From JPClizbe at tx.rr.com Sat Mar 1 00:20:04 2008 
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 29 Feb 2008 17:20:04 -0600
Subject: _almost_ working, now a command line question...
In-Reply-To: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
References: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
Message-ID: <47C89324.9050204@tx.rr.com>

Maury Markowitz wrote:
> So after finally deciding to trust that gpg was giving me an accurate
> error, and that the passphrase really was wrong, I spent the last week
> scaring up someone within the labyrinths that could actually change
> the key to the one that we know works. Presto! Working file.
>
> Lesson learned: You CAN simply copy binary key files from pgp to gpg,
> which is really nice.
>
> All that's left now is to fully automate this, and my Windows CMD
> noobishness is an issue. Here's my command line:
>
> O:\Utilities>echo o:\apricing\pass.txt | o:\utilities\gpg --homedir o:\utilities
> \ --passphrase-fd 0 --load-extension o:\utilities\idea.dll -o "o:\apricing\morga
> n_cds_20080229.txt" -d "o:\apricing\24476.txt.pgp"
>
> And here are the results (slightly trimmed to protect the innocent):
>
> pass.txt absolutely has the right key in it. I tried both | and >, the
> latter did nothing at all (which I guess makes sense).
>
> Anything obvious here?

You could try --passphrase-file o:\apricing\pass.txt after removing
--passphrase-fd

This is *very* sensitive to line endings. I had to run dos2unix on the
passphrase file before the command would work. DIR or 'ls -l' on the
passphrase file should show a length one greater than the character count
in the passphrase (just ). Windows will create the file with and the will
muck things up.

You may also wish to include --batch on the command line.

-- 
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From richih.mailinglist at gmail.com Sat Mar 1 12:46:40 2008
From: richih.mailinglist at gmail.com (Richard Hartmann)
Date: Sat, 1 Mar 2008 12:46:40 +0100
Subject: Signing people with only one form of ID?
In-Reply-To: <005401c87afa$2db309e0$6401a8c0@T60>
References: <2d460de70802271638x6153a5f0w4bb9a355bf1c9889@mail.gmail.com>
 <47C6205E.2000200@sixdemonbag.org> <001d01c879bc$127fff50$6401a8c0@T60>
 <2d460de70802290149g51f8f0d2l2be7b76abb72c6fa@mail.gmail.com>
 <005401c87afa$2db309e0$6401a8c0@T60>
Message-ID: <2d460de70803010346k778f049exbbf9be40e54bc9d5@mail.gmail.com>

On Fri, Feb 29, 2008 at 6:40 PM, Brian Smith wrote:

> > The basic assumption is that a key signing is good and that
> > you actually gain something from it.
>
> That is the assumption that I am challenging.

You are not challenging the assumption, you are attacking the
implementation :)

> > In the US, they are just using credit cards and the ability
> > to block money on your account for their own use instead of
> > ID. This is basically an ID with electronic traceability
> > (people _know_ you were in X, renting a car.
> > And they can look it all up in a central location).
>
> These are things I want to help change.

For some things, you simply need to establish identity. As soon as
you leave the 'I have known you since birth and you are tightly knit
into my social circle' regions, doing some things, especially ones
involving large amounts of money, is simply not feasible.

You can challenge that assumption by giving me your car, house &
bank accounts.

Unless you never go far from your birthplace, or progress very
slowly in one direction, you simply need to be able to establish ID.
Or you can do the US thing of just taking a pile of [electronic] cash
into custody.

> There's got to be some mechanism that doesn't require (as much) hope,
> and which doesn't require the loss of anonymity, at least for common
> uses of PGP like personal email.

There are three forms of ID:

a) 'This is the same person I have had contact with before.'
   This can be done via an unsigned key or facial recognition.

b) 'This person is known to someone I [have to] trust.'
   Web of trust, government-issued ID, alias-based eID

c) 'I know this person to be X.'
   You have known them for a very long time, preferably since
   their birth.

As GPG WoT aims to stay in the realm of b), it is, quite literally,
impossible to establish anything of use with a).
Note that there are schemes that involve GPG and a), but they can
not reliably establish identity, only authenticity.

> Would better IDs really help? It has got to be hard for a person to say
> "I don't trust you or your ID, I'm not going to sign your key."

If your full DNA print is being taken at birth, you are implanted with
a chip immediately & you are under close, automated surveillance for
all your life, this would be the complete solution and 'help', yes.

If I had any reasonable doubt as to the validity of someone's ID or if
they match the identity on the ID, I would say so, yes.
If you are concerned about the social implications, tell them you will
sign it and then don't. Chances are that in such a scenario, you will
not meet the other person again, anyway.

Richard

> - Brian

From email at sven-radde.de Sat Mar 1 13:20:26 2008
From: email at sven-radde.de (Sven Radde)
Date: Sat, 01 Mar 2008 13:20:26 +0100
Subject: _almost_ working, now a command line question...
In-Reply-To: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
References: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
Message-ID: <1204374026.6658.21.camel@carbon>

Hi!

On Friday, 29.02.2008, at 15:10 -0500, Maury Markowitz wrote:
> O:\Utilities>echo o:\apricing\pass.txt | ...

Try "type o:\apricing\pass.txt | ..." if you really want to do it this
way.

cu, Sven

From saravan1 at comp.nus.edu.sg Sun Mar 2 12:40:24 2008
From: saravan1 at comp.nus.edu.sg (Saravanan)
Date: Sun, 2 Mar 2008 19:40:24 +0800
Subject: GnuPG Make_Printable_String Remote Buffer Overflow Vulnerability
Message-ID: <000a01c87c5a$378800e0$b95d8489@yourf3zsqh74e5>

Hi,

I have been trying to find an input that will utilize the
Make_Printable_String so as to look into the vulnerability. But I am
rather unsuccessful at finding such an input. Can you advise me on any
such input?

Thanks.

Saravanan

From nicholas.cole at gmail.com Sun Mar 2 11:00:56 2008
From: nicholas.cole at gmail.com (Nicholas Cole)
Date: Sun, 2 Mar 2008 10:00:56 +0000
Subject: Signing people with only one form of ID?
In-Reply-To: <2d460de70803010346k778f049exbbf9be40e54bc9d5@mail.gmail.com>
References: <2d460de70802271638x6153a5f0w4bb9a355bf1c9889@mail.gmail.com>
 <47C6205E.2000200@sixdemonbag.org> <001d01c879bc$127fff50$6401a8c0@T60>
 <2d460de70802290149g51f8f0d2l2be7b76abb72c6fa@mail.gmail.com>
 <005401c87afa$2db309e0$6401a8c0@T60>
 <2d460de70803010346k778f049exbbf9be40e54bc9d5@mail.gmail.com>
Message-ID:

On Sat, Mar 1, 2008 at 11:46 AM, Richard Hartmann wrote:
> On Fri, Feb 29, 2008 at 6:40 PM, Brian Smith wrote:
>
> > > The basic assumption is that a key signing is good and that
> > > you actually gain something from it.
> >
> > That is the assumption that I am challenging.
>
> You are not challenging the assumption, you are attacking the
> implementation :)

Well, let me attack this problem from another position. :-)

I think we need to remember what the purpose of a signature on an
OpenPGP is. It is there, first and foremost, to tell the computer
"Yes, you should be happy encrypting to this key", for the purpose of
avoiding Man in the Middle attacks. (And - as an aside - the purpose
of OpenPGP is to make email and other electronic communication on the
internet more secure).

One of the early mistakes I think the _documentation_ of PGP made was
to suggest that one day we might all live in a world where keys would
be selected automatically from keyservers, with no effort on the part
of the user, and with almost total security.

It is with such a dream in mind that people set up key servers, go to
key-signing parties and the like, and start worrying about how many
passports they need to see before they sign a key.

Actually, such a world is probably not possible. But for private
users, most of the time, the most important thing is still to check
the fingerprint of the key with the intended recipient of secure
communications. It is, actually, simple.

But that does not mean the web of trust is useless - far from it.
OpenPGP lets you represent all sorts of trust models: you can choose
trust the root key of a company, university or computer software
project, and thereby "trust" all of the people involved in that
organisation, for example.

But I've never been convinced that the search for the "right" level of
id to demand before signing a key is right, nor that going to random
keysignings is very useful. OpenPGP can only represent "trust" that
already exists. And the truth of the matter is that if I have just
met a chap in a bar, I am unlikely to "trust" him to sign any more
keys for me, no matter how much he tells me he always looks at
passports. So even if I signed his key, I probably wouldn't then
trust him to sign other keys that I depended upon.

Sorry - that was rather more than I meant to write. Take home
message: use OpenPGP to represent "trust" relationships that make
sense for your situation, and don't worry about an ideal standard,
because one doesn't exist, shouldn't exist, and probably couldn't ever
exist. ;-)

(I am reminded of this cartoon: http://xkcd.com/386/ )

Best,

N

From jmoore3rd at bellsouth.net Sun Mar 2 14:14:33 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 02 Mar 2008 08:14:33 -0500
Subject: Signing people with only one form of ID?
In-Reply-To:
References: <2d460de70802271638x6153a5f0w4bb9a355bf1c9889@mail.gmail.com>
 <47C6205E.2000200@sixdemonbag.org> <001d01c879bc$127fff50$6401a8c0@T60>
 <2d460de70802290149g51f8f0d2l2be7b76abb72c6fa@mail.gmail.com>
 <005401c87afa$2db309e0$6401a8c0@T60>
 <2d460de70803010346k778f049exbbf9be40e54bc9d5@mail.gmail.com>
Message-ID: <47CAA839.9030302@bellsouth.net>

Nicholas Cole wrote:

> But that does not mean the web of trust is useless - far from it.
> OpenPGP lets you represent all sorts of trust models: you can choose
> trust the root key of a company, university or computer software
> project, and thereby "trust" all of the people involved in that
> organisation, for example.

ID's, Length of Relationship, Key Fingerprint verification etc. are all
just individual methods of determining Who has control of a Key. The
WoT is only conferred based upon the 'Depth of Trust' conferred with the
Signature. PGP refers to this as 'Trusted Introducer' [Black Pencil]
and GnuPG displays this 'depth' with a numerical notation.

Basic 'Exportable' Signatures [0x10, Yellow Pencil] are as common [&
useful] on a Key as a pocket full of business cards after returning from
a convention. "Yeah, We met & exchanged some Contact Information."

JOHN ;)
Timestamp: Sunday 02 Mar 2008, 08:14 --500 (Eastern Standard Time)

From funkdude at gmail.com Mon Mar 3 02:57:20 2008
From: funkdude at gmail.com (nunzky)
Date: Sun, 2 Mar 2008 17:57:20 -0800 (PST)
Subject: GnuPG (win32) on a USB stick
Message-ID: <15796380.post@talk.nabble.com>

Hi,

I want to keep GnuPG on a USB stick to use at school and on other people's
computers (all windows). However, GPG, when run, creates the keyrings and
conf files on the HDD (documents and settings\appdata). Is it possible to
avoid this behavior and have GnuPG write those files, say, in its own dir on
my usb stick? How would I do this?

Also, this would probably have to involve me keeping my private key on the
usb stick, protected only by a passphrase. How secure is this? Are there any
better ways to do it?

Thanks in advance.

From rjh at sixdemonbag.org Mon Mar 3 03:15:20 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 02 Mar 2008 20:15:20 -0600
Subject: GnuPG (win32) on a USB stick
In-Reply-To: <15796380.post@talk.nabble.com>
References: <15796380.post@talk.nabble.com>
Message-ID: <47CB5F38.3070407@sixdemonbag.org>

nunzky wrote:
> Also, this would probably have to involve me keeping my private key on the
> usb stick, protected only by a passphrase. How secure is this? Are there any
> better ways to do it?

As a rule of thumb, never do any sensitive computer operations on a
computer you don't completely trust.

If you think the computers in your campus's IT kiosks are safe and
pristine, then this idea is probably reasonably good.

If you think the computers in the kiosks are exposed to a host of unsafe
web browsing habits, malware and stupid users 24/7, you may want to
rethink this plan.

From JPClizbe at tx.rr.com Mon Mar 3 03:47:34 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Sun, 02 Mar 2008 20:47:34 -0600
Subject: GnuPG (win32) on a USB stick
In-Reply-To: <15796380.post@talk.nabble.com>
References: <15796380.post@talk.nabble.com>
Message-ID: <47CB66C6.1030608@tx.rr.com>

nunzky wrote:
> Hi,
>
> I want to keep GnuPG on a USB stick to use at school and on other people's
> computers (all windows). However, GPG, when run, creates the keyrings and
> conf files on the HDD (documents and settings\appdata). Is it possible to
> avoid this behavior and have GnuPG write those files, say, in its own dir on
> my usb stick? How would I do this?
>

set GNUPGHOME=x:\location\you\want

-- 
John P. Clizbe                      Inet: JPClizbe (a)tx DAWT rr DAHT con
Ginger Bear Networks                hkp:\\keyserver.gingerbear.net
or Send email with subject help to pgp-public-keys at keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From jmoore3rd at bellsouth.net Mon Mar 3 05:39:27 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 02 Mar 2008 23:39:27 -0500
Subject: GnuPG (win32) on a USB stick
In-Reply-To: <15796380.post@talk.nabble.com>
References: <15796380.post@talk.nabble.com>
Message-ID: <47CB80FF.7000507@bellsouth.net>

nunzky wrote:

> I want to keep GnuPG on a USB stick to use at school and on other people's
> computers (all windows). However, GPG, when run, creates the keyrings and
> conf files on the HDD (documents and settings\appdata). Is it possible to
> avoid this behavior and have GnuPG write those files, say, in its own dir on
> my usb stick? How would I do this?

2 ways are easily available depending upon the size of Your Flash Drive.
You could use GPG2GO and do everything from the Command Line or You
could simply Copy Your GnuPG Directory/Folder to the Flash Drive and
then use the GPGshell Portable Utility [located at the bottom of the
Start Menu list] and then run with a GUI.

http://www.jumaros.de/rsoft/index.html

> Also, this would probably have to involve me keeping my private key on the
> usb stick, protected only by a passphrase. How secure is this? Are there any
> better ways to do it?

How secure is Your passphrase? Robert already covered the issues
involved in using an untrusted PC. Also keep in mind that not having
control over the PC also means no Control over the Swap File, whether or
not any Keyloggers are present, etc.

Another consideration is that many Public PC's have the ability to
launch any .exe File blocked. This is particularly true in Libraries
and other places where there is a concern that Students will attempt to
install malware, etc.

If You are just going to be using the USB Drive for Email then there are
Applications like Mobility Email & Portable Thunderbird w/Enigmail + GnuPG.

JOHN ;)
Timestamp: Sunday 02 Mar 2008, 23:38 --500 (Eastern Standard Time)

From email at sven-radde.de Mon Mar 3 07:00:54 2008
From: email at sven-radde.de (Sven Radde)
Date: Mon, 03 Mar 2008 07:00:54 +0100
Subject: GnuPG (win32) on a USB stick
In-Reply-To: <15796380.post@talk.nabble.com>
References: <15796380.post@talk.nabble.com>
Message-ID: <47CB9416.3060105@sven-radde.de>

Hi!

nunzky wrote:
> However, GPG, when run, creates the keyrings and
> conf files on the HDD (documents and settings\appdata). Is it possible to
> avoid this behavior and have GnuPG write those files, say, in its own dir on
> my usb stick? How would I do this?
>

Try using "--homedir U:\path\to\your\keyrings" as an option to every
call to gpg, where U: is the drive letter of your USB stick.

> How secure is this? Are there any
> better ways to do it?

The OpenPGP smartcard might be an idea if you can get it to work on the
computers where you want to use GnuPG.
While this is better than relying on keyfiles with passphrases (which
might easily be sniffed by a keylogger), it still is not 100% secure on
a wholly untrustworthy system.

Another option would be to boot into a dedicated system from CD. Knoppix
or the like.
The risk here is a hardware keylogger. Furthermore, depending on the
(W)LAN setup, you won't easily have network connectivity and, of course,
it is inconvenient.

This is the general tradeoff: Security vs. convenience.

HTH, Sven

From bahamut at digital-signal.net Mon Mar 3 17:32:24 2008
From: bahamut at digital-signal.net (Andrew Berg)
Date: Mon, 03 Mar 2008 10:32:24 -0600
Subject: GnuPG (win32) on a USB stick
In-Reply-To: <47CB66C6.1030608@tx.rr.com>
References: <15796380.post@talk.nabble.com> <47CB66C6.1030608@tx.rr.com>
Message-ID: <47CC2818.9020201@digital-signal.net>

John Clizbe wrote:
> set GNUPGHOME=x:\location\you\want
>

It would be inconvenient (and inconsiderate to the host machine's
owner(s)) to set an environment variable on every machine encountered,
wouldn't it? Sven's idea is much better, I think.

From vedaal at hush.com Mon Mar 3 17:11:46 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 03 Mar 2008 11:11:46 -0500
Subject: GnuPG (win32) on a USB stick
Message-ID: <20080303161147.3A2D015803F@mailserver6.hushmail.com>

nunzky (funkdude at gmail.com) wrote on
Mon Mar 3 02:57:20 CET 2008 :

>Is it possible to avoid this behavior
>and have GnuPG write those files, say,
>in its own dir on my usb stick?
...
>this would probably have to involve
>me keeping my private key on the usb stick,
>protected only by a passphrase.
>How secure is this?
>Are there any better ways to do it?

in general,
the simplest, most secure way,
is to keep gnupg on your laptop,
and use the usb to transfer files from the public computer to your
laptop and back again

encrypting and decrypting while directly connected to a public
computer,
runs a very real risk of having the plaintext stored in some
recoverable form on that computer

(i would recommend a Toshiba Libretto,
that you can literally have physical control over, at all times)
http://www.pcmag.com/article2/0,2817,1788012,00.asp

if you don't have a laptop,
and need to work from a public computer,
and a usb,
here are some guidelines:

[1] generate a new gnupg key, with a comment, 'usb key',
and keep this in a separate keyring
(not the keyring with your 'real' secret keys)

if you have any concern that this becomes compromised,
you can revoke it, without compromising your 'real' keys

(this is also a common courtesy to people who send encrypted mail
to you
they are entrusting their secret/personal correspondence to you,
and need to know how much they can 'trust' you

'trust' in this context,
refers to 'skill and judgment', not 'integrity'

[ you can 'trust' someone with your life and money,
but not to drive your BMW,
if you don't think they have enough experience with a stickshift ]
)

[2] keep the keyrings and the entire gnupg program in a truecrypt
container on the usb

this has two advantages:

(a) it protects your keyrings

(b) it allows you to pick a drive letter that will stay the same
regardless of the hardware differences of the various public
computers

(i.e., you can mount the truecrypt container as drive Z,
and have all the entries in your gpg.conf refer to z:\gnupg,
and never have to change it)

truecrypt can be run in traveller mode from a usb,
without having it installed on the host computer

[3] copy the entire gnupg directory from your home computer,
into the truecrypt container

[4] put these lines into your gpg.conf file:

    no-default-keyring
    keyring z:\gnupg\pubring.gpg
    secret-keyring z:\gnupg\secring.gpg

(use your 'new' keyrings with the special 'usb key')

[5] open notepad and type these lines:

    command com
    z:
    cd gnupg

save this as gusb.bat in your truecrypt container

whenever you want to run gnupg from the usb,
(and have already mounted the truecrypt container as drive z:)
double-clicking on gusb.bat opens a dos commandline window

check it by typing gpg -h

if the gnupg version and guide appears, then you're ready

[6] minor recommendation,
(i don't know how much it would help)

get (free) editpad lite:
http://www.editpadpro.com/editpadlite.html

it can be run from the usb by just copying the file
EditPadLite.exe

you can compose any correspondence from editpadlite,
without using any of the host computers software
(e.g. word, wordpad, notepad, etc.),
and there 'might' be less chance of the plaintext being saved on
the host computer by some file journaling system)

vedaal

From vedaal at hush.com Mon Mar 3 18:36:56 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 03 Mar 2008 12:36:56 -0500
Subject: GnuPG (win32) on a USB stick // forgot a line, sorry // ;-((
Message-ID: <20080303173656.83EF415803E@mailserver6.hushmail.com>

vedaal at hush.com (vedaal at hush.com) wrote on
Mon Mar 3 17:11:46 CET 2008 :

>[5] open notepad and type these lines:

>command com
>z:
>cd gnupg

sorry,
forgot a line ;-((

it should be:

    set GNUPGHOME=z:\gnupg
    command com
    z:
    cd gnupg

vedaal

From maury.markowitz at gmail.com Mon Mar 3 17:44:29 2008
From: maury.markowitz at gmail.com (Maury Markowitz)
Date: Mon, 3 Mar 2008 11:44:29 -0500
Subject: _almost_ working, now a command line question...
In-Reply-To: <5bdbc9050803010647h3725d562i69f1a8387121ba59@mail.gmail.com>
References: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
 <47C89324.9050204@tx.rr.com>
 <5bdbc9050803010647h3725d562i69f1a8387121ba59@mail.gmail.com>
Message-ID: <5bdbc9050803030844l5630fcf2qcc4a74934f5aa297@mail.gmail.com>

Holy smokes, this is much more annoying than I thought possible!

Using either the | and < methods of passing in the passphrase works
from the CMD window and I can decrypt the file fine. Even cutting and
pasting the command string in works fine.

But when I shell the exact same line of text (which is where I cut it
from) into the VBA Shell command, which I do for literally dozens of
tasks, it does not work. GPG puts up the message:

Reading passphrase from file descriptor 0 ...

And then just sits there. Perhaps I can't call a pipe or redirect in
the VBA shell command; if try I'm pretty much sunk unless I can get
--passphrase-file to work. And it doesn't.

Is --passphrase-file a feature of 2.0 only? If so, is there somewhere
where I can get a compiled windows binary of it?

Maury

From vedaal at hush.com Mon Mar 3 18:53:57 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Mon, 03 Mar 2008 12:53:57 -0500
Subject: _almost_ working, now a command line question...
Message-ID: <20080303175400.0678F15803E@mailserver6.hushmail.com>

Maury Markowitz (maury.markowitz at gmail.com) wrote on
Mon Mar 3 17:44:29 CET 2008 :

>Reading passphrase from file descriptor 0 ...

>And then just sits there. Perhaps I can't call a pipe or redirect in
>the VBA shell command; if try I'm pretty much sunk unless I can get
>--passphrase-file to work. And it doesn't.

try this instead of --passphrase-file

--passphrase string

where 'string' is your actual passphrase

vedaal

From avi.wiki at gmail.com Mon Mar 3 17:54:27 2008
From: avi.wiki at gmail.com (Avi)
Date: Mon, 3 Mar 2008 11:54:27 -0500
Subject: GnuPG (win32) on a USB stick
Message-ID: <27ee9bfb0803030854h271687b8s8b7cc0e9e15607d7@mail.gmail.com>

Personally, I am using GPGShell, which, once installed, has
a small app called Copy2USB that mounts a completely
self-contained GnuPG and GPGShell system on the stick, which I
take with me.

See http://www.jumaros.de/rsoft/index.html

Thanks,

--Avi

-- 
en:User:Avraham
----
pub 1024D/785EA229 3/6/2007 Avi (Wikipedia-related)
Primary key fingerprint: D233 20E7 0697 C3BC 4445 7D45 CBA0 3F46 785E A229

From maury.markowitz at gmail.com Mon Mar 3 20:27:35 2008
From: maury.markowitz at gmail.com (Maury Markowitz)
Date: Mon, 3 Mar 2008 14:27:35 -0500
Subject: _almost_ working, now a command line question...
In-Reply-To: <20080303175400.0678F15803E@mailserver6.hushmail.com>
References: <20080303175400.0678F15803E@mailserver6.hushmail.com>
Message-ID: <5bdbc9050803031127x1c43195dr3f4c67cc7d4c6b83@mail.gmail.com>

On Mon, Mar 3, 2008 at 12:53 PM, wrote:
> --passphrase string
> where 'string' is your actual passphrase

Worth a try, but:

gpg: failed to translate osfhandle 0000004A

Maury

From SeidlS at schneider.com Mon Mar 3 20:25:58 2008
From: SeidlS at schneider.com (SeidlS at schneider.com)
Date: Mon, 3 Mar 2008 13:25:58 -0600
Subject: _almost_ working, now a command line question...
In-Reply-To: <20080303175400.0678F15803E@mailserver6.hushmail.com>
Message-ID:

Vedaal,

This works well if you're willing to have the passphrase in the code base
calling GnuPG, but I'm not allowed to. Instead I will be using a file with
the permissions restricted.

I will be able to get around this once development is complete, as this is
only being tested on my windows machine, but will be deployed to Unix type
server where the --passphrase-file option is supported.

Thanks

Scott S.

Sent by: gnupg-users-bounces+seidls=schneider.com at gnupg.org
To: "gnupg"
cc:
Date: 03/03/2008 11:53 AM
Subject: re: _almost_ working, now a command line question...

Maury Markowitz (maury.markowitz at gmail.com) wrote on
Mon Mar 3 17:44:29 CET 2008 :

>Reading passphrase from file descriptor 0 ...

>And then just sits there. Perhaps I can't call a pipe or redirect in
>the VBA shell command; if try I'm pretty much sunk unless I can get
>--passphrase-file to work. And it doesn't.

try this instead of --passphrase-file

--passphrase string

where 'string' is your actual passphrase

vedaal

From JPClizbe at tx.rr.com Mon Mar 3 22:55:08 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 03 Mar 2008 15:55:08 -0600
Subject: GnuPG (win32) on a USB stick
In-Reply-To: <47CC2818.9020201@digital-signal.net>
References: <15796380.post@talk.nabble.com> <47CB66C6.1030608@tx.rr.com>
 <47CC2818.9020201@digital-signal.net>
Message-ID: <47CC73BC.9020005@tx.rr.com>

Andrew Berg wrote:
> John Clizbe wrote:
>> set GNUPGHOME=x:\location\you\want
>>
>
> It would be inconvenient (and inconsiderate to the host machine's
> owner(s)) to set an environment variable on every machine encountered,
> wouldn't it? Sven's idea is much better, I think.

And it shows a clear lack of understanding to think that a SET command at a
Windows command prompt sets an environment variable permanently or globally.
The variable exists in the process environment that invoked the command and
those processes invoked from it.

"Changes made using the SET command are NOT permanent, they apply to the
current CMD prompt only and remain only until the CMD window is closed."
- http://www.ss64.com/nt/set.html

Setting GNUPGHOME is the equivalent of specifying
"--homedir U:\path\to\your\keyrings", but without the need to type (and
possibly mistype) it every time GnuPG is invoked.

-- 
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                PGP/GPG KeyID: 0x608D2A10

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From JPClizbe at tx.rr.com Mon Mar 3 23:23:25 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 03 Mar 2008 16:23:25 -0600
Subject: _almost_ working, now a command line question...
In-Reply-To: <5bdbc9050803030844l5630fcf2qcc4a74934f5aa297@mail.gmail.com>
References: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
 <47C89324.9050204@tx.rr.com>
 <5bdbc9050803010647h3725d562i69f1a8387121ba59@mail.gmail.com>
 <5bdbc9050803030844l5630fcf2qcc4a74934f5aa297@mail.gmail.com>
Message-ID: <47CC7A5D.8010905@tx.rr.com>

Maury Markowitz wrote:

> And then just sits there. Perhaps I can't call a pipe or redirect in
> the VBA shell command; if try I'm pretty much sunk unless I can get
> --passphrase-file to work. And it doesn't.

Option order is sometimes important

> Is --passphrase-file a feature of 2.0 only? If so, is there somewhere
> where I can get a compiled windows binary of it?

Been a part of gnupg 1.x for ages. I tested it on XP with GnuPG 1.4.8

    gpg --batch --passphrase-file <> --output <> --decrypt <>

Here's a test I just did in %TEMP%:

    gpg --batch --passphrase-file passphr --output ptshowdown.decrpt.bmp --decrypt ptshowdown.bmp.asc
    gpg: encrypted with 2048-bit ELG-E key, ID EF4010D2, created 2003-03-06
          "John P. Clizbe "

The passphrase file passphr was created with Cygwin's 'echo -n'

There is yet no binary of GnuPG 2.0 for windows

-- 
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net
or Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From neal.dudley at utoledo.edu Mon Mar 3 22:59:31 2008
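[Added example, not written by any participant in this thread: the passphrase-file checks John Clizbe describes in his two "_almost_ working" replies (file length versus passphrase length, and the line ending), as a Python script that reports what a passphrase file ends with and rewrites it with a single LF. The function names and the sample passphrase are constructed for illustration; the UTF-8 BOM and trailing-whitespace flags go beyond what the thread mentions.]

```python
import os
import tempfile

UTF8_BOM = b"\xef\xbb\xbf"


def describe_passphrase_file(data: bytes) -> dict:
    """Report sizes and terminator of a passphrase file, never the secret."""
    has_bom = data.startswith(UTF8_BOM)
    body = data[len(UTF8_BOM):] if has_bom else data
    # Only the first line is the passphrase; split at the first LF.
    first, lf, rest = body.partition(b"\n")
    if first.endswith(b"\r"):
        terminator = "CRLF" if lf else "CR"
        first = first[:-1]
    else:
        terminator = "LF" if lf else "none"
    return {
        "file_size": len(data),              # what DIR or 'ls -l' shows
        "passphrase_len": len(first),
        "terminator": terminator,
        "bom": has_bom,
        "bytes_after_first_line": len(rest),
        # 'echo secret > file' in CMD leaves a space before the line ending.
        "trailing_whitespace": first != first.rstrip(b" \t"),
    }


def is_clean(report: dict) -> bool:
    """True for 'passphrase + LF' or 'passphrase only' (the echo -n case)."""
    return (report["terminator"] in ("LF", "none")
            and not report["bom"]
            and report["bytes_after_first_line"] == 0)


def normalize(data: bytes) -> bytes:
    """Return first line without BOM or CR, terminated by exactly one LF."""
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    first = body.partition(b"\n")[0]
    if first.endswith(b"\r"):
        first = first[:-1]
    return first + b"\n"


def rewrite_in_place(path: str) -> dict:
    """dos2unix-style fix for one passphrase file; returns the new report."""
    with open(path, "rb") as fh:          # binary mode: no newline translation
        original = fh.read()
    fixed = normalize(original)
    if fixed != original:
        directory = os.path.dirname(os.path.abspath(path))
        # mkstemp creates the temp file readable by the owner only (POSIX).
        fd, tmp = tempfile.mkstemp(dir=directory)
        try:
            with os.fdopen(fd, "wb") as out:
                out.write(fixed)
            os.replace(tmp, path)
        except Exception:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise
    return describe_passphrase_file(fixed)


if __name__ == "__main__":
    # Constructed samples; "correct horse" stands in for a real passphrase.
    samples = {
        "saved by a Windows editor": b"correct horse\r\n",
        "CMD echo with redirect": b"correct horse \r\n",
        "after dos2unix": b"correct horse\n",
        "created with echo -n": b"correct horse",
        "two lines": b"correct horse\nsecond line\n",
    }
    for label, raw in samples.items():
        report = describe_passphrase_file(raw)
        verdict = "ok" if is_clean(report) else "FIX"
        print(f"{verdict:3} {label}: size={report['file_size']} "
              f"len={report['passphrase_len']} end={report['terminator']} "
              f"trailing_ws={report['trailing_whitespace']}")
```

A clean file shows a size equal to the passphrase length plus one (LF) or exactly the passphrase length (no terminator); a size two greater is the CRLF case.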
From: neal.dudley at utoledo.edu (Neal Dudley) Date: Mon, 03 Mar 2008 16:59:31 -0500 Subject: Question on subkeys usage and OpenPGP card. - warning, quite lengthy Message-ID: Why can keys not be signed with a signing subkey rather than a primary signing key? I just learned of this after going to my first signing party. Perhaps I have misunderstood the purpose of subkeys. I have read that it is good practice to create a primary signing key, and then use subkeys on the card. This is the recommended method for setup of the FSFE card, which is just a fancy skin on the OpenPGP card. My problem is that now I have a DSA primary key on trusted media in a safe location, which I have to retrieve for any key signing I want to perform. I cannot simply sign the keys with the signing subkey stored on my OpenPGP card. Are there any security implications for using the same signing key for normal document signing *and* key signing? Would it be any less secure to: 1) generate the primary signing key as a 1024 bit RSA key, 2) create the encryption and authentication keys as 1024 bit RSA subkeys of the signing key, and 3) copy all of these keys to the OpenPGP card? I would also create all the keys using a machine with no network interfaces, booted from a trusted livecd. This procedure should allow me to make a backup copy of my private keys to removable media (usb drive or burn a CD), just in case the card is somehow damaged. It would also afford me the security and usefulness of the card for everyday use (as well as allow me to sign keys using the card). However, then I have to go meet everyone again to sign my new primary signing key. This brings me to my last question. Let us assume that I create a primary signing key with an expiration. I then get that key signed by several people. When the expiration date is near, do I simply create a new signing key and sign it with the original key (before it expires, of course)? 
Is the new key then considered just as trusted as the original key, which has all the signatures on it? Is there any method for transferring the signatures to the new key, or would the new key have to be resigned by everyone that signed the original? Using the default WoT model, doesn't this mean that every third time the key is renewed, it would not be trusted and would need to be resigned by everyone that signed the previous key? Yes, I have RTFM, and several mailing list postings, but I'm still a bit unclear on these questions. If you are still reading this - thank you for your time! I look forward to your reply. From funkdude at gmail.com Tue Mar 4 00:02:02 2008 From: funkdude at gmail.com (nunzky) Date: Mon, 3 Mar 2008 15:02:02 -0800 (PST) Subject: GnuPG (win32) on a USB stick In-Reply-To: <15796380.post@talk.nabble.com> References: <15796380.post@talk.nabble.com> Message-ID: <15816320.post@talk.nabble.com> Thanks everyone of you, you have greatly enlightened me concerning the security risks associated with my endeavor. I will have to rethink my plans, but for now, I think John's idea of setting GNUPGHOME seems like the best idea to me. However, for convenience, I'd like to maybe use a batch file to set it and open a command prompt. This would require me to be able to set it to a relative path (ie, not have to specify a drive letter, as it will change). Is this possible? As for GPGShell, it seems pretty good, but I'd prefer to just keep my old command line if I can. The last version of GPG2Go I could find is 1.4.1, which seems pretty outdated. Also, the author says it is the exact same thing as the official gnupg except repackaged as a zip. Which doesn't solve the problem of gpg writing to local disks by default. -- View this message in context: http://www.nabble.com/GnuPG-%28win32%29-on-a-USB-stick-tp15796380p15816320.html Sent from the GnuPG - User mailing list archive at Nabble.com. From vedaal at hush.com Tue Mar 4 01:20:31 2008 
From: vedaal at hush.com (vedaal at hush.com) Date: Mon, 03 Mar 2008 19:20:31 -0500 Subject: GnuPG (win32) on a USB stick Message-ID: <20080304002031.87703D0102@mailserver10.hushmail.com> nunzky (funkdude at gmail.com) wrote on Tue Mar 4 00:02:02 CET 2008 : >However, for convenience, >I'd like to maybe use a batch file to set it and >open a command prompt. >This would require me to be able to set it to a relative path >(ie, not have to specify a drive letter, as it will change). >Is this possible? easily [1] make a directory called GNUPG on your usb, and copy all the gnupg files into it [2] make the following batch file: set GNUPGHOME=gnupg command.com [3] save this .bat file in the GNUPG directory in your usb double-clicking on the .bat file gets you to a command prompt within gnupg, ready for all gpg commands vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link From dshaw at jabberwocky.com Tue Mar 4 01:47:01 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 3 Mar 2008 19:47:01 -0500 Subject: Question on subkeys usage and OpenPGP card. - warning, quite lengthy In-Reply-To: References: Message-ID: <77AA3ACC-961E-4459-B41C-127A9011009E@jabberwocky.com> On Mar 3, 2008, at 4:59 PM, Neal Dudley wrote: > I have read that it is good practice to create a primary signing > key, and > then use subkeys on the card. This is the recommended method for > setup of > the FSFE card, which is just a fancy skin on the OpenPGP card. My > problem > is that now I have a DSA primary key on trusted media in a safe > location, > which I have to retrieve for any key signing I want to perform. I > cannot > simply sign the keys with the signing subkey stored on my OpenPGP > card. > > Are there any security implications for using the same signing key for > normal document signing *and* key signing? There are only minor security implications to this. The main reason why you use the primary key to sign keys (called "certification", by the way) is semantic. Identity in OpenPGP is a key plus a user ID. That key, given the way keys are laid out, is the primary. The primary is what certifies (self signs) the user ID. It is mathematically possible to certify a user ID with a subkey, but semantically that subkey isn't part of your identity, so the certification is not used. > This brings me to my last question. Let us assume that I create a > primary > signing key with an expiration. I then get that key signed by several > people. When the expiration date is near, do I simply create a new > signing > key and sign it with the original key (before it expires, of > course)? Is > the new key then considered just as trusted as the original key, > which has > all the signatures on it? Is there any method for transferring the > signatures to the new key, or would the new key have to be resigned by > everyone that signed the original? 
Using the default WoT model, > doesn't > this mean that every third time the key is renewed, it would not be > trusted > and would need to be resigned by everyone that signed the previous > key? No, you do not need to make a new key or do anything like that. If and when your key expires, you can simply extend the expiration date as needed. OpenPGP has "soft" key expiration that can be changed at will by the keyholder. David From jmoore3rd at bellsouth.net Tue Mar 4 02:48:19 2008 
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Mon, 03 Mar 2008 20:48:19 -0500 Subject: GnuPG (win32) on a USB stick In-Reply-To: <15816320.post@talk.nabble.com> References: <15796380.post@talk.nabble.com> <15816320.post@talk.nabble.com> Message-ID: <47CCAA63.1010209@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 nunzky wrote: > The last version of GPG2Go I could find is 1.4.1, which seems pretty > outdated. My Bad. I shall Update the Binaries to 1.4.8 tonight and they should be available by this time tomorrow. I admit that I am abysmally slow as a Maintainer. :-[ If Your USB Drive is large enough I could send You the requisite Files direct for GPG2GO and I won't UPX then which will make for slightly faster access function. GPG2GO was originally designed for use from a 3.5 Floppy Drive. :) JOHN ;) Timestamp: Monday 03 Mar 2008, 20:47 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9-svn4691: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From SeidlS at schneider.com Mon Mar 3 23:41:26 2008
From: SeidlS at schneider.com (SeidlS at schneider.com) Date: Mon, 3 Mar 2008 16:41:26 -0600 Subject: _almost_ working, now a command line question... In-Reply-To: <47CC7A5D.8010905@tx.rr.com> Message-ID: Can you try it when streaming data to GnuPG? The following command did not work for me: echo TEST |gpg --clearsign -a --passphrase-file passfile Output: Reading passphrase from file descriptor 3 You need a passphrase to unlock the secret key for user: "XXXXXXX" 1024-bit DSA key, ID XXXXXXX, created 2008-01-29 gpg: no default secret key: bad passphrase gpg: [stdin]: clearsign failed: bad passphrase Thanks Scott S John Clizbe To Sent by: Maury Markowitz gnupg-users-bounc , GnuPG es at gnupg.org Users cc 03/03/2008 04:23 Subject PM Re: _almost_ working, now a command line question... Please respond to GnuPG Users Maury Markowitz wrote: > And then just sits there. Perhaps I can't call a pipe or redirect in > the VBA shell command; if try I'm pretty much sunk unless I can get > --passphrase-file to work. And it doesn't. Option order is sometimes important > Is --passphrase-file a feature of 2.0 only? If so, is there somewhere > where I can get a compiled windows binary of it? Been a part of gnupg 1.x for ages. I tested it on XP with GnuPG 1.4.8 gpg --batch --passphrase-file <> --output <> --decrypt <> Here's a test I just did in %TEMP%: gpg --batch --passphrase-file passphr --output ptshowdown.decrpt.bmp --decrypt ptshowdown.bmp.asc gpg: encrypted with 2048-bit ELG-E key, ID EF4010D2, created 2003-03-06 "John P. Clizbe " The passphrase file passphr was created with Cygwin's 'echo -n' There is yet no binary of GnuPG 2.0 for windows -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerbear.net or Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." 
- Dr Seuss, "Oh the Places You'll Go" (See attached file: signature.asc) _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From JPClizbe at tx.rr.com Tue Mar 4 06:29:47 2008
From: JPClizbe at tx.rr.com (John Clizbe) Date: Mon, 03 Mar 2008 23:29:47 -0600 Subject: _almost_ working, now a command line question... In-Reply-To: References: Message-ID: <47CCDE4B.3080800@tx.rr.com> SeidlS at schneider.com wrote: > Can you try it when streaming data to GnuPG? The following command did not > work for me: > > echo TEST |gpg --clearsign -a --passphrase-file passfile > > Output: > Reading passphrase from file descriptor 3 > > You need a passphrase to unlock the secret key for > user: "XXXXXXX" > 1024-bit DSA key, ID XXXXXXX, created 2008-01-29 > > gpg: no default secret key: bad passphrase > gpg: [stdin]: clearsign failed: bad passphrase Scott, I had the same type of passfile error when I created the file using Windows ECHO which sticks on the end. Does running DIR or ls -l on the passphrase file show it to be longer than it actually is? (Add one byte for end-of-file plus one for CR and another for LF) You can run a hex dump utility such as dump from the cygutils package to verify this. The last bytes will be 0D 0A for CR-LF. You can get cygutils from : http://gnuwin32.sourceforge.net/packages/cygutils.htm If so, running dos2unix on passfile /may/ solve things. It's available from a variety of sources. The GnuWin32 project is a handy source - it's also in the cygutils package. It worked for me with the other batch decrypt problem yesterday, but not yours today. Using the Gnu version of echo with the suppress newline option 'echo -n' to create passfile is also an option, probably the best. echo is part of the coreutils package and is also available from the GnuWin32 project: http://gnuwin32.sourceforge.net/packages/coreutils.htm Using 'echo -n' to create passfile is what worked for me using your command from above. passfile was created with :\path\to\echo -n passphrase > passfile DIR showed passfile to be exactly the same length as the passphrase. 
C:\WINDOWS\Temp>echo TEST |gpg --clearsign -a --passphrase-file passfile Reading passphrase from file descriptor 3 You need a passphrase to unlock the secret key for user: "John P. Clizbe " 1024-bit DSA key, ID 608D2A10, created 2003-03-06 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TEST -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (WinXP Pent3) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. iEYEARECAAYFAkfM0doACgkQHQSsSmCNKhAEJACgwOGzO7EdW2g+4PeTeCmzCnNB e54An06ZsePo75r6qrMO4+5jS87TqM3S =5aOz -----END PGP SIGNATURE----- -- John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con Ginger Bear Networks hkp://keyserver.gingerbear.net or Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 658 bytes Desc: OpenPGP digital signature URL: From elmer.espinosa at gmail.com Tue Mar 4 06:34:07 2008 From: elmer.espinosa at gmail.com (Elmer Espinosa) Date: Tue, 4 Mar 2008 13:34:07 +0800 Subject: Command to decrypt the file Message-ID: <78f71be20803032134l70311365o6064502770783b03@mail.gmail.com> I'm new with GNUPG. I used the command gpg -s file to encrypt the file. to decrpyt the file I used gpg -d file, but the output appear only in the command prompt I was to save it in my local disk I've tried adding the path of the file but it doesn't work any can help me with this. Thanks, Elmer -------------- next part -------------- An HTML attachment was scrubbed... URL: From email at sven-radde.de Tue Mar 4 07:06:15 2008 
From: email at sven-radde.de (Sven Radde) Date: Tue, 04 Mar 2008 07:06:15 +0100 Subject: _almost_ working, now a command line question... In-Reply-To: <47CCDE4B.3080800@tx.rr.com> References: <47CCDE4B.3080800@tx.rr.com> Message-ID: <47CCE6D7.4070100@sven-radde.de> Hi! John Clizbe schrieb: > Using the Gnu version of echo with the suppress newline option 'echo -n' to > create passfile is also an option, probably the best. FWIW, I just created a text file using *notepad*, containing "1234567890" (without pressing enter after that line, and without the quotes) and the length is shown to be exactly 10 bytes (by rightclick-properties and dir). This file can be used as --passphrase-file for a key that I generated to use 1234567890 as passphrase. cu, Sven From neal.dudley at utoledo.edu Tue Mar 4 07:07:19 2008 
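Added example, not part of any message in this thread: a POSIX shell check for the passphrase-file problem discussed above, where a file written by Windows ECHO ends in CR LF and gpg reports "bad passphrase", while a file written with 'echo -n' is exactly as long as the passphrase. The function names and the sample passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect and normalise a file meant for gpg --passphrase-file.
# Function names are hypothetical; the sample passphrase is constructed.

# Print how FILE ends: crlf, lf, cr, none, or empty.
passfile_ending() {
    [ -s "$1" ] || { echo empty; return 0; }
    # Last two bytes as hex, e.g. "0d0a" for CR LF.
    tailhex=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    case $tailhex in
        *0d0a) echo crlf ;;
        *0a)   echo lf ;;
        *0d)   echo cr ;;
        *)     echo none ;;
    esac
}

# Print the size of FILE in bytes (the number DIR or 'ls -l' would show).
passfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Copy the first line of SRC to DST without any CR or LF.
# DST is created readable by its owner only.
normalize_passfile() {
    [ -r "$1" ] || return 1
    cr=$(printf '\r')
    line=
    # read returns non-zero when the last line has no newline;
    # the text is still left in $line, so the status is ignored.
    IFS= read -r line < "$1" || true
    line=${line%"$cr"}
    ( umask 077; printf '%s' "$line" > "$2" )
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: a passphrase file that ends in CR LF.
    printf 'correct horse\r\n' > "$dir/pass_crlf.txt"
    normalize_passfile "$dir/pass_crlf.txt" "$dir/pass_clean.txt"
    for name in pass_crlf.txt pass_clean.txt; do
        echo "$name: $(passfile_size "$dir/$name") bytes," \
             "ending=$(passfile_ending "$dir/$name")"
    done
    rm -rf "$dir"
}
demo
```

A result of "none" together with a byte count equal to the passphrase length matches the file that worked in the test above.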
From: neal.dudley at utoledo.edu (Neal Dudley) Date: Tue, 04 Mar 2008 01:07:19 -0500 Subject: Question on subkeys usage and OpenPGP card. - warning, quite lengthy In-Reply-To: <77AA3ACC-961E-4459-B41C-127A9011009E@jabberwocky.com> Message-ID: Sounds like I should just regenerate a new 1024 bit RSA primary signing key and copy it to the card (and an encryption subkey as well, of course). Thank you for your help! On 3/3/08 7:47 PM, "David Shaw" wrote: > On Mar 3, 2008, at 4:59 PM, Neal Dudley wrote: > >> I have read that it is good practice to create a primary signing >> key, and >> then use subkeys on the card. This is the recommended method for >> setup of >> the FSFE card, which is just a fancy skin on the OpenPGP card. My >> problem >> is that now I have a DSA primary key on trusted media in a safe >> location, >> which I have to retrieve for any key signing I want to perform. I >> cannot >> simply sign the keys with the signing subkey stored on my OpenPGP >> card. >> >> Are there any security implications for using the same signing key for >> normal document signing *and* key signing? > > There are only minor security implications to this. The main reason > why you use the primary key to sign keys (called "certification", by > the way) is semantic. Identity in OpenPGP is a key plus a user ID. > That key, given the way keys are laid out, is the primary. The > primary is what certifies (self signs) the user ID. > > It is mathematically possible to certify a user ID with a subkey, but > semantically that subkey isn't part of your identity, so the > certification is not used. > >> This brings me to my last question. Let us assume that I create a >> primary >> signing key with an expiration. I then get that key signed by several >> people. When the expiration date is near, do I simply create a new >> signing >> key and sign it with the original key (before it expires, of >> course)? 
Is >> the new key then considered just as trusted as the original key, >> which has >> all the signatures on it? Is there any method for transferring the >> signatures to the new key, or would the new key have to be resigned by >> everyone that signed the original? Using the default WoT model, >> doesn't >> this mean that every third time the key is renewed, it would not be >> trusted >> and would need to be resigned by everyone that signed the previous >> key? > > No, you do not need to make a new key or do anything like that. If > and when your key expires, you can simply extend the expiration date > as needed. OpenPGP has "soft" key expiration that can be changed at > will by the keyholder. > > David > From neal.dudley at utoledo.edu Tue Mar 4 07:10:58 2008 From: neal.dudley at utoledo.edu (Neal Dudley) Date: Tue, 04 Mar 2008 01:10:58 -0500 Subject: Command to decrypt the file In-Reply-To: <78f71be20803032134l70311365o6064502770783b03@mail.gmail.com> Message-ID: On decrypting, add ?--output filename?, or ?-o filename? for the short form, to output to the file ?filename?. On 3/4/08 12:34 AM, "Elmer Espinosa" wrote: > I'm new with GNUPG. I used the command gpg -s file to encrypt the file. to > decrpyt the file I used gpg -d file, but the output appear only in the command > prompt I was to save it in my local disk I've tried adding the path of the > file but it doesn't work any can help me with this. > > Thanks, > Elmer > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From email at sven-radde.de Tue Mar 4 07:21:47 2008 
From: email at sven-radde.de (Sven Radde) Date: Tue, 04 Mar 2008 07:21:47 +0100 Subject: Command to decrypt the file In-Reply-To: <78f71be20803032134l70311365o6064502770783b03@mail.gmail.com> References: <78f71be20803032134l70311365o6064502770783b03@mail.gmail.com> Message-ID: <47CCEA7B.8080702@sven-radde.de> Hi! Elmer Espinosa schrieb: > I used the command gpg -s file to encrypt the file. First of all, I am not quite sure whether you just spelled it wrongly here or whether you made a potentially serious mistake. "gpg -s" does *not* encrypt. It signs your file. "gpg -e" encrypts. While the outputs of both operations result in a "scrambled" file (that look pretty "encrypted" for a newbie), the signed one can be opened by anyone with access to your public key. An encrypted one can be opened only by using the private keys of the intended recipient(s). You may have noticed that you were not asked for your passphrase during your decryption attempts... > to decrpyt the file I used gpg -d file, but the output appear only in > the command prompt I was to save it in my local disk Try "gpg -d $file > $filename-to-save-it-under". Or "gpg -d -o $filename-to-save-it-under $file". You don't have to use the "-d" at all, as GnuPG defaults to the right operation (decrypting an encrypted file, verifying a signature, ...). Just try "gpg file". HTH, Sven From jmoore3rd at bellsouth.net Tue Mar 4 07:23:12 2008 
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 04 Mar 2008 01:23:12 -0500 Subject: Question on subkeys usage and OpenPGP card. - warning, quite lengthy In-Reply-To: References: Message-ID: <47CCEAD0.10006@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Neal Dudley wrote: > Sounds like I should just regenerate a new 1024 bit RSA primary signing key > and copy it to the card (and an encryption subkey as well, of course). Please do the World [& Yourself] a favor and generate a Revocation Certificate for the Key you May abandon. ;) If You have 'Sent' the old Key to the Keyservers then Please revoke it and "Go Green" by helping the 'Key Landfill' a little bit. :) JOHN 8-) Timestamp: Tuesday 04 Mar 2008, 01:22 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9-svn4691: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From elmer.espinosa at gmail.com Tue Mar 4 07:43:31 2008
From: elmer.espinosa at gmail.com (Elmer Espinosa) Date: Tue, 4 Mar 2008 14:43:31 +0800 Subject: Command to decrypt the file In-Reply-To: <47CCEA7B.8080702@sven-radde.de> References: <78f71be20803032134l70311365o6064502770783b03@mail.gmail.com> <47CCEA7B.8080702@sven-radde.de> Message-ID: <78f71be20803032243s2e202f17i25acd737fbde5968@mail.gmail.com> Got it thanks Sven. On Tue, Mar 4, 2008 at 2:21 PM, Sven Radde wrote: > Hi! > > Elmer Espinosa schrieb: > > I used the command gpg -s file to encrypt the file. > First of all, I am not quite sure whether you just spelled it wrongly > here or whether you made a potentially serious mistake. > > "gpg -s" does *not* encrypt. It signs your file. "gpg -e" encrypts. > While the outputs of both operations result in a "scrambled" file (that > look pretty "encrypted" for a newbie), the signed one can be opened by > anyone with access to your public key. An encrypted one can be opened > only by using the private keys of the intended recipient(s). You may > have noticed that you were not asked for your passphrase during your > decryption attempts... > > to decrpyt the file I used gpg -d file, but the output appear only in > > the command prompt I was to save it in my local disk > Try "gpg -d $file > $filename-to-save-it-under". Or "gpg -d -o > $filename-to-save-it-under $file". > You don't have to use the "-d" at all, as GnuPG defaults to the right > operation (decrypting an encrypted file, verifying a signature, ...). > Just try "gpg file". > > HTH, Sven > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jmoore3rd at bellsouth.net Tue Mar 4 12:37:47 2008 
From: jmoore3rd at bellsouth.net (John W. Moore III) Date: Tue, 04 Mar 2008 06:37:47 -0500 Subject: [RFC] gnupg 1.4.5: old default options file ignored In-Reply-To: References: Message-ID: <47CD348B.7060608@bellsouth.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Jari Aalto wrote: > [Please keep CC, I'm not in this list] Please JOIN the List: Gnupg-devel mailing list Gnupg-devel at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-devel I do not 'Say' this to be a Smart-A** but merely to be constructive in suggestions. I, personally, consider it rude to query a Forum for Answers, Feedback and Announce that You have chosen to not participate beyond personal, instant gratification. >:o RANT Concluded! JOHN :-\ Timestamp: Tuesday 04 Mar 2008, 06:37 --500 (Eastern Standard Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9-svn4691: (MingW32) Comment: Public Key at: http://tinyurl.com/8cpho Comment: Gossamer Spider Web of Trust: https://www.gswot.org Comment: Homepage: http://tinyurl.com/yzhbhx -----END PGP SIGNATURE----- From bahamut at digital-signal.net Tue Mar 4 17:02:44 2008
From: bahamut at digital-signal.net (Andrew Berg) Date: Tue, 04 Mar 2008 10:02:44 -0600 Subject: GnuPG (win32) on a USB stick In-Reply-To: <47CC73BC.9020005@tx.rr.com> References: <15796380.post@talk.nabble.com> <47CB66C6.1030608@tx.rr.com> <47CC2818.9020201@digital-signal.net> <47CC73BC.9020005@tx.rr.com> Message-ID: <47CD72A4.1010003@digital-signal.net> John Clizbe wrote: > Andrew Berg wrote: > >> John Clizbe wrote: >> >>> set GNUPGHOME=x:\location\you\want >>> >> It would be inconvenient (and inconsiderate to the host machine's >> owner(s)) to set an environment variable on every machine encountered, >> wouldn't it? Sven's idea is much better, I think. >> > And it shows a clear lack of understanding to think that a SET command at a > Windows command prompt sets an environment variable permanently or globally. The > variable exists in the process environment that invoked the command and those > processes invoked from it. > Actually, it shows that I wasn't thinking quite clearly. For some reason, I was thinking of something quite different. Sorry about that. From nobody at 4096.net Sun Mar 2 19:38:13 2008 From: nobody at 4096.net (Anonymous) Date: Sun, 2 Mar 2008 18:38:13 +0000 (UTC) Subject: Strength of ciphers in PGP? Message-ID: <4371d557d383d1fa49fad73c2da0c4b4@4096.net> Do anyone have links to comparisons of the ciphers traditionally used in PGP (IDEA, CAST5, 3DES). Thank you. From elmer.espinosa at gmail.com Mon Mar 3 02:07:47 2008 
From: elmer.espinosa at gmail.com (Elmer Espinosa) Date: Mon, 3 Mar 2008 09:07:47 +0800 Subject: gpg command Message-ID: <78f71be20803021707n76d42c0fh240bd919d0cbcf5e@mail.gmail.com> To whom it may concern, I'm new with GNUPG. I used the command gpg -s file to encrypt the file. to decrpyt the file I used gpg -d file, but the output appear only in the command prompt I was to save it in my local disk I've tried adding the path of the file but it doesn't work any can help me with this. Thanks, Elmer -------------- next part -------------- An HTML attachment was scrubbed... URL: From vl.pavlov at yahoo.com Tue Mar 4 13:24:19 2008 From: vl.pavlov at yahoo.com (vl.pavlov) Date: Tue, 4 Mar 2008 04:24:19 -0800 (PST) Subject: changing location of the home folder from ~/.gnupg to other Message-ID: <15826081.post@talk.nabble.com> hello 2 all i wander is there a way to change location of my home folder, or at least of keyring so that default keyring location is changed any ideas? -- View this message in context: http://www.nabble.com/changing-location-of-the-home-folder-from-%7E-.gnupg-to-other-tp15826081p15826081.html Sent from the GnuPG - User mailing list archive at Nabble.com. From mixmaster at remailer.privacy.at Tue Mar 4 17:17:26 2008 
From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria)) Date: Tue, 4 Mar 2008 17:17:26 +0100 (CET) Subject: IDEA not always working in GNUPG Message-ID: Hi, I occasionally receive messages encrypted by older PGP versions that are not being decrypted by GNUPG 1.4.7 [scrubbed] gpg filename gpg: assuming IDEA encrypted data Enter passphrase: [scrubbed] gpg: [don't know]: invalid packet (ctb=67) gpg: WARNING: message was not integrity protected gpg: [don't know]: invalid packet (ctb=0a) Here is the output of gpg --version: [scrubbed] gpg --version gpg (GnuPG) 1.4.7 Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Is this normal behaviour? I'm getting round by using PGP to decrypt IDEA messages that gpg won't decrypt but gpg does work with some IDEA messages so I can't figure whats wrong. From dshaw at jabberwocky.com Tue Mar 4 17:41:23 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 4 Mar 2008 11:41:23 -0500 Subject: gpg command In-Reply-To: <78f71be20803021707n76d42c0fh240bd919d0cbcf5e@mail.gmail.com> References: <78f71be20803021707n76d42c0fh240bd919d0cbcf5e@mail.gmail.com> Message-ID: <20080304164122.GA1975@jabberwocky.com> On Mon, Mar 03, 2008 at 09:07:47AM +0800, Elmer Espinosa wrote: > To whom it may concern, > > I'm new with GNUPG. I used the command gpg -s file to encrypt the file. to > decrpyt the file I used gpg -d file, but the output appear only in the > command prompt I was to save it in my local disk I've tried adding the path > of the file but it doesn't work any can help me with this. You want the -o option, as in "gpg -o output-goes-here.gpg -e file-to-encrypt" Note that "-s" doesn't encrypt. It signs. David From maury.markowitz at gmail.com Tue Mar 4 17:51:13 2008 From: maury.markowitz at gmail.com (Maury Markowitz) Date: Tue, 4 Mar 2008 11:51:13 -0500 Subject: IDEA? Message-ID: <5bdbc9050803040851u5bb677adqd833dbd03eb9de91@mail.gmail.com> Didn't IDEA's patent expire last year? I notice it's still not in the list unless I load it by hand. Is there something else preventing it from being used? Maury From dshaw at jabberwocky.com Tue Mar 4 17:54:42 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 4 Mar 2008 11:54:42 -0500 Subject: Strength of ciphers in PGP? In-Reply-To: <4371d557d383d1fa49fad73c2da0c4b4@4096.net> References: <4371d557d383d1fa49fad73c2da0c4b4@4096.net> Message-ID: <20080304165442.GB1975@jabberwocky.com> On Sun, Mar 02, 2008 at 06:38:13PM +0000, Anonymous wrote: > Do anyone have links to comparisons of the ciphers traditionally used in > PGP (IDEA, CAST5, 3DES). Thank you. You're not likely to find a comparison between those three ciphers except in the most light sense of the word. Certainly not a "XXXX is better than YYYY" type of thing. The question is just more complicated than that. I'd read these to get the information you want: http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm http://en.wikipedia.org/wiki/CAST5 http://en.wikipedia.org/wiki/3DES David From dshaw at jabberwocky.com Tue Mar 4 17:59:48 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 4 Mar 2008 11:59:48 -0500 Subject: IDEA? In-Reply-To: <5bdbc9050803040851u5bb677adqd833dbd03eb9de91@mail.gmail.com> References: <5bdbc9050803040851u5bb677adqd833dbd03eb9de91@mail.gmail.com> Message-ID: <20080304165948.GC1975@jabberwocky.com> On Tue, Mar 04, 2008 at 11:51:13AM -0500, Maury Markowitz wrote: > Didn't IDEA's patent expire last year? I notice it's still not in the > list unless I load it by hand. Is there something else preventing it > from being used? It's patented until 2010 (2011 in some places). IDEA is effectively dead. I don't mean that as a knock against IDEA - it was a fine cipher for its time, but time has moved on. The only reason to use IDEA is if you want to be compatible with PGP 2 messages. David From dshaw at jabberwocky.com Tue Mar 4 18:01:09 2008 
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 4 Mar 2008 12:01:09 -0500
Subject: changing location of the home folder from ~/.gnupg to other
In-Reply-To: <15826081.post@talk.nabble.com>
References: <15826081.post@talk.nabble.com>
Message-ID: <20080304170109.GD1975@jabberwocky.com>

On Tue, Mar 04, 2008 at 04:24:19AM -0800, vl.pavlov wrote:
>
> hello 2 all
>
> i wonder is there a way to change location of my home folder, or at least of
> keyring so that default keyring location is changed

gpg --homedir /path/to/the/folder

or

export GNUPGHOME=/path/to/the/folder

David

From rjh at sixdemonbag.org Tue Mar 4 18:18:10 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 04 Mar 2008 11:18:10 -0600
Subject: Strength of ciphers in PGP?
In-Reply-To: <4371d557d383d1fa49fad73c2da0c4b4@4096.net>
References: <4371d557d383d1fa49fad73c2da0c4b4@4096.net>
Message-ID: <47CD8452.5050104@sixdemonbag.org>

Anonymous wrote:
> Does anyone have links to comparisons of the ciphers traditionally used in
> PGP (IDEA, CAST5, 3DES). Thank you.

Yes. IDEA is Godzilla, CAST5 is Moth-Ra and 3DES is MechaGodzilla.
They all excel at stomping cities flat and terrorizing inhabitants. All
that people in Tokyo need to know about them is "when you see them
coming, run for the hills."

The above answer is tongue in cheek, but there's a lot of accuracy in
it. Unless you're a professional cryptographer, the various
cryptanalytic analyses of the OpenPGP cipher suite are going to be
pretty much meaningless and unhelpful. For 99% of other people--myself
included--it really reduces down to "they are all believed resistant
against all known forms of cryptanalysis, and are impractical to brute
force."

If you really want to go down this road, it would help if you clarified
your question a lot. What sort of comparisons? How many operations are
involved in an encryption cycle? Decryption cycle? How much processing
is involved in key setup? Relative size of code? Hardware requirements?
Efficiency? Best known cryptanalytic attacks? Etc., etc.

Your question, as phrased, is far too general to give any sort of
meaningful answer except "as far as the layman is concerned, they're
pretty much identical".

From rjh at sixdemonbag.org Tue Mar 4 18:20:37 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 04 Mar 2008 11:20:37 -0600
Subject: IDEA?
In-Reply-To: <5bdbc9050803040851u5bb677adqd833dbd03eb9de91@mail.gmail.com>
References: <5bdbc9050803040851u5bb677adqd833dbd03eb9de91@mail.gmail.com>
Message-ID: <47CD84E5.1070803@sixdemonbag.org>

Maury Markowitz wrote:
> Didn't IDEA's patent expire last year?

2010, I think.

Even once 2010 comes around, there's no point in using it. AES rules
the roost for symmetric ciphers nowadays, and for fairly good reasons.

From maury.markowitz at gmail.com Tue Mar 4 17:48:57 2008
From: maury.markowitz at gmail.com (Maury Markowitz)
Date: Tue, 4 Mar 2008 11:48:57 -0500
Subject: _almost_ working, now a command line question...
In-Reply-To: <47CC7A5D.8010905@tx.rr.com>
References: <5bdbc9050802291210yb9333ccr4d86c867ba1b5e96@mail.gmail.com>
	<47C89324.9050204@tx.rr.com>
	<5bdbc9050803010647h3725d562i69f1a8387121ba59@mail.gmail.com>
	<5bdbc9050803030844l5630fcf2qcc4a74934f5aa297@mail.gmail.com>
	<47CC7A5D.8010905@tx.rr.com>
Message-ID: <5bdbc9050803040848u6f653c28n3e5114d6be4462e2@mail.gmail.com>

On Mon, Mar 3, 2008 at 5:23 PM, John Clizbe wrote:
> Been a part of gnupg 1.x for ages. I tested it on XP with GnuPG 1.4.8
>
> gpg --batch --passphrase-file <> --output <> --decrypt <>

Frigging frig! I had downloaded 1.2.2! Where the heck did I get that?!

Everything is working perfectly now. Thanks to everyone that helped
this noob get up and running. I'll try to repay the kindness by
returning the favor.

Maury

From neal.dudley at utoledo.edu Tue Mar 4 20:15:22 2008
From: neal.dudley at utoledo.edu (Neal Dudley)
Date: Tue, 04 Mar 2008 14:15:22 -0500
Subject: [Junk released by User action] Re: Question on subkeys usage and OpenPGP card. - warning, quite lengthy
In-Reply-To: <47CCEAD0.10006@bellsouth.net>
Message-ID:

Already had the revocations generated, but won't send them to the keyserver
until I gen new replacement keys. Thanks for the reminder, but I have it
covered. Suppose I should have mentioned that, but I kinda thought it went
without saying.

On 3/4/08 1:23 AM, "John W. Moore III" wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Neal Dudley wrote:
>> Sounds like I should just regenerate a new 1024 bit RSA primary signing key
>> and copy it to the card (and an encryption subkey as well, of course).
>
> Please do the World [& Yourself] a favor and generate a Revocation
> Certificate for the Key you May abandon. ;)
>
> If You have 'Sent' the old Key to the Keyservers then Please revoke it
> and "Go Green" by helping the 'Key Landfill' a little bit. :)
>
> JOHN 8-)
> Timestamp: Tuesday 04 Mar 2008, 01:22 --500 (Eastern Standard Time)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9-svn4691: (MingW32)
> Comment: Public Key at: http://tinyurl.com/8cpho
> Comment: Gossamer Spider Web of Trust: https://www.gswot.org
> Comment: Homepage: http://tinyurl.com/yzhbhx
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From jmoore3rd at bellsouth.net Tue Mar 4 22:04:29 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 04 Mar 2008 16:04:29 -0500
Subject: [Junk released by User action] Re: Question on subkeys usage and OpenPGP card. - warning, quite lengthy
In-Reply-To:
References:
Message-ID: <47CDB95D.6010004@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Neal Dudley wrote:
> Already had the revocations generated, but won't send them to the keyserver
> until I gen new replacement keys. Thanks for the reminder, but I have it
> covered. Suppose I should have mentioned that, but I kinda thought it went
> without saying.

Sadly, My experience has shown that it doesn't 'go without saying'. :(

Interestingly, having become the 'Cyber-Executor' for several Friends I
find Myself in the unique position of holding Revocation Certs In escrow
for many Keys. :-\

My advice is to treat the 'care' of Keys as One would any other Asset
and specify what should be done when inevitable demise occurs. Store
the Revocation Certs in a Safe place where they will be found along with
written instructions regarding what should be done with them.

JOHN ;)
Timestamp: Tuesday 04 Mar 2008, 16:04 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9-svn4691: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From kevhilton at gmail.com Thu Mar 6 05:37:18 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Wed, 5 Mar 2008 22:37:18 -0600
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
Message-ID: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>

Was wondering if it would be possible to show the actual gpg version
with the gpg --version flag when using gpg svn version. It would be
nice to show the revision number. thanks

--
Kevin Hilton

From jmoore3rd at bellsouth.net Thu Mar 6 05:55:06 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Wed, 05 Mar 2008 23:55:06 -0500
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
Message-ID: <47CF792A.4040905@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kevin Hilton wrote:
> Was wondering if it would be possible to show the actual gpg version
> with the gpg --version flag when using gpg svn version. It would be
> nice to show the revision number.

Sure it's possible. You just need to provide it in the configure.ac
File prior to building. Check My Encrypted Message for an Example.

JOHN ;)
Timestamp: Wednesday 05 Mar 2008, 23:54 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9-svn4691: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From vl.pavlov at yahoo.com Wed Mar 5 09:38:24 2008
From: vl.pavlov at yahoo.com (vl.pavlov)
Date: Wed, 5 Mar 2008 00:38:24 -0800 (PST)
Subject: changing location of the home folder from ~/.gnupg to other
In-Reply-To: <20080304170109.GD1975@jabberwocky.com>
References: <15826081.post@talk.nabble.com>
	<20080304170109.GD1975@jabberwocky.com>
Message-ID: <15845458.post@talk.nabble.com>

thank U very much david

> export GNUPGHOME=/path/to/the/folder < this command solved the problem

David Shaw wrote:
>
> On Tue, Mar 04, 2008 at 04:24:19AM -0800, vl.pavlov wrote:
>>
>> hello 2 all
>>
>> i wonder is there a way to change location of my home folder, or at least of
>> keyring so that default keyring location is changed
>
> gpg --homedir /path/to/the/folder
> or
> export GNUPGHOME=/path/to/the/folder
>
> David
>

--
View this message in context: http://www.nabble.com/changing-location-of-the-home-folder-from-%7E-.gnupg-to-other-tp15826081p15845458.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From vl.pavlov at yahoo.com Wed Mar 5 09:42:52 2008
From: vl.pavlov at yahoo.com (vl.pavlov)
Date: Wed, 5 Mar 2008 00:42:52 -0800 (PST)
Subject: one more question: is there a way to use additional keyring when needed ?
Message-ID: <15845592.post@talk.nabble.com>

hello again

is there a way to set (defaults) gpg to use additional keyring on defined
location when needed ?

From vl.pavlov at yahoo.com Wed Mar 5 09:53:08 2008
From: vl.pavlov at yahoo.com (vl.pavlov)
Date: Wed, 5 Mar 2008 00:53:08 -0800 (PST)
Subject: changing location of the home folder from ~/.gnupg to other
In-Reply-To: <20080304170109.GD1975@jabberwocky.com>
References: <15826081.post@talk.nabble.com>
	<20080304170109.GD1975@jabberwocky.com>
Message-ID: <15845731.post@talk.nabble.com>

ahoy again

when i use
export GNUPGHOME=/path/to/the/folder
my homedir is changed but when i restart my comp. home dir is still ~/gnupg

strange...

From dshaw at jabberwocky.com Thu Mar 6 18:01:57 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 6 Mar 2008 12:01:57 -0500
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
Message-ID: <20080306170157.GC11319@jabberwocky.com>

On Wed, Mar 05, 2008 at 10:37:18PM -0600, Kevin Hilton wrote:
> Was wondering if it would be possible to show the actual gpg version
> with the gpg --version flag when using gpg svn version. It would be
> nice to show the revision number. thanks

It seems we forgot to reset the flag after the last release. It's
fixed now:

$ gpg --version
gpg (GnuPG) 1.4.9rc1-svn4701

David

From dshaw at jabberwocky.com Thu Mar 6 18:51:25 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 6 Mar 2008 12:51:25 -0500
Subject: one more question: is there a way to use additional keyring when needed ?
In-Reply-To: <15845592.post@talk.nabble.com>
References: <15845592.post@talk.nabble.com>
Message-ID: <20080306175125.GA30317@jabberwocky.com>

On Wed, Mar 05, 2008 at 12:42:52AM -0800, vl.pavlov wrote:
>
> hello again
>
> is there a way to set (defaults) gpg to use additional keyring on defined
> location when needed

Sure, just add "keyring the-other-keyring.gpg" to your gpg.conf file
or give --keyring on the command line. By default, the keyring is
expected to be in your .gnupg directory. If you want, you can give a
"/full/path/to/the/keyring.gpg" to the keyring command and then it
will look anywhere you like.

David

From JPClizbe at tx.rr.com Fri Mar 7 00:00:19 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 06 Mar 2008 17:00:19 -0600
Subject: changing location of the home folder from ~/.gnupg to other
In-Reply-To: <15845731.post@talk.nabble.com>
References: <15826081.post@talk.nabble.com>
	<20080304170109.GD1975@jabberwocky.com>
	<15845731.post@talk.nabble.com>
Message-ID: <47D07783.8030901@tx.rr.com>

vl.pavlov wrote:
> ahoy again
>
> when i use
> export GNUPGHOME=/path/to/the/folder
> my homedir is changed but when i restart my comp. home dir is still ~/gnupg

you'll need to set the environment variable every time you login,
usually this is either in .profile or in .bashrc (assuming you're using
bash as your shell)

--
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net or
Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From kevhilton at gmail.com Fri Mar 7 04:58:44 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Thu, 6 Mar 2008 21:58:44 -0600
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
Message-ID: <96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>

What's wrong with my version -- I'm getting 1.48

$ gpg --version
gpg (GnuPG) 1.4.8-svn4702
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

My configure.ac (at least the top part) looks like this:

# Remember to change the version number immediately *after* a release.
# Set my_issvn to "yes" for non-released code. Remember to run an
# "svn up" and "autogen.sh --force" right before creating a distribution.
m4_define([my_version], [1.4.8])
m4_define([my_issvn], [yes])

m4_define([svn_revision], m4_esyscmd([echo -n $((svn info 2>/dev/null \
    || echo 'Revision: 0')|sed -n '/^Revision:/ s/[^0-9]//gp'|head -1)]))

I'm guessing it should read like this:

m4_define([my_version], [1.4.9])

Since I'm using the svn sources I would have thought this file would
have automatically at least been updated to 1.49 -- or am I missing
something.

From kevhilton at gmail.com Fri Mar 7 05:14:13 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Thu, 6 Mar 2008 22:14:13 -0600
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
	<96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
Message-ID: <96c450350803062014j668618bewdb82fbf2c67b5286@mail.gmail.com>

Oops, David I see what you meant about updating the flag after the
last release -- just updated to the newest svn release and all is
well. Thanks

$ gpg --version
gpg (GnuPG) 1.4.9rc1-svn4705
NOTE: THIS IS A DEVELOPMENT VERSION!

From jmoore3rd at bellsouth.net Fri Mar 7 05:19:50 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu, 06 Mar 2008 23:19:50 -0500
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
	<96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
Message-ID: <47D0C266.30004@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kevin Hilton wrote:
> Whats wrong with my version -- I'm getting 1.48

> Since Im using the svn sources I would have thought this file would
> have automatically at least been updated to 1.49 -- or am I missing
> something.

As David Shaw Posted here earlier; after the release of 1.4.8 there was
a failure to re-set the flag to indicate 1.4.9rc1-svn for subsequent SVN
releases. This was 'fixed' with svn4703/4 released earlier today.

Try building the most current SVN release. :-\

JOHN ;)
Timestamp: Thursday 06 Mar 2008, 23:19 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9-svn4704: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx
-----END PGP SIGNATURE-----

From JPClizbe at tx.rr.com Fri Mar 7 10:51:49 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 07 Mar 2008 03:51:49 -0600
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
	<96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
Message-ID: <47D11035.3060607@tx.rr.com>

Kevin Hilton wrote:
> Whats wrong with my version -- I'm getting 1.4.8
>
> $ gpg --version
> gpg (GnuPG) 1.4.8-svn4702

I'm probably going to regret asking this, but why did you build 1.4.8 for
rev 4702? Rev 4702 was a change for the trunk, aka GnuPG 2.0. It had
nothing at all to do with 1.4. The last check-in before today that
affected the 1.4 branch was rev 4691.

It seems rather silly to (re)build the 1.4 branch every time the 2.0
trunk changes, but I see a group of Windows folks doing it all the time.
At the worst, it leads to the suspicion that folks don't understand the
changes in the code that are taking place. Just because one /can/ do
something, doesn't necessarily mean one /should/.

> Since I'm using the svn sources I would have thought this file would
> have automatically at least been updated to 1.4.9 -- or am I missing
> something.

Changes in the Subversion repository do not magically appear on your
computer. You need to update your copy

svn co svn://cvs.gnupg.org/gnupg/branches/STABLE-BRANCH-1-4 -r 4704 gnupg14

or similar may help.

It's helpful to update at least to the revision that contains the fix
you're interested in, which for your original inquiry was 4703. 4704 was
cosmetic.

--
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net or
Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From kevhilton at gmail.com Fri Mar 7 13:04:35 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Fri, 7 Mar 2008 06:04:35 -0600
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <96c450350803062014j668618bewdb82fbf2c67b5286@mail.gmail.com>
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com>
	<96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com>
	<96c450350803062014j668618bewdb82fbf2c67b5286@mail.gmail.com>
Message-ID: <96c450350803070404t3e2f21favf648b1bba04a9f6f@mail.gmail.com>

Just to clarify I wasn't compiling version 1.48 against rev 4702. The
flag in the configure.ac was not updated to reflect the newer version,
so it appeared it was version 1.48 when in fact it was 1.49 as has
been graciously pointed out to me. Thanks for your help.

From tss at iki.fi Sat Mar 8 10:18:30 2008
From: tss at iki.fi (Timo Sirainen)
Date: Sat, 08 Mar 2008 11:18:30 +0200
Subject: v1.4.8 --textmode incompatible with earlier versions
Message-ID: <1204967910.11220.667.camel@hurina>

When signing data with spaces at the end of lines with --textmode (and
-a -b --sign), v1.4.8 generates signatures that older releases verify as
BAD, and vice versa.

I can't seem to find anything related to this with googling or from NEWS
or ChangeLog file. Was it changed accidentally? Will this get fixed
again in future versions, or should I just stop using --textmode for my
emails?

From dshaw at jabberwocky.com Sat Mar 8 14:46:31 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 8 Mar 2008 08:46:31 -0500
Subject: v1.4.8 --textmode incompatible with earlier versions
In-Reply-To: <1204967910.11220.667.camel@hurina>
References: <1204967910.11220.667.camel@hurina>
Message-ID: <2DB1A7E8-F024-4109-9DB9-DBCA52D9EDEE@jabberwocky.com>

On Mar 8, 2008, at 4:18 AM, Timo Sirainen wrote:

> When signing data with spaces at the end of lines with --textmode (and
> -a -b --sign), v1.4.8 generates signatures that older releases verify as
> BAD, and vice versa.
>
> I can't seem to find anything related to this with googling or from NEWS
> or ChangeLog file. Was it changed accidentally? Will this get fixed
> again in future versions, or should I just stop using --textmode for my
> emails?

This is not a bug. There was a "buglet" in the original OpenPGP
specification around text canonicalization. GnuPG follows the updated
spec (RFC-4880) now. To revert to the older spec, use the
"--rfc2440-text" for this specific issue, or "--rfc2440" for a full
reversion.

David

From f_philipp at fastmail.net Sun Mar 9 10:37:49 2008
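
[Added example, not part of the original thread and not GnuPG's own code: the canonicalization difference referred to in the reply above. RFC 2440 (section 5.2.1) hashes a text document with line endings converted to CRLF and trailing blanks removed, while RFC 4880 (section 5.2.4) only converts the line endings. The function names and the sample message are constructed; treating space and tab as "blanks" is an assumption, and the digests cover only the document portion of the signed data, not the signature trailer.]

```python
import hashlib
import re

_EOL = re.compile(rb"\r?\n")


def canon_rfc4880(text: bytes) -> bytes:
    """Text-signature form per RFC 4880: only line endings become CRLF."""
    return _EOL.sub(b"\r\n", text)


def canon_rfc2440(text: bytes) -> bytes:
    """Text-signature form per RFC 2440: CRLF endings, trailing blanks removed."""
    # Assumption: "blanks" means space and tab.
    return b"\r\n".join(line.rstrip(b" \t") for line in _EOL.split(text))


def lines_at_risk(text: bytes) -> list[int]:
    """1-based numbers of the lines whose trailing blanks make the two forms differ."""
    return [n for n, line in enumerate(_EOL.split(text), 1)
            if line != line.rstrip(b" \t")]


def document_digests(text: bytes) -> dict[str, str]:
    """SHA-256 over the document portion only, under each canonicalization."""
    return {
        "rfc2440": hashlib.sha256(canon_rfc2440(text)).hexdigest(),
        "rfc4880": hashlib.sha256(canon_rfc4880(text)).hexdigest(),
    }


def interoperable(text: bytes) -> bool:
    """True when both rules hash the same bytes, so either side can verify."""
    return canon_rfc2440(text) == canon_rfc4880(text)


# Constructed sample: line 1 ends in a space, line 3 ends in a tab.
SAMPLE = b"Hello list, \nno trailing blank here\nTab at end\t\n"

if __name__ == "__main__":
    print("lines with trailing blanks:", lines_at_risk(SAMPLE))
    print("digests:", document_digests(SAMPLE))
    print("interoperable:", interoperable(SAMPLE))
```

A message for which interoperable() returns True hashes to the same bytes under both rules; the lines reported by lines_at_risk() are the ones that make signer and verifier disagree unless both use the same rule (for example via the --rfc2440-text option named above).
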
From: f_philipp at fastmail.net (Florian Philipp)
Date: Sun, 09 Mar 2008 10:37:49 +0100
Subject: Single Sign On and PAM
Message-ID: <1205055469.12557.37.camel@NOTE_GENTOO64.PHHEIMNETZ>

Hi list!

I'd like to use my login password to automatically decrypt my gpg-keys.
With PAM and gpg-agent all pieces should already exist for such a task,
someone just has to put the pieces together.

Do you know a simple solution for this problem?

I've stumbled upon http://pam-ssh.sourceforge.net and according to its
man-page, gpg-agent can emulate ssh-agent with "--enable-ssh-support".
However, I don't know if they work together all that well and I don't
want to waste my time on that matter until someone with more experience
tells me that this is the way to go.

Thanks in advance!

Florian Philipp

From email at sven-radde.de Sun Mar 9 15:05:54 2008
From: email at sven-radde.de (Sven Radde)
Date: Sun, 09 Mar 2008 15:05:54 +0100
Subject: OpenPGP card stopped working
Message-ID: <1205071554.6429.8.camel@carbon>

Hello!

I was quite happy with my OpenPGP smartcard under Ubuntu up to the
point where it simply stopped working.

This is what I currently get:

$ gpg -v --card-status
gpg: selecting openpgp failed: unknown command
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

Apart from applying the regular patches, the only action I remember that
could possibly have an impact on GnuPG was installing the "seahorse"
package. However, removing it again did not change anything.

Both, card-reader and the card itself run fine under Windows on the same
machine.

Any ideas? Or, for starters, any hints to produce a more meaningful
error message?

Thanks in advance,
Sven

From email at sven-radde.de Sun Mar 9 19:40:32 2008
From: email at sven-radde.de (Sven Radde)
Date: Sun, 09 Mar 2008 19:40:32 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <502970.67745.qm@web53602.mail.re2.yahoo.com>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com>
Message-ID: <1205088032.6429.24.camel@carbon>

Hi!

Thanks for your ideas, Harvey.

On Sunday, 09.03.2008, 10:56 -0700, Harvey Muller wrote:
> If pcscd is running,

Yes, it is.

> then my guess is that there is something wrong with the smartcard driver.
> (...)
> I'm using a GemPC Twin usb card reader. To get it to work, I only have to install pcscd.

Same thing here, only that I have an SCM Microsystems SCR335 reader.
Actually, I was somewhat surprised that I had to install PC/SC at all,
since says that it is "supported by GnuPG directly".

lsusb finds it:

$ lsusb
...
Bus 003 Device 003: ID 04e6:5115 SCM Microsystems, Inc. SCR335 SmartCard Reader
...

While playing with ps, I noticed a seahorse-agent running. When killed,
a call to gpg --card-status would hang forever. Maybe this is of
importance..?

cu, Sven

From hlmuller at yahoo.com Sun Mar 9 18:56:55 2008
From: hlmuller at yahoo.com (Harvey Muller)
Date: Sun, 9 Mar 2008 10:56:55 -0700 (PDT)
Subject: OpenPGP card stopped working
Message-ID: <502970.67745.qm@web53602.mail.re2.yahoo.com>

> Any ideas? Or, for starters, any hints to produce a more meaningful
> error message?

Sven,

I've used the OpenPGP card recently with Gutsy and the Hardy releases
without issue.

To troubleshoot you can try:

$ ps aux | grep pcscd

The above commands should report two lines, one for the grep command,
and the other for the running pcscd. If you only get the grep command,
then pcscd is not starting and you will have to investigate why, or
simply try reinstalling it.

If pcscd is running, then my guess is that there is something wrong with
the smartcard driver. In this case I would try reinstalling the driver
also.

I'm using a GemPC Twin usb card reader. To get it to work, I only have
to install pcscd. It pulls in the pcsclite and libccid dependencies.

Hope this helps,

Harv

From mkallas at schokokeks.org Sun Mar 9 21:19:55 2008
From: mkallas at schokokeks.org (Michael Kesper)
Date: Sun, 9 Mar 2008 21:19:55 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <1205088032.6429.24.camel@carbon>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com>
	<1205088032.6429.24.camel@carbon>
Message-ID: <20080309201955.GA3917@localhost>

Hi,

* Sven Radde [2008-03-09 19:40:32 +0100]:
> Same thing here, only that I have an SCM Microsystems SCR335 reader.
> Actually, I was somewhat surprised that I had to install PC/SC at all, since says that it is "supported by GnuPG directly".

pcscd sometimes gives trouble, for example when you try to create keys on the
card.
For best effect try this howto:
http://www.fsfe.org/en/card/howto/card_reader_howto_udev

Best wishes
Michael

--
Free Software Foundation Europe (FSFE) [] (http://fsfeurope.org)
Join the Fellowship of FSFE! [][][] (http://fsfe.org/join)
Your donation powers our work! [] (http://fsfeurope.org/donate)

From email at sven-radde.de Mon Mar 10 09:22:35 2008
From: email at sven-radde.de (Sven Radde)
Date: Mon, 10 Mar 2008 09:22:35 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <20080309201955.GA3917@localhost>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com>
	<1205088032.6429.24.camel@carbon>
	<20080309201955.GA3917@localhost>
Message-ID: <47D4EFCB.1000608@sven-radde.de>

Hi!

Michael Kesper wrote:
> pcscd sometimes gives trouble, for example when you try to create keys on the
> card.

No problem with that, I created my keys off-card and then moved them.
I thought this would be the easiest way to have a backup key ready if
the card breaks.

> For best effect try this howto:
> http://www.fsfe.org/en/card/howto/card_reader_howto_udev
>

This is pretty much what I did to get it working originally. As far as I
can tell, everything is still in place (all packages are there, the udev
files, too, and I'm in group scard, to summarize it).
I used the howto at gnupg.org but it is essentially the same (the one at
gnupg.org has a broken link to the gnupg-ccid file but I figured that
out quick enough at the time).

cu, Sven

From vl.pavlov at yahoo.com Mon Mar 10 11:09:01 2008
From: vl.pavlov at yahoo.com (vl.pavlov)
Date: Mon, 10 Mar 2008 03:09:01 -0700 (PDT)
Subject: one more question: is there a way to use additional keyring when needed ?
In-Reply-To: <20080306175125.GA30317@jabberwocky.com>
References: <15845592.post@talk.nabble.com>
	<20080306175125.GA30317@jabberwocky.com>
Message-ID: <15950659.post@talk.nabble.com>

hello,

i wish to use additional keyring from USB stick, (i have keys on .gnupg
folder on my stick), but i have troubles,

here is my gpg.conf (from ~/.gnupg)

default-recipient-self
keyserver random.sks.keyserver.penguin.de
default-cert-check-level 3
keyserver-options auto-key-retrieve include-revoked include-subkeys
no-mangle-dos-filenames
no-secmem-warning
keyring /media/USB/.gnupg/secring.gpg << this is the new line i wrote

but in thunderbird i still have no access to my key from stick

probably i did something wrongly

David Shaw wrote:
>
> On Wed, Mar 05, 2008 at 12:42:52AM -0800, vl.pavlov wrote:
>>
>> hello again
>>
>> is there a way to set (defaults) gpg to use additional keyring on defined
>> location when needed
>
> Sure, just add "keyring the-other-keyring.gpg" to your gpg.conf file
> or give --keyring on the command line. By default, the keyring is
> expected to be in your .gnupg directory. If you want, you can give a
> "/full/path/to/the/keyring.gpg" to the keyring command and then it
> will look anywhere you like.
>
> David
>

From rjh at sixdemonbag.org Mon Mar 10 18:56:19 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 10 Mar 2008 12:56:19 -0500
Subject: one more question: is there a way to use additional keyring when needed ?
In-Reply-To: <15950659.post@talk.nabble.com>
References: <15845592.post@talk.nabble.com> <20080306175125.GA30317@jabberwocky.com> <15950659.post@talk.nabble.com>
Message-ID: <47D57643.5050900@sixdemonbag.org>

vl.pavlov wrote:
> but in thunderbird i still have no access to my key from stick

In Enigmail, I think you mean; Thunderbird itself has no OpenPGP
support. This may seem pedantic, but I don't think the Thunderbird crew
would like to be blamed for things that are totally outside of their
purview. :)

The real question is not whether Enigmail can use your USB stick, but
whether you can. Plug in your USB stick and open up a command-line
window. Try to use your secret key that's on the USB stick. If you can
do this, then the bug is in Enigmail and it should be taken to the
Enigmail list. If you can't, then the bug is in your setup or your
usage of GnuPG.

Let us know what happens.

From albert at fsfe.org Mon Mar 10 20:31:40 2008
From: albert at fsfe.org (Albert Dengg)
Date: Mon, 10 Mar 2008 20:31:40 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <47D4EFCB.1000608@sven-radde.de>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com> <1205088032.6429.24.camel@carbon> <20080309201955.GA3917@localhost> <47D4EFCB.1000608@sven-radde.de>
Message-ID: <20080310193140.GA5216@Mjolnir.lan>

On Mon, Mar 10, 2008 at 09:22:35AM +0100, Sven Radde wrote:
> Hi!
>
> Michael Kesper wrote:
>> pcscd sometimes gives trouble, for example when you try to create keys on the
>> card.
> No problem with that, I created my keys off-card and then moved them.
> I thought this would be the easiest way to have a backup key ready if
> the card breaks.
>> For best effect try this howto:
>> http://www.fsfe.org/en/card/howto/card_reader_howto_udev
>>
> This is pretty much what I did to get it working originally. As far as I
> can tell, everything is still in place (all packages are there, the udev
> files, too, and I'm in group scard, to summarize it).
> I used the howto at gnupg.org but it is essentially the same (the one at
> gnupg.org has a broken link to the gnupg-ccid file but I figured that
> out quick enough at the time).

i don't know if it is changed..but last time i looked it did set the
permission through a shell script instead of doing it directly in the
rules file, that gave me trouble (e.g. timing issues) on some machines.

i rewrote the rules file to do it directly and it now works flawlessly
on instant on all machines i tried it on.

you can find my modified gnupg-ccid.rules at:
http://fsfe.org/en/content/download/33133/204727/file/gnupg-ccid.rules
(you won't need the shellscript anymore when using it)

yours
albert

From JPClizbe at tx.rr.com Mon Mar 10 21:18:44 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 10 Mar 2008 15:18:44 -0500
Subject: one more question: is there a way to use additional keyring when needed ?
In-Reply-To: <15950659.post@talk.nabble.com>
References: <15845592.post@talk.nabble.com> <20080306175125.GA30317@jabberwocky.com> <15950659.post@talk.nabble.com>
Message-ID: <47D597A4.6040803@tx.rr.com>

vl.pavlov wrote:
> hello,
>
> i wish to use additional keyring from USB stick, (i have keys on .gnupg
> folder on my stick),
> but i have troubles, here is my gpg.conf (from ~/.gnupg)
>
> default-recipient-self
> keyserver random.sks.keyserver.penguin.de
> default-cert-check-level 3
> keyserver-options auto-key-retrieve include-revoked include-subkeys
> no-mangle-dos-filenames
> no-secmem-warning
> keyring /media/USB/.gnupg/secring.gpg     << this is the new line i wrote
>
> probably i did something wrongly

Try

secret-keyring /media/USB/.gnupg/secring.gpg

If you've also moved the other *.gpg files, you'll also need

primary-keyring /media/USB/.gnupg/pubring.gpg

and

trustdb-name /media/USB/.gnupg/trustdb.gpg

-- 
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net or
Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From wk at gnupg.org Tue Mar 11 09:13:33 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 11 Mar 2008 09:13:33 +0100
Subject: When using svn version gnupg, why isnt svn version shown with gpg --version
In-Reply-To: <47D11035.3060607@tx.rr.com> (John Clizbe's message of "Fri, 07 Mar 2008 03:51:49 -0600")
References: <96c450350803052037q47bd23bfrdb79f0bb9823a18a@mail.gmail.com> <96c450350803061958o68b4339ai4156188e0d3130c4@mail.gmail.com> <47D11035.3060607@tx.rr.com>
Message-ID: <87d4q1oez6.fsf@wheatstone.g10code.de>

On Fri, 7 Mar 2008 10:51, JPClizbe at tx.rr.com said:

> Just because one /can/ do something, doesn't necessarily mean one /should/.

Let me also add that the SVN version may contain bugs and may even not
compile properly. They are basically for development only. If there is
an important fix in unreleased code, please ask and we can post a patch
file.

BTW, I am not sure whether it is stated somewhere else than in
README.maint: If you build the svn version and post a bug report against
this please make sure that you did a

  svn up

from the top directory followed by

  ./autogen.sh --force

the --force is required due to autoconf caching which might not update
the revision number in the version string.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From email at sven-radde.de Tue Mar 11 09:33:55 2008
From: email at sven-radde.de (Sven Radde)
Date: Tue, 11 Mar 2008 09:33:55 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <47D56CB1.2020000@t-online.de>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com> <1205088032.6429.24.camel@carbon> <20080309201955.GA3917@localhost> <47D4EFCB.1000608@sven-radde.de> <47D56CB1.2020000@t-online.de>
Message-ID: <47D643F3.2000204@sven-radde.de>

Hi!

Werner Dittmann wrote:
> I've the same problem with an SCM 535. By running the pcscd in
> foreground with debug enabled I got the following messages:

As far as I can tell from its output, pcscd is running normally.
Inserting and removing the OpenPGP card prints the appropriate messages.
I don't get the "broken pipes".

However, executing "gpg --card-status" does not cause pcscd to print
anything at all. I would expect some output here, shouldn't I?
It appears that GnuPG doesn't even get so far as to communicate with
pcscd, before exiting with the error message of my initial post.

cu, Sven

From email at sven-radde.de Tue Mar 11 09:42:49 2008
From: email at sven-radde.de (Sven Radde)
Date: Tue, 11 Mar 2008 09:42:49 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <20080310193140.GA5216@Mjolnir.lan>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com> <1205088032.6429.24.camel@carbon> <20080309201955.GA3917@localhost> <47D4EFCB.1000608@sven-radde.de> <20080310193140.GA5216@Mjolnir.lan>
Message-ID: <47D64609.1060607@sven-radde.de>

Hi!

Albert Dengg wrote:
> i don't know if it is changed..but last time i looked it did set the
> permission through a shell script

Yes. It is a script that runs chgrp and chmod on 'something'.

> i rewrote the rules file to do it directly and it now works flawlessly
> on instant on all machines i tried it on.
>

Thanks, I will try that tonight.

cu, Sven

From florian.walther at gmail.com Wed Mar 12 11:03:30 2008
From: florian.walther at gmail.com (Florian Walther)
Date: Wed, 12 Mar 2008 11:03:30 +0100
Subject: selecting openpgp failed: ec=6.112
Message-ID:

Hi gpg-users,

tried to make a detached signature of a tar file today and got this:

flow at myhost:/tmp$ gpg --verbose --detach-sign foobar.tar.gz
gpg: verwende Vertrauensmodell PGP
gpg: Schlüssel XXXXXXXX: Akzeptiert als vertrauenswürdiger Schlüssel
gpg: Schlüssel XXXXXXXX: Akzeptiert als vertrauenswürdiger Schlüssel
gpg: Schreiben nach 'foobar.tar.gz.sig'
gpg: selecting openpgp failed: ec=6.112
gpg: Beglaubigung fehlgeschlagen: Allgemeiner Fehler
gpg: signing failed: Allgemeiner Fehler

I was not able to find anything about it in the internet, has anyone
here an idea what the problem could be?
pure encryption works, enigmail works too.
but everything with signatures from the command line does not work.

Thank you

/~flow

-- 
0x417E9C18
556C BCFF 9118 8915 835B C2C2 3756 3407 417E 9C18
skype:florian.walther

From Werner.Dittmann at t-online.de Mon Mar 10 18:15:29 2008
From: Werner.Dittmann at t-online.de (Werner Dittmann)
Date: Mon, 10 Mar 2008 18:15:29 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <47D4EFCB.1000608@sven-radde.de>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com> <1205088032.6429.24.camel@carbon> <20080309201955.GA3917@localhost> <47D4EFCB.1000608@sven-radde.de>
Message-ID: <47D56CB1.2020000@t-online.de>

I've the same problem with an SCM 535. By running the pcscd in
foreground with debug enabled I got the following messages:

pcscdaemon.c:294:main() pcscd set to foreground with debug send to stderr
pcscdaemon.c:507:main() pcsc-lite 1.4.3 daemon ready.
hotplug_libusb.c:454:HPAddHotPluggable() Adding USB device: 001:012
readerfactory.c:1115:RFInitializeReader() Attempting startup of SCM SPR 532 (6020177D) 00 00 using /usr/lib64/readers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.3.0
readerfactory.c:982:RFBindFunctions() Loading IFD Handler 3.0
ifdhandler.c:1239:init_driver() LogLevel: 0x0003
ifdhandler.c:1249:init_driver() DriverOptions: 0x0004
ifdhandler.c:77:IFDHCreateChannelByName() lun: 0, device: usb:04e6/e003:libusb:001:012
ccid_usb.c:229:OpenUSBByName() Manufacturer: Ludovic Rousseau (ludovic.rousseau at free.fr)
ccid_usb.c:239:OpenUSBByName() ProductString: Generic CCID driver v1.3.0
ccid_usb.c:245:OpenUSBByName() Copyright: This driver is protected by terms of the GNU Lesser General Public License version 2.1, or (at your option) any later version.
ccid_usb.c:393:OpenUSBByName() Found Vendor/Product: 04E6/E003 (SCM SPR 532)
ccid_usb.c:395:OpenUSBByName() Using USB bus/device: 001/012
ccid_usb.c:704:ccid_check_firmware() Firmware (4.15) is bogus! but you choosed to use it
ccid_usb.c:744:get_data_rates() IFD does not support GET_DATA_RATES request: Broken pipe
commands.c:754:CmdPowerOff() ICC Power Off failed: Broken pipe
commands.c:754:CmdPowerOff() ICC Power Off failed: Broken pipe
commands.c:754:CmdPowerOff() ICC Power Off failed: Broken pipe
commands.c:845:CmdGetSlotStatus() ICC Slot Status failed: Broken pipe
commands.c:845:CmdGetSlotStatus() ICC Slot Status failed: Broken pipe
commands.c:845:CmdGetSlotStatus() ICC Slot Status failed: Broken pipe
ifdhandler.c:115:IFDHCreateChannelByName() failed
readerfactory.c:1154:RFInitializeReader() Open Port 200000 Failed (usb:04e6/e003:libusb:001)
readerfactory.c:1027:RFUnloadReader() Unloading reader driver.
readerfactory.c:254:RFAddReader() SCM SPR 532 (6020177D) init failed.
pcscdaemon.c:586:signal_trap() Preparing for suicide
readerfactory.c:1381:RFCleanupReaders() entering cleaning function
pcscdaemon.c:532:at_exit() cleaning /var/run

Well, I thought my card reader is defect because of these broken pipe
messages. However, it was all of a sudden, but after some updates (YOU on
my openSUSE 10.3). Maybe there was some new software released that don't
like the card readers anymore :-) .

Does somebody have any clue about this?

Regards,
Werner

Sven Radde wrote:
> Hi!
>
> Michael Kesper wrote:
>> pcscd sometimes gives trouble, for example when you try to create keys
>> on the
>> card.
> No problem with that, I created my keys off-card and then moved them.
> I thought this would be the easiest way to have a backup key ready if
> the card breaks.
>> For best effect try this howto:
>> http://www.fsfe.org/en/card/howto/card_reader_howto_udev
>>
> This is pretty much what I did to get it working originally. As far as I
> can tell, everything is still in place (all packages are there, the udev
> files, too, and I'm in group scard, to summarize it).
> I used the howto at gnupg.org but it is essentially the same (the one at
> gnupg.org has a broken link to the gnupg-ccid file but I figured that
> out quick enough at the time).
>
> cu, Sven
>

From vl.pavlov at yahoo.com Wed Mar 12 11:52:18 2008
From: vl.pavlov at yahoo.com (vl.pavlov)
Date: Wed, 12 Mar 2008 03:52:18 -0700 (PDT)
Subject: one more question: is there a way to use additional keyring when needed ?
In-Reply-To: <47D597A4.6040803@tx.rr.com>
References: <15845592.post@talk.nabble.com> <20080306175125.GA30317@jabberwocky.com> <15950659.post@talk.nabble.com> <47D597A4.6040803@tx.rr.com>
Message-ID: <16001572.post@talk.nabble.com>

hello,

i used

secret-keyring /media/USB/.gnupg/secring.gpg

and everything worked fine, but now enigmail does not recognize
~/.gnupg/secring.gpg as default seckeyring

even with this solution i am satisfied, but still i wonder is there a way
to set additional seckeyring from USB stick ?

thanx for interest

John Clizbe-3 wrote:
>
> vl.pavlov wrote:
>> hello,
>>
>> i wish to use additional keyring from USB stick, (i have keys on .gnupg
>> folder on my stick),
>> but i have troubles, here is my gpg.conf (from ~/.gnupg)
>>
>> default-recipient-self
>> keyserver random.sks.keyserver.penguin.de
>> default-cert-check-level 3
>> keyserver-options auto-key-retrieve include-revoked include-subkeys
>> no-mangle-dos-filenames
>> no-secmem-warning
>> keyring /media/USB/.gnupg/secring.gpg     << this is the new line i wrote
>>
>> probably i did something wrongly
>
> Try
>
> secret-keyring /media/USB/.gnupg/secring.gpg
>
> If you've also moved the other *.gpg files, you'll also need
>
> primary-keyring /media/USB/.gnupg/pubring.gpg
>
> and
>
> trustdb-name /media/USB/.gnupg/trustdb.gpg
>
> --
> John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
> Ginger Bear Networks                hkp://keyserver.gingerbear.net or
> Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net
>
> "Be who you are and say what you feel because those who mind don't matter
> and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
>

From sinux at fsfe.org Wed Mar 12 15:55:56 2008
From: sinux at fsfe.org (Sebastien Chassot)
Date: Wed, 12 Mar 2008 15:55:56 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <47D56CB1.2020000@t-online.de>
References: <502970.67745.qm@web53602.mail.re2.yahoo.com> <1205088032.6429.24.camel@carbon> <20080309201955.GA3917@localhost> <47D4EFCB.1000608@sven-radde.de> <47D56CB1.2020000@t-online.de>
Message-ID: <1205333756.1007.10.camel@dell.sinux.seb>

On Mon, 2008-03-10 at 18:15 +0100, Werner Dittmann wrote:
> I've the same problem with an SCM 535. By running the pcscd in
> foreground with debug enabled I got the following messages:
>

have you tried posting directly the muscle's mailing list ?

http://lists.drizzle.com/pipermail/muscle/

Ludovic Rousseau helped me fixing a SCR335 with a patch. He knows pretty
good how debug pcscd.

You'll maybe get better result ?

Hope it help...;)

-- 
Sebastien

From email at sven-radde.de Wed Mar 12 20:36:37 2008
From: email at sven-radde.de (Sven Radde)
Date: Wed, 12 Mar 2008 20:36:37 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <1205071554.6429.8.camel@carbon>
References: <1205071554.6429.8.camel@carbon>
Message-ID: <1205350597.6290.5.camel@carbon>

Hi!

On Sunday, 09.03.2008, at 15:05 +0100, Sven Radde wrote:
> Apart from applying the regular patches, the only action I remember that
> could possibly have an impact on GnuPG was installing the "seahorse"
> package. However, removing it again did not change anything.

Update: It works again.

Simply removing the seahorse package left a "seahorse-agent" process
running, which was apparently responsible for the hassle.
Only after a reboot that was gone, too...

Cheers, my OpenPGP card is back! All that's left is to wonder why
seahorse (in particular its agent) breaks a working smartcard setup...

cu, Sven

From wk at gnupg.org Thu Mar 13 10:46:16 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Mar 2008 10:46:16 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <47D56CB1.2020000@t-online.de> (Werner Dittmann's message of "Mon, 10 Mar 2008 18:15:29 +0100")
References: <502970.67745.qm@web53602.mail.re2.yahoo.com> <1205088032.6429.24.camel@carbon> <20080309201955.GA3917@localhost> <47D4EFCB.1000608@sven-radde.de> <47D56CB1.2020000@t-online.de>
Message-ID: <87iqzrez2v.fsf@wheatstone.g10code.de>

On Mon, 10 Mar 2008 18:15, Werner.Dittmann at t-online.de said:

> I've the same problem with an SCM 535. By running the pcscd in

You probably meant the SCR 355.

> ccid_usb.c:704:ccid_check_firmware() Firmware (4.15) is bogus! but you choosed to use it

This problem is well known. When using GnuPG with its internal CCID
driver that version of the SCR 335 works fine due to a workaround for
the bug. I developed the whole smart card stuff with such a reader and
thus there should be no problem. Well, unless you need it for non-GnuPG
applications.

Maybe we should come up with an IFD on top of GnuPG's scdaemon ;-)

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Mar 13 10:52:01 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Mar 2008 10:52:01 +0100
Subject: selecting openpgp failed: ec=6.112
In-Reply-To: (Florian Walther's message of "Wed, 12 Mar 2008 11:03:30 +0100")
References:
Message-ID: <87ejafeyta.fsf@wheatstone.g10code.de>

On Wed, 12 Mar 2008 11:03, florian.walther at gmail.com said:

> flow at myhost:/tmp$ gpg --verbose --detach-sign foobar.tar.gz
> gpg: verwende Vertrauensmodell PGP
> gpg: Schlüssel XXXXXXXX: Akzeptiert als vertrauenswürdiger Schlüssel
> gpg: Schlüssel XXXXXXXX: Akzeptiert als vertrauenswürdiger Schlüssel
> gpg: Schreiben nach 'foobar.tar.gz.sig'
> gpg: selecting openpgp failed: ec=6.112

Scdaemon tells you: "Card not present". Sorry, for the plain error
codes; using gpg2 should give you a readable error message.

Scdaemon is used by gpg if available because scdaemon has exclusive
access to the reader and thus gpg's internal code can't work directly
with the card.

Sometimes it happens that scdaemon does not correctly detect a card
change. The easiest fix is to pkill scdaemon two times so that it gets
restarted by gpg-agent.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Mar 13 10:58:13 2008
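[Added example, not part of the archived thread and not GnuPG code.] The reply above reads "ec=6.112" as "scdaemon says: Card not present"; this Python sketch decodes such pairs as libgpg-error source and code numbers and shows how the two halves pack into one 32-bit error value. The name tables are a deliberately partial copy of libgpg-error's numbering, the function names are hypothetical, and the sample stderr is constructed from the output quoted in the thread.

```python
"""Decode the 'ec=<source>.<code>' pairs that gpg 1.4 prints for card errors."""
import re

# Partial tables using libgpg-error's numbering. Only entries relevant to
# smartcard trouble are listed; anything else is reported numerically.
ERR_SOURCES = {
    0: "GPG_ERR_SOURCE_UNKNOWN",
    1: "GPG_ERR_SOURCE_GCRYPT",
    2: "GPG_ERR_SOURCE_GPG",
    3: "GPG_ERR_SOURCE_GPGSM",
    4: "GPG_ERR_SOURCE_GPGAGENT",
    5: "GPG_ERR_SOURCE_PINENTRY",
    6: "GPG_ERR_SOURCE_SCD",
}
ERR_CODES = {
    1: ("GPG_ERR_GENERAL", "General error"),
    108: ("GPG_ERR_CARD", "Card error"),
    109: ("GPG_ERR_CARD_RESET", "Card reset required"),
    110: ("GPG_ERR_CARD_REMOVED", "Card removed"),
    111: ("GPG_ERR_INV_CARD", "Invalid card"),
    112: ("GPG_ERR_CARD_NOT_PRESENT", "Card not present"),
}

# Layout of a packed 32-bit gpg_error_t: source in bits 24..30, code in bits 0..15.
SOURCE_SHIFT = 24
SOURCE_MASK = 0x7F
CODE_MASK = 0xFFFF

EC_PATTERN = re.compile(r"\bec=(\d+)\.(\d+)\b")


def parse_ec(line):
    """Return (source, code) from a line containing 'ec=S.C', else None."""
    match = EC_PATTERN.search(line)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def make_error(source, code):
    """Pack source and code the way libgpg-error does."""
    return ((source & SOURCE_MASK) << SOURCE_SHIFT) | (code & CODE_MASK)


def split_error(value):
    """Inverse of make_error(): unpack a 32-bit error value."""
    return (value >> SOURCE_SHIFT) & SOURCE_MASK, value & CODE_MASK


def describe(source, code):
    """Human-readable form; unknown numbers are kept rather than guessed."""
    src = ERR_SOURCES.get(source, "source %d" % source)
    if code in ERR_CODES:
        name, text = ERR_CODES[code]
        return "%s: %s (%s)" % (src, name, text)
    return "%s: code %d (not in this partial table)" % (src, code)


def decode_stderr(text):
    """Scan captured gpg stderr and decode every line carrying an ec= pair."""
    findings = []
    for line in text.splitlines():
        pair = parse_ec(line)
        if pair is None:
            continue
        source, code = pair
        findings.append({
            "line": line.strip(),
            "source": source,
            "code": code,
            "packed": "0x%08x" % make_error(source, code),
            "meaning": describe(source, code),
            # Source 6 means the error came back from scdaemon, not from
            # gpg's own card code, which is the point made in the reply.
            "from_scdaemon": source == 6,
        })
    return findings


# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_STDERR = """\
gpg: Schreiben nach 'foobar.tar.gz.sig'
gpg: selecting openpgp failed: ec=6.112
gpg: signing failed: Allgemeiner Fehler
"""

if __name__ == "__main__":
    for finding in decode_stderr(SAMPLE_STDERR):
        print("%(line)s\n  -> %(meaning)s [%(packed)s]" % finding)
```
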
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Mar 2008 10:58:13 +0100
Subject: Single Sign On and PAM
In-Reply-To: <1205055469.12557.37.camel@NOTE_GENTOO64.PHHEIMNETZ> (Florian Philipp's message of "Sun, 09 Mar 2008 10:37:49 +0100")
References: <1205055469.12557.37.camel@NOTE_GENTOO64.PHHEIMNETZ>
Message-ID: <87abl3eyiy.fsf@wheatstone.g10code.de>

On Sun, 9 Mar 2008 10:37, f_philipp at fastmail.net said:

> I'd like to use my login password to automatically decrypt my gpg-keys.
> With PAM and gpg-agent all pieces should already exist for such a task,
> someone just have to put the pieces together.

What you want is Poldi:

$ apt-cache show libpam-poldi
Package: libpam-poldi
Depends: libc6 (>= 2.5), libgcrypt11 (>= 1.2.2), libgpg-error0 (>= 1.4), libusb-0.1-4 (>= 2:0.1.12)
Description: PAM module allowing authentication using a OpenPGP smartcard
 This PAM module will allow you to login, screenlock and validate to
 services using your GnuPG smartcard. You might have expected to find this
 with a name of libpam-pgp, libpam-gpg, libpam-openpgp or libpam-gnupg.
 .
 This code is considered experimental and needs more testing. It is,
 however, already used for the daily login.
Tag: security::authentication

Sources should be on ftp.gnupg.org/gcrypt/alpha - I am not sure right
now.

> man-page, gpg-agent can emulate ssh-agent with "--enable-ssh-support".

That works really well, I am using it for at least two years now.
Daily, for all purposes including cron jobs and smartcards. To test it
on a system without a running gpg-agent you can do this:

  $ gpg-agent --daemon --enable-ssh-support sh
  $ ssh-add -l

and it shows you your keys. There is a howto somewhere floating around.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From pubcrawler.com at gmail.com Thu Mar 13 10:52:06 2008
From: pubcrawler.com at gmail.com (pub crawler)
Date: Thu, 13 Mar 2008 04:52:06 -0500
Subject: Offloading encryption to crypto card?
Message-ID: <4c3149fb0803130252u3b271ffas8dc101e2dd86c95d@mail.gmail.com>

We are new to GnuPG.... started using this in the past few weeks.

We have large hundred and more megabyte files that we are regularly
encrypting and decrypting as needed.

Obviously, this takes time- more time than we sometimes like.

Will something like the Rainbow Technologies CryptoSwift card help with
speeding up GnuPG? Are these cards supported or similar cards from
other manufacturers?

Thanks!

From 210525p42015 at denstarfarm.us Thu Mar 13 12:22:40 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Thu, 13 Mar 2008 07:22:40 -0400
Subject: Unable to "create" enigdbug.txt
Message-ID: <47D90E80.80502@denstarfarm.us>

I noticed this log-error to console, this AM.

2008-03-13 05:48:13.589 enigmail.js: CreateFileStream: Failed to create \desktop/enigdbug.txt

Wondering how I can rectify the problem in my OS/X 10.4 sys

and

wondering where enigmail.js is located since I was unable to find it
with a normal search on the Mac here.

Thanks

From shavital at mac.com Thu Mar 13 13:29:14 2008
From: shavital at mac.com (Charly Avital)
Date: Thu, 13 Mar 2008 08:29:14 -0400
Subject: Unable to "create" enigdbug.txt
In-Reply-To: <47D90E80.80502@denstarfarm.us>
References: <47D90E80.80502@denstarfarm.us>
Message-ID: <47D91E1A.8020001@mac.com>

Robert D. wrote the following on 3/13/08 7:22 AM:
> I noticed this log-error to console, this AM.
>
> 2008-03-13 05:48:13.589 enigmail.js: CreateFileStream: Failed to create \desktop/enigdbug.txt
>
> Wondering how I can rectify the problem in my OS/X 10.4 sys
>
> and
>
> wondering where enigmail.js is located since I was unable to find it with a normal search on the Mac here.
>
> Thanks

In my OS X 10.5.2, enigmail.js is located at:

$HOME/Library/Thunderbird/Profiles/string.default/extensions/{string}/components/enigmail.js

How to rectify the problem? I have Googled enigdbug.txt macos, found
many links mainly to postings by Mac users, but I can't relate them to
your problem. Maybe you might try a Google search with your own key words?

From the raw source view of your e-mail, you are running:
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12)
Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.0

Charly
MacOS 10.5.2 - MacBook Intel C2Duo - GnuPG 1.4.8 - GPG2 2.0.8
Thunderbird 2.0.0.12- Enigmail 0.95.6

From eocsor at gmail.com Thu Mar 13 12:51:43 2008
From: eocsor at gmail.com (Roscoe)
Date: Thu, 13 Mar 2008 21:21:43 +0930
Subject: Offloading encryption to crypto card?
In-Reply-To: <4c3149fb0803130252u3b271ffas8dc101e2dd86c95d@mail.gmail.com>
References: <4c3149fb0803130252u3b271ffas8dc101e2dd86c95d@mail.gmail.com>
Message-ID:

Not really answering your question but...

openssl could be an option, as I gather that supports a few crypto
accelerators. I presume it would use them when calling openssl enc.

2008/3/13 pub crawler :
> We are new to GnuPG.... started using this in the past few weeks.
>
> We have large hundred and more megabyte files that we are regularly
> encrypting and decrypting as needed.
>
> Obviously, this takes time- more time than we sometimes like.
>
> Will something like the Rainbow Technologies CryptoSwift card help with
> speeding up GnuPG? Are these cards
> supported or similar cards from other manufacturers?
>
> Thanks!
>

From wk at gnupg.org Thu Mar 13 15:49:13 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 13 Mar 2008 15:49:13 +0100
Subject: Offloading encryption to crypto card?
In-Reply-To: (eocsor@gmail.com's message of "Thu, 13 Mar 2008 21:21:43 +0930")
References: <4c3149fb0803130252u3b271ffas8dc101e2dd86c95d@mail.gmail.com>
Message-ID: <87y78md6hi.fsf@wheatstone.g10code.de>

On Thu, 13 Mar 2008 12:51, eocsor at gmail.com said:

> openssl could be an option, as I gather that supports a few crypto
> accelerators. I presume it would use them when calling openssl enc.

Well, it is about bulk encryption and thus it is an I/O problem.
Today's general purpose CPUs are faster than average accelerators.

> 2008/3/13 pub crawler :

>> We have large hundred and more megabyte files that we are regularly
>> encrypting and decrypting as needed.

It should be possible to tune gpg for better performance for large
amounts of data. Increasing the internal buffers should help. gpg is a
general purpose tool and designed to work with a low memory footprint.

Another option would be to write a module for doing the bulk encryption
part in an optimized way.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From John at Mozilla-Enigmail.org Thu Mar 13 17:24:13 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 13 Mar 2008 11:24:13 -0500
Subject: Unable to "create" enigdbug.txt
In-Reply-To: <47D91E1A.8020001@mac.com>
References: <47D90E80.80502@denstarfarm.us> <47D91E1A.8020001@mac.com>
Message-ID: <47D9552D.7030209@Mozilla-Enigmail.org>

Charly Avital wrote:
> Robert D. wrote the following on 3/13/08 7:22 AM:
>> I noticed this log-error to console, this AM.
>>
>> 2008-03-13 05:48:13.589 enigmail.js: CreateFileStream: Failed to create \desktop/enigdbug.txt
>> Wondering how I can rectify the problem in my OS/X 10.4 sys
>> and
>> wondering where enigmail.js is located since I was unable to find it with a
>> normal search on the Mac here.
>
> In my OS X 10.5.2, enigmail.js is located at:
>
> $HOME/Library/Thunderbird/Profiles/string.default/extensions/{string}/components/enigmail.js
>
> How to rectify the problem? I have Googled enigdbug.txt macos, found
> many links mainly to postings by Mac users, but I can't relate them to
> your problem. Maybe you might try a Google search with your own key words?
>
> From the raw source view of your e-mail, you are running:
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12)
> Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.0

The first step I'd take toward rectifying this would probably be to ask
on the *Enigmail* list, enigmail at mozdev.org. Folks with plenty of
Mac OS X development skills and specific knowledge of Enigmail are
there. This really isn't a GnuPG problem.

Second, Note: I am *not* an OS X user, /but/ in Enigmail's Advanced
Preferences, on the Debugging tab, there is an entry for 'Log
Directory'. This is usually set to the location of the user's or
system's temp directory, /tmp.

It looks like this value is undefined for the OP and Enigmail is left
ending up trying to create it on the fall-back default, Desktop.
Actually, Enigmail's routine is returning "", an empty string. Desktop
would be the OS default.

-- 
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail . org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
Send email with subject HELP to pgp-public-keys at keyserver.gingerbear.net

"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From 210525p42015 at denstarfarm.us Thu Mar 13 18:45:13 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Thu, 13 Mar 2008 13:45:13 -0400
Subject: Unable to "create" enigdbug.txt
In-Reply-To: <47D9552D.7030209@Mozilla-Enigmail.org>
References: <47D90E80.80502@denstarfarm.us> <47D91E1A.8020001@mac.com> <47D9552D.7030209@Mozilla-Enigmail.org>
Message-ID: <47D96829.90901@denstarfarm.us>

John Clizbe said the following:
> Second, Note: I am *not* an OS X user, /but/ in Enigmail's Advanced Preferences,
> on the Debugging tab, there is an entry for 'Log Directory'. This is usually set
> to the location of the user's or system's temp directory, /tmp.

thanks

re; the enigmail group suggestion, now I *must* go there as whatever
messing around I did earlier, suddenly I get a notice that Enigmail
failed to initialize

From 210525p42015 at denstarfarm.us Thu Mar 13 19:20:57 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Thu, 13 Mar 2008 14:20:57 -0400
Subject: Unable to "create" enigdbug.txt
In-Reply-To: <47D96829.90901@denstarfarm.us>
References: <47D90E80.80502@denstarfarm.us> <47D91E1A.8020001@mac.com> <47D9552D.7030209@Mozilla-Enigmail.org> <47D96829.90901@denstarfarm.us>
Message-ID: <47D97089.8050707@denstarfarm.us>

Robert D. said the following:
|> suddenly I get a notice that Enigmail
| failed to initialize

no idea what I did, however, I did a re-install and all is well now.

The lesson is keep fingers out of plumb-pie sitting on counter in kitchen.

From a24061 at ducksburg.com Thu Mar 13 22:39:36 2008
From: a24061 at ducksburg.com (Adam Funk)
Date: Thu, 13 Mar 2008 21:39:36 +0000
Subject: Using gpg-agent like ssh-agent?
Message-ID:

I work with ssh-agent using ssh-add from the command line: "ssh-add
key0 key1 key2" to activate keys (sometimes with -t to set a time
limit), and "ssh-add -d key1" or "ssh-add -D" to deactivate them.

Is there a similar way to work with gpg-agent?

From devnull at Karl-Voit.at Mon Mar 17 16:42:49 2008
From: devnull at Karl-Voit.at (Karl Voit)
Date: Mon, 17 Mar 2008 16:42:49 +0100
Subject: How to establish a company web-of-trust
Message-ID: <2008-03-17T16-38-52@devnull.Karl-Voit.at>

Hi!

I want to establish secure email communication in our company
(Windows, Outlook, gpg4win). I do not want to maintain a keyserver
by myself.

My attempt: every employee generates his own keypair and exports the
public key to a keyserver. I as the admin downloads his key from the
server, compares the ID with the employee and signs the key with the
"central company key".

Any communication partner can check, whether the key of the employee
was signed by our official "company key" which is downloadable from
our web site.

So far so good - I think.

But: what if an employee quits the company? Can I revoke the
signature? WinPT (as a key management frontend) does not seem to
provide this feature.

Thank you for your ideas!

-- 
Karl Voit

From devnull at Karl-Voit.at Mon Mar 17 17:23:39 2008
From: devnull at Karl-Voit.at (Karl Voit) Date: Mon, 17 Mar 2008 17:23:39 +0100 Subject: How to establish a company web-of-trust References: <2008-03-17T16-38-52__43933.8797740222$1205768917$gmane$org@devnull.Karl-Voit.at> Message-ID: <2008-03-17T17-22-00@devnull.Karl-Voit.at> * Karl Voit wrote: > > I want to establish secure email communication in our company > (Windows, Outlook, gpg4win). I do not want to maintain a keyserver > by myself. > > My attempt: every employee generates his own keypair and exports the > public key to a keyserver. I as the admin downloads his key from the > server, compares the ID with the employee and signs the key with the > "central company key". > > Any communication partner can check, wether the key of the employee > was signed by our official "company key" which is downloadable from > our web site. > > So far so good - I think. > > But: what if an employee quits the company? Can I revoke the > signature? WinPT (as a key management frontend) does not seem to > provide this feature. I just found out that WinPT does not provide all options that gpg (command line version) provides :-( So my current attempt is: the employee has to add the company key as a revoker and then export it to the keyserver. So the company key is able to revoke any employees key. This seems to be a clean attempt for me now. Any suggestions? -- Karl Voit [X] expressive subjects NOW! From sattva at pgpru.com Mon Mar 17 17:23:22 2008 
From: sattva at pgpru.com (Vlad "SATtva" Miller) Date: Mon, 17 Mar 2008 22:23:22 +0600 Subject: How to establish a company web-of-trust In-Reply-To: <2008-03-17T16-38-52@devnull.Karl-Voit.at> References: <2008-03-17T16-38-52@devnull.Karl-Voit.at> Message-ID: <47DE9AFA.20502@pgpru.com> Karl Voit wrote on 17.03.2008 21:42: > But: what if an employee quits the company? Can I revoke the > signature? <...> Sure! Just $ gpg --edit-key , then select the corresponding UID and issue revsig command. Search gpg man for revsig command for details. -- SATtva | security & privacy consulting www.vladmiller.info | www.pgpru.com From dshaw at jabberwocky.com Mon Mar 17 18:22:09 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 17 Mar 2008 13:22:09 -0400 Subject: How to establish a company web-of-trust In-Reply-To: <2008-03-17T17-22-00@devnull.Karl-Voit.at> References: <2008-03-17T16-38-52__43933.8797740222$1205768917$gmane$org@devnull.Karl-Voit.at> <2008-03-17T17-22-00@devnull.Karl-Voit.at> Message-ID: <20080317172209.GB22491@jabberwocky.com> On Mon, Mar 17, 2008 at 05:23:39PM +0100, Karl Voit wrote: > * Karl Voit wrote: > > > > I want to establish secure email communication in our company > > (Windows, Outlook, gpg4win). I do not want to maintain a keyserver > > by myself. > > > > My attempt: every employee generates his own keypair and exports the > > public key to a keyserver. I as the admin downloads his key from the > > server, compares the ID with the employee and signs the key with the > > "central company key". > > > > Any communication partner can check, wether the key of the employee > > was signed by our official "company key" which is downloadable from > > our web site. > > > > So far so good - I think. > > > > But: what if an employee quits the company? Can I revoke the > > signature? WinPT (as a key management frontend) does not seem to > > provide this feature. > > I just found out that WinPT does not provide all options that gpg > (command line version) provides :-( > > So my current attempt is: the employee has to add the company key as > a revoker and then export it to the keyserver. So the company key is > able to revoke any employees key. Note that those methods are only useful so long as the communication partner gets the key from your company (a web page, a company keyserver, or the like), and not from a public keyserver or from the employee. The reason for this is that keys or signatures can be 'unrevoked' by a malicious 3rd party (who may or may not be the employee). David From devnull at Karl-Voit.at Mon Mar 17 21:11:30 2008 
From: devnull at Karl-Voit.at (Karl Voit) Date: Mon, 17 Mar 2008 21:11:30 +0100 Subject: How to establish a company web-of-trust References: <2008-03-17T16-38-52__43933.8797740222$1205768917$gmane$org@devnull.Karl-Voit.at> <2008-03-17T17-22-00@devnull.Karl-Voit.at> <20080317172209.GB22491__49384.5545257956$1205774710$gmane$org@jabberwocky.com> Message-ID: <2008-03-17T21-08-47@devnull.Karl-Voit.at> * David Shaw wrote: >> >> So my current attempt is: the employee has to add the company key as >> a revoker and then export it to the keyserver. So the company key is >> able to revoke any employees key. > > Note that those methods are only useful so long as the communication > partner gets the key from your company (a web page, a company > keyserver, or the like), and not from a public keyserver or from the > employee. The reason for this is that keys or signatures can be > 'unrevoked' by a malicious 3rd party (who may or may not be the > employee). The official public key from our company is on our company website. Thanks for the hint I forgot to mention. So either with revoking the signature or (or better "and") revoking the key with the "add revoker"-method, the concept is OK. Right? I don't want to get into any troubles in future because I forgot some issue I did not thought of ... :-) -- Karl Voit From neal.dudley at utoledo.edu Mon Mar 17 21:24:34 2008 
From: neal.dudley at utoledo.edu (Neal Dudley) Date: Mon, 17 Mar 2008 16:24:34 -0400 Subject: How to establish a company web-of-trust In-Reply-To: <2008-03-17T17-22-00@devnull.Karl-Voit.at> References: <2008-03-17T17-22-00@devnull.Karl-Voit.at> Message-ID: <47DED382.7060600@utoledo.edu> Some points to consider: Regardless of whether or not the company signing key has signed or revoked it's signature on the user's signing key, it is ultimately up to the employee to trust or not trust the other employee's key(s). This is one of the beautiful points of PGP/GPG - there is no third party to dictate who's keys you can trust or not trust. That trust decision is solely up to the user. Please, no one flame me, but it is worth looking at S/MIME and PGP for this issue. Yes, on a purely technical level, we are talking about the same cryptographic algorithms. The difference between S/MIME and PGP, as I understand it, is mainly semantics involving the trust relationships. In S/MIME, a third party dictates to you what is to be trusted or untrusted. In contrast, under PGP the user defines what is to be trusted or not. I'm very interested in this thread, as I'm not clear as to how you could create policies (at least ones that can be enforced) to control trust relationships in a company. This seems to be more a question of office politics than secure email technology. In a small company, this could certainly be handled. Mention the issue at the regular staff meetings, and it remains the user's responsibility to revoke trust in that keypair. By the same token - good luck to you in implementing this if you are referring to a larger company. If you create scripts or otherwise to force employees to check their keyring against some central corporate keyserver, please share. I hope your users are savvy enough to understand what they are doing. If that is the case, so much the better for you, lucky dog! 
Karl Voit wrote: > * Karl Voit wrote: >> >> I want to establish secure email communication in our company >> (Windows, Outlook, gpg4win). I do not want to maintain a keyserver >> by myself. >> >> My attempt: every employee generates his own keypair and exports the >> public key to a keyserver. I as the admin downloads his key from the >> server, compares the ID with the employee and signs the key with the >> "central company key". >> >> Any communication partner can check, wether the key of the employee >> was signed by our official "company key" which is downloadable from >> our web site. >> >> So far so good - I think. >> >> But: what if an employee quits the company? Can I revoke the >> signature? WinPT (as a key management frontend) does not seem to >> provide this feature. > > I just found out that WinPT does not provide all options that gpg > (command line version) provides :-( > > So my current attempt is: the employee has to add the company key as > a revoker and then export it to the keyserver. So the company key is > able to revoke any employees key. > > This seems to be a clean attempt for me now. > > Any suggestions? > > -- > Karl Voit > [X] expressive > subjects NOW! From dshaw at jabberwocky.com Mon Mar 17 22:06:17 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 17 Mar 2008 17:06:17 -0400 Subject: How to establish a company web-of-trust In-Reply-To: <2008-03-17T21-08-47@devnull.Karl-Voit.at> References: <2008-03-17T16-38-52__43933.8797740222$1205768917$gmane$org@devnull.Karl-Voit.at> <2008-03-17T17-22-00@devnull.Karl-Voit.at> <20080317172209.GB22491__49384.5545257956$1205774710$gmane$org@jabberwocky.com> <2008-03-17T21-08-47@devnull.Karl-Voit.at> Message-ID: <20080317210617.GK22491@jabberwocky.com> On Mon, Mar 17, 2008 at 09:11:30PM +0100, Karl Voit wrote: > * David Shaw wrote: > >> > >> So my current attempt is: the employee has to add the company key as > >> a revoker and then export it to the keyserver. So the company key is > >> able to revoke any employees key. > > > > Note that those methods are only useful so long as the communication > > partner gets the key from your company (a web page, a company > > keyserver, or the like), and not from a public keyserver or from the > > employee. The reason for this is that keys or signatures can be > > 'unrevoked' by a malicious 3rd party (who may or may not be the > > employee). > > The official public key from our company is on our company website. > > Thanks for the hint I forgot to mention. > > So either with revoking the signature or (or better "and") revoking > the key with the "add revoker"-method, the concept is OK. Right? The official public key *and* the employee key must be retrieved from somewhere under your control. You can get away with using public keyservers for this, but it's not a guarantee. David From devnull at Karl-Voit.at Mon Mar 17 23:13:26 2008 
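David Shaw's point about 'unrevoked' keys, as an added example that is not part of any post in this thread: a revocation is a separate signature packet inside the key (RFC 4880), so a copy taken from a public keyserver or from the employee can simply lack it. This Python check lists the revocation packets present in the company's own copy but missing from another copy; the function names and the sample packets are constructed for illustration (the samples are not cryptographically valid), and it assumes binary, non-armored key data.

```python
"""Added example: find revocation signatures missing from a copy of an OpenPGP key."""
import hashlib

SIGNATURE_TAG = 2
# Signature types from RFC 4880 section 5.2.1 that revoke something.
REVOCATION_TYPES = {
    0x20: "key revocation",
    0x28: "subkey revocation",
    0x30: "certification revocation",
}


def read_packets(data):
    """Yield (tag, body) for every packet in a binary (not armored) key."""
    pos = 0
    while pos < len(data):
        try:
            header = data[pos]
            if not header & 0x80:
                raise ValueError("no OpenPGP packet at offset %d" % pos)
            if header & 0x40:  # new-format header (RFC 4880 section 4.2.2)
                tag, first = header & 0x3F, data[pos + 1]
                if first < 192:
                    length, pos = first, pos + 2
                elif first < 224:
                    length = ((first - 192) << 8) + data[pos + 2] + 192
                    pos += 3
                elif first == 255:
                    length = int.from_bytes(data[pos + 2:pos + 6], "big")
                    pos += 6
                else:
                    raise ValueError("partial lengths are only for data packets")
            else:  # old-format header (RFC 4880 section 4.2.1)
                tag, size = (header >> 2) & 0x0F, 1 << (header & 0x03)
                if size == 8:
                    raise ValueError("indeterminate length is not supported here")
                length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
                pos += 1 + size
        except IndexError:
            raise ValueError("truncated packet header") from None
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        pos += length
        yield tag, body


def signature_type(body):
    """Return the signature type octet of a v3 or v4 signature packet."""
    if len(body) >= 3 and body[0] == 3:
        return body[2]  # version, hashed-length octet, then type
    if len(body) >= 2 and body[0] == 4:
        return body[1]  # version, then type
    raise ValueError("unsupported or truncated signature packet")


def revocations(data):
    """Map the SHA-256 of each revocation signature packet to its kind."""
    found = {}
    for tag, body in read_packets(data):
        if tag == SIGNATURE_TAG and signature_type(body) in REVOCATION_TYPES:
            digest = hashlib.sha256(body).hexdigest()
            found[digest] = REVOCATION_TYPES[signature_type(body)]
    return found


def stripped_revocations(authoritative, candidate):
    """Kinds of revocation present in the authoritative copy only."""
    have = revocations(candidate)
    return sorted(kind for digest, kind in revocations(authoritative).items()
                  if digest not in have)


# --- Constructed sample data (structure only, no real key material) ---
def _packet(tag, body):
    """Build a new-format packet with a one-octet length."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def _v4_sig(sig_type, filler):
    """Version 4 signature body: version, type, RSA, SHA256, dummy rest."""
    return bytes([4, sig_type, 1, 8]) + filler


PUBKEY = _packet(6, b"\x04constructed-public-key")
USERID = _packet(13, b"Employee <employee@example.com>")
SELF_SIG = _packet(2, _v4_sig(0x13, b"self-signature"))
COMPANY_CERT = _packet(2, _v4_sig(0x10, b"company-certification"))
CERT_REVOCATION = _packet(2, _v4_sig(0x30, b"company-revsig"))
KEY_REVOCATION = _packet(2, _v4_sig(0x20, b"designated-revoker"))

# Copy served by the company: carries both revocations.
COMPANY_COPY = (PUBKEY + KEY_REVOCATION + USERID + SELF_SIG
                + COMPANY_CERT + CERT_REVOCATION)
# Copy from elsewhere: same key, revocation packets absent.
OTHER_COPY = PUBKEY + USERID + SELF_SIG + COMPANY_CERT

if __name__ == "__main__":
    for kind in stripped_revocations(COMPANY_COPY, OTHER_COPY):
        print("missing from the other copy:", kind)
```

Feed it binary exports (for example the output of `gpg --export` for the key in question). It checks packet presence only and leaves signature verification to gpg.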
From: devnull at Karl-Voit.at (Karl Voit) Date: Mon, 17 Mar 2008 23:13:26 +0100 Subject: How to establish a company web-of-trust References: <2008-03-17T17-22-00@devnull.Karl-Voit.at> <47DED382.7060600__36378.0903084718$1205785753$gmane$org@utoledo.edu> Message-ID: <2008-03-17T22-59-32@devnull.Karl-Voit.at> * Neal Dudley wrote: > Some points to consider: Great :-) Thread is getting even more interesting *g* > Regardless of whether or not the company signing key has signed or > revoked it's signature on the user's signing key, it is ultimately up to > the employee to trust or not trust the other employee's key(s). Absolutely. But we have a quite flat thrust network with one central company key and the employees keys that gets signed with the company key. Our communication partners have to check the signature of our employees keys and its up to our partners that they check from time to time wether there was a change in the relationship between our employees and out company key - I guess this is the most difficult part. > This is > one of the beautiful points of PGP/GPG - there is no third party to > dictate who's keys you can trust or not trust. That trust decision is > solely up to the user. > > Please, no one flame me, but it is worth looking at S/MIME and PGP for > this issue. Yes, on a purely technical level, we are talking about the > same cryptographic algorithms. The difference between S/MIME and PGP, > as I understand it, is mainly semantics involving the trust > relationships. In S/MIME, a third party dictates to you what is to be > trusted or untrusted. In contrast, under PGP the user defines what is > to be trusted or not. Right. But we do not want to use S/MIME for several reasons and our communication partners already are using OpenPGP-messages. So this decision is already done by facts not by arguing. Although I share your point of view. 
> I'm very interested in this thread, as I'm not clear as to how you could > create policies (at least ones that can be enforced) to control trust > relationships in a company. This seems to be more a question of office > politics than secure email technology. Absolutely. I (as the person responsible for company security) have to check every key that I am signing with the company key. I have to explain the important issues of key management to my employees (non-it people for most of the part). I do this by giving exact instructions with screenshots of every step - WinPT is helping here because it is mouse-oriented :-) So I have to check the proper security in the system - which is this thread-part here - and I have to make sure, that every party understands the system which I do with exact instructions for my employees and for instructions for our partners. I know that there might be some pitfalls concerning employees that sign everything or make other mistakes that can have an influence on our web-of-trust. But the alternative is worse: plain text - oh sorry ... HTML-Emails without encrypting or signing at all. And this has to be considered as the default method in companies these days :-( > In a small company, this could > certainly be handled. Mention the issue at the regular staff meetings, > and it remains the user's responsibility to revoke trust in that > keypair. Well I will see how this turns out. Most of my employees dont want to learn anything at all that is not 100% part of their work. And cryptography is surely not 100% part of their work. Social problem. So this also would imply usage of S/MIME. > By the same token - good luck to you in implementing this if > you are referring to a larger company. 100-250 emplyees will be the target. But not all of them need GPG. > If you create scripts or > otherwise to force employees to check their keyring against some central > corporate keyserver, please share. Sure. 
But I guess that scripts is not user-friendly enough for my employees :-( > I hope your users are savvy enough > to understand what they are doing. Hehe. > If that is the case, so much the > better for you, lucky dog! Well, good night for tonight ... says the unlucky dog ;-) -- Karl Voit From neal.dudley at utoledo.edu Tue Mar 18 04:11:50 2008 
From: neal.dudley at utoledo.edu (Neal Dudley) Date: Mon, 17 Mar 2008 23:11:50 -0400 Subject: How to establish a company web-of-trust In-Reply-To: <2008-03-17T22-59-32@devnull.Karl-Voit.at> References: <2008-03-17T17-22-00@devnull.Karl-Voit.at><47DED382.7060600__36378.0903084718$1205785753$gmane$org@utoledo.edu> <2008-03-17T22-59-32@devnull.Karl-Voit.at> Message-ID: <47DF32F6.9090202@utoledo.edu> Karl Voit wrote: > Our communication partners have to check the signature of our > employees keys and its up to our partners that they check from time > to time wether there was a change in the relationship between our > employees and out company key - I guess this is the most difficult > part. NO - education on using GPG will be the hardest part. If your partners understand using GPG, you're more than half way there. Given that knowledge changes things a bit. Why not generate all the keys *for* your employees - AND immediately generate revocation certificates. If someone leaves, simply send the revocation certificate to those that conversed with that employee (and submit it to your keyserver). > But we do not want to use S/MIME for several reasons and our > communication partners already are using OpenPGP-messages. So this > decision is already done by facts not by arguing. Although I share > your point of view. If I wasn't a proponent of GPG, would I be on this list? ;) I'm impressed with the maturity of this mailing list. Most lists would have exploded into a religious war. Really says something of the caliber of the people on this list. > Absolutely. I (as the person responsible for company security) have > to check every key that I am signing with the company key. I have to > explain the important issues of key management to my employees > (non-it people for most of the part). I do this by giving exact > instructions with screenshots of every step - WinPT is helping here > because it is mouse-oriented :-) ... 
> I know that there might be some pitfalls concerning employees that > sign everything or make other mistakes that can have an influence on > our web-of-trust. But the alternative is worse: plain text - oh > sorry ... HTML-Emails without encrypting or signing at all. And this > has to be considered as the default method in companies these days > :-( There are some options here. You could use the expert mode in GPG when generating their signing keys to remove the ability to certify with the signing keys to restrict users a bit more. Then they could sign documents, but not keys (if I understand that correctly). Or perhaps signing and encryption subkeys would be appropriate? That would simplify things - one primary signing key to protect. > 100-250 emplyees will be the target. But not all of them need GPG. Only some of them need GPG? Ought to make your life a little easier. ;) > Sure. But I guess that scripts is not user-friendly enough for my > employees :-( Depending on what you are using with/for the MUA to implement the signing and encryption, you could use rules to simplify this for the users. From devnull at Karl-Voit.at Tue Mar 18 08:50:55 2008 
From: devnull at Karl-Voit.at (Karl Voit) Date: Tue, 18 Mar 2008 08:50:55 +0100 Subject: How to establish a company web-of-trust References: <2008-03-17T17-22-00@devnull.Karl-Voit.at> <47DED382.7060600__36378.0903084718$1205785753$gmane$org@utoledo.edu> <2008-03-17T22-59-32@devnull.Karl-Voit.at> <47DF32F6.9090202__3627.00138143754$1205810129$gmane$org@utoledo.edu> Message-ID: <2008-03-18T08-38-16@devnull.Karl-Voit.at> * Neal Dudley wrote: > Karl Voit wrote: >> Our communication partners have to check the signature of our >> employees keys and its up to our partners that they check from time >> to time wether there was a change in the relationship between our >> employees and out company key - I guess this is the most difficult >> part. > > NO - education on using GPG will be the hardest part. I was afraid of this sentence :-) > If your partners > understand using GPG, you're more than half way there. I can not assume on this. I am in the automotive business and most of the employees here was studying Mechanical Engineering. So IT-knowldedge is not their primary goal and most of them do not want to learn IT although I try my best to enlight something ... :-) > Given that > knowledge changes things a bit. Why not generate all the keys *for* > your employees - AND immediately generate revocation certificates. If > someone leaves, simply send the revocation certificate to those that > conversed with that employee (and submit it to your keyserver). I thought of that too. I have to admit, that I do not want to generate the keys by myself because I am lazy and we do have four bureau buildings that make physical meetings more difficult and sending keys over the Exchange server is not quite ... good :-) So I tried to generate a system where I can get the keys from the keyservers and check them (correct key-id, added revoker, ...) before signing. >> But we do not want to use S/MIME for several reasons and our >> communication partners already are using OpenPGP-messages. 
So this >> decision is already done by facts not by arguing. Although I share >> your point of view. > > If I wasn't a proponent of GPG, would I be on this list? ;) > > I'm impressed with the maturity of this mailing list. Most lists would > have exploded into a religious war. Really says something of the > caliber of the people on this list. Sorry, this is my first thread on this list :-) But usually flaming stops after some years working in the real-world-IT-business. I am even working on Windows the whole day (in the company)! =:-| (made an attempt for a flamewar? *ggg*) >> Absolutely. I (as the person responsible for company security) have >> to check every key that I am signing with the company key. I have to >> explain the important issues of key management to my employees >> (non-it people for most of the part). I do this by giving exact >> instructions with screenshots of every step - WinPT is helping here >> because it is mouse-oriented :-) > ... >> I know that there might be some pitfalls concerning employees that >> sign everything or make other mistakes that can have an influence on >> our web-of-trust. But the alternative is worse: plain text - oh >> sorry ... HTML-Emails without encrypting or signing at all. And this >> has to be considered as the default method in companies these days >> :-( > > There are some options here. You could use the expert mode in GPG when > generating their signing keys to remove the ability to certify with the > signing keys to restrict users a bit more. Then they could sign > documents, but not keys (if I understand that correctly). Or perhaps > signing and encryption subkeys would be appropriate? That would > simplify things - one primary signing key to protect. Wow, I did not knew that! I'll have a look at these options but I guess I stick to the revoker-method (also because every day there are more employees that need to use GnuPG right now and I do have a stress in making all these decisions). 
>> 100-250 emplyees will be the target. But not all of them need GPG. > > Only some of them need GPG? Ought to make your life a little easier. ;) Make my life *possible*! :-) >> Sure. But I guess that scripts is not user-friendly enough for my >> employees :-( > > Depending on what you are using with/for the MUA to implement the > signing and encryption, gpg4win: collection of Windows-tools like gnupg, WinPT (key-mgt), GpGee (Windows-Explorer extension), ... So I am using WinPT and the corresponding Outlook-plugin. > you could use rules to simplify this for the users. I try to do this by giving very detailed instructions with a lot of screenshots on our local intranet webserver. -- Karl Voit From nobody at nymkey.com Wed Mar 12 19:08:22 2008 From: nobody at nymkey.com (Anonymous) Date: Wed, 12 Mar 2008 18:08:22 +0000 (GMT) Subject: Change limits on pubkey lengths? Message-ID: Since RFC4880 is now including symmetric ciphers with 256 bit key lengths like TWOFISH and CAMELLIA, is it time to change the limits in gnupg for pubkey sizes? According to some sources (RSA for example) the "equivalent" assymetric key size would be 15360 bits compared to a symmetric cipher using 256-bit key length. Is it really so bad to set the default to something between 2048 and 4096 and the upper limit to 16K? We know that if the session key is compromised it means one message has been exposed. If the pubkey is factored then all messages encrypted under that key pair are exposed. I know from old posts Werner has been opposed to increasing these limits but am wondering now if he reconsiders based on new chiphers in 4880 and recent events in factoring pubkeys. Sorry if this has already been discussed in the openpgp ietf or elsewhere. I didn't find any hits. Thanks to the gpg dev and user community. From PeterM at netreflex.com Sun Mar 16 19:45:51 2008 
From: PeterM at netreflex.com (PeterM) Date: Sun, 16 Mar 2008 14:45:51 -0400 Subject: GnuPH with PHP / install Message-ID: <00d801c88795$fb5bbf70$0200000a@NextLevel> Been searching the web for the last 3 hours inconclusively and hope someone here can advise how-do-to: Trying to access Gnupg on new server with Centos5 and cPanel and PHP5. GnuPG is available in the server's root directory /root/.gnupg which is not accessible with PHP from domain/accounts on the server. I need access to gpg with PHP through accounts on my server such as: /home/first_account/.gnupg /home/other_account/.gnupg through cPanel I can also install(& have) public keys for each domain/account, but cannot access gpg in the server's root directory. Any advice will be greatly appreciated, PM. From oh_xuxinlai at hotmail.com Wed Mar 12 16:35:06 2008 From: oh_xuxinlai at hotmail.com (=?gb2312?B?0OzQxcC0?=) Date: Wed, 12 Mar 2008 23:35:06 +0800 Subject: length of every public key and private key? Message-ID: I am very new to PGP. I know there are pubring.pge and secring.pgp which contains public keys and private keys.i just want to know the stucture of the pubbring.pge and secring.pge and the length of every public key and private key. From community at linuxwochen.at Mon Mar 17 17:18:59 2008 
From: community at linuxwochen.at (Albert Dengg) Date: Mon, 17 Mar 2008 17:18:59 +0100 Subject: scdaemon troubles Message-ID: <20080317161859.GA19401@Mjolnir.lan> hi i'm using a opengpg smartcard with gpg for signing, decryption and ssh authentication. after a clean boot everything works fine... but after a suspend to disk under linux using the hibernate script and the kernel suspend option(s) i have a strange problem ok...at first it does not work... then i kill the scdaemon: now i get the pinentry prompt but afterwards an error message "agent admitted failure to sign with the key" (when i do authentication) now i kill scdaemon again: now everything works as it should... having to kill the daemon twice is a bit strange... so my question is, does anybody have a glue what's going on or should i do some debugging myself? tia yours albert From dshaw at jabberwocky.com Tue Mar 18 17:57:59 2008 
From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 18 Mar 2008 12:57:59 -0400 Subject: Change limits on pubkey lengths? In-Reply-To: References: Message-ID: <20080318165758.GA458@jabberwocky.com> On Wed, Mar 12, 2008 at 06:08:22PM +0000, Anonymous wrote: > Since RFC4880 is now including symmetric ciphers with 256 bit key > lengths like TWOFISH and CAMELLIA, is it time to change the limits in > gnupg for pubkey sizes? According to some sources (RSA for example) the > "equivalent" assymetric key size would be 15360 bits compared to a > symmetric cipher using 256-bit key length. Is it really so bad to set > the default to something between 2048 and 4096 and the upper limit to > 16K? Camellia is not in RFC4880. It is currently being discussed for its own RFC, though. The only 256-bit ciphers in 4880 are Twofish and AES256, and the default for RSA is already 2048. We'll accept up to 4096 (and of course accept virtually anything generated elsewhere), but when you get much past that, things get problematic: RSA 16k is unbelievably slow, and difficult to work with. It's just too big. A better answer is EC cryptography in OpenPGP, which gives you more security for each bit of space. As it happens, EC is also being discussed for its own RFC at the moment. David From wk at gnupg.org Tue Mar 18 18:10:15 2008 
From: wk at gnupg.org (Werner Koch) Date: Tue, 18 Mar 2008 18:10:15 +0100 Subject: scdaemon troubles In-Reply-To: <20080317161859.GA19401@Mjolnir.lan> (Albert Dengg's message of "Mon, 17 Mar 2008 17:18:59 +0100") References: <20080317161859.GA19401@Mjolnir.lan> Message-ID: <87eja8556w.fsf@wheatstone.g10code.de> On Mon, 17 Mar 2008 17:18, community at linuxwochen.at said: > so my question is, does anybody have a glue what's going on or should i > do some debugging myself? Sometimes it just happens that the scdaemon doesn't correctly notice the removal of a card. That needs to be debugged. With hibernation this should be pretty clear: scdaemon believes that the card is present and active but because the card has been powered down, it is not active after the resume. What about killing scdaemon from the resume script or better with the suspend script? Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From tmz at pobox.com Tue Mar 18 17:55:31 2008 
From: tmz at pobox.com (Todd Zullinger) Date: Tue, 18 Mar 2008 12:55:31 -0400 Subject: GnuPH with PHP / install In-Reply-To: <00d801c88795$fb5bbf70$0200000a@NextLevel> References: <00d801c88795$fb5bbf70$0200000a@NextLevel> Message-ID: <20080318165531.GW1503@inocybe.teonanacatl.org> PeterM wrote: > I need access to gpg with PHP through accounts on my server such as: > /home/first_account/.gnupg > /home/other_account/.gnupg > > through cPanel I can also install(& have) public keys for each > domain/account, but cannot access gpg in the server's root > directory. > > Any advice will be greatly appreciated, You want to use either the GNUPGHOME environment variable or --homedir command line option to tell gpg where to look for it's files. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The only consistent feature in all of your dissatisfying relationships is you. -- Demotivators (www.despair.com) From dshaw at jabberwocky.com Wed Mar 19 01:13:59 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 18 Mar 2008 20:13:59 -0400 Subject: length of every public key and private key? In-Reply-To: References: Message-ID: <15B54745-EFA0-4A95-97CE-45A5E698F389@jabberwocky.com> On Mar 12, 2008, at 11:35 AM, ??? wrote: > I am very new to PGP. I know there are pubring.pge and secring.pgp > which contains public keys and private keys. > i just want to know the stucture of the pubbring.pge and secring.pge > and the length of every public key and > private key. http://tools.ietf.org/html/rfc4880 David From hlmuller at yahoo.com Wed Mar 19 03:27:51 2008 
From: hlmuller at yahoo.com (Harvey Muller) Date: Tue, 18 Mar 2008 19:27:51 -0700 (PDT) Subject: OpenPGP card stopped working Message-ID: <108138.64897.qm@web53606.mail.re2.yahoo.com> Sven, I think I just bumped into your problem. I've been testing Hardy, and haven't had any problems with the OpenPGP card until now. I have to investigate further, but preliminary results indicate a udev or related problem. In Gutsy, the device is created in /dev, in Hardy it is not. Hardy is still alpha, so I expect breakage. Additionally, I'm using the amd64 version, not i386. This is more a problem for the Ubuntu devs I think than for Werner and gang. So if you are using Hardy, then that may explain your problem. Doesn't seem to be a problem with Gutsy though, just rechecked. Best regards, Harvey From jh at jameshoward.us Wed Mar 19 14:59:40 2008 From: jh at jameshoward.us (James P. Howard, II) Date: Wed, 19 Mar 2008 09:59:40 -0400 Subject: Question about Smart Cards and GPG Message-ID: <20080319135939.GA7165@ivy.phpwebhosting.com> This may seem silly, so forgive me. The SmartCard HOWTO[1] says that the Omnikey CardMan 6121 has been tested and I like a USB dongle solution. Can I put an old SMS card (I have piles from T-Mobile) in this device, blank it, and load a new key? Or does this require a different kind of card? Thank you, James 1. http://gnupg.org/howtos/card-howto/en/smartcard-howto-single.html -- James P. Howard, II jh at jameshoward.us http://jameshoward.us From email at sven-radde.de Wed Mar 19 17:16:22 2008 
From: email at sven-radde.de (Sven Radde)
Date: Wed, 19 Mar 2008 17:16:22 +0100
Subject: Question about Smart Cards and GPG
In-Reply-To: <20080319135939.GA7165@ivy.phpwebhosting.com>
References: <20080319135939.GA7165@ivy.phpwebhosting.com>
Message-ID: <1205943382.6294.3.camel@carbon>

Hi!

On Wednesday, 19.03.2008, 09:59 -0400, James P. Howard, II wrote:
> Can I put an old SMS card (I have piles from T-Mobile) in this device,
> blank it, and load a new key? Or does this require a different kind of
> card?

The OpenPGP smartcard is totally different from mobile phone SIM cards.
See http://www.g10code.de/p-card.html for more information, including
vendor contact.

cu, Sven

From manoj at dotsquares.com Wed Mar 19 12:58:38 2008
From: manoj at dotsquares.com (manoj)
Date: Wed, 19 Mar 2008 17:28:38 +0530
Subject: gpg code problem
Message-ID: <005301c889b8$935f1910$4100a8c0@manojk>

Hi,

i am very new to the gnupg or gpg concept and want to send signed mails using gpg. for testing purposes i have installed gpg on my local machine and generated the public and private keys.

i am trying this using php on windows

$res=shell_exec("echo $passphrase | $gpg --passphrase-fd 0 --clearsign 'd:\gp_test\tt.inmp'");

but it is not working, but when i use the same code on the command prompt it is working

gpg --clearsign 'd:\gp_test\tt.inmp'

after this i need to press enter and i am asked to provide the passphrase. i put in my keys and then enter, and it creates the signed file for me at the desired place.

can you help me please with what the problem is in the php code?

please make a cc to my email account while replying, as i am not a registered user.

Thanks
Manoj

From briandorroh at srcp.com Wed Mar 19 16:25:54 2008
From: briandorroh at srcp.com (bdorroh) Date: Wed, 19 Mar 2008 08:25:54 -0700 (PDT) Subject: Decyrption via scheduled task fails Message-ID: <16144724.post@talk.nabble.com> I'm using v1.4.8 for Windows. I've have a batch file setup to decrypt a file and then to move the decrypted file to another location for further processing. I can successfully decrypt the file by double-clicking my batch file. But when I setup a scheduled task to run it, the decryption fails. I can confirm that the scheduled task is executing, but I can't figure out why the decryption fails as a task. Obviously, I can't see the output. I've tried outputting the results to a file, but it only shows the command executed and not what actually appears on the screen when run manually. Also, i do have the path to GNU set in the windows path statement. Any ideas here? I'm really stuck. -- View this message in context: http://www.nabble.com/Decyrption-via-scheduled-task-fails-tp16144724p16144724.html Sent from the GnuPG - User mailing list archive at Nabble.com. From khurram4life at yahoo.com Wed Mar 19 16:45:13 2008 
From: khurram4life at yahoo.com (khurram.humayun)
Date: Wed, 19 Mar 2008 08:45:13 -0700 (PDT)
Subject: urgent gpg help needed with regards to file size.
Message-ID: <16145140.post@talk.nabble.com>

Hey guys,
the problem i am having is that i have been using a script for the longest time to encrypt via this vendor's public key. however after they did some maintenance the last 2 weeks, they are not able to decrypt most of the files i am sending them.

i have a large file 10232593860 or 9.5gigs. i then split this file into chunks of 6000000

-rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 16:41 fds_20080226_txt_aa
-rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 16:41 fds_20080226_txt_ab
-rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 17:10 fds_20080226_txt_ac
-rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 17:40 fds_20080226_txt_ad
-rw-rw-r-- 1 khumayun dev 392593860 Mar 11 17:42 fds_20080226_txt_ae

now if i use my script which has always been working it generates the pgp files just fine. but, the vendor reports a rc=32 error. meaning they now cannot decrypt it. of course when i ftp the files it's in bin and everything matches. but the only thing i noticed is that when i run each file through a script vs when i run it manually the pgp files created file sizes are different. i am not sure why that is? any help regarding that would be appreciated.

when i use the script one of the pgp files generated is
cksum fds_20080226_txt_aa.pgp
2992943044 500154558 fds_20080226_txt_aa.pgp

when i do the same thing on the command line
cksum fds_20080226_txt_aa.pgp
780762217 500154561 fds_20080226_txt_aa.pgp

i also know i am using the correct public key because they are in each case are able to decrypt the last file (the smallest size. of course they used to be able to decrypt all the other large size files as well till now)

in addition when i run my script 2 times each time it gives different results except for the last file generated in each case.

run 1 using script
-rw-rw-r-- 1 khumayun dev 500154558 Mar 18 21:32 fds_20080226_txt_aa.pgp
-rw-rw-r-- 1 khumayun dev 500156606 Mar 18 21:42 fds_20080226_txt_ab.pgp
-rw-rw-r-- 1 khumayun dev 499769818 Mar 18 21:52 fds_20080226_txt_ac.pgp
-rw-rw-r-- 1 khumayun dev 500190233 Mar 18 22:02 fds_20080226_txt_ad.pgp
-rw-rw-r-- 1 khumayun dev 79674234 Mar 18 22:04 fds_20080226_txt_ae.pgp

run 2 using script
-rw-rw-r-- 1 khumayun dev 500154562 Mar 11 18:07 fds_20080226_txt_aa.pgp
-rw-rw-r-- 1 khumayun dev 500156608 Mar 11 18:21 fds_20080226_txt_ab.pgp
-rw-rw-r-- 1 khumayun dev 499769824 Mar 11 18:36 fds_20080226_txt_ac.pgp
-rw-rw-r-- 1 khumayun dev 500190236 Mar 11 18:51 fds_20080226_txt_ad.pgp
-rw-rw-r-- 1 khumayun dev 79674234 Mar 11 18:56 fds_20080226_txt_ae.pgp

notice how the last file is the same in each case and is successfully decrypted. but the other 4 all fail according to the client.

your help regarding this matter would be greatly appreciated.

thanks guys
--
View this message in context: http://www.nabble.com/urgent-gpg-help-needed-with-regards-to-file-size.-tp16145140p16145140.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From email at sven-radde.de Thu Mar 20 12:33:26 2008
From: email at sven-radde.de (Sven Radde)
Date: Thu, 20 Mar 2008 12:33:26 +0100
Subject: gpg code problem
In-Reply-To: <005301c889b8$935f1910$4100a8c0@manojk>
References: <005301c889b8$935f1910$4100a8c0@manojk>
Message-ID: <47E24B86.8000301@sven-radde.de>

manoj wrote:
> i am trying this using php on windows
> $res=shell_exec("echo $passphrase | $gpg --passphrase-fd 0
> --clearsign 'd:\gp_test\tt.inmp'");
> but is not working

What "is not working"?
Can you call the GPG executable at all? I.e. try to print the output of "gpg --version" in your PHP page.

As a guess, I would assume that you have PHP's "safe mode" activated which limits calls to shell_exec.

cu, Sven

From mkallas at schokokeks.org Thu Mar 20 13:28:08 2008
From: mkallas at schokokeks.org (Michael Kesper) Date: Thu, 20 Mar 2008 13:28:08 +0100 Subject: Decyrption via scheduled task fails In-Reply-To: <16144724.post@talk.nabble.com> References: <16144724.post@talk.nabble.com> Message-ID: <20080320122808.GB2825@kol06wsthv-it22.kaufhof.net> Hi, On Wed, Mar 19, 2008 at 08:25:54AM -0700, bdorroh wrote: > > I'm using v1.4.8 for Windows. I've have a batch file setup to decrypt a file > and then to move the decrypted file to another location for further > processing. I can successfully decrypt the file by double-clicking my batch > file. But when I setup a scheduled task to run it, the decryption > fails. Did you let the task run with the right user credentials? (Task tab: Run as ...) Best wishes Michael -- Free Software Foundation Europe (FSFE) [] (http://fsfeurope.org) Join the Fellowship of FSFE! [][][] (http://fsfe.org/join) Your donation powers our work! [] (http://fsfeurope.org/donate) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: Digital signature URL: From aolsen at standard.com Thu Mar 20 17:27:27 2008 From: aolsen at standard.com (Alan Olsen) Date: Thu, 20 Mar 2008 09:27:27 -0700 Subject: urgent gpg help needed with regards to file size. In-Reply-To: <16145140.post@talk.nabble.com> Message-ID: <92A893260738B0408497A64189BC1E62032CE4F9@MSEXCHANGE305.corp.standard.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 
>From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of khurram.humayun >Sent: Wednesday, March 19, 2008 8:45 AM >To: gnupg-users at gnupg.org >Subject: urgent gpg help needed with regards to file size. >i also know i am using the correct public key because they are in each case are able to decrypt the last file (the smallest size. of course they used to be >able to decrypt all the other large size files as well till now) How are you transporting the files? If you are using FTP you need to make sure you use BINARY mode for the transfer or it will do nasty things to the file. (You can also encode the data with ascii armor and it will prevent FTP from mangling the data.) >in addition when i run my script 2 times each time it gives different results except for the last file generated in each case. Gpg compresses the files as part of the encryption process. Another thing is if the file is bigger than about 2 gigs or so, older Oses that do not handle large files may truncate the data. From neal.dudley at utoledo.edu Thu Mar 20 18:56:31 2008
From: neal.dudley at utoledo.edu (Neal Dudley)
Date: Thu, 20 Mar 2008 13:56:31 -0400
Subject: Decyrption via scheduled task fails
In-Reply-To:
References: <16144724.post@talk.nabble.com> <47E25E93.8000906@utoledo.edu>
Message-ID: <47E2A54F.2090801@utoledo.edu>

I would think we should keep this in the list, such that other people with a similar issue can search the list archives and find this answer. And so others know whether or not it *is* resolved in the end. Hope you don't mind me posting it back to the list.

If you try your commands directly from the command line, what happens? Does it complain about syntax? Does it work and produce a log file?

Try this:
1. Check the working directory of the scheduled task. Make sure it is set to the folder where the encrypted files are located. Perhaps it is working and just writing everything out to the working directory?

2. Change the job to use full paths for the executables, and redirect the output to a file:
echo SECRETPASSPHRASE | C:\path-to-WinPT\gpg --passphrase-fd 0 --decrypt-files C:\path-to-files\*.pgp --logger-file gpg_logfile.txt > gpg_output.txt

Personally, I would leave the --logger-file directive in there even after everything is working properly. That way if there is ever a question in the future, you'll at least have the log to verify what occurred. Once it is working, add a line to the beginning of the script to remove the previous day's log file.

Dorroh, Brian wrote:
> Sorry to reply directly to you, but I didn't think anyone else would
> be interested in this part. I tried adding the --logger-file tag to
> the command, but it doesn't seem to work. This is what my pgp.bat
> file looks like:
>
> "echo SECRETPASSPHRASE|gpg --passphrase-fd 0 --decrypt-files
> c:\path-to-files\*.pgp --logger-file pgp.txt"
>
> We've specified "*.pgp" instead of "filename".pgp because each day a
> new file is placed in that directory with a different, long name.
> This was the only way I found to automate the process.
But > regardless, nothing gets logged. > > > -----Original Message----- 
From: Neal Dudley > [mailto:neal.dudley at utoledo.edu] Sent: Thursday, March 20, 2008 7:55 > AM To: Dorroh, Brian Subject: Re: Decyrption via scheduled task fails > > > Try adding "--logger-file logfilename" to the command. This should > produce a log file named "logfilename", which should give us some > clues as to what is going on here. > > I would guess that GnuPG is expecting a passphrase for the private > key for decryption. Are you using gpg-agent? Another thing to check > is environment variables, as gpg-agent sets three of them. (At least > in a *nix environment it does.) > > Can you rerun the job with the --logger-file, and post the log file? > > > bdorroh wrote: >> >> I'm using v1.4.8 for Windows. I've have a batch file setup to >> decrypt > a file >> and then to move the decrypted file to another location for further >> processing. I can successfully decrypt the file by double-clicking >> my > batch >> file. But when I setup a scheduled task to run it, the decryption > fails. I >> can confirm that the scheduled task is executing, but I can't >> figure > out why >> the decryption fails as a task. Obviously, I can't see the output. >> >> I've tried outputting the results to a file, but it only shows the > command >> executed and not what actually appears on the screen when run > manually. >> Also, i do have the path to GNU set in the windows path statement. >> >> Any ideas here? I'm really stuck. -- View this message in context: >> > http://www.nabble.com/Decyrption-via-scheduled-task-fails-tp16144724p161 > 44724.html >> Sent from the GnuPG - User mailing list archive at Nabble.com. >> >> >> _______________________________________________ Gnupg-users mailing >> list Gnupg-users at gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > > This message (including any attachments) may contain confidential or > otherwise privileged information and is intended only for the > individual(s) to which it is addressed. 
If you are not the named > addressee you should not disseminate, distribute or copy this e-mail. > Please notify the sender immediately by e-mail if you have received > this e-mail by mistake and delete this e-mail from your system. > E-mail transmission cannot be guaranteed to be secured or error-free > as information could be intercepted, corrupted, lost, destroyed, > arrive late or incomplete, or contain viruses. The sender therefore > does not accept liability for any errors or omissions in the contents > of this message or that arise as a result of e-mail transmission. If > verification is required please request a hard-copy version from the > sender. > > SOURCECORP, Incorporated www.srcp.com > From 210525p42015 at denstarfarm.us Thu Mar 20 18:59:42 2008 
From: 210525p42015 at denstarfarm.us (Robert D.) Date: Thu, 20 Mar 2008 13:59:42 -0400 Subject: Help with version gpg-agent on Mac-Tiger Message-ID: <47E2A60E.1040208@denstarfarm.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I am totally unable to figure this out after several days of many hours a day and some great off-list emailing and help. Works on every one else but mine. MacBook-Pro 2.16 core-duo OS/X 10.4.11 Compiled and Re-compiled 2.0.8 using ./configure | make |sudo make install no errors ~ if you manually start gpg-agent and it places S.gpg-agent into a respective .gnupg, then still {1} Thunderbird sees not the secret-key and fails; {2} you are unable to kill agent and remove S.gpg-agent by log-out {3} you are unable to start gpg-agent by log-in I can use 1.4.8 fine and obviously without gpg-agent. I can manually start gpg-agent then start Thunderbird. But Thunderbird will either go into seemingly endless loop, pinwheel then :timeout: ... or it will give error that secret key not available ... is there anyone using Mac OSX 10.4.11 and successfully using gpg-agent with any 2.x version of gpg? 
And if so, would you mind going into just "how" you did it, probably off-list cuz it's going to get boring for everyone else From 210525p42015 at denstarfarm.us Thu Mar 20 21:24:08 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Thu, 20 Mar 2008 16:24:08 -0400
Subject: Help with version gpg-agent on Mac-Tiger
In-Reply-To: <47E2A60E.1040208@denstarfarm.us>
References: <47E2A60E.1040208@denstarfarm.us>
Message-ID: <47E2C7E8.4060404@denstarfarm.us>

OK .. I followed a couple of leads in google and there were some references to Tiger mentioning likelihood loginwindow and startup items may not be honored. One fix included changing permissions to system and also wheel

did that, restarted computer .. tried decrypting one of charly's emails and got the oddest request for passphrase but inside a terminal window. it didn't accept it, put * in a few places and plain-text in others and then TB just hung-up.

Tried it again but this time TB just did the time-out after minute or two and error box with gpg stuff and "timeout" trying to get at passphrase.

Went back to telling it to use "gpg", which is 1.4.8 and it works again.

anyone ?

From neal.dudley at utoledo.edu Thu Mar 20 21:28:49 2008
From: neal.dudley at utoledo.edu (Neal Dudley)
Date: Thu, 20 Mar 2008 16:28:49 -0400
Subject: Decyrption via scheduled task fails
In-Reply-To:
References:
Message-ID: <47E2C901.2070100@utoledo.edu>

Whoops, I missed something - order of arguments may matter, as it apparently is taking the "--logger-file logfile" as more files to decrypt.

Try:
echo SECRETKEY | gpg --logger-file gpg_logfile.txt --passphrase-fd 0 --decrypt-files c:\mcdown\*.pgp > gpg_output.txt

Dorroh, Brian wrote:
> When I type the command manually, it still doesn't log. The output is
> below.
> I'm executing from the directory that contains the BAT files,
> C:\loadscripts
>
> C:\LoadScripts>echo SECRETKEY|gpg --passphrase-fd 0 --decrypt-files
> c:\mcdown\*.pgp --logger-file gpg_logfile.txt > gpg_output.txt
> Reading passphrase from file descriptor 0
>
> You need a passphrase to unlock the secret key for
> user: "System Admin (no comment) "
> 2048-bit ELG-E key, ID 3211****, created 2008-02-24 (main key ID
> 100B****)
>
> gpg: encrypted with 2048-bit ELG-E key, ID 3211****, created 2008-02-24
> "System Admin (no comment) "
> gpg: Signature made 03/20/08 02:14:53 using DSA key ID 0175****
> gpg: Can't check signature: public key not found
> gpg: --logger-file: unknown suffix
> gpg: gpg_logfile.txt: unknown suffix
>
> C:\LoadScripts>
>
> To answer your questions:
> 1) I changed the Start In location for the scheduled task to point to
> the location of the encrypted file. Made no difference.
> 2) Also tried using full paths to the executable, but the job still
> fails.
>
> -----Original Message-----
> From: Neal Dudley [mailto:neal.dudley at utoledo.edu] > Sent: Thursday, March 20, 2008 12:57 PM > To: Dorroh, Brian; GnuPG Users Mailing List > Subject: Re: Decyrption via scheduled task fails > > I would think we should keep this in the list, such that other people > with a similar issue can search the list archives and find this answer. > And so others know whether or not it *is* resolved in the end. Hope > you don't mind me posting it back to the list. > > If you try your commands directly from the command line, what happens? > Does it complain about syntax? Does it work and produce a log file? > > Try this: > 1. Check the working directory of the scheduled task. Make sure it is > set to the folder where the encrypted files are located. Perhaps it is > working and just writing everything out to the working directory? > > 2. Change the job to use full paths for the executables, and redirect > the output to a file: > echo SECRETPASSPHRASE | C:\path-to-WinPT\gpg --passphrase-fd 0 > --decrypt-files C:\path-to-files\*.pgp --logger-file gpg_logfile.txt > > gpg_output.txt > > Personally, I would leave the --logger-file directive in there even > after everything is working properly. That way if there is ever a > question in the future, you'll at least have the log to verify what > occurred. Once it is working, add a line to be beginning of the script > to remove the previous day's log file. > > > Dorroh, Brian wrote: >> Sorry to reply directly to you, but I didn't think anyone else would >> be interested in this part. I tried adding the --logger-file tag to >> the command, but it doesn't seem to work. This is what my pgp.bat >> file looks like: >> >> "echo SECRETPASSPHRASE|gpg --passphrase-fd 0 --decrypt-files >> c:\path-to-files\*.pgp --logger-file pgp.txt" >> >> We've specified "*.pgp" instead of "filename".pgp because each day a >> new file is placed in that directory with a different, long name. >> This was the only way I found to automate the process. 
But >> regardless, nothing gets logged. >> >> >> -----Original Message----- 
From: Neal Dudley >> [mailto:neal.dudley at utoledo.edu] Sent: Thursday, March 20, 2008 7:55 >> AM To: Dorroh, Brian Subject: Re: Decyrption via scheduled task fails >> >> >> Try adding "--logger-file logfilename" to the command. This should >> produce a log file named "logfilename", which should give us some >> clues as to what is going on here. >> >> I would guess that GnuPG is expecting a passphrase for the private >> key for decryption. Are you using gpg-agent? Another thing to check >> is environment variables, as gpg-agent sets three of them. (At least >> in a *nix environment it does.) >> >> Can you rerun the job with the --logger-file, and post the log file? >> >> >> bdorroh wrote: >>> >>> I'm using v1.4.8 for Windows. I've have a batch file setup to >>> decrypt >> a file >>> and then to move the decrypted file to another location for further >>> processing. I can successfully decrypt the file by double-clicking >>> my >> batch >>> file. But when I setup a scheduled task to run it, the decryption >> fails. I >>> can confirm that the scheduled task is executing, but I can't >>> figure >> out why >>> the decryption fails as a task. Obviously, I can't see the output. >>> >>> I've tried outputting the results to a file, but it only shows the >> command >>> executed and not what actually appears on the screen when run >> manually. >>> Also, i do have the path to GNU set in the windows path statement. >>> >>> Any ideas here? I'm really stuck. -- View this message in context: >>> >> > http://www.nabble.com/Decyrption-via-scheduled-task-fails-tp16144724p161 >> 44724.html >>> Sent from the GnuPG - User mailing list archive at Nabble.com. 
>>> >>> >>> _______________________________________________ Gnupg-users mailing >>> list Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users >>> >> >> This message (including any attachments) may contain confidential or >> otherwise privileged information and is intended only for the >> individual(s) to which it is addressed. If you are not the named >> addressee you should not disseminate, distribute or copy this e-mail. >> Please notify the sender immediately by e-mail if you have received >> this e-mail by mistake and delete this e-mail from your system. >> E-mail transmission cannot be guaranteed to be secured or error-free >> as information could be intercepted, corrupted, lost, destroyed, >> arrive late or incomplete, or contain viruses. The sender therefore >> does not accept liability for any errors or omissions in the contents >> of this message or that arise as a result of e-mail transmission. If >> verification is required please request a hard-copy version from the >> sender. >> >> SOURCECORP, Incorporated www.srcp.com >> > From steve at srevilak.net Fri Mar 21 01:41:12 2008 From: steve at srevilak.net (Steve Revilak) Date: Thu, 20 Mar 2008 20:41:12 -0400 (EDT) Subject: Help with version gpg-agent on Mac-Tiger In-Reply-To: <47E2A60E.1040208@denstarfarm.us> References: <47E2A60E.1040208@denstarfarm.us> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 
> From: Robert D. > is there anyone using Mac OSX 10.4.11 and successfully using gpg-agent with > any 2.x version of gpg? Yes, I've been using gpg 2.0.8 on OSX 10.4.11 for about two months. I built it via the macports "gpg2" package. I use gpg2/gpg-agent in conjunction with Alpine (a curses-based MUA). As a user, one of the first differences you'll see between gpg and gpg2 is they way you're prompted for passphrases. gpg 1.4.8 reads passphrases directly from the terminal, but gpg2 hands the passphrase reading off to a separate program called "pinentry". As I understand things, gpg2 uses GPG_AGENT_INFO to figure out how to talk to gpg-agent, and gpg-agent uses the GPG_TTY environment variable to tell pinentry which tty to grab when prompting for a passphrase. (I suppose gpg2 passes the value of GPG_TTY to the agent?) If anyone can give a more accurate outline of gpg2 -> agent -> pinentry communications, please chime in. The macports gpg2 package only includes pinentry-ncurses. For me, I'd assume that means the passphrase prompt _has_ to come from a terminal. Since I use a curses-based MUA, that's fine. But I don't know how well it would work for a Carbon app like Thunderbird. Did your gpg2 build install any other pinentry programs? You can try running them directly, to see what kind of prompt shows up. Here's a description of pinentry's protocol http://arcib.dowling.edu/cgi-bin/info2html?(pinentry.info.gz)Protocol Another question - are you starting thunderbird in a way that provides access to the GPG_TTY and GPG_AGENT_INFO environment variables? If these environment variables are set in your shell and you start Thunderbird via "open /Applications/Thunderbird.app", then Thunderbird should see them. (~/.MacOSX/environment.plist doesn't seem like a good option for this). gpg-agent's man page gives a pretty good recipie for setting the environment variables. 
HTH

Steve

From steve at srevilak.net Fri Mar 21 01:49:16 2008
From: steve at srevilak.net (Steve Revilak)
Date: Thu, 20 Mar 2008 20:49:16 -0400 (EDT)
Subject: Decyrption via scheduled task fails
In-Reply-To: <16144724.post@talk.nabble.com>
References: <16144724.post@talk.nabble.com>
Message-ID:

> From: bdorroh
> I'm using v1.4.8 for Windows. I've have a batch file setup to decrypt a file
> and then to move the decrypted file to another location for further
> processing. I can successfully decrypt the file by double-clicking my batch
> file. But when I setup a scheduled task to run it, the decryption fails. I
> can confirm that the scheduled task is executing, but I can't figure out why
> the decryption fails as a task. Obviously, I can't see the output.
>
> I've tried outputting the results to a file, but it only shows the command
> executed and not what actually appears on the screen when run manually.
> Also, i do have the path to GNU set in the windows path statement.

Here's something you might try. Let's say your scheduled task is calling a.bat. Have it call b.bat, where b.bat is

    @echo on
    a.bat > output.txt 2>&1

That should give you stdout and stderr from cmd.exe, as well as gpg.exe.

You might also try checking for differences between the set of environment variables your batch file sees under Windows task manager vs the set of environment variables your batch file sees from an interactive login session.

Steve

From benjamin at py-soft.co.uk Sat Mar 22 14:27:29 2008
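The two points this sub-thread arrives at (an option placed after the first file name is read by gpg as one more file, and an unattended job has to keep both output streams) are put together below as an added Python example; it is not code from any poster or from GnuPG. The function names, the option table and the sample argument lists are assumptions built from the commands and output quoted in the thread.

```python
import re
import subprocess

# Options seen in this thread that consume the next token as their value.
# Assumption: a partial table; extend it for other options the job passes.
TAKES_VALUE = {"--passphrase-fd", "--passphrase-file", "--logger-file",
               "--homedir", "--output", "-o", "--recipient", "-r"}

# The complaint gpg printed in the thread when an option was read as a file.
UNKNOWN_SUFFIX = re.compile(r"^gpg: (--?[A-Za-z][\w-]*): unknown suffix\s*$",
                            re.MULTILINE)


def misplaced_options(argv):
    """Return option-like tokens that appear after the first file operand.

    Mirrors the behaviour shown in the thread: once gpg has seen a file
    name, later tokens such as --logger-file are handled as more files.
    argv[0] is the program name. A literal "--" ends option parsing, so
    scanning stops there.
    """
    misplaced = []
    seen_operand = False
    skip_value = False
    for tok in argv[1:]:
        if skip_value:            # this token is the value of the previous option
            skip_value = False
            continue
        if tok == "--":
            break
        if tok.startswith("-") and len(tok) > 1:
            if seen_operand:
                misplaced.append(tok)
            elif tok in TAKES_VALUE:
                skip_value = True
        else:
            seen_operand = True
    return misplaced


def options_read_as_files(output):
    """Option names that gpg reported as files with an 'unknown suffix'."""
    return UNKNOWN_SUFFIX.findall(output)


def run_job(argv, passphrase, log_path):
    """Run gpg unattended and keep everything it prints.

    Refuses to start if an option would be read as a file name, feeds the
    passphrase on stdin (for --passphrase-fd 0) and writes stdout and
    stderr, merged, to log_path. Meant for --decrypt-files or --output,
    where plaintext goes to a file and not to stdout. Returns gpg's exit
    code and any options gpg still reported as files.
    """
    bad = misplaced_options(argv)
    if bad:
        raise ValueError("options after the first file name: " + ", ".join(bad))
    proc = subprocess.run(argv, input=passphrase.encode() + b"\n",
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    with open(log_path, "wb") as log:
        log.write(proc.stdout)
    text = proc.stdout.decode(errors="replace")
    return proc.returncode, options_read_as_files(text)


# Constructed from the command lines and output quoted in the thread.
BAD_ARGV = ["gpg", "--passphrase-fd", "0", "--decrypt-files",
            r"c:\mcdown\*.pgp", "--logger-file", "gpg_logfile.txt"]
GOOD_ARGV = ["gpg", "--logger-file", "gpg_logfile.txt", "--passphrase-fd", "0",
             "--decrypt-files", r"c:\mcdown\*.pgp"]
SAMPLE_OUTPUT = """\
gpg: Can't check signature: public key not found
gpg: --logger-file: unknown suffix
gpg: gpg_logfile.txt: unknown suffix
"""

if __name__ == "__main__":
    print(misplaced_options(BAD_ARGV))
    print(misplaced_options(GOOD_ARGV))
    print(options_read_as_files(SAMPLE_OUTPUT))
```
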
From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Sat, 22 Mar 2008 13:27:29 +0000 Subject: Help with version gpg-agent on Mac-Tiger In-Reply-To: References: <47E2A60E.1040208@denstarfarm.us> Message-ID: <47E50941.7030904@py-soft.co.uk> Steve Revilak wrote: > The macports gpg2 package only includes pinentry-ncurses. For me, I'd > assume that means the passphrase prompt _has_ to come from a terminal. > Since I use a curses-based MUA, that's fine. But I don't know how > well it would work for a Carbon app like Thunderbird. I have a version of pinentry that works natively on the Mac. It is my intention to split the current mac-gpg2 distribution into separate components and add an intelligent installer. However, I am very busy at the moment so you'll have to put up with the following zip for now - http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.7-TEST1.zip Ben From briandorroh at srcp.com Thu Mar 20 15:34:22 2008 
From: briandorroh at srcp.com (bdorroh) Date: Thu, 20 Mar 2008 07:34:22 -0700 (PDT) Subject: Decyrption via scheduled task fails In-Reply-To: <20080320122808.GB2825@kol06wsthv-it22.kaufhof.net> References: <16144724.post@talk.nabble.com> <20080320122808.GB2825@kol06wsthv-it22.kaufhof.net> Message-ID: <16180024.post@talk.nabble.com> Yes, it's running as a domain user with administrative rights on the box. Michael Kesper wrote: > > Hi, > > On Wed, Mar 19, 2008 at 08:25:54AM -0700, bdorroh wrote: >> >> I'm using v1.4.8 for Windows. I've have a batch file setup to decrypt a >> file >> and then to move the decrypted file to another location for further >> processing. I can successfully decrypt the file by double-clicking my >> batch >> file. But when I setup a scheduled task to run it, the decryption >> fails. > > Did you let the task run with the right user credentials? > (Task tab: Run as ...) > > Best wishes > Michael > -- > Free Software Foundation Europe (FSFE) [] (http://fsfeurope.org) > Join the Fellowship of FSFE! [][][] (http://fsfe.org/join) > Your donation powers our work! [] (http://fsfeurope.org/donate) > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/Decyrption-via-scheduled-task-fails-tp16144724p16180024.html Sent from the GnuPG - User mailing list archive at Nabble.com. From khurram4life at yahoo.com Thu Mar 20 15:35:35 2008 
From: khurram4life at yahoo.com (khurram.humayun)
Date: Thu, 20 Mar 2008 07:35:35 -0700 (PDT)
Subject: urgent gpg help needed with regards to file size.
In-Reply-To: <16145140.post@talk.nabble.com>
References: <16145140.post@talk.nabble.com>
Message-ID: <16180083.post@talk.nabble.com>

ok here is the script i am using... to encrypt. it just simply splits my large file into 6Million records each and then encrypts it using the client's public key. it's a really small script.

#!/bin/ksh
# $1 is the date stamp used in the directory and file names
cd "/load01/infutor/${1}/output/" || exit 1
# split into pieces of 6000000 lines: fds_<date>_txt_aa, _ab, ...
split -l 6000000 "fds_${1}_txt" "fds_${1}_txt_"
# encrypt each piece to the FDSolutions key
for file in fds_"${1}"_txt_??; do
    gpg --always-trust -o "$file.pgp" -e -r FDSolutions "$file"
done

khurram.humayun wrote:
>
> Hey guys,
> the problem i am having is that i have been using a script for the
> longest time to encrypt via this vendors public key. however after they
> did some maintenance the last 2 week, they are not able to decrypt most of
> the files i am sending them.
>
> i have a large file 10232593860 or 9.5gigs. i then split this file into
> chunks of 6000000
> -rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 16:41 fds_20080226_txt_aa
> -rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 16:41 fds_20080226_txt_ab
> -rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 17:10 fds_20080226_txt_ac
> -rw-rw-r-- 1 khumayun dev 2460000000 Mar 11 17:40 fds_20080226_txt_ad
> -rw-rw-r-- 1 khumayun dev 392593860 Mar 11 17:42 fds_20080226_txt_ae
>
> now if i use the my script which has always been working it generates the
> pgp files jsut fine. but, the vendor reports a rc=32 error. meaning they
> now cannot decrypt it. ofcouse when i ftp the files its in bin and
> everything matches. but the only thing i noticed is that when i run each
> file through a script vs when i run it manually the pgp files created file
> sizes are different. i am not sure why that is? any help regarding that
> would be appreciated.
> > when i use the script one of the pgp files generated is > cksum fds_20080226_txt_aa.pgp > 2992943044 500154558 fds_20080226_txt_aa.pgp > > when i do the same thing on the command line > cksum fds_20080226_txt_aa.pgp > 780762217 500154561 fds_20080226_txt_aa.pgp > > > i also know i am using the correct public key because they are in each > case are able to decrypt the last file (the smallest size. of course they > used to be able to decrypt all the other large size files as well till > now) > > in addition when i run my script 2 times each time it gives different > results except for the last file generated in each case. > > run 1 using script > -rw-rw-r-- 1 khumayun dev 500154558 Mar 18 21:32 > fds_20080226_txt_aa.pgp > -rw-rw-r-- 1 khumayun dev 500156606 Mar 18 21:42 > fds_20080226_txt_ab.pgp > -rw-rw-r-- 1 khumayun dev 499769818 Mar 18 21:52 > fds_20080226_txt_ac.pgp > -rw-rw-r-- 1 khumayun dev 500190233 Mar 18 22:02 > fds_20080226_txt_ad.pgp > -rw-rw-r-- 1 khumayun dev 79674234 Mar 18 22:04 > fds_20080226_txt_ae.pgp > > run 2 using script > -rw-rw-r-- 1 khumayun dev 500154562 Mar 11 18:07 > fds_20080226_txt_aa.pgp > -rw-rw-r-- 1 khumayun dev 500156608 Mar 11 18:21 > fds_20080226_txt_ab.pgp > -rw-rw-r-- 1 khumayun dev 499769824 Mar 11 18:36 > fds_20080226_txt_ac.pgp > -rw-rw-r-- 1 khumayun dev 500190236 Mar 11 18:51 > fds_20080226_txt_ad.pgp > -rw-rw-r-- 1 khumayun dev 79674234 Mar 11 18:56 > fds_20080226_txt_ae.pgp > > notice how the last file is the same in each case and is successfully > decrypted. but the other 4 all fail according to the client. > > your help regarding this matter would be greatly appreciate. > > thanks guys > > -- View this message in context: http://www.nabble.com/urgent-gpg-help-needed-with-regards-to-file-size.-tp16145140p16180083.html Sent from the GnuPG - User mailing list archive at Nabble.com. From khurram4life at yahoo.com Thu Mar 20 19:34:36 2008 
From: khurram4life at yahoo.com (khurram.humayun)
Date: Thu, 20 Mar 2008 11:34:36 -0700 (PDT)
Subject: urgent gpg help needed with regards to file size.
In-Reply-To: <92A893260738B0408497A64189BC1E62032CE4F9@MSEXCHANGE305.corp.standard.com>
References: <16145140.post@talk.nabble.com> <92A893260738B0408497A64189BC1E62032CE4F9@MSEXCHANGE305.corp.standard.com>
Message-ID: <16185821.post@talk.nabble.com>

1. i always use binary format when transferring via ftp. but in this case i
can safely say that is not what is causing the issue.

2. now i know that the encryption process inherently compresses the data. i
am just weirded out by the fact that the same public key and file always
compress to some different file size each time?

i am using the solaris 5.8 and gpg 1.4.7. i am not sure if this os would
have those issues with truncating the data?

Alan Olsen wrote:
>>From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of khurram.humayun
>>Sent: Wednesday, March 19, 2008 8:45 AM
>>To: gnupg-users at gnupg.org
>>Subject: urgent gpg help needed with regards to file size.
>
>>i also know i am using the correct public key because they are in each
>>case are able to decrypt the last file (the smallest size. of course they
>>used to be able to decrypt all the other large size files as well till now)
>
> How are you transporting the files? If you are using FTP you need to make
> sure you use BINARY mode for the transfer or it will do nasty things to
> the file. (You can also encode the data with ascii armor and it will
> prevent FTP from mangling the data.)
>
>>in addition when i run my script 2 times each time it gives different
>>results except for the last file generated in each case.
>
> Gpg compresses the files as part of the encryption process.
>
> Another thing is if the file is bigger than about 2 gigs or so, older OSes
> that do not handle large files may truncate the data.

From BrianDorroh at srcp.com Thu Mar 20 19:34:31 2008
From: BrianDorroh at srcp.com (Dorroh, Brian)
Date: Thu, 20 Mar 2008 13:34:31 -0500
Subject: Decyrption via scheduled task fails
In-Reply-To: <47E2A54F.2090801@utoledo.edu>
References: <16144724.post@talk.nabble.com> <47E25E93.8000906@utoledo.edu> <47E2A54F.2090801@utoledo.edu>
Message-ID:

When I type the command manually, it still doesn't log. The output is
below.
I'm executing from the directory that contains the BAT files,
C:\loadscripts

C:\LoadScripts>echo SECRETKEY|gpg --passphrase-fd 0 --decrypt-files c:\mcdown\*.pgp --logger-file gpg_logfile.txt > gpg_output.txt
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "System Admin (no comment) "
2048-bit ELG-E key, ID 3211****, created 2008-02-24 (main key ID 100B****)

gpg: encrypted with 2048-bit ELG-E key, ID 3211****, created 2008-02-24
      "System Admin (no comment) "
gpg: Signature made 03/20/08 02:14:53 using DSA key ID 0175****
gpg: Can't check signature: public key not found
gpg: --logger-file: unknown suffix
gpg: gpg_logfile.txt: unknown suffix

C:\LoadScripts>

To answer your questions:
1) I changed the Start In location for the scheduled task to point to
the location of the encrypted file. Made no difference.
2) Also tried using full paths to the executable, but the job still
fails.

-----Original Message-----
From: Neal Dudley [mailto:neal.dudley at utoledo.edu]
Sent: Thursday, March 20, 2008 12:57 PM
To: Dorroh, Brian; GnuPG Users Mailing List
Subject: Re: Decyrption via scheduled task fails

I would think we should keep this in the list, such that other people
with a similar issue can search the list archives and find this answer.
And so others know whether or not it *is* resolved in the end. Hope
you don't mind me posting it back to the list.

If you try your commands directly from the command line, what happens?
Does it complain about syntax? Does it work and produce a log file?

Try this:
1. Check the working directory of the scheduled task. Make sure it is
set to the folder where the encrypted files are located. Perhaps it is
working and just writing everything out to the working directory?

2. Change the job to use full paths for the executables, and redirect
the output to a file:
echo SECRETPASSPHRASE | C:\path-to-WinPT\gpg --passphrase-fd 0 --decrypt-files C:\path-to-files\*.pgp --logger-file gpg_logfile.txt > gpg_output.txt

Personally, I would leave the --logger-file directive in there even
after everything is working properly. That way if there is ever a
question in the future, you'll at least have the log to verify what
occurred. Once it is working, add a line to the beginning of the script
to remove the previous day's log file.

Dorroh, Brian wrote:
> Sorry to reply directly to you, but I didn't think anyone else would
> be interested in this part. I tried adding the --logger-file tag to
> the command, but it doesn't seem to work. This is what my pgp.bat
> file looks like:
>
> "echo SECRETPASSPHRASE|gpg --passphrase-fd 0 --decrypt-files c:\path-to-files\*.pgp --logger-file pgp.txt"
>
> We've specified "*.pgp" instead of "filename".pgp because each day a
> new file is placed in that directory with a different, long name.
> This was the only way I found to automate the process. But
> regardless, nothing gets logged.
>
> -----Original Message-----
> From: Neal Dudley [mailto:neal.dudley at utoledo.edu]
> Sent: Thursday, March 20, 2008 7:55 AM
> To: Dorroh, Brian
> Subject: Re: Decyrption via scheduled task fails
>
> Try adding "--logger-file logfilename" to the command. This should
> produce a log file named "logfilename", which should give us some
> clues as to what is going on here.
>
> I would guess that GnuPG is expecting a passphrase for the private
> key for decryption. Are you using gpg-agent? Another thing to check
> is environment variables, as gpg-agent sets three of them. (At least
> in a *nix environment it does.)
>
> Can you rerun the job with the --logger-file, and post the log file?
>
> bdorroh wrote:
>> I'm using v1.4.8 for Windows. I've a batch file set up to decrypt a file
>> and then to move the decrypted file to another location for further
>> processing. I can successfully decrypt the file by double-clicking my batch
>> file. But when I set up a scheduled task to run it, the decryption fails. I
>> can confirm that the scheduled task is executing, but I can't figure out why
>> the decryption fails as a task. Obviously, I can't see the output.
>>
>> I've tried outputting the results to a file, but it only shows the command
>> executed and not what actually appears on the screen when run manually.
>> Also, i do have the path to GNU set in the windows path statement.
>>
>> Any ideas here? I'm really stuck.

From BrianDorroh at srcp.com Thu Mar 20 22:03:22 2008
From: BrianDorroh at srcp.com (Dorroh, Brian)
Date: Thu, 20 Mar 2008 16:03:22 -0500
Subject: Decyrption via scheduled task fails
In-Reply-To: <47E2C901.2070100@utoledo.edu>
References: <47E2C901.2070100@utoledo.edu>
Message-ID:

That seems to work better. It only logged two entries to the
gpg_logfile when I let it run as a scheduled task. Here's what it says:

gpg: encrypted with ELG-E key, ID 3211****
gpg: decryption failed: secret key not available

And just to confirm, this works fine when I just double click the batch
file. Here's that output:

gpg: encrypted with 2048-bit ELG-E key, ID 3211****, created 2008-02-24
      "System Admin (no comment) "
gpg: Signature made 03/20/08 02:14:53 using DSA key ID 0175****
gpg: Can't check signature: public key not found

btw, it always throws up that public key error, even though it does
decrypt the file.

-----Original Message-----
From: Neal Dudley [mailto:neal.dudley at utoledo.edu]
Sent: Thursday, March 20, 2008 3:29 PM
To: Dorroh, Brian; GnuPG Users Mailing List
Subject: Re: Decyrption via scheduled task fails

Whoops, I missed something - order of arguments may matter, as it
apparently is taking the "--logger-file logfile" as more files to decrypt.

Try:
echo SECRETKEY | gpg --logger-file gpg_logfile.txt --passphrase-fd 0 --decrypt-files c:\mcdown\*.pgp > gpg_output.txt

From BrianDorroh at srcp.com Thu Mar 20 22:22:23 2008
From: BrianDorroh at srcp.com (Dorroh, Brian)
Date: Thu, 20 Mar 2008 16:22:23 -0500
Subject: Decyrption via scheduled task fails
In-Reply-To: <47E2C901.2070100@utoledo.edu>
References: <47E2C901.2070100@utoledo.edu>
Message-ID:

Ok, now I'm getting somewhere. I logged in as the local service account
that was running the batch file. When I ran the batch file manually it
failed.
So I logged back in as my domain account, changed the scheduled job to
run as my domain admin account, and then ran the job. This time it
worked!

So basically the local system account isn't finding the key to decrypt.
I sort of remember something about this. Doesn't the GnuPG installer
dump the keys in the profile of the account that installed it? I
installed GnuPG with my domain admin account, rather than the service
account.

Is there a simple way to fix this? I guess I could copy my user profile
over if nothing else.

-----Original Message-----
From: Neal Dudley [mailto:neal.dudley at utoledo.edu]
Sent: Thursday, March 20, 2008 3:29 PM
To: Dorroh, Brian; GnuPG Users Mailing List
Subject: Re: Decyrption via scheduled task fails

Whoops, I missed something - order of arguments may matter, as it
apparently is taking the "--logger-file logfile" as more files to decrypt.

Try:
echo SECRETKEY | gpg --logger-file gpg_logfile.txt --passphrase-fd 0 --decrypt-files c:\mcdown\*.pgp > gpg_output.txt

From ratnikov.alexander at gmail.com Fri Mar 21 09:24:53 2008
From: ratnikov.alexander at gmail.com (Alexander Ratnikov)
Date: Fri, 21 Mar 2008 11:24:53 +0300
Subject: Key credentials validation problem
Message-ID: <78399edb0803210124h4b8e0c34n56e13c70b47de0ce@mail.gmail.com>

Hi, List.

As a newbie in GnuPG I desperately need some help.
Here's my question.

What I have:
1. User Public Key(created in gnupg)

What I need:
To get using gnupg(or programmatically) key credentials(UserID, KeyID).

The problem is that to get info about key I have to place it to the key
ring.
How to get the info without placing the key to the keyring?

Any help is welcome.
Thanks in advance.

Best wishes,
Alexander.

P.S. I'm not subscribed to the list, please, forward me the message.

From BrianDorroh at srcp.com Fri Mar 21 15:09:33 2008
From: BrianDorroh at srcp.com (Dorroh, Brian)
Date: Fri, 21 Mar 2008 09:09:33 -0500
Subject: Decyrption via scheduled task fails
In-Reply-To: <47E2C901.2070100@utoledo.edu>
References: <47E2C901.2070100@utoledo.edu>
Message-ID:

I finally fixed it. It did turn out to be a profile issue. Since GnuPG
was installed with my account rather than the service account used to
kick off the scheduled job, the scheduled job of decrypting the file
fails. So this morning I copied my user profile over to the service
account profile and ran the job. This time the file decrypts without
any errors.

Thanks to everyone who assisted!

-----Original Message-----
From: Neal Dudley [mailto:neal.dudley at utoledo.edu] Sent: Thursday, March 20, 2008 3:29 PM To: Dorroh, Brian; GnuPG Users Mailing List Subject: Re: Decyrption via scheduled task fails Whoops, I missed something - order of arguments may matter, as it apparently is taking the "--logger-file logfile" as more files to decrypt. Try: echo SECRETKEY | gpg --logger-file gpg_logfile.txt --passphrase-fd 0 --decrypt-files c:\mcdown\*.pgp > gpg_output.txt Dorroh, Brian wrote: > When I type the command manually, it still doesn't log. The output is > below. > I'm executing from the directory that contains the BAT files, > C:\loadscripts > > C:\LoadScripts>echo SECRETKEY|gpg --passphrase-fd 0 --decrypt-files > c:\mcdown\*.pgp --logger-file gpg_logfile.txt > gpg_output.txt > Reading passphrase from file descriptor 0 > > You need a passphrase to unlock the secret key for > user: "System Admin (no comment) " > 2048-bit ELG-E key, ID 3211****, created 2008-02-24 (main key ID > 100B****) > > gpg: encrypted with 2048-bit ELG-E key, ID 3211****, created 2008-02-24 > "System Admin (no comment) " > gpg: Signature made 03/20/08 02:14:53 using DSA key ID 0175**** > gpg: Can't check signature: public key not found > gpg: --logger-file: unknown suffix > gpg: gpg_logfile.txt: unknown suffix > > C:\LoadScripts> > > To answer your questions: > 1) I changed the Start In location for the scheduled task to point to > the location of the encrypted file. Made no difference. > 2) Also tried using full paths to the executable, but the job still > fails. > > -----Original Message----- 
> From: Neal Dudley [mailto:neal.dudley at utoledo.edu] > Sent: Thursday, March 20, 2008 12:57 PM > To: Dorroh, Brian; GnuPG Users Mailing List > Subject: Re: Decyrption via scheduled task fails > > I would think we should keep this in the list, such that other people > with a similar issue can search the list archives and find this answer. > And so others know whether or not it *is* resolved in the end. Hope > you don't mind me posting it back to the list. > > If you try your commands directly from the command line, what happens? > Does it complain about syntax? Does it work and produce a log file? > > Try this: > 1. Check the working directory of the scheduled task. Make sure it is > set to the folder where the encrypted files are located. Perhaps it is > working and just writing everything out to the working directory? > > 2. Change the job to use full paths for the executables, and redirect > the output to a file: > echo SECRETPASSPHRASE | C:\path-to-WinPT\gpg --passphrase-fd 0 > --decrypt-files C:\path-to-files\*.pgp --logger-file gpg_logfile.txt > > gpg_output.txt > > Personally, I would leave the --logger-file directive in there even > after everything is working properly. That way if there is ever a > question in the future, you'll at least have the log to verify what > occurred. Once it is working, add a line to be beginning of the script > to remove the previous day's log file. > > > Dorroh, Brian wrote: >> Sorry to reply directly to you, but I didn't think anyone else would >> be interested in this part. I tried adding the --logger-file tag to >> the command, but it doesn't seem to work. This is what my pgp.bat >> file looks like: >> >> "echo SECRETPASSPHRASE|gpg --passphrase-fd 0 --decrypt-files >> c:\path-to-files\*.pgp --logger-file pgp.txt" >> >> We've specified "*.pgp" instead of "filename".pgp because each day a >> new file is placed in that directory with a different, long name. >> This was the only way I found to automate the process. 
But >> regardless, nothing gets logged. >> >> >> -----Original Message----- 
From: Neal Dudley >> [mailto:neal.dudley at utoledo.edu] Sent: Thursday, March 20, 2008 7:55 >> AM To: Dorroh, Brian Subject: Re: Decyrption via scheduled task fails >> >> >> Try adding "--logger-file logfilename" to the command. This should >> produce a log file named "logfilename", which should give us some >> clues as to what is going on here. >> >> I would guess that GnuPG is expecting a passphrase for the private >> key for decryption. Are you using gpg-agent? Another thing to check >> is environment variables, as gpg-agent sets three of them. (At least >> in a *nix environment it does.) >> >> Can you rerun the job with the --logger-file, and post the log file? >> >> >> bdorroh wrote: >>> >>> I'm using v1.4.8 for Windows. I've have a batch file setup to >>> decrypt >> a file >>> and then to move the decrypted file to another location for further >>> processing. I can successfully decrypt the file by double-clicking >>> my >> batch >>> file. But when I setup a scheduled task to run it, the decryption >> fails. I >>> can confirm that the scheduled task is executing, but I can't >>> figure >> out why >>> the decryption fails as a task. Obviously, I can't see the output. >>> >>> I've tried outputting the results to a file, but it only shows the >> command >>> executed and not what actually appears on the screen when run >> manually. >>> Also, i do have the path to GNU set in the windows path statement. >>> >>> Any ideas here? I'm really stuck. -- View this message in context: >>> >> > http://www.nabble.com/Decyrption-via-scheduled-task-fails-tp16144724p161 >> 44724.html >>> Sent from the GnuPG - User mailing list archive at Nabble.com. 
From JPClizbe at tx.rr.com Tue Mar 25 06:08:26 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 25 Mar 2008 00:08:26 -0500
Subject: Decyrption via scheduled task fails
In-Reply-To:
References: <47E2C901.2070100@utoledo.edu>
Message-ID: <47E888CA.6010705@tx.rr.com>

Dorroh, Brian wrote:
> Ok, now I'm getting somewhere. I logged in as the local service account
> that was running the batch file. When I ran the batch file manually it
> failed.
> So I logged back in as my domain account, changed the scheduled job to
> run as my domain admin account, and then ran the job. This time it
> worked!
>
> So basically the local system account isn't finding the key to decrypt.
> I sort of remember something about this. Doesn't the GnuPG installer
> dump the keys in the profile of the account that installed it? I
> installed GnuPG with my domain admin account, rather than the service
> account.
>
> Is there a simple way to fix this? I guess I could copy my user profile
> over if nothing else.

In the Local Service user's hive create a Registry key:

    HKCU\Software\GNU\GNUPG

Within this key create the following value

    Type:  REG_EXPAND_SZ
    Name:  HomeDir
    Value: %APPDATA%\GnuPG

There are other values, but HomeDir is the more important. The GnuPG
installer only creates these values for the user running the installer.

Then make sure that the directory %APPDATA%\GnuPG exists and contains the
keyring files: pubring.gpg, secring.gpg, and trustdb.gpg; containing the
secret key (and its public half) needed for decryption and any public keys
needed for verification.

Being the Local Service user, this profile is probably also local, so
%APPDATA%\GnuPG probably expands to
"C:\Documents and Settings\Local Service\Application Data\GnuPG"

--
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind."
    - Dr Seuss, "Oh the Places You'll Go"
From allen.schultz at gmail.com Tue Mar 25 06:55:00 2008
From: allen.schultz at gmail.com (Allen Schultz)
Date: Mon, 24 Mar 2008 23:55:00 -0600
Subject: GPG 4 Win / Public Key / Invalid Key on Import
Message-ID: <3f34f8420803242255r1bcb6718y3fca62705ba4f905@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend is getting an invalid key upon importing my key. I will
email a copy of the asc for those who want to try to see if I'm
exporting it incorrectly, or she has invalid/corrupt install. She is
using 2000 on computer and xp on another. I have xp, and she's been
trying it both.

Allen Schultz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iD8DBQFH6JO4Bii+WJwtK7YRAo/pAJwPbKi0nZSoYr84WLIiQ/NwHT6nKwCfV353
kMoIV8e2yN5xfk9eGleSqsQ=
=BTlC
-----END PGP SIGNATURE-----
From jmoore3rd at bellsouth.net Tue Mar 25 08:31:04 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 25 Mar 2008 03:31:04 -0400
Subject: GPG 4 Win / Public Key / Invalid Key on Import
In-Reply-To: <3f34f8420803242255r1bcb6718y3fca62705ba4f905@mail.gmail.com>
References: <3f34f8420803242255r1bcb6718y3fca62705ba4f905@mail.gmail.com>
Message-ID: <47E8AA38.40409@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Allen Schultz wrote:
> My friend is getting an invalid key upon importing my key. I will
> email a copy of the asc for those who want to try to see if I'm
> exporting it incorrectly, or she has invalid/corrupt install. She is
> using 2000 on computer and xp on another. I have xp, and she's been
> trying it both.

I am unsure about how You could be exporting Your Key incorrectly. I
was able to Import Your Key 'automatically' via
hkp://pool.sks-keyservers.net but did receive the "invalid Signature"
Error. Therefore, I would appreciate Your sending Me Your Key as an
attachment via Direct Email. I shall be glad to receive Your Key and
compare it with the one retrieved from the Keyservers.

What I am noticing at present is that You have a DSA 1024/4096 Key with
a 1 year lifespan [as currently configured]. A 4096 encryption sub-Key
is not the considered 'Default' for DH/DSS [DSA] Keys so I assume that
this was created deliberately.

What My Enigmail Console indicates is:

gpg: armor header: Hash: SHA1
gpg: armor header: Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0
gpg: original file name=''
gpg: Signature made 03/25/08 01:55:04 using DSA key ID 9C2D2BB6
gpg: BAD signature from "Allen Schultz "
gpg: textmode signature, digest algorithm SHA1

Is it possible that Your Friend is confusing a 'Bad Sig' with an
'Invalid Key'?

JOHN :-\
Timestamp: Tuesday 25 Mar 2008, 03:30 --400 (Eastern Daylight Time)
From wk at gnupg.org Wed Mar 26 12:10:34 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Mar 2008 12:10:34 +0100
Subject: [Announce] GnuPG 2.0.9 released
Message-ID: <87k5jpzqol.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-2
release: Version 2.0.9

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It can be used to encrypt data, create digital
signatures, help authenticating using Secure Shell and to provide a
framework for public key cryptography. It includes an advanced key
management facility and is compliant with the OpenPGP and S/MIME
standards.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.8) in that
it splits up functionality into several modules. However, both
versions may be installed alongside without any conflict. In fact,
the gpg version from GnuPG-1 is able to make use of the gpg-agent as
included in GnuPG-2 and allows for seamless passphrase caching. The
advantage of GnuPG-1 is its smaller size and the lack of dependency on
other modules at run and build time. We will keep maintaining GnuPG-1
versions because they are very useful for small systems and for server
based applications requiring only OpenPGP support.

GnuPG is distributed under the terms of the GNU General Public License
(GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems.

What's New
===========

 * Gpgsm always tries to locate missing certificates from a running
   Dirmngr's cache.

 * Tweaks for Windows.

 * The Admin PIN for OpenPGP cards may now be entered with the pinpad.

 * Improved certificate chain construction.

 * Extended the PKITS framework.

 * Fixed a bug in the ambiguous name detection.

 * Fixed possible memory corruption while importing OpenPGP keys (bug
   introduced with 2.0.8).

 * Minor bug fixes.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 2.0.9 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors
can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG
is not available at ftp.gnu.org.

On the FTP server and its mirrors you should find the following files
in the gnupg/ directory:

  gnupg-2.0.9.tar.bz2 (3631k)
  gnupg-2.0.9.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-2.0.8-2.0.9.diff.bz2 (114k)

      A patch file to upgrade a 2.0.8 GnuPG source tree. This patch
      does not include updates of the language files.

Note, that we don't distribute gzip compressed tarballs for GnuPG-2.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-2.0.9.tar.bz2 you would use this command:

     gpg --verify gnupg-2.0.9.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key
   5B0358A2. If you get a key expired message, you should retrieve a
   fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum. Assuming you downloaded the file
   gnupg-2.0.9.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-2.0.9.tar.bz2

   and check that the output matches the first line from the
   following list:

959bdb934e3a72d256bfbd0122d996a73adb5d1f  gnupg-2.0.9.tar.bz2
f73c43b468c91a4fbe7e07e37bd5b84a7887b1f0  gnupg-2.0.8-2.0.9.diff.bz2

Internationalization
====================

GnuPG comes with support for 27 languages. Due to a lot of new and
changed strings many translations are not entirely complete. The
Chinese, German, Polish, Russian, Swedish and Turkish translations are
close to be complete.

Documentation
=============

We are currently working on an installation guide to explain in more
detail how to configure the new features. As of now the chapters on
gpg-agent and gpgsm include brief information on how to set up the
whole thing. Please watch the GnuPG website for updates of the
documentation. In the meantime you may search the GnuPG mailing list
archives or ask on the gnupg-users mailing lists for advice on how to
solve problems. Many of the new features are around for several years
and thus enough public knowledge is already available. KDE's KMail is
the most prominent user of GnuPG-2. In fact it has been developed
along with the KMail folks. Mutt users might want to use the configure
option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make
use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP
support.

The manual is also available online in HTML format at
http://www.gnupg.org/documentation/manuals/gnupg/
and in Portable Document Format at
http://www.gnupg.org/documentation/manuals/gnupg.pdf .

Support
=======

Improving GnuPG is costly, but you can help!
We are looking for organizations that find GnuPG useful and wish to
contribute back. You can contribute by reporting bugs, improve the
software, order extensions or support or more general by donating
money to the Free Software movement (e.g.
http://www.fsfeurope.org/help/donate.en.html).

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by GnuPG's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.

The GnuPG service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.

Happy Hacking,

  The GnuPG Team (David, Marcus, Werner and all other contributors)

--
Thoughts are free. Exceptions are regulated by a federal law.
From shavital at mac.com Wed Mar 26 13:54:32 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 26 Mar 2008 08:54:32 -0400
Subject: [Announce] GnuPG 2.0.9 released
In-Reply-To: <87k5jpzqol.fsf@wheatstone.g10code.de>
References: <87k5jpzqol.fsf@wheatstone.g10code.de>
Message-ID: <47EA4788.2060502@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Werner Koch wrote the following on 3/26/08 7:10 AM:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-2
> release: Version 2.0.9
>
[...]

GnuPG v2.0.9 has been configured as follows:

Platform: Darwin (i386-apple-darwin9.2.2)
OpenPGP: yes
S/MIME: yes
Agent: yes
Smartcard: yes (without internal CCID driver)
Protect tool: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)

$ gpg2 --version
gpg (GnuPG) 2.0.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Used libraries: gcrypt(1.4.0)

Many thanks to The GnuPG Team (David, Marcus, Werner and all other
contributors) for their constant work.

Charly
From JPClizbe at tx.rr.com Wed Mar 26 01:32:42 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 25 Mar 2008 19:32:42 -0500
Subject: Key credentials validation problem
In-Reply-To: <78399edb0803210124h4b8e0c34n56e13c70b47de0ce@mail.gmail.com>
References: <78399edb0803210124h4b8e0c34n56e13c70b47de0ce@mail.gmail.com>
Message-ID: <47E999AA.9080105@tx.rr.com>

Alexander Ratnikov wrote:
> Hi, List.
> As a newbie in GnuPG I desperately need some help. Here's my question.
> What I have:
> 1. User Public Key(created in gnupg)
> What I need:
> To get using gnupg(or programmatically) key credentials(UserID, KeyID).
> The problem is that to get info about key I have to place it to the key
> ring. How to get the info without placing the key to the keyring?
> Any help is welcome.

I love these questions that sound like homework problems.

gpg --list-packets < 0xdecafbad.asc

> Thanks in advance.
> Best wishes, Alexander.
> P.S. I'm not subscribed to the list, please, forward me the message.

Ask here - Get your answer here.

--
John P. Clizbe                      Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks                hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"
From wk at gnupg.org Wed Mar 26 14:56:01 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Mar 2008 14:56:01 +0100
Subject: Key credentials validation problem
In-Reply-To: <47E999AA.9080105@tx.rr.com> (John Clizbe's message of "Tue, 25 Mar 2008 19:32:42 -0500")
References: <78399edb0803210124h4b8e0c34n56e13c70b47de0ce@mail.gmail.com> <47E999AA.9080105@tx.rr.com>
Message-ID: <873aqdy4ge.fsf@wheatstone.g10code.de>

On Wed, 26 Mar 2008 01:32, JPClizbe at tx.rr.com said:

> gpg --list-packets < 0xdecafbad.asc

or just

  gpg 0xdecafbad.asc

to get an overview. Example:

  $ gpg 1e42b367.asc
  pub  2048D/1E42B367 2007-12-31 Werner Koch
  uid                            Werner Koch
  sub  2048R/FA8FE1F9 2008-03-21 [expires: 2011-12-30]

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From gnupg at ethen.de Wed Mar 26 16:11:54 2008
From: gnupg at ethen.de (gnupg at ethen.de)
Date: Wed, 26 Mar 2008 16:11:54 +0100
Subject: [Announce] GnuPG 2.0.9 released - make check failed
In-Reply-To: <87k5jpzqol.fsf@wheatstone.g10code.de>
References: <87k5jpzqol.fsf@wheatstone.g10code.de>
Message-ID: <200803261611.54443.gnupg@ethen.de>

checking for GPG Error - version >= 1.4... yes (1.6)
checking for LIBGCRYPT - version >= 1.2.2... yes (1.4.0)
checking for LIBASSUAN - version >= 1.0.4... yes (1.0.4)
checking for LIBASSUAN pth - version >= 1.0.4... yes (1.0.4)
checking for LIBASSUAN - version >= 1.0.1... yes (1.0.4)
checking for KSBA - version >= 1.0.2... yes (1.0.3)
checking for PTH - version >= 1.3.7... yes

GnuPG v2.0.9 has been configured as follows:

Platform: GNU/Linux (i686-pc-linux-gnu)
OpenPGP: yes
S/MIME: yes
Agent: yes
Smartcard: yes
Protect tool: (default)
Default agent: (default)
Default pinentry: (default)
Default scdaemon: (default)
Default dirmngr: (default)

...

===================
All 28 tests passed
===================
make[3]: Leaving directory `/dev/shm/gpg/gnupg-2.0.9/tests/openpgp'
make[2]: Leaving directory `/dev/shm/gpg/gnupg-2.0.9/tests/openpgp'
Making check in .
make[2]: Entering directory `/dev/shm/gpg/gnupg-2.0.9/tests'
make check-TESTS
make[3]: Entering directory `/dev/shm/gpg/gnupg-2.0.9/tests'
asschk: cmd_expect_ok: expected OK but got `ERR 50331649 General error '
FAIL: sm-sign+verify
FAIL: sm-verify
====================================
2 of 2 tests failed
Please report to bug-gnupg at gnupg.org
====================================
From shavital at mac.com Wed Mar 26 17:02:17 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 26 Mar 2008 12:02:17 -0400
Subject: Graphical problem with pinentry - was: [Announce] GnuPG 2.0.9 released
In-Reply-To: <87k5jpzqol.fsf@wheatstone.g10code.de>
References: <87k5jpzqol.fsf@wheatstone.g10code.de>
Message-ID: <47EA7389.5010800@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

After compiling and installing GnuPG 2.0.9, overwriting an existing
2.0.8, the pinentry window that shows (when required) is slightly
defective: the last text line shows only its upper part half, *as if*
the whole pinentry window had "shrunk".

This didn't happen when I compiled and installed 2.0.8 over 2.0.7.

It is only a graphical thing, the functioning of gpg-agent itself has
not been affected.

I am using a pinentry designed by Benjamin Donnachie for use in a Mac
environment, that has always performed impeccably till now.

I have replaced the existing pinentry with a fresh copy, it is a Mac
application, that is called by gpg-agent by a link in the latter's
gpg-agent-conf. This didn't help.

Maybe this specific pinentry needs to be re-written, but I would like to
know, as I asked above, whether there might be something different in gpg
2.0.8's code that might affect pinentry *graphically*.

Thanks,
Charly
From wk at gnupg.org Wed Mar 26 17:38:46 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Mar 2008 17:38:46 +0100
Subject: Graphical problem with pinentry - was: [Announce] GnuPG 2.0.9 released
In-Reply-To: <47EA7389.5010800@mac.com> (Charly Avital's message of "Wed, 26 Mar 2008 12:02:17 -0400")
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <47EA7389.5010800@mac.com>
Message-ID: <87zlslv3s9.fsf@wheatstone.g10code.de>

On Wed, 26 Mar 2008 17:02, shavital at mac.com said:

> Maybe this specific pinentry needs to be re-written, but I would like to
> know, as I asked above, whether there might be something different in gpg
> 2.0.8's code that might affect pinentry *graphically*.

Not really. It is just that the text displayed is now longer. I
don't know the Mac pinentry and whether it auto-adjusts its size as the
GTK pinentries do. The native Windows pinentry for example does not
resize and thus the displayed text gets truncated.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From wk at gnupg.org Wed Mar 26 17:44:24 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Mar 2008 17:44:24 +0100
Subject: [Announce] GnuPG 2.0.9 released - make check failed
In-Reply-To: <200803261611.54443.gnupg@ethen.de> (gnupg@ethen.de's message of "Wed, 26 Mar 2008 16:11:54 +0100")
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <200803261611.54443.gnupg@ethen.de>
Message-ID: <87ve39v3iv.fsf@wheatstone.g10code.de>

On Wed, 26 Mar 2008 16:11, gnupg at ethen.de said:

> make[3]: Leaving directory `/dev/shm/gpg/gnupg-2.0.9/tests/openpgp'

Strange name for a working directory ;-)

> make[3]: Entering directory `/dev/shm/gpg/gnupg-2.0.9/tests'
> asschk: cmd_expect_ok: expected OK but got `ERR 50331649 General error
> '
> FAIL: sm-sign+verify

I meanwhile figured out what the problem is. The tests are not really
correct because they require a running gpg-agent. You also need to
make sure that all libraries are found if they are not installed in a
standard place. Try this:

  $ agent/gpg-agent --daemon sh
  $ make check

If it does work, you may try a "cd tests && make clean" first but with
the agent running.

For the next release I will change the tests to work properly by using
the just built gpg-agent.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From shavital at mac.com Wed Mar 26 18:35:21 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 26 Mar 2008 13:35:21 -0400
Subject: [Announce] GnuPG 2.0.9 released
In-Reply-To: <200803261611.54443.gnupg@ethen.de>
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <200803261611.54443.gnupg@ethen.de>
Message-ID: <47EA8959.9000507@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I've just upgraded to 2.0.9, overwriting an existing 2.0.8.
Encountered no problems.

Charly
From shavital at mac.com Wed Mar 26 18:37:10 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 26 Mar 2008 13:37:10 -0400
Subject: [Announce] GnuPG 2.0.9 released
In-Reply-To: <200803261611.54443.gnupg@ethen.de>
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <200803261611.54443.gnupg@ethen.de>
Message-ID: <47EA89C6.90000@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I've just upgraded to 2.0.9, overwriting an existing 2.0.8., under
Ubuntu 7.10, running under Parallels in a Macbook with an Intel
processor.
Encountered no problems.

Charly
From wk at gnupg.org Wed Mar 26 19:08:51 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Mar 2008 19:08:51 +0100
Subject: [Announce] GnuPG 1.4.9 released
Message-ID: <8763v9uzm4.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new stable GnuPG-1
release: Version 1.4.9. This is a maintenance release to fix a possible
vulnerability introduced with 1.4.8.

The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
and data storage. It is a complete and free replacement of PGP and
can be used to encrypt data and to create digital signatures. It
includes an advanced key management facility, smartcard support and is
compliant with the OpenPGP Internet standard as described by RFC-4880
(the recently released update of RFC-2440).

Note that this version is from the GnuPG-1 series and thus smaller
than those from the GnuPG-2 series, easier to build and also better
portable. In contrast to GnuPG-2 (e.g version 2.0.8) it comes with no
support for S/MIME or other tools useful for desktop environments.
Fortunately you may install both versions alongside on the same system
without any conflict.

Getting the Software
====================

Please follow the instructions found at http://www.gnupg.org/download/
or read on:

GnuPG 1.4.9 may be downloaded from one of the GnuPG mirror sites or
direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be
found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not
available at ftp.gnu.org.

On the mirrors you should find the following files in the *gnupg*
directory:

  gnupg-1.4.9.tar.bz2 (3250k)
  gnupg-1.4.9.tar.bz2.sig

      GnuPG source compressed using BZIP2 and OpenPGP signature.

  gnupg-1.4.9.tar.gz (4554k)
  gnupg-1.4.9.tar.gz.sig

      GnuPG source compressed using GZIP and OpenPGP signature.

  gnupg-1.4.8-1.4.9.diff.bz2 (12k)

      A patch file to upgrade a 1.4.8 GnuPG source.

Select one of them. To shorten the download time, you probably want to
get the BZIP2 compressed file.
Please try another mirror if exceptional your mirror is not yet up to
date.

In the *binary* directory, you should find these files:

  gnupg-w32cli-1.4.9.exe (2119k)
  gnupg-w32cli-1.4.9.exe.sig

      GnuPG compiled for Microsoft Windows and OpenPGP signature.
      This is a command line only version; the source files are the
      same as given above. Note, that this is a minimal installer and
      unless you are just in need for the gpg binary, you are better
      off using the full featured installer at http://www.gpg4win.org .
      A new version of Gpg4win, including this version of GnuPG will
      be available and announced soon.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a trusted version of GnuPG installed, you
   can simply check the supplied signature. For example to check the
   signature of the file gnupg-1.4.9.tar.bz2 you would use this command:

     gpg --verify gnupg-1.4.9.tar.bz2.sig

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by that signing key. Make sure that you have the right key,
   either by checking the fingerprint of that key with other sources
   or by checking that the key has been signed by a trustworthy other
   key. Note, that you can retrieve the signing key using the command

     finger wk ,at' g10code.com

   or using a keyserver like

     gpg --recv-key 1CE0C630

   The distribution key 1CE0C630 is signed by the well known key
   5B0358A2. If you get a key expired message, you should retrieve a
   fresh copy as the expiration date might have been prolonged.

   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!

 * If you are not able to use an old version of GnuPG, you have to verify
   the SHA-1 checksum.
   Assuming you downloaded the file
   gnupg-1.4.9.tar.bz2, you would run the sha1sum command like this:

     sha1sum gnupg-1.4.9.tar.bz2

   and check that the output matches the second line from the
   following list:

826f4bef1effce61c3799c8f7d3cc8313b340b55  gnupg-1.4.9.tar.bz2
52a245d20da70a3f79a2134c8ece3a1d30554ffa  gnupg-1.4.9.tar.gz
59ec735f425c37722746be68bf12565e2380362e  gnupg-1.4.8-1.4.9.diff.bz2
c2efad983dfe50e6d8007257bad2c76604be389a  gnupg-w32cli-1.4.9.exe

What's New
===========

 * Improved AES encryption performance by more than 20% (on ia32).
   Decryption is also a bit faster.

 * Fixed possible memory corruption bug in 1.4.8 while importing
   OpenPGP keys.

Internationalization
====================

GnuPG comes with support for 28 languages. Due to a lot of new and
changed strings some translations are not entirely complete. The
Chinese (Simple and Traditional), Czech, Dutch, French, German,
Norwegian, Polish, Romanian, Russian, Spanish, Swedish and Turkish
translations are close to be complete.

Support
=======

Improving GnuPG is costly, but you can help! We are looking for
organizations that find GnuPG useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, order
extensions or support or more general by donating money to the Free
Software movement (e.g. http://www.fsfeurope.org/help/donate.en.html).

Commercial support contracts for GnuPG are available, and they help
finance continued maintenance. g10 Code GmbH, a Duesseldorf based
company owned and headed by gpg's principal author, is currently
funding GnuPG development. We are always looking for interesting
development projects.

A service directory is available at:

  http://www.gnupg.org/service.html

Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word or answering questions on the mailing
lists.

Happy Hacking,

  The GnuPG Team (David, Werner and the other contributors)

--
Thoughts are free. Exceptions are regulated by a federal law.
From shavital at mac.com Wed Mar 26 19:58:25 2008
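
The SHA-1 fallback described in the two release announcements above, as an added example that is not part of the original messages or of GnuPG: a shell function that picks the list entry by file name rather than by its position in the list and fails closed when the entry is missing or duplicated. The function name, file names and digests below are constructed for illustration; a checksum list is only as trustworthy as the channel it arrived through, which is why the announcements put the signature check first.

```shell
#!/bin/sh
# Added example (not from the GnuPG announcements): check a downloaded file
# against a published SHA-1 list, choosing the entry by file name.
#
# verify_sha1 FILE LIST   (hypothetical helper name)
#   returns 0  digest of FILE equals the single list entry for its base name
#   returns 1  digest differs from the listed one
#   returns 2  unreadable input, or zero / several entries for that name
verify_sha1() {
    file=$1
    list=$2
    [ -r "$file" ] && [ -r "$list" ] || return 2
    name=$(basename "$file")

    # List lines look like "<40 hex digits>  <name>"; sha1sum may also write
    # "*<name>" for binary mode. Other lines are ignored. File names that
    # contain whitespace are not handled here.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 40 && $1 ~ /^[0-9A-Fa-f]+$/ { print tolower($1) }
    ' "$list")

    # Fail closed unless exactly one entry names this file.
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2

    actual=$(sha1sum "$file" | awk '{ print tolower($1) }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# --- Constructed sample data (not real GnuPG files or digests) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/good" "$demo_dir/tampered"
printf 'abc' > "$demo_dir/good/sample-1.0.tar.bz2"      # SHA-1 of "abc" is listed below
printf 'abd' > "$demo_dir/tampered/sample-1.0.tar.bz2"  # same name, altered content
printf 'abc' > "$demo_dir/good/unlisted.tar.gz"         # not named in the list
cat > "$demo_dir/SHA1SUMS" <<'EOF'
a9993e364706816aba3e25717850c26c9cd0d89d  sample-1.0.tar.bz2
0000000000000000000000000000000000000000  sample-1.0.diff.bz2
EOF

for f in good/sample-1.0.tar.bz2 tampered/sample-1.0.tar.bz2 good/unlisted.tar.gz; do
    verify_sha1 "$demo_dir/$f" "$demo_dir/SHA1SUMS" && rc=0 || rc=$?
    case $rc in
        0) echo "$f: OK" ;;
        1) echo "$f: DIGEST MISMATCH, do not install" ;;
        *) echo "$f: no unique list entry, treat as unverified" ;;
    esac
done
```
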
From: shavital at mac.com (Charly Avital)
Date: Wed, 26 Mar 2008 14:58:25 -0400
Subject: [Announce] GnuPG 1.4.9 released
In-Reply-To: <8763v9uzm4.fsf@wheatstone.g10code.de>
References: <8763v9uzm4.fsf@wheatstone.g10code.de>
Message-ID: <47EA9CD1.1000908@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Werner Koch wrote the following on 3/26/08 2:08 PM:
> Hello!
>
> We are pleased to announce the availability of a new stable GnuPG-1
> release: Version 1.4.9. This is a maintenance release to fix a possible
> vulnerability introduced with 1.4.8.
> [...]

Version info: gnupg 1.4.9
Configured for: Darwin (i386-apple-darwin9.2.2)

gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Thanks to The GnuPG Team (David, Werner and the other contributors)

Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From benjamin at py-soft.co.uk Wed Mar 26 20:17:41 2008
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 26 Mar 2008 19:17:41 +0000
Subject: Graphical problem with pinentry - was: [Announce] GnuPG 2.0.9 released
In-Reply-To: <47EA7389.5010800@mac.com>
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <47EA7389.5010800@mac.com>
Message-ID: <47EAA155.6060900@py-soft.co.uk>

Charly Avital wrote:
> It is only a graphical thing, the functioning of gpg-agent itself has
> not been affected.

Could you please send me a screen capture off list?

Ben

From 210525p42015 at denstarfarm.us Wed Mar 26 20:20:30 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Wed, 26 Mar 2008 15:20:30 -0400
Subject: [Announce] GnuPG 2.0.9 released
In-Reply-To: <47EA89C6.90000@mac.com>
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <200803261611.54443.gnupg@ethen.de> <47EA89C6.90000@mac.com>
Message-ID: <47EAA1FE.4020804@denstarfarm.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

working fine here.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From benjamin at py-soft.co.uk Wed Mar 26 21:11:31 2008
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 26 Mar 2008 20:11:31 +0000
Subject: Graphical problem with pinentry - was: [Announce] GnuPG 2.0.9 released
In-Reply-To: <87zlslv3s9.fsf@wheatstone.g10code.de>
References: <87k5jpzqol.fsf@wheatstone.g10code.de> <47EA7389.5010800@mac.com> <87zlslv3s9.fsf@wheatstone.g10code.de>
Message-ID: <47EAADF3.7020808@py-soft.co.uk>

Werner Koch wrote:
> Not really. It is just that the text displayed is now longer. I don't
> know the Mac pinentry and whether it auto-adjusts its size as the GTK
> pinentries do. The native Windows pinentry for example does not resize
> and thus the displayed text gets truncated.

That's exactly the issue and I /may/ address it in the next release.

Ben

From andog at gmx.net Wed Mar 26 21:57:33 2008
From: andog at gmx.net (Andreas Grassl)
Date: Wed, 26 Mar 2008 21:57:33 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <1205350597.6290.5.camel__33833.2466585145$1205350832$gmane$org@carbon>
References: <1205071554.6429.8.camel@carbon> <1205350597.6290.5.camel__33833.2466585145$1205350832$gmane$org@carbon>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sven Radde wrote:
> On Sunday, 09.03.2008, at 15:05 +0100, Sven Radde wrote:
>> Apart from applying the regular patches, the only action I remember that
>> could possibly have an impact on GnuPG was installing the "seahorse"
>> package. However, removing it again did not change anything.
>
> Update: It works again. Simply removing the seahorse package left a
> "seahorse-agent" process running, which was apparently responsible for
> the hassle. Only after a reboot that was gone, too...
>
> Cheers, my OpenPGP card is back!
>
> All that's left is to wonder why seahorse (in particular its agent)
> breaks a working smartcard setup...

I had the same problem here. Uninstalling seahorse solved my issue. I
run Ubuntu 7.10, gpg 1.4.6 and thunderbird 2.0.12 with enigmail 0.95.6.
In thunderbird it didn't work to do anything regarding the CryptoCard,
$ gpg --card-status gave me the usual info to the card.

I didn't perform further tests, but could do it if relevant.

Greetings,

ando

- --
 /"\
 \ /  ASCII Ribbon
  X   against HTML email
 / \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From sh at sourcecode.de Wed Mar 26 22:53:09 2008
From: sh at sourcecode.de (Stephan Hermann)
Date: Wed, 26 Mar 2008 22:53:09 +0100
Subject: OpenPGP card stopped working
In-Reply-To:
References: <1205071554.6429.8.camel@carbon> <1205350597.6290.5.camel__33833.2466585145$1205350832$gmane$org@carbon>
Message-ID: <47EAC5C5.5050607@sourcecode.de>

Hi,

Andreas Grassl wrote:
> Sven Radde wrote:
>> On Sunday, 09.03.2008, at 15:05 +0100, Sven Radde wrote:
>>> Apart from applying the regular patches, the only action I remember that
>>> could possibly have an impact on GnuPG was installing the "seahorse"
>>> package. However, removing it again did not change anything.
>> Update: It works again. Simply removing the seahorse package left a
>> "seahorse-agent" process running, which was apparently responsible for
>> the hassle. Only after a reboot that was gone, too...
>
>> Cheers, my OpenPGP card is back!
>
>> All that's left is to wonder why seahorse (in particular its agent)
>> breaks a working smartcard setup...
>
> I had the same problem here. Uninstalling seahorse solved my issue. I
> run Ubuntu 7.10, gpg 1.4.6 and thunderbird 2.0.12 with enigmail 0.95.6.
> In thunderbird it didn't work to do anything regarding the CryptoCard,

Seahorse is known to not work with smartcard setup...I had the very same
problem.

Enigmail you can work around, you just give him a key id like this
"0x!" <-- the "!" is important

Just like you do when you want to avoid the use of your card (thx to the
guys here from the list, who gave me the hint ;))

Regards,

\sh

From hlmuller at yahoo.com Thu Mar 27 16:34:35 2008
From: hlmuller at yahoo.com (Harvey Muller)
Date: Thu, 27 Mar 2008 08:34:35 -0700 (PDT)
Subject: OpenPGP card stopped working
Message-ID: <288022.45849.qm@web53603.mail.re2.yahoo.com>

If you decide not to remove seahorse-agent, for any reason, you can
work around the issue by using the --no-use-agent option with gpg.

You still will be unable to decrypt with seahorse agent.

HTH,

Harvey

----- Original Message ----
> From: Stephan Hermann
> To: Andreas Grassl
> Cc: gnupg-users at gnupg.org
> Sent: Wednesday, March 26, 2008 5:53:09 PM
> Subject: Re: OpenPGP card stopped working
>
> Hi,
>
> Andreas Grassl wrote:
> > Sven Radde wrote:
> >> On Sunday, 09.03.2008, at 15:05 +0100, Sven Radde wrote:
> >>> Apart from applying the regular patches, the only action I remember that
> >>> could possibly have an impact on GnuPG was installing the "seahorse"
> >>> package. However, removing it again did not change anything.
> >> Update: It works again. Simply removing the seahorse package left a
> >> "seahorse-agent" process running, which was apparently responsible for
> >> the hassle. Only after a reboot that was gone, too...
> >
> >> Cheers, my OpenPGP card is back!
> >
> >> All that's left is to wonder why seahorse (in particular its agent)
> >> breaks a working smartcard setup...
> >
> > I had the same problem here. Uninstalling seahorse solved my issue. I
> > run Ubuntu 7.10, gpg 1.4.6 and thunderbird 2.0.12 with enigmail 0.95.6.
> > In thunderbird it didn't work to do anything regarding the CryptoCard,
>
> Seahorse is known to not work with smartcard setup...I had the very same
> problem.
>
> Enigmail you can work around, you just give him a key id like this
> "0x!" <-- the "!" is important
>
>
> Just like you do when you want to avoid the use of your card (thx to the
> guys here from the list, who gave me the hint ;))
>
>
> Regards,
>
> \sh
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From neal.dudley at utoledo.edu Thu Mar 27 17:39:14 2008
From: neal.dudley at utoledo.edu (Neal Dudley)
Date: Thu, 27 Mar 2008 12:39:14 -0400
Subject: Interesting news Article about PGP from SANS.
Message-ID: <47EBCDB2.5050808@utoledo.edu>

I would think people on this list would be interested in this:

http://isc.sans.org/diary.html?storyid=4207&rss

All I can say is "wow"...

From email at sven-radde.de Thu Mar 27 18:48:43 2008
From: email at sven-radde.de (Sven Radde)
Date: Thu, 27 Mar 2008 18:48:43 +0100
Subject: OpenPGP card stopped working
In-Reply-To: <288022.45849.qm@web53603.mail.re2.yahoo.com>
References: <288022.45849.qm@web53603.mail.re2.yahoo.com>
Message-ID: <1206640123.7310.3.camel@carbon>

Hi!

On Thursday, 27.03.2008, at 08:34 -0700, Harvey Muller wrote:
> If you decide not to remove seahorse-agent, for any reason,
> you can workaround the issue by using the --no-use-agent option with gpg.

Thanks, putting "no-use-agent" into gpg.conf did the trick.

Now I have the nice things of seahorse (such as the Nautilus and gedit
integration) and the best thing is: GnuPG still works, including my
smartcard ;-)

cu, Sven

From sbly585 at fastmail.net Thu Mar 27 17:31:00 2008
From: sbly585 at fastmail.net (Scott Blystone)
Date: Thu, 27 Mar 2008 12:31:00 -0400
Subject: GnuPG v2.x?
Message-ID: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I've been on the list for some time but have thus far been a "lurker",
and this is my first post. I have a very basic question.

I have seen for quite some time that GPG v2.x has been available. It
seems to offer some significant advantages according to what I read.
Yet, no one seems to be using it and it seems to be available only in
source code. In particular, I have not seen any Mac binaries. Why does
it seem that virtually no one is using it?

- --
Scott A. Blystone
CAcert.org Assurer
Thawte Notary
GSWoT Introducer
Rochester, New York
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: GSWoT:US61 Gossamer Spider Web of Trust www.gswot.org
Comment: Scott Blystone Rochester, NY sblystone at gswot.org
Comment: Public key available at http://wwwkeys.pgp.net

iEYEARECAAYFAkfry8QACgkQi8a/mTXWPY9cJwCgmF35sNT7DTxi7QNWgXF/He6U
HxkAn0a/IIOqNGmjvpFICx3WBUoocnXU
=yvAA
-----END PGP SIGNATURE-----

From shavital at mac.com Fri Mar 28 13:20:16 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 28 Mar 2008 08:20:16 -0400
Subject: GnuPG v2.x?
In-Reply-To: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net>
References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net>
Message-ID: <47ECE280.3030904@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Scott Blystone wrote the following on 3/27/08 12:31 PM:
> Hi All,
>
> I've been on the list for some time but have thus far been a "lurker",
> and this is my first post. I have a very basic question.
>
> I have seen for quite some time that GPG v2.x has been available. It
> seems to offer some significant advantages according to what I read.
> Yet, no one seems to be using it and it seems to be available only in
> source code. In particular, I have not seen any Mac binaries. Why does
> it seem that virtually no one is using it?

I am using it currently, and have been using it for some time, with
gpg-agent.

For a binary installer of 2.0.7, please check:
mac-gnupg-2.0.7-TEST1.zip - I have tested it and it is fine.

It is not enough to run the installer, please read the information
contained in the download page, for required complementary files.

In the meantime I have updated to 2.0.9, compiling the source code, but
downloading the required libraries, that are statically built in the
binary installer.

Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Fri Mar 28 16:33:42 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 28 Mar 2008 10:33:42 -0500
Subject: GnuPG v2.x?
In-Reply-To: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net>
References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net>
Message-ID: <47ED0FD6.4010807@sixdemonbag.org>

Scott Blystone wrote:
> I've been on the list for some time but have thus far been a
> "lurker", and this is my first post. I have a very basic question.

Well, you sure did pick an excellent one to start off on. :)

> I have seen for quite some time that GPG v2.x has been available. It
> seems to offer some significant advantages according to what I read.
> ... Why does it seem that virtually no one is using it?

You may not get as complete answers as you want here. The GnuPG 2.x
authors are on the list, after all, and they are some scarily competent
people. Some people who haven't migrated might be afraid to voice their
opinions, for fear that people who know more than them will clobber
their opinion mercilessly.

The GnuPG authors are reasonable human beings. They tend not to do
that. In fact, I'm so confident of their willingness to tolerate
sincere and reasoned disagreements that I'll give a very complete
answer to your question, and one I suspect they will emphatically
disagree with. :)

* * * * *

Computer science, like pretty much any highly technical field, has
parts to it that are formally describable in mathematical terms and
parts that exist mostly as rules of thumb and handed-down wisdom. I use
1.4.x only because of the latter kind of reasons: particularly, the
Small Tools Principle and the Second System Effect.

* * * * *

The Small Tools Principle: "The more things a program does, the greater
the chance it will fail. Tools should be small and do one thing
extremely well."

GnuPG 1.4.x is purely an OpenPGP application.
I didn't like it when it started integrating smartcard functionality,
since it seems likely the vast majority of users will not need it, and
it seemed like a violation of the Small Tools Principle. When I build
my own 1.4.x GnuPG, I typically turn off all the options I don't need.
The smaller my trusted codebase, the more reliable the final product
will be.

GnuPG 2.x is... well, I guess the better question is what is there
GnuPG 2.x doesn't do? Its capabilities have expanded significantly.
This doesn't sit well with me. I don't need the new capabilities of
2.x; why, then, should I migrate to it?

* * * * *

The Second System Effect: "When designing the successor to a relatively
small, elegant and successful system, there is a tendency to become
grandiose in one's success and design an elephantine feature-laden
monstrosity."

This is a general rule and may not apply to GnuPG 2.x. I don't know if
it does. I also don't know if it doesn't. This is not a state of
affairs you want in security software.

I know wk has said that he was aware of this general rule during 2.x's
development, but I don't trust Werner to evaluate the quality of his
own code. This is no slight against him. I don't trust _anyone_ to
evaluate the quality of his or her own code.

When GnuPG 1.0 came out, the very first thing I did was sit down and
spend a week going over the code. I wasn't bughunting; I was trying to
understand the architecture and design of the system. As GnuPG 1.0
turned into 1.2 and 1.4, I kept track of the changes.

I've not yet had the time to study GnuPG 2.x. I don't know the
architecture and design. Since I've seen no independent evaluations of
2.x and had no time to personally inspect the code for myself, I feel
that I need to consider the possibility that 2.x is an example of the
second-system effect.

* * * * *

... So what you get to, then, is this.

I know GnuPG 1.4.x. It is trusted code and I have given it the
looking-at I feel it deserves.
I have come to the belief that it (a) obeys the Small Tools Principle
and (b) does not suffer from the Second System Effect.

I don't know GnuPG 2.x. It's trusted code but I haven't yet been able
to give it the looking-at I feel it deserves. I have a nagging doubt
about whether it obeys the Small Tools Principle. I do not know whether
it's developing the Second System Effect. If I had a couple of weeks to
study the 2.x code, these concerns might very well get assuaged, but
given I have comps coming up... well, first I have comps, after that I
have a nervous breakdown penciled in, and after that...

Finally, GnuPG 1.4.x does everything I need it to do and does it quite
well. Why should I change?

* * * * *

... As two last (and hopefully unnecessary!) words of warning: first,
do not interpret any of this as an attack on 2.x. It's not. I have
exactly _zero_ evidence of any problems with 2.x. I have questions,
sure, but a question is not the same as a problem, and people should
not interpret my questions as anything other than what they are.

Second, just because I'm this paranoid doesn't mean you should be. Only
you get to decide your own security policy. I don't get a vote in what
your policy should be, and if you were to give me one, the first thing
I'd do after cackling maniacally would be to abstain. _Do not_ fall
into the mistake of thinking "well, Rob has articulated some concerns
here, so I'd better stay away." I've articulated some concerns and
reasons why I'm staying away. Use your own judgment--don't substitute
mine for yours!

* * * * *

Thank you, Werner, David, and others, for GnuPG 2.x. In time I'll have
the time to look at the code and get my questions answered. Until then,
thank you for all your hard work, even if I'm not leaping on the
bandwagon just yet. :)

From sbly585 at fastmail.net Fri Mar 28 16:44:39 2008
From: sbly585 at fastmail.net (Scott Blystone)
Date: Fri, 28 Mar 2008 11:44:39 -0400
Subject: GnuPG v2.x?
Message-ID: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank-you to all who responded to my questions about v2.x. There were
many excellent points made. I need to stay on the v1.x branch as I am
using a Mac and would not be able to integrate v2.x with either Apple
Mail or Thunderbird. But I'm more content now! :-)

- --
Scott Blystone
Rochester, NY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: GSWoT:US61 Gossamer Spider Web of Trust www.gswot.org
Comment: Scott Blystone Rochester, NY sblystone at gswot.org
Comment: Public key available at http://wwwkeys.pgp.net

iEYEARECAAYFAkftEmcACgkQi8a/mTXWPY9INwCfdUe+VXhD9vqYyyVM7NFEKuQ0
ApcAn2T1aKQa9eeyaUqVszIw31EPlYg2
=GTrT
-----END PGP SIGNATURE-----

From wk at gnupg.org Fri Mar 28 16:49:45 2008
From: wk at gnupg.org (Werner Koch)
Date: Fri, 28 Mar 2008 16:49:45 +0100
Subject: GnuPG v2.x?
In-Reply-To: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> (Scott Blystone's message of "Thu, 27 Mar 2008 12:31:00 -0400")
References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net>
Message-ID: <87r6dug86e.fsf@wheatstone.g10code.de>

On Thu, 27 Mar 2008 17:31, sbly585 at fastmail.net said:

> source code. In particular, I have not seen any Mac binaries. Why does
> it seem that virtually no one is using it?

I don't know about the Mac. However, all KMail users are more or less
required to use it and all modern distros come with GnuPG-2.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From rjh at sixdemonbag.org Fri Mar 28 16:51:39 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 28 Mar 2008 10:51:39 -0500
Subject: GnuPG v2.x?
In-Reply-To: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net>
References: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net>
Message-ID: <47ED140B.80707@sixdemonbag.org>

Scott Blystone wrote:
> I need to stay on the v1.x branch as I am using a Mac and would not
> be able to integrate v2.x with either Apple Mail or Thunderbird. But
> I'm more content now! :-)

2.x can be used on the Mac, and can be integrated with Thunderbird. If
you want to use 1.4.x, by all means go right ahead, let me be the last
to complain--but use it because it's what you want to use, not because
you think you have to use it. :)

From ale at pcartwright.com Fri Mar 28 17:12:13 2008
From: ale at pcartwright.com (Paul Cartwright)
Date: Fri, 28 Mar 2008 12:12:13 -0400
Subject: GnuPG v2.x?
In-Reply-To: <87r6dug86e.fsf@wheatstone.g10code.de>
References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <87r6dug86e.fsf@wheatstone.g10code.de>
Message-ID: <200803281212.13201.ale@pcartwright.com>

On Fri March 28 2008, Werner Koch wrote:
> > source code. In particular, I have not seen any Mac binaries. Why does
> > it seem that virtually no one is using it?
>
> I don't know about the Mac. However, all KMail users are more or less
> required to use it and all modern distros come with GnuPG-2.

I have 1.4.9 only because I downloaded the source and installed it via
checkinstall:

$ dpkg --list|grep gnupg
ii  gnupg  1.4.9-1  Package created with checkinstall 1.6.1

I am running Debian Etch, with KDE 3.5.8 and Kmail 1.9.7

is there an easy upgrade path to GnuPG-2 ?

--
Paul Cartwright
Registered Linux user # 367800
Registered Ubuntu User #12459

From rjh at sixdemonbag.org Fri Mar 28 17:17:43 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 28 Mar 2008 11:17:43 -0500
Subject: GnuPG v2.x?
In-Reply-To: <200803281212.13201.ale@pcartwright.com>
References: <259C5607-6DAB-47E3-BE3F-1D468CFB92D5@fastmail.net> <87r6dug86e.fsf@wheatstone.g10code.de> <200803281212.13201.ale@pcartwright.com>
Message-ID: <47ED1A27.3000504@sixdemonbag.org>

Paul Cartwright wrote:
> is there an easy upgrade path to GnuPG-2 ?

Beyond "sudo apt-get install gnupg2"?

(The above works on Ubuntu 7.10, which is generally very comparable to
Debian. I have no Debian Etch systems available for testing.)

From sbly585 at fastmail.net Fri Mar 28 17:18:04 2008
From: sbly585 at fastmail.net (Scott Blystone)
Date: Fri, 28 Mar 2008 12:18:04 -0400
Subject: GnuPG v2.x?
In-Reply-To: <47ED140B.80707@sixdemonbag.org>
References: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net> <47ED140B.80707@sixdemonbag.org>
Message-ID: <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>

Robert,

I am currently grabbing Mac compiled binaries for the TEST1 version of
2.0.7. How would one integrate v2.x into Thunderbird, though? I think
the Enigmail version supports only GPG v1.x. Also, I'm absolutely
certain that the Apple Mail plugin for Leopard only supports v1.x. And
even it is in mid to late beta status.

--
Scott Blystone
Rochester, New York

On Mar 28, 2008, at 11:51 AM, Robert J. Hansen wrote:

> Scott Blystone wrote:
>> I need to stay on the v1.x branch as I am using a Mac and would not
>> be able to integrate v2.x with either Apple Mail or Thunderbird. But
>> I'm more content now! :-)
>
> 2.x can be used on the Mac, and can be integrated with Thunderbird. If
> you want to use 1.4.x, by all means go right ahead, let me be the last
> to complain--but use it because it's what you want to use, not because
> you think you have to use it. :)
>
>

From rjh at sixdemonbag.org Fri Mar 28 17:22:30 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 28 Mar 2008 11:22:30 -0500
Subject: GnuPG v2.x?
In-Reply-To: <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>
References: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net> <47ED140B.80707@sixdemonbag.org> <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>
Message-ID: <47ED1B46.8070104@sixdemonbag.org>

Scott Blystone wrote:
> I am currently grabbing Mac compiled binaries for the TEST1 version of
> 2.0.7. How would one integrate v2.x into Thunderbird, though? I think
> the Enigmail version supports only GPG v1.x.

Well, given that I'm part of the Enigmail team... :)

http://enigmail.mozdev.org/documentation/index.php

"In order to provide the crypto-features, Enigmail requires GnuPG to be
installed. We currently recommend GnuPG version 1.4.8 and/or 2.0.8."

The Quick Start Guide leads people through the process of installing
GnuPG 1.4.x, mostly because we've discovered that to be an easier
process than GnuPG 2. However, Enigmail works fine with GnuPG 2, and we
have several people who can assist you in getting set up with it.

Why not join the Enigmail list? We're a pretty friendly bunch over
there.

From shavital at mac.com Fri Mar 28 17:25:26 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 28 Mar 2008 12:25:26 -0400
Subject: GnuPG v2.x?
In-Reply-To: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net>
References: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net>
Message-ID: <47ED1BF6.4080705@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Scott Blystone wrote the following on 3/28/08 11:44 AM:
> Thank-you to all who responded to my questions about v2.x. There were
> many excellent points made. I need to stay on the v1.x branch as I am
> using a Mac and would not be able to integrate v2.x with either Apple
> Mail or Thunderbird. But I'm more content now! :-)
>

I am using gpg 2.0.9 integrated with Thunderbird and with Apple Mail,
on a Macbook Intel Core 2 Duo.

In Thunderbird+Enigmail, the user can switch from v1.4.9 to v2.0.9 on
the fly, by changing the gpg path. Which I do when required. This
e-mail is signed using gpg 2.0.9.

In GPGMail, it requires a CLI.

Using a Mac does not prevent you from using gpg v2.*

Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From JPClizbe at tx.rr.com Fri Mar 28 18:13:58 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 28 Mar 2008 12:13:58 -0500
Subject: GnuPG v2.x?
In-Reply-To: <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>
References: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net> <47ED140B.80707@sixdemonbag.org> <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>
Message-ID: <47ED2756.7010504@tx.rr.com>

Scott Blystone wrote:
> Robert,
>
> I am currently grabbing Mac compiled binaries for the TEST1 version of
> 2.0.7. How would one integrate v2.x into Thunderbird, though? I think
> the Enigmail version supports only GPG v1.x. Also, I'm absolutely
> certain that the Apple Mail plugin for Leopard only supports v1.x. And
> even it is in mid to late beta status.

OpenPGP --> Preferences. Top box, Files and Directories. Change the
full path to gpg to the full path to gpg2. Click OK.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

From 210525p42015 at denstarfarm.us Fri Mar 28 19:14:30 2008
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Fri, 28 Mar 2008 14:14:30 -0400
Subject: Gnupg and my Mac
Message-ID: <47ED3586.6050605@denstarfarm.us>

This current line of thought about running gpg2 on the Mac is germane.
While I am currently running compiled 2.0.9, thanks to a *lot* of help
from Charly, I also want to run it in Apple's Mail.app

OK ... here's the rub ...for example, I open Mail and it tells me a
series of missives about not finding a recent version of gpg because
the current gpg version is 2.0.9 and is not 1.4.x ...OK, DUH

I run the gnupg.prefpane 1.2.2 and she tells me to locate gpg svp. I
then switch over to Root, logged in ... I am presented with a "Finder"
window. Well, gee, the Finder window only shows non-hidden folders ...
in the real Finder window, I *can* see /usr/local/bin/gpg2 for I have
set a pref to show hidden ...... but the gnupg version of a finder,
while I am logged in as *the* system admin, will not show that ...

Thus, I am unable to point gnupg at the actual locale of gpg2, or
anything for that matter which currently resides in /usr/ ...

So, while some people might be running Apple's Mail with a 2.x version,
I am unsure how they did it despite already being told.

From shavital at mac.com Fri Mar 28 20:01:53 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 28 Mar 2008 15:01:53 -0400
Subject: GnuPG v2.x?
In-Reply-To: <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>
References: <99D06775-8642-4DDC-83C3-21EC2D8D4CA7@fastmail.net> <47ED140B.80707@sixdemonbag.org> <6386A639-E157-46C0-9DF8-FD589EEB2515@fastmail.net>
Message-ID: <27F0121F-D390-4583-A294-B0B672CA0CCA@mac.com>

On Mar 28, 2008, at 12:18 PM, Scott Blystone wrote:

> Robert,
>
> I am currently grabbing Mac compiled binaries for the TEST1 version
> of 2.0.7. How would one integrate v2.x into Thunderbird, though?

As I already indicated in a previous e-mail, you change the path of
Enigmail accordingly to use gpg2, on the fly. There's a mailing list
for Enigmail users, enigmail at mozdev.org

> I think the Enigmail version supports only GPG v1.x.

No.

> Also, I'm absolutely certain that the Apple Mail plugin for Leopard
> only supports v1.x

Why are you sure? This e-mail is written in Apple Mail with the GPGMail
mailbundle, and it is using gpg2, as you will see in the footers of the
signature.

> . And even it is in mid to late beta status.

It is in beta and it works.

>

Charly

From shavital at mac.com Fri Mar 28 20:17:41 2008
From: shavital at mac.com (Charly Avital)
Date: Fri, 28 Mar 2008 15:17:41 -0400
Subject: gpg 2.* on Apple Mail GPGMail
Message-ID: <568E4A7B-86D9-4136-94D3-3E94035DB37E@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is an e-mail composed in Apple Mail with GPGMail d52 for Leopard, using gpg 2.0.9

My previous message to you and to the list of gnupg-users was sent, erroneously, in PGP/MIME format, therefore there were no PGP headers nor footers.

Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
Comment: GnuPG for Privacy
-----END PGP SIGNATURE-----

From HT- at gmx.de Fri Mar 28 21:24:58 2008
From: HT- at gmx.de (Hendrik Tessendorf)
Date: Fri, 28 Mar 2008 21:24:58 +0100
Subject: Installer "gnupg-w32cli-1.4.9.exe" refers to RFC2440
Message-ID: <47ED541A.3050100@gmx.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

the win32 installer "gnupg-w32cli-1.4.9.exe" works fine.
However, I think it prints inaccurate messages.

Installer message:
| GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.
|
| Click Next to continue.
|
|
|
|
| This is GnuPG version 1.4.9
| built on 2008-03-26 17:47 UTC
| file version 1.4.9.8617

Shouldn't this be RFC 4880 instead of 2440 in the text above?

Hendrik Tessendorf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEAREKAAYFAkftVBUACgkQuJ8iM7rUo8G3/wCfVWLLS41Iaru33h3opy8+R0Gj
OlUAn0rJXysrSU5sXyh6VPbgQyn4CbrG
=EOPc
-----END PGP SIGNATURE-----

From JPClizbe at tx.rr.com Sat Mar 29 02:08:05 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Fri, 28 Mar 2008 20:08:05 -0500
Subject: Installer "gnupg-w32cli-1.4.9.exe" refers to RFC2440
In-Reply-To: <47ED541A.3050100@gmx.de>
References: <47ED541A.3050100@gmx.de>
Message-ID: <47ED9675.2090200@tx.rr.com>

Hendrik Tessendorf wrote:
> the win32 installer "gnupg-w32cli-1.4.9.exe" works fine.
> However, I think it prints inaccurate messages.
>
> Installer message:
> | GnuPG is GNU's tool for secure communication and data storage. It can be
> used to encrypt data and to create digital signatures. It includes an advanced
> key management facility and is compliant with the proposed OpenPGP Internet
> standard as described in RFC2440.
>
> Shouldn't this be RFC 4880 instead of 2440 in the text above?

Probably. Although strict RFC 2440 behavior is possible with the --rfc2440 option

Werner, (TRIVIAL) patch follows:

$ diff -uarN README~ README --- README~ 2008-03-28 18:54:25 -0500 +++ README 2008-03-28 19:53:12 -0500 @@ -22,7 +22,7 @@ GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant - with the proposed OpenPGP Internet standard as described in RFC2440. + with the proposed OpenPGP Internet standard as described in RFC4880. GnuPG works best on GNU/Linux or *BSD systems. Most other Unices are also supported but are not as well tested as the Free Unices.

-- 
John P. Clizbe Inet: JPClizbe (a) tx DAWT rr DAHT con
Ginger Bear Networks hkp://keyserver.gingerbear.net

"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From Axel.Thimm at ATrpms.net Mon Mar 31 02:46:21 2008
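Review bot: the only line changed is the README sentence ending "as described in RFC2440", but the report in this thread is about that same sentence as displayed by gnupg-w32cli-1.4.9.exe. Unless the installer text is generated from README, the installer's copy needs the same RFC2440 to RFC4880 change, so it is worth searching the tree for remaining RFC2440 references before applying. The diff was also taken against an editor backup (README~) with no directory prefix in the file headers, so it applies with patch -p0 from the source directory rather than the more usual -p1.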
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Mon, 31 Mar 2008 03:46:21 +0300
Subject: gpg-agent/ssh-add asking for passphrase at first usage
Message-ID: <20080331004621.GB7497@puariko.nirvana>

Hi,

some years ago I did create a nice "gpg-agent --enable-ssh-support" setup that would register ssh keys with the agent, but the agent would only ask for the passphrase when ssh would try a connection.

Now I upgraded my system and this doesn't work anymore. Unfortunately I didn't document how I had set it up and I can't even find a hint in the gnupg docs. :(

Fortunately I have a backup of the old system where I can at least phenomenically investigate it:

a) The old system was a Fedora system where I had replaced /usr/bin/ssh-agent with a script:

   #! /bin/sh
   exec /usr/bin/gpg-agent \
     --enable-ssh-support \
     --daemon \
     --write-env-file ${HOME}/.gpg-agent-info \
     "$@"

b) When logging into X11 Fedora would call this script wrapped around gnome-session. Once in a console `ssh-add -l' shows that the key has already been registered (but no passphrase has been asked yet):

   $ ssh-add -l
   1024 95:50:9c:02:fc:71:d6:fb:0c:f6:02:d1:fc:dc:7e:3f .xxx/id_dsa (DSA)

c) When an ssh connection is run gpg-agent would be contacted which in turn would fire up the pinentry-program to get the passphrase, which would then only be asked again after the default/max ttls would expire.

Now my questions are:

- *how* did I set this up to have the key registered, but have the passphrase asked only once it's needed? There is no ssh-add option for a delayed passphrase checking.

- *where* did I set this up? I couldn't find anything in the gnome startup that would even call ssh-add. How did gpg-agent know about the location/fingerprint of my key?

- *why* did it break with the update? The old system has gnupg 2.0.8 and the new one 2.0.9. But the Changelog doesn't indicate anything that would make these two behave differently.

Thanks!
-- 
Axel.Thimm at ATrpms.net

From tmz at pobox.com Mon Mar 31 06:17:59 2008
From: tmz at pobox.com (Todd Zullinger)
Date: Mon, 31 Mar 2008 00:17:59 -0400
Subject: gpg-agent/ssh-add asking for passphrase at first usage
In-Reply-To: <20080331004621.GB7497@puariko.nirvana>
References: <20080331004621.GB7497@puariko.nirvana>
Message-ID: <20080331041759.GG18510@inocybe.teonanacatl.org>

Axel Thimm wrote:
> some years ago I did create a nice "gpg-agent --enable-ssh-support"
> setup that would register ssh keys with the agent, but the agent
> would only ask for the passphrase when ssh would try a connection.
>
> Now I upgraded my system and this doesn't work anymore.

What exactly doesn't work? You don't get any password prompt for either your ssh nor gpg keys? Or you get the prompt for both now instead of having your ssh key automatically added? Or something else entirely?

> Now my questions are:
[...]
> - *why* did it break with the update? The old system has gnupg 2.0.8
> and the new one 2.0.9. But the Changelog doesn't indicate anything
> that would make these two behave differently.

Is the new system running another agent, like the seahorse agent? I think that might be on by default now, and it provides similar functionality to gpg-agent and ssh-agent. Maybe it's causing problems?

That's just my half-educated guess. ;)

-- 
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Conscience is what hurts when everything else feels so good.

From wk at gnupg.org Mon Mar 31 13:49:28 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 31 Mar 2008 13:49:28 +0200
Subject: Installer "gnupg-w32cli-1.4.9.exe" refers to RFC2440
In-Reply-To: <47ED9675.2090200@tx.rr.com> (John Clizbe's message of "Fri, 28 Mar 2008 20:08:05 -0500")
References: <47ED541A.3050100@gmx.de> <47ED9675.2090200@tx.rr.com>
Message-ID: <87prtb9kqf.fsf@wheatstone.g10code.de>

On Sat, 29 Mar 2008 02:08, JPClizbe at tx.rr.com said:

> Probably. Although strict RFC 2440 behavior is possible with the --rfc2440 option

Well, yes. But it takes some time to update all documents. Think only of rfc822 and rfc2822 ;-).

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From reinhard.mueller at bytewise.at Sun Mar 30 15:52:07 2008
From: reinhard.mueller at bytewise.at (Reinhard Müller)
Date: Sun, 30 Mar 2008 15:52:07 +0200
Subject: Siemens card reader
Message-ID: <1206885127.5177.5.camel@dublin.local>

Hi,

I've tried a Siemens S26361-F1260-L801 internal USB card reader with an OpenPGP card. Siemens claims the reader is CCID compatible.

After the usual fix of the permissions for the device, "gpg --card-status" works perfectly, but with "gpg --clearsign foo" I get:

$ gpg --clearsign foo
gpg: Bisher erstellte Signaturen: 8307

Bitte geben Sie die PIN ein
[Verarbeitete Signaturen: 8307]
gpg: ccid_transceive failed: (0x10009)
gpg: apdu_send_simple(0) failed: card inactive
gpg: Beglaubigung fehlgeschlagen: Allgemeiner Fehler
gpg: foo: clearsign failed: Allgemeiner Fehler

Any hint?

Thanks,
Reinhard