadoo.nl> On Mon, 25 Sep 2006 17:21:21 +0200GMT (25-9-2006, 17:21 +0200, where I live), Werner Koch wrote: > On Mon, 25 Sep 2006 16:33, Henk M. de Bruijn said: >> Is this the right group to talk about this? > Trunk? Not expected to build or run under Windows. I think I lost track for a moment. In my enthousiasm I trying to build... -- gr?tzi, Henk ______________________________________________________________________ The Bat! Natural E-Mail System version 3.85.03 Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust From blueness at gmx.net Tue Sep 26 17:05:29 2006 From: blueness at gmx.net (Mica Mijatovic) Date: Tue Sep 26 17:13:57 2006 Subject: [Announce] GnuPG Logo Contest In-Reply-To: <8764fj59n8.fsf@wheatstone.g10code.de> References: <87ac4w9fji.fsf@wheatstone.g10code.de> <545415814.20060920024014@gmx.net> <8764fj59n8.fsf@wheatstone.g10code.de> Message-ID: <1299577306.20060926170529@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Was Wed, 20 Sep 2006, at 08:34:19 +0200, when Werner wrote: > On Wed, 20 Sep 2006 03:06, Benjamin Esham said: >> I believe what Werner meant was that your submitted image should be at >> least 300 pixels wide or 300 pixels tall. (Of course, the bigger the > Well, it shall be either 300 pixels wide or tall - not smaller or > larger. This only to make it easier to compare seleveral drafts. It > would be somewhat unfair to compare a 2048*1024 logo with a 64*32 > logo. It also helps me in that I don't need to scale logos to a > unique size. Okay; I thank to both of you, Werner and Benjamin. -- Yiiik, it's already 26th! Well, the submission with the URL to PNGs, design concept and technical data has been sent (with no obscenities...this time (-, ), so we'll see what will happen... Good luck to all. (-: - -- Mica ~~~ For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me. ~~~ GPG keys/docs/software at: http://blueness.port5.com/pgpkeys/ http://tronogi.tripod.com/pgp/pgpkeys/ "Children must be taught how to think, not what to think." -- Margaret Mead -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6-svn-4217 <>o<> tiger192 (Cygwin/MinGW32) iQEVAwUBRRlBt7SpHvHEUtv8AQjIAAgArNnX71+mpMAfUN78NwTeTl151JGmfEzU NI9dZY9MV5Pz8m7y18AITy27yLvHxDrtfT16G4Y4paOor7bKIDrlRyOsUh1WwoJt 3gT4t1GQKXtQxLGdyE8WMf8rlTvu49j55yvcw2GuE7Orfydwanv2koNDkZ7Vbm1b yQmF2WkG/E+A8Kn4KmPVQaZU+gcJaOIc+w1c0BC5myTBzWNB+MbPSXXvr8GJ4FG9 +0do9uxx0b0xBNibY1HB5U1rEIkMP9S+V5q3poaC03bQo4mzlAlqErTYEZp2Zdsx hPa0hR91VOLAbUyX4C/EMCdUdBy50o/XY6huLCd8fz8ZaVnKecSe4Q== =kVhe -----END PGP SIGNATURE----- From clbianco at tiscalinet.it Tue Sep 26 23:59:02 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Wed Sep 27 01:31:01 2006 Subject: DSA2 References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702__32337.9667512656$1159109453$gmane$org@tiscali.it> Message-ID: Il /24 set 2006/, *Qed* ha scritto: > On 09/23/2006 03:15 PM, Carlo Luciano Bianco wrote: > [..snip..] >> So my point is: what is the real advantage of "DSA2" over RSA >> (if any, beside being the US standard)? > Smaller, much smaller, signatures(on certification this is a > desiderable property). OK, I agree. This is a real advantage which I did not consider, thanks for the clarification. -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From clbianco at tiscalinet.it Wed Sep 27 00:08:31 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Wed Sep 27 01:38:26 2006 Subject: DSA2 References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> <4517605C.8040303__40604.7906996266$1159160554$gmane$org@comcast.net> Message-ID: Il /25 set 2006/, *John Clizbe* ha scritto: > There were a couple messages last year on the [cryptography] > mailing list wrt ECC and patents: Thank you very much for the links, they are very interesting! > Actually the ECC code in OpenSSL was supplied by Sun and is > patented by Sun. Sun contributed the code in 2002, but it was not > made part of OpenSSL until 2005, as part of OpenSSL 0.9.8. On the > patented code, Sun says: > > Q7: What about the patented technology in the contributed code? > > Sun acknowledges that it has some patented ECC technology in > the contributed code. > > Sun grants to OpenSSL users the right to make use of the > contributed patented technology in the context of OpenSSL. Well... Does this mean that we can link GnuPG to OpenSSL library for ECC subroutines and stay safe from patent problems? If so, this can be a temporary solution (of course, if OpenSSL license is compatible with GnuPG one)... -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From robert.wyatt at mail.utexas.edu Wed Sep 27 00:23:46 2006 From: robert.wyatt at mail.utexas.edu (Robert T Wyatt) Date: Wed Sep 27 01:51:47 2006 Subject: three computers and one secret key? Message-ID: <4519A872.9020601@mail.utexas.edu> Hi folks, I'm new to the list. I live and work in Austin, TX. I've been trying to find this answer and have tried various things but I'm not having any luck. The only thing I'm sure of is that this can't be an original question, so I apologize for that and for not having found the answer already. I set up macgpg and enigmail on my home computer (running Mac OS 10.4.7) and it is working great (with SeaMonkey and Thunderbird). Now I would like to use the same secret key on both of my work computers, one is Mac OS 10.3.9 and the other is Windows XP. Both of these computers also have SeaMonkey and Thunderbird installed. Ooh, I think I just got the Mac to work by (securely) moving my at-home .gnupg folder into place on the work computer and reinstalling the enigmail extension. Oh darn, it almost works but it gives an error when sending mail: Error - bad passphrase. So what am I supposed to be doing? Assuming it can be done, how do I export my secret key for use on other computers? Do I have to use a memory stick or other portable device to make this work? Is it possible (and prudent) to put it on a server somewhere in a secure fashion? Thanks much for any pointers, Robert From rjh at sixdemonbag.org Wed Sep 27 02:21:46 2006 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed Sep 27 02:20:03 2006 Subject: three computers and one secret key? In-Reply-To: <4519A872.9020601@mail.utexas.edu> References: <4519A872.9020601@mail.utexas.edu> Message-ID: <4519C41A.2040605@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Robert T Wyatt wrote: > So what am I supposed to be doing? Assuming it can be done, how do I > export my secret key for use on other computers? Do I have to use a > memory stick or other portable device to make this work? Is it possible > (and prudent) to put it on a server somewhere in a secure fashion? Open up a Terminal window (Terminal is in your Applications/Utilities folder) and type the following: gpg --armor --export-secret-key [your key ID] > priv.asc gpg --armor --export [your key ID] > pub.asc mkdir mykeys mv priv.asc pub.asc mykeys zip -r ~/Desktop/mykeys.zip mykeys rm -rf mykeys This will create a zipfile on your desktop called mykeys.zip. Copy that to your other machines and unzip it there. You'll find inside it the files "pub.asc" and "priv.asc". On your other Macs, copy it to your desktop and unzip it. Then open up another Terminal window there and type: gpg --import-secret-key ~/Desktop/mykeys/priv.asc gpg --import ~/Desktop/mykeys/pub.asc gpg --edit-key [your key ID] trust This last line will start up a GnuPG key edit menu. Type '5', then 'y', then type 'save'. Your key is now copied to your other Mac, and trusted on your other machine, too. WARNING: I'm giving you shell commands here. Do not _ever_ follow random shell commands you get from unknown people on the Internet. You can really screw up your computer that way. Wait for other people on the list to take a look at what I'm telling you to do, and wait for a consensus as to whether I'm giving you good advice or bad advice. And yes, there really are such losers on the Internet as who try to get people to do stupid things that will damage their own machine. That said, Terminal is an incredibly powerful and useful tool, and it's worth your time to learn it, if you haven't already. :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQEcBAEBCgAGBQJFGcQZAAoJELcA9IL+r4EJxE8H/2ygpx8XJuXL3AEE8wx0m6S5 diERU4O6jsmLpYOcx9Ar/lOiOZjALBZkVE4bDBAKxwx46AME+os+L7wGjhiPlpEK 7VCWcFWvgA5uFo3Fy3AITxYYEG5jX7uNz1ZXAQ3jPzLrkczVeA+cOBvvnA82Wequ Qp1094Ul0SQbV5jNcfAfTqGsKn5VBqApvxP3DbGhh5fc6feVa07qYYwRpnezINCC c/vkovUOcrCdEq9BhnHqqxs4S8UyIr3ixtsoHSr07TVPWTjuQPluVROdsKC2vWbF e+x3u1EG6u0w0NxzuKkAHcpLevq7zkjTLt74pD0iib5QLqwcC4E2AfaLj6juIW8= =ZMSs -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Sep 27 02:26:17 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 27 02:24:33 2006 Subject: DSA2 In-Reply-To: References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> <4517605C.8040303__40604.7906996266$1159160554$gmane$org@comcast.net> Message-ID: <20060927002617.GA28262@jabberwocky.com> On Wed, Sep 27, 2006 at 12:08:31AM +0200, Carlo Luciano Bianco wrote: > Il /25 set 2006/, *John Clizbe* ha scritto: > > > There were a couple messages last year on the [cryptography] > > mailing list wrt ECC and patents: > > Thank you very much for the links, they are very interesting! > > > Actually the ECC code in OpenSSL was supplied by Sun and is > > patented by Sun. Sun contributed the code in 2002, but it was not > > made part of OpenSSL until 2005, as part of OpenSSL 0.9.8. On the > > patented code, Sun says: > > > > Q7: What about the patented technology in the contributed code? > > > > Sun acknowledges that it has some patented ECC technology in > > the contributed code. > > > > Sun grants to OpenSSL users the right to make use of the > > contributed patented technology in the context of OpenSSL. > > Well... Does this mean that we can link GnuPG to OpenSSL library for > ECC subroutines and stay safe from patent problems? If so, this can > be a temporary solution (of course, if OpenSSL license is compatible > with GnuPG one)... No, the licenses are not compatible. We had quite a problem (and are still fixing the fallout) with even a small license exception to allow linking the LDAP and CURL keyserver helpers to OpenSSL for ldaps and https. Plus there are the patent issues, which raise a very large headache for Free software in general. In any event, it doesn't matter even if the licenses were compatible: OpenPGP does not have ECC in it. GnuPG won't support ECC until the OpenPGP standard specifies it. I don't see that happening any time soon, especially given the patent issues. David From robert.wyatt at mail.utexas.edu Wed Sep 27 18:39:04 2006 From: robert.wyatt at mail.utexas.edu (Robert T Wyatt) Date: Wed Sep 27 18:37:29 2006 Subject: three computers and one secret key? In-Reply-To: <4519C41A.2040605@sixdemonbag.org> References: <4519A872.9020601@mail.utexas.edu> <4519C41A.2040605@sixdemonbag.org> Message-ID: <451AA928.7080201@mail.utexas.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert, Thank you very much for your help. I believe that I have both (all three really) working now. It seems that on MacOS 10.3.9 I needed to disable the OpenPGP option "Use gpg-agent for passphrase handling." (The enigmail error mentioned a problem accessing gpg-agent.) Additionally, since it is using gpg 1.4.1, the command is a little different: gpg --secret-keyring --no-default-keyring ~/path/to/mykeys/priv.asc On the PC (running gpg 1.4.5--with no man pages apparently), I moved the files to: C:\Documents and Settings\username\Application Data\gnupg ... and renamed them to pubring.asc and secring.asc. Issuing gpg --import on each file appropriately created the correct pubring.gpg and secring.gpg that I needed. Do I have a volunteer to accept an encrypted message from me so that I can verify it's working? (Does it make sense to ask this question? Can sending an encrypted message to someone other than myself verify this any better than just sending one to myself--which I know works?) Thanks, Robert - -- Robert T Wyatt Assistant Registrar Registration and Room Scheduling (M5504) The University of Texas at Austin phone (512) 475-7602 fax (512) 475-7515 Robert J. Hansen wrote: > Robert T Wyatt wrote: >> So what am I supposed to be doing? Assuming it can be done, how do I >> export my secret key for use on other computers? Do I have to use a >> memory stick or other portable device to make this work? Is it possible >> (and prudent) to put it on a server somewhere in a secure fashion? > > Open up a Terminal window (Terminal is in your Applications/Utilities > folder) and type the following: > > > > gpg --armor --export-secret-key [your key ID] > priv.asc > gpg --armor --export [your key ID] > pub.asc > mkdir mykeys > mv priv.asc pub.asc mykeys > zip -r ~/Desktop/mykeys.zip mykeys > rm -rf mykeys > > > > This will create a zipfile on your desktop called mykeys.zip. Copy that > to your other machines and unzip it there. You'll find inside it the > files "pub.asc" and "priv.asc". > > On your other Macs, copy it to your desktop and unzip it. Then open up > another Terminal window there and type: > > > > gpg --import-secret-key ~/Desktop/mykeys/priv.asc > gpg --import ~/Desktop/mykeys/pub.asc > gpg --edit-key [your key ID] trust > > > > This last line will start up a GnuPG key edit menu. Type '5', then 'y', > then type 'save'. > > Your key is now copied to your other Mac, and trusted on your other > machine, too. > > > > WARNING: I'm giving you shell commands here. Do not _ever_ follow > random shell commands you get from unknown people on the Internet. You > can really screw up your computer that way. Wait for other people on > the list to take a look at what I'm telling you to do, and wait for a > consensus as to whether I'm giving you good advice or bad advice. > > And yes, there really are such losers on the Internet as who try to get > people to do stupid things that will damage their own machine. > > That said, Terminal is an incredibly powerful and useful tool, and it's > worth your time to learn it, if you haven't already. :) > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFGqkYsFMntyigSLMRAhwRAJ9ACb9uFz0M3OYoKLNHeSIE5uCGsgCgjliJ 50e5Nx8BA9mzgAY1NNr3Jqk= =HBXM -----END PGP SIGNATURE----- From clbianco at tiscalinet.it Thu Sep 28 00:56:49 2006 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Thu Sep 28 00:58:22 2006 Subject: DSA2 References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> <4517605C.8040303__40604.7906996266$1159160554$gmane$org@comcast.net> <20060927002617.GA28262__2510.2142397829$1159316883$gmane$org@jabberwocky.com> Message-ID: Il /27 set 2006/, *David Shaw* ha scritto: > On Wed, Sep 27, 2006 at 12:08:31AM +0200, Carlo Luciano Bianco > wrote: >> Well... Does this mean that we can link GnuPG to OpenSSL library >> for ECC subroutines and stay safe from patent problems? If so, >> this can be a temporary solution (of course, if OpenSSL license >> is compatible with GnuPG one)... > > No, the licenses are not compatible. I was afraid of something like that... :-/ > We had quite a problem (and > are still fixing the fallout) with even a small license exception > to allow linking the LDAP and CURL keyserver helpers to OpenSSL > for ldaps and https. Do you mean I would better change my tutorial to use only libcurl with no SSL support? > Plus there are the patent issues, which raise a very large > headache for Free software in general. I see... > In any event, it doesn't matter even if the licenses were > compatible: OpenPGP does not have ECC in it. But ECC could be included in the new RFC2440-bis draft currently being written, that's why I have asked about the status... > GnuPG won't support > ECC until the OpenPGP standard specifies it. Of course... > I don't see that > happening any time soon, especially given the patent issues. I see, this is the real problem... :-/ -- | ICQ UIN: 109517158 Carlo Luciano Bianco | Home page: ______________________|________________________________________________ GnuPG RSAv4 4096 - Fingerprint:FA68CF697EA63865AAFA805F68703AD40609D743 From dshaw at jabberwocky.com Thu Sep 28 05:05:45 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 28 05:04:09 2006 Subject: DSA2 In-Reply-To: References: <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> <4517605C.8040303__40604.7906996266$1159160554$gmane$org@comcast.net> <20060927002617.GA28262__2510.2142397829$1159316883$gmane$org@jabberwocky.com> Message-ID: <20060928030545.GA13728@jabberwocky.com> On Thu, Sep 28, 2006 at 12:56:49AM +0200, Carlo Luciano Bianco wrote: > > We had quite a problem (and > > are still fixing the fallout) with even a small license exception > > to allow linking the LDAP and CURL keyserver helpers to OpenSSL > > for ldaps and https. > > Do you mean I would better change my tutorial to use only libcurl > with no SSL support? It's okay. We changed the license terms for the keyserver helpers so they can legally link to OpenSSL. David From dtt at ifgf.org Thu Sep 28 08:53:22 2006 From: dtt at ifgf.org (dtt) Date: Thu Sep 28 06:51:15 2006 Subject: Unattended sign and encrypt a file using a script Message-ID: <451b7162.ee.1f88.1311689353@ifgf.org> A newbie question: My bank asked me to upload a file signed and encrypted. When I do gpg --armor --sign -r -o -e it always ask for a passphrase. Since I am going to upload this file daily, how can I do the signing unattendedly thru a script ? I created a signature file mysignature.sig using gpg --detach-sign, how can I use it in the signing process without gpg prompting me to enter a passphrase ? Thanks David T From wk at gnupg.org Thu Sep 28 09:53:50 2006 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 28 09:56:56 2006 Subject: DSA2 In-Reply-To: (Carlo Luciano Bianco's message of "Thu, 28 Sep 2006 00:56:49 +0200") References: <20060921123803.85621.qmail@web26709.mail.ukl.yahoo.com> <20060921130605.GB3928@jabberwocky.com> <45169A4E.40702@tiscali.it> <45169F70.1000600@gmail.com> <4516A43D.3060808@tiscali.it> <5d7f07420609241402r44ef21em2bf80df62a04aa7f@mail.gmail.com> <4517605C.8040303__40604.7906996266$1159160554$gmane$org@comcast.net> <20060927002617.GA28262__2510.2142397829$1159316883$gmane$org@jabberwocky.com> Message-ID: <87u02sjuk1.fsf@wheatstone.g10code.de> On Thu, 28 Sep 2006 00:56, Carlo Luciano Bianco said: > But ECC could be included in the new RFC2440-bis draft currently > being written, that's why I have asked about the status... The ID is already at the RFC editor and thus close to be published. Anyway we have discussed this within the WG several times and it is not likely that it will change anytime soon. Salam-Shalom, Werner From DanielLipkie at lipkie.com Sat Sep 30 22:09:33 2006 From: DanielLipkie at lipkie.com (Daniel Lipkie) Date: Sat Sep 30 23:51:37 2006 Subject: Can not download "GnuPG 1.4.5 compiled for Microsoft Windows" Message-ID: <000001c6e4cc$593a6ba0$0f02a8c0@D800> I've tried clicking on "FTP" on page http://www.gnupg.org/(en)/download/index.html from both FireFox and IExplorer. I've tried opening a cmd window and doing ftp to ftp.gnupg.org and can't get a connection. Ping ftp.gnupg.org responds with 217.69.76.44. I have no problems opening ftp connection to other places on the web. What am I overlooking and doing wrong? It has been a long time since I downloaded GnuPG (i.e.. I'm using v 1.2.3 and would like to upgrade to 1.4.5). Daniel Lipkie mailto: DanielLipkie@lipkie.com From beispielsweise at googlemail.com Mon Sep 25 18:59:46 2006 From: beispielsweise at googlemail.com (Eike Herzbach) Date: Sun Oct 1 16:31:12 2006 Subject: Create a key without subkey? Message-ID: <42c7f83c0609250959n3819597ah1011c49d57b37ff0@mail.gmail.com> Hi, How do I generate an encryption key with gnupg? I tried some options but it always generates me a sign-only key with an encryption subkey. I need to receive encrypted financial data from a system that uses PGP5. When I send in my key to that system it outputs me the following: ----[PGP Ausgabeprotokoll]---- Adding keys: Key ring: 'eike@example.com' Type Bits KeyID Created Expires Algorithm Use pub 1024 0xAF7B19C4 2006-09-25 ---------- DSS Sign only sub 2048 0x508FA9D7 2006-09-25 ---------- Diffie-Hellman uid Eike Herzbach Later when the system tries to send me an encrypted message it fails and says that it can't encrypt with a Sign-only key. (I guess it is not able to use the subkey and only sees the 'outer' key) Is there a way to fix this in GnuPG? Or do I have to get PGP5 to generate such a key? Regards, Eike From dtt at ifgf.org Thu Sep 28 00:23:40 2006 From: dtt at ifgf.org (dtt) Date: Sun Oct 1 16:31:18 2006 Subject: Unattended sign and encrypt a file using a script Message-ID: <451af9ec.fb.775c.1998455908@ifgf.org> A newbie question: My bank asked me to upload a file signed and encrypted. When I do gpg --armor --sign -r -o -e it always ask for a passphrase. Since I am going to upload this file daily, how can I do the signing unattendedly thru a script ? I created a signature file mysignature.sig using gpg --detach-sign, how can I use it in the signing process without gpg prompting me to enter a passphrase ? Thanks David T From naanivardhan at gmail.com Thu Sep 28 19:48:03 2006 From: naanivardhan at gmail.com (naani) Date: Sun Oct 1 16:31:21 2006 Subject: help needed Message-ID: <451C0AD3.3090802@gmail.com> respected sir/madam, recently i have downloaded enigmail for thunderbird 1.5.0.7. i am clueless regarding version to be downloaded. i have come to know that version has to be downloaded according to the operating system. my system configuration is windows xp professional version 5.1.2600 system type : x86-based pc. please help me to decide about the file to be downloaded. please specify the name precisely and any other files to be downloaded. i am awaiting for your reply. vishnuvardhan.