From joke at seiken.de Thu Jul 1 10:21:29 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 1 Jul 2010 10:21:29 +0200 Subject: How to sign a remote repository, i.e. forward agent Message-ID: <201007011021.31538.joke@seiken.de> Here is some kind of suggestion which might be helpful in your case. If I need to do signing or encrypting on remote hosts I use ssh to execute the signing command on a other remote machine in this case my local machine. It doesn't work in any case but in some cases like git tag signing, email signing or signing of files. On the machine you want to do the signing/encrypting job create a wrapper shell-script called gpg. Put it somewhere first in path so the application which wants to call gpg calls the wrapper script instead. If you can specify which command to use point directly to the wrapper script. The wrapper script should execute the gpg command on your local machine using ssh like this. #!/bin/sh ssh username at address.to.your.local.host /path/to/gpg_executable $* The wrapper script will use ssh to run gpg "at home" where you keep your secret keys. This kind of wrapping script is very limited. The application which wants to sign/encrypt something needs to pass the input data via stdin to gpg. Ssh will transfer the data back home run the gpg command there and send it back. If your application wants to call gpg in a way like this it doesn't work: gpg --sign input.temp --output output.temp But you could obviously rewrite the wrapper script like this. #!/bin/sh cat $2 | ssh username at address.to.your.local.host /path/to/gpg_executable \ $* > $4 You need to do some testing how your application calls gpg. On Tuesday 29 June 2010 21:40:37 Carsten Aulbert wrote: > Hi all (please cc me on any reply), > > this question has come up here in the past but I've never found *any* reply > so far. > > My problem is relatively simple. We provide a (Debian) repository for our > colleagues as well as ourselves and would like to sign it (for the experts: > reprepro's export option). Of course one could either copy around the > secret keyring and start the agent remotely or type the passphrase many > times, but straight from the FAQ this is not a good idea(TM). > > Now the notorious question: Does anyone know how to forward the agent's > socket to the remote machine? I've briefly tried socat (remote unix socket > to tcp port, ssh tunnel of this port and then socat again to link the > forwarded port to the existing socket) but so far to no avail. > > Anyone with an idea how to accomplish this? > > Thanks a lot in advance > > Carsten -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From jrollins at finestructure.net Thu Jul 1 12:41:07 2010 From: jrollins at finestructure.net (Jameson Rollins) Date: Thu, 01 Jul 2010 06:41:07 -0400 Subject: How to sign a remote repository, i.e. forward agent In-Reply-To: <201006292140.39911.carsten.aulbert@aei.mpg.de> References: <201006292140.39911.carsten.aulbert@aei.mpg.de> Message-ID: <871vbnwkl8.fsf@servo.finestructure.net> On Tue, 29 Jun 2010 21:40:37 +0200, Carsten Aulbert wrote: > My problem is relatively simple. We provide a (Debian) repository for our > colleagues as well as ourselves and would like to sign it (for the experts: > reprepro's export option). Of course one could either copy around the secret > keyring and start the agent remotely or type the passphrase many times, but > straight from the FAQ this is not a good idea(TM). > > Now the notorious question: Does anyone know how to forward the agent's socket > to the remote machine? I've briefly tried socat (remote unix socket to tcp > port, ssh tunnel of this port and then socat again to link the forwarded port > to the existing socket) but so far to no avail. Hey, Carsten. It just occurred to me that maybe you could use sshfs to accomplish this. You could mount the needed reprepro directory locally with sshfs, and then sign the needed files locally without having to actually move the files around or forward the gnupg agent. I just tried signing something over an sshfs mount and it seemed to work fine. sshfs is fabulous. hth. jamie. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From l.mitchell at heywood.co.uk Thu Jul 1 09:30:56 2010 From: l.mitchell at heywood.co.uk (Leslie Mitchell) Date: Thu, 1 Jul 2010 00:30:56 -0700 (PDT) Subject: Help with batch mode delete of keys In-Reply-To: <8763104n87.fsf@wheatstone.g10code.de> References: <29032421.post@talk.nabble.com> <8763104n87.fsf@wheatstone.g10code.de> Message-ID: <29042742.post@talk.nabble.com> Thanks -- View this message in context: http://old.nabble.com/Help-with-batch-mode-delete-of-keys-tp29032421p29042742.html Sent from the GnuPG - User mailing list archive at Nabble.com. From rahul.raviz at gmail.com Fri Jul 2 08:04:51 2010 From: rahul.raviz at gmail.com (Rahul R) Date: Fri, 2 Jul 2010 11:34:51 +0530 Subject: Digitally Sign a key In-Reply-To: <4C2D6351.5040703@gmail.com> References: <4C2D6351.5040703@gmail.com> Message-ID: Thanks Paul for the detailed reply. Let me try this... i will get back to you in case of any doubts... On Fri, Jul 2, 2010 at 9:26 AM, Paul Richard Ramer wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Wed, 30 Jun 2010 15:12:06 +0530, Rahul R wrote: > > I have a request from one of my client that they need me to digitally > > sign their files in my server with my gpg key after encrypting it with > > their key. I am not familiar with this. ie encrypting a file with a key > > and digitally sign it with another key. > > > > The process that we are trying to perform is to encrypt the file with > > the customer?s public key and then sign the file with our private key. > > There is more than one way to do this. You can create (1) an encrypted > and signed file (that is, a file with the encrypted data and the > signature embedded within it) or (2) an encrypted file with the > signature contained within another file. > > Some visual examples: > > (1) Encrypted and (2) Encrypted file and signature file > signed file > +----------------+ +----------------+ +----------------+ > | Signature | | Encrypted data | | Signature | > |----------------| | | | | > | Encrypted data | +----------------+ +----------------+ > +----------------+ > > For (1) let us suppose that you have a file called My_Secrets and you > are encrypting to Fred. To create the encrypted and signed file you > would run the following command: > > gpg --recipients Fred --output My_Secrets.gpg --sign --encrypt My_Secrets > > This command will encrypt the file My_Secrets to Fred, sign it with your > default key (if you have only one key, then that is your default key), > and create an encrypted and signed file with the name My_Secrets.gpg. > If you prefer to write a shorter command, you can rewrite the above > command as follows: > > gpg -r Fred -o My_Secrets.gpg -se My_Secrets > > Now for (2). To create an encrypted file and a signature file, run the > following commands in sequence: > > gpg --recipients Fred --output My_Secrets.gpg --encrypt My_Secrets > gpg --detach-sign My_Secrets.gpg > > What the first command will do is encrypt the file My_Secrets to Fred > and output the result to a file called My_Secrets.gpg. The second > command will sign the file My_Secrets.gpg and output that to a file > called My_Secrets.gpg.sig (even though you didn't specify an output file). > > With all of these examples, you can specify Fred's key using his name, > e-mail address, or key ID. For example: > > gpg --recipient Fred ... > gpg --recipient fred at example.net ... > gpg --recipient 0xBADDEED5 ... > > If any of this is unclear, please post a reply telling us what you > didn't understand. > > Hope this helps you, > > - --Paul > > > - -- > PGP Key ID: 0x3DB6D884 > PGP Fingerprint: EBA7 88B3 6D98 2D4A E045 A9F7 C7C6 6ADF 3DB6 D884 > -----BEGIN PGP SIGNATURE----- > > iQGcBAEBCAAGBQJMLWHEAAoJEJhBiuhgbQLIP2ML/j//xhhyySDlaDW1coLtV1CN > KDvR0bhzI0v/03+0BBgTx7wEhk6LrNxOW9nUEbOaFJ6xvUQ9k0iaxLnBBbgOWU2x > AY7ic8NvWkkNiedj4SL8tE6XjCHXDKChDx2fCtiBdAyRU5sE4vDyWOcrjUqFeu/s > P6ThBVC2QcePx2QsYNgEc0Yu1+I4Q7gbtjiEVlvPWc4y/DrgoKfHDV/FkcRyhJGh > 5wWthtlrhbTukjzefKeSiR/gnguoOx8jGxPeK4fv+4sJDV171gUtaY+xv3l3v6GA > 7OS9C4QfPFjF1pWhZ37CyyvlVamsZJWCsjjohOt5CGvyNTjfGxJXUFNq3flosKOY > hH5wN+zQrV7PGNTLDVopw7rQhQf5uvX7nRfZzgX1CTabscIfxDMsXEqRbrzhwWn0 > dtjlxwXpFZNHopAYB8SNil2eWn4Iip2Wu6Zp+kr7NSmaLGWMCWj8k5tJfKUF89WO > cZD/qJW92C0pAHa4VyBbvIu0LfKjs66sh8ecpOt48w== > =PPDu > -----END PGP SIGNATURE----- > -- Thanks, Regards, Rahul R Mob: 09008030921 -------------- next part -------------- An HTML attachment was scrubbed... URL: From fweimer at bfk.de Fri Jul 2 13:21:06 2010 From: fweimer at bfk.de (Florian Weimer) Date: Fri, 02 Jul 2010 11:21:06 +0000 Subject: Using S/MIME encryption with self-signed certificates Message-ID: <82630yp1st.fsf@mid.bfk.de> Is it possible to use gpgsm to encrypt data for a self-signed X.509 certificate? Right now, the program bails out with "issuer certificate is not marked as a CA", and I would like to work around that, preferably without running a full CA. -- Florian Weimer BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstra?e 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 From dougb at dougbarton.us Sat Jul 3 05:33:14 2010 From: dougb at dougbarton.us (Doug Barton) Date: Fri, 02 Jul 2010 20:33:14 -0700 Subject: Using gpg2 without pinentry? In-Reply-To: References: Message-ID: <4C2EAF7A.8010503@dougbarton.us> On 06/28/10 15:35, Nicholas Cole wrote: > On Mon, Jun 28, 2010 at 8:35 PM, Doug Barton wrote: >> On Mon, 28 Jun 2010, Nicholas Cole wrote: >> >>> On Sun, Jun 27, 2010 at 8:55 PM, Dan Mahoney, System Admin >>> wrote: >>> >>>> Is there some reasonable way that gpg can detect that it has a >>>> controlling >>>> termainal (or even, a config file option) and just ask me for my >>>> passphrase >>>> on stdin? >>> >>> Can you start gpg-agent separately - ie. before the passphrase is >>> needed. If so, you should be fine, I think, if I have understood your >>> problem correctly. >> >> That's not the issue. To simplify the problem somewhat, I'm on a windows >> box. I ssh to my Unix system at home. My .bashrc sets up gpg-agent for me. >> Now I want to sign something. The usual answer here is "pinentry-curses to >> the rescue." But let's assume that pinentry-curses is not an option. Now how >> do I enter my passphrase? > > > Do none of the gpg-agent options such as: > > > --xauthority string > > --keep-tty > > --keep-display > > help in this kind of case? It's not clear to me how any of these options would help, but thank you for suggesting them. To describe the problem more precisely, I'm running a command line mail program (Alpine). That program has a feature that allows you to send the incoming or outgoing mail to what's called a filter which is really a separate program that does something to what it's passed and then returns the result to Alpine. The specific filters in question are shell scripts that I've written to integrate PGP with Alpine, and the specific scripts that sometimes need a passphrase are the signing and en/decryption scripts. The filter feature allows the invoked program to be interactive so with gnupg 1.x there is no problem getting the passphrase. When I'm running Alpine within the same X environment as gpg-agent, gpg2 dutifully spawns the qt pinentry dialog and once it gets its response gpg2 chugs merrily along and all is well. The problem occurs when using gpg2 in an environment where spawning a separate pinentry dialog doesn't work. In the situation I'm describing: User runs Alpine, which spawns the internal filter subprocess, which spawns my script, which spawns gpg2, which attempts to spawn pinentry What's needed for this case is a way to tell gpg2 "emulate gpg 1.x behavior and prompt for the password in line." I haven't looked at the internals in detail so I have no idea how difficult this would be. The way that I "solve" this problem right now is that I tell my users not to use gnupg 2.x in this situation. However I'm not sure that's going to scale. Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ From wk at gnupg.org Sun Jul 4 15:02:04 2010 From: wk at gnupg.org (Werner Koch) Date: Sun, 04 Jul 2010 15:02:04 +0200 Subject: Using S/MIME encryption with self-signed certificates In-Reply-To: <82630yp1st.fsf@mid.bfk.de> (Florian Weimer's message of "Fri, 02 Jul 2010 11:21:06 +0000") References: <82630yp1st.fsf@mid.bfk.de> Message-ID: <871vbjpfhv.fsf@vigenere.g10code.de> On Fri, 2 Jul 2010 13:21, fweimer at bfk.de said: > Is it possible to use gpgsm to encrypt data for a self-signed X.509 > certificate? Right now, the program bails out with "issuer > certificate is not marked as a CA", and I would like to work around > that, preferably without running a full CA. Add the keyword "relax" to ~/.gnupg/trustlist.txt and give the agent a HUP (or run "gpgconf --reload gpg-agent"). Example line: 1122334455667788990011223344556677889900 S relax Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From expires2010 at ymail.com Sun Jul 4 15:44:00 2010 From: expires2010 at ymail.com (MFPA) Date: Sun, 4 Jul 2010 14:44:00 +0100 Subject: "No-Keyserver" (and other) flags on keys In-Reply-To: <1613819.20100628191202@my_localhost> References: <8503D017-E02D-4FC8-B631-F127DE7F515A@jabberwocky.com> <9B07CB74-F83D-4852-8B93-5058CF2D6F99@jabberwocky.com> <3B0F685A-8D39-4B8C-AC4E-D4E81CA4E9E1@jabberwocky.com> <1613819.20100628191202@my_localhost> Message-ID: <106233585.20100704144400@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 28 June 2010 at 7:12:02 PM, in , I wrote: > On Monday 28 June 2010 at 4:41:16 PM, in > , > David Shaw wrote: >> auto-key-locate hkp://pgp.mit.edu >> hkp://subkeys.pgp.net hkp://some.other.server.etc >> ldap://even.a.ldap.server.works >> List as many as you like, they'll be tried in order. > Is this different to auto-key-retrieve? OK, I got it. Auto-key-retrieve controls fetching keys from a keyserver to verify a signature, and auto-key-locate controls fetching keys from a server to encrypt to an email address that doesn't match any keys on your keyring. Is there a reason you can only automatically query one keyserver for a key to verify a signature, but multiple keyservers for a key to encrypt to an email address? - -- Best regards MFPA mailto:expires2010 at ymail.com There is no job so simple that it cannot be done wrong -----BEGIN PGP SIGNATURE----- iQCVAwUBTDCQKKipC46tDG5pAQqaggP/VCMJpLRty5Kt3C5E5eFe2vo6IDiVZEN3 NJAL4r9vdtRjFF4pE2CbvGGrkEO7XuMST/88fc3SSOEJk397eVOAMEKbuGhl12/t npcVc/WAiXgQ0+rokyuPYcJHXEO7h72QJ7I1N8tIhuoZGcZWVFebj2kkAZEWIgSz aqTIlzcJfCA= =IRHU -----END PGP SIGNATURE----- From db111 at freemail.hu Sun Jul 4 18:21:11 2010 From: db111 at freemail.hu (Csabi) Date: Sun, 04 Jul 2010 18:21:11 +0200 Subject: Relative path in GPG.conf Message-ID: <4C30B4F7.4090303@freemail.hu> Hi all! Can somebody help me? I have Windows XP. I just installed the newest Thunderbird Portable 3.0.1 and GPG for Thunderbird Portable 1.4.10 and the EnigMail Extension to my USB drive. The Gpg.exe in the GPG for Thunderbird Portable 1.4.10 is always search my keyrings in the default location: c:\Documents and Settings\myusername\Application Data\GnuPG I would like to create a gpg.conf file with a relative path and put it near the Gpg.exe on to the portable drive. I want to copy my keyrings to a portable drive and want to set the relative path to find my keyrings. How can i do this? Thx. Sincerely, Csabi From John at Mozilla-Enigmail.org Sun Jul 4 20:04:43 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sun, 04 Jul 2010 13:04:43 -0500 Subject: Relative path in GPG.conf In-Reply-To: <4C30B4F7.4090303@freemail.hu> References: <4C30B4F7.4090303@freemail.hu> Message-ID: <4C30CD3B.5020606@Mozilla-Enigmail.org> Csabi wrote: > Can somebody help me? > I have Windows XP. > I just installed the newest Thunderbird Portable 3.0.1 and GPG for > Thunderbird Portable 1.4.10 and the EnigMail Extension to my USB drive. > The Gpg.exe in the GPG for Thunderbird Portable 1.4.10 is always search > my keyrings in the default location: c:\Documents and > Settings\myusername\Application Data\GnuPG > I would like to create a gpg.conf file with a relative path and put it > near the Gpg.exe on to the portable drive. > > I want to copy my keyrings to a portable drive and want to set the > relative path to find my keyrings. How can i do this? 1) If there is a .BAT file starting Portable Thunderbird, insert a line before Thunderbird starts: SET GNUPGHOME= 2) Alternately from Thunderbird's main menu, Select OpenPGP, then Preferences. Click 'Display Expert Settings'. You may need to click OK and re-open the Preferences panel. Click the Advanced tab at the top of the Preferences panel. In the text box, 'Additional parameters for GnuPG', enter --homedir Click OK to save. Copy/move your keyring files: pubring.gpg, secring.gpg, trustdb.gpg, to the same directory you used in either of the above. The next time Thunderbird starts, gpg called from Enigmail will find your keyring files and any gpg.conf you create. There is a third possibility which involves editing a registry value, but that really isn't very portable. :) Much more Enigmail-specific help is available at http://enigmail.mozdev.org or by sending email to enigmail.mozdev.org -John -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From kgo at grant-olson.net Sun Jul 4 23:10:50 2010 From: kgo at grant-olson.net (Grant Olson) Date: Sun, 04 Jul 2010 17:10:50 -0400 Subject: Relative path in GPG.conf In-Reply-To: <4C30B4F7.4090303@freemail.hu> References: <4C30B4F7.4090303@freemail.hu> Message-ID: <4C30F8DA.9070500@grant-olson.net> On 7/4/10 12:21 PM, Csabi wrote: > Hi all! > > Can somebody help me? > I have Windows XP. > I just installed the newest Thunderbird Portable 3.0.1 and GPG for > Thunderbird Portable 1.4.10 and the EnigMail Extension to my USB drive. > The Gpg.exe in the GPG for Thunderbird Portable 1.4.10 is always search > my keyrings in the default location: c:\Documents and > Settings\myusername\Application Data\GnuPG > I would like to create a gpg.conf file with a relative path and put it > near the Gpg.exe on to the portable drive. > This should work out-of-the-box without any manual configuration if you installed GPG for Thunderbird portable correctly. Check to see if you have a dirctory under the main Thunderbird Portable directory called app/gpg. You should also have a directory under the thunderbird portable directory called data/gpg. You can copy your existing keyrings there if you want to. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From relst at relst.nl Mon Jul 5 19:34:44 2010 From: relst at relst.nl (Remy van Elst) Date: Mon, 05 Jul 2010 19:34:44 +0200 Subject: fsfe smartcard help Message-ID: Good Evening, Today I've received my fsfe smartcard and I've set it up at my work under arch linux with the following guide: http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups. Now I am at home, using ubuntu 10.04 and I would like to be able to sign my mail using my fsfe card. (I use cone). I've tried to follow the guide again using the backups of my secring/pubring. While my key gets imported it does not ask for my smartcard pin, but for my secret key passphrase. (Smartcardreader in my Dell keyboard). The contents of the card can be read with gpg --card-edit. remy at janedoe:~$ gpg --help gpg (GnuPG) 1.4.10 remy at janedoe:~$ gpg --card-edit gpg: detected reader `Dell smart card reader keyboard 00 00' General key info..: pub 2048R/xxxxxxxx 2010-07-05 Remy van Elst (FSFe card) sec# 2048R/xxxxxxxx created: 2010-07-05 expires: never ssb> 2048R/xxxxxxxx created: 2010-07-05 expires: never card-no: 0005 00000 ssb> 2048R/xxxxxxxx created: 2010-07-05 expires: never card-no: 0005 00000 Is there a way that I can use the card on other PC's then the one I;ve set it up? Sincerely, Remy van Elst From mailinglisten at hauke-laging.de Mon Jul 5 22:03:07 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 5 Jul 2010 22:03:07 +0200 Subject: fsfe smartcard help In-Reply-To: References: Message-ID: <201007052203.07744.mailinglisten@hauke-laging.de> Am Montag 05 Juli 2010 19:34:44 schrieb Remy van Elst: > remy at janedoe:~$ gpg --card-edit > > gpg: detected reader `Dell smart card reader keyboard 00 00' > General key info..: > pub 2048R/xxxxxxxx 2010-07-05 Remy van Elst (FSFe card) > sec# 2048R/xxxxxxxx created: 2010-07-05 expires: never > ssb> 2048R/xxxxxxxx created: 2010-07-05 expires: never > card-no: 0005 00000 > ssb> 2048R/xxxxxxxx created: 2010-07-05 expires: never > card-no: 0005 00000 > > Is there a way that I can use the card on other PC's then the one I;ve set > it up? Yes. First you import the public(!) key then you issue the command "gpg -- card-edit". After that a "gpg --list-secret-keys" should show the above lines "ssb> ..." which indicate that the secret key is on a smartcard. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Mon Jul 5 22:49:18 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Mon, 5 Jul 2010 22:49:18 +0200 Subject: fsfe smartcard help In-Reply-To: References: <201007052203.07744.mailinglisten@hauke-laging.de> Message-ID: <201007052249.19130.mailinglisten@hauke-laging.de> Am Montag 05 Juli 2010 22:25:35 schrieb Remy van Elst: > Dear Hauke, > > Thanks for your fast reply. It worked really good. I;ve been searching the > whole evening for this, but I could find it in the manpage. I had the same problem a few weeks ago. I suggest to improve the man page. The explanation for card status could be changed from "Show the content of the smart card." to "Show the content of the smart card. If the public key is available but the secret key is not then the secret key is marked as available on the smart card (ssb> instread of ssb)." > Two more questions, when I've imported my key via this way, and I leave the > pc, no-one else will be able to use the keys without my smartcard and pin? > (or passphrase)? I am not sure about the PIN caching. If you take the smartcard out of the reader then your description is correct. But if you leave the smartcard in the reader it may be that the card can be used without entering the PIN again. AFAIK this can be prevented by a flag on the card for signatures but not for decryption and authentication. > If I understand it correctly (which I probably don't, so please correct > me), my private key (which is removed from my pc but safely on a dvd > somewhere else) is not being used on the card. It uses the subkeys I've > generated via the fsfe site's tutorial. I guess you mix up the categories "secret keys and private keys" with "main key and subkeys". Both the main key and all subkeys have both a secret and a public part. You probably have a main key which has the only capability to certify (sub)keys. > Those are on the card and cannot be accessed without my PIN. Yes. > If I import the keys the way you say, first > import my .asc file and then a --card-edit (does gpg --card-edit + fetch > also works if you've put the URL to your http asc in there?) tells gpg on > the pc that my keys are on the card. It does not needs my passphrase, but > my pin. When I leave the PC, even if someone gets my secret keys they > won't be able to do anything with them because they do not have my card. > (what if people find out my passphrase, but only have the subkeys?). Nobody can get the secret keys from the PC because they are not stored on the PC. The only information stored there is that the secret keys reside on a smartcard. And this information is not so valuable for an attacker. The passphrase is usable with the encrypted secret keys only. Thus somebody with knowledge of your passphrase would have to get access to your key backup, too. Somebody with access to the secret subkeys (however) can read your encrypted data, can login as you (in case you have an authentication key) and can sign data as you. Only the last action can be detected on a smartcard (by the signature counter). Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Tue Jul 6 10:49:51 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 06 Jul 2010 10:49:51 +0200 Subject: Using gpg2 without pinentry? In-Reply-To: <4C2EAF7A.8010503@dougbarton.us> (Doug Barton's message of "Fri, 02 Jul 2010 20:33:14 -0700") References: <4C2EAF7A.8010503@dougbarton.us> Message-ID: <87mxu5m1u8.fsf@vigenere.g10code.de> On Sat, 3 Jul 2010 05:33, dougb at dougbarton.us said: > What's needed for this case is a way to tell gpg2 "emulate gpg 1.x > behavior and prompt for the password in line." I haven't looked at the > internals in detail so I have no idea how difficult this would be. The That is not easy but doable; see below. Assuming that Alpine is a curses application you may use the curses pinentry (If DISPLAY is not set, the standard pinentries fall back to curses). This might overwrite the Alpine screen, thus after the filter has been run, you should restore the screen (ctrl-L). If this is not possible you may make use of the shell's suspend feature. Using screen(1) and pinning the pinentry to one screen is another option. You may write a pinentry which loops back to Alpine or your script. To support this GnuPG provides the envvar PINENTRY_USER_DATA which you may set to an arbitrary string and evaluate in your loopback-pinentry. Your pinentry would then use a fifo or another mechanism to ask the originating process to enter a passpharse and return that one back to your loopback-pinentry and in turn to gpg-agent. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From ensamgud at gmail.com Tue Jul 6 15:09:49 2010 From: ensamgud at gmail.com (Robert) Date: Tue, 6 Jul 2010 15:09:49 +0200 Subject: GPG clarification Message-ID: Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at work. We have been given some requirements to comply with, spawning some general questions. I tried searching in help files but haven't found answers to everything so I'm trying here. If this questions are asked somewhere in documentation, I would be glad to get a link there. When I choose to generate a key, gpg --gen-key, I am asked what kind of key I want. If I go with default (DSA and Elgamal) I get a message saying "DSA keypair will have 1024 bits". 1) What does this mean? Is it some kind of 'key-encrypting' to secure the actual keys? It is not involved in the actual encryption of data? After this, I get to choose the size of the ELG-E key. I go with default of 2048. 2) Is this the actual 'data-encrypting' keys that will now be elgamal and size of 2048 bits? If so, is it the same for both public and secret key? Now, when I use the command to list my public keys, gpg --list-public-keys, I see my key in the list. Top row lists: pub, 1024D/2D*****7. 3) This, as I guessed in question 1, is not the actual data-encrypting key but more like a key-encrypting key? The next row shows uid which should be user id, nothing strange there. Then I get a row called 'sub'. 4) what does 'sub' mean? Is this the actual data encrypting key? Now, if I choose to list my secret keys, gpg --list-secret-keys, I get the exact same output but 'sec' is replaced with 'pub'. This should verify the 'key-encrypting-key' -thingy. But the rest of the output confuses me: 5) Is my secret and public key the same?? They both have the same id, it's just 'sub' in one place and 'ssb' in the other. 6) What does 'ssb' mean? I can see that the different commands use different files, 'pubring.gpg' and 'secring.gpg', still they seem to list the same key? Is the secret and public key displayed as one in the key ring? If so, is it possible to separate these somehow to put the private key in a safe for example? My final question: 7) I assume the key rings themselves, holding the keys, are encrypted. How strong is this encryption in GPG? What algorithm is used, etc? One requirement is about compromising the machine with the keys, how easy it would be to export the keys. Since the keyring is physically located on the machine. Thanks in advance, Regards, Robert -------------- next part -------------- An HTML attachment was scrubbed... URL: From Dave.Smith at st.com Tue Jul 6 16:52:14 2010 From: Dave.Smith at st.com (David Smith) Date: Tue, 6 Jul 2010 15:52:14 +0100 Subject: GPG clarification In-Reply-To: References: Message-ID: <4C33431E.3090207@st.com> Robert wrote: > Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at > work. We have been given some requirements to comply with, spawning some > general questions. I tried searching in help files but haven't found > answers to everything so I'm trying here. If this questions are asked > somewhere in documentation, I would be glad to get a link there. > > When I choose to generate a key, gpg --gen-key, I am asked what kind of > key I want. If I go with default (DSA and Elgamal) I get a message > saying "DSA keypair will have 1024 bits". > > 1) What does this mean? Is it some kind of 'key-encrypting' to secure > the actual keys? It is not involved in the actual encryption of data? > > After this, I get to choose the size of the ELG-E key. I go with default > of 2048. (by default) GnuPG uses a hybrid encryption system. The actual data is encrypted using a symmetric algorithm (where the keys for encrypting and decrypting are the same) using a randomly-generated "session" key, and this session key is then encrypted using an asymmetric (or public-key) algorithm. In this case, you are being given the opportunity to use DSA or ElGamal algorithms for the public-key encryption algorithm. > 2) Is this the actual 'data-encrypting' keys that will now be elgamal > and size of 2048 bits? No. See above. The algorithms used for encrypting the data are typically AES or TDES, and the key length is normally much shorter - e.g. AES-256. The fact that the key is apparently shorter is not a security risk - symmetric algorithms are much stronger for the same keylength. > If so, is it the same for both public and secret key? Yes. Public and secret keys in the same keypair have the same length. In reality, they are each "halves" of the same key, as they are generated together. > Now, when I use the command to list my public keys, gpg > --list-public-keys, I see my key in the list. Top row lists: pub, > 1024D/2D*****7. > > 3) This, as I guessed in question 1, is not the actual data-encrypting > key but more like a key-encrypting key? Yes. BTW, you don't have to censor the key ID (2D*****7) - it can safely be made public without risk of giving away the key value itself. > The next row shows uid which should be user id, nothing strange there. > Then I get a row called 'sub'. > > 4) what does 'sub' mean? Is this the actual data encrypting key? Your "key" can actually contain multiple keys. Typically, a user will have one "master" signing key (which is used to prove their identity), and multiple encryption subkeys. The advantage of this is that each subkey can be set to expire (become unusable for encrypting data) after a certain period of time, at which point the user generates and publishes a new subkey. Because it is still a subkey of the master signing key, the user does not have to prove his/her identity to all of his/her correspondents, as it will be signed by the master key which remains valid and unexpired > Now, if I choose to list my secret keys, gpg --list-secret-keys, I get > the exact same output but 'sec' is replaced with 'pub'. This should > verify the 'key-encrypting-key' -thingy. But the rest of the output > confuses me: > > 5) Is my secret and public key the same?? They both have the same id, > it's just 'sub' in one place and 'ssb' in the other. As I said, the public and secret parts are just two "halves" of the same key. The public part is given away to everyone so that they can use it for encrypting data, you keep the secret part so that you can decrypt the data they've encrypted. > 6) What does 'ssb' mean? "Secret sub". Your "key" record in the keyring has a master key (denoted by "pub" for the public part and "sec" for the secret part), plus one or more sub-keys (denoted by "sub" for the public part and "ssb" for the secret part). > I can see that the different commands use different files, 'pubring.gpg' > and 'secring.gpg', still they seem to list the same key? Is the secret > and public key displayed as one in the key ring? If so, is it possible > to separate these somehow to put the private key in a safe for example? The public halves of keys (both yours and everyone else's) are kept in pubring.gpg; the secret halves are kept in "secring.gpg". So yes, you could remove secring.gpg if you wish. However, if you want this level of security, you might want to consider using a GPG smartcard. > My final question: > > 7) I assume the key rings themselves, holding the keys, are encrypted. > How strong is this encryption in GPG? What algorithm is used, etc? One > requirement is about compromising the machine with the keys, how easy it > would be to export the keys. Since the keyring is physically located on > the machine. Sorry, I don't know. That's a question for the GPG maintainers. From Dave.Smith at st.com Tue Jul 6 17:06:46 2010 From: Dave.Smith at st.com (David Smith) Date: Tue, 6 Jul 2010 16:06:46 +0100 Subject: GPG clarification In-Reply-To: References: Message-ID: <4C334686.7010700@st.com> Robert wrote: > 7) I assume the key rings themselves, holding the keys, are encrypted. > How strong is this encryption in GPG? What algorithm is used, etc? One > requirement is about compromising the machine with the keys, how easy it > would be to export the keys. Since the keyring is physically located on > the machine. Some thoughts: GnuPG is generally designed on the assumption that the "source" and "destination" machines are not compromised. Yes, the key is kept encrypted, although I don't know how secure the encryption is. There are, of course, other attacks that could be mounted depending on how badly the machine has been compromised - for example: o The attacker could install keystroke logging software or hardware. o They could install a compromised version of GnuPG which takes the passphrase you type in, uses it to decrypt the secret key, and then transmits the unencrypted key to the attacker. o They could compromise the OS to intercept system calls etc... If this is a serious concern, you may be better off with a GnuPG smartcard, as then the key is kept in the card and is not copied to the machine. The card decrypts the session key and sends it back to the computer which then uses that session key to decrypt the data. Therefore, the host never sees the actual secret key. From joke at seiken.de Tue Jul 6 17:47:49 2010 From: joke at seiken.de (Joke de Buhr) Date: Tue, 6 Jul 2010 17:47:49 +0200 Subject: GPG clarification In-Reply-To: References: Message-ID: <201007061747.51366.joke@seiken.de> The wikipedia has a very could article with lots of information on public-key cryptography. It covers a lot of your questions regarding public keys and private keys. http://en.wikipedia.org/wiki/Public-key_cryptography On Tuesday 06 July 2010 15:09:49 Robert wrote: > Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at work. > We have been given some requirements to comply with, spawning some general > questions. I tried searching in help files but haven't found answers to > everything so I'm trying here. If this questions are asked somewhere in > documentation, I would be glad to get a link there. > > When I choose to generate a key, gpg --gen-key, I am asked what kind of key > I want. If I go with default (DSA and Elgamal) I get a message saying "DSA > keypair will have 1024 bits". > > 1) What does this mean? Is it some kind of 'key-encrypting' to secure the > actual keys? It is not involved in the actual encryption of data? > > After this, I get to choose the size of the ELG-E key. I go with default of > 2048. > > 2) Is this the actual 'data-encrypting' keys that will now be elgamal and > size of 2048 bits? If so, is it the same for both public and secret key? > > Now, when I use the command to list my public keys, gpg --list-public-keys, > I see my key in the list. Top row lists: pub, 1024D/2D*****7. > > 3) This, as I guessed in question 1, is not the actual data-encrypting key > but more like a key-encrypting key? > > The next row shows uid which should be user id, nothing strange there. Then > I get a row called 'sub'. > > 4) what does 'sub' mean? Is this the actual data encrypting key? > > Now, if I choose to list my secret keys, gpg --list-secret-keys, I get the > exact same output but 'sec' is replaced with 'pub'. This should verify the > 'key-encrypting-key' -thingy. But the rest of the output confuses me: > > 5) Is my secret and public key the same?? They both have the same id, it's > just 'sub' in one place and 'ssb' in the other. > > 6) What does 'ssb' mean? > > I can see that the different commands use different files, 'pubring.gpg' > and 'secring.gpg', still they seem to list the same key? Is the secret and > public key displayed as one in the key ring? If so, is it possible to > separate these somehow to put the private key in a safe for example? > > My final question: > > 7) I assume the key rings themselves, holding the keys, are encrypted. How > strong is this encryption in GPG? What algorithm is used, etc? One > requirement is about compromising the machine with the keys, how easy it > would be to export the keys. Since the keyring is physically located on the > machine. > > Thanks in advance, > > Regards, > Robert -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From rjh at sixdemonbag.org Tue Jul 6 18:52:11 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 06 Jul 2010 12:52:11 -0400 Subject: GPG clarification In-Reply-To: References: Message-ID: <4C335F3B.3030400@sixdemonbag.org> On 7/6/10 9:09 AM, Robert wrote: > Hi, we're using GnuPG 1.4.5 to encrypt and store sensitive files at > work. Please consider upgrading to 1.4.10. There have been a lot of changes since 1.4.5, including better support for DSA2 and quite a few minor bugfixes. > If I go with default (DSA and Elgamal) I get a message saying "DSA > keypair will have 1024 bits". > > 1) What does this mean? Is it some kind of 'key-encrypting' to > secure the actual keys? It is not involved in the actual encryption > of data? I don't mean to sound acerbic, but the contents are exactly what's stamped on the tin. DSA is the Digital Signature Algorithm -- a U.S. federal standard for digital signatures. Per the federal standard in existence when 1.4.5 was written, DSA keys were allowed to have either 512 or 1024 bits. GnuPG is simply letting you know the DSA keypair you're creating will have 1024 bits. > 2) Is this the actual 'data-encrypting' keys that will now be > elgamal and size of 2048 bits? If so, is it the same for both public > and secret key? More or less. Getting into more detail will require mathematics and talk about inverse functions and whatnot. "More or less" is accurate enough for most purposes. > 3) This, as I guessed in question 1, is not the actual > data-encrypting key but more like a key-encrypting key? No. It's the ID of the key used for signing data. > 4) what does 'sub' mean? Is this the actual data encrypting key? It means "there is another set of cryptographic keys associated with this signing key." Without seeing the particular subkey I can't promise that it's a set of encryption and decryption keys. However, given what you've said so far, I think it's likely. > 5) Is my secret and public key the same?? They both have the same > id, it's just 'sub' in one place and 'ssb' in the other. They are intimately related, but not identical. > 6) What does 'ssb' mean? ssb is to sub as sec is to pub. ssb = Secret Subkey. > Is the secret and public key displayed as one in the key ring? No. > If so, is it possible to separate these somehow to put the private > key in a safe for example? Yes. If you wish to do this, I'd suggest looking into a tool called Paperkey. > 7) I assume the key rings themselves, holding the keys, are > encrypted. How strong is this encryption in GPG? All algorithms used by GnuPG are considered safe against all known forms of cryptanalysis. And by "safe," I mean "really, anyone with half a brain will find another way to get the information out of you, it'll be so much easier that way." From dshaw at JABBERWOCKY.COM Tue Jul 6 19:04:14 2010 From: dshaw at JABBERWOCKY.COM (David Shaw) Date: Tue, 6 Jul 2010 13:04:14 -0400 Subject: GPG clarification In-Reply-To: <4C334686.7010700@st.com> References: <4C334686.7010700@st.com> Message-ID: <72EA5988-8265-4A95-9A31-2297440D2329@JABBERWOCKY.COM> On Jul 6, 2010, at 11:06 AM, David Smith wrote: > Robert wrote: >> 7) I assume the key rings themselves, holding the keys, are encrypted. >> How strong is this encryption in GPG? What algorithm is used, etc? One >> requirement is about compromising the machine with the keys, how easy it >> would be to export the keys. Since the keyring is physically located on >> the machine. > > Some thoughts: > > GnuPG is generally designed on the assumption that the "source" and > "destination" machines are not compromised. Yes, the key is kept > encrypted, although I don't know how secure the encryption is. The encryption used for encrypting secret keys is the same symmetric encryption used for encrypting data. By default this uses CAST5, but you can change it to whatever you like with --s2k-cipher-algo (and then changing your passphrase). David From karadenizi at earthlink.net Thu Jul 8 23:50:15 2010 From: karadenizi at earthlink.net (Kara) Date: Thu, 08 Jul 2010 17:50:15 -0400 Subject: Absence of John W Moore III Message-ID: <4C364817.1040202@earthlink.net> ==== G'day Friends of John Regretfully and unexpectedly John's mother quietly died early Tue morning (6 Jul). John has asked me to inform you that as an understandable result of the above, he anticipates he will be both out-of-contact and off-line for perhaps the next two months or so. a. The 8 Jul surgery on John's foot has been canceled and will probably be rescheduled for sometime in Aug. b. As you could anticipate, John plans to be actively back as soon as possible under the above circumstances. However he wants you to be aware of why that will not be possible within the immediate future. Ciao Kara Timestamp: Thu, 08 Jul 2010, 1750 Local (UTC -0400) ==== From remco at webconquest.com Mon Jul 12 08:30:25 2010 From: remco at webconquest.com (Remco Rijnders) Date: Mon, 12 Jul 2010 08:30:25 +0200 Subject: Decrypting file encrypted for multiple recipients using a given ID? Message-ID: <4C3AB681.8090703@webconquest.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear all, I have a file encrypted to two different User ID's, both for which I have the public keys as well as the secret key. When I try to decrypt the file, it always prompts me for the passphrase of user A, while I'd like to decrypt it using the passphraseless key of user B. I've tried various combinations of -u with and without exclamation mark, but without success. How can I specify that the key of user B should be used? Thanks in advance, Remco -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkw6toEACgkQP0wYCuTizascOACg1BOJw9gYi2Zy+CljpWMxBQL+ A6oAoMiQMSY9QiDbIurJlWzRSIZUeeG+ =+SkD -----END PGP SIGNATURE----- From roam at ringlet.net Mon Jul 12 09:58:39 2010 From: roam at ringlet.net (Peter Pentchev) Date: Mon, 12 Jul 2010 10:58:39 +0300 Subject: Decrypting file encrypted for multiple recipients using a given ID? In-Reply-To: <4C3AB681.8090703@webconquest.com> References: <4C3AB681.8090703@webconquest.com> Message-ID: <20100712075839.GB2625@straylight.ringlet.net> On Mon, Jul 12, 2010 at 08:30:25AM +0200, Remco Rijnders wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Dear all, > > I have a file encrypted to two different User ID's, both for which I > have the public keys as well as the secret key. When I try to decrypt > the file, it always prompts me for the passphrase of user A, while I'd > like to decrypt it using the passphraseless key of user B. > > I've tried various combinations of -u with and without exclamation mark, > but without success. How can I specify that the key of user B should be > used? A possible workaround would be to create a separate secret keyring that only contains user B's secret key. I agree, it's not perfect, and it would entail explicitly specifying "--no-default-keyring --secret-keyring ..." and maybe also "--keyring ...". Alternatively, you could create a different ~/.gnupg/ directory and symlink all files *but* the secret keyring to your "real" ~/.gnupg/, then create a minimalistic secret keyring there containing only user B's key. This would mean setting GNUPG_HOME each time you want to use this keyring, so it's still not perfect. It's quite possible that there are simpler ways, I just can't think of them right now :) G'luck, Peter -- Peter Pentchev roam at space.bg roam at ringlet.net roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Do you think anybody has ever had *precisely this thought* before? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From joke at seiken.de Mon Jul 12 10:37:56 2010 From: joke at seiken.de (Joke de Buhr) Date: Mon, 12 Jul 2010 10:37:56 +0200 Subject: Decrypting file encrypted for multiple recipients using a given ID? In-Reply-To: <4C3AB681.8090703@webconquest.com> References: <4C3AB681.8090703@webconquest.com> Message-ID: <201007121038.08390.joke@seiken.de> On Monday 12 July 2010 08:30:25 Remco Rijnders wrote: > Dear all, > > I have a file encrypted to two different User ID's, both for which I > have the public keys as well as the secret key. When I try to decrypt > the file, it always prompts me for the passphrase of user A, while I'd > like to decrypt it using the passphraseless key of user B. > > I've tried various combinations of -u with and without exclamation mark, > but without success. How can I specify that the key of user B should be > used? > > Thanks in advance, > > Remco > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users Gnupg tries to decrypt with possible keys the order they appear in the keyring. You could rebuild your keyring and reorder the keys. But as an alternative just hit the ESC button or press cancel until the password dialog shows the right key id. Enter that password. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From vedaal at nym.hush.com Mon Jul 12 17:25:24 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Mon, 12 Jul 2010 11:25:24 -0400 Subject: Decrypting file encrypted for multiple recipients using a given ID? Message-ID: <20100712152524.6481CB8079@smtp.hushmail.com> Joke de Buhr joke at seiken.de wrote on Mon Jul 12 10:37:56 CEST 2010 : >> How can I specify that the key of user B should be >> used? >But as an alternative just hit the ESC button or press cancel until >the password dialog shows the right key id. Enter that password. As another alternative, you can use the options of: --try-all-secrets --passphrase string i.e., gpg --try-all-secrets --passphrase (the passphrase for your desired key) filename GnuPG will not prompt you for anything alse, and will try the passphrase you wrote for all the keys in your secret ring until it reaches the key whose passphrase it is, and then GnuPG will decrypt it. vedaal From dshaw at jabberwocky.com Mon Jul 12 17:37:58 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 12 Jul 2010 11:37:58 -0400 Subject: Decrypting file encrypted for multiple recipients using a given ID? In-Reply-To: <4C3AB681.8090703@webconquest.com> References: <4C3AB681.8090703@webconquest.com> Message-ID: <06EC9711-5A1A-4F3A-B544-255E8644BF3F@jabberwocky.com> On Jul 12, 2010, at 2:30 AM, Remco Rijnders wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Dear all, > > I have a file encrypted to two different User ID's, both for which I > have the public keys as well as the secret key. When I try to decrypt > the file, it always prompts me for the passphrase of user A, while I'd > like to decrypt it using the passphraseless key of user B. > > I've tried various combinations of -u with and without exclamation mark, > but without success. How can I specify that the key of user B should be > used? There isn't a direct way to do this. GnuPG tries to decrypt the various encrypted session keys in order, so you'll get prompted for them in order. If you want to always have B before A, try switching the "-r" arguments when you encrypt. That will switch the order of the encrypted session keys. David From zartbitter at blacksec.org Tue Jul 13 09:25:49 2010 From: zartbitter at blacksec.org (Edmond) Date: Tue, 13 Jul 2010 09:25:49 +0200 Subject: Problem with Smart Card/scdaemon Message-ID: <4C3C14FD.7020709@blacksec.org> Hello, I just received my first OpenPGP smart card (http://www.g10code.de/p-card.html) and I'm trying to use it with GPG. My environment: Arch Linux, GnuPG 2.0.15; the reader is a Reiner SCT cyberJack pinpad. pcscd is running. See what happens when I try to access the card: ------------------------------ $ gpg2 --card-edit scdaemon[6493]: reading public key failed: Missing item in object scdaemon[6493]: reading public key failed: Missing item in object scdaemon[6493]: reading public key failed: Missing item in object Application ID ...: D27600012401020000050000063F0000 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 0000063F Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] gpg/card> scdaemon[6493]: updating slot 0 status: 0x0000->0x0007 (0->1) scdaemon[6493]: sending signal 12 to client 6493 gpg: OpenPGP card not available: Broken pipe gpg/card> ------------------------------ That is, after the initial listing of the card's content, I cannot access it anymore due to the "Broken pipe". Using GnuPG 1.4.10, I don't have this problem (no surprise, since it doesn't use scdaemon, after all). Any ideas what's going on and how to fix it? Many thanks, Edmond From pub at lajeunesse.fr Tue Jul 13 23:08:48 2010 From: pub at lajeunesse.fr (LJE) Date: Tue, 13 Jul 2010 14:08:48 -0700 (PDT) Subject: GPGMAL english Message-ID: <29155690.post@talk.nabble.com> Hello all, I'm a mac user, and I think that Ubuntu would approach much. I have a concern to expose yourself ... I hope to be in the right place ... I have a Macbook Pro and an iMac, with identical configurations (snow leopard) ... I installed GnuPG and GPGMail and I have a bunch identical on both machines. When I sign / encrypt a message in the IMAC, my recipient receives an email like this: ----- BEGIN PGP MESSAGE ----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) hQIOA8klb9Sg6058EAf9GgEl/SJl0VXeP9vMIkUnrBH7fR554A7AT5r0U4I6FyXJ KogysQIbt2xZt2okqOlxxmZlzSXY7TqTLEoR6Tn8PnJDWGHPjmzKI91ZOY166xkk sYORV2D4R0x + rQnDhRAUI5kTD01NF When I do the same thing with the Macbook, my recipient receives an email with two attachments: mail and file attachment pgp.asc Do you know how to make my recipients can receive as IMAC sending ... Thank you all for your help .... Excuse me, i'm french -- View this message in context: http://old.nabble.com/GPGMAL-english-tp29155690p29155690.html Sent from the GnuPG - User mailing list archive at Nabble.com. From wk at g10code.com Tue Jul 13 18:06:27 2010 From: wk at g10code.com (Werner Koch) Date: Tue, 13 Jul 2010 18:06:27 +0200 Subject: [Announce] Libgcrypt 1.4.6 released Message-ID: <87iq4je58c.fsf@vigenere.g10code.de> Hello! The GNU project is pleased to announce the availability of Libgcrypt version 1.4.6. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.4.6: * New variants of the TIGER algorithm. * New cipher algorithm mode for AES-WRAP. Source code is hosted at the GnuPG FTP server and its mirrors as listed at . On the primary server the source file and its digital signature is: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.bz2 (1125k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.bz2.sig This file is bzip2 compressed. A gzip compressed version is also available: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.gz (1391k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.gz.sig Alternativley you may upgrade version 1.4.5 using this patch file: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.5-1.4.6.diff.bz2 (16k) The SHA-1 checksums are: 445b9e158aaf91e24eae3d1040c6213e9d9f5ba6 libgcrypt-1.4.6.tar.bz2 dbe3fee0a9eea8128a1e47c973e0f432a62bfaa2 libgcrypt-1.4.6.tar.gz 9361c5ee7861548a4822e58baba95c81ec878384 libgcrypt-1.4.5-1.4.6.diff.bz2 For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. Note that this version is from the stable branch; the current development version is available at . Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improve the software [2], order extensions or support or more general by donating money to the Free Software movement (e.g. ). Commercial support contracts for Libgcrypt are available [3], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company, is currently funding Libgcrypt development. We are always looking for interesting development projects. Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Happy hacking, Werner [1] See . [2] Note that copyright assignments to the FSF are required. [3] See the service directory at . -- g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459 H?ttenstr. 61 Gesch?ftsf?hrung Werner Koch D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From shavital at mac.com Wed Jul 14 11:58:42 2010 From: shavital at mac.com (Charly Avital) Date: Wed, 14 Jul 2010 05:58:42 -0400 Subject: GPGMAL english In-Reply-To: <29155690.post@talk.nabble.com> References: <29155690.post@talk.nabble.com> Message-ID: <4C3D8A52.30003@mac.com> LJE wrote the following on 7/13/10 5:08 PM: > When I do the same thing with the Macbook, my recipient receives an email > with two attachments: > mail and file attachment pgp.asc It seems that your e-mail application in the MacBook is configured to use PGP/MIME (French: il semblerait que votre g?n?rique de courrier ?lectronique dans votre MacBook est regl? ? utiliser PGP/MIME. > Do you know how to make my recipients can receive as IMAC sending ... If you are using Apple's Mail application with GPGMail, please go to Mail/Preferences/PGP/Composing and disable 'By default, use OpenPGP/MIME' (French: si vous utilisez le g?n?rique Mail de Apple, avec GPGMail, ouvrez Mail/Pr?f?rences/PGP/Composition et d?marquez le petit bouton carr? 'Par d?faut, utiliser OpenPGP/MIME' > Thank you all for your help .... > > Excuse me, i'm french Nothing to be excused about :-) Charly MacOS 10.6.4-MacBook Intel C2Duo 2GHz-GnuPG 1.4.10-MacGPG 2.0.14 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) Gecko/20100608 Thunderbird/3.1 + Running Enigmail version 1.1.2 (20100629-1412) From mailinglisten at hauke-laging.de Wed Jul 14 17:31:16 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 14 Jul 2010 17:31:16 +0200 Subject: Certification of subkeys possible? Message-ID: <201007141731.21321.mailinglisten@hauke-laging.de> Hello, is it possible today (if not: how big would the chanhes to gpg or the OpenPGP standard have to be) to sign not only the main key and UIDs but also subkeys? I just had a discussion about the advantages of OpenPGP and S/MIME. This seems to be one of the few properties of X.509 which cannot be "emulated" with gpg. AFAIK you cannot prevent someone who generates a key on a smartcard which is to be certified by you to only use the smartcard if it is for gpg. He could create a subkey on a PC (and keep it there), certify it by the main key on the smartcard and a third party would put too much trust in your "this key certifies smartcard keys only" signature. If it was possible to certify subkeys, too, then you would sign all keys on the smartcard and a third party could recognize a later generated subkey by the missing signature. And you could limit the capabilities by e.g. signing subkeys for authentication only. This would combine the flexibility of OpenPGP with the possibility to create a higher level of security and trust for certain applications. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From pub at lajeunesse.fr Wed Jul 14 16:18:22 2010 From: pub at lajeunesse.fr (LJE) Date: Wed, 14 Jul 2010 07:18:22 -0700 (PDT) Subject: GPGMAL english In-Reply-To: <4C3D8A52.30003@mac.com> References: <29155690.post@talk.nabble.com> <4C3D8A52.30003@mac.com> Message-ID: <29162518.post@talk.nabble.com> Thank you very much, but I have d?marqu? the option but it changes nothing! Charly Avital wrote: > > LJE wrote the following on 7/13/10 5:08 PM: >> When I do the same thing with the Macbook, my recipient receives an email >> with two attachments: >> mail and file attachment pgp.asc > > It seems that your e-mail application in the MacBook is configured to > use PGP/MIME > > (French: il semblerait que votre g?n?rique de courrier ?lectronique dans > votre MacBook est regl? ? utiliser PGP/MIME. > > >> Do you know how to make my recipients can receive as IMAC sending ... > > > If you are using Apple's Mail application with GPGMail, please go to > Mail/Preferences/PGP/Composing and disable 'By default, use OpenPGP/MIME' > (French: si vous utilisez le g?n?rique Mail de Apple, avec GPGMail, > ouvrez Mail/Pr?f?rences/PGP/Composition et d?marquez le petit bouton > carr? 'Par d?faut, utiliser OpenPGP/MIME' > >> Thank you all for your help .... >> >> Excuse me, i'm french > > Nothing to be excused about :-) > > Charly > MacOS 10.6.4-MacBook Intel C2Duo 2GHz-GnuPG 1.4.10-MacGPG 2.0.14 > Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) > Gecko/20100608 Thunderbird/3.1 + Running Enigmail version 1.1.2 > (20100629-1412) > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://old.nabble.com/GPGMAL-english-tp29155690p29162518.html Sent from the GnuPG - User mailing list archive at Nabble.com. From zartbitter at blacksec.org Thu Jul 15 20:07:53 2010 From: zartbitter at blacksec.org (Edmond) Date: Thu, 15 Jul 2010 20:07:53 +0200 Subject: Problem with Smart Card/scdaemon In-Reply-To: <4C3C14FD.7020709@blacksec.org> References: <4C3C14FD.7020709@blacksec.org> Message-ID: <4C3F4E79.80805@blacksec.org> Hello, that problem was fixed after a reboot. I have no idea what might have caused it ... Anyway, it's gone now. :) Edmond From zartbitter at blacksec.org Thu Jul 15 21:06:15 2010 From: zartbitter at blacksec.org (Edmond) Date: Thu, 15 Jul 2010 21:06:15 +0200 Subject: PIN input via cyberJack pinpad Message-ID: <4C3F5C27.5000503@blacksec.org> Hi, I would really like to use my card reader's PIN pad to enter the PIN for my keys stored on an OpenPGP smart card. I have a cyberJack pinpad(a). Currently, when I'm required to enter my PIN, pinentry pops up and the reader's pad is ignored. Unfortunately, in a >4 years old message, somebody stated regarding those cyberJack readers and PCSC: > so either they implement it, but don't publish that part of the > source, or they implement it, but don't use the well known constants, > or they don't. no idea. (source: http://www.opensc-project.org/pipermail/opensc-user/2006-March/000837.html) I'm not sure whether things have changed since then, or if I'm just doing something wrong. I am using pcsc-lite and GPG 2. If there is really no way to use my reader's PIN pad, could you please recommend me some well-supported reader to replace my current one? Thanks, Edmond. From jh at jameshoward.us Fri Jul 16 15:20:15 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Fri, 16 Jul 2010 09:20:15 -0400 Subject: Problem with smartcards and scdaemon Message-ID: <4C405C8F.9030607@jameshoward.us> I have not seen this reported yet, so here goes. I have a German Privacy Foundation CryptoStick. When I plug it in and run "gpg --card-status" all is well. When I unplug it and plug it back in, all is not so well. It will not work until I unplug again, kill scdaemon, and then plug it back in. I am using a Mac with 10.6.x and have done this with MacGPG 2.0.12 and 2.0.14. James -- James P. Howard, II, MPA MBCS CGFM -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From hawke at hawkesnest.net Fri Jul 16 18:50:22 2010 From: hawke at hawkesnest.net (Alex Mauer) Date: Fri, 16 Jul 2010 11:50:22 -0500 Subject: Problem with smartcards and scdaemon In-Reply-To: <4C405C8F.9030607__13992.082354571$1279289696$gmane$org@jameshoward.us> References: <4C405C8F.9030607__13992.082354571$1279289696$gmane$org@jameshoward.us> Message-ID: On 07/16/2010 08:20 AM, James P. Howard, II wrote: > I have not seen this reported yet, so here goes. I have a German > Privacy Foundation CryptoStick. When I plug it in and run "gpg > --card-status" all is well. When I unplug it and plug it back in, all > is not so well. It will not work until I unplug again, kill scdaemon, > and then plug it back in. Do you definitely have to replug it, or is killing scdaemon sufficient? I?ve seen the same thing on Linux when suspending my laptop (with a traditional card reader); upon resuming, the smartcard isn?t available until I kill scdaemon. ?Alex Mauer ?hawke? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 554 bytes Desc: OpenPGP digital signature URL: From jh at jameshoward.us Fri Jul 16 19:10:40 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Fri, 16 Jul 2010 13:10:40 -0400 Subject: Problem with smartcards and scdaemon In-Reply-To: References: <4C405C8F.9030607__13992.082354571$1279289696$gmane$org@jameshoward.us> Message-ID: <4C409290.603@jameshoward.us> On 7/16/10 12:50 PM, Alex Mauer wrote: > Do you definitely have to replug it, or is killing scdaemon sufficient? Both are necessary. -- James P. Howard, II, MPA MBCS CGFM From richard at r-selected.de Fri Jul 16 20:18:22 2010 From: richard at r-selected.de (Richard) Date: Fri, 16 Jul 2010 20:18:22 +0200 Subject: poldi & unattended authentication Message-ID: <4C40A26E.7040606@r-selected.de> Hello everyone! I would like to authenticate using poldi without the need to enter my PIN. In an old blog posting, they use "auth sufficient pam_poldi.so try-pin=123456 quiet" in PAM config files the achieve this behavior (http://www.schiessle.org/howto/poldi.php). However, this specific feature seems not to be available with the latest poldi release (0.4.1) anymore. Is there another way to authenticate using an OpenPGP smart card, but without the need of having to enter a PIN? Since the OpenPGP smart card itself cannot be used without setting an (at least) 6 characters long PIN, I don't know what to do with the "try-pin" option removed. Richard. From wk at gnupg.org Mon Jul 19 10:39:20 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 19 Jul 2010 10:39:20 +0200 Subject: [Announce] GnuPG 2.0.16 released Message-ID: <87zkxnamrr.fsf@vigenere.g10code.de> Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.16. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.10) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems. What's New =========== * If the agent's --use-standard-socket option is active, all tools try to start and daemonize the agent on the fly. In the past this was only supported on W32; on non-W32 systems the new configure option --use-standard-socket may now be used to use this feature by default. * The gpg-agent commands KILLAGENT and RELOADAGENT are now available on all platforms. * Minor bug fixes. Getting the Software ==================== Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.16 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: gnupg-2.0.16.tar.bz2 (3910k) gnupg-2.0.16.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.15-2.0.16.diff.bz2 (51k) A patch file to upgrade a 2.0.15 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs for GnuPG-2. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.16.tar.bz2 you would use this command: gpg --verify gnupg-2.0.16.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.16.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.16.tar.bz2 and check that the output matches the first line from the following list: e7eb4f60026884bd90803b531472bc518804b95d gnupg-2.0.16.tar.bz2 be77c0ba597b9ad9e38941e85ba1750890067227 gnupg-2.0.15-2.0.16.diff.bz2 Internationalization ==================== GnuPG comes with support for 27 languages. Due to a lot of new and changed strings many translations are not entirely complete. Jedi, Maxim Britov, Jaime Su?rez and Nilg?n Belma Bug?ner have been kind enough to go over their translations and thus the Chinese, German, Russian, Spanish, and Turkish translations are pretty much complete. Documentation ============= We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. KDE's KMail is the most prominent user of GnuPG-2. In fact it has been developed along with the KMail folks. Mutt users might want to use the configure option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP support. The manual is also available online in HTML format at http://www.gnupg.org/documentation/manuals/gnupg/ and in Portable Document Format at http://www.gnupg.org/documentation/manuals/gnupg.pdf . Support ======= Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, order extensions or support or more general by donating money to the Free Software movement (e.g. http://www.fsfeurope.org/help/donate.en.html). Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. The GnuPG service directory is available at: http://www.gnupg.org/service.html Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From prasanth_thandra at yahoo.co.in Tue Jul 20 09:20:53 2010 From: prasanth_thandra at yahoo.co.in (Prasanth Thandra) Date: Tue, 20 Jul 2010 12:50:53 +0530 (IST) Subject: setuping local/standalone keyserver Message-ID: <413741.80841.qm@web94803.mail.in2.yahoo.com> Hi, i configured gnupg 2.0.15 on RHEL4 which is a mialserver. i am able to generate keypairs. now i want to setup a keyserver either on localhost or as a standalone. please let me know how to do the same. regards,prasanth -------------- next part -------------- An HTML attachment was scrubbed... URL: From roam at ringlet.net Tue Jul 20 10:55:58 2010 From: roam at ringlet.net (Peter Pentchev) Date: Tue, 20 Jul 2010 11:55:58 +0300 Subject: setuping local/standalone keyserver In-Reply-To: <413741.80841.qm@web94803.mail.in2.yahoo.com> References: <413741.80841.qm@web94803.mail.in2.yahoo.com> Message-ID: <20100720085558.GA2652@straylight.ringlet.net> On Tue, Jul 20, 2010 at 12:50:53PM +0530, Prasanth Thandra wrote: > Hi, > i configured gnupg 2.0.15 on RHEL4 which is a mialserver. > i am able to generate keypairs. > now i want to setup a keyserver either on localhost or as a standalone. > please let me know how to do the same. Start from http://code.google.com/p/sks-keyserver/ I don't know if anybody has made an RPM of that; probably somebody has, but I'm not familiar enough with the various RPM distribution channels to check :) G'luck, Peter -- Peter Pentchev roam at space.bg roam at ringlet.net roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 What would this sentence be like if pi were 3? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From john_espiro at yahoo.com Tue Jul 20 19:25:05 2010 From: john_espiro at yahoo.com (John Espiro) Date: Tue, 20 Jul 2010 19:25:05 +0200 Subject: Locating GnuPG 2.0.16 RH4 binaries... Message-ID: <4C45DBF1.3070409@yahoo.com> Greetings... My google skills must not be working lately... Can anyone help point me to the 2.0.16 binary for GnuPG / RHEL4? Thanks, John From jeandavid8 at verizon.net Tue Jul 20 20:53:05 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Tue, 20 Jul 2010 14:53:05 -0400 Subject: Locating GnuPG 2.0.16 RH4 binaries... In-Reply-To: <4C45DBF1.3070409@yahoo.com> References: <4C45DBF1.3070409@yahoo.com> Message-ID: <4C45F091.7090305@verizon.net> John Espiro wrote: > Greetings... > My google skills must not be working lately... Can anyone help point me > to the 2.0.16 binary for GnuPG / RHEL4? > > Thanks, > John > Is there one? I run RHEL 5.4 that is up-to-date as of this morning, and that binary rpm is gnupg-1.4.5-14.el5_5.1. If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 14:45:01 up 12 days, 23:31, 3 users, load average: 4.47, 4.64, 4.69 From vedaal at nym.hush.com Tue Jul 20 22:14:16 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 20 Jul 2010 16:14:16 -0400 Subject: verifying hashes with GnuPG Message-ID: <20100720201416.A1D842003D@smtp.hushmail.com> Is there a gnupg command to verifiy a hash, not a signature, (e.g. MD5, SHA1, SHA256), by entering the hash string and the file or text it corresponds to? TIA vedaal From dshaw at jabberwocky.com Tue Jul 20 22:56:09 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 20 Jul 2010 16:56:09 -0400 Subject: verifying hashes with GnuPG In-Reply-To: <20100720201416.A1D842003D@smtp.hushmail.com> References: <20100720201416.A1D842003D@smtp.hushmail.com> Message-ID: <858F5CFE-79C7-4284-A15F-8D60BDC57ADD@jabberwocky.com> On Jul 20, 2010, at 4:14 PM, vedaal at nym.hush.com wrote: > Is there a gnupg command to verifiy a hash, not a signature, (e.g. > MD5, SHA1, SHA256), by entering the hash string and the file or > text it corresponds to? No. You can do this with sha1sum (sha256sum, etc), with the --check option. David From lists at michel-messerschmidt.de Tue Jul 20 22:24:00 2010 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Tue, 20 Jul 2010 22:24:00 +0200 Subject: verifying hashes with GnuPG In-Reply-To: <20100720201416.A1D842003D@smtp.hushmail.com> References: <20100720201416.A1D842003D@smtp.hushmail.com> Message-ID: <20100720202400.GB4236@hiro.matrix> On Tue, Jul 20, 2010 at 04:14:16PM -0400, vedaal at nym.hush.com wrote: > Is there a gnupg command to verifiy a hash, not a signature, (e.g. > MD5, SHA1, SHA256), by entering the hash string and the file or > text it corresponds to? Why would you want to use gnupg for this if md5sum, sha1sum, sha256sum, etc. are available for most systems? From jcruff at gmail.com Tue Jul 20 23:47:14 2010 From: jcruff at gmail.com (Chris Ruff) Date: Tue, 20 Jul 2010 17:47:14 -0400 Subject: SHA2 digest, V2 smartcard and gpg-agent problem In-Reply-To: <201005020052.16107.stanislav@sidorenko.biz> References: <201005020052.16107.stanislav@sidorenko.biz> Message-ID: <4C461962.50209@gmail.com> On 05/01/2010 04:52 PM, Stanislav Sidorenko wrote: > Hi! > > I've tried to use SHA256 digest for signing using openpgp V2 smartcard and got > the following error: > > gpg: checking created signature failed: bad signature > gpg: signing failed: bad signature > gpg: signing failed: bad signature > > It happens only if gpg uses gpg-agent which is configured to use scdaemon for > accesing smartcards. > > If I disable gpg-agent usage (--no-use-agent switch) and enter card PIN code > in the console then signing with SHA256 work perfectly. In case of enabled > gpg-agent only SHA1 and RIPEMD160 can be used. It looks like an issue in gpg- > agent or scdaemon. > > The issue was found on gpg 1.4.10 and gpg-agent 2.0.14. > > Thanks, > > Stanislav > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users Interesting, indeed. I unfortunately had to change my prefs when I got my openpgp v2 card since I was using gpg2 and the agent is required. So is this currently just an issue with gpg-agent? If I'm reading section 7.2.8.1 [Hash Algorithms] in the OpenPGP smart application PDF correctly it seems only OpenPGP cards <2.0 are limited to SHA1 & RIPEMD-160. "The following hash algorithms are supported by RFC 4880 and can be used as input in the DSI. However the card may not check the integrity of a DSI. Cards with Version < 2.0 sup?port RIPEMD-160 and SHA-1 only and may check it, so other hash algorithms cannot be used." Or is this saying >=2.0 OpenPGP cards can generate SHA2 hashes but cannot verify them? -- __________________________________ Chris Ruff email: jcruff at gmail.com gpg key: 0x0621F585 gpg fgpr: E3C4 0E2E AD99 59A2 E4D0 DC1B FD21 25BC 0621 F585 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 583 bytes Desc: OpenPGP digital signature URL: From jcruff at gmail.com Wed Jul 21 00:31:38 2010 From: jcruff at gmail.com (Chris Ruff) Date: Tue, 20 Jul 2010 18:31:38 -0400 Subject: [Announce] GnuPG 2.0.16 released In-Reply-To: <87zkxnamrr.fsf@vigenere.g10code.de> References: <87zkxnamrr.fsf@vigenere.g10code.de> Message-ID: <4C4623CA.10204@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/19/2010 04:39 AM, Werner Koch wrote: > What's New > =========== > > * If the agent's --use-standard-socket option is active, all tools > try to start and daemonize the agent on the fly. In the past this > was only supported on W32; on non-W32 systems the new configure - - option --use-standard-socket may now be used to use this feature by + option --enable-standard-socket may now be used to use this feature by > default. - -- __________________________________ Chris Ruff email: jcruff at gmail.com gpg key: 0x0621F585 gpg fgpr: E3C4 0E2E AD99 59A2 E4D0 DC1B FD21 25BC 0621 F585 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: OpenPGP Smartcard v2.0 Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJMRiPGAAoJEP0hJbwGIfWFpjUH/0dh0PdgaNAtFcUK++7TSSjE MfQgLG6tAu9hGYj13jMZK+F0lEMk9waeBNjW/sGImKqZnpWS0pI3AhU0f5tErrIN A3jaElgxrteCq59cYCsX4NBq5qvTqvWsAGcVzfBDpXuDuOWudg/WvqJ/pvg6udYy ToskWTsTKtYjbVtBxua8NpTmyJ4MFJP6mL7xJUtGrnQTMICuC4pg3QDUvp07AxSI nGriC7eE6M4dnOqYkEZB1DDBBfGRn0hz8Ghc+21g8rf3lEpBGTkY2yOntLcJ73yF NB1KV/lbpXlJuta/OUVVzgq+/tZI1wfOChF55FuMtrDzRkEWWzk28+Yec+hmFEg= =RnnT -----END PGP SIGNATURE----- From jcruff at gmail.com Wed Jul 21 00:09:13 2010 From: jcruff at gmail.com (Chris Ruff) Date: Tue, 20 Jul 2010 18:09:13 -0400 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> Message-ID: <4C461E89.8070409@gmail.com> On 06/01/2010 06:49 PM, Perry, James J. wrote: > I just updated to FC 13 and not gpg fails to work for any user. I get > the following messages when I try to decrypt a file and have the DISPLAY > set even though I am not using X. > > > > gpg --pgp6 EDI997.20100601091546.pgp > > > > You need a passphrase to unlock the secret key for > > user: ?xyz? > > 2048-bit ELG key, ID ? > > > > can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory > > gpg-agent[24444]: command get_passphrase failed: Operation cancelled > > gpg: cancelled by user > > gpg: encrypted with 2048-bit ELG key, ID ? > > gpg: public key decryption failed: General error > > gpg: decryption failed: No secret key > > > > This happens when I have a DISPLAY variable set. Without it I get a bad > looking curses interface image like below: > > lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk > > x Please enter the passphrase to unlock the secret key for the OpenPGP x > > x certificate: x > > x "xyz" x > > x 2048-bit ELG key, ID ? x > > x created 2010-05-30 (main key ID ?). x > > x x > > x x > > x Passphrase __________________________________________________________ x > > x x > > x x > > mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj > > > > This was not how it worked when I used it prior to upgrading to FC13. I > do not want all the pretty stuff and I need it to prompt for a password > on the command line like it did prior to the used of pinentry-qt or > pinentry-curses. What do I need to fix? I spent 4 hours digging around > to just find that if I had a DISPLAY variable set but no X-Server > running on my MS Win box, it would not even work. Users of GPG here on > Linux will not understand that issue so I will need to keep it running > as it did before, but no manuals I found seemed to indicate how to > correct it. > > > > Thanks! > > -Jim > > > > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users I'm not sure if this is your exact problem but on my openSuSE 11.2 system Seahorse really made a mess of things. Try running your gpg-agent the old fashion way and export the variables. I'm initializing mine in .xinitrc with an eval statement and relevant arguments b/c seahorse doesn't seem to work correctly with scdaemon. -- __________________________________ Chris Ruff email: jcruff at gmail.com gpg key: 0x0621F585 gpg fgpr: E3C4 0E2E AD99 59A2 E4D0 DC1B FD21 25BC 0621 F585 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 583 bytes Desc: OpenPGP digital signature URL: From expires2010 at ymail.com Wed Jul 21 01:49:01 2010 From: expires2010 at ymail.com (MFPA) Date: Wed, 21 Jul 2010 00:49:01 +0100 Subject: verifying hashes with GnuPG In-Reply-To: <20100720202400.GB4236@hiro.matrix> References: <20100720201416.A1D842003D@smtp.hushmail.com> <20100720202400.GB4236@hiro.matrix> Message-ID: <766192160.20100721004901@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 20 July 2010 at 9:24:00 PM, in , Michel Messerschmidt wrote: > On Tue, Jul 20, 2010 at 04:14:16PM -0400, > vedaal at nym.hush.com wrote: >> Is there a gnupg command to verifiy a hash, not a signature, (e.g. >> MD5, SHA1, SHA256), by entering the hash string and the file or >> text it corresponds to? > Why would you want to use gnupg for this if md5sum, > sha1sum, sha256sum, etc. are available for most > systems? Maybe he wanted to check if an app he already installed would perform this function before downloading another app to do it? - -- Best regards MFPA mailto:expires2010 at ymail.com Was time invented by an Irishman named O'Clock? -----BEGIN PGP SIGNATURE----- iQCVAwUBTEY2AKipC46tDG5pAQoDDgQAgcemmkoFGNgvlQZjAZHdslAgjIqIZ9rV MclkMHWy9BoLZZwSvPDPh9RJRe1HkQGBBeEq5PUa3wif7c/mHs5kbmcmh6ZkKxW7 mLkD75v/0eB5P7LO/b7XE8I9w7CELEsSP5vGWmu2KUfZ8R6ydktFNiwWufGPf+LP vyvszEPhZZQ= =H59P -----END PGP SIGNATURE----- From bpm at sdf.org Wed Jul 21 02:02:51 2010 From: bpm at sdf.org (Breen Mullins) Date: Tue, 20 Jul 2010 17:02:51 -0700 Subject: Locating GnuPG 2.0.16 RH4 binaries... In-Reply-To: <4C45F091.7090305@verizon.net> References: <4C45DBF1.3070409@yahoo.com> <4C45F091.7090305@verizon.net> Message-ID: <20100721000251.GA23794@SDF.LONESTAR.ORG> * Jean-David Beyer [2010-07-20 14:53 -0400]: >John Espiro wrote: >> Greetings... >> My google skills must not be working lately... Can anyone help point me >> to the 2.0.16 binary for GnuPG / RHEL4? >> >> Thanks, >> John >> >Is there one? >I run RHEL 5.4 that is up-to-date as of this morning, and that binary >rpm is gnupg-1.4.5-14.el5_5.1. > >If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm On Fedora, and I expect on RHEL too, 2.0.16 would be installed by the gnupg2 rpm. You might look at http://fedoraproject.org/wiki/EPEL which provides ports of Fedora packages to EL. Breen -- Breen Mullins bpm at sdf.org From jeandavid8 at verizon.net Wed Jul 21 03:40:28 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Tue, 20 Jul 2010 21:40:28 -0400 Subject: Locating GnuPG 2.0.16 RH4 binaries... In-Reply-To: <20100721000251.GA23794@SDF.LONESTAR.ORG> References: <4C45DBF1.3070409@yahoo.com> <4C45F091.7090305@verizon.net> <20100721000251.GA23794@SDF.LONESTAR.ORG> Message-ID: <4C46500C.8020504@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Breen Mullins wrote: > * Jean-David Beyer [2010-07-20 14:53 -0400]: > >> John Espiro wrote: >>> Greetings... >>> My google skills must not be working lately... Can anyone help point me >>> to the 2.0.16 binary for GnuPG / RHEL4? >>> >>> Thanks, >>> John >>> >> Is there one? >> I run RHEL 5.4 that is up-to-date as of this morning, and that binary >> rpm is gnupg-1.4.5-14.el5_5.1. >> >> If I look at CentOS 4, the binary for it is gnupg-1.2.6-9.i386.rpm > > On Fedora, and I expect on RHEL too, 2.0.16 would be installed by the > gnupg2 rpm. > > You might look at > http://fedoraproject.org/wiki/EPEL > > which provides ports of Fedora packages to EL. > > Breen > Looks like it is there for RHEL 5, but not for RHEL 4. Probably too many incompatibilities for that older release. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 21:35:01 up 13 days, 6:21, 3 users, load average: 4.65, 4.79, 4.76 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMRlAMPtu2XpovyZoRAmIMAKDEHJbEIy5ZQ+ulpcE6IrEetciA3gCgh0T5 6CxIZAfcWY81yH/GeokvqQg= =UPjt -----END PGP SIGNATURE----- From john_espiro at yahoo.com Wed Jul 21 09:58:01 2010 From: john_espiro at yahoo.com (John Espiro) Date: Wed, 21 Jul 2010 09:58:01 +0200 Subject: Locating GnuPG 2.0.16 RH4 binaries... In-Reply-To: <4C46500C.8020504@verizon.net> References: <4C45DBF1.3070409@yahoo.com> <4C45F091.7090305@verizon.net> <20100721000251.GA23794@SDF.LONESTAR.ORG> <4C46500C.8020504@verizon.net> Message-ID: <4C46A889.6060304@yahoo.com> On 7/21/2010 3:40 AM, Jean-David Beyer wrote: > > > Breen > > Looks like it is there for RHEL 5, but not for RHEL 4. > Probably too many incompatibilities for that older release. > Thanks Jean-David, and Breen (althoguh I never saw Breen's response on the list). I d/l'd the source for 2.0.16, installed the following items from source: ftp://ftp.gnupg.org/gcrypt/libgpg-error ftp://ftp.gnupg.org/gcrypt/libgcrypt/ ftp://ftp.gnupg.org/gcrypt/libassuan/ ftp://ftp.gnupg.org/gcrypt/libksba/ And it built ! Wow... thanks guys! From John at Mozilla-Enigmail.org Wed Jul 21 11:43:08 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 21 Jul 2010 04:43:08 -0500 Subject: setuping local/standalone keyserver In-Reply-To: <20100720085558.GA2652@straylight.ringlet.net> References: <413741.80841.qm@web94803.mail.in2.yahoo.com> <20100720085558.GA2652@straylight.ringlet.net> Message-ID: <4C46C12C.7090806@Mozilla-Enigmail.org> Peter Pentchev wrote: > On Tue, Jul 20, 2010 at 12:50:53PM +0530, Prasanth Thandra wrote: >> Hi, >> i configured gnupg 2.0.15 on RHEL4 which is a mialserver. >> i am able to generate keypairs. >> now i want to setup a keyserver either on localhost or as a standalone. >> please let me know how to do the same. Setting up a keyserver is relatively simple, but I'm not reading the use case for a standalone keyserver. What is it you are wanting to accomplish? For serving a small number of keys, which is typically the standalone model, LDAP is more likely the better implementation. > Start from http://code.google.com/p/sks-keyserver/ > I don't know if anybody has made an RPM of that; probably somebody has, > but I'm not familiar enough with the various RPM distribution channels > to check :) Prebuilt RPMs as well as DEBs of the latest release should be available. The nominal place for SKS support is the sks-devel list at sks-devel at nongnu.org (http://lists.nongnu.org/mailman/listinfo/sks-devel ) -- John P. Clizbe Inet: John (a) keyservers DAWT net You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From wk at gnupg.org Wed Jul 21 11:41:45 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 21 Jul 2010 11:41:45 +0200 Subject: [Announce] GnuPG 2.0.16 released In-Reply-To: <4C4623CA.10204@gmail.com> (Chris Ruff's message of "Tue, 20 Jul 2010 18:31:38 -0400") References: <87zkxnamrr.fsf@vigenere.g10code.de> <4C4623CA.10204@gmail.com> Message-ID: <87wrspgoiu.fsf@vigenere.g10code.de> On Wed, 21 Jul 2010 00:31, jcruff at gmail.com said: > - option --use-standard-socket may now be used to use this feature by > + option --enable-standard-socket may now be used to use this feature by Thanks. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From awolff at newbreed.com Tue Jul 20 15:38:43 2010 From: awolff at newbreed.com (Wolff, Alex) Date: Tue, 20 Jul 2010 09:38:43 -0400 Subject: Keypair is expiring. Message-ID: Back in 2005 when I created my private/public key pair I never believed the universe would still exist today..hence I set an expiration date of 2010. Since it's expiringin the next couple of months and I am not sure what my options are? Can I change the expiration date of my key pair to not expire...without having to re-issue another public key to all my encryption partners? Or do I have to re-issue? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dshaw at jabberwocky.com Wed Jul 21 16:33:16 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 21 Jul 2010 10:33:16 -0400 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> Message-ID: <1CA09898-6D99-47B9-870F-ABC0735AC6F5@jabberwocky.com> On Jun 1, 2010, at 6:49 PM, Perry, James J. wrote: > I just updated to FC 13 and not gpg fails to work for any user. I get the following messages when I try to decrypt a file and have the DISPLAY set even though I am not using X. > > gpg --pgp6 EDI997.20100601091546.pgp > > You need a passphrase to unlock the secret key for > user: ?xyz? > 2048-bit ELG key, ID ? > > can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory > gpg-agent[24444]: command get_passphrase failed: Operation cancelled > gpg: cancelled by user > gpg: encrypted with 2048-bit ELG key, ID ? > gpg: public key decryption failed: General error > gpg: decryption failed: No secret key [..] > This was not how it worked when I used it prior to upgrading to FC13. I do not want all the pretty stuff and I need it to prompt for a password on the command line like it did prior to the used of pinentry-qt or pinentry-curses. What do I need to fix? I spent 4 hours digging around to just find that if I had a DISPLAY variable set but no X-Server running on my MS Win box, it would not even work. Users of GPG here on Linux will not understand that issue so I will need to keep it running as it did before, but no manuals I found seemed to indicate how to correct it. Fedora 13 made a (in my opinion) bad change in how they handle GnuPG. Previously, there were two packages: 'gnupg' and 'gnupg2'. This makes sense since the two branches of GnuPG are intentionally non-conflicting, and while there is significant overlap, do serve somewhat different purposes. Fedora 13 removed 'gnupg' (i.e. gnupg 1.4.x) and caused the 'gnupg2' (i.e. gnupg 2.x) package to replace it. This breaks all sorts of scripts and things that were written to use 1.4.x. A few people are trying to get this fixed in Fedora. http://lists.fedoraproject.org/pipermail/devel/2010-July/138765.html http://lists.fedoraproject.org/pipermail/devel/2010-July/138781.html David From vedaal at nym.hush.com Wed Jul 21 16:52:03 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Wed, 21 Jul 2010 10:52:03 -0400 Subject: verifying hashes with Gnupg Message-ID: <20100721145203.53A402003D@smtp.hushmail.com> MFPA expires2010 at ymail.com wrote on Wed Jul 21 01:49:01 CEST 2010 : >> Why would you want to use gnupg for this if md5sum, >> sha1sum, sha256sum, etc. are available for most >> systems? >Maybe he wanted to check if an app he already installed would perform >this function before downloading another app to do it? Much simpler reason ;-( windows command line doesn't recognize it (without cygwin) C:\>sha1sum v:\t1.sha1 'SHA1SUM' is not recognized as an internal or external command, operable program or batch file. (There is an open source gui for windows written in VB that hashes and verifies, [pthasher by Karen Kenworthy http://www.karenware.com] still, I thought it might be done in gnupg with one of the 'cool undocumented' commands, but couldn't find it using gpg --dump- options vedaal From rahul.raviz at gmail.com Wed Jul 21 17:22:28 2010 From: rahul.raviz at gmail.com (Rahul R) Date: Wed, 21 Jul 2010 20:52:28 +0530 Subject: decryption failed: secret key not available Message-ID: Hi All,, When I try to decrypt a file which was encrypted with my key by a vendor, I am getting an error as below. ----------------------- gpg --yes --output 123.txt.out --decrypt 123.txt.out.pgp gpg: encrypted with 1024-bit ELG-E key, ID 424E35F0, created 2010-05-11 "TEST_ENV (For testing new test env) " gpg: decryption failed: secret key not available ------------------------ Can anyone shed some light on how to troubleshoot this? -- Thanks, Regards, Rahul R .~. /V\ // \\ /( )\ ^`~'^ Mob: 09008030921 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mailinglisten at hauke-laging.de Wed Jul 21 17:33:34 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 21 Jul 2010 17:33:34 +0200 Subject: decryption failed: secret key not available In-Reply-To: References: Message-ID: <201007211733.41931.mailinglisten@hauke-laging.de> Am Mittwoch 21 Juli 2010 17:22:28 schrieb Rahul R: > Hi All,, > > When I try to decrypt a file which was encrypted with my key by a vendor, I > am getting an error as below. > > ----------------------- > > gpg --yes --output 123.txt.out --decrypt 123.txt.out.pgp > gpg: encrypted with 1024-bit ELG-E key, ID 424E35F0, created 2010-05-11 > "TEST_ENV (For testing new test env) " > gpg: decryption failed: secret key not available > > ------------------------ > > Can anyone shed some light on how to troubleshoot this? The error message isn't hard to understand, is it? "gpg --list-secret-keys" shows you the available secret keys of your gpg configuration. You need the key with the ID 424E35F0 which is obviously missing. Under Linux: gpg --list-secret-keys | grep -i eccb5814 sec# 1024D/0xECCB5814 2005-09-05 This is an examply with my key. "gpg --list-secret-keys | grep -i 424E35F0" probably does not deliver any content. You need import the secret key 424E35F0. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From faramir.cl at gmail.com Wed Jul 21 16:38:49 2010 From: faramir.cl at gmail.com (Faramir) Date: Wed, 21 Jul 2010 10:38:49 -0400 Subject: Keypair is expiring. In-Reply-To: References: Message-ID: <4C470679.9050705@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Wolff, Alex escribi?: > Back in 2005 when I created my private/public key pair I never believed > the universe would still exist today..hence I set an expiration date of > 2010. Since it?s expiringin the next couple of months and I am not sure > what my options are? I'd say your options are to change the expiration date, or to issue a new key. If your key is 1024 bits long, I'd suggest you to create a new key. > Can I change the expiration date of my key pair to not expire?without > having to re-issue another public key to all my encryption partners? > > Or do I have to re-issue? You need to provide an updated version of your public key to your encryption partners, if not, how will they become aware of the new expiration date? Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMRwZ5AAoJEMV4f6PvczxAq68H/i5OVTAxh/J1VpvdKP4nTI+2 SgXMJiayzSL2g5jWmaUeH2/rQhZTDMf1eZ71jfE27QfAEKx9VqCEjfwxbdV6IjuT lAEJDpnDZe8JJGgkKJXmhUu9it8EpBBBW2ZyDEZ7CSqGmj6ExWIYeZDhIoCE6n48 agqMCaAfhoQyxz+bbRVP5lJLCcYzp+690+0zQYgv+9xatdiCWwKiZ60SQOMDXC61 9KblF16tp2FgciYv0xvyiw1HOt1jH23KF9CIyeIi841ouma4GFEyi+jDpMJ/xuGz aocB9kJbMVwsmpViooVdK03hRQxdIGNdjvcsgU0qHCxn9pIty5zyqAKAB860JYk= =S0OJ -----END PGP SIGNATURE----- From joke at seiken.de Wed Jul 21 17:42:12 2010 From: joke at seiken.de (Joke de Buhr) Date: Wed, 21 Jul 2010 17:42:12 +0200 Subject: decryption failed: secret key not available In-Reply-To: References: Message-ID: <201007211742.14736.joke@seiken.de> On Wednesday 21 July 2010 17:22:28 Rahul R wrote: > Hi All,, > > When I try to decrypt a file which was encrypted with my key by a vendor, I > am getting an error as below. > > ----------------------- > > gpg --yes --output 123.txt.out --decrypt 123.txt.out.pgp > gpg: encrypted with 1024-bit ELG-E key, ID 424E35F0, created 2010-05-11 > "TEST_ENV (For testing new test env) " > gpg: decryption failed: secret key not available > > ------------------------ > > Can anyone shed some light on how to troubleshoot this? Obviously you don't have the secret key to key 424E35F0. Are you sure it's your key. Your secret keys are listed by running gpg -K Check if the IDs match. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From dshaw at jabberwocky.com Wed Jul 21 17:47:16 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Wed, 21 Jul 2010 11:47:16 -0400 Subject: Keypair is expiring. In-Reply-To: References: Message-ID: <5CBC1E26-921F-45F3-8A56-21762FB8D043@jabberwocky.com> On Jul 20, 2010, at 9:38 AM, Wolff, Alex wrote: > Back in 2005 when I created my private/public key pair I never believed the universe would still exist today..hence I set an expiration date of 2010. Since it?s expiringin the next couple of months and I am not sure what my options are? > > Can I change the expiration date of my key pair to not expire?without having to re-issue another public key to all my encryption partners? Yes and no. You can indeed change the expiration date of your key (use "gpg --edit-key THEKEY" and then "expire"), but you must give your public key to your encryption partners again so they get the new updated key. > Or do I have to re-issue? That is another option. Neither option is right or wrong. If you have a bunch of signatures on your key that you want to keep, you'd probably do better with changing the expiration date. If you want to take this opportunity to make a larger key, then you could re-issue. David From mailinglisten at hauke-laging.de Wed Jul 21 17:52:38 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 21 Jul 2010 17:52:38 +0200 Subject: decryption failed: secret key not available In-Reply-To: References: <201007211733.41931.mailinglisten@hauke-laging.de> Message-ID: <201007211752.39105.mailinglisten@hauke-laging.de> Am Mittwoch 21 Juli 2010 17:37:44 schrieb Rahul R: > Can you please help me in importing the secret key? > > Whats the command I should use and how? gpg --import secretkey.asc It might make sense for you to use an GUI (like GPA or Kleopatra) as tasks like key import are very easy with a GUI. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From mailinglisten at hauke-laging.de Wed Jul 21 18:18:12 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 21 Jul 2010 18:18:12 +0200 Subject: decryption failed: secret key not available In-Reply-To: References: <201007211752.39105.mailinglisten@hauke-laging.de> Message-ID: <201007211818.13353.mailinglisten@hauke-laging.de> Am Mittwoch 21 Juli 2010 18:01:58 schrieb Rahul R: > But how to generate a secret key in command mode... i have the public key > with me and imported it.. but still not able to decrypt... You are funny... Obviously it is impossible to "generate" the secret key for a given public key. Otherwise it wouldn't make sense to call it a "secret" key if anyone with access to the public part could easily create it. Somebody has had access to the secret key once. If you know who that is and he still has the key then you can ask him to export it for you. It that's not possible and no export file of the secret key happens to appear then you don't have any chance to decrypt messages which have been encrypted for this key only. Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. URL: From rahul.raviz at gmail.com Wed Jul 21 17:37:44 2010 From: rahul.raviz at gmail.com (Rahul R) Date: Wed, 21 Jul 2010 21:07:44 +0530 Subject: decryption failed: secret key not available In-Reply-To: <201007211733.41931.mailinglisten@hauke-laging.de> References: <201007211733.41931.mailinglisten@hauke-laging.de> Message-ID: Thanks for the quick reply Hauke.. :-) Can you please help me in importing the secret key? Whats the command I should use and how? On Wed, Jul 21, 2010 at 9:03 PM, Hauke Laging wrote: > Am Mittwoch 21 Juli 2010 17:22:28 schrieb Rahul R: > > Hi All,, > > > > When I try to decrypt a file which was encrypted with my key by a vendor, > I > > am getting an error as below. > > > > ----------------------- > > > > gpg --yes --output 123.txt.out --decrypt 123.txt.out.pgp > > gpg: encrypted with 1024-bit ELG-E key, ID 424E35F0, created 2010-05-11 > > "TEST_ENV (For testing new test env) >" > > gpg: decryption failed: secret key not available > > > > ------------------------ > > > > Can anyone shed some light on how to troubleshoot this? > > The error message isn't hard to understand, is it? > > "gpg --list-secret-keys" shows you the available secret keys of your gpg > configuration. You need the key with the ID 424E35F0 which is obviously > missing. > > Under Linux: > gpg --list-secret-keys | grep -i eccb5814 > sec# 1024D/0xECCB5814 2005-09-05 > > This is an examply with my key. "gpg --list-secret-keys | grep -i 424E35F0" > probably does not deliver any content. > > You need import the secret key 424E35F0. > > > Hauke > -- > PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 > -- Thanks, Regards, Rahul R .~. /V\ // \\ /( )\ ^`~'^ Mob: 09008030921 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rahul.raviz at gmail.com Wed Jul 21 18:01:58 2010 From: rahul.raviz at gmail.com (Rahul R) Date: Wed, 21 Jul 2010 21:31:58 +0530 Subject: decryption failed: secret key not available In-Reply-To: <201007211752.39105.mailinglisten@hauke-laging.de> References: <201007211733.41931.mailinglisten@hauke-laging.de> <201007211752.39105.mailinglisten@hauke-laging.de> Message-ID: But how to generate a secret key in command mode... i have the public key with me and imported it.. but still not able to decrypt... On Wed, Jul 21, 2010 at 9:22 PM, Hauke Laging wrote: > Am Mittwoch 21 Juli 2010 17:37:44 schrieb Rahul R: > > > Can you please help me in importing the secret key? > > > > Whats the command I should use and how? > > gpg --import secretkey.asc > > It might make sense for you to use an GUI (like GPA or Kleopatra) as tasks > like key import are very easy with a GUI. > > > Hauke > -- > PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 > -- Thanks, Regards, Rahul R .~. /V\ // \\ /( )\ ^`~'^ Mob: 09008030921 -------------- next part -------------- An HTML attachment was scrubbed... URL: From kgo at grant-olson.net Wed Jul 21 19:00:38 2010 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 21 Jul 2010 13:00:38 -0400 Subject: Keypair is expiring. In-Reply-To: References: Message-ID: <4C4727B6.3090405@grant-olson.net> On 7/20/10 9:38 AM, Wolff, Alex wrote: > Can I change the expiration date of my key pair to not expire...without > having to re-issue another public key to all my encryption partners? > > Or do I have to re-issue? > They'll need to get it somehow. But that's where keyservers are handy. You push the key with the new expiration date to the keyserver. People (hopefully) refresh regularly and get the new date. If they don't refresh regularly, when they see the expired key they will (hopefully) refresh manually from the keyserver. If they don't do either, when they tell you your key is expired, you can tell them it's up-to-date on the keyserver and/or mail them a copy of the new public key. -- Grant "I am very hungry," Kobayashi said. "I wish there were hot dogs in jail." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From jeandavid8 at verizon.net Wed Jul 21 22:43:58 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Wed, 21 Jul 2010 16:43:58 -0400 Subject: decryption failed: secret key not available In-Reply-To: References: <201007211733.41931.mailinglisten@hauke-laging.de> <201007211752.39105.mailinglisten@hauke-laging.de> Message-ID: <4C475C0E.9060309@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rahul R wrote: > But how to generate a secret key in command mode... i have the public > key with me and imported it.. but still not able to decrypt... > My guess is that your best bet is to generate a new key-pair and send the public key to a key-server. Then notify whoever sent you the original message of the problem and to send it again with the new key. You might wish to revoke the old key-pair if you have a revocation certificate on your machine. I do not know how you lost your secret key. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 16:40:01 up 14 days, 1:26, 3 users, load average: 4.84, 4.75, 4.79 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMR1wOPtu2XpovyZoRAiCvAJ9sPuI069kgQRIG2sbkTxxAeeCJLACcDbKT 95wgHVIUeJ2NFYaMvYGNWA0= =JuL2 -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu Jul 22 00:59:38 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 21 Jul 2010 18:59:38 -0400 Subject: verifying hashes with Gnupg In-Reply-To: <20100721145203.53A402003D@smtp.hushmail.com> References: <20100721145203.53A402003D@smtp.hushmail.com> Message-ID: <4C477BDA.9000404@sixdemonbag.org> On 7/21/10 10:52 AM, vedaal at nym.hush.com wrote: > windows command line doesn't recognize it (without cygwin) > > C:\>sha1sum v:\t1.sha1 > 'SHA1SUM' is not recognized as an internal or external command, > operable program or batch file. http://lists.gnupg.org/pipermail/gnupg-announce/2004q4/000184.html -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From jcruff at gmail.com Thu Jul 22 07:22:36 2010 From: jcruff at gmail.com (John Ruff) Date: Thu, 22 Jul 2010 01:22:36 -0400 Subject: verifying hashes with Gnupg In-Reply-To: <20100721145203.53A402003D@smtp.hushmail.com> References: <20100721145203.53A402003D@smtp.hushmail.com> Message-ID: <07A2DAE5-7FF9-458B-87FF-9C208451839A@gmail.com> On Jul 21, 2010, at 10:52 AM, vedaal at nym.hush.com wrote: > MFPA expires2010 at ymail.com wrote on > Wed Jul 21 01:49:01 CEST 2010 : > >>> Why would you want to use gnupg for this if md5sum, >>> sha1sum, sha256sum, etc. are available for most >>> systems? > >> Maybe he wanted to check if an app he already installed would > perform >> this function before downloading another app to do it? > > Much simpler reason ;-( > > windows command line doesn't recognize it (without cygwin) > > not sure what version this was made available, but the '--print-md ' option to gpg will generate a hash, albeit you must visually validate. $ gpg --print-md SHA1 10MB.dat 10MB.dat: 8C20 6A1A 8759 9F53 2CE6 8675 536F 0B15 4690 0D7A $ openssl sha1 10MB.dat SHA1(10MB.dat)= 8c206a1a87599f532ce68675536f0b1546900d7a $ gpg --print-md SHA512 10MB.dat 10MB.dat: 868D3A19 0F272375 8D1A6449 8A4AC1F1 4B0297E1 6E731A0E EC3A446B 775C65CB 8428AB33 140CEE13 EF51E7BB 3764B5FF 1900CFB3 42A3DBF3 FCC41DD6 CDD9FCEA $ openssl dgst -sha512 10MB.dat SHA512(10MB.dat)= 868d3a190f2723758d1a64498a4ac1f14b0297e16e731a0eec3a446b775c65cb8428ab33140cee13ef51e7bb3764b5ff1900cfb342a3dbf3fcc41dd6cdd9fcea ___________________ Chris Ruff jcruff at gmail.com GPG Key: 0x307A351B4EC4B6A1 FGPR: BF2F 2497 22E7 FEB5 C805 075C 307A 351B 4EC4 B6A1 "No one can see past a choice they don't understand." --The Oracle -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 527 bytes Desc: This is a digitally signed message part URL: From dougb at dougbarton.us Thu Jul 22 09:21:22 2010 From: dougb at dougbarton.us (Doug Barton) Date: Thu, 22 Jul 2010 00:21:22 -0700 (PDT) Subject: verifying hashes with Gnupg In-Reply-To: <20100721145203.53A402003D@smtp.hushmail.com> References: <20100721145203.53A402003D@smtp.hushmail.com> Message-ID: If you're looking for a a set of tools to verify hashes in windows, take a look at http://md5deep.sourceforge.net/ hth, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From wk at gnupg.org Thu Jul 22 09:36:35 2010 From: wk at gnupg.org (Werner Koch) Date: Thu, 22 Jul 2010 09:36:35 +0200 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <1CA09898-6D99-47B9-870F-ABC0735AC6F5@jabberwocky.com> (David Shaw's message of "Wed, 21 Jul 2010 10:33:16 -0400") References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> <1CA09898-6D99-47B9-870F-ABC0735AC6F5@jabberwocky.com> Message-ID: <87lj94ge7w.fsf@vigenere.g10code.de> On Wed, 21 Jul 2010 16:33, dshaw at jabberwocky.com said: > Fedora 13 removed 'gnupg' (i.e. gnupg 1.4.x) and caused the 'gnupg2' (i.e. gnupg 2.x) package to replace it. This breaks all sorts of scripts and things that were written to use 1.4.x. FWIW, the new 2.0.16 may help to mitigate this problem if the --use-standard-socket option is used. The agent will then be started if needed. You can't use this feature if your home directory is NFS mounted or you are not using X. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From stanislav at sidorenko.biz Thu Jul 22 19:25:02 2010 From: stanislav at sidorenko.biz (Stanislav Sidorenko) Date: Thu, 22 Jul 2010 21:25:02 +0400 Subject: SHA2 digest, V2 smartcard and gpg-agent problem Message-ID: <201007222125.02489.stanislav@sidorenko.biz> > Or is this saying >=2.0 OpenPGP cards can generate SHA2 hashes but > cannot verify them? Cards do not used to verify signatures. In my case GPG checks a signature generated by card and fails because signature is invalid. But it seems I've already found the issue, it is not in gpg-agent, but in gpg itself. file cardglue.c, lines 1324-1328: init_membuf (&data, 1024); snprintf (line, DIM(line)-1, "SCD PKSIGN %s%s", hashalgo == GCRY_MD_RMD160? "--hash=rmd160 ": "", serialno); line[DIM(line)-1] = 0; hashalgo is an int variable that contains hash id. As far as I understood this code generates a request to scdaemon and forces using RIPEMD160 if hashalgo == GCRY_MD_RMD160 or default hash (SHA1?) if hashalgo equals to any other value. I've made a quick&dirty fix that enables using SHA256 instead of RIPEMD160. hashalgo == GCRY_MD_SHA256? "--hash=sha256 ": "", Using my custom build I've successfully signed a message using SHA256. It is not a problem to add all other hashes but I'm not sure about the impact of such patch because I've just quickly checked the code :) -- Stanislav > On 05/01/2010 04:52 PM, Stanislav Sidorenko wrote: > > Hi! > > > > I've tried to use SHA256 digest for signing using openpgp V2 smartcard > > and got the following error: > > > > gpg: checking created signature failed: bad signature > > gpg: signing failed: bad signature > > gpg: signing failed: bad signature > > > > It happens only if gpg uses gpg-agent which is configured to use scdaemon > > for accesing smartcards. > > > > If I disable gpg-agent usage (--no-use-agent switch) and enter card PIN > > code in the console then signing with SHA256 work perfectly. In case of > > enabled gpg-agent only SHA1 and RIPEMD160 can be used. It looks like an > > issue in gpg- agent or scdaemon. > > > > The issue was found on gpg 1.4.10 and gpg-agent 2.0.14. > > > > Thanks, > > > > Stanislav > > > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users at gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > Interesting, indeed. I unfortunately had to change my prefs when I got > my openpgp v2 card since I was using gpg2 and the agent is required. So > is this currently just an issue with gpg-agent? If I'm reading section > 7.2.8.1 [Hash Algorithms] in the OpenPGP smart application PDF correctly > it seems only OpenPGP cards <2.0 are limited to SHA1 & RIPEMD-160. > > "The following hash algorithms are supported by RFC 4880 and can be used > as input in the DSI. However the card may not check the integrity of a > DSI. Cards with Version < 2.0 sup?port RIPEMD-160 and SHA-1 only and may > check it, so other hash algorithms cannot be used." > > Or is this saying >=2.0 OpenPGP cards can generate SHA2 hashes but > cannot verify them? From expires2010 at ymail.com Thu Jul 22 21:24:09 2010 From: expires2010 at ymail.com (MFPA) Date: Thu, 22 Jul 2010 20:24:09 +0100 Subject: verifying hashes with Gnupg In-Reply-To: <07A2DAE5-7FF9-458B-87FF-9C208451839A@gmail.com> References: <20100721145203.53A402003D@smtp.hushmail.com> <07A2DAE5-7FF9-458B-87FF-9C208451839A@gmail.com> Message-ID: <1941990394.20100722202409@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 22 July 2010 at 6:22:36 AM, in , John Ruff wrote: > '--print-md ' option to gpg will generate a > hash, albeit you must visually validate. > $ gpg --print-md SHA1 10MB.dat > 10MB.dat: 8C20 6A1A 8759 9F53 2CE6 8675 536F 0B15 4690 0D7A Use in conjunction with "--with-colons" to get the output in a different format, without spaces:- 10MB.dat:2:8C206A1A87599F532CE68675536F0B1546900D7A: I find the "--output " option does not send the output of "--print-md" to a file (for me, using GnuPG version 1.4.10 on Windows XP). Is this intentional, anyone know? - -- Best regards MFPA mailto:expires2010 at ymail.com Virtual workspace, Virtual Office, Virtual Job -----BEGIN PGP SIGNATURE----- iQCVAwUBTEia5KipC46tDG5pAQrfsgP/VeRlpeBZxsh9DS/dKJrEBluiwNQURryf xHZxPNhOimIlgEL99I+DMs2d8H3tisaa4c5m30cx96lji+0kRWyOLI+ZGqNwPopX lyX9zyDp5uo1NJ65BAe3dhr+Oa5D+Pwi313zLU+FrXqbM9rzVa2oROGb5LPGhW5w FeBf8YZ8mOg= =FHC3 -----END PGP SIGNATURE----- From andre at amorim.me Thu Jul 22 22:19:50 2010 From: andre at amorim.me (Andre Amorim) Date: Thu, 22 Jul 2010 21:19:50 +0100 Subject: plausibly deniable Message-ID: Hi folks, Do we have a "plausibly deniable" option ? Thanks Andre Amorim. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Thu Jul 22 22:26:45 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 22 Jul 2010 16:26:45 -0400 Subject: plausibly deniable In-Reply-To: References: Message-ID: <4C48A985.2070208@sixdemonbag.org> On 7/22/2010 4:19 PM, Andre Amorim wrote: > Do we have a "plausibly deniable" option ? No. Plausible deniability depends entirely on what your adversary finds plausible. "I didn't sign that! Look -- I have Thunderbird configured to automatically sign *everything*, and I have no passphrase on my key. Someone got access to my system and sent out a message that got automagically signed by my key!" Such things have happened before. Werner himself has received PGP-signed spam, from some hapless person whose machine had been hijacked and was being used as a botnet to send messages through a PGP signing proxy. Some people will find this explanation plausible. Others will merely find it convenient. Since there is no agreed-upon definition of plausible deniability, GnuPG cannot be said to provide plausible deniability. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From dkg at fifthhorseman.net Thu Jul 22 22:32:12 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 22 Jul 2010 16:32:12 -0400 Subject: plausibly deniable In-Reply-To: References: Message-ID: <4C48AACC.4090606@fifthhorseman.net> On 07/22/2010 04:19 PM, Andre Amorim wrote: > Do we have a "plausibly deniable" option ? Yes: do not sign your messages. OpenPGP signatures are inherently designed to be non-repudiable. This is not what you want if you want deniability. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Thu Jul 22 23:17:40 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 22 Jul 2010 17:17:40 -0400 Subject: plausibly deniable In-Reply-To: <4C48A985.2070208@sixdemonbag.org> References: <4C48A985.2070208@sixdemonbag.org> Message-ID: <41F1AA1C-0B1D-40CB-811D-2E50DD8A7B1D@jabberwocky.com> On Jul 22, 2010, at 4:26 PM, Robert J. Hansen wrote: > On 7/22/2010 4:19 PM, Andre Amorim wrote: >> Do we have a "plausibly deniable" option ? > > No. Plausible deniability depends entirely on what your adversary finds > plausible. "I didn't sign that! Look -- I have Thunderbird configured > to automatically sign *everything*, and I have no passphrase on my key. > Someone got access to my system and sent out a message that got > automagically signed by my key!" > > Such things have happened before. Werner himself has received > PGP-signed spam, from some hapless person whose machine had been > hijacked and was being used as a botnet to send messages through a PGP > signing proxy. Some people will find this explanation plausible. > Others will merely find it convenient. > > Since there is no agreed-upon definition of plausible deniability, GnuPG > cannot be said to provide plausible deniability. By that logic, no program can be said to provide plausible deniability ;) (Not that I necessarily disagree - I tend to get stuck on the "plausible" part of the deniability. If things reach the point where you're relying on plausible deniability to save you, you're already in deep trouble.) David From rjh at sixdemonbag.org Thu Jul 22 23:28:28 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 22 Jul 2010 17:28:28 -0400 Subject: plausibly deniable In-Reply-To: <41F1AA1C-0B1D-40CB-811D-2E50DD8A7B1D@jabberwocky.com> References: <4C48A985.2070208@sixdemonbag.org> <41F1AA1C-0B1D-40CB-811D-2E50DD8A7B1D@jabberwocky.com> Message-ID: <4C48B7FC.1080707@sixdemonbag.org> On 7/22/2010 5:17 PM, David Shaw wrote: > By that logic, no program can be said to provide plausible deniability ;) And I think that's a true statement. :) Plausible deniability is so context-sensitive that without a lot of context data, nothing can be said to provide it. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From andre at amorim.me Fri Jul 23 00:18:09 2010 From: andre at amorim.me (Andre Amorim) Date: Thu, 22 Jul 2010 23:18:09 +0100 Subject: Fwd: plausibly deniable In-Reply-To: <4C48BC99.6080103@fifthhorseman.net> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: No worrys Daniel.. living and learning.. --Andre ---------- Forwarded message ---------- From: Daniel Kahn Gillmor Date: 22 July 2010 22:48 Subject: Re: plausibly deniable To: Andre Amorim Hi Andre-- Please don't reply off-list. this discussion would be useful for others who follow the list, or who read the archives. By taking the discussion off-list, this is now hidden from everyone but you and me. I haven't replied on-list because i don't want to publish your words without your permission. You have my permission to re-post my text here on the list if you want to take it back public again. On 07/22/2010 04:43 PM, Andre Amorim wrote: > Why I felt stupid ? LOL.. I got it, thanks But if ..someone pick me up with > my openpgp smartcard, put a gun in my head and say .. decrypt it or die ... i think you might be getting data signatures confused with data encryption. public-key signatures are a way of placing a mark on some content that no one but the holder of your key could make. They're often used to mean something like "I wrote this message" or "I approve of this message". public-key encryption is a way of making it so that only the holder of a given key is able to access the cleartext content of your message. Plausible Deniability as a term is usually used in reference to the idea of signing, not encryption. That is, a system like OTR offers convincing proof to the other party in a conversation that you are who you say you are, but that information is designed to be uninterpretable to other people (because the way that per-session key material is handled after the session is over makes it possible for anyone to craft the same assertions). You should read up on otr if you're interested: http://www.cypherpunks.ca/otr/ This "feature" is legally dubious, since courts seem prepared to convict without cryptographic proof anyway. The closest idea to Plausible Deniability for encryption (not signatures) is something like hidden volumes within encrypted volumes, which truecrypt offers: http://www.truecrypt.org/ This feature is also dubious, because there will be suspiciously high-entropy on the disk, and you are known to be using tools with this feature, you will simply be coerced until you've accounted for all the data. And of course, when a gun is held to your head, it's hard to argue that you are in full control of your key. --dkg -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 891 bytes Desc: not available URL: From andre at amorim.me Fri Jul 23 00:19:01 2010 From: andre at amorim.me (Andre Amorim) Date: Thu, 22 Jul 2010 23:19:01 +0100 Subject: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: Hi Andre-- Please don't reply off-list. this discussion would be useful for others who follow the list, or who read the archives. By taking the discussion off-list, this is now hidden from everyone but you and me. I haven't replied on-list because i don't want to publish your words without your permission. You have my permission to re-post my text here on the list if you want to take it back public again. On 07/22/2010 04:43 PM, Andre Amorim wrote: > Why I felt stupid ? LOL.. I got it, thanks But if ..someone pick me up with > my openpgp smartcard, put a gun in my head and say .. decrypt it or die ... i think you might be getting data signatures confused with data encryption. public-key signatures are a way of placing a mark on some content that no one but the holder of your key could make. They're often used to mean something like "I wrote this message" or "I approve of this message". public-key encryption is a way of making it so that only the holder of a given key is able to access the cleartext content of your message. Plausible Deniability as a term is usually used in reference to the idea of signing, not encryption. That is, a system like OTR offers convincing proof to the other party in a conversation that you are who you say you are, but that information is designed to be uninterpretable to other people (because the way that per-session key material is handled after the session is over makes it possible for anyone to craft the same assertions). You should read up on otr if you're interested: http://www.cypherpunks.ca/otr/ This "feature" is legally dubious, since courts seem prepared to convict without cryptographic proof anyway. The closest idea to Plausible Deniability for encryption (not signatures) is something like hidden volumes within encrypted volumes, which truecrypt offers: http://www.truecrypt.org/ This feature is also dubious, because there will be suspiciously high-entropy on the disk, and you are known to be using tools with this feature, you will simply be coerced until you've accounted for all the data. And of course, when a gun is held to your head, it's hard to argue that you are in full control of your key. --dkg On 22 July 2010 23:18, Andre Amorim wrote: > No worrys Daniel.. > living and learning.. > > --Andre > > > ---------- Forwarded message ---------- > From: Daniel Kahn Gillmor > Date: 22 July 2010 22:48 > Subject: Re: plausibly deniable > To: Andre Amorim > > > Hi Andre-- > > Please don't reply off-list. this discussion would be useful for others > who follow the list, or who read the archives. By taking the discussion > off-list, this is now hidden from everyone but you and me. > > I haven't replied on-list because i don't want to publish your words > without your permission. You have my permission to re-post my text here > on the list if you want to take it back public again. > > On 07/22/2010 04:43 PM, Andre Amorim wrote: > > Why I felt stupid ? LOL.. I got it, thanks But if ..someone pick me up > with > > my openpgp smartcard, put a gun in my head and say .. decrypt it or die > ... > > i think you might be getting data signatures confused with data encryption. > > public-key signatures are a way of placing a mark on some content that > no one but the holder of your key could make. They're often used to > mean something like "I wrote this message" or "I approve of this message". > > public-key encryption is a way of making it so that only the holder of a > given key is able to access the cleartext content of your message. > > Plausible Deniability as a term is usually used in reference to the idea > of signing, not encryption. That is, a system like OTR offers > convincing proof to the other party in a conversation that you are who > you say you are, but that information is designed to be uninterpretable > to other people (because the way that per-session key material is > handled after the session is over makes it possible for anyone to craft > the same assertions). You should read up on otr if you're interested: > > http://www.cypherpunks.ca/otr/ > > This "feature" is legally dubious, since courts seem prepared to convict > without cryptographic proof anyway. > > The closest idea to Plausible Deniability for encryption (not > signatures) is something like hidden volumes within encrypted volumes, > which truecrypt offers: > > http://www.truecrypt.org/ > > This feature is also dubious, because there will be suspiciously > high-entropy on the disk, and you are known to be using tools with this > feature, you will simply be coerced until you've accounted for all the > data. > > And of course, when a gun is held to your head, it's hard to argue that > you are in full control of your key. > > --dkg > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From malte.gell at gmx.de Fri Jul 23 00:13:24 2010 From: malte.gell at gmx.de (Malte Gell) Date: Fri, 23 Jul 2010 00:13:24 +0200 Subject: Using pinentry-curses interactively in Linux boot process fails Message-ID: <201007230013.40148.malte.gell@gmx.de> Hi there! I have the following setup: a Linux luks encrypted partition. It is encrypted with a keyfile, the keyfile itself is GnuPG encrypted and stored in /root Now I have a smartcard reader and a OpenPGP card, so I want to decrypt the keyfile, enter the card's PIN and that's it. I wrote a little init script. Actually, this works *after* booting. But, when using it in real world booting, it does not work. gpg-agent is started correctly, but I see no pinentry-curses mask. What could be wrong? These are the commands I use in my init script: export GNUPGHOME=/root/.gnupg gpg-agent --daemon --sh --use-standard-socket --pinentry-program /usr/bin/pinentry-curses gpg -d /root/Administrativa/BOOT-SCHLUESSEL-LUKS/luks-key-home-malte.bin.gpg | cryptsetup luksOpen /dev/disk/by-id/ata-WDC_WD3200BEVT-22ZCT0_WD-WXJ0A99M9523- part6 --key-file=- cr_sda6 (this is one long line of course) mount -o acl,user_xattr /dev/mapper/cr_sda6 /home When I use these commands after booting, they do what I want them to do. pinentry-curses asks my PIN, I enter it and everything is fine. But when I use exactly these commands in my script, I simply get no pinentry-curses appearing on the screen... I use GnuPG 2.0.12. Thanx Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From kgo at grant-olson.net Fri Jul 23 01:36:58 2010 From: kgo at grant-olson.net (Grant Olson) Date: Thu, 22 Jul 2010 19:36:58 -0400 Subject: Using pinentry-curses interactively in Linux boot process fails In-Reply-To: <201007230013.40148.malte.gell@gmx.de> References: <201007230013.40148.malte.gell@gmx.de> Message-ID: <4C48D61A.60102@grant-olson.net> On 7/22/10 6:13 PM, Malte Gell wrote: > Hi there! > > I have the following setup: a Linux luks encrypted partition. It is encrypted > with a keyfile, the keyfile itself is GnuPG encrypted and stored in /root > ... > > When I use these commands after booting, they do what I want them to do. > pinentry-curses asks my PIN, I enter it and everything is fine. But when I use > exactly these commands in my script, I simply get no pinentry-curses appearing > on the screen... > Are all the files for gpg2 on your boot partition? I'm not near a linux box now, but I'm guessing some of the files you need are installed to /usr/local/bin by default, which probably isn't available until after the encrypted drive is mounted onto the filesystem. -- Grant "I am very hungry," Kobayashi said. "I wish there were hot dogs in jail." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From faramir.cl at gmail.com Fri Jul 23 02:00:15 2010 From: faramir.cl at gmail.com (Faramir) Date: Thu, 22 Jul 2010 20:00:15 -0400 Subject: Fwd: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: <4C48DB8F.1070109@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Andre Amorim escribi?: ... > The closest idea to Plausible Deniability for encryption (not > signatures) is something like hidden volumes within encrypted volumes, > which truecrypt offers: > > http://www.truecrypt.org/ > > This feature is also dubious, because there will be suspiciously > high-entropy on the disk, and you are known to be using tools with this > feature, you will simply be coerced until you've accounted for all the data. And that can be a problem... inside a volume encrypted with truecrypt, there may be other hidden volumes... plausible deniability comes from the fact that, without the right password, no one can prove there is a hidden volume. The problem is you can't prove there is no hidden volume, so if the options are "decrypt or die", you are likely to die, even if you reveal all the info. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSNuPAAoJEMV4f6PvczxA84EH/AsEpiWy5ekLhzKZFzx61DVN y9mq4yNLS6YZUOj8KzX/tOPVxpye/QjZeBmU/43bqajnQ/lrOJOK7VvJGi6R6qD2 s1611w5xvKWhsdKylU8nn9U+UONkKPK0jcKMThnnFenHJwX/RciAq62+wFSmi3Xb 8vw2rRyrw06oMb0CvhUF27Q0a8yaScFx5yCNITi9QE9RcnRIAQ4+ipMLm99yr8y8 P5noLlP2HWyReolL3Fk2xaWvig3BSJngsYtnkVo7+8I2x0jjdeRTXhzsieabO56j lOw71D/ZUMN3Myzz9N+O8OhZ1dPRvahxPaURVZLH9UY+lPnNkYwvSW2SsCg/sYI= =UYql -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Fri Jul 23 03:53:50 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 22 Jul 2010 21:53:50 -0400 Subject: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: <4C48F62E.2050108@sixdemonbag.org> On 7/22/2010 6:19 PM, Daniel Kahn Gillmor wrote: > This feature is also dubious, because there will be suspiciously > high-entropy on the disk, and you are known to be using tools with this > feature, you will simply be coerced until you've accounted for all > the data. It's considerably worse than that. Thanks to the deniable encryption features of TrueCrypt, there is no way to account for all the data. Is that empty space in your container, or is there a small hidden container that you're not confessing? Ultimately, you can't make the interrogation stop *even if you confess all the information the interrogator wants* -- because the interrogator might (reasonably!) think you're holding out. Deniable encryption is a useful tool, but it is not a universally good idea. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From andre at amorim.me Fri Jul 23 03:53:57 2010 From: andre at amorim.me (Andre Amorim) Date: Fri, 23 Jul 2010 02:53:57 +0100 Subject: plausibly deniable In-Reply-To: <4C48BC99.6080103@fifthhorseman.net> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: >>Please don't reply off-list . Daniel, sure no problems; --Andre ---------- Forwarded message ---------- From: Daniel Kahn Gillmor Date: 22 July 2010 22:48 Subject: Re: plausibly deniable To: Andre Amorim Hi Andre-- Please don't reply off-list. ?this discussion would be useful for others who follow the list, or who read the archives. ?By taking the discussion off-list, this is now hidden from everyone but you and me. I haven't replied on-list because i don't want to publish your words without your permission. ?You have my permission to re-post my text here on the list if you want to take it back public again. On 07/22/2010 04:43 PM, Andre Amorim wrote: > Why I felt stupid ? LOL.. I got it, thanks But if ..someone pick me up with > my openpgp smartcard, put a gun in my head and say .. decrypt it or die ... i think you might be getting data signatures confused with data encryption. public-key signatures are a way of placing a mark on some content that no one but the holder of your key could make. ?They're often used to mean something like "I wrote this message" or "I approve of this message". public-key encryption is a way of making it so that only the holder of a given key is able to access the cleartext content of your message. Plausible Deniability as a term is usually used in reference to the idea of signing, not encryption. ?That is, a system like OTR offers convincing proof to the other party in a conversation that you are who you say you are, but that information is designed to be uninterpretable to other people (because the way that per-session key material is handled after the session is over makes it possible for anyone to craft the same assertions). ?You should read up on otr if you're interested: ?http://www.cypherpunks.ca/otr/ This "feature" is legally dubious, since courts seem prepared to convict without cryptographic proof anyway. The closest idea to Plausible Deniability for encryption (not signatures) is something like hidden volumes within encrypted volumes, which truecrypt offers: ?http://www.truecrypt.org/ This feature is also dubious, because there will be suspiciously high-entropy on the disk, and you are known to be using tools with this feature, you will simply be coerced until you've accounted for all the data. And of course, when a gun is held to your head, it's hard to argue that you are in full control of your key. ? ? ? ?--dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 891 bytes Desc: not available URL: From dougb at dougbarton.us Fri Jul 23 05:03:25 2010 From: dougb at dougbarton.us (Doug Barton) Date: Thu, 22 Jul 2010 20:03:25 -0700 (PDT) Subject: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: Can anyone else verify messages sent by Andre? His message claims to have a PGP signature, but what's in what should be the signature block isn't. Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From faramir.cl at gmail.com Fri Jul 23 05:27:46 2010 From: faramir.cl at gmail.com (Faramir) Date: Thu, 22 Jul 2010 23:27:46 -0400 Subject: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: <4C490C32.5090105@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Doug Barton escribi?: > Can anyone else verify messages sent by Andre? His message claims to > have a PGP signature, but what's in what should be the signature block > isn't. I don't see the signature, nor the claim about it being signed. I saw an attachment, but Thunderbird didn't say it was a signature... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSQwxAAoJEMV4f6PvczxA0A0H/jHA/TWy8r8Tr1XkIUS7OlJz w+PaHE1G1LcaS8t516U/qRClfyI3V/f65MrVR1/iOJ80eItwhKzc9hIaLtX8XtDF ftPG+rZH3W9HRh/YzGu+3jC+rNOFbt/BnQCnM39uAgqZLHabfJ5W+4GAJ3hmsze1 Mn7sKtRM/5odqVf9GYrfVWLay0GhQivIpNCDp09zYH2+uADV30a4lo97FyDPAQGu ShDSnGjy18nw6YUL3Tm84bCqWHDN8adR5nAO6HHZXR4irCcWCsUVvF11xVB8i7Jh +Hzrc0/X0pIre/Iq15WGxwZi2BlxjeuhwL8GpgZWr/RnSEW/2OC+nYPu0kxnWoM= =Sh7R -----END PGP SIGNATURE----- From dougb at dougbarton.us Fri Jul 23 05:40:08 2010 From: dougb at dougbarton.us (Doug Barton) Date: Thu, 22 Jul 2010 20:40:08 -0700 (PDT) Subject: plausibly deniable In-Reply-To: <4C490C32.5090105@gmail.com> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> Message-ID: On Thu, 22 Jul 2010, Faramir wrote: > Doug Barton escribi?: >> Can anyone else verify messages sent by Andre? His message claims to >> have a PGP signature, but what's in what should be the signature block >> isn't. > > I don't see the signature, nor the claim about it being signed. I saw > an attachment, but Thunderbird didn't say it was a signature... If you navigate to the message in Thunderbird and then type Ctrl-U, then scroll down you'll see this in the attachment: Content-Type: application/pgp-signature; name="signature.asc" Content-Disposition: attachment; filename="signature.asc" I'm working on my PGP/MIME filter for Alpine at the moment, so I'm turning over more rocks than usual. :) Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From teddks at gmail.com Fri Jul 23 04:43:13 2010 From: teddks at gmail.com (Ted Smith) Date: Thu, 22 Jul 2010 22:43:13 -0400 Subject: plausibly deniable In-Reply-To: <4C48F62E.2050108@sixdemonbag.org> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> Message-ID: <1279852993.8660.14.camel@anglachel> On Thu, 2010-07-22 at 21:53 -0400, Robert J. Hansen wrote: > On 7/22/2010 6:19 PM, Daniel Kahn Gillmor wrote: > > This feature is also dubious, because there will be suspiciously > > high-entropy on the disk, and you are known to be using tools with this > > feature, you will simply be coerced until you've accounted for all > > the data. > > It's considerably worse than that. > > Thanks to the deniable encryption features of TrueCrypt, there is no way > to account for all the data. Is that empty space in your container, or > is there a small hidden container that you're not confessing? > Ultimately, you can't make the interrogation stop *even if you confess > all the information the interrogator wants* -- because the interrogator > might (reasonably!) think you're holding out. > > Deniable encryption is a useful tool, but it is not a universally good idea. > An interrogator as described in this thread is a movie plot threat. In reality, nobody is going to torture you for your key, because there are much easier ways of obtaining your cleartext or figuring out if you have a hidden volume. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From rjh at sixdemonbag.org Fri Jul 23 06:09:30 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 23 Jul 2010 00:09:30 -0400 Subject: plausibly deniable In-Reply-To: <1279852993.8660.14.camel@anglachel> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> Message-ID: <4C4915FA.9070200@sixdemonbag.org> On 7/22/2010 10:43 PM, Ted Smith wrote: >> Thanks to the deniable encryption features of TrueCrypt, there is no way >> to account for all the data. Is that empty space in your container, or >> is there a small hidden container that you're not confessing? >> Ultimately, you can't make the interrogation stop *even if you confess >> all the information the interrogator wants* -- because the interrogator >> might (reasonably!) think you're holding out. > > An interrogator as described in this thread is a movie plot threat. In > reality, nobody is going to torture you for your key... The point is not about torture. The point is about interrogation. Imagine this scenario: you've been sending innocuous encrypted traffic to a correspondent. Unknown to you, your correspondent is involved in drug trafficking. You're arrested on suspicion of drug trafficking and brought to speak with the prosecutor. You happily decrypt your innocuous emails. The prosecutor now asks to see the contents of your TrueCrypt container. You comply, since there's nothing illegal in there -- just your tax records (which the prosecutor already has anyway). The prosecutor tells you to produce the contents of the hidden container. "But I don't have an encrypted container!" Prove it. "I can't!" Then I guess we have no choice but to keep our investigation on you open, take your life apart one bit at a time, drag your reputation through the mud with our investigation, and cause you to spend untold tens of thousands of dollars on legal fees. Then in six months if we can't find anything, maybe we'll drop it. Or you can prove to me that you don't have an encrypted container. Your choice. From faramir.cl at gmail.com Fri Jul 23 08:07:51 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 23 Jul 2010 02:07:51 -0400 Subject: plausibly deniable In-Reply-To: <1279852993.8660.14.camel@anglachel> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> Message-ID: <4C4931B7.2050909@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Ted Smith escribi?: ... >> Deniable encryption is a useful tool, but it is not a universally good idea. > > An interrogator as described in this thread is a movie plot threat. In > reality, nobody is going to torture you for your key, because there are > much easier ways of obtaining your cleartext or figuring out if you have > a hidden volume. Well, I suppose in most countries nobody is going to torture you, but there are other countries where you can't be so sure... Also, an interrogator that doesn't care about hurting an innocent can be very dangerous, if he suspects he is being fooled. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSTG3AAoJEMV4f6PvczxAUpgIAK2s63bERtL6uH4sBTMFY+Ng C1Ybr9KKefZX3kMkyHj48D2YRmYBtcNWJ72gWBhHfxmL/CWHstqApZKlki0fD9VO suvwWQ78ZA4TPndLwvnYHBZ0LhJSfJZ83GE79o1GzuC/PkMVkEswebqo2FAUNJyh T8cV5+4bj1jBkNSbpypNbSnO0OHKiVFUjF7F+7WusxH5N0HK683c9AXdbJTMAaxT u1WOxLBJeI39guLgPshHtnkIceGyEK5Nj/Xpwln2RC7I6iwC3/GVCmfDWXGPRZMH 3TYIR7P5c+nJ+tyGPCa961+kUG0/23Rv0yMepayUYr+v+YrwclTDSZkxP4K+Sas= =k4xG -----END PGP SIGNATURE----- From faramir.cl at gmail.com Fri Jul 23 07:49:56 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 23 Jul 2010 01:49:56 -0400 Subject: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> Message-ID: <4C492D84.7050506@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Doug Barton escribi?: > On Thu, 22 Jul 2010, Faramir wrote: ... >> I don't see the signature, nor the claim about it being signed. I saw >> an attachment, but Thunderbird didn't say it was a signature... > > If you navigate to the message in Thunderbird and then type Ctrl-U, then > scroll down you'll see this in the attachment: > Content-Type: application/pgp-signature; name="signature.asc" > Content-Disposition: attachment; filename="signature.asc" Right. However, Thunderbird doesn't show the usual message about signatures... something is not working right. > I'm working on my PGP/MIME filter for Alpine at the moment, so I'm > turning over more rocks than usual. :) Good luck with it ;) Best Regard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSS2EAAoJEMV4f6PvczxAP/4IAIq0ygrOenvnMm3ESP6Ilh8W hJFO97e6GL8csmEWw7bl1buunKbaw1LeRW4y9wtRVD3YSh8e1z79NM1QvlfB4pOW YNdaZPWEcfT1xAzeywWCqyyBxo/EAdLZtu5E7CGjZWB21jLv5fSysGgSvic+r7aj wwz34IF/MvfE8cH00U2il4FMrG19bTH0SDCv1yZCMBEYnX7fIhF3AZReubPiFigN IHwozS3sPnTKauewX3Bz6NGx0+RpB/s3OB1BVhNxzIvprXw4/FbiMxXc8I12ZGOm 0uEB5jrBOe7tXTRlZRS3wuQEkoRZWH3wmplutVaYUxygEXLenMRN9IERMwY7GkQ= =9xqI -----END PGP SIGNATURE----- From malte.gell at gmx.de Fri Jul 23 08:52:07 2010 From: malte.gell at gmx.de (Malte Gell) Date: Fri, 23 Jul 2010 08:52:07 +0200 Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <4C48D61A.60102@grant-olson.net> References: <201007230013.40148.malte.gell@gmx.de> <4C48D61A.60102@grant-olson.net> Message-ID: <201007230852.17745.malte.gell@gmx.de> Grant Olson wrote > On 7/22/10 6:13 PM, Malte Gell wrote: > > Hi there! > > > > I have the following setup: a Linux luks encrypted partition. It is > > encrypted with a keyfile, the keyfile itself is GnuPG encrypted and > > stored in /root > > ... > > > When I use these commands after booting, they do what I want them to do. > > pinentry-curses asks my PIN, I enter it and everything is fine. But when > > I use exactly these commands in my script, I simply get no > > pinentry-curses appearing on the screen... > Are all the files for gpg2 on your boot partition? Yes and the boot partition is not encrypted, only /home But I solved it. It was an init script issue. On openSUSE there is an init script "earlyxdm" and it has overridden so to say the pinentry-ncurses program. I have now edited earlyxdm and have added my own script to Requried-Start, thus earlyxdm now waits until pinentry-curses does its job. It works now. Pretty cool, I can now unlock my LUKS volume with the openPGP card, that's nerd ;-) Regards Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From faramir.cl at gmail.com Fri Jul 23 09:35:09 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 23 Jul 2010 03:35:09 -0400 Subject: plausibly deniable In-Reply-To: <4C4915FA.9070200@sixdemonbag.org> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> <4C4915FA.9070200@sixdemonbag.org> Message-ID: <4C49462D.1020209@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Robert J. Hansen escribi?: ... >> An interrogator as described in this thread is a movie plot threat. In >> reality, nobody is going to torture you for your key... > > The point is not about torture. The point is about interrogation. > > Imagine this scenario: you've been sending innocuous encrypted traffic > to a correspondent. Unknown to you, your correspondent is involved in > drug trafficking. You're arrested on suspicion of drug trafficking and > brought to speak with the prosecutor. You happily decrypt your > innocuous emails. The prosecutor now asks to see the contents of your > TrueCrypt container. You comply, since there's nothing illegal in there > -- just your tax records (which the prosecutor already has anyway). > > The prosecutor tells you to produce the contents of the hidden > container. "But I don't have an encrypted container!" Prove it. "I > can't!" Then I guess we have no choice but to keep our investigation on That scenario is very scary, indeed... At first I thought the "innocent unless proven guilty" should protect us, that is, it is not our "job" to prove we don't have a hidden volume, but it's the prosecutor job to prove we have it. But it's right, in an attempt to prove there is a hidden volume, the prosecutor can make our lives miserable. By the way, do you know if it is possible to have more than one hidden volume inside a single container? I searched the documentation but couldn't find anything about that. _If only one_ hidden volume can be created, then the solution would be to actually create one, and leave it empty. If the prosecutor ask for it, you can show you don't have any hidden information there. Of course, doing that, you no longer have plausibly deniability. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSUYtAAoJEMV4f6PvczxAvOsH/jyUUpK6UN/KytOqsAROcyir 8XXTTfRmJS3LQDLqd9X5JyT5F8uYlXlX4LO2JbGKCWhf38bNYjCP3oEEqSJ8XW70 ziL4h9i8Z0H6c1+2lo1zjTV8CneTf3vhtPHmLuql8IRRYgPKaC/vAYz3lM48IRur OelGrqy+K5/h/vahg1H3I0792iR5T7v5uFpzxpo9xW0FqHVGZ/IDaPgb5WWMcsdh MAMgik9iT0+Cba6Mbdkk5IaBZtLydjFQnFfjxMMx//9toVq5/JOQ8g8A+nRXuSUj nrZ3uK2dCcMeJPIDvOofXRon1fmylnic5+WGS3Ni8vHV/K1lNUhp9S4EIiKi5B8= =H/I4 -----END PGP SIGNATURE----- From simon at bleah.co.uk Fri Jul 23 09:26:43 2010 From: simon at bleah.co.uk (Simon Ward) Date: Fri, 23 Jul 2010 08:26:43 +0100 Subject: plausibly deniable In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> Message-ID: <20100723072643.GA2402@penfold.cosgrove.lan> On Thu, Jul 22, 2010 at 08:03:25PM -0700, Doug Barton wrote: > Can anyone else verify messages sent by Andre? His message claims to > have a PGP signature, but what's in what should be the signature > block isn't. Mutt isn?t verifying these either. The message Content-Type appears to be multipart/alternative, not multipart/signed. The attached signature looks to me like an OpenPGP signature with the following comment: Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ I suspect it?s Daniel?s signature being forwarded, but can?t verify. Simon -- A complex system that works is invariably found to have evolved from a simple system that works.?John Gall -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From tux.tsndcb at free.fr Fri Jul 23 10:39:13 2010 From: tux.tsndcb at free.fr (tux.tsndcb at free.fr) Date: Fri, 23 Jul 2010 10:39:13 +0200 (CEST) Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <201007230852.17745.malte.gell@gmx.de> Message-ID: <2098808829.5686921279874353134.JavaMail.root@zimbra7-e1.priv.proxad.net> > Yes and the boot partition is not encrypted, only /home But I solved it. It > was an init script issue. On openSUSE there is an init script "earlyxdm" and > it has overridden so to say the pinentry-ncurses program. I have now edited > earlyxdm and have added my own script to Requried-Start, thus earlyxdm now > waits until pinentry-curses does its job. It works now. Pretty cool, I can now > unlock my LUKS volume with the openPGP card, that's nerd ;-) Hello Mate, I use Debian and not OpenSuse, but I'm interristing by your script. Could you give it ? Thanks in advanced for your answer Best Regards From mark at proseconsulting.co.uk Fri Jul 23 11:47:50 2010 From: mark at proseconsulting.co.uk (mark at proseconsulting.co.uk) Date: Fri, 23 Jul 2010 10:47:50 +0100 Subject: gpg --batch --yes --edit-key trust Message-ID: <29483.1279878470@proseconsulting.co.uk> BODY { font-family:Arial, Helvetica, sans-serif;font-size:12px; }I need to be able to ultimately trust a public key in batch mode, that I have downloaded automatically with wget from an internal server over HTTPS. I don't want to do --trust-model always, apart from the fact I want to use a trusted key anyway, gpg --trust-model always --verify displays a gratuitous warning "gpg: WARNING: Using untrusted key!". So how do I get gpg --batch --yes --edit-key trust to work? I would have expected an option like --trust-level 5 that would allow the level of trust to be selected in batch mode. So far I've considered using Expect to fill in the interactive fields (but this feels like using a sledgehammer to crack a nut, it has so many library dependencies), or modifying the source code to add the needed option. Can anyone think of another way of achieving the same goal? Thanks in advance, Mark. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Dave.Smith at st.com Fri Jul 23 12:48:00 2010 From: Dave.Smith at st.com (David Smith) Date: Fri, 23 Jul 2010 11:48:00 +0100 Subject: gpg --batch --yes --edit-key trust In-Reply-To: <29483.1279878470@proseconsulting.co.uk> References: <29483.1279878470@proseconsulting.co.uk> Message-ID: <4C497360.1060408@st.com> mark at proseconsulting.co.uk wrote: > I need to be able to ultimately trust a public key in batch mode, that I > have downloaded automatically with wget from an internal server over HTTPS. > > I don't want to do --trust-model always, apart from the fact I want to > use a trusted key anyway, gpg --trust-model always --verify displays a > gratuitous warning "gpg: WARNING: Using untrusted key!". > > So how do I get gpg --batch --yes --edit-key trust to work? I would > have expected an option like --trust-level 5 that would allow the level > of trust to be selected in batch mode. > > So far I've considered using Expect to fill in the interactive fields > (but this feels like using a sledgehammer to crack a nut, it has so many > library dependencies), or modifying the source code to add the needed > option. Can anyone think of another way of achieving the same goal? I think that you might be confusing "trust" with "validity". If you want it to blindly encrypt data using a key that it's downloaded from a keyserver without you having signed it (or without it being declared valid by the web-of-trust), then you can use "--always-trust" when doing the encryption. From mark at proseconsulting.co.uk Fri Jul 23 13:35:52 2010 From: mark at proseconsulting.co.uk (mark at proseconsulting.co.uk) Date: Fri, 23 Jul 2010 12:35:52 +0100 Subject: gpg --batch --yes --edit-key trust Message-ID: <25247.1279884952@proseconsulting.co.uk> > On Fri 23/07/10 11:48 AM , David Smith Dave.Smith at st.com sent: > > I need to be able to ultimately trust a public key > > in batch mode, that I have downloaded automatically with wget from an > > internal server over HTTPS. > > I think that you might be confusing "trust" with "validity". > > If you want it to blindly encrypt data using a key that it's downloaded > from a keyserver without you having signed it (or without it being > declared valid by the web-of-trust), then you can use "--always-trust" > when doing the encryption. > I don't think I'm confused. I need this for verifying digital signatures only. I'm not encrypting. Let me demonstrate: Attempt 1: this is no good for me ... # gpg --import /tmp/swrepo.pub gpg: key 61404A7B: public key "swrepo server " imported gpg: Total number processed: 1 gpg: imported: 1 # gpg --verify catalog gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: Good signature from "swrepo server " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Attempt 2: this is also no good for me ... # gpg --trust-model always --verify catalog gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B gpg: Good signature from "swrepo server " gpg: WARNING: Using untrusted key! Attempt 3: this is what I'm after ... # gpg --edit-key "swrepo server" trust quit ... Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y ... # gpg --verify catalog gpg: Signature made 23 July 2010 11:44:51 BST using DSA key ID 61404A7B gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: Good signature from "swrepo server " So I need to ultimately trust a public key non-interactively. Which I can't do unless I have a way of telling gpg how far I trust the key in batch mode. This doesn't work: # gpg --batch --yes --edit-key "swrepo server" trust quit ... gpg: Sorry, we are in batchmode - can't get input If the option existed, I'd imagine this is how I would do it: # gpg --batch --yes --trust-level 5 --edit-key "swrepo server" trust quit or perhaps: # gpg --trust-key "swrepo server" 5 but of course I've made those options up, they don't exist. So the questions are a) is there already a way of achieving this? and b) if not, I'm happy to submit a patch to add the option, which of the above options makes more sense? Regards, Mark. From lists at whitehouse.org.nz Fri Jul 23 12:58:36 2010 From: lists at whitehouse.org.nz (Aaron Whitehouse) Date: Fri, 23 Jul 2010 22:58:36 +1200 Subject: Importing/Merging (secret) subkey into existing secret key Message-ID: <4C4975DC.3040903@whitehouse.org.nz> Hello, How do I import a subkey into an existing secret key? I use a DSA key with El-Gamal encryption keys that I regenerate every year. At some point my keyrings got out of sync and I ended up carrying on with an older key. There was a secret subkey in the middle there that got lost and I only noticed when I came to decrypt a file with it. I managed to find (after a lot of effort) a copy of the missing secret subkey and temporarily replaced my secring.pgp file to decrypt the encrypted document. Crisis averted. I would now like to merge that secret subkey into my main keyring, in case I ever need it again. I have (while I had my secring substituted) done a: gpg --export-secret-subkeys -a [subkey] > sec_subkey.asc and gone back to my main secring. Unfortunately, a gpg --import sec_subkey.asc doesn't import this subkey into my main keyring. How can I do this? Regards, Aaron From wk at gnupg.org Fri Jul 23 14:36:51 2010 From: wk at gnupg.org (Werner Koch) Date: Fri, 23 Jul 2010 14:36:51 +0200 Subject: [Announce] Security Alert for GnuPG 2.0 - Realloc bug in GPGSM Message-ID: <877hkmfk7w.fsf@vigenere.g10code.de> Realloc Bug with X.509 certificates in GnuPG ============================================== 2010-07-23 Summary ======= While trying to import a server certificate for a CDN service, a segv bug was found in GnuPG's GPGSM tool. It is likely that this bug is exploitable by sending a special crafted signed message and having a user verify the signature. [ Please do not send private mail in response to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]). ] Impact ====== All applications using GnuPG's GPGSM tool to process S/MIME messages or manage X.509 certificates are affected. The bug exists in all versions of GnuPG including the recently released GnuPG 2.0.16. GPG (i.e. OpenPGP) is NOT affected. GnuPG 1.x is NOT affected because it does not come with the GPGSM tool. An exploit is not yet known but it can't be ruled out for sure that the problem has not already been identified by some dark forces. Description =========== Importing a certificate with more than 98 Subject Alternate Names [2] via GPGSM's import command or implicitly while verifying a signature causes GPGSM to reallocate an array with the names. The bug is that the reallocation code misses assigning the reallocated array to the old array variable and thus the old and freed array will be used. Usually this leads to a segv. It might be possible to use one of the techniques to exploit assignments to malloced and freed memory. Such an exploit won't be easy to write because the attack vector must fit into a valid ASN.1 DER encoded DN. To further complicate the task, that DN is not used directly but after a transformation to RFC-2253 format. Solution ======== Apply the following patch. The patch is required for all GnuPG versions < 2.0.17. It applies to 2.0.16 but should apply to many older versions as well. --- kbx/keybox-blob.c (revision 5367) +++ kbx/keybox-blob.c (working copy) @@ -898,6 +898,7 @@ rc = gpg_error_from_syserror (); goto leave; } + names = tmp; } names[blob->nuids++] = p; if (!i && (p=x509_email_kludge (p))) Support ======= g10 Code GmbH [3], a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. Support contracts or other financial backing will greatly help us to improve the quality of GnuPG. Thanks ====== Peter Gutmann for his "A mighty fortress is our PKI" mail to the cryptography ML which contained a pointer to a certificate to exhibit the problem. This bug was created, found and fixed by Werner Koch. [1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel [2] [3] See http://www.gnupg.org/service.html -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From vedaal at nym.hush.com Fri Jul 23 15:51:38 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 23 Jul 2010 09:51:38 -0400 Subject: plausibly deniable Message-ID: <20100723135138.5C8731200AA@smtp.hushmail.com> >Message: 4 >Date: Thu, 22 Jul 2010 21:19:50 +0100 >From: Andre Amorim >To: GnuPG Users >Do we have a "plausibly deniable" option ? GnuPG can be used for plausible deniability both for encrypting and for signing: [1] hiding the identity of the encryption: The 'throw-keyids' option hides which keys the message is encrypted to (beware of this option, as it is useful only under very limited circumstances, i.e. posting anonymously in a newsgroup like alt.test, and where your threat model doesn't include government agencies or organized crime, so you can communicate by encryption but without using e- mail The reason to *not* use this option, is that it can be used by government to get access to all your keys and passwords! The government can claim, that in order to prove that you did not encrypt this, it must try all the keys in your possession, and in order to make sure that you didn't intentionally enter the 'wrong' password, it needs to enter the correct one. (The prosecutor may graciously allow you to change your passwords to temporary ones for this purpose, but if they can copy the key, then it won't really help you ;-) ). In fact, if one wanted to think 'really paranoid', then in a country where there is a law where people must surrender an encryption key upon demand to decrypt a message, then what prevents an intelligence agency from 'planting' a throw-keyid encrypted message on your computer by simply e-mailing it to you from an anonymous e-mail account? The message can be done with keys that only the intelligence agency has, and since you really didn't encrypt the message, you can't give up the session key, and now the government wants *all* your keys and passwords to prove you didn't encrypt the message. (Actually, you might try a defense that forcing you to try to decrypt a throw-keyid message using all the keys in your possession is already a violation of 'cruel and unusual punishment' ;-) ) [2] hiding the identity of the signer: (a) generate a new keypair and give it to a person you want to have 'plausible deniability' with (b) a signed message shown to anyone else, only means that 'one' of you signed it. Both of you know which one 'really' signed it, but neither can prove it. vedaal From vedaal at nym.hush.com Fri Jul 23 16:16:38 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 23 Jul 2010 10:16:38 -0400 Subject: plausibly deniable Message-ID: <20100723141638.60A81B8079@smtp.hushmail.com> vedaal at nym.hush.com wrote on Fri Jul 23 15:51:38 CEST 2010 >and since you really didn't >encrypt the message, you can't give up the session key, and now the >government wants *all* your keys and passwords to prove you didn't >encrypt the message. Sorry :-) meant to say: and since you really don't have the key the message was encrypted to, you can't give up the session key, and now the government wants *all* your keys and passwords to prove you don't have the key this message was encrypted to. vedaal From dkg at fifthhorseman.net Fri Jul 23 16:32:17 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 23 Jul 2010 10:32:17 -0400 Subject: plausibly deniable In-Reply-To: <20100723135138.5C8731200AA@smtp.hushmail.com> References: <20100723135138.5C8731200AA@smtp.hushmail.com> Message-ID: <4C49A7F1.4070309@fifthhorseman.net> On 07/23/2010 09:51 AM, vedaal at nym.hush.com wrote: >> From: Andre Amorim >> Do we have a "plausibly deniable" option ? > > [1] hiding the identity of the encryption: > > The 'throw-keyids' option hides which keys the message is encrypted to [...] > The government can claim, that in order to prove that you did not > encrypt this, it must try all the keys in your possession I think there is some confusion in this post about the nature of public key cryptography. There is no way to cryptographically prove the authorship of an arbitrary encrypted document. Anyone with access to the public key material (which is to say, anyone in the world) can encrypt messages to a given key. There is no way to "prove that you did not encrypt" a message. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From dkg at fifthhorseman.net Fri Jul 23 16:51:40 2010 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 23 Jul 2010 10:51:40 -0400 Subject: gpg --batch --yes --edit-key trust In-Reply-To: <25247.1279884952@proseconsulting.co.uk> References: <25247.1279884952@proseconsulting.co.uk> Message-ID: <4C49AC7C.2080103@fifthhorseman.net> On 07/23/2010 07:35 AM, mark at proseconsulting.co.uk wrote: >> On Fri 23/07/10 11:48 AM , David Smith Dave.Smith at st.com sent: >>> I need to be able to ultimately trust a public key >>> in batch mode, that I have downloaded automatically with wget from an >>> internal server over HTTPS. >> >> I think that you might be confusing "trust" with "validity". > > I don't think I'm confused. I need this for verifying digital signatures only. I'm not encrypting. If i understand you correctly, I think you want --import-ownertrust. feed it the equivalent of the output of gpg --export-ownertrust, and you should be able to do what you're looking for. You'll need to know the key's full fingerprint, though. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From vedaal at nym.hush.com Fri Jul 23 16:59:31 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 23 Jul 2010 10:59:31 -0400 Subject: plausibly deniable Message-ID: <20100723145931.5EBC52003D@smtp.hushmail.com> Daniel Kahn Gillmor dkg at fifthhorseman.net wrote on Fri Jul 23 16:32:17 CEST 2010 : > There is no way to "prove that you did not encrypt" a message. Agreed. But it is very simple to either give up a session key to an encrypted message, or show that that the message was not encrypted to any keypair in your possession. (Please see my amended post.) My point was only to show how the 'throw-keyid' option has potential problems. vedaal From war_is_peace at privatdemail.net Fri Jul 23 17:51:24 2010 From: war_is_peace at privatdemail.net (war_is_peace at privatdemail.net) Date: Fri, 23 Jul 2010 17:51:24 +0200 Subject: User ID without email address Message-ID: <4C49BA7C.5070104@privatdemail.net> Hi, I'm planning on finally uploading my key to a keyserver. Now I had the idea to add a primary user ID which contains only my name and no email address. The reason would be that i won't "lose" any signatures if I change my email address and revoke the then obsolete user id. Does that make sense? Are there known problems if a (primary) user ID doesn't contain any email address? Another question: What is the common practice when signing a key regarding its user IDs? Should you sign all user IDs, whether you checked if their email address belongs to the key owner or not? Is it common to verify the address at all? Greetings, Flo From jh at jameshoward.us Fri Jul 23 19:20:30 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Fri, 23 Jul 2010 13:20:30 -0400 Subject: User ID without email address In-Reply-To: <4C49BA7C.5070104@privatdemail.net> References: <4C49BA7C.5070104@privatdemail.net> Message-ID: <4C49CF5E.8020508@jameshoward.us> On 7/23/10 11:51 AM, war_is_peace at privatdemail.net wrote: > Does that make sense? Are there known problems if a (primary) user ID > doesn't contain any email address? Nope! Check out 0xE6602099 for my key with a primary uid of "James Patrick Howard, II". James -- James P. Howard, II, MPA MBCS CGFM From dshaw at jabberwocky.com Fri Jul 23 19:34:55 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 23 Jul 2010 13:34:55 -0400 Subject: User ID without email address In-Reply-To: <4C49BA7C.5070104@privatdemail.net> References: <4C49BA7C.5070104@privatdemail.net> Message-ID: On Jul 23, 2010, at 11:51 AM, war_is_peace at privatdemail.net wrote: > Hi, > > I'm planning on finally uploading my key to a keyserver. Now I had the > idea to add a primary user ID which contains only my name and no email > address. The reason would be that i won't "lose" any signatures if I > change my email address and revoke the then obsolete user id. > > Does that make sense? Are there known problems if a (primary) user ID > doesn't contain any email address? It does make sense, and some people do it. The problem is that it makes it difficult to use that key with some mail programs, which look for the proper key to use by email address. You can also have problem with people finding your key on keyservers. A better solution might be to just buy a domain (it's cheap these days) and then your email address will never change. > Another question: What is the common practice when signing a key > regarding its user IDs? Should you sign all user IDs, whether you > checked if their email address belongs to the key owner or not? No. When you make a signature, you are affirming that you believe that the user ID you are signing correctly represents the owner of the key. If you don't check the email address, you can't really affirm that. Not everyone checks. I believe they should. David From malte.gell at gmx.de Fri Jul 23 21:03:53 2010 From: malte.gell at gmx.de (Malte Gell) Date: Fri, 23 Jul 2010 21:03:53 +0200 Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <2098808829.5686921279874353134.JavaMail.root@zimbra7-e1.priv.proxad.net> References: <2098808829.5686921279874353134.JavaMail.root@zimbra7-e1.priv.proxad.net> Message-ID: <201007232104.04054.malte.gell@gmx.de> tux.tsndcb at free.fr wrote > > Yes and the boot partition is not encrypted, only /home But I solved it. > > It was an init script issue. On openSUSE there is an init script > > "earlyxdm" and it has overridden so to say the pinentry-ncurses program. > > I have now edited earlyxdm and have added my own script to > > Requried-Start, thus earlyxdm now waits until pinentry-curses does its > > job. It works now. Pretty cool, I can now unlock my LUKS volume with the > > openPGP card, that's nerd ;-) > > Hello Mate, > I use Debian and not OpenSuse, but I'm interristing by your script. > Could you give it ? Yes, of course. I have attached it, I named it open-luks-key. The only interesting stuff is the start and stop section. I have directly put the name of my luks partition there. It is a dumb script, does not detect anything automatically, but it works if the card reader is running fine. I even have not removed the FOO template stuff from it :-) Ugly, but works. The "Required-Start:" section needs to contain the PCSC daemon, that needs to run, so gpg-agent can call the pinentry program. Regards Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: open-luks-key Type: application/x-shellscript Size: 10954 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From dougb at dougbarton.us Fri Jul 23 21:27:44 2010 From: dougb at dougbarton.us (Doug Barton) Date: Fri, 23 Jul 2010 12:27:44 -0700 (PDT) Subject: plausibly deniable In-Reply-To: <4C492D84.7050506@gmail.com> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> <4C492D84.7050506@gmail.com> Message-ID: On Fri, 23 Jul 2010, Faramir wrote: > Doug Barton escribi?: >> On Thu, 22 Jul 2010, Faramir wrote: > ... >>> I don't see the signature, nor the claim about it being signed. I saw >>> an attachment, but Thunderbird didn't say it was a signature... >> >> If you navigate to the message in Thunderbird and then type Ctrl-U, then >> scroll down you'll see this in the attachment: >> Content-Type: application/pgp-signature; name="signature.asc" >> Content-Disposition: attachment; filename="signature.asc" > > Right. However, Thunderbird doesn't show the usual message about > signatures... something is not working right. Right, hence my query. :) I just wanted to be sure I wasn't missing something, the ways that different clients implement PGP/MIME is really, um, challenging. >> I'm working on my PGP/MIME filter for Alpine at the moment, so I'm >> turning over more rocks than usual. :) > > Good luck with it ;) Thanks! I am pretty close to wrapping it up, and I'm going to post a message about the release candidate version soon (unless someone objects). I am doing many c!3v3R h4x with sed to munge the messages for verification and display, and I will need some linux testers to be sure I haven't broken anything. But I don't want to get too far OT ... Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From faramir.cl at gmail.com Fri Jul 23 22:00:11 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 23 Jul 2010 16:00:11 -0400 Subject: User ID without email address In-Reply-To: References: <4C49BA7C.5070104@privatdemail.net> Message-ID: <4C49F4CB.8040706@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 David Shaw escribi?: > On Jul 23, 2010, at 11:51 AM, war_is_peace at privatdemail.net wrote: ... >> I'm planning on finally uploading my key to a keyserver. Now I had the >> idea to add a primary user ID which contains only my name and no email >> address. The reason would be that i won't "lose" any signatures if I >> change my email address and revoke the then obsolete user id. ... > It does make sense, and some people do it. The problem is that it makes it difficult to use that key with some mail programs, which look for the proper key to use by email address. You can also have problem with people finding your key on keyservers. Well, he can have a "freeform" UID (the one without the email address), which would be the "permanent" one, and add more UIDs with the email address... that would solve the problem about searching the key. The additional UIDs can be revoked and replaced by new ones if the email address change. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSfTLAAoJEMV4f6PvczxANEgIAI4zDTDEVPOBDtslJ/SQYVW5 0CNjThiwaSJkPdKd4ZC1ehXtkV6Fxx9KYu28B/4uNSJ5Xbo7U1xDBumMUAw02ikr 96GKkf4JOSbVEDx4yiORzpfzUwWIPKOaRqzlIFh4Rsrm8b3ta8w+OuUPFvOumMJ5 MmfBhNB4IfSk7/NFahzt5H2qpwQrW6UMjMBekf0ni9ZiyVIexwrb2/Gv39zMi47r p6hpsgp+W4zZ715muoolzfoaDihesGn3Jj1qQo7snGDZ+j/Fj4UF5N7kz6ITp9nn 4+CJqxP0bper0tv10TFVo4STaOEL28efBdME44Ss+QsJDCNDEHRSzX2Nmydhjs4= =moqW -----END PGP SIGNATURE----- From kgo at grant-olson.net Fri Jul 23 22:32:18 2010 From: kgo at grant-olson.net (Grant Olson) Date: Fri, 23 Jul 2010 16:32:18 -0400 Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <201007230852.17745.malte.gell@gmx.de> References: <201007230013.40148.malte.gell@gmx.de> <4C48D61A.60102@grant-olson.net> <201007230852.17745.malte.gell@gmx.de> Message-ID: <4C49FC52.6090300@grant-olson.net> On 7/23/10 2:52 AM, Malte Gell wrote: > > > Yes and the boot partition is not encrypted, only /home But I solved it. > > Regards > Malte > Just keep in mind that if you're not encrypting the whole disk, your sensitive data can leak to /tmp and swap. I'm only bringing this up because it seems like you've taken some elaborate steps to protect your data. -- Grant "I am very hungry," Kobayashi said. "I wish there were hot dogs in jail." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 559 bytes Desc: OpenPGP digital signature URL: From frankstefan at gmail.com Fri Jul 23 21:56:43 2010 From: frankstefan at gmail.com (Frank Stefan Sundberg Solli) Date: Fri, 23 Jul 2010 21:56:43 +0200 Subject: GPG2 SSH SmartCard Private Key Auth In-Reply-To: References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> <4C492D84.7050506@gmail.com> Message-ID: <4C49F3FB.8020103@gmail.com> Hi Guys. I am currently running OpenSolaris 2010, I got GPG2 set up and my (OpenPGP) Smartcard. I have no problems accesing the smartcard from GPG2 (e.g gpg2 --card-status) everything shows up fine, I am able to edit and view my keys and so on. The problem though is when I'm trying to get SSH to work with it. It wont authenticate. Here is a -vvv log of when im connecting: ssh -vvv user at host Sun_SSH_1.5, SSH protocols 1.5/2.0, OpenSSL 0x009080cf debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to hostname [IP] port 22. debug1: Connection established. debug1: identity file /export/home/frank/.ssh/identity type -1 debug1: identity file /export/home/frank/.ssh/id_rsa type -1 debug1: identity file /export/home/frank/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5 debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-Sun_SSH_1.5 debug1: use_engine is 'yes' debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers debug1: pkcs11 engine initialization complete debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: nb-NO debug2: kex_parse_kexinit: nb-NO debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible Unknown code 0 ) debug1: SSH2_MSG_KEXINIT sent debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0&& !0 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,3des-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: nb-NO debug2: kex_parse_kexinit: nb-NO debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: Peer sent proposed langtags, ctos: debug1: Peer sent proposed langtags, stoc: debug1: We proposed langtags, ctos: nb-NO debug1: We proposed langtags, stoc: nb-NO debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 146/256 debug1: bits set: 1062/2048 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /export/home/frank/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug3: check_host_in_hostfile: filename /export/home/frank/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'blazefire.danielbond.org' is known and matches the RSA host key. debug1: Found key in /export/home/frank/.ssh/known_hosts:1 debug1: bits set: 1008/2048 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0&& !0 debug2: set_newkeys: mode 1 debug1: set_newkeys: setting new keys for 'out' mode debug3: aes-128-ctr NID found debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: set_newkeys: setting new keys for 'in' mode debug3: aes-128-ctr NID found debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug2: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering agent key: cardno:000500000560 debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 lastkey 80d9108 hint -1 debug2: input_userauth_pk_ok: fp 6c:48:28:e4:72:39:2f:23:9e:88:10:23:2f:54:4d:38 debug3: sign_and_send_pubkey Agent admitted failure to sign using the key. debug3: clear_auth_state: key_free 80d9108 debug2: userauth_pubkey_agent: no more keys debug2: userauth_pubkey_agent: no message sent debug1: Trying private key: /export/home/frank/.ssh/identity debug3: no such identity: /export/home/frank/.ssh/identity debug1: Trying private key: /export/home/frank/.ssh/id_rsa debug3: no such identity: /export/home/frank/.ssh/id_rsa debug1: Trying private key: /export/home/frank/.ssh/id_dsa debug3: no such identity: /export/home/frank/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password The highlights here (I guess) is debug2: input_userauth_pk_ok: fp 6c:48:28:e4:72:39:2f:23:9e:88:10:23:2f:54:4d:38 debug3: sign_and_send_pubkey Agent admitted failure to sign using the key. debug3: clear_auth_state: key_free 80d9108 This didnt tell me much, so i set up gnupg-agent with debugging: 2010-07-23 20:01:57 gpg-agent[1315] gpg-agent (GnuPG) 2.0.13 started 2010-07-23 20:03:38 gpg-agent[1315] failed to build S-Exp (off=0): Bad character in S-expression 2010-07-23 20:03:38 gpg-agent[1315] failed to read the secret key Does anyone here have any idea how I can fix this? Regards Frank From jeandavid8 at verizon.net Fri Jul 23 23:15:05 2010 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Fri, 23 Jul 2010 17:15:05 -0400 Subject: Where is FAQ? Message-ID: <4C4A0659.6060002@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have what I am sure is a frequently asked question, but I cannot find a FAQ. I can find the archives, but I know no good way to search them. It is the question about the order of signing and encrypting a message. I am pretty sure that is the correct order, but a while ago there was a thread about this and I would like to find it. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 17:10:01 up 16 days, 1:56, 3 users, load average: 4.67, 4.70, 4.57 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFMSgZZPtu2XpovyZoRAkIaAKCKoqHhAl92EVSw8uf2HVq4B97OjQCff6Wi KJb0tNzL42UbRbNl+LlJscM= =FmEw -----END PGP SIGNATURE----- From teddks at gmail.com Sat Jul 24 00:08:19 2010 From: teddks at gmail.com (Ted Smith) Date: Fri, 23 Jul 2010 18:08:19 -0400 Subject: plausibly deniable In-Reply-To: <4C4931B7.2050909@gmail.com> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> <4C4931B7.2050909@gmail.com> Message-ID: <1279922899.8524.3.camel@anglachel> On Fri, 2010-07-23 at 02:07 -0400, Faramir wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Ted Smith escribi?: > ... > >> Deniable encryption is a useful tool, but it is not a universally good idea. > > > > An interrogator as described in this thread is a movie plot threat. In > > reality, nobody is going to torture you for your key, because there are > > much easier ways of obtaining your cleartext or figuring out if you have > > a hidden volume. > > Well, I suppose in most countries nobody is going to torture you, but > there are other countries where you can't be so sure... Also, an > interrogator that doesn't care about hurting an innocent can be very > dangerous, if he suspects he is being fooled. Nobody in any country is going to torture you for your key, because keyloggers are much less expensive than torturers + torturing equipment. It's much easier to just place a keylogger somehow and get the key in plaintext with no fuss in a week. There are dozens of other ways to do something like this. Torture is a great movie plot threat; people can easily imagine it happening, so they overestimate its likelihood. In reality, it is exceedingly rare for people to be tortured for their encryption keys. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From andre at amorim.me Sat Jul 24 00:40:58 2010 From: andre at amorim.me (Andre Amorim) Date: Fri, 23 Jul 2010 23:40:58 +0100 Subject: plausibly deniable In-Reply-To: <1279922899.8524.3.camel@anglachel> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> <4C4931B7.2050909@gmail.com> <1279922899.8524.3.camel@anglachel> Message-ID: On 23 July 2010 23:08, Ted Smith wrote: > On Fri, 2010-07-23 at 02:07 -0400, Faramir wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> Ted Smith escribi?: >> ... >> >> Deniable encryption is a useful tool, but it is not a universally good idea. >> > >> > An interrogator as described in this thread is a movie plot threat. In >> > reality, nobody is going to torture you for your key, because there are >> > much easier ways of obtaining your cleartext or figuring out if you have >> > a hidden volume. >> >> ? Well, I suppose in most countries nobody is going to torture you, but >> there are other countries where you can't be so sure... Also, an >> interrogator that doesn't care about hurting an innocent can be very >> dangerous, if he suspects he is being fooled. > > Nobody in any country is going to torture you for your key, because > keyloggers are much less expensive than torturers + torturing equipment. > It's much easier to just place a keylogger somehow and get the key in > plaintext with no fuss in a week. There are dozens of other ways to do > something like this. > > Torture is a great movie plot threat; people can easily imagine it > happening, so they overestimate its likelihood. In reality, it is > exceedingly rare for people to be tortured for their encryption keys. Tell that one to my wife though. LoL --Andre From rjh at sixdemonbag.org Sat Jul 24 02:56:52 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 23 Jul 2010 20:56:52 -0400 Subject: plausibly deniable In-Reply-To: <1279922899.8524.3.camel@anglachel> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> <4C4931B7.2050909@gmail.com> <1279922899.8524.3.camel@anglachel> Message-ID: <4C4A3A54.4010703@sixdemonbag.org> On 7/23/2010 6:08 PM, Ted Smith wrote: > Nobody in any country is going to torture you for your key, because > keyloggers are much less expensive than torturers + torturing equipment. This is not true. There are documented instances where people have been tortured to turn over crypto keys. You are assuming the torturer is a rational human being who has enough technical chops to know what a keylogger is and how to use it. In reality, torture is often the recourse of irrational human beings who, due to stress, ignorance, or any of dozens of other factors, do not immediately see a superior way to obtain the information. Yes, if the authority is rational and technically skilled they will have many better options than torture. I just disagree that all authorities, or even most of them, are both rational and technically skilled. From faramir.cl at gmail.com Sat Jul 24 04:04:08 2010 From: faramir.cl at gmail.com (Faramir) Date: Fri, 23 Jul 2010 22:04:08 -0400 Subject: plausibly deniable In-Reply-To: <1279922899.8524.3.camel@anglachel> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C48F62E.2050108@sixdemonbag.org> <1279852993.8660.14.camel@anglachel> <4C4931B7.2050909@gmail.com> <1279922899.8524.3.camel@anglachel> Message-ID: <4C4A4A18.2070307@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Ted Smith escribi?: > On Fri, 2010-07-23 at 02:07 -0400, Faramir wrote: ... >> Well, I suppose in most countries nobody is going to torture you, but >> there are other countries where you can't be so sure... Also, an ... > Nobody in any country is going to torture you for your key, because > keyloggers are much less expensive than torturers + torturing equipment. > It's much easier to just place a keylogger somehow and get the key in > plaintext with no fuss in a week. There are dozens of other ways to do > something like this. That is assuming the investigating party has time and knowledge to place the keylogger. But maybe the investigating party already seized the computer, maybe not expecting to find encryption software in it. And at that point is too late to place a keylogger. Besides, torture is just a possibility, the scenario Robert mentioned is nasty enough, even if it didn't involve anything illegal. We are not saying it is bad plausibly deniability, it is just you need to consider if that can cause troubles to you. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBCAAGBQJMSkoYAAoJEMV4f6PvczxA98AH/2qrVK50qlTnOG03T2oqi52X TFUE4Ny1vT/BMN4T5SbvnkziyzyHYR2yDf9zjjcUX8jFw72gfIUTrjznpaHIHa24 dwYVSF5z7iZW1WKd4pp3I7+t6YWetsaHgukKzKd5cLxu9iNa9U/ZnS06kVuJnl+Z RxiwVpwyo1DLIRf+KeSP9/69VlsC79U8+g64MFj2zn73kKzrBXMS1Uz9H83ssmqt bD+oa1t0L6/qozPqr9Ov/1IIgNyhM9NvGhRAA0VCd2Mtfpc5Fe09Sr6PI53VFJJ3 cI/IR1Tyhm+RDKumL8CzIcFyAXCYEaOM7WRoJuyuuna5wp2ICOSC+t3uWjktnNs= =Q64l -----END PGP SIGNATURE----- From htd at fritha.org Sat Jul 24 08:48:48 2010 From: htd at fritha.org (Heinz Diehl) Date: Sat, 24 Jul 2010 08:48:48 +0200 Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <4C49FC52.6090300@grant-olson.net> References: <201007230013.40148.malte.gell@gmx.de> <4C48D61A.60102@grant-olson.net> <201007230852.17745.malte.gell@gmx.de> <4C49FC52.6090300@grant-olson.net> Message-ID: <20100724064848.GA6292@fritha.org> On 23.07.2010, Grant Olson wrote: > Just keep in mind that if you're not encrypting the whole disk, your > sensitive data can leak to /tmp and swap. I'm only bringing this up > because it seems like you've taken some elaborate steps to protect your > data. I second that. Besides, holding a GPG encrypted keyfile on unencrypted space to open a LUKS/dmcrypt encrypted device, opening/decrypting the keyfile in the boot process by entering the correct passphrase, to finally open the LUKS/dmcrypt secured device seems broken to me. Why not just use the same secure passphrase for the LUKS keyslot directly, instead of using a keyfile? Seems a little bit like "security by obscurity" to me.. (Malte: I hacked a lot on the opensuse bootscripts related to LUKS/dmcrypt in the last 2 years, if you need to customize your system in such a way that is not possible to achieve with the opensuse installer, feel free to drop me a note) From wk at gnupg.org Sat Jul 24 08:21:22 2010 From: wk at gnupg.org (Werner Koch) Date: Sat, 24 Jul 2010 08:21:22 +0200 Subject: GPG2 SSH SmartCard Private Key Auth In-Reply-To: <4C49F3FB.8020103@gmail.com> (Frank Stefan Sundberg Solli's message of "Fri\, 23 Jul 2010 21\:56\:43 +0200") References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> <4C492D84.7050506@gmail.com> <4C49F3FB.8020103@gmail.com> Message-ID: <8739v9wgbh.fsf@wheatstone.g10code.de> > The problem though is when I'm trying to get SSH to work with it. It > wont authenticate. Does "ssh-add -l" sdhow the key? > 2010-07-23 20:01:57 gpg-agent[1315] gpg-agent (GnuPG) 2.0.13 started It would better to try 2.0.16 becuase that is the one I can test. > 2010-07-23 20:03:38 gpg-agent[1315] failed to build S-Exp (off=0): Bad character in S-expression Somewhere in agent/findkey.c - you need to debug it. Tracing which files gpg-agent opens might help - it will be one below private-keys-v1.d. Look at that file using /usr/local/libexec/gpg-protect-tools FILE Does it parse cleanly? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Sat Jul 24 11:11:39 2010 From: wk at gnupg.org (Werner Koch) Date: Sat, 24 Jul 2010 11:11:39 +0200 Subject: SHA2 digest, V2 smartcard and gpg-agent problem In-Reply-To: <201007222125.02489.stanislav@sidorenko.biz> (Stanislav Sidorenko's message of "Thu\, 22 Jul 2010 21\:25\:02 +0400") References: <201007222125.02489.stanislav@sidorenko.biz> Message-ID: <87mxthkzw4.fsf@wheatstone.g10code.de> Stanislav Sidorenko writes: > I've made a quick&dirty fix that enables using SHA256 instead of RIPEMD160. > hashalgo == GCRY_MD_SHA256? "--hash=sha256 ": "", > Okay. I just fixed that and gnupg 1 will now allow all hash algorithms. Note that this change is only required if you use gpg 1 with gpg-agent. In general it is better to use gpg2 - we keep gpg mainly for server operations and then it uses the integrated card stuff - without scdaemon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From frankstefan at gmail.com Sat Jul 24 15:09:57 2010 From: frankstefan at gmail.com (Frank Stefan Sundberg Solli) Date: Sat, 24 Jul 2010 15:09:57 +0200 Subject: GPG2 SSH SmartCard Private Key Auth In-Reply-To: <8739v9wgbh.fsf@wheatstone.g10code.de> References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> <4C492D84.7050506@gmail.com> <4C49F3FB.8020103@gmail.com> <8739v9wgbh.fsf@wheatstone.g10code.de> Message-ID: <4C4AE625.3020608@gmail.com> On 24.07.10 08:21, Werner Koch wrote: >> The problem though is when I'm trying to get SSH to work with it. It >> wont authenticate. > Does "ssh-add -l" sdhow the key? Yes it shows up here >> 2010-07-23 20:01:57 gpg-agent[1315] gpg-agent (GnuPG) 2.0.13 started > It would better to try 2.0.16 becuase that is the one I can test. > >> 2010-07-23 20:03:38 gpg-agent[1315] failed to build S-Exp (off=0): Bad character in S-expression > Somewhere in agent/findkey.c - you need to debug it. Tracing which > files gpg-agent opens might help - it will be one below > private-keys-v1.d. Look at that file using > > /usr/local/libexec/gpg-protect-tools FILE > > Does it parse cleanly? 1 out of 3 parses, the errors are gpg-protect-tool: invalid S-Expression in `E1771DB82D9516EE5866A3E617AE04ACE36B3574.key' (off=0): Unexpected reserved punctuation in S-expression frank at t60-opensolaris:~/.gnupg/private-keys-v1.d$ gpg-protect-tool 6BA2F28EA67A715A92FF055793954B68AA03C833.key gpg-protect-tool: invalid S-Expression in `6BA2F28EA67A715A92FF055793954B68AA03C833.key' (off=0): Bad character in S-expression > > > Shalom-Salam, > > Werner > > From malte.gell at gmx.de Sat Jul 24 21:53:08 2010 From: malte.gell at gmx.de (Malte Gell) Date: Sat, 24 Jul 2010 21:53:08 +0200 Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <20100724064848.GA6292@fritha.org> References: <201007230013.40148.malte.gell@gmx.de> <4C49FC52.6090300@grant-olson.net> <20100724064848.GA6292@fritha.org> Message-ID: <201007242153.16767.malte.gell@gmx.de> Hi there, > Besides, holding a GPG encrypted keyfile on unencrypted space to open a > LUKS/dmcrypt encrypted device, opening/decrypting the keyfile in the boot > process by entering the correct passphrase, to finally open the > LUKS/dmcrypt secured device seems broken to me. Can you explain, why this setup is broken? The keyfile consists of 4 kBytes of random data and is encrypted with my PGP key, which itself is a 1024 bit RSA key, thus the security of my encrypted partition basially is as secure as my PGP key. > Why not just use the same > secure passphrase for the LUKS keyslot directly, instead of using a > keyfile? The idea behind the whole thing is, that the openPGP pin is much easier to enter than a long password/phrase and if you use the openPGP card you simply need a keyfile to have a token that you use openPGP upon. > Seems a little bit like "security by obscurity" to me.. I'm sorry, but this is pure nonsense. This setup is secure. The keyfile is openPGP encrypted and when decrypted, it is piped to the cryptsetup command. There is no security hole. An attacker who gains access to the hard drive would have to break the openPGP encrypted keyfile. > (Malte: I hacked a lot on the opensuse bootscripts related to LUKS/dmcrypt > in the last 2 years, if you need to customize your system in such a way > that is not possible to achieve with the opensuse installer, feel free to > drop me a note) Well, I now achieved what I wanted to achieve. The number of people who own an openPGP card is very small so I think a small howto would be enough for these folks. Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From expires2010 at ymail.com Sun Jul 25 13:51:03 2010 From: expires2010 at ymail.com (MFPA) Date: Sun, 25 Jul 2010 12:51:03 +0100 Subject: Where is FAQ? In-Reply-To: <4C4A0659.6060002@verizon.net> References: <4C4A0659.6060002@verizon.net> Message-ID: <193318934.20100725125103@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 23 July 2010 at 10:15:05 PM, in , Jean-David Beyer wrote: > I have what I am sure is a frequently asked question, > but I cannot find a FAQ. I can find the archives, but I > know no good way to search them. Did you try http://marc.info/?l=gnupg-users ? > It is the question about the order of signing and > encrypting a message. I am pretty sure that is the > correct order, The usual way is to issue the --sign and the --encrypt options on the same command line. It makes no difference which order they appear, GnuPG will (in effect) combine encryption and signing into a single step. Some people (clear)sign a message and then encrypt the signed message. There may be groups or organisations that require this. I'm not aware of any advantages of doing it this way. A disadvantage is doubling of effort: the sender performs two gpg commands instead of one and so does the recipient. If you are communicating with a Hushmail address, your signature will only be detected if you first encrypt the message and then sign the encrypted message. Hushmail's webmail system is the only application I have encountered that requires it this way around. - -- Best regards MFPA mailto:expires2010 at ymail.com War is a matter of vital importance to the State. -----BEGIN PGP SIGNATURE----- iQCVAwUBTEwlO6ipC46tDG5pAQp/WgP/RRH6G39t1MMKXzPOZqgo59LrCNKlWx7g cBcp/GCOO2l4BuvR5hcHWonmPcgSsIJ5Zdz/IbllQSiPAfCZI4DlYUka7sYn9gqd a8xKfOm/gpTRCtpReBdRuj08/QkmjvKtRue6fMOBkADQn6RBy0dZrmu55dlsYo2R gyR2FoEWefE= =WF3G -----END PGP SIGNATURE----- From wk at gnupg.org Sun Jul 25 14:54:13 2010 From: wk at gnupg.org (Werner Koch) Date: Sun, 25 Jul 2010 14:54:13 +0200 Subject: verifying hashes with Gnupg In-Reply-To: <20100721145203.53A402003D@smtp.hushmail.com> (vedaal@nym.hush.com's message of "Wed, 21 Jul 2010 10:52:03 -0400") References: <20100721145203.53A402003D@smtp.hushmail.com> Message-ID: <876303hgcq.fsf@gnupg.org> On Wed, 21 Jul 2010 16:52, vedaal at nym.hush.com said: > windows command line doesn't recognize it (without cygwin) The gpg4win SVN has a sha1sum, sha256sum and md5sum complete with check option and proper filename special character escaping. It will be part of all future gpg4win releases. It is one simple source file. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Sun Jul 25 14:50:12 2010 From: wk at gnupg.org (Werner Koch) Date: Sun, 25 Jul 2010 14:50:12 +0200 Subject: GPG2 SSH SmartCard Private Key Auth In-Reply-To: <4C4AE625.3020608@gmail.com> (Frank Stefan Sundberg Solli's message of "Sat, 24 Jul 2010 15:09:57 +0200") References: <4C48AACC.4090606@fifthhorseman.net> <4C48BC99.6080103@fifthhorseman.net> <4C490C32.5090105@gmail.com> <4C492D84.7050506@gmail.com> <4C49F3FB.8020103@gmail.com> <8739v9wgbh.fsf@wheatstone.g10code.de> <4C4AE625.3020608@gmail.com> Message-ID: <87aapfhgjf.fsf@gnupg.org> On Sat, 24 Jul 2010 15:09, frankstefan at gmail.com said: > gpg-protect-tool: invalid S-Expression in > E1771DB82D9516EE5866A3E617AE04ACE36B3574.key' (off=0): Unexpected > reserved punctuation in S-expression There is somewthing wrong ;-). You need to look at the file to see what the problem is. Or step with the debug through it to see which parts gives the error messages. The problem is that it contains your private key (passphrase protected) and tus should not be send around. Any special characters in the ssh key comment? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From telegraph at gmx.net Sun Jul 25 16:47:20 2010 From: telegraph at gmx.net (Gregor Zattler) Date: Sun, 25 Jul 2010 16:47:20 +0200 Subject: Where is FAQ? In-Reply-To: <4C4A0659.6060002@verizon.net> References: <4C4A0659.6060002@verizon.net> Message-ID: <20100725144720.GX23940@shi.workgroup> Hi Jean-David, * Jean-David Beyer [23. Jul. 2010]: > I have what I am sure is a frequently asked question, but I cannot find > a FAQ. There is a FAQ at http://www.gnupg.org/faq.html but it does not contain your question. > I can find the archives, but I know no good way to search them. > > It is the question about the order of signing and encrypting a message. if you --sign and --encrypt a file in one go -- as one would normally -- gnupg first signs and then encrypt the signed data. The order of the --sign and --encrypt commands on the command line does not matter. Ciao, Gregor -- -... --- .-. . -.. ..--.. ...-.- From vedaal at nym.hush.com Mon Jul 26 04:10:02 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Sun, 25 Jul 2010 22:10:02 -0400 Subject: plausibly deniable Message-ID: <20100726021002.71E231200AA@smtp.hushmail.com> On Sun, 25 Jul 2010 11:09:34 -0400 MFPA wrote: >Hi > > >On Friday 23 July 2010 at 2:51:38 PM, in >, >vedaal at nym.hush.com wrote: > > >> [2] hiding the identity of the signer: > >> (a) generate a new keypair and give it to a person you >> want to have 'plausible deniability' with > >> (b) a signed >> message shown to anyone else, only means that 'one' of >> you signed it. > >If you received a message signed with 0x413b9aa558ffe07d, which >individual would you suppose had signed it? >(That key is on the servers.) For this type of shared key, the key would be made with both individuals names: i.e. SmithJones at JonesSmith.test (Comment: this keypair is in possession of both Smith and Jones) so, if you saw a signed message with this key, you would think it would be signed by either Smith or Jones vedaal From rjh at sixdemonbag.org Mon Jul 26 04:24:19 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 25 Jul 2010 22:24:19 -0400 Subject: plausibly deniable In-Reply-To: <20100726021002.71E231200AA@smtp.hushmail.com> References: <20100726021002.71E231200AA@smtp.hushmail.com> Message-ID: <4C4CF1D3.4010703@sixdemonbag.org> On 7/25/10 10:10 PM, vedaal at nym.hush.com wrote: > so, if you saw a signed message with this key, you would think it > would be signed by either Smith or Jones This is not really plausible deniability. "You say you didn't write it? Fine. I guess we'll prosecute both you /and/ Jones, then!" Let's say SmithJones at aol.com gets involved in something the authorities don't like -- let's say narcotics trafficking. What happens is Smith and Jones *both* face charges of conspiracy to traffic, since the collusion before to produce a shared keypair is prima facie evidence of cooperation to hinder prosecution. Is it rebuttable? Sure. Is it a nightmare for both of them? Yes. Does it make their communications plausibly deniable? Not even close. From mark at proseconsulting.co.uk Mon Jul 26 10:01:51 2010 From: mark at proseconsulting.co.uk (mark at proseconsulting.co.uk) Date: Mon, 26 Jul 2010 09:01:51 +0100 Subject: gpg --batch --yes --edit-key trust Message-ID: <7937.1280131311@proseconsulting.co.uk> > On Fri 23/07/10 3:51 PM , Daniel Kahn Gillmor dkg at fifthhorseman.net sent: >>>> I need to be able to ultimately trust a public key in batch mode, that I have downloaded >>>> automatically with wget from an internal server over HTTPS. >>> >>> I think that you might be confusing "trust" with "validity". >> >> I don't think I'm confused. I need this for verifying digital signatures only. I'm not encrypting. > > If i understand you correctly, I think you want --import-ownertrust. > > feed it the equivalent of the output of gpg --export-ownertrust, and > you should be able to do what you're looking for. > > You'll need to know the key's full fingerprint, though. > > --dkg Perfect, that'll do me just fine! I've scripted this suggestion: #!/bin/ksh # # Set trust level for a given GPG key # AWK=/bin/gawk [ -x /bin/nawk ] && AWK=/bin/nawk [ $# -ne 2 ] && echo "Syntax: $0 key trust-level" && exit 1 gpg --fingerprint --list-keys "$1" |\ $AWK -v tmpfile="$TMPFILE" -v trustlevel="$2" ' /fingerprint/ { for (i=4; i<=NF; i++) fpr=fpr $i } END { FS=":" cmd="gpg --export-ownertrust" while (cmd | getline) if ($1!=fpr) print close(cmd) print fpr ":" trustlevel ":" } ' | gpg --import-ownertrust Here's an example of the script in use: # gpg --import swrepo.pub gpg: key 61404A7B: public key "swrepo server " imported gpg: Total number processed: 1 gpg: imported: 1 # ./set-gpg-trust "swrepo server" 6 gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: setting ownertrust to 6 From mark at proseconsulting.co.uk Mon Jul 26 10:14:01 2010 From: mark at proseconsulting.co.uk (mark at proseconsulting.co.uk) Date: Mon, 26 Jul 2010 09:14:01 +0100 Subject: gpg --batch --yes --edit-key trust Message-ID: <50112.1280132041@proseconsulting.co.uk> On Mon 26/07/10 9:01 AM , mark at proseconsulting.co.uk sent: > Perfect, that'll do me just fine! I've scripted this suggestion: > > #!/bin/ksh > # > # Set trust level for a given GPG key > # > AWK=/bin/gawk > [ -x /bin/nawk ] && AWK=/bin/nawk > > [ $# -ne 2 ] && echo "Syntax: $0 key trust-level" && exit 1 > > gpg --fingerprint --list-keys "$1" |\ > $AWK -v tmpfile="$TMPFILE" -v trustlevel="$2" ' > /fingerprint/ { for (i=4; i > END { > FS=":" > cmd="gpg --export-ownertrust" > while (cmd | getline) if ($1!=fpr) print > close(cmd) > print fpr ":" trustlevel ":" > } > ' | gpg --import-ownertrust Sorry, -v tmpfile="$TMPFILE" was a throw-back to an earlier test, you don't need to pass that variable to AWK, i.e. gpg --fingerprint --list-keys "$1" |\ $AWK -v trustlevel="$2" ' And sorry about the formatting. My mail client stripped all the indentation. From dalvarezso at ixe.com.mx Mon Jul 19 17:17:42 2010 From: dalvarezso at ixe.com.mx (Diego Alvarez Sotelo) Date: Mon, 19 Jul 2010 10:17:42 -0500 Subject: BUG 1253 hace 8 horas *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop chatting diegoas Message-ID: <84494CC0410AF94D9AA415EB1B958D41041CF168EB@EXCHMAILIP01.ixecorp.ixe.com.mx> I have one Zone in Solaris 10 and i am trying to install encryptor Gnugp 1.4.10 In the process for installation "make" i have this messages: make[2]: Entering directory `/usr/local/gnupg-1.4.10/tools' gcc -DHAVE_CONFIG_H -I. -I.. -I../include -I../intl - DLOCALEDIR="\"/usr/local/share/locale\"" -D_REENTRANT -I/usr/local/include -g - O2 -Wall -MT gpgsplit.o -MD -MP -MF .deps/gpgsplit.Tpo -c -o gpgsplit.o gpgsplit.c mv -f .deps/gpgsplit.Tpo .deps/gpgsplit.Po make[2]: *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop. make[2]: Leaving directory `/usr/local/gnupg-1.4.10/tools' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/usr/local/gnupg-1.4.10' make: *** [all] Error 2 Regards in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gi185002 at ncr.com Tue Jul 20 12:32:48 2010 From: gi185002 at ncr.com (Guru_i) Date: Tue, 20 Jul 2010 03:32:48 -0700 (PDT) Subject: GPG decrypts but 11 bytes header of PGP doenst go and so it file Message-ID: <29213462.post@talk.nabble.com> Hi Im running into strange issue here. 1) I have large set of volume (multiple binary and text files) which are encrypted using PGP CL. and trying to decrypt in GnuPG CL 2) Each binary block file is set of TIFF images appended back to back. and encrypted using PGP CL AES256 cipher. 3) When I decrypt those block files (53) I see file 13, 26, 39 and 51 doens't decrypt properly BUT I dont get any error during decryption. The only way I can verify that decryption didnt work is because I can not see the TIFF images in it and also has same 11 bytes present which are there in encrypted block. im using gpg (GnuPG) 1.4.8 Below is the command im trying to run >gpg -vvv --output decryptblock_13 --passphrase 11::02::02-04::103::2010_cidmdp6" -d IMAGEARCHIVENEW_13 gpg: using character set `CP437' :marker packet: PGP :symkey enc packet: version 4, cipher 9, s2k 3, hash 2 salt af0784e63d4be8e0, count 524288 (144) gpg: AES256 encrypted data :encrypted data packet: length: unknown mdc_method: 2 gpg: encrypted with 1 passphrase :literal data packet: mode b (62), created 0, name="imagearchivenew_13", raw data: unknown length gpg: original file name='imagearchivenew_13' gpg: decryption okay -- View this message in context: http://old.nabble.com/GPG-decrypts-but-11-bytes-header-of-PGP-doenst-go-and-so-it-file-tp29213462p29213462.html Sent from the GnuPG - User mailing list archive at Nabble.com. From Brian.Cooperider at RelayHealth.com Tue Jul 20 22:48:41 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Tue, 20 Jul 2010 13:48:41 -0700 Subject: Can't open PGP file with Gnupg Message-ID: I'm having an issue opening a file sent to us. They are using pgp commend line version 6.5. We are using GnuPG 2.0.12. When we try to open the file we get the message File contained no openPGdata. Any help you can provide would be greatly appreciated. Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jjperry at water.com Wed Jul 21 00:15:35 2010 From: jjperry at water.com (Perry, James J.) Date: Tue, 20 Jul 2010 18:15:35 -0400 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <4C461E89.8070409@gmail.com> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> <4C461E89.8070409@gmail.com> Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F81E2@EXVS01.dsw.net> I was able to get that to work a while back but the main problem I am having is that if I have the display set on the terminal doing the ssh into the host but no X-server (Cygwin/X) running on my PC, then it fails to fall back to text-based password requests, making me spend hours trying to figure out what happened. If the interface is being changed in this manner than it would seem that simple code to check for a responding X-server or if the X-server connection is denied, it would fall back to curses style windows. HP's diagnostic tool stm, installation utility swinstall and OS level tool SAM all have had this logic for > 10 years. Just me doing something unexpected when the application was being beta tested that I wanted to bring up with a solution to see if it could improve the new interface to the application. Thanks! -Jim -----Original Message----- From: Chris Ruff [mailto:jcruff at gmail.com] Sent: Tuesday, July 20, 2010 6:09 PM To: Perry, James J. Cc: gnupg-users at gnupg.org Subject: Re: GPG seems broken on FC13 after upgrade. On 06/01/2010 06:49 PM, Perry, James J. wrote: > I just updated to FC 13 and not gpg fails to work for any user. I get > the following messages when I try to decrypt a file and have the DISPLAY > set even though I am not using X. > > > > gpg --pgp6 EDI997.20100601091546.pgp > > > > You need a passphrase to unlock the secret key for > > user: "xyz" > > 2048-bit ELG key, ID ... > > > > can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory > > gpg-agent[24444]: command get_passphrase failed: Operation cancelled > > gpg: cancelled by user > > gpg: encrypted with 2048-bit ELG key, ID ... > > gpg: public key decryption failed: General error > > gpg: decryption failed: No secret key > > > > This happens when I have a DISPLAY variable set. Without it I get a bad > looking curses interface image like below: > > lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq k > > x Please enter the passphrase to unlock the secret key for the OpenPGP x > > x certificate: x > > x "xyz" x > > x 2048-bit ELG key, ID ... x > > x created 2010-05-30 (main key ID ...). x > > x x > > x x > > x Passphrase __________________________________________________________ x > > x x > > x x > > mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq j > > > > This was not how it worked when I used it prior to upgrading to FC13. I > do not want all the pretty stuff and I need it to prompt for a password > on the command line like it did prior to the used of pinentry-qt or > pinentry-curses. What do I need to fix? I spent 4 hours digging around > to just find that if I had a DISPLAY variable set but no X-Server > running on my MS Win box, it would not even work. Users of GPG here on > Linux will not understand that issue so I will need to keep it running > as it did before, but no manuals I found seemed to indicate how to > correct it. > > > > Thanks! > > -Jim > > > > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users I'm not sure if this is your exact problem but on my openSuSE 11.2 system Seahorse really made a mess of things. Try running your gpg-agent the old fashion way and export the variables. I'm initializing mine in .xinitrc with an eval statement and relevant arguments b/c seahorse doesn't seem to work correctly with scdaemon. -- __________________________________ Chris Ruff email: jcruff at gmail.com gpg key: 0x0621F585 gpg fgpr: E3C4 0E2E AD99 59A2 E4D0 DC1B FD21 25BC 0621 F585 Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. ---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- From jjperry at water.com Wed Jul 21 16:53:43 2010 From: jjperry at water.com (Perry, James J.) Date: Wed, 21 Jul 2010 10:53:43 -0400 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <1CA09898-6D99-47B9-870F-ABC0735AC6F5@jabberwocky.com> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> <1CA09898-6D99-47B9-870F-ABC0735AC6F5@jabberwocky.com> Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F81E3@EXVS01.dsw.net> > I just updated to FC 13 and not gpg fails to work for any user. I get the following messages when I try to decrypt a file and have the DISPLAY set even though I am not using X. > > gpg --pgp6 EDI997.20100601091546.pgp > > You need a passphrase to unlock the secret key for > user: "xyz" > 2048-bit ELG key, ID ... > > can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory > gpg-agent[24444]: command get_passphrase failed: Operation cancelled > gpg: cancelled by user > gpg: encrypted with 2048-bit ELG key, ID ... > gpg: public key decryption failed: General error > gpg: decryption failed: No secret key [..] >> This was not how it worked when I used it prior to upgrading to FC13. I >>do not want all the pretty stuff and I need it to prompt for a password on >>the command line like it did prior to the used of pinentry-qt or pinentry->>curses. What do I need to fix? I spent 4 hours digging around to just >>find that if I had a DISPLAY variable set but no X-Server running on my MS >>Win box, it would not even work. Users of GPG here on Linux will not >>understand that issue so I will need to keep it running as it did before, >>but no manuals I found seemed to indicate how to correct it. >Fedora 13 made a (in my opinion) bad change in how they handle GnuPG. >Previously, there were two packages: 'gnupg' and 'gnupg2'. This makes >sense since the two branches of GnuPG are intentionally non-conflicting, >and while there is significant overlap, do serve somewhat different >purposes. >Fedora 13 removed 'gnupg' (i.e. gnupg 1.4.x) and caused the 'gnupg2' (i.e. >gnupg 2.x) package to replace it. This breaks all sorts of scripts and >things that were written to use 1.4.x. >A few people are trying to get this fixed in Fedora. > http://lists.fedoraproject.org/pipermail/devel/2010-July/138765.html > http://lists.fedoraproject.org/pipermail/devel/2010-July/138781.html >David Thanks for the links. If Fedora does not make the needed changes it would seem that the gnupg2 code would at least need to be altered to check for a working X display first, and then try curses. Optimally I think it would be nice to have a config parameter in the /etc/gnupg/gpgconfig file to specify the interface type be it X, curses or command line. I did not see any settings to control that when I dug through the configs and man pages months ago. Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. ---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- From jjperry at water.com Thu Jul 22 16:54:08 2010 From: jjperry at water.com (Perry, James J.) Date: Thu, 22 Jul 2010 10:54:08 -0400 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <87lj94ge7w.fsf@vigenere.g10code.de> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net><1CA09898-6D99-47B9-870F-ABC0735AC6F5@jabberwocky.com> <87lj94ge7w.fsf@vigenere.g10code.de> Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F81E8@EXVS01.dsw.net> Thanks for the update. As most of my GnuPG use is via script I normally do not see problems it is when I am trying to resolve problem that I run into issues where the new interface requires X or curses to interact with GnuPG. Of course better error messages about not being able to connect to X would have been very useful when I first noted the problem. -Jim On Wed, 21 Jul 2010 16:33, dshaw at jabberwocky.com said: > Fedora 13 removed 'gnupg' (i.e. gnupg 1.4.x) and caused the 'gnupg2' (i.e. gnupg 2.x) package to replace it. This breaks all sorts of scripts and things that were written to use 1.4.x. FWIW, the new 2.0.16 may help to mitigate this problem if the --use-standard-socket option is used. The agent will then be started if needed. You can't use this feature if your home directory is NFS mounted or you are not using X. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. ---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- From shavital at mac.com Mon Jul 26 16:23:14 2010 From: shavital at mac.com (Charly Avital) Date: Mon, 26 Jul 2010 10:23:14 -0400 Subject: Can't open PGP file with Gnupg In-Reply-To: References: Message-ID: <4C4D9A52.7080202@mac.com> Cooperider, Brian wrote the following on 7/20/10 4:48 PM: > File contained no openPGdata. GnuPG requires Unix line endings. Maybe, just maybe the file that was created by 6.5 command line (would that be PGP Command line 6.5.8?) is not Unix line ended. You might want to try and convert that file from his current format to Unix line-endings, using a text editor. As a Macintosh user, I would avail myself of BBEdit. I guess that you are a Windows user, I don't know which editor would be available. Just a thought. Charly From Brian.Cooperider at RelayHealth.com Mon Jul 26 16:23:02 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Mon, 26 Jul 2010 07:23:02 -0700 Subject: file contained no OpenPGPdata Message-ID: I asked this last week but I don't think it got answered. We have a customer using pgp command line version 6.5. The file they are sending us is giving us the error "file contained no OpenPGData" We are using GnuPG 2.0.12, GPA 0.9.0. We have not been able to resolve the issue. We are not having any issues with our other customers but are uncertain if anyone else is using the same pgp version. Any help would be greatly appreciated. Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From Brian.Cooperider at RelayHealth.com Mon Jul 26 16:41:55 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Mon, 26 Jul 2010 07:41:55 -0700 Subject: Can't open PGP file with Gnupg In-Reply-To: Produced By Microsoft Exchange V6.5 References: Produced By Microsoft Exchange V6.5 Message-ID: Thanks Charly for the quick response. We are a windows user. I'll need to verify the exact version of pgp they are using. I won't be able to see if that works until tomorrow but hopefully it does. Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -----Original Message----- From: Charly Avital [mailto:shavital at mac.com] Sent: Monday, July 26, 2010 10:23 AM To: gnupg-users at gnupg.org Subject: Re: Can't open PGP file with Gnupg Cooperider, Brian wrote the following on 7/20/10 4:48 PM: > File contained no openPGdata. GnuPG requires Unix line endings. Maybe, just maybe the file that was created by 6.5 command line (would that be PGP Command line 6.5.8?) is not Unix line ended. You might want to try and convert that file from his current format to Unix line-endings, using a text editor. As a Macintosh user, I would avail myself of BBEdit. I guess that you are a Windows user, I don't know which editor would be available. Just a thought. Charly From rjh at sixdemonbag.org Mon Jul 26 16:50:43 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 26 Jul 2010 10:50:43 -0400 Subject: Can't open PGP file with Gnupg In-Reply-To: References: Produced By Microsoft Exchange V6.5 Message-ID: <4C4DA0C3.6090401@sixdemonbag.org> On 7/26/10 10:41 AM, Cooperider, Brian wrote: > Thanks Charly for the quick response. We are a windows user. I'll need > to verify the exact version of pgp they are using. I won't be able to > see if that works until tomorrow but hopefully it does. I believe Charly is in error. The line ending convention is specified in RFC4880, and both GnuPG and PGP conform to that. From dshaw at jabberwocky.com Mon Jul 26 17:08:07 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 26 Jul 2010 11:08:07 -0400 Subject: Can't open PGP file with Gnupg In-Reply-To: References: Message-ID: On Jul 20, 2010, at 4:48 PM, Cooperider, Brian wrote: > I?m having an issue opening a file sent to us. They are using pgp commend line version 6.5. We are using GnuPG 2.0.12. When we try to open the file we get the message File contained no openPGdata. Any help you can provide would be greatly appreciated. I'm happy to take a look at a file to see what exactly is wrong if you're willing/able to send me one. I'd need the key to decrypt it, so either encrypt the test message to my key (99242560), or make a new key for the purpose. Most likely the problem you are having is that PGP version 6.5 is beyond antique at this point. You might try adding the "--pgp6" flag to your gpg invocation, which enables some workarounds for various PGP 6-isms, but basically the problem is that PGP 6.5 predates the standard that GnuPG follows. David From shavital at mac.com Mon Jul 26 17:10:47 2010 From: shavital at mac.com (Charly Avital) Date: Mon, 26 Jul 2010 11:10:47 -0400 Subject: Can't open PGP file with Gnupg In-Reply-To: <4C4DA0C3.6090401@sixdemonbag.org> References: "Produced By Microsoft Exchange V6.5" <4C4DA0C3.6090401@sixdemonbag.org> Message-ID: <4C4DA577.5040601@mac.com> Robert J. Hansen wrote the following on 7/26/10 10:50 AM: > On 7/26/10 10:41 AM, Cooperider, Brian wrote: >> Thanks Charly for the quick response. We are a windows user. I'll need >> to verify the exact version of pgp they are using. I won't be able to >> see if that works until tomorrow but hopefully it does. > > I believe Charly is in error. The line ending convention is specified > in RFC4880, and both GnuPG and PGP conform to that. I possibly am. My very empirical knowledge of crypto does not include RFC's. I remember that in order to have GnuPG import e.g. key blocks generated by prior to Windows and even Macintosh PGP 7.0 releases, I had to convert those key blocks to Unix line-endings. Right now, using PGP Desktop 10.0.2.13, I have no such problem. Another erroneous guessing would be that the file that Brian has been trying to import is not in ASCII format? Charly From Brian.Cooperider at RelayHealth.com Mon Jul 26 17:13:48 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Mon, 26 Jul 2010 08:13:48 -0700 Subject: Can't open PGP file with Gnupg In-Reply-To: References: Message-ID: I should be able to send you a test file tomorrow. We will try adding that flag as well. Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -----Original Message----- From: David Shaw [mailto:dshaw at jabberwocky.com] Sent: Monday, July 26, 2010 11:08 AM To: Cooperider, Brian Cc: gnupg-users at gnupg.org; Brian Cooperider Subject: Re: Can't open PGP file with Gnupg On Jul 20, 2010, at 4:48 PM, Cooperider, Brian wrote: > I'm having an issue opening a file sent to us. They are using pgp commend line version 6.5. We are using GnuPG 2.0.12. When we try to open the file we get the message File contained no openPGdata. Any help you can provide would be greatly appreciated. I'm happy to take a look at a file to see what exactly is wrong if you're willing/able to send me one. I'd need the key to decrypt it, so either encrypt the test message to my key (99242560), or make a new key for the purpose. Most likely the problem you are having is that PGP version 6.5 is beyond antique at this point. You might try adding the "--pgp6" flag to your gpg invocation, which enables some workarounds for various PGP 6-isms, but basically the problem is that PGP 6.5 predates the standard that GnuPG follows. David From wk at gnupg.org Tue Jul 27 10:12:23 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 27 Jul 2010 10:12:23 +0200 Subject: gpg --batch --yes --edit-key trust In-Reply-To: <7937.1280131311@proseconsulting.co.uk> (mark@proseconsulting.co.uk's message of "Mon, 26 Jul 2010 09:01:51 +0100") References: <7937.1280131311@proseconsulting.co.uk> Message-ID: <87r5ip1gyg.fsf@vigenere.g10code.de> On Mon, 26 Jul 2010 10:01, mark at proseconsulting.co.uk said: > gpg --fingerprint --list-keys "$1" |\ > $AWK -v tmpfile="$TMPFILE" -v trustlevel="$2" ' Please use --with-colons for all scripts. The standard output is only for humans. Something like gpg --with-colons --with-fingerprint --list-keys "$1" |\ $AWK -F: -v tmpfile="$TMPFILE" -v trustlevel="$2" ' $1 == "fpr" { fpr=$10 } should do the job. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mark at proseconsulting.co.uk Tue Jul 27 12:02:07 2010 From: mark at proseconsulting.co.uk (mark at proseconsulting.co.uk) Date: Tue, 27 Jul 2010 11:02:07 +0100 Subject: gpg --batch --yes --edit-key trust Message-ID: <1367.1280224927@proseconsulting.co.uk> On Tue 27/07/10 9:12 AM , Werner Koch wk at gnupg.org sent: > On Mon, 26 Jul 2010 10:01, mark at proseconsulting.co.uk said: > > gpg --fingerprint --list-keys "$1" |\ > > $AWK -v tmpfile="$TMPFILE" -v trustlevel="$2" > > Please use --with-colons for all scripts. The standard output is only > for humans. Good spot. Amended script attached. I hope others find it useful. Best regards, Mark Bannister. -------------- next part -------------- A non-text attachment was scrubbed... Name: set-gpg-trust Type: application/octet-stream Size: 518 bytes Desc: not available URL: From mohanr at fss.co.in Tue Jul 27 13:29:19 2010 From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Tue, 27 Jul 2010 16:59:19 +0530 Subject: Find correct key id's Message-ID: <0EE14841E1FD8545B7E084F22AEF9681031FAE84@fssbemail.fss.india> Hi, I have some questions about matching key id's. 1. I am trying to find the key id of the key that encrypted a file so that I can use the corresponding decrypting key. 2. I am trying to use the correct decrypting key from the keyring using the code shown here to decrypt. Appreciate any advice ? Thanks, Mohan PGPSecretKey prk = ( PGPSecretKey )keyIt.next(); PGPPublicKey puk = prk.getPublicKey(); sb.append( "Private [" + prk.getKeyID() + "] Public [" + puk.getKeyID() + "]\n" ); for( Iterator it = puk.getUserIDs() ; it.hasNext() ; ){ sb.append( "User ID [" + it.next() + "]\n" ); } -------------- next part -------------- An HTML attachment was scrubbed... URL: From expires2010 at ymail.com Tue Jul 27 14:45:31 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 27 Jul 2010 13:45:31 +0100 Subject: Find correct key id's In-Reply-To: <0EE14841E1FD8545B7E084F22AEF9681031FAE84@fssbemail.fss.india> References: <0EE14841E1FD8545B7E084F22AEF9681031FAE84@fssbemail.fss.india> Message-ID: <161331422.20100727134531@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 27 July 2010 at 12:29:19 PM, in , Mohan Radhakrishnan wrote: > Hi, > I have some questions about matching key id's. > 1. I am trying to find the key id of the key that > encrypted a file so that I can use the corresponding > decrypting key. Is "--try-all-secrets" not helping you? - -- Best regards MFPA mailto:expires2010 at ymail.com There is no job so simple that it cannot be done wrong -----BEGIN PGP SIGNATURE----- iQCVAwUBTE7U/6ipC46tDG5pAQpXXgP/WKyGdIHaUJGiRAhKE+xg3u77S7P/PoMu vBrtgc8/VPt9qTKzm8viDNKf/oB6pCn1Km8IhYI+9QtxEpLpz4tNuR5WuUBFae8a IB9P4NKCmDV+GROUpfZQtDskks259lMkUfDICsMvOvlmWRs6k7AdMQA70ITaHQSS AVGZz8cSB/o= =VSsN -----END PGP SIGNATURE----- From mohanr at fss.co.in Tue Jul 27 16:00:42 2010 From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Tue, 27 Jul 2010 19:30:42 +0530 Subject: Find correct key id's In-Reply-To: <161331422.20100727134531@my_localhost> Message-ID: <0EE14841E1FD8545B7E084F22AEF9681031FAFAD@fssbemail.fss.india> Hi, I think as a newbie I was confused because --list-packets and BC API printed two different ID's. Correct me if I am wrong. It looks like when I use a user id like this and encrypt gpg --output readme.gpg --recipient test123 at test.co.in --encrypt CHANGE.txt the output from "--list-packets readme.gpg" is 2048-bit RSA key, ID 6540BD43, created 2010-02-11 (main key ID 202AAEDC) but when I use code like this to get a key for encrption while ( rings.hasNext()) { PGPPublicKeyRing ring = (PGPPublicKeyRing) rings.next(); key = ring.getPublicKey(); if( null == key ){ throw new KeyNotFoundException(); } for( Iterator userIds = key.getUserIDs() ; userIds.hasNext() ; ){ userId = ( String )userIds.next(); } //Read from properties file if( userId.equals( "test123 at test.co.in" )){ break; } } The output from --list-packets is 2048-bit RSA key, ID 202AAEDC, created 2010-02-11 So it looks like in the first instance it shows the sub-key but in the second case it seems to be showing the main key. Thanks, Mohan -----Original Message----- From: MFPA [mailto:expires2010 at ymail.com] Sent: Tuesday, July 27, 2010 6:16 PM To: Mohan Radhakrishnan on GnuPG-Users Cc: Mohan Radhakrishnan Subject: Re: Find correct key id's -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 27 July 2010 at 12:29:19 PM, in , Mohan Radhakrishnan wrote: > Hi, > I have some questions about matching key id's. > 1. I am trying to find the key id of the key that > encrypted a file so that I can use the corresponding > decrypting key. Is "--try-all-secrets" not helping you? - -- Best regards MFPA mailto:expires2010 at ymail.com There is no job so simple that it cannot be done wrong -----BEGIN PGP SIGNATURE----- iQCVAwUBTE7U/6ipC46tDG5pAQpXXgP/WKyGdIHaUJGiRAhKE+xg3u77S7P/PoMu vBrtgc8/VPt9qTKzm8viDNKf/oB6pCn1Km8IhYI+9QtxEpLpz4tNuR5WuUBFae8a IB9P4NKCmDV+GROUpfZQtDskks259lMkUfDICsMvOvlmWRs6k7AdMQA70ITaHQSS AVGZz8cSB/o= =VSsN -----END PGP SIGNATURE----- From vedaal at nym.hush.com Tue Jul 27 17:18:31 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 27 Jul 2010 11:18:31 -0400 Subject: file contained no OpenPGPdata Message-ID: <20100727151831.D482AB8079@smtp.hushmail.com> Cooperider, Brian Brian.Cooperider at RelayHealth.com wrote on Mon Jul 26 16:23:02 CEST 2010 : >We have a customer using pgp command line version 6.5. The file they are >sending us is giving us the error "file contained no OpenPGData" We are >using GnuPG 2.0.12, GPA 0.9.0 How is the pgp user encrypting this? If it's with symmetric encryption, then pgp6.5.8 uses IDEA by default. (In order for the pgp user to change this default behavior, the user needs to use the following command: pgp +ciphernum=1 -ce filename (this uses CAST5) or pgp +ciphernum=2 -ce filename (this uses 3DES) pgp6.5.8 can use only the 3 cipher algos: IDEA, CAST5, or 3DES, nothing else. If they are encrypting to your key, then how did you generate this key in gnupg? You would have needed to use the gnupg option of --pgp6 or pgp6.5.8 will be unable to use that key. It might be advisable to download a free commandline version of 6.5.8 (available here: http://www.pgpi.org/products/pgp/versions/freeware/ ) and set up a test system, and see if you can communicate with it using gnupg, and then tell the pgp6.5.8 client what additional commandline entries the client needs to use. vedaal From Brian.Cooperider at RelayHealth.com Tue Jul 27 18:14:45 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Tue, 27 Jul 2010 09:14:45 -0700 Subject: file contained no OpenPGPdata In-Reply-To: <20100727151831.D482AB8079@smtp.hushmail.com> References: <20100727151831.D482AB8079@smtp.hushmail.com> Message-ID: Thanks, I'm correct in that GNUPG is not compatible with IDEA but is with casts and 3DES? Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -----Original Message----- From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of vedaal at nym.hush.com Sent: Tuesday, July 27, 2010 11:19 AM Subject: file contained no OpenPGPdata Cooperider, Brian Brian.Cooperider at RelayHealth.com wrote on Mon Jul 26 16:23:02 CEST 2010 : >We have a customer using pgp command line version 6.5. The file they are >sending us is giving us the error "file contained no OpenPGData" We are >using GnuPG 2.0.12, GPA 0.9.0 How is the pgp user encrypting this? If it's with symmetric encryption, then pgp6.5.8 uses IDEA by default. (In order for the pgp user to change this default behavior, the user needs to use the following command: pgp +ciphernum=1 -ce filename (this uses CAST5) or pgp +ciphernum=2 -ce filename (this uses 3DES) pgp6.5.8 can use only the 3 cipher algos: IDEA, CAST5, or 3DES, nothing else. If they are encrypting to your key, then how did you generate this key in gnupg? You would have needed to use the gnupg option of --pgp6 or pgp6.5.8 will be unable to use that key. It might be advisable to download a free commandline version of 6.5.8 (available here: http://www.pgpi.org/products/pgp/versions/freeware/ ) and set up a test system, and see if you can communicate with it using gnupg, and then tell the pgp6.5.8 client what additional commandline entries the client needs to use. vedaal _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From vedaal at nym.hush.com Tue Jul 27 18:30:23 2010 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 27 Jul 2010 12:30:23 -0400 Subject: file contained no OpenPGPdata Message-ID: <20100727163023.78A8C1200AA@smtp.hushmail.com> On Tue, 27 Jul 2010 12:14:45 -0400 "Cooperider, Brian" wrote: >Thanks, I'm correct in that GNUPG is not compatible with IDEA but >is with casts and 3DES? yes (although, gnupg can be made compatible with IDEA if the IDEA plugin is used, but it's frowned on because it's not that great of an algorithm, it has copyright hassles, etc.) If you use the option of --pgp6 and generate a dh key in gnupg, then pgp6.5.8 will automatically use CAST5 when generating that key. (AFAIK, you *cannot* generate a v3 RSA key in gnupg for many versions now, and pgp6 will not recognize v4 RSA keys, so you must use the --pgp6 option when generating a key, and gnupg will automatically pick an old style dh key for you.) vedaal From stargrave at stargrave.org Tue Jul 27 18:33:29 2010 From: stargrave at stargrave.org (Sergey Matveev) Date: Tue, 27 Jul 2010 20:33:29 +0400 Subject: file contained no OpenPGPdata In-Reply-To: References: <20100727151831.D482AB8079@smtp.hushmail.com> Message-ID: <20100727163329.GA1987@stargrave.org> Greetings, On Tue, Jul 27, 2010 at 09:14:45AM -0700, Cooperider, Brian wrote: > Thanks, I'm correct in that GNUPG is not compatible with IDEA but is > with casts and 3DES? IDEA is patented, that is why default distributions and build of GnuPG do not include it. But it can be recompiled and built-in and successfully used. GnuPG supports many other various ciphers such as CAMELIA, Blowfish, Twofish, AES. You should recompile it with the needed ones. -- Happy hacking, Sergey Matveev ?? FSFE Fellow #1390 ?????? FSF Associate member #5968 ?? From wk at gnupg.org Tue Jul 27 18:59:02 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 27 Jul 2010 18:59:02 +0200 Subject: [Announce] Security Alert for GnuPG 2.0 - Realloc bug in GPGSM In-Reply-To: <877hkmfk7w.fsf@vigenere.g10code.de> (Werner Koch's message of "Fri, 23 Jul 2010 14:36:51 +0200") References: <877hkmfk7w.fsf@vigenere.g10code.de> Message-ID: <871vao2755.fsf@vigenere.g10code.de> Hi, some more inforrmation about this bug On Fri, 23 Jul 2010 14:36, wk at gnupg.org said: > bug was found in GnuPG's GPGSM tool. It is likely that this bug is > exploitable by sending a special crafted signed message and having a On a first view this might actually happen. However, after some thinking or well, taking a shower in the morning, I come to the conclusion that writing an exploit for this bug is a too hard problem for an entity of the Deep Though designed computer. Here is what happens: 1. We parse each subjectAltName and convert it into a plain C string. This string is allocated on the heap and the address of that string (a pointer) is stored in an array. 2. That array has initially been allocated with space for 100 entries. The first two entries are used for the issuer and subject name and subjectAltNames are stored following them. 3. If the parser (step 1) wants to store the 99th subjectAltName string, the code detects that the array is full and uses realloc to reallocate the array with space for 100 more entries. The 99th pointer is then stored in the next slot of the reallocated array. 4. The bug is that we did not complete the reallocation but continued to use the old array and may now write out of bounds. Two cases may happen: The realloc function is able to extend the array, in which case no harm is done because the missing assignment of the new array would have been superfluous as it the same address. The more likely case is that realloc allocates a new memory block, copies the old array to the new array and frees the old array. 5. Thus when writing the 99th subjectAltName string we write into freed space, which is a no-no. We even write out of bounds in the freed space, so all kind of harm may happen. This is always a severe bug which is likey to be expoitable. Now, why do I think this is not exploitable: It is the simple fact that the attacker can't control the value which is written into the freed memory block. The value we are writing comes from our own malloc which at that point is working as expected because the entire heap has not yet been damaged (modulo other bugs in the code of course). Now the heap is corrupted and all future calls mallocs or free may to weird things. Usually you will see a segv then. To exploit it, an attacker needs to hope that an overwrite (using a malloc returned pointer) does harmful things but doesn't stop the execution and continues to parse his certificate. One of the next subjectAltName need to overwrite a function and set it to (already existing) code which does the actual attack. You may prove me wrong, but I dount that anyone will spend time on finding such an exploit. It would be much faster to look for other, not yet known, bugs. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Jul 27 19:18:46 2010 From: wk at gnupg.org (Werner Koch) Date: Tue, 27 Jul 2010 19:18:46 +0200 Subject: file contained no OpenPGPdata In-Reply-To: <20100727163329.GA1987@stargrave.org> (Sergey Matveev's message of "Tue, 27 Jul 2010 20:33:29 +0400") References: <20100727151831.D482AB8079@smtp.hushmail.com> <20100727163329.GA1987@stargrave.org> Message-ID: <87sk34zvux.fsf@vigenere.g10code.de> On Tue, 27 Jul 2010 18:33, stargrave at stargrave.org said: > successfully used. GnuPG supports many other various ciphers such as > CAMELIA, Blowfish, Twofish, AES. You should recompile it with the needed > ones. In fact the standard demands a preference system where your key declares what algorithms you support. 3DES is the last resport algorithm and as such always available. IDEA for example is an optional algorithm. An implementation which uses an algorithm not given in the preferences of the key is not standard conform. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From shavital at mac.com Tue Jul 27 19:35:16 2010 From: shavital at mac.com (Charly Avital) Date: Tue, 27 Jul 2010 13:35:16 -0400 Subject: file contained no OpenPGPdata In-Reply-To: <20100727163329.GA1987@stargrave.org> References: <20100727151831.D482AB8079@smtp.hushmail.com> <20100727163329.GA1987@stargrave.org> Message-ID: <4C4F18D4.1060400@mac.com> Sergey Matveev wrote the following on 7/27/10 12:33 PM: > Greetings, > > On Tue, Jul 27, 2010 at 09:14:45AM -0700, Cooperider, Brian wrote: > >> Thanks, I'm correct in that GNUPG is not compatible with IDEA but is >> with casts and 3DES? > > IDEA is patented, that is why default distributions and build of GnuPG > do not include it. But it can be recompiled and built-in and > successfully used. GnuPG supports many other various ciphers such as > CAMELIA, Blowfish, Twofish, AES. You should recompile it with the needed > ones. > For Windows users, I believe you would need: ideadll.zip then ideadll.zip.sig to authenticate, then expand ideadll.zip and proceed from there. In my MacOSX system I have: gpg (GnuPG) 1.4.10 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13) Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11) Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) Charly From wk at gnupg.org Wed Jul 28 10:44:10 2010 From: wk at gnupg.org (Werner Koch) Date: Wed, 28 Jul 2010 10:44:10 +0200 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <35C9A2CFC27ACC439F4F97B1915D3FA2016F81E2@EXVS01.dsw.net> (James J. Perry's message of "Tue, 20 Jul 2010 18:15:35 -0400") References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net> <4C461E89.8070409@gmail.com> <35C9A2CFC27ACC439F4F97B1915D3FA2016F81E2@EXVS01.dsw.net> Message-ID: <87k4ogyp0l.fsf@vigenere.g10code.de> On Wed, 21 Jul 2010 00:15, jjperry at water.com said: > trying to figure out what happened. If the interface is being changed > in this manner than it would seem that simple code to check for a > responding X-server or if the X-server connection is denied, it would > fall back to curses style windows. That is a good suggestion. We currently only look on the presence of the DISPLAY envvar but don't do any test: /* Simple test to check whether DISPLAY is set or the option --display was given. Used to decide whether the GUI or curses should be initialized. */ int pinentry_have_display (int argc, char **argv) { #ifndef HAVE_W32CE_SYSTEM const char *s; s = getenv ("DISPLAY"); if (s && *s) return 1; #endif for (; argc; argc--, argv++) if (!strcmp (*argv, "--display")) return 1; return 0; } If someone can come up with a simple test to check the presence of an X server, it should be easy to include it. Note that we don't use Xlib directly but GTk+ or Qt. I don't know whether gtk_init returns an error and we would be able fallback to the curses implementation then. Anyone care to test this? (pinentry/gtk+-2/pinentry-gtk-2.c)/ Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From expires2010 at ymail.com Tue Jul 27 18:44:27 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 27 Jul 2010 17:44:27 +0100 Subject: file contained no OpenPGPdata In-Reply-To: References: <20100727151831.D482AB8079@smtp.hushmail.com> <20100727151831.D482AB8079@smtp.hushmail.com> Message-ID: <1828721919.20100727174427@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 27 July 2010 at 5:14:45 PM, in , Cooperider, Brian wrote: > Thanks, I'm correct in that GNUPG is not compatible > with IDEA but is with casts and 3DES? If necessary, an "unofficial" IDEA module can be downloaded and the - --load-extension option used to add IDEA support to GnuPG. People generally seem to recommend that IDEA is only to be used for decrypting old files or messages. Unless you are communicating (or sharing encrypted files) with people who cannot upgrade from elderly PGP versions supporting only IDEA. - -- Best regards MFPA mailto:expires2010 at ymail.com Always be on the lookout for conspicuousness -----BEGIN PGP SIGNATURE----- iQCVAwUBTE8M7KipC46tDG5pAQpN2QP+IQAq9Nlo6ohsfuo/KDsQcye9v8sntVXK 4YfVmBTyoiL0qsJGbnZhp5u+OxSwM2zwOoX20uvd/Xz32ZlqcuaLnAuccjvBBzU8 2orpr6EVPcPzCQxMvQHO0Rj5OW6d5G55uirZDYHngNoYChVpaRN+CDEU47mm/ZaA ps2d6MnfuYE= =tZui -----END PGP SIGNATURE----- From tux.tsndcb at free.fr Wed Jul 28 20:26:07 2010 From: tux.tsndcb at free.fr (tux.tsndcb at free.fr) Date: Wed, 28 Jul 2010 20:26:07 +0200 (CEST) Subject: Using pinentry-curses interactively in Linux boot process fails (SOLVED) In-Reply-To: <201007232104.04054.malte.gell@gmx.de> Message-ID: <2007097442.6404681280341567977.JavaMail.root@zimbra7-e1.priv.proxad.net> ----- Mail Original ----- De: "Malte Gell" ?: "tux tsndcb" Cc: gnupg-users at gnupg.org Envoy?: Vendredi 23 Juillet 2010 21h03:53 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne Objet: Re: Using pinentry-curses interactively in Linux boot process fails (SOLVED) > Yes, of course. I have attached it, I named it open-luks-key. The only > interesting stuff is the start and stop section. I have directly put the name > of my luks partition there. It is a dumb script, does not detect anything > automatically, but it works if the card reader is running fine. I even have > not removed the FOO template stuff from it :-) Ugly, but works. > The "Required-Start:" section needs to contain the PCSC daemon, that needs to > run, so gpg-agent can call the pinentry program. > Regards > Malte Hello Malte, Thanks you very much. Bests Regards From mark at proseconsulting.co.uk Thu Jul 29 12:57:39 2010 From: mark at proseconsulting.co.uk (mark at proseconsulting.co.uk) Date: Thu, 29 Jul 2010 11:57:39 +0100 Subject: gpg --batch --yes --edit-key trust Message-ID: <55116.1280401059@proseconsulting.co.uk> On Tue 27/07/10 11:02 AM , mark at proseconsulting.co.uk sent: > On Tue 27/07/10 9:12 AM , Werner Koch sent: > > On Mon, 26 Jul 2010 10:01, said: > > > gpg --fingerprint --list-keys "$1" | > > > $AWK -v tmpfile="$TMPFILE" -v trustlevel="$2" > > > > Please use --with-colons for all scripts. The standard output is only > > for humans. > > Good spot. Amended script attached. I hope others find it useful. > Best regards, > Mark Bannister. Checking the mailing list archive, it seems my attached script got scrubbed. But also, it seems my formatting is not being lost until I get the mail back again. So all is good. Here is the final script one more time. For those who missed the original mailings, this script will set the trust-level non-interactively on a public key that you have previously imported, making it possible for tools (such as pkgutil) to verify digital signatures with a key previously downloaded from a secure keyserver, while at no time expecting the end user to interact with GPG: #!/bin/ksh # # Set trust level for a given GPG key # AWK=/bin/gawk [ -x /bin/nawk ] && AWK=/bin/nawk [ $# -ne 2 ] && echo "Syntax: $(basename $0) key trust-level" && exit 1 gpg --fingerprint --with-colons --list-keys |\ $AWK -F: -v keyname="$1" -v trustlevel="$2" ' $1=="pub" && $10 ~ keyname { fpr=1 } $1=="fpr" && fpr { fpr=$10; exit } END { cmd="gpg --export-ownertrust" while (cmd | getline) if ($1!=fpr) print close(cmd) print fpr ":" trustlevel ":" } ' | gpg --import-ownertrust Best regards, Mark Bannister. From jjperry at water.com Wed Jul 28 17:35:51 2010 From: jjperry at water.com (Perry, James J.) Date: Wed, 28 Jul 2010 11:35:51 -0400 Subject: GPG seems broken on FC13 after upgrade. In-Reply-To: <87k4ogyp0l.fsf@vigenere.g10code.de> References: <35C9A2CFC27ACC439F4F97B1915D3FA2016F80D4@EXVS01.dsw.net><4C461E89.8070409@gmail.com><35C9A2CFC27ACC439F4F97B1915D3FA2016F81E2@EXVS01.dsw.net> <87k4ogyp0l.fsf@vigenere.g10code.de> Message-ID: <35C9A2CFC27ACC439F4F97B1915D3FA2016F81FE@EXVS01.dsw.net> I don't know about Qt libraries but I found that just running the GTK code fragment checked it fairly easily: /* Simple check for X display with GTK+ */ include void main (int argc, char **argv){ gboolean return_code; /* Checks is X Server responds to initialization Returns true on success, false on failure */ return_code = gtk_init_check(&argc, &argv); printf("Return Code: %d\n", return_code); } Since I do not code much C anymore, it seemed way too easy of a check but worked very well. When I had my DISPLAY set but local X-Server not running, it returned false but when I ran it with the X-Server running it correctly displayed true. It does the same functions as gtk_init but returns a status code. Could this be what is needed here to check to see if curses is called when the DISPLAY is set but there is no X-Server or permissions are denied? >> trying to figure out what happened. If the interface is being changed >> in this manner than it would seem that simple code to check for a >> responding X-server or if the X-server connection is denied, it would >> fall back to curses style windows. > >That is a good suggestion. We currently only look on the presence of >the DISPLAY envvar but don't do any test: > > /* Simple test to check whether DISPLAY is set or the option --display > was given. Used to decide whether the GUI or curses should be > initialized. */ > int > pinentry_have_display (int argc, char **argv) > { > #ifndef HAVE_W32CE_SYSTEM > const char *s; > > s = getenv ("DISPLAY"); > if (s && *s) > return 1; > #endif > for (; argc; argc--, argv++) > if (!strcmp (*argv, "--display")) > return 1; > return 0; > } > >If someone can come up with a simple test to check the presence of an X >server, it should be easy to include it. Note that we don't use Xlib >directly but GTk+ or Qt. I don't know whether gtk_init returns an error >and we would be able fallback to the curses implementation then. Anyone >care to test this? (pinentry/gtk+-2/pinentry-gtk-2.c)/ > > >Salam-Shalom, > > Werner > >-- >Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > Proud partner. Susan G. Komen for the Cure. Please consider our environment before printing this e-mail or attachments. ---------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- From emailtokshitij at gmail.com Thu Jul 29 16:55:59 2010 From: emailtokshitij at gmail.com (kshitij shrivastava) Date: Thu, 29 Jul 2010 20:25:59 +0530 Subject: gpg process gets stalled and does not release lock from the file Message-ID: Hi, I'm using GPG version 1.6.3 to encrypt decrypt some XML files kept on a windows server in a particular folder . There are around 10 to 50 files in that folder. I create a batch file with the decrypt / encrypt commands for all these files and then execute the batch file. PGP process starts and decrypts/encrypts some of the files successfully but it gets stuck after a while with any random file. The gpg.exe process simply doesn't release the lock from that file and as a result the whole batch file gets hung at that stage only. As an example, if my batch file has following commands: gpg --yes -eq -r "pgp key " -o test1.pgp test1.xml del test1.xml move test1.pgp d:/testFileDir gpg --yes -eq -r "pgp key " -o test2.pgp test2.xml del test2.xml move test2.pgp d:/testFileDir gpg --yes -eq -r "pgp key " -o test3.pgp test3.xml del test3.xml move test3.pgp d:/testFileDir gpg --yes -eq -r "pgp key " -o test4.pgp test4.xml del test4.xml move test4.pgp d:/testFileDir gpg --yes -eq -r "pgp key " -o test5.pgp test5.xml del test5.xml move test5.pgp d:/testFileDir The process successfully processes first 50% of 60 % of the files and all of a sudden it gets hung at on of the commands, say - "gpg --yes -eq -r "pgp key " -o test5.pgp test5.xml". Though this command is also executed successfully but the lock from file test5.xml and test5.pgp is never released and the entire process gets stuck. Any help would be much appreciated, its very critical for one of my applications. Thanks, Kshitij -------------- next part -------------- An HTML attachment was scrubbed... URL: From dougb at dougbarton.us Thu Jul 29 23:27:54 2010 From: dougb at dougbarton.us (Doug Barton) Date: Thu, 29 Jul 2010 14:27:54 -0700 (PDT) Subject: Version 1.8 of pine-pgp-filters Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Greetings, First, apologies to those who receive 2 copies of this message, or those for whom this message is unwelcome in any way. I wanted to send a quick note for those who are using, or may be interested in using my scripts to integrate GnuPG with Alpine. I've released version 1.8 which has revised (and greatly improved) scripts to deal with PGP/MIME messages; and a minor cosmetic change to the other filters. You can find the scripts themselves, and more information about them at http://dougbarton.us/PGP/ppf/. Regards, Doug - -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (FreeBSD) iQEcBAEBCAAGBQJMUfJeAAoJEFzGhvEaGryEs6YIAKrE6+1JaHTSa7iwwWtED84W OePfLuunt+XSivjeffTkIv1y/x0e2Tx4YPG7TMzblfzvX3y0EJuvvwp0WeOH9AO4 XeydjoqSqo3IoQGLZXSUAlTtYq1T4KtwdqNbr5gXLSHg4K+FN6fOhscRn+sX3IRc d+4xNMqsxBFrOT7eoKwBVY84JOgoWdZdhQ7hfyx7ZFnW3EVOYjayBwGqDanzRg9G SBlrINRlRLVpAmGj/cKDoitpI7M2InJVSBIvLeJrnQkQTro3rkGyFfWxKqsdxd98 YyVfQ8q1CTCfloqZXODmsmN+EnMDMMXpKkCDUm7Xtr4wzFSo6WbJqMVNF8La4G4= =0kkb -----END PGP SIGNATURE----- From Brian.Cooperider at RelayHealth.com Fri Jul 30 22:36:44 2010 From: Brian.Cooperider at RelayHealth.com (Cooperider, Brian) Date: Fri, 30 Jul 2010 13:36:44 -0700 Subject: file contained no OpenPGPdata In-Reply-To: Produced By Microsoft Exchange V6.5 References: Produced By Microsoft Exchange V6.5 Message-ID: Thanks all that helped on this. As it turned out it was the transfer process that was messing the key up as it passed through some extra server security. Brian Cooperider IT Operations Relay Health 8720 Orion Place, Suite 300 Columbus, OH 43240 614-396-4511 614-885-0033 Fax http://www.relayhealth.com -----Original Message----- From: Charly Avital [mailto:shavital at mac.com] Sent: Tuesday, July 27, 2010 1:35 PM To: gnupg-users at gnupg.org Subject: Re: file contained no OpenPGPdata Sergey Matveev wrote the following on 7/27/10 12:33 PM: > Greetings, > > On Tue, Jul 27, 2010 at 09:14:45AM -0700, Cooperider, Brian wrote: > >> Thanks, I'm correct in that GNUPG is not compatible with IDEA but is >> with casts and 3DES? > > IDEA is patented, that is why default distributions and build of GnuPG > do not include it. But it can be recompiled and built-in and > successfully used. GnuPG supports many other various ciphers such as > CAMELIA, Blowfish, Twofish, AES. You should recompile it with the needed > ones. > For Windows users, I believe you would need: ideadll.zip then ideadll.zip.sig to authenticate, then expand ideadll.zip and proceed from there. In my MacOSX system I have: gpg (GnuPG) 1.4.10 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13) Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11) Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3) Charly From DELEE at TRANSENTRIC.COM Fri Jul 30 23:06:14 2010 From: DELEE at TRANSENTRIC.COM (David E. Lee) Date: Fri, 30 Jul 2010 16:06:14 -0500 Subject: David E. Lee is out of the office Message-ID: I will be out of the office starting 07/29/2010 and will not return until 08/02/2010. ** This message and any attachments contain information from Union Pacific which may be confidential and/or privileged. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited by law. If you receive this message in error, please contact the sender immediately and delete the message and any attachments. ** -------------- next part -------------- An HTML attachment was scrubbed... URL: From nobody at nowhere.no Sat Jul 31 07:40:43 2010 From: nobody at nowhere.no (Null User) Date: Sat, 31 Jul 2010 07:40:43 +0200 (CEST) Subject: Kleopatra Start Error [Win7] Message-ID: When attempting to start Kleopatra, I get the following error: "The procedure entry point libiconv_set_relocation_prefix could not be located in the dynamic link library iconv.dll" This happens every time. Kleopatra's never worked, even after reinstalling 2.0.4 update. Everything else seems to be OK. Many thanks for any help with this! From gnupg.user at seibercom.net Sat Jul 31 12:08:25 2010 From: gnupg.user at seibercom.net (Jerry) Date: Sat, 31 Jul 2010 06:08:25 -0400 Subject: David E. Lee is out of the office In-Reply-To: References: Message-ID: <20100731060825.485098e2@scorpio> On Fri, 30 Jul 2010 16:06:14 -0500 David E. Lee articulated: > I will be out of the office starting 07/29/2010 and will not return > until 08/02/2010. > ** > > This message and any attachments contain information from Union > Pacific which may be confidential and/or privileged. If you are not > the intended recipient, be aware that any disclosure, copying, > distribution or use of the contents of this message is strictly > prohibited by law. If you receive this message in error, please > contact the sender immediately and delete the message and any > attachments. > > ** Yes, another incorrectly configured vacation notifier. Unfortunately, or fortunately depending on how you view it, this one does not have a list of e-mail or telephone contacts listed. Now I have no one to call or e-mail and explain why vacation messages should NOT be directed back to mailing lists. -- Jerry ? GNUPG.user at seibercom.net _____________________________________________________________________ Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header. The shortest distance between two points is under construction. Noelie Altito -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: not available URL: From kloecker at kde.org Sat Jul 31 17:21:17 2010 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sat, 31 Jul 2010 17:21:17 +0200 Subject: David E. Lee is out of the office In-Reply-To: <20100731060825.485098e2@scorpio> References: <20100731060825.485098e2@scorpio> Message-ID: <201007311721.29194@thufir.ingo-kloecker.de> On Saturday 31 July 2010, Jerry wrote: > On Fri, 30 Jul 2010 16:06:14 -0500 > > David E. Lee articulated: > > I will be out of the office starting 07/29/2010 and will not > > return until 08/02/2010. > > ** > > > > This message and any attachments contain information from Union > > Pacific which may be confidential and/or privileged. If you are > > not the intended recipient, be aware that any disclosure, copying, > > distribution or use of the contents of this message is strictly > > prohibited by law. If you receive this message in error, please > > contact the sender immediately and delete the message and any > > attachments. > > > > ** > > Yes, another incorrectly configured vacation notifier. Unfortunately, > or fortunately depending on how you view it, this one does not have a > list of e-mail or telephone contacts listed. Now I have no one to > call or e-mail and explain why vacation messages should NOT be > directed back to mailing lists. The next time please simply ask gnupg-users-owner to disable the subscription of the misconfigured account instead of sending a rant to the mailing list. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: