From the2nd at otpme.org Tue Dec 1 00:19:20 2015 From: the2nd at otpme.org (the2nd at otpme.org) Date: Tue, 01 Dec 2015 00:19:20 +0100 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> Message-ID: Hi again, i asked for help on the openssh list and was told to ask the devs of gpg-agent for help ;) https://groups.google.com/forum/#!topic/mailing.unix.openssh-dev/qSPsDdj5-0M So are any devs reading on this list? The problem is reproducible and i am willing to help debugging and whatever is needed to fix the issue. :) regards the2nd On 2015-11-23 16:53, the2nd at otpme.org wrote: > Hi, > > i've done some more testing and found out that the problem starts to > exist with openssh version 6.8p1. With 6.7p1 everything works perfect. > I downloaded the openssh tarballs one by one, compiled with > ./configure;make and just copied the "ssh" binary. > > I was able to reproduce the problem with the following steps: > > 1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support > --log-file ~/.gnupg/gpg-agent.log) > 2. Login to any host with your SSH key and keep the session open: ssh > -l root localhost > 3. Plug your yubikey out/in > 4. Try to login with your SSH key to any other host > > With openssh 6.8p1 this fails reproducable. With version 6.7p1 or > earlier it works. > > As a workaround i replaced my ssh client binary with the old version. > > It would be great to get a real fix for this. But i am unsure where > the realm problem lies, gpg or openssh. > > Maybe we should ask this on the openssh list? > > regards > the2nd > > > On 2015-11-22 03:06, Lance R. Vick wrote: >> This happens to me constantly as well. I my case I frequently need to >> kill and restart gpg-agent to get things working again on both Arch >> Linux and Gentoo. >> >> On Sat, Nov 21, 2015 at 4:41 AM, the2nd wrote: >> >>> Hi Ben, >>> >>> We have a similar Problem since we've upgraded from Ubuntu 15.04 to >>> 15.10.? When starting gpg-agent with --log-file the log show the >>> following: >>> >>> 2015-05-30 13:49:36?gpg-agent[3600] error accessing card: >>> Conflicting?use >>> 2015-05-30 13:49:36?gpg-agent[3600] smartcard signing failed:? >>> Conflicting use? >>> 2015-05-30 13:49:38?gpg-agent[3600] error getting >>> default?authentication keyID of card: Conflicting use >>> >>> I've asked the list serval times about this issue but got now answer >>> yet. So i dont have a solution but it may be interesting if your >>> problem is the same... >>> >>> Regards >>> The2nd? >>> >>> -------- Urspr?ngliche Nachricht -------- >>> Von: Ben Warren >>> Datum:11.20.2015 16:26 (GMT+01:00) >>> An: gnupg-users at gnupg.org >>> Betreff: scdaemon lockup with Yubikey NEO >>> >>> Hi, >>> >>> I?ve noticed several other problem reports that seem similar, >>> hopefully they?re all related and there?s a simple fix. >>> >>> The problem: >>> >>> After an indeterminate amount of time (sometimes minutes, sometimes >>> hours), any GPG operation that uses my Yubikey NEO device hangs.? >>> The two most common operations are SSH authentication and git >>> signing.? The following sequence gets things going again: >>> >>> $ killall -SIGKILL scdaemon >>> >>> $ gpg2 ?card-status >>> >>> System particulars: >>> >>> * Host OS is OS-X Yosemite, although it is also present on >>> Mavericks (haven?t tried El Capitan yet) >>> >>> * GPG 2.1.5 >>> >>> * Using the Yubikey?s authentication subkey to login to remote >>> Linux hosts >>> >>> * Using the Yubikey?s signing subkey for git signing operations, >>> both local and remote >>> >>> * Using gpg-agent for forwarding both GPG and SSH (great features, >>> BTW!) >>> >>> GPG configuration file: >>> >>> $ cat ~/.gnupg/gpg-agent.conf >>> >>> default-cache-ttl 1 >>> >>> ignore-cache-for-signing >>> >>> no-allow-external-cache >>> >>> max-cache-ttl 1 >>> >>> extra-socket ${HOME}/.gnupg/S.gpg-extra-agent >>> >>> debug-all >>> >>> log-file ${HOME}/.gnupg/mygpglogfile.log >>> >>> enable-ssh-support >>> >>> I?ll be happy to help debug this, but need some guidance. >>> >>> thanks, >>> >>> Ben >>> _______________________________________________ >>> Gnupg-users mailing list >>> Gnupg-users at gnupg.org >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users [1] >> >> -- >> >> Lance R. Vick >> __________________________________________________ >> Cell? ? ? -? 407.283.7596 >> Gtalk? ?? -? lance at lrvick.net >> Website?? -? http://lrvick.net [2] >> PGP Key?? -? http://lrvick.net/0x36C8AAA9.asc [3] >> keyserver -? subkeys.pgp.net [4] >> __________________________________________________ >> >> Links: >> ------ >> [1] http://lists.gnupg.org/mailman/listinfo/gnupg-users >> [2] http://lrvick.net >> [3] http://lrvick.net/0x36C8AAA9.asc >> [4] http://subkeys.pgp.net > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From rjh at sixdemonbag.org Tue Dec 1 01:37:30 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 30 Nov 2015 19:37:30 -0500 Subject: problems decrypting ASCII-armored file In-Reply-To: References: Message-ID: <565CEBCA.5000008@sixdemonbag.org> On 11/30/15 5:41 PM, Andrew Gallagher wrote: > That's a Unicode byte order mark. Strictly, it should only be used in > UTF-16 documents but in the real world it's commonly used to mark any > Unicode file.... It's a UTF-16BE BOM, you mean. The UTF-8 BOM is 0xEF 0xBB 0xBF. It's a little weird. You don't see much UTF-16BE out there. From gniibe at fsij.org Tue Dec 1 04:13:25 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 01 Dec 2015 12:13:25 +0900 Subject: How important are Admin PIN and Passphrase in this scenario? In-Reply-To: <565B849A.7040403@krebs.uno> References: <565B849A.7040403@krebs.uno> Message-ID: <565D1055.3070606@fsij.org> On 11/30/2015 08:04 AM, Daniel Krebs wrote: > There is a smartcard with subkeys for encryption, signing and > authentication. [...] > In any case there seems to > be no really benefit of using extraordinary strong admin pin because > there are only three tries before the card get rendered unusable. The > passphrase is only used in the secure environment. I agree your argument in general. I think that it depends on the smartcard implementation, its strength against physical attacks, and how you protect/detect your smartcard against possible steal. If the implementation stores your private key as raw data with no encryption (and use pin/passphrase only for authentication), complex pin/passphrase doesn't matter, perhaps. When the implementation stores your private key encrypted by pin/passphrase and the hardware is relatively weak by physical attacks, pin/passphrase with enough entropy still makes sense (somehow). Suppose I have a practice to use my token everyday and I always make sure having it, so that I can know its non-existence. Then, when I lost my token, if I could believe that it would take a week (to break the token phisically + to break encryption by brute force) by complex passphrase, it makes sense for me. -- From gniibe at fsij.org Tue Dec 1 05:16:51 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 01 Dec 2015 13:16:51 +0900 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> Message-ID: <565D1F33.4090206@fsij.org> On 12/01/2015 08:19 AM, the2nd at otpme.org wrote: > So are any devs reading on this list? The problem is reproducible > and i am willing to help debugging and whatever is needed to fix the > issue. :) Yes. It is not reproducible for me. I'm using OpenSSH 6.9p1. >> i've done some more testing and found out that the problem starts to >> exist with openssh version 6.8p1. With 6.7p1 everything works perfect. >> I downloaded the openssh tarballs one by one, compiled with >> ./configure;make and just copied the "ssh" binary. >> >> I was able to reproduce the problem with the following steps: >> >> 1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support >> --log-file ~/.gnupg/gpg-agent.log) >> 2. Login to any host with your SSH key and keep the session open: ssh >> -l root localhost >> 3. Plug your yubikey out/in >> 4. Try to login with your SSH key to any other host Do you have multiple gpg-agent when you encounter failure? Or multiple scdaemon? -- From andrewg at andrewg.com Tue Dec 1 09:41:00 2015 From: andrewg at andrewg.com (Andrew Gallagher) Date: Tue, 1 Dec 2015 08:41:00 +0000 Subject: problems decrypting ASCII-armored file In-Reply-To: <565CEBCA.5000008@sixdemonbag.org> References: <565CEBCA.5000008@sixdemonbag.org> Message-ID: >> On 11/30/15 5:41 PM, Andrew Gallagher wrote: >> That's a Unicode byte order mark. Strictly, it should only be used in >> UTF-16 documents but in the real world it's commonly used to mark any >> Unicode file.... > > It's a UTF-16BE BOM, you mean. The UTF-8 BOM is 0xEF 0xBB 0xBF. > > It's a little weird. You don't see much UTF-16BE out there. It's the same thing. One is just a different encoding of the other. The OP's software is obviously Unicode-capable as it displayed the unknown character as a U+xxxx code point. The underlying code point is identical no matter which encoding is being used. The only time you would see the raw utf-8 bytes would be if the software was Unicode-incapable or if the locale was set incorrectly, leading it to be interpreted as a sequence of bytes. Andrew From peter at digitalbrains.com Tue Dec 1 11:24:05 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 01 Dec 2015 11:24:05 +0100 Subject: Why gpg 2.1.9 cannot export secret key without passphrase? In-Reply-To: <565CD38E.4060408@gmail.com> References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire> <56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com> <565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com> Message-ID: <565D7545.60007@digitalbrains.com> On 30/11/15 23:54, Andrey Utkin wrote: > Could you please direct me to exact S2K-stuff modes for exporting it > which would be compliant with earlier GnuPG branches 1.4 and 2.0? > [...] > But for unattended processing cases, I'd like a mode that makes utils > skip all passphrase entry prompts. I guess the no-encryption case > ("trivially cracked by anyone") is needed here. Which of the > mentioned modes was used in 1.4 and 2.0 for exporting without > passphrase? "Trivially cracked" implies that there is something to crack. That would be the silly case with the empty string as the password. Instead, the first octet in the secret part of the secret key packet indicates whether to use an S2K or not: >From [1]: > - One octet indicating string-to-key usage conventions. Zero > indicates that the secret-key data is not encrypted. 255 or 254 > indicates that a string-to-key specifier is being given. Any > other value is a symmetric-key encryption algorithm identifier. The "any other" stuff is ancient legacy stuff, and MUST NOT be produced by a conforming implementation. This byte is zero when there is no encryption, and the following bytes are just the plaintext version of the secret parts: > - Plain or encrypted multiprecision integers comprising the secret > key data. These algorithm-specific fields are as described > below. In this case, read it as "plain multiprecision integers ...". HTH, Peter. [1] http://tools.ietf.org/html/rfc4880#section-5.5.3 -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From jayson.barker at gmail.com Tue Dec 1 10:35:28 2015 From: jayson.barker at gmail.com (Jay Barker) Date: Tue, 1 Dec 2015 09:35:28 +0000 Subject: Malware detected In-Reply-To: References: Message-ID: I would suggest you check the SHA1 or SHA256 checksum for the exe you downloaded, the checksums are provided in this release note from the developers: http://lists.wald.intevation.org/pipermail/gpg4win-announce/2015-November/000067.html On 30 November 2015 at 22:34, Dale Sander wrote: > I downloaded gpupg for windows, during the installation Webroot Endpoint > Protection reported that GSPAWN-WIN32-HELPER.EXE was infected with > W32.Malware.Gen and was blocked.. has the source code been infected or is > this some kind of false detection? > > Thank you, > > Dale > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From the2nd at otpme.org Tue Dec 1 11:55:38 2015 From: the2nd at otpme.org (the2nd at otpme.org) Date: Tue, 01 Dec 2015 11:55:38 +0100 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <565D1F33.4090206@fsij.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> Message-ID: <7e34851165fa63d62952f2a66440e567@otpme.org> There is just one gpg-agent + scdaemon. Do you keep the first SSH session open when re-plugging the yubikey? If i close the first session do problem does not occur. On 2015-12-01 05:16, NIIBE Yutaka wrote: > On 12/01/2015 08:19 AM, the2nd at otpme.org wrote: >> So are any devs reading on this list? The problem is reproducible >> and i am willing to help debugging and whatever is needed to fix the >> issue. :) > > Yes. > > It is not reproducible for me. I'm using OpenSSH 6.9p1. > >>> i've done some more testing and found out that the problem starts to >>> exist with openssh version 6.8p1. With 6.7p1 everything works >>> perfect. >>> I downloaded the openssh tarballs one by one, compiled with >>> ./configure;make and just copied the "ssh" binary. >>> >>> I was able to reproduce the problem with the following steps: >>> >>> 1. Start gpg-agent: eval $(gpg-agent --daemon --enable-ssh-support >>> --log-file ~/.gnupg/gpg-agent.log) >>> 2. Login to any host with your SSH key and keep the session open: ssh >>> -l root localhost >>> 3. Plug your yubikey out/in >>> 4. Try to login with your SSH key to any other host > > Do you have multiple gpg-agent when you encounter failure? Or > multiple scdaemon? From wk at gnupg.org Tue Dec 1 13:09:28 2015 From: wk at gnupg.org (Werner Koch) Date: Tue, 01 Dec 2015 13:09:28 +0100 Subject: problems decrypting ASCII-armored file In-Reply-To: (Andrew Gallagher's message of "Tue, 1 Dec 2015 08:41:00 +0000") References: <565CEBCA.5000008@sixdemonbag.org> Message-ID: <87k2oypdzb.fsf@vigenere.g10code.de> On Tue, 1 Dec 2015 09:41, andrewg at andrewg.com said: > point is identical no matter which encoding is being used. The only > time you would see the raw utf-8 bytes would be if the software was > Unicode-incapable or if the locale was set incorrectly, leading it to > be interpreted as a sequence of bytes. Would it be worth to detect this corner case and ignore the BOM? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From andrewg at andrewg.com Tue Dec 1 13:20:12 2015 From: andrewg at andrewg.com (Andrew Gallagher) Date: Tue, 01 Dec 2015 12:20:12 +0000 Subject: problems decrypting ASCII-armored file In-Reply-To: <87k2oypdzb.fsf@vigenere.g10code.de> References: <565CEBCA.5000008@sixdemonbag.org> <87k2oypdzb.fsf@vigenere.g10code.de> Message-ID: <565D907C.7040302@andrewg.com> On 01/12/15 12:09, Werner Koch wrote: > On Tue, 1 Dec 2015 09:41, andrewg at andrewg.com said: > >> point is identical no matter which encoding is being used. The only >> time you would see the raw utf-8 bytes would be if the software was >> Unicode-incapable or if the locale was set incorrectly, leading it to >> be interpreted as a sequence of bytes. > > Would it be worth to detect this corner case and ignore the BOM? I think so. The use of BOM as a UTF-8 marker is not going to go away any time soon... Andrew. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From mail at joed.hu Tue Dec 1 13:16:57 2015 From: mail at joed.hu (=?iso-8859-2?Q?Dubravszky_J=F3zsef?=) Date: Tue, 1 Dec 2015 13:16:57 +0100 Subject: gpg-agent protocol Message-ID: <005a01d12c32$300b7820$90226860$@joed.hu> Hello, Before I do any coding or trials I would like to clear some GPG4Win questions. Atsuhiko Yamanaka made an excellent Eclipse SSH agent plugin (https://github.com/ymnk/jsch-agent-proxy) to proxy SSH agents to Eclipse subsystems. Currently it supports ssh-agent on Linux and Pageant on Windows. As of GPG4Win 2.2 the gpg-agent.exe can function as an SSH agent for Putty. It would be just awesome to be able to use gpg-agent.exe in Eclipse. For that, a connector needs to be developed but first I would like to get information on how could I "talk to" the gpg-agent.exe? The Pageant connector uses Win32 shared memory operations. My question might sound silly, but is there anything that would prevent me writing a connector that uses the same Win32 shared memory operations based protocol? I also recognized that on Windows an S.gpg-agent.ssh file is created in the users roaming AppData (C:\Users\USERNAME\AppData\Roaming\gnupg\S.gpg-agent.ssh), that pretty much resembles a Unix socket. As far as I know there is no such compatible domain socket on Windows, but what is this file then? Thank you for your help. BR, joe From Jonathan-Harbord at marubeni.com Tue Dec 1 14:50:53 2015 From: Jonathan-Harbord at marubeni.com (Harbord Jonathan-EURITEC) Date: Tue, 1 Dec 2015 13:50:53 +0000 Subject: Provide user PIN to gpg-agent? Message-ID: Is it possible to pass the user PIN of a smartcard to gpg-agent in a command? I'd like to stop the pinentry program appearing for an automated system. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Tue Dec 1 14:54:44 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 1 Dec 2015 08:54:44 -0500 Subject: problems decrypting ASCII-armored file In-Reply-To: References: <565CEBCA.5000008@sixdemonbag.org> Message-ID: <565DA6A4.1090501@sixdemonbag.org> > It's the same thing. One is just a different encoding of the other. Ah, I read it as being straight-up hex, not a code point. Thank you. :) From rjh at sixdemonbag.org Tue Dec 1 21:47:32 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 1 Dec 2015 15:47:32 -0500 Subject: New FAQ items Message-ID: <565E0764.9060509@sixdemonbag.org> 1. A new user contacted me via email to point out there was no FAQ entry about whether there's anything to be done about a lost passphrase. I added a FAQ entry for this, with text that basically amounted to "if you truly can't remember your passphrase then we can't help you, revoke your certificate with a pre-made revocation certificate and start anew." If anyone has better suggestions (that don't amount to "well, have you tried all permutations of what you think the passphrase was?"), please let me know. :) 2. GNU contacted me via email asking for a FAQ entry about how to use GnuPG to verify downloaded software. This was present in a prior iteration of the FAQ but not this re-written one, so I figured it was an unobjectionable addition. I would normally present things on the list before pushing to Git, but GNU's keen on a fast turnaround on #2. If you're interested in the FAQ, give it a day or so for the HTML version of it to get generated and check out the new entries. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Tue Dec 1 21:52:41 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 1 Dec 2015 15:52:41 -0500 Subject: Insecure memory message on PC-BSD In-Reply-To: <5657942F.7000807@cajuntechie.org> References: <5657942F.7000807@cajuntechie.org> Message-ID: <565E0899.6010609@sixdemonbag.org> > Hey Everyone, Hey, Anthony. Sorry for the long-delayed response: I'm just now crawling out from beneath my backlog. > I'm using PC-BSD 10.2 and I get the message "using insecure memory!" > when I type gpg2 at the terminal. Is this a major issue or is it > something I can (usually) ignore? Is there a way to use "secure" memory? Some operating systems allow GnuPG more low-level control over memory. Others don't, and these other systems get the insecure memory warning. However, it's pretty hard to exploit insecure memory without root privileges -- and if your attacker has root privileges on your machine then it's all over anyway. In my own environment, I don't care about this. It's a nonissue. You can disable the warning by putting no-secmem-warning in your gpg.conf file. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Tue Dec 1 21:55:21 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 1 Dec 2015 15:55:21 -0500 Subject: Malware detected In-Reply-To: References: Message-ID: <565E0939.7090309@sixdemonbag.org> > I downloaded gpupg for windows, during the installation Webroot Endpoint > Protection reported that GSPAWN-WIN32-HELPER.EXE was infected with > W32.Malware.Gen and was blocked.. has the source code been infected or > is this some kind of false detection? I'd be happy to look into this for you, but I'm going to need to know specifically which version of GnuPG for Windows you downloaded and where you downloaded it from (a link would be best). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From kristian.fiskerstrand at sumptuouscapital.com Tue Dec 1 21:51:50 2015 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Tue, 1 Dec 2015 21:51:50 +0100 Subject: New FAQ items In-Reply-To: <565E0764.9060509@sixdemonbag.org> References: <565E0764.9060509@sixdemonbag.org> Message-ID: <565E0866.6060601@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/01/2015 09:47 PM, Robert J. Hansen wrote: > 1. A new user contacted me via email to point out there was no > FAQ entry about whether there's anything to be done about a lost > passphrase. I added a FAQ entry for this, with text that > basically amounted to "if you truly can't remember your passphrase > then we can't help you, revoke your certificate with a pre-made > revocation certificate and start anew." If anyone has better > suggestions (that don't amount to "well, have you tried all > permutations of what you think the passphrase was?"), please let me > know. :) Would a reference to nasty[0] or other tools to aid such brute-force attacks be useful in this context? Reference: [0] http://freecode.com/projects/nasty - -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Donec eris sospes, multos numerabis amicos. Tempora si fuerint nubila, solus eris. As long as you are wealthy,you will have many friends. When the tough times come, you will be left alone -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJWXghhAAoJECULev7WN52F5+AH/iHpwr7O6VveZkU7qEolvoIh LtN04Z0DHr9vrjwylhiqjKx0q9GeUy9nMoFXV6Aaz6b6SvLgqjTmeHVrCg6URA8C 5DAxgQdwmYvvPLbZbH+Ttg4MQpeHGopC9NsVKv0qcwwgybKJsINLMUlxbIqYtRlb rtOofFZVZa7eDf/PhxM5OOasyFGU08MX/cE8IcBuM+k2OmbrKgn9/En0A2Eh3vzx NABXhKVBuGD35lFeAzSQTRHhNNczQVlBEQ5Ezk4w8RdWF7UhhrNeKKfX6hvE7pKv s4nS4pmsQ/jb2wjp+pFV9GU8wVw9HM6VV27p8RLJhe0pYwZ9hI+0M6nw5z8DSkw= =Vjs4 -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Tue Dec 1 22:01:42 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 1 Dec 2015 16:01:42 -0500 Subject: New FAQ items In-Reply-To: <565E0866.6060601@sumptuouscapital.com> References: <565E0764.9060509@sixdemonbag.org> <565E0866.6060601@sumptuouscapital.com> Message-ID: <565E0AB6.10406@sixdemonbag.org> > Would a reference to nasty[0] or other tools to aid such brute-force > attacks be useful in this context? I thought about it but decided against it. I've never heard of someone successfully using nasty to recover their passphrase. I hate to recommend a tool where I can't point to a single user who's had a good experience with it. I'm not saying they don't exist. Just that if they do exist, I don't know about them, and for that reason I feel I can't recommend the tool. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From kristian.fiskerstrand at sumptuouscapital.com Tue Dec 1 22:00:29 2015 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Tue, 1 Dec 2015 22:00:29 +0100 Subject: New FAQ items In-Reply-To: <565E0AB6.10406@sixdemonbag.org> References: <565E0764.9060509@sixdemonbag.org> <565E0866.6060601@sumptuouscapital.com> <565E0AB6.10406@sixdemonbag.org> Message-ID: <565E0A6D.4030800@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/01/2015 10:01 PM, Robert J. Hansen wrote: >> Would a reference to nasty[0] or other tools to aid such >> brute-force attacks be useful in this context? > > I thought about it but decided against it. I've never heard of > someone successfully using nasty to recover their passphrase. I > hate to recommend a tool where I can't point to a single user who's > had a good experience with it. I've hard of a few users with good experiences using it, but it has always been in the context of rotation of several known password string using separators and number paddings etc so they have been able to build a good pattern to base it on - -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Donec eris sospes, multos numerabis amicos. Tempora si fuerint nubila, solus eris. As long as you are wealthy,you will have many friends. When the tough times come, you will be left alone -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJWXgpoAAoJECULev7WN52FX4wH/0yE7XgBLbF4TKWBBxYR0Gv6 mgYtqSq7/3cmXWkUmw2Oz5me63T9NKyA/j+KeTdWoOskryCDvU46X5I3OVf26lkV 4hFQl0rS5qMT3vtyK7wu8W53Ry6JcBIOhbjk2nQ3zCcVhMYEZBlxPCVcCI0KDorD 7H8C+tBpmsqLhHHP3RzDWQWkdNfFsSbJda+0Gvemt9hE52COCKEp0HqM42c4Grwp t2UOqq2yL4Wq6bWtKZbp3OS6+NCrkYyOA5lb5UOFVypCTIkj7isskhSPSufzoe6L Hf+YnJM8hKbv/r+4B/yRts/Uf64uKEgq3czkO9NEof9RxUbXhoN7CBkKjfdnjIU= =nozz -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Tue Dec 1 22:08:18 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 1 Dec 2015 16:08:18 -0500 Subject: New FAQ items In-Reply-To: <565E0A6D.4030800@sumptuouscapital.com> References: <565E0764.9060509@sixdemonbag.org> <565E0866.6060601@sumptuouscapital.com> <565E0AB6.10406@sixdemonbag.org> <565E0A6D.4030800@sumptuouscapital.com> Message-ID: <565E0C42.1040008@sixdemonbag.org> > I've hard of a few users with good experiences using it... Good enough for me. I'll adjust the language and submit a revision to the list for review. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From gniibe at fsij.org Wed Dec 2 04:07:12 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 02 Dec 2015 12:07:12 +0900 Subject: Provide user PIN to gpg-agent? In-Reply-To: References: Message-ID: <565E6060.3080806@fsij.org> On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote: > Is it possible to pass the user PIN of a smartcard to gpg-agent in a command? > > I'd like to stop the pinentry program appearing for an automated system. Please note that I don't have any experience like that, and I don't generally recommend such a usage. In general, we can provide a special application specific pinentry program for such a special purpose. In GnuPG 2.1.x, there is allow-loopback-pinentry option. When enabled it by .gnupg/gpg-agent.conf or as an argument invoking gpg-agent, we can do something like: gpg-connect-agent \ "OPTION pinentry-mode=loopback" '/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \ "SCD CHECKPIN " /bye having a file /tmp/passphrase-for-smartcard, where is the one in the output of 'gpg --card-status' like: Application ID ...: D276000124010200F517000000010000 Substitute by D276000124010200F517000000010000. Please try. -- From gniibe at fsij.org Wed Dec 2 08:16:08 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 02 Dec 2015 16:16:08 +0900 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <7e34851165fa63d62952f2a66440e567@otpme.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> Message-ID: <1449040568.9848.1.camel@fsij.org> On 2015-12-01 at 11:55 +0100, the2nd at otpme.org wrote: > There is just one gpg-agent + scdaemon. OK. > Do you keep the first SSH session open when re-plugging the yubikey? I don't use Yubikey.??I use OpenPGPcard with card reader and Gnuk Token.??If you think your problem is Yubikey specific, it would be good to ask Yubikey community. I keep the SSH session when I remove my token, re-insert it and.??I also tried with the setting of 'ForwardAgent yes' in .ssh/config and used SSH to another remote host.??But I can't reproduce. To debug your situation, please add 'verbose' in your .gnupg/gpg-agent.conf and create a file .gnupg/scdaemon.conf with: ===================== debug-level guru debug-all log-file /tmp/scd.log ===================== Before your experiment, please set your PIN by default one, because the scd.log file will include your PIN information. -- From gnupg at raf.org Wed Dec 2 11:13:55 2015 From: gnupg at raf.org (gnupg at raf.org) Date: Wed, 2 Dec 2015 21:13:55 +1100 Subject: gpg-preset-passphrase: problem setting the gpg-agent options [caused by empty $DISPLAY] Message-ID: <20151202101355.GA30221@raf.org> Hi, ubuntu-14.04.3 LTS gnupg-1.4.16-1ubuntu2.3 gnupg2-2.0.22-3ubuntu1.3 gnupg-agent-2.0.22-3ubuntu1.3 I've just started using gpg-agent and gpg-preset-passphrase to store a passphrase briefly. Yesterday, this was working fine on two hosts. Today, it stopped working on one of them. The gpg-agent command looks like: $ /usr/bin/screen -- \ > /usr/bin/sudo -u thing --set-home -- \ > /usr/bin/gpg-agent \ > --homedir /etc/thing/.gnupg \ > --write-env-file /etc/thing/run/.gpg-agent-info \ > --allow-preset-passphrase \ > --daemon -- \ > /bin/bash --login And the gpg-preset-passphrase command looks like: $ gpg_cache_id="`/usr/bin/gpg --homedir /etc/thing/.gnupg --fingerprint --fingerprint thing at example.com | grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`" $ my-ask-password 'Enter the GPG passphrase:' | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id" The gpg-preset-passphrase command is executed from within the .bash_login script that is executed by bash that is run by gpg-agent in the first command above. So yesterday, this worked perfectly. Today, when I try it, I get: Enter the GPG passphrase: gpg-preset-passphrase: problem setting the gpg-agent options gpg-preset-passphrase: caching passphrase failed: Invalid response Is there any way to find out what the problem was? I couldn't find any log messages with more information and adding the -v option to gpg-preset-passphrase didn't add anything. There's nothing wrong with the cache id. It hasn't changed since yesterday. Hang on, I've found out what caused it: $ DISPLAY= Yesterday, I was logged into the problem host from the same LAN so I had $DISPLAY set. Today, I'm logged in from further way and cleared $DISPLAY to prevent slow X11 traffic. When I turn off X11, I do it by setting DISPLAY to the empty string. That has always worked for all other programs but it seems that gpg-preset-passphrase is assuming that if $DISPLAY exists, then it must contain something useful and, if not, it runs into problems. At least that's what it seems like. If I do the following instead: $ unset DISPLAY Then gpg-preset-passphrase works fine. It seems to me to be a buglet in gpg-preset-passphrase because it's the only program I've encountered that doesn't treat an empty $DISPLAY the same as an absent $DISPLAY. This also applies to: debian-8 gnupg-1.4.18-7 gnupg2-2.0.26-6 gnupg-agent-2.0.26-6 But at least I know now what not to do to keep it working. :-) cheers, raf From the2nd at otpme.org Wed Dec 2 12:36:02 2015 From: the2nd at otpme.org (the2nd at otpme.org) Date: Wed, 02 Dec 2015 12:36:02 +0100 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <1449040568.9848.1.camel@fsij.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> <1449040568.9848.1.camel@fsij.org> Message-ID: <87641f45c044ba0aaecd7669ae979cd2@otpme.org> Hi, here is the output for a failed session and a working one (with openssh 6.7p1). Both times i started two ssh sessions, keeping the first one open. Failed gpg-agent.log - http://paste.ubuntu.com/13620856/ scd.log - http://paste.ubuntu.com/13620863/ OK gpg-agent.log - http://paste.ubuntu.com/13621007/ scd.log - http://paste.ubuntu.com/13621013/ I am unsure if it is yubikey specific but as it is working with older openssh versions i guess its some bug thats related to any openssh changes. The log always shows "error getting default authentication keyID of card: Conflicting use" when the problem occurs. If you say that this is not a gnupg issue i'll ask the yubico folks. But it would be really great to get any hint what could be the problem from someone who is familiar with the technical details. :) regards the2nd On 2015-12-02 08:16, NIIBE Yutaka wrote: > On 2015-12-01 at 11:55 +0100, the2nd at otpme.org wrote: >> There is just one gpg-agent + scdaemon. > > OK. > >> Do you keep the first SSH session open when re-plugging the yubikey? > > I don't use Yubikey.??I use OpenPGPcard with card reader and Gnuk > Token.??If you think your problem is Yubikey specific, it would be > good to ask Yubikey community. > > I keep the SSH session when I remove my token, re-insert it and.??I > also tried with the setting of 'ForwardAgent yes' in .ssh/config and > used SSH to another remote host.??But I can't reproduce. > > To debug your situation, please add 'verbose' in your > .gnupg/gpg-agent.conf and create a file .gnupg/scdaemon.conf with: > > ===================== > debug-level guru > debug-all > log-file /tmp/scd.log > ===================== > > Before your experiment, please set your PIN by default one, because > the scd.log file will include your PIN information. From gniibe at fsij.org Wed Dec 2 14:26:29 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 02 Dec 2015 22:26:29 +0900 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <87641f45c044ba0aaecd7669ae979cd2@otpme.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> <1449040568.9848.1.camel@fsij.org> <87641f45c044ba0aaecd7669ae979cd2@otpme.org> Message-ID: <1449062789.2160.3.camel@fsij.org> On 2015-12-02 at 12:36 +0100, the2nd at otpme.org wrote: > here is the output for a failed session and a working one (with > openssh > 6.7p1). > Both times i started two ssh sessions, keeping the first one open. Thank you very much. > Failed > gpg-agent.log - http://paste.ubuntu.com/13620856/ There are three connections from SSH: ? (1) handler 0x557c807ec310 for fd 8 ? (2) handler 0x557c807eebb0 for fd 10 ? (3) handler 0x557c807eeb80 for fd 10 (fd 10 re-used) ??????????????token removed ??????| ??????????????v ???(1) ------------------> ????????(2)--> ???????(3)------> ??????????????????******---- conflicting use > scd.log - http://paste.ubuntu.com/13620863/ There are two connections from gpg-agent: ? (a) chan_7 from (1) ? (b) chan_9 from (3) ??????????????token removed ??????| ??????????????v ?????(a) ------------------> ????????(b)------> ???????????????????******---- conflicting use The connection from SSH remains in gpg-agent by some reason.??This is the reason why the connection from gpg-agent remains in Scdaemon, which results conflicting use. Anyway, when Scdaemon detects card/token removal, it could finish existing connection(s).??I'll consider fixing this. I don't know the exact reason why connection from SSH remains, though. > I am unsure if it is yubikey specific but as it is working with older > openssh versions i guess its some bug thats related to any openssh > changes. >From the logs, I don't think it's yubikey specific. > If you say that this is not a gnupg issue i'll ask the yubico folks. > But it would be really great to get any hint what could be the > problem > from someone who is familiar with the technical details. :) This is GnuPG issue, specifically, Scdaemon issue. -- From Jonathan-Harbord at marubeni.com Wed Dec 2 15:29:19 2015 From: Jonathan-Harbord at marubeni.com (Harbord Jonathan-EURITEC) Date: Wed, 2 Dec 2015 14:29:19 +0000 Subject: Provide user PIN to gpg-agent? In-Reply-To: <565E6060.3080806@fsij.org> References: <565E6060.3080806@fsij.org> Message-ID: Niibe-san Thank you so much for your help! It worked. I was using gpg4win, which of course does not include v2.1. I need to download the windows version from gnupg.org. I had some difficulty with the syntax of a windows batch file but eventually succeeded with gpg-connect-agent.exe --run Where contained: OPTION pinentry-mode=loopback /definqfile PASSPHRASE SCD CHECKPIN /bye And where was the ID of the card from gpg --card-status as you suggested, and was a file containing the PIN. Thank you again for your kind advice. -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of NIIBE Yutaka Sent: 02 December 2015 03:07 To: gnupg-users at gnupg.org Subject: Re: Provide user PIN to gpg-agent? On 12/01/2015 10:50 PM, Harbord Jonathan-EURITEC wrote: > Is it possible to pass the user PIN of a smartcard to gpg-agent in a command? > > I'd like to stop the pinentry program appearing for an automated system. Please note that I don't have any experience like that, and I don't generally recommend such a usage. In general, we can provide a special application specific pinentry program for such a special purpose. In GnuPG 2.1.x, there is allow-loopback-pinentry option. When enabled it by .gnupg/gpg-agent.conf or as an argument invoking gpg-agent, we can do something like: gpg-connect-agent \ "OPTION pinentry-mode=loopback" '/definqfile PASSPHRASE /tmp/passphrase-for-smartcard' \ "SCD CHECKPIN " /bye having a file /tmp/passphrase-for-smartcard, where is the one in the output of 'gpg --card-status' like: Application ID ...: D276000124010200F517000000010000 Substitute by D276000124010200F517000000010000. Please try. -- _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From the2nd at otpme.org Wed Dec 2 15:35:32 2015 From: the2nd at otpme.org (the2nd at otpme.org) Date: Wed, 02 Dec 2015 15:35:32 +0100 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <1449062789.2160.3.camel@fsij.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> <1449040568.9848.1.camel@fsij.org> <87641f45c044ba0aaecd7669ae979cd2@otpme.org> <1449062789.2160.3.camel@fsij.org> Message-ID: <974725082684833653e68c6ca4fe7ee9@otpme.org> On 2015-12-02 14:26, NIIBE Yutaka wrote: > On 2015-12-02 at 12:36 +0100, the2nd at otpme.org wrote: >> here is the output for a failed session and a working one (with >> openssh >> 6.7p1). >> Both times i started two ssh sessions, keeping the first one open. > > Thank you very much. No problem. I'm glad to help out and probably get a fix for this annoying issue. :) > > >> Failed >> gpg-agent.log - http://paste.ubuntu.com/13620856/ > > There are three connections from SSH: > > ? (1) handler 0x557c807ec310 for fd 8 > ? (2) handler 0x557c807eebb0 for fd 10 > ? (3) handler 0x557c807eeb80 for fd 10 (fd 10 re-used) > > ??????????????token removed > ??????| > ??????????????v > ???(1) ------------------> > ????????(2)--> > ???????(3)------> > ??????????????????******---- conflicting use > >> scd.log - http://paste.ubuntu.com/13620863/ > > There are two connections from gpg-agent: > > ? (a) chan_7 from (1) > ? (b) chan_9 from (3) > > ??????????????token removed > ??????| > ??????????????v > ?????(a) ------------------> > ????????(b)------> > ???????????????????******---- conflicting use > > > The connection from SSH remains in gpg-agent by some reason.??This is > the reason why the connection from gpg-agent remains in Scdaemon, > which results conflicting use. > > Anyway, when Scdaemon detects card/token removal, it could finish > existing connection(s).??I'll consider fixing this. Sounds good. Should i open a bug report for this? > > I don't know the exact reason why connection from SSH remains, though. > >> I am unsure if it is yubikey specific but as it is working with older >> openssh versions i guess its some bug thats related to any openssh >> changes. > > From the logs, I don't think it's yubikey specific. > >> If you say that this is not a gnupg issue i'll ask the yubico folks. >> But it would be really great to get any hint what could be the >> problem >> from someone who is familiar with the technical details. :) > > This is GnuPG issue, specifically, Scdaemon issue. Is there any workaround we can apply to fix this issue? Currently i am using a self compiled ssh client binary of openssh 6.7p1 as workaround. Thanks a lot for your help. Regards the2nd From Cathy.Smith at pnnl.gov Wed Dec 2 21:12:55 2015 From: Cathy.Smith at pnnl.gov (Smith, Cathy) Date: Wed, 2 Dec 2015 20:12:55 +0000 Subject: question about gpg2 and passphrase Message-ID: I need to be able to decrypt a file using gpg2 in batch. I have a customer who requires us to provide a public key that is RSA 2048 bit. I have RHEL6 available which provides gpg 2.0.14 to create the key pair. However, I?ve not been able to use gpg2 in batch to provide the passphrase to decrypt a file. It wants an interactive prompt for the passphrase. I?ve tried some things that I?ve read on-line without any success. Is there a way to configure gpg2 to accept a passphrase in batch? Thanks for your help. Cathy -- Cathy L. Smith IT Engineer, CISSP Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.4399 Email: cathy.smith at pnnl.gov -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrey.od.utkin at gmail.com Thu Dec 3 00:18:23 2015 From: andrey.od.utkin at gmail.com (Andrey Utkin) Date: Thu, 3 Dec 2015 01:18:23 +0200 Subject: question about gpg2 and passphrase In-Reply-To: References: Message-ID: <565F7C3F.7020801@gmail.com> On 02.12.2015 22:12, Smith, Cathy wrote: > I need to be able to decrypt a file using gpg2 in batch. I have a > customer who requires us to provide a public key that is RSA 2048 bit. > I have RHEL6 available which provides gpg 2.0.14 to create the key > pair. However, I?ve not been able to use gpg2 in batch to provide the > passphrase to decrypt a file. It wants an interactive prompt for the > passphrase. I?ve tried some things that I?ve read on-line without any > success. Is there a way to configure gpg2 to accept a passphrase in > batch? Hi, Have you tried generating a key with empty passphrase? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From lists at theflorys.org Thu Dec 3 00:18:46 2015 From: lists at theflorys.org (David) Date: Wed, 2 Dec 2015 18:18:46 -0500 Subject: Cannot revoke a certificate Message-ID: <565F7C56.2080901@theflorys.org> I am trying to revoke a very old certificate that may be compromised. I generated a revocation certificate using the following gpg command with no errors. I did get a warning about MD5 being deprecated. C:\Users\David> gpg --output kill7827.asc --gen-revoke 80942C8D However, I cannot use it. Here is the output: C:\Users\David> gpg --import .\kill7827.asc gpg: Note: signatures using the MD5 algorithm are rejected gpg: key 80942C8D: invalid revocation certificate: Invalid digest algorithm - rejected gpg: error reading `.\\kill7827.asc': Invalid digest algorithm gpg: import from `.\\kill7827.asc' failed: Invalid digest algorithm gpg: Total number processed: 0 C:\Users\David> How do I force gpg to accept the revocation? Or, how do I revoke the old key? Win10 GnuPG 2.0.29 (Gpg4Win 2.3.0) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 595 bytes Desc: OpenPGP digital signature URL: From gniibe at fsij.org Thu Dec 3 03:54:27 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Thu, 03 Dec 2015 11:54:27 +0900 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <974725082684833653e68c6ca4fe7ee9@otpme.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> <1449040568.9848.1.camel@fsij.org> <87641f45c044ba0aaecd7669ae979cd2@otpme.org> <1449062789.2160.3.camel@fsij.org> <974725082684833653e68c6ca4fe7ee9@otpme.org> Message-ID: <565FAEE3.9030602@fsij.org> On 12/02/2015 11:35 PM, the2nd at otpme.org wrote: > No problem. I'm glad to help out and probably get a fix for this annoying issue. :) Thanks for your patience. >> Anyway, when Scdaemon detects card/token removal, it could finish >> existing connection(s). I'll consider fixing this. > > Sounds good. Should i open a bug report for this? Not needed. It's fixed in master. I'm going to backport this to 2.0. The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3 > Is there any workaround we can apply to fix this issue? Currently i > am using a self compiled ssh client binary of openssh 6.7p1 as > workaround. Well, I found another bug with PC/SC. Because of this bug, it is sometimes (not always) possible for gpg not to raise the error of "Conflicting usage". So, it would be a workaround to disable internal ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.) Here is a backport patch which I'm considering to apply to 2.0. Thank you again for your cooperation fixing this long standing bug. ========================= diff --git a/scd/apdu.c b/scd/apdu.c index f9a1a2d..acca799 100644 --- a/scd/apdu.c +++ b/scd/apdu.c @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot) return SW_HOST_NO_DRIVER; sw = apdu_disconnect (slot); if (sw) - return sw; + { + /* + * When the reader/token was removed it might come here. + * It should go through to call CLOSE_READER even if we got an error. + */ + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw); + } if (reader_table[slot].close_reader) return reader_table[slot].close_reader (slot); return SW_HOST_NOT_SUPPORTED; diff --git a/scd/app-common.h b/scd/app-common.h index e48db3c..ac2c2e9 100644 --- a/scd/app-common.h +++ b/scd/app-common.h @@ -44,11 +44,6 @@ struct app_ctx_s { operations the particular function pointer is set to NULL */ unsigned int ref_count; - /* Flag indicating that a reset has been done for that application - and that this context is merely lingering and just should not be - reused. */ - int no_reuse; - /* Used reader slot. */ int slot; diff --git a/scd/app.c b/scd/app.c index 742f937..380a347 100644 --- a/scd/app.c +++ b/scd/app.c @@ -190,9 +190,12 @@ application_notify_card_reset (int slot) /* FIXME: We are ignoring any error value here. */ lock_reader (slot, NULL); - /* Mark application as non-reusable. */ + /* Release the APP, as it's not reusable any more. */ if (lock_table[slot].app) - lock_table[slot].app->no_reuse = 1; + { + deallocate_app (lock_table[slot].app); + lock_table[slot].app = NULL; + } /* Deallocate a saved application for that slot, so that we won't try to reuse it. If there is no saved application, set a flag so @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char *name, app_t *r_app) return gpg_error (GPG_ERR_CONFLICT); } - /* Don't use a non-reusable marked application. */ - if (app && app->no_reuse) - { - unlock_reader (slot); - log_info ("lingering application `%s' in use by reader %d" - " - can't switch\n", - app->apptype? app->apptype:"?", slot); - return gpg_error (GPG_ERR_CONFLICT); - } - /* If we don't have an app, check whether we have a saved application for that slot. This is useful so that a card does not get reset even if only one session is using the card - this @@ -506,15 +499,7 @@ release_application (app_t app) if (lock_table[slot].last_app) deallocate_app (lock_table[slot].last_app); - if (app->no_reuse) - { - /* If we shall not re-use the application we can't save it for - later use. */ - deallocate_app (app); - lock_table[slot].last_app = NULL; - } - else - lock_table[slot].last_app = lock_table[slot].app; + lock_table[slot].last_app = lock_table[slot].app; lock_table[slot].app = NULL; unlock_reader (slot); } -- From gnupg at raf.org Thu Dec 3 04:07:06 2015 From: gnupg at raf.org (gnupg at raf.org) Date: Thu, 3 Dec 2015 14:07:06 +1100 Subject: question about gpg2 and passphrase In-Reply-To: <565F7C3F.7020801@gmail.com> References: <565F7C3F.7020801@gmail.com> Message-ID: <20151203030706.GA2875@raf.org> Andrey Utkin wrote: > On 02.12.2015 22:12, Smith, Cathy wrote: > > I need to be able to decrypt a file using gpg2 in batch. I have a > > customer who requires us to provide a public key that is RSA 2048 bit. > > I have RHEL6 available which provides gpg 2.0.14 to create the key > > pair. However, I?ve not been able to use gpg2 in batch to provide the > > passphrase to decrypt a file. It wants an interactive prompt for the > > passphrase. I?ve tried some things that I?ve read on-line without any > > success. Is there a way to configure gpg2 to accept a passphrase in > > batch? > > Hi, > Have you tried generating a key with empty passphrase? Hi, Warning: I am not an expert. I only just found out how to do this myself. If it needs to always work with no intervention and it's safe to leave the key unencrypted on disk permanently (unlikely) then having an empty passphrase is definitely the easy option but if you can't leave the key unencrypted on disk and decryption only needs to occur at certain known times, and it's OK to have someone supply the passphrase in advance, then the following approach might be more appropriate. You can run gpg-agent explicitly as a daemon and use the --allow-preset-passphrase option and then use gpg-preset-passphrase to load a passphrase into it. The gpg-agent command will probably also need the --write-env-file option to store the gpg-agent socket details on disk so other, unrelated processes can connect to the gpg-agent. Here's an example gpg-agent command: $ gpg-agent \ > --homedir /PATH/TO/.gnupg \ > --write-env-file /PATH/TO/.gpg-agent-info \ > --allow-preset-passphrase \ > --max-cache-ttl 7200 \ > --daemon -- \ > bash --login To load the passphrase from within the bash process started above (the double --fingerprint is important because it shows the key we need): $ gpg_cache_id="`gpg --homedir /PATH/TO/.gnupg --fingerprint --fingerprint USER at DOMAIN | grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`" $ systemd-ask-password 'Enter GPG passphrase:' | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id" To load the passphrase from an unrelated process, you would first need to do the following to connect to the gpg-agent before loading the passphrase into gpg-agent as described above: $ . /PATH/TO/.gpg-agent-info $ export GPG_AGENT_INFO The process that needs to perform the decryption would also need to do the above if it is from a process that is unrelated to the bash process started by gpg-agent. e.g.: $ . /PATH/TO/.gpg-agent-info $ export GPG_AGENT_INFO # unset GPG_TTY # This is probably unnecessary $ gpg --batch --quiet --no-greeting --no-tty --use-agent \ > --homedir /PATH/TO/.gnupg --decrypt < ENCRYPTEDFILE > DECRYPTEDFILE Note that the passphrase will stay resident in gpg-agent until gpg-agent terminates, or until it is explicitly forgotten with: /usr/lib/gnupg2/gpg-preset-passphrase --forget "$gpg_cache_id" or until the max-cache-ttl expires, whichever comes first. By default, this is 7200 seconds (i.e. two hours) but it can be increased or decreased on the gpg-agent command line. It's probably a very bad idea to increase it too much and leave the passphrase available permanently. If that were OK, you might as well use an unencrypted key with no passphrase. But if it were OK, there'd be a gpg-agent option to remove the TTL limit altogether, but there is no such option. Notes: The gpg commands above (--fingerprint and --decrypt) should still work if they were changed to gpg2. That's probably more sensible since gpg-agent is a gpg2 thing but gpg works too so I use that. If you don't have systemd-ask-password, you could use ssh-askpass but it requires X11. It only takes a few lines of Perl to implement your own askpass program if needed. Also, don't set $DISPLAY to be empty before running gpg-preset-passphrase. If you need to disable X11, unset DISPLAY instead or gpg-preset-passphrase will give an error: gpg-preset-passphrase: problem setting the gpg-agent options gpg-preset-passphrase: caching passphrase failed: Invalid response Also, the gpg-agent command can be run inside a screen or tmux session so that you can detach from it and reattach to it again later to terminate it. Also, I don't know about RHEL6. The above works on debian-8 and ubuntu-14.04.3 which have gpg2 2.0.26 and 2.0.22, respectively. Hopefully, it will all work on RHEL6 with gpg2 2.0.14 as well. Good luck, raf From lance at lrvick.net Thu Dec 3 04:54:04 2015 From: lance at lrvick.net (Lance R. Vick) Date: Wed, 2 Dec 2015 19:54:04 -0800 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <565FAEE3.9030602@fsij.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> <1449040568.9848.1.camel@fsij.org> <87641f45c044ba0aaecd7669ae979cd2@otpme.org> <1449062789.2160.3.camel@fsij.org> <974725082684833653e68c6ca4fe7ee9@otpme.org> <565FAEE3.9030602@fsij.org> Message-ID: I came up with the following udev rule which, while heavy handed, solves these issues for me: https://gist.github.com/lrvick/d1a5a8e6cf0eefda69d7 On Wed, Dec 2, 2015 at 6:54 PM, NIIBE Yutaka wrote: > On 12/02/2015 11:35 PM, the2nd at otpme.org wrote: > > No problem. I'm glad to help out and probably get a fix for this > annoying issue. :) > > Thanks for your patience. > > >> Anyway, when Scdaemon detects card/token removal, it could finish > >> existing connection(s). I'll consider fixing this. > > > > Sounds good. Should i open a bug report for this? > > Not needed. It's fixed in master. I'm going to backport this to 2.0. > > The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3 > > > Is there any workaround we can apply to fix this issue? Currently i > > am using a self compiled ssh client binary of openssh 6.7p1 as > > workaround. > > Well, I found another bug with PC/SC. Because of this bug, it is > sometimes (not always) possible for gpg not to raise the error of > "Conflicting usage". So, it would be a workaround to disable internal > ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.) > > Here is a backport patch which I'm considering to apply to 2.0. > > Thank you again for your cooperation fixing this long standing bug. > > ========================= > diff --git a/scd/apdu.c b/scd/apdu.c > index f9a1a2d..acca799 100644 > --- a/scd/apdu.c > +++ b/scd/apdu.c > @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot) > return SW_HOST_NO_DRIVER; > sw = apdu_disconnect (slot); > if (sw) > - return sw; > + { > + /* > + * When the reader/token was removed it might come here. > + * It should go through to call CLOSE_READER even if we got an > error. > + */ > + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw); > + } > if (reader_table[slot].close_reader) > return reader_table[slot].close_reader (slot); > return SW_HOST_NOT_SUPPORTED; > diff --git a/scd/app-common.h b/scd/app-common.h > index e48db3c..ac2c2e9 100644 > --- a/scd/app-common.h > +++ b/scd/app-common.h > @@ -44,11 +44,6 @@ struct app_ctx_s { > operations the particular function pointer is set to NULL */ > unsigned int ref_count; > > - /* Flag indicating that a reset has been done for that application > - and that this context is merely lingering and just should not be > - reused. */ > - int no_reuse; > - > /* Used reader slot. */ > int slot; > > diff --git a/scd/app.c b/scd/app.c > index 742f937..380a347 100644 > --- a/scd/app.c > +++ b/scd/app.c > @@ -190,9 +190,12 @@ application_notify_card_reset (int slot) > /* FIXME: We are ignoring any error value here. */ > lock_reader (slot, NULL); > > - /* Mark application as non-reusable. */ > + /* Release the APP, as it's not reusable any more. */ > if (lock_table[slot].app) > - lock_table[slot].app->no_reuse = 1; > + { > + deallocate_app (lock_table[slot].app); > + lock_table[slot].app = NULL; > + } > > /* Deallocate a saved application for that slot, so that we won't > try to reuse it. If there is no saved application, set a flag so > @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const char > *name, app_t *r_app) > return gpg_error (GPG_ERR_CONFLICT); > } > > - /* Don't use a non-reusable marked application. */ > - if (app && app->no_reuse) > - { > - unlock_reader (slot); > - log_info ("lingering application `%s' in use by reader %d" > - " - can't switch\n", > - app->apptype? app->apptype:"?", slot); > - return gpg_error (GPG_ERR_CONFLICT); > - } > - > /* If we don't have an app, check whether we have a saved > application for that slot. This is useful so that a card does > not get reset even if only one session is using the card - this > @@ -506,15 +499,7 @@ release_application (app_t app) > > if (lock_table[slot].last_app) > deallocate_app (lock_table[slot].last_app); > - if (app->no_reuse) > - { > - /* If we shall not re-use the application we can't save it for > - later use. */ > - deallocate_app (app); > - lock_table[slot].last_app = NULL; > - } > - else > - lock_table[slot].last_app = lock_table[slot].app; > + lock_table[slot].last_app = lock_table[slot].app; > lock_table[slot].app = NULL; > unlock_reader (slot); > } > -- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Lance R. Vick __________________________________________________ Cell - 407.283.7596 Gtalk - lance at lrvick.net Website - http://lrvick.net PGP Key - http://lrvick.net/0x36C8AAA9.asc keyserver - subkeys.pgp.net __________________________________________________ -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrey.od.utkin at gmail.com Thu Dec 3 05:25:27 2015 From: andrey.od.utkin at gmail.com (Andrey Utkin) Date: Thu, 3 Dec 2015 06:25:27 +0200 Subject: Why gpg 2.1.9 cannot export secret key without passphrase? In-Reply-To: <565D7545.60007@digitalbrains.com> References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire> <56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com> <565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com> <565D7545.60007@digitalbrains.com> Message-ID: <565FC437.2010209@gmail.com> Thank you for your hints Peter. The following tiny changes allow exporting and importing to succeed https://github.com/andrey-utkin/gnupg/commit/a3b539b6ef7c922b1f1f3f343fdc942086d96c4e Is the approach of using "s2kmode = 0" and "protection sha1" together correct? Shouldn't "protection none" be used? -- OpenPGP usage is appreciated (it also helps your letter to bypass spam filters). To email me with encryption easily, go https://encrypt.to/0xC6FCDB11 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From the2nd at otpme.org Thu Dec 3 12:04:06 2015 From: the2nd at otpme.org (the2nd at otpme.org) Date: Thu, 03 Dec 2015 12:04:06 +0100 Subject: scdaemon lockup with Yubikey NEO In-Reply-To: <565FAEE3.9030602@fsij.org> References: <3a3ecea4beb0c02bc963be57ee991b06@otpme.org> <565D1F33.4090206@fsij.org> <7e34851165fa63d62952f2a66440e567@otpme.org> <1449040568.9848.1.camel@fsij.org> <87641f45c044ba0aaecd7669ae979cd2@otpme.org> <1449062789.2160.3.camel@fsij.org> <974725082684833653e68c6ca4fe7ee9@otpme.org> <565FAEE3.9030602@fsij.org> Message-ID: <8030456070979ca6d09e1d699ffa0279@otpme.org> On 2015-12-03 03:54, NIIBE Yutaka wrote: > On 12/02/2015 11:35 PM, the2nd at otpme.org wrote: >> No problem. I'm glad to help out and probably get a fix for this >> annoying issue. :) > > Thanks for your patience. > >>> Anyway, when Scdaemon detects card/token removal, it could finish >>> existing connection(s). I'll consider fixing this. >> >> Sounds good. Should i open a bug report for this? > > Not needed. It's fixed in master. I'm going to backport this to 2.0. > > The commit is: f42c50dbf00c2e6298ca6830cbe6d36805fa54a3 > >> Is there any workaround we can apply to fix this issue? Currently i >> am using a self compiled ssh client binary of openssh 6.7p1 as >> workaround. > > Well, I found another bug with PC/SC. Because of this bug, it is > sometimes (not always) possible for gpg not to raise the error of > "Conflicting usage". So, it would be a workaround to disable internal > ccid driver of GnuPG and to use PC/SC. (I don't recommend, though.) > > Here is a backport patch which I'm considering to apply to 2.0. > > Thank you again for your cooperation fixing this long standing bug. Thank your for fixing it. :) Currently i will use the udev rule workaround from Lance. Is there any automatism that informs e.g. debian/ubuntu folks about such a backported fix? Does it make sense to open a debian/ubuntu bug report for this with reference to this thread? > > ========================= > diff --git a/scd/apdu.c b/scd/apdu.c > index f9a1a2d..acca799 100644 > --- a/scd/apdu.c > +++ b/scd/apdu.c > @@ -3136,7 +3136,13 @@ apdu_close_reader (int slot) > return SW_HOST_NO_DRIVER; > sw = apdu_disconnect (slot); > if (sw) > - return sw; > + { > + /* > + * When the reader/token was removed it might come here. > + * It should go through to call CLOSE_READER even if we got an > error. > + */ > + log_debug ("apdu_close_reader => 0x%x (apdu_disconnect)\n", sw); > + } > if (reader_table[slot].close_reader) > return reader_table[slot].close_reader (slot); > return SW_HOST_NOT_SUPPORTED; > diff --git a/scd/app-common.h b/scd/app-common.h > index e48db3c..ac2c2e9 100644 > --- a/scd/app-common.h > +++ b/scd/app-common.h > @@ -44,11 +44,6 @@ struct app_ctx_s { > operations the particular function pointer is set to NULL */ > unsigned int ref_count; > > - /* Flag indicating that a reset has been done for that application > - and that this context is merely lingering and just should not be > - reused. */ > - int no_reuse; > - > /* Used reader slot. */ > int slot; > > diff --git a/scd/app.c b/scd/app.c > index 742f937..380a347 100644 > --- a/scd/app.c > +++ b/scd/app.c > @@ -190,9 +190,12 @@ application_notify_card_reset (int slot) > /* FIXME: We are ignoring any error value here. */ > lock_reader (slot, NULL); > > - /* Mark application as non-reusable. */ > + /* Release the APP, as it's not reusable any more. */ > if (lock_table[slot].app) > - lock_table[slot].app->no_reuse = 1; > + { > + deallocate_app (lock_table[slot].app); > + lock_table[slot].app = NULL; > + } > > /* Deallocate a saved application for that slot, so that we won't > try to reuse it. If there is no saved application, set a flag so > @@ -265,16 +268,6 @@ select_application (ctrl_t ctrl, int slot, const > char *name, app_t *r_app) > return gpg_error (GPG_ERR_CONFLICT); > } > > - /* Don't use a non-reusable marked application. */ > - if (app && app->no_reuse) > - { > - unlock_reader (slot); > - log_info ("lingering application `%s' in use by reader %d" > - " - can't switch\n", > - app->apptype? app->apptype:"?", slot); > - return gpg_error (GPG_ERR_CONFLICT); > - } > - > /* If we don't have an app, check whether we have a saved > application for that slot. This is useful so that a card does > not get reset even if only one session is using the card - this > @@ -506,15 +499,7 @@ release_application (app_t app) > > if (lock_table[slot].last_app) > deallocate_app (lock_table[slot].last_app); > - if (app->no_reuse) > - { > - /* If we shall not re-use the application we can't save it for > - later use. */ > - deallocate_app (app); > - lock_table[slot].last_app = NULL; > - } > - else > - lock_table[slot].last_app = lock_table[slot].app; > + lock_table[slot].last_app = lock_table[slot].app; > lock_table[slot].app = NULL; > unlock_reader (slot); > } From peter at digitalbrains.com Thu Dec 3 15:15:59 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 03 Dec 2015 15:15:59 +0100 Subject: Why gpg 2.1.9 cannot export secret key without passphrase? In-Reply-To: <565FC437.2010209@gmail.com> References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire> <56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com> <565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com> <565D7545.60007@digitalbrains.com> <565FC437.2010209@gmail.com> Message-ID: <56604E9F.6070504@digitalbrains.com> On 03/12/15 05:25, Andrey Utkin wrote: > Is the approach of using "s2kmode = 0" and "protection sha1" together > correct? Shouldn't "protection none" be used? Why is all this hackery necessary? Why don't you just install GnuPG 1.4 next to your 2.1, instead of compiling a special hacked 2.1? Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Fri Dec 4 14:06:49 2015 From: wk at gnupg.org (Werner Koch) Date: Fri, 04 Dec 2015 14:06:49 +0100 Subject: [Announce] GnuPG 2.1.10 released Message-ID: <878u5al5w6.fsf@vigenere.g10code.de> Hello! The GnuPG team is pleased to announce the availability of a new release of GnuPG modern: Version 2.1.10. The main features of this release are support for TOFU (Trust-On-First-Use) and anonymous key retrieval via Tor. The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Three different branches of GnuPG are actively maintained: - GnuPG "modern" (2.1) is the latest development with a lot of new features. This announcement is about this branch. - GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are currently using. - GnuPG "classic" (1.4) is the old standalone version which is most suitable for older or embedded platforms. You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions. Noteworthy changes in version 2.1.10 ==================================== * gpg: New trust models "tofu" and "tofu+pgp". * gpg: New command --tofu-policy. New options --tofu-default-policy and --tofu-db-format. * gpg: New option --weak-digest to specify hash algorithms which should be considered weak. * gpg: Allow the use of multiple --default-key options; take the last available key. * gpg: New option --encrypt-to-default-key. * gpg: New option --unwrap to only strip the encryption layer. * gpg: New option --only-sign-text-ids to exclude photo IDs from key signing. * gpg: Check for ambigious or non-matching key specification in the config file or given to --encrypt-to. * gpg: Show the used card reader with --card-status. * gpg: Print export statistics and an EXPORTED status line. * gpg: Allow selecting subkeys by keyid in --edit-key. * gpg: Allow updating the expiration time of multiple subkeys at once. * dirmngr: New option --use-tor. For full support this requires libassuan version 2.4.2 and a patched version of libadns (e.g. adns-1.4-g10-7 as used by the standard Windows installer). * dirmngr: New option --nameserver to specify the nameserver used in Tor mode. * dirmngr: Keyservers may again be specified by IP address. * dirmngr: Fixed problems in resolving keyserver pools. * dirmngr: Fixed handling of premature termination of TLS streams so that large numbers of keys can be refreshed via hkps. * gpg: Fixed a regression in --locate-key [since 2.1.9]. * gpg: Fixed another bug for keyrings with legacy keys. * gpgsm: Allow combinations of usage flags in --gen-key. * Make tilde expansion work with most options. * Many other cleanups and bug fixes. A detailed description of the changes found in the 2.1 branch can be found at . Please be aware that there are still known bugs which we are working on. Check https://bugs.gnupg.org, https://wiki.gnupg.org, and the mailing list archives for known problems and workarounds. Getting the Software ==================== Please follow the instructions found at or read on: GnuPG 2.1.10 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.10.tar.bz2 (5052k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.10.tar.bz2.sig or here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.10.tar.bz2 (5052k) https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.10.tar.bz2.sig An installer for Windows without any graphical frontend except for a basic Pinentry tool is available here: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe (2617k) ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe.sig or here https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe (2617k) https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.10_20151204.exe.sig The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. This Windows installer is missing translations, it has no TOFU support and no HKPS support. However, it fully supports Tor and the Tor browser. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.10.tar.bz2 you would use this command: gpg --verify gnupg-2.1.10.tar.bz2.sig gnupg-2.1.10.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.1.10.tar.bz2, you run the command like this: sha1sum gnupg-2.1.10.tar.bz2 and check that the output matches the next line: 4aa2594d2d364fe7708a9739ae7cebd251e536c4 gnupg-2.1.10.tar.bz2 b86b642390e1bf1b144b84dfabdcd574a56c0ba8 gnupg-w32-2.1.10_20151204.exe 2923d56ac5288570b5503c3038081dc28e6294cd gnupg-w32-2.1.10_20151204.tar.xz Release Signing Keys ==================== To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) You may retrieve these keys from a keyserver using this command gpg --keyserver hkp://keys.gnupg.net --recv-keys \ 249B39D24F25E3B6 04376F3EE0856959 \ 2071B08A33BD3F06 8A861B1C7EFD60D9 The keys are also available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Russian, and Ukrainian being almost completely translated (2111 different strings). Documentation ============= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available as are the manual. It is also possible to read the complete manual online in HTML format at https://gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. You may also want to follow postings at . Support ======== Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . For commercial support requests we keep a list of known service companies at: https://gnupg.org/service.html If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Maintenance and development of GnuPG is mostly financed by donations. As of today we employ 3 full-time developers, one part-timer, and one contractor. They all work on GnuPG and closely related software like Enigmail. Please see https://gnupg.org/donate/ on how you can help. Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and donating money. For the GnuPG hackers, Werner p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From andrey.od.utkin at gmail.com Sun Dec 6 21:41:48 2015 From: andrey.od.utkin at gmail.com (Andrey Utkin) Date: Sun, 6 Dec 2015 22:41:48 +0200 Subject: Why gpg 2.1.9 cannot export secret key without passphrase? In-Reply-To: <56604E9F.6070504@digitalbrains.com> References: <5653BA6F.1040002@gmail.com> <20151127123930.02d71cff@fire> <56583E47.8090307@digitalbrains.com> <565C9F0F.9000806@gmail.com> <565CA939.8020308@digitalbrains.com> <565CD38E.4060408@gmail.com> <565D7545.60007@digitalbrains.com> <565FC437.2010209@gmail.com> <56604E9F.6070504@digitalbrains.com> Message-ID: <56649D8C.5070204@gmail.com> Just for note. This can be worked around the following way (works in both 1.4 and 2.1, didn't test in 2.0). 1. Export key, giving any non-empty passphrase. 2. Import key on new location supposed for automated key usage. 3. `gpg --edit-key `, there type "passwd", enter old passphrase, enter empty line twice, strike Ctrl+D, confirm changes saving. This works identically in both 1.4 and 2.1. If importing location has no capability of passphrase changing (--edit-key) - e.g. Android Open Keychain - import it to 1.4 keychain, then export it, it will let you export it without passphrase (won't even ask for it). Thank you Peter for pointing out that this is solvable without fixing the issue in code, but your suggested solution wasn't enough, so I had to go a few steps further :) I'd like to state this explicitly (due to rational point made by Peter) that the link to my private GnuPG git fork with a patch is not supposed a working solution - it is an experimental work in progress which is not assured for being interoperable. It is a fruit of uneducated reckless tinkering with original code. -- OpenPGP usage is appreciated (it also helps your letter to bypass spam filters). To email me with encryption easily, go https://encrypt.to/0xC6FCDB11 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From darkpenguin at yandex.ru Sat Dec 5 20:33:36 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Sat, 05 Dec 2015 22:33:36 +0300 Subject: GPA - unsupported certificate Message-ID: <56633C10.2050203@yandex.ru> I wanted to report a few bugs in GPA that I've been getting on Debian Squeeze, but I thought I should check if they still exist in the latest version. So, I've installed Debian Jessie and got the latest release (0.9.9) to see if there was any improvement since few years ago. So, I start "gpa". The first thing I see is the Key Manager window and an invitation to create a new key. On top of it, an error message ("Unsupported certificate") pops up immediately; on top of this message, "GnuPG is rebuilding the trust database", which "might take a few seconds", but takes forever. I tried to wait, but in the end I just had to close the "trust database" popup and the "Unsupported certificate" error message. then I proceeded with generating a new key, and made sure all those old bugs are still there. And what's more, every time I open the Key Manager window, the "Unsupported certificate" error pops up again, and there are no keys in the Key Manager. Not even the one I've created. Are those really bugs or am I doing something wrong?.. I've tried that on an Ubuntu 14.04 LTS livecd right after booting it up, to see if it works on one of the most popular distributions, but all the problems were exactly the same. So, the problems are there on Debian Jessie with 3.16 kernel, gpa 0.9.5/0.9.9 and gpg 1.4.18/2.0.26 and Ubuntu 14.04 LTS with 3.19 kernel, gpa 0.9.4-1 and gpg 1.4.16/2.0.22. (I didn't upgrade Ubuntu before trying. Also, seems like GPA uses the gpg2-branch, but does it really call upon gpg2 and not old gpg, which is hardly possible to remove from the system without breaking a LOT of dependencies like APT?..) Should I go on and submit all those things as bug reports, or am I missing something important here?.. Seriously, things don't work out of the box and nobody has even noticed?.. I just have a hard time believing it... -- darkpenguin From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 7 01:05:51 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 7 Dec 2015 00:05:51 +0000 Subject: [Announce] GnuPG 2.1.10 released In-Reply-To: <878u5al5w6.fsf@vigenere.g10code.de> References: <878u5al5w6.fsf@vigenere.g10code.de> Message-ID: <566683204.20151207000551@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Friday 4 December 2015 at 1:06:49 PM, in , Werner Koch wrote: > * gpg: New trust models "tofu" and "tofu+pgp". > * gpg: New command --tofu-policy. New options > --tofu-default-policy and --tofu-db-format. Should these be available in the Windows version? I get:- gpg: unknown trust model 'tofu+pgp' gpg: unknown TOFU policy 'ask' - -- Best regards MFPA Change is inevitable except from a vending machine -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlZkzXhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOShOgD+PS7gpG9jvlZZ+H614lQssEnU 5J21RGZTUFacn6p8SIoBAKQ644pI8D6al175S6TeCyC6bKvDbJbN1oM5gu466KYD iQF8BAEBCgBmBQJWZM1/XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwLjEH+wbJELVCp1tv5KYZaM7w3rzv BrrTTDzEaz8vIE2ig0+Jc64h1eTQb9Mqvi3nMgfmbCdBJ1IAES0yOdcBDwFUZMu1 l4vkjUaP5qFWIOi+eHCwetFwf98G2NRsJ4AH/tj9mW8a6Z/7ajqb7wlYmHLGp40e h5qsSVQnhpxh9UaftQYClcY+mXkIlfuF7iMrxO/U4KO0I39zdzUchAxDphA8ExVX zVgSJ9O/KY0blOtoGFTT+0hrZ97wxlCYcQhwl1V7Lt2olH8jPGHJ0EsfC70EDBlq hIQcLfGH3QmxxfH81AHW0p3Ce5Yu2nGByRULaAUUnZPw4D2WW933dVY5f23QUkM= =5blg -----END PGP SIGNATURE----- From david at gbenet.com Mon Dec 7 01:24:55 2015 From: david at gbenet.com (david at gbenet.com) Date: Mon, 7 Dec 2015 00:24:55 +0000 Subject: GPA - unsupported certificate In-Reply-To: <56633C10.2050203@yandex.ru> References: <56633C10.2050203@yandex.ru> Message-ID: <5664D1D7.9050101@gbenet.com> On 05/12/15 19:33, Dark Penguin wrote: > I wanted to report a few bugs in GPA that I've been getting on Debian Squeeze, but I thought > I should check if they still exist in the latest version. So, I've installed Debian Jessie > and got the latest release (0.9.9) to see if there was any improvement since few years ago. > > So, I start "gpa". The first thing I see is the Key Manager window and an invitation to > create a new key. On top of it, an error message ("Unsupported certificate") pops up > immediately; on top of this message, "GnuPG is rebuilding the trust database", which "might > take a few seconds", but takes forever. > > I tried to wait, but in the end I just had to close the "trust database" popup and the > "Unsupported certificate" error message. then I proceeded with generating a new key, and > made sure all those old bugs are still there. And what's more, every time I open the Key > Manager window, the "Unsupported certificate" error pops up again, and there are no keys in > the Key Manager. Not even the one I've created. > > Are those really bugs or am I doing something wrong?.. I've tried that on an Ubuntu 14.04 > LTS livecd right after booting it up, to see if it works on one of the most popular > distributions, but all the problems were exactly the same. > > So, the problems are there on Debian Jessie with 3.16 kernel, gpa 0.9.5/0.9.9 and gpg > 1.4.18/2.0.26 and Ubuntu 14.04 LTS with 3.19 kernel, gpa 0.9.4-1 and gpg 1.4.16/2.0.22. (I > didn't upgrade Ubuntu before trying. Also, seems like GPA uses the gpg2-branch, but does it > really call upon gpg2 and not old gpg, which is hardly possible to remove from the system > without breaking a LOT of dependencies like APT?..) Should I go on and submit all those > things as bug reports, or am I missing something important here?.. Seriously, things don't > work out of the box and nobody has even noticed?.. I just have a hard time believing it... > > Hi Dark Penguin, The first thing to say is - when installing any Linux distro you need to ensure that the distro has installed every software update every security fix first. This is important when installing GPA Kleopatra and KGPG. Every Linux distro has gnupg installed - so at a terminal just type gpg - this will create ALL the folders and files needed (.gnupg) it's pointless installing GPA without running gpg first - I think it's pretty silly. Then you may wish to install gpgv2 via the package manager. Only then install GPA Kleopatra or KGPG. And only after installing all the updates and security fixes. Once you have done this you can use any of the packages to create a set of keys - GPA Kleopatra or Kgpg. There are no bugs in GPA - all these programmes expect to find a valid existing .gnupg David There are no bugs in GPA -- ?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No delusion.? https://linuxcounter.net/user/512854.html - http://gbenet.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From neal at walfield.org Mon Dec 7 10:04:58 2015 From: neal at walfield.org (Neal H. Walfield) Date: Mon, 07 Dec 2015 10:04:58 +0100 Subject: [Announce] GnuPG 2.1.10 released In-Reply-To: <566683204.20151207000551@my_localhost> References: <878u5al5w6.fsf@vigenere.g10code.de> <566683204.20151207000551@my_localhost> Message-ID: <87a8pm1vet.wl-neal@walfield.org> On Mon, 07 Dec 2015 01:05:51 +0100, MFPA wrote: > > * gpg: New trust models "tofu" and "tofu+pgp". > > > * gpg: New command --tofu-policy. New options > > --tofu-default-policy and --tofu-db-format. > > Should these be available in the Windows version? I get:- > > gpg: unknown trust model 'tofu+pgp' > gpg: unknown TOFU policy 'ask' TOFU depends on libsqlite, which you are probably missing. If GnuPG doesn't find it, then it disables TOFU. Can you check whether this is the case? Thanks! :) Neal From wk at gnupg.org Mon Dec 7 11:06:49 2015 From: wk at gnupg.org (Werner Koch) Date: Mon, 07 Dec 2015 11:06:49 +0100 Subject: [Announce] GnuPG 2.1.10 released In-Reply-To: <566683204.20151207000551@my_localhost> (MFPA's message of "Mon, 7 Dec 2015 00:05:51 +0000") References: <878u5al5w6.fsf@vigenere.g10code.de> <566683204.20151207000551@my_localhost> Message-ID: <87h9juefnq.fsf@vigenere.g10code.de> On Mon, 7 Dec 2015 01:05, 2014-667rhzu3dc-lists-groups at riseup.net said: > Should these be available in the Windows version? I get:- > > gpg: unknown trust model 'tofu+pgp' > gpg: unknown TOFU policy 'ask' Have a look into the announcement: The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. This Windows installer is missing translations, it has no TOFU support and no HKPS support. However, it ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^ fully supports Tor and the Tor browser. The reason for the missing Tofu support is that we need to package Sqlite in a way to make it easy to cross-compile for Windows. It is just a bit of work but other things have higher priority for now than Windows. HPKS support is missing because out NTBTLS library is not yet ready. We want to use that small footprint library to avoid the huge overhead of installing GNUTLS with all its dependencies on Windows which duplicates most of our crypto code since GNUTLS switched to another crypto library. However, installing Tor and using an .onion keyserver is anyway a better option for OpenPGP keys. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From peter at digitalbrains.com Mon Dec 7 11:41:16 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 07 Dec 2015 11:41:16 +0100 Subject: GPA - unsupported certificate In-Reply-To: <5664D1D7.9050101@gbenet.com> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> Message-ID: <5665624C.3010501@digitalbrains.com> On 07/12/15 01:24, david at gbenet.com wrote: > Every Linux distro has gnupg installed - so at a terminal just type gpg - > this will create ALL the folders and files needed (.gnupg) it's pointless > installing GPA without running gpg first - I think it's pretty silly. Eh? I don't find it silly at all. Why would someone, unprompted, fire up a terminal to initialise the GUI program they installed because they'd rather use a GUI program than a terminal program? That's like saying you should fire up Vim before you can use XFCE's Mousepad editor. Well, not really, but it's still silly to suggest that it is silly to expect a GUI program to do what it is supposed to do: pretty much replace the command line alternative. Wow, long complicated sentence. Better end with sentence fragments to compensate. Anyway, a quick glance at the open bugs for GPA in Jessie[1] show that it is a problem for people, but developers have difficulty reproducing it. In fact, those bugs are still open in Sid. That is, apart from the well-known issue: GNOME Keyring hijacks the agent connection, which causes all sorts of problems. Up until recently, they were unwilling to stop breaking GnuPG this way; but recently, they've finally agreed to provide their functionality in a different way that actually agrees with the GnuPG architecture. GPA will get very confused when GNOME Keyring hijacks the agent connection. For me, Debian Jessie x86_64 with XFCE, I'm pretty sure I fixed it with "Settings -> Session and Startup", "Application Autostart", uncheck the box next to "GPG Password Agent (GNOME Keyring: GPG Agent)". But a search on the web for disabling GNOME Keyring's GPG Agent should provide more information. HTH, Peter. [1] https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=gpa;dist=stable -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dkg at fifthhorseman.net Mon Dec 7 13:56:03 2015 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 07 Dec 2015 07:56:03 -0500 Subject: Cannot revoke a certificate In-Reply-To: <565F7C56.2080901@theflorys.org> References: <565F7C56.2080901@theflorys.org> Message-ID: <8737vexvrw.fsf@alice.fifthhorseman.net> On Wed 2015-12-02 18:18:46 -0500, David wrote: > I am trying to revoke a very old certificate that may be compromised. I > generated a revocation certificate using the following gpg command with > no errors. I did get a warning about MD5 being deprecated. > > C:\Users\David> gpg --output kill7827.asc --gen-revoke 80942C8D > > However, I cannot use it. Here is the output: > > C:\Users\David> gpg --import .\kill7827.asc > gpg: Note: signatures using the MD5 algorithm are rejected > gpg: key 80942C8D: invalid revocation certificate: Invalid digest > algorithm - rejected > gpg: error reading `.\\kill7827.asc': Invalid digest algorithm > gpg: import from `.\\kill7827.asc' failed: Invalid digest algorithm > gpg: Total number processed: 0 > C:\Users\David> You should try adding "--cert-digest-algo sha1" arguments before the --gen-revoke command to make a SHA1-based certificate revocation. --dkg From dkg at fifthhorseman.net Mon Dec 7 09:12:56 2015 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 07 Dec 2015 09:12:56 +0100 Subject: GPA - unsupported certificate In-Reply-To: <5664D1D7.9050101@gbenet.com> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> Message-ID: <87r3iyy8vr.fsf@alice.fifthhorseman.net> On Mon 2015-12-07 01:24:55 +0100, "david at gbenet.com" wrote: > The first thing to say is - when installing any Linux distro you need to ensure that the > distro has installed every software update every security fix first. This is important when > installing GPA Kleopatra and KGPG. > > Every Linux distro has gnupg installed - so at a terminal just type gpg - this will create > ALL the folders and files needed (.gnupg) it's pointless installing GPA without running gpg > first - I think it's pretty silly. hm, i'd say that if gpa knows that gpg needs to be run first, and it hasn't been run, it should run it on the user's behalf instead of expecting that they know this bit of esoterica. Dark Penguin, if you're experiencing problems with GPA integration with the rest of the OS, I encourage you to report a bug to debian. On a debian system, you might use the "reportbug" utility to do this. > Then you may wish to install gpgv2 via the package manager. Only then install GPA Kleopatra > or KGPG. And only after installing all the updates and security fixes. If these packages must be installed in a certain order, the package manager should know about that order. if it does not, this is a bug in the stated dependencies of the packages in question. For example, if gpa won't work without the gnupg2 package installed, but it doesn't state that it explicitly depends on gnupg2, that would be a bug in gpa. Regards, --dkg From 2014-667rhzu3dc-lists-groups at riseup.net Mon Dec 7 23:13:48 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 7 Dec 2015 22:13:48 +0000 Subject: [Announce] GnuPG 2.1.10 released In-Reply-To: <87h9juefnq.fsf@vigenere.g10code.de> References: <878u5al5w6.fsf@vigenere.g10code.de> <566683204.20151207000551@my_localhost> <87h9juefnq.fsf@vigenere.g10code.de> Message-ID: <123391295.20151207221348@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 7 December 2015 at 10:06:49 AM, in , Werner Koch wrote: > Have a look into the announcement: > The source used to build the Windows installer can be > found in the same directory with a ".tar.xz" suffix. > This Windows installer is missing translations, it > has no TOFU support and no HKPS support. However, it > ^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^ fully supports > Tor and the Tor browser. Oops! I missed that bit. Sorry. > The reason for the missing Tofu support is that we need > to package Sqlite in a way to make it easy to > cross-compile for Windows. It is just a bit of work > but other things have higher priority for now than > Windows. Thanks for the explanation. - -- Best regards MFPA Colourless green ideas sleep furiously (Noam Chomsky) -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlZmBKlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eORn5QD9EhcV419z4t0hM/I2nfgaeFLf mfMlkM7qMwCsKp1/FWYA/3ZW/Y3M8gu6NVYGq1/qry2bFaUGHf7+PXyLmLKadqEH iQF8BAEBCgBmBQJWZgSuXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwqkAIAJEiH684AJNY2phReHsBJ/WH SfGTFXeqNrvvverpbgb3EaJfvgrZIklI2BykdjT28DCzYC63CW5IizERuIskbZBT elhzEEtSuQh7twJofaORX9n1vC+rcGyUMUUuUToxGZXsWGXWiVnyUQ8e6LgjGO5Z jtkuUb/jaBigivnTq2iFgIq0/JToA2ajlxAP/zt+WjIecIF+hznqaqmsPCkIz579 ptxZiQ8Z4wcx/xMj1rNT/t2gw6HstqmUkqNeJWRo/5Pd1JsQJMNy2pcvJABkfa5O bZDIgojc1h8vgNFPjjihEHmpUokVu1z1pedlOPiSv71vMeon4iFl47FDee1M4D4= =Es3b -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 8 00:51:36 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Mon, 7 Dec 2015 23:51:36 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" Message-ID: <144345553.20151207235136@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 What does the error message "gpg: Can't check signature: Broken public key" mean? One of the members of PGPNET reports getting that error message when verifying the signatures on my signed and encrypted messages to the group. He gets it for the signatures from my EDDSA subkey 0x1712BC461AF778E4, and says he uses GnuGP 2.1.8. The only references I can find (eg [0]) say:- 592 GPG_ERR_BROKEN_PUBKEY Broken public key 593 594 The public key was mathematically not correctly generated. [0] - -- Best regards MFPA Why is the universe here? Well, where else would it be? -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlZmG4xfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eORUAAD/XZQqwtz7Q1+Lem/ev5EwrE9O BJCWG/6+dlyAvQSogR0BANsB14r4s6s+Udhd35Zhj/m4q3cOZ84thFqB5hNT3lkK iQF8BAEBCgBmBQJWZhuZXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwpS0H/ipta+E5Dq7f3+aDnpDbAJJS 4XFUM6tmJY2AdAzRqhxjSsCRmCkyekZX9R9CPGT2RlqYRJfqFLSSODka8VIMA4kk XYuJo+AK9+LnDSVh0/G4DKjPRb67CZCT9Fx4UH+6uFrtQTsTWcACb2xzQE62fkxr ntMNwROqo90D4mbEemUTvv33rSl/00KysbJC3eg9ybbIjNpn1hO/VtIAK9ipF3iU 3NPwXHgmJk5sJ6esyS1Eqtm0QkckZa/sHAV1GrRtKC91k9d4/4qzdK96MKkKLbdo rUClB8SF3YsO1KwxxbOT0RiUUAa5MUMvwm1oPmEKtw9XymImQDZ7IaR3VoE8ko4= =td+o -----END PGP SIGNATURE----- From gniibe at fsij.org Tue Dec 8 09:26:23 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 08 Dec 2015 17:26:23 +0900 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <144345553.20151207235136@my_localhost> References: <144345553.20151207235136@my_localhost> Message-ID: <5666942F.2000404@fsij.org> On 12/08/2015 08:51 AM, MFPA wrote: > What does the error message "gpg: Can't check signature: Broken public > key" mean? > > One of the members of PGPNET reports getting that error > message when verifying the signatures on my signed and encrypted > messages to the group. He gets it for the signatures from my EDDSA subkey > 0x1712BC461AF778E4, and says he uses GnuGP 2.1.8. I don't think that GnuPG frontend or gpg-agent doesn't emit this error. It could be libgcrypt which generates this error. EdDSA key is represented by a point on the Ed25519 curve. When the point is not on the curve (the key is invalid), it complains by this error. I validate your e-mail by the key of 0x1712BC461AF778E4 with no error. So, I don't think there is a problem in your key. The local copy of your public key in his computer would be a problem. -- From darkpenguin at yandex.ru Tue Dec 8 00:41:27 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Tue, 08 Dec 2015 02:41:27 +0300 Subject: GPA - import keys more easily?.. Message-ID: <56661927.2000003@yandex.ru> Is it possible to import public keys into GPA by "opening them with GPA" instead of using "Keys - Import"?.. That would sure be convenient, but simply opening an .asc key with GPA did not do that, and I couldn't find anything mentioning such thing in the man gpa. If this functionality is indeed not there, may I suggest we file a "wishlist" bug for this issue?.. It seems quite natural to expect this kind of thing. If it is there, I suggest we put it into the manual page, because it's not there. If it's there in the latest version, do rebuke me, for I am not upgrading from 0.9.5 (from Debian Jessie repo) to 0.9.9 just to confirm this behaviour; and I couldn't find a changelog for the last versions anywhere on the site... It took me quite a while to even find a download link, even though I do remember that it's hosted on the same site!.. Shouldn't it be put in the "Downloads" section, at least as a short link in the bottom - "Also, see GPA, which aims to be the default GUI frontend and is hosted on this site as well"?.. -- darkpenguin From darkpenguin at yandex.ru Tue Dec 8 00:00:42 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Tue, 08 Dec 2015 02:00:42 +0300 Subject: GPA - unsupported certificate In-Reply-To: <5665624C.3010501@digitalbrains.com> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> <5665624C.3010501@digitalbrains.com> Message-ID: <56660F9A.6010402@yandex.ru> I am sure I've installed all updates and security-updates. I wanted to confirm the existence of another bug, so I've upgraded everything. Debian has gpg installed by default; I did not run it before installing GPA - naturally, I would expect GPA to run it itself if it needs it. Also, in Debian, GPA depends on GPGv2, so it got installed as well. I believe this means GPA is using GPGv2, but I have no way to confirm it. I am running MATE, not KDE, as some might have expected (judging by the abundance of "K"'s in the names "KGPG" and "Kleopatra") or GNOME3 (judging by the mention of "GNOME Keyring"). I don't think I've seen any mentions of "Kleopatra" in my GPA, either the one from the repo, or the one from the website... Erm... sorry, I am still not very good with understanding the bug report flow; I would have checked the Debian GPA bug page before writing here if I knew about its existence. ^_^' And yes, here it is, my "Unsupported certificate" bug!.. Seems like MATE uses GNOME Keyring, too. Unchecking it did not help... This did: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=790737#25 Indeed, this is a problem with GNOME Keyring, though fixing it now apparently requires more than just disabling the GNOME Keyring; but, this is a better solution, since you can keep the GNOME Keyring and have GPA work. I'm not sure if this idea makes sense, but maybe it would be easy to add a check on the version of said gpg-agent before attempting to use it?.. On one side, GPA is probably supposed to work with whatever GPG_AGENT_INFO is set to; on the other side, if all the other software is fine working with GNOME Keyring and only GPA needs "only its own" gpg-agent, maybe it would make sense to disregard GPG_AGENT_INFO if it points to GNOME Keyring one, or maybe even disregard it always, or maybe even have GPA use another fixed path to always connect to "our" gpg-agent?.. This is not really "our problem", but a workaround would probably help... -- darkpenguin From peter at digitalbrains.com Tue Dec 8 13:16:29 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 8 Dec 2015 13:16:29 +0100 Subject: GPA - unsupported certificate In-Reply-To: <56660F9A.6010402@yandex.ru> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> <5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru> Message-ID: <5666CA1D.4070206@digitalbrains.com> On 08/12/15 00:00, Dark Penguin wrote: > Erm... sorry, I am still not very good with understanding the bug > report flow; I would have checked the Debian GPA bug page before > writing here if I knew about its existence. ^_^' And yes, here it is, > my "Unsupported certificate" bug!.. No problem, it's what mailing lists are for: to give pointers in the right direction. > I'm not sure if this idea makes sense, but maybe it would be easy to > add a check on the version of said gpg-agent before attempting to use > it?.. I know certain recent versions of GnuPG complain and warn about the hijacking, but that is during usage on the terminal. > On one side, GPA is probably supposed to work with whatever > GPG_AGENT_INFO is set to No, this variable is part of the internal architecture of GnuPG and should be set to the gpg-agent that is part of the installed version of GnuPG. This is why I use the term "hijack", rather than something like "provide an alternative service". It has never been intended that other software packages use this variable and start imitating internal parts of GnuPG. > on the other side, if all the other software is fine working with > GNOME Keyring and only GPA needs "only its own" gpg-agent Again, no. Lots of programs get vague problems. It's just that it used to be that GNOME Keyring said "those problems are in GnuPG", whereas the GnuPG project said "those problems are caused by GNOME Keyring breaking our software". The result is that nobody fixed it. I hope that when Debian Stretch is released, we can finally put this behind us, as the problem has been fixed in recent versions that are unfortunately too recent for Jessie AFAIK. > maybe it would make sense to disregard GPG_AGENT_INFO if it points to > GNOME Keyring one, or maybe even disregard it always, or maybe even > have GPA use another fixed path to always connect to "our" > gpg-agent? GnuPG 2.1 already always uses a fixed path and disregards the variable. And recent GnuPG 2.0 versions already warn about the hijack. The problem is that two software projects want opposite things; this would lead to an arms race. But fortunately, it will all go away when distributions start using recent versions of the software, as the issue has finally been resolved. Oh, by the way, the functionality that GNOME Keyring is providing is that it offers the option of unlocking your GnuPG keys when you log in. I've never understood why this is so darn important. Without GNOME Keyring, you would type two passphrases per login session: once to login, and for the second time when you use your GnuPG key for the first time. The gpg-agent can then keep the key unlocked for the rest of the time if you want it to. With GNOME Keyring, it is reduced to one passphrase: your login passphrase. Some might say that's a 50% gain, I say it is the smallest possible gain: you gain one less passphrase-entering moment per session. Whooptie-friggin'-doo. I don't get it. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From neal at walfield.org Tue Dec 8 13:27:56 2015 From: neal at walfield.org (Neal H. Walfield) Date: Tue, 08 Dec 2015 13:27:56 +0100 Subject: GPA - unsupported certificate In-Reply-To: <5666CA1D.4070206@digitalbrains.com> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> <5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru> <5666CA1D.4070206@digitalbrains.com> Message-ID: <874mft15wz.wl-neal@walfield.org> On Tue, 08 Dec 2015 13:16:29 +0100, Peter Lebbing wrote: > Again, no. Lots of programs get vague problems. It's just that it used > to be that GNOME Keyring said "those problems are in GnuPG", whereas the > GnuPG project said "those problems are caused by GNOME Keyring breaking > our software". The result is that nobody fixed it. I hope that when > Debian Stretch is released, we can finally put this behind us, as the > problem has been fixed in recent versions that are unfortunately too > recent for Jessie AFAIK. The problem has been fixed in Gnome 3.18 (IIRC) and is already shipping in the latest version of Fedora, for instance. The fix will appear in the next Debian version, but the changes are too large for them to be considered a Jessie point release. :) Neal From peter at digitalbrains.com Tue Dec 8 13:46:14 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 8 Dec 2015 13:46:14 +0100 Subject: GPA - unsupported certificate In-Reply-To: <5666CA1D.4070206@digitalbrains.com> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> <5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru> <5666CA1D.4070206@digitalbrains.com> Message-ID: <5666D116.3050609@digitalbrains.com> On 08/12/15 13:16, Peter Lebbing wrote: > The problem > is that two software projects want opposite things; this would lead to > an arms race. What might be a better "fix", IMHO, would be to have GPA also warn about this, so people know what to do. Perhaps with another environment variable GPG_NO_WARN_AGENT_HIJACK because GUI's usually warn through modal dialogs, which gets tiresome quickly when you actually want GNOME Keyring. That is, if GPA works *at all* with GNOME Keyring; I don't know. However, looking at the age and number of bugs reported against Debian's gpa related to this mess, I think the package maintainers don't have a lot of time to spend on this. So someone would need to champion it all. Write a complete patch, and campaign for its inclusion in the next Jessie point release. I don't know if it would work, though. If the GPA maintainers campaign for its inclusion in a point release, it might work, but I doubt an outsider could get it done. Note: I'm not a Debian Developer. I'm just making observations from the outside. I might be babbling complete gobbledygook (is that how you spell it? :). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From 2014-667rhzu3dc-lists-groups at riseup.net Tue Dec 8 23:47:19 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Tue, 8 Dec 2015 22:47:19 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <5666942F.2000404@fsij.org> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> Message-ID: <619034873.20151208224719@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 8 December 2015 at 8:26:23 AM, in , NIIBE Yutaka wrote: > I don't think that GnuPG frontend or gpg-agent doesn't > emit this error. > It could be libgcrypt which generates this error. It seems to be defined in Libgpg-error, which "defines common error values for all GnuPG components." > I validate your e-mail by the key of 0x1712BC461AF778E4 > with no error. So do I. > So, I don't think there is a problem in > your key. The local copy of your public key in his > computer would be a problem. I suggested he delete my key and re-import it. He tells me he tried that twice and it didn't help. It's a mystery to me. - -- Best regards MFPA The man who really wants to do something finds a way, the other finds an excuse. -----BEGIN PGP SIGNATURE----- iL4EARYKAGYFAlZnXgVfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3 MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOSMUwD/TAoSg7DIEsekEyNnuKee3eh+ TUJDOCmpRU29m4i8TFMA/AsPpuDegLO+snCiqxKeIyLUvVMMhWmcnwYM5v9M9IID iQF8BAEBCgBmBQJWZ14KXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwEagIALJa/sbbSF6MSDNm/EhecLw7 gOBCOX9NCx+phXX4lGFbWGCm97QFp8be3kNFa64cpXKWFc7IoVCXWyS8wlhsH99q 5af9ZLOaV2RfaJEIe8JGErqC8nD8cfCwlUN42JSwzy3OW+3eBVQO0o30UzUygKPp lYUmz8SUGeFoxnRzRy45gF/eA1ytI1jcT3mqGVyE4+q7TzQk5BrSzyvuKBZL5UNI Jp1ECj3lyK06PXLJe2vfwoAQcbLNnHe5GD2bjzb9i3pTLsuksMpiUegzVjT1UcFX rzqNsvqceCHIxlshaACFVXvOTxAaCGGd73MEq7zIMU8QBU1SSLgYgmh7ZZKiiCs= =3cNb -----END PGP SIGNATURE----- From brad at fineby.me.uk Wed Dec 9 00:24:36 2015 From: brad at fineby.me.uk (Brad Rogers) Date: Tue, 8 Dec 2015 23:24:36 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <619034873.20151208224719@my_localhost> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> Message-ID: <20151208232436.72780e07@abydos.stargate.org.uk> On Tue, 8 Dec 2015 22:47:19 +0000 MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote: Hello MFPA, >I suggested he delete my key and re-import it. He tells me he tried >that twice and it didn't help. It's a mystery to me. It's the same for me; A re-import of your key still results in an error(1). I've checked some (locally) archived emails from you (received via this list) and they verify fine. Obviously, something's changed, but IDK what. Whatever the change, it occurred between 15 Nov and 7 Dec. I have a message from the earlier date that verifies and a message from the latter date that doesn't. Consequently, I believe the issue is something other than your keyfile. If it helps, I use a self-compiled (from GIT) Claws Mail as my MUA. (1) Different error message "The signature can't be checked - End of file." -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Gary don't need his eyes to see. Gary and his eyes have parted company Gary Gilmore's Eyes - The Adverts -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From darkpenguin at yandex.ru Wed Dec 9 19:11:59 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Wed, 09 Dec 2015 21:11:59 +0300 Subject: GPA - import keys more easily?.. In-Reply-To: <56676FC5.9010805@gbenet.com> References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com> Message-ID: <56686EEF.80109@yandex.ru> > You can import keys (1) direct from personal contact - people give you the key id and you > can download from a key server - most people upload their public key to a key server (2) you > can get keys when people have included their public key as an attachment in an email. If you > have installed Thunderbird - you could install Enigmail - you can do all the things with > that that GPA does. Of course, I could use other software if I don't like this one, but the question is "wouldn't it be convenient to add a simple commandline option to GPA to import a key". It's not that big of a deal, but the idea is so obvious I'm really surprised it's not there yet. It's not about GNOME Keyring; it's just that I've been using GnuPG and GPA since Squeeze, and I would really like to be able to add public keys by just "opening" them from anywhere, not only from a Thunderbird mail attachment, and with GPA, not with something else. I just don't want to submit a "wishlist" bug report without consulting the users first - maybe it's already there in the newer versions?.. The developers seem to be really busy... -- darkpenguin From darkpenguin at yandex.ru Wed Dec 9 18:57:04 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Wed, 09 Dec 2015 20:57:04 +0300 Subject: GPA - unsupported certificate In-Reply-To: <5666CA1D.4070206@digitalbrains.com> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> <5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru> <5666CA1D.4070206@digitalbrains.com> Message-ID: <56686B70.1020605@yandex.ru> >> I'm not sure if this idea makes sense, but maybe it would be easy to >> add a check on the version of said gpg-agent before attempting to use >> it?.. > > I know certain recent versions of GnuPG complain and warn about the > hijacking, but that is during usage on the terminal. Then this should definitely alert GPA to forward the warning to the user! It's already there, but GPA is ignoring this?.. (I don't have a "recent" version of GnuPG, so I can't be sure this is not already done.) >> maybe it would make sense to disregard GPG_AGENT_INFO if it points to >> GNOME Keyring one, or maybe even disregard it always, or maybe even >> have GPA use another fixed path to always connect to "our" >> gpg-agent? > > GnuPG 2.1 already always uses a fixed path and disregards the variable. > And recent GnuPG 2.0 versions already warn about the hijack. The problem > is that two software projects want opposite things; this would lead to > an arms race. But fortunately, it will all go away when distributions > start using recent versions of the software, as the issue has finally > been resolved. Ok, so now it's only a question of GPA and GnuPG 2.1 being backported to Jessie. That's good to know. > Oh, by the way, the functionality that GNOME Keyring is providing is > that it offers the option of unlocking your GnuPG keys when you log in. > I've never understood why this is so darn important. Without GNOME > Keyring, you would type two passphrases per login session: once to > login, and for the second time when you use your GnuPG key for the first > time. The gpg-agent can then keep the key unlocked for the rest of the > time if you want it to. With GNOME Keyring, it is reduced to one > passphrase: your login passphrase. Some might say that's a 50% gain, I > say it is the smallest possible gain: you gain one less > passphrase-entering moment per session. Whooptie-friggin'-doo. I don't > get it. I just wanted to say that "the GNOME guys must have some reason to do that, though I seriously doubt their reasoning since GNOME3". Now I see I was actually right. %) -- darkpenguin From gnupg at raf.org Wed Dec 9 21:34:41 2015 From: gnupg at raf.org (gnupg at raf.org) Date: Thu, 10 Dec 2015 07:34:41 +1100 Subject: GPA - unsupported certificate In-Reply-To: <56686B70.1020605@yandex.ru> References: <56633C10.2050203@yandex.ru> <5664D1D7.9050101@gbenet.com> <5665624C.3010501@digitalbrains.com> <56660F9A.6010402@yandex.ru> <5666CA1D.4070206@digitalbrains.com> <56686B70.1020605@yandex.ru> Message-ID: <20151209203441.GA13859@raf.org> Dark Penguin wrote: > > > maybe it would make sense to disregard GPG_AGENT_INFO if it points to > > > GNOME Keyring one, or maybe even disregard it always, or maybe even > > > have GPA use another fixed path to always connect to "our" > > > gpg-agent? > > > > GnuPG 2.1 already always uses a fixed path and disregards the variable. > > And recent GnuPG 2.0 versions already warn about the hijack. The problem > > is that two software projects want opposite things; this would lead to > > an arms race. But fortunately, it will all go away when distributions > > start using recent versions of the software, as the issue has finally > > been resolved. > > Ok, so now it's only a question of GPA and GnuPG 2.1 being backported to > Jessie. That's good to know. Does this mean that gpg-agent's --write-env-file option has also been removed in 2.1? I'm relying on that and had better be paying attention when gpg gets upgraded on my systems so I can change my scripts to keep them working. cheers, raf From rejo at zenger.nl Wed Dec 9 21:00:39 2015 From: rejo at zenger.nl (Rejo Zenger) Date: Wed, 9 Dec 2015 21:00:39 +0100 Subject: cache gpg passphrase for mutt on os x Message-ID: <20151209200039.GH7277@ix.home> Hi, I am running OS X 10.11.1 (and on another the latest version), in combination with compiled-from-source mutt 1.5.23hg, and gpg 2.0.29 and gpg-agent 2.0.29 (the latter two via Homebrew). This all works fine, but one thing: caching of passphrase for, for example, ten minutes. As I understand it, this is a problem with the session mutt runs in: each new mutt decryption and signing operation runs in a new session and hence can't access the previous' one. Probably, I can work around this, but to avoid spending hours of searching for a good solution: has anyone else done this before? -- Rejo Zenger E rejo at zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl T @rejozenger | J rejo at zenger.nl OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4 XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF Signal 0507 A41B F4D6 5DB4 937D E8A1 29B6 AAA6 524F B68B 93D4 4C6E 8BAB 7C9E 17C9 FB28 03 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 931 bytes Desc: not available URL: From andrey.od.utkin at gmail.com Wed Dec 9 23:05:58 2015 From: andrey.od.utkin at gmail.com (Andrey Utkin) Date: Thu, 10 Dec 2015 00:05:58 +0200 Subject: Please consider joining Bountysource Salt to collect recurring donations Message-ID: <5668A5C6.10603@gmail.com> This request targets GnuPG maintainers to register a team on that (and/or others, e.g. Gratipay) croudfunding platform. GnuPG users are welcome to comment whether they would support such opportunity. Occasional GnuPG contributors are welcome to comment whether they would like to become "bounty hunters" (an opportunity on subj site). I am not affiliated to these platforms. -- OpenPGP usage is appreciated (it also helps your letter to bypass spam filters). To email me with encryption easily, go https://encrypt.to/0xC6FCDB11 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Thu Dec 10 00:29:34 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 9 Dec 2015 18:29:34 -0500 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <5668A5C6.10603@gmail.com> References: <5668A5C6.10603@gmail.com> Message-ID: <5668B95E.3000709@sixdemonbag.org> > This request targets GnuPG maintainers to register a team on that > (and/or others, e.g. Gratipay) croudfunding platform. Is there some problem with the existing donation system? If there's a problem then let's fix it, but I'm not sure it's a good idea to change something that works. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From 2014-667rhzu3dc-lists-groups at riseup.net Thu Dec 10 01:50:23 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Thu, 10 Dec 2015 00:50:23 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <20151208232436.72780e07@abydos.stargate.org.uk> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> Message-ID: <541836753.20151210005023@my_localhost> Hi On Tuesday 8 December 2015 at 11:24:36 PM, in , Brad Rogers wrote: > It's the same for me; A re-import of your key still > results in an error(1). Which GnuPG version are you using? > I've checked some (locally) > archived emails from you (received via this list) and > they verify fine. Obviously, something's changed, but > IDK what. Whatever the change, it occurred between 15 > Nov and 7 Dec. I have a message from the earlier date > that verifies and a message from the latter date that > doesn't. Consequently, I believe the issue is > something other than your keyfile. I have two "local-user" lines in my gpg.conf file, 0x1712BC461AF778E4! and 0x6B7C74CEB31F25F0!. The aim is a signature from EDDSA subkey 0x1712BC461AF778E4, but also a signature from my RSA subkey 0x6B7C74CEB31F25F0 that can be verified by GnuPG 1.4 or 2.0 versions. On 6th December I switched the order of these lines, so that the RSA signature comes last. An Enigmail and GnuPG 2.0 user told me he was not seeing the "good" signature from 0x6B7C74CEB31F25F0. It appears that if there are multiple signatures present, Enigmail only passes on the GnuPG output for the last one. > If it helps, I use a self-compiled (from GIT) Claws > Mail as my MUA. Maybe if there are multiple signatures present, your MUA only passes on the GnuPG output for the first one? I just switched them back round to see what happens. > (1) Different error message "The signature can't be > checked - End of file." -- Best regards MFPA To steal ideas from one person is plagiarism; to steal from many is research. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 841 bytes Desc: not available URL: From andrey.od.utkin at gmail.com Thu Dec 10 02:22:58 2015 From: andrey.od.utkin at gmail.com (Andrey Utkin) Date: Thu, 10 Dec 2015 03:22:58 +0200 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <5668B95E.3000709@sixdemonbag.org> References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> Message-ID: <5668D3F2.2070600@gmail.com> On 10.12.2015 01:29, Robert J. Hansen wrote: >> This request targets GnuPG maintainers to register a team on that >> (and/or others, e.g. Gratipay) croudfunding platform. > > Is there some problem with the existing donation system? If there's a > problem then let's fix it, but I'm not sure it's a good idea to change > something that works. Wow, actual Donate page turned out to be a secret area, not obvious to get to it (it looks like a menu header, not a menu entry). Without regard to that: - subj enables recurring donations (personally I am not willing to make large one-time transcation), - subj is a place where people eager to give go to find whom to give, - subj is new, it gains popularity and gets people attention, so somebody would consider GnuPG when reviewing projects available for funding. -- OpenPGP usage is appreciated (it also helps your letter to bypass spam filters). To email me with encryption easily, go https://encrypt.to/0xC6FCDB11 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From mail at tankredhase.de Thu Dec 10 07:28:34 2015 From: mail at tankredhase.de (Tankred Hase) Date: Thu, 10 Dec 2015 13:28:34 +0700 Subject: CORS requests not working in SKS 1.1.5 Message-ID: Hey, Tankred from OpenPGP.js / Whiteout.io here. I?m currently testing HTTP CORS request to SKS via JS in the browser after having read the announcement on v1.1.5 (https://lists.gnupg.org/pipermail/gnupg-users/2014-May/049682.html). Unfortunately I?m getting a 502 (Bad Gateway) response. Upon further analysis I saw that only the following header is set: The Access-Control-Allow-Origin: * Tested using: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=safewithme.testuser%40gmail.com This is indeed a requirement for CORS requests, but not sufficient. Without the following headers, CORS requests from the Browser will fail as an OPTIONS preflight check is required: Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS 'Access-Control-Allow-Headers?: Content-Type You can test how it should look here: https://keys.whiteout.io/safewithme.testuser at gmail.com Would it be possible to add the headers? It would allow me the remove the need for our proprietary key server proxy and send requests directly to SKS server from the web. Thanks! Tankred -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Message signed with OpenPGP using GPGMail URL: From peter at digitalbrains.com Thu Dec 10 11:46:42 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 10 Dec 2015 11:46:42 +0100 Subject: GPA - import keys more easily?.. In-Reply-To: <56686EEF.80109@yandex.ru> References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com> <56686EEF.80109@yandex.ru> Message-ID: <56695812.3020003@digitalbrains.com> On 09/12/15 19:11, Dark Penguin wrote: > Of course, I could use other software if I don't like this one, but the question > is "wouldn't it be convenient to add a simple commandline option to GPA to > import a key". For commandline usage, you can simply use GnuPG directly: $ gpg2 --import pubkey.asc GPA is a GUI frontend to GnuPG. Commandline support is already in GnuPG and doesn't need to be in a GUI frontend. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Thu Dec 10 11:49:24 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 10 Dec 2015 11:49:24 +0100 Subject: cache gpg passphrase for mutt on os x In-Reply-To: <20151209200039.GH7277@ix.home> References: <20151209200039.GH7277@ix.home> Message-ID: <566958B4.6050201@digitalbrains.com> On 09/12/15 21:00, Rejo Zenger wrote: > As I understand it, this is a problem with the session mutt runs in: each > new mutt decryption and signing operation runs in a new session and hence > can't access the previous' one. > > Probably, I can work around this, but to avoid spending hours of searching > for a good solution: has anyone else done this before? Sounds like GPG_AGENT_INFO is not set in that session, and hence cannot access the already running agent that has the passphrase cached. Other than that hint, I can't help you. I have no experience with Mac OS or mutt. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From brad at fineby.me.uk Thu Dec 10 10:46:31 2015 From: brad at fineby.me.uk (Brad Rogers) Date: Thu, 10 Dec 2015 09:46:31 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <541836753.20151210005023@my_localhost> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> Message-ID: <20151210094631.4bd7fbd9@abydos.stargate.org.uk> On Thu, 10 Dec 2015 00:50:23 +0000 MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote: Hello MFPA, >Which GnuPG version are you using? Damn; I always forget some vital bit of info.... GnuPG v1.4.19 >Maybe if there are multiple signatures present, your MUA only >passes on the GnuPG output for the first one? I just switched them back No idea, TBH - I don't understand coding well enough to figure it out. I'll ask on the CM list and see what they say. >round to see what happens. This message validated correctly. There's also one other difference; The signature is no longer inline, but attached. Not that I expect that is relevant. -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" You never listen to a word that I said Public Image - Public Image Ltd -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From philip.jackson at nordnet.fr Thu Dec 10 14:05:15 2015 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Thu, 10 Dec 2015 14:05:15 +0100 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <541836753.20151210005023@my_localhost> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> Message-ID: <5669788B.6010406@nordnet.fr> On 10/12/15 01:50, MFPA wrote: > On 6th December I switched the order of these lines, so that the RSA > signature comes last. An Enigmail and GnuPG 2.0 user told me he was > not seeing the "good" signature from 0x6B7C74CEB31F25F0. It appears > that if there are multiple signatures present, Enigmail only passes on > the GnuPG output for the last one. I'm using gpg2.0.22 on my desktop and I can never verify your emails (MFPA) - I always get from enigmail : "Unverified signature; the key type is not supported by your version of GnuPG" "Unverified signature UNTRUSTED BAD signature from 2014-667rhzu3dc-lists-groups at riseup.net <2014-667rhzu3dc-lists-groups at riseup.net>" Which is normal for an ECC key. On my laptop, with Debian Jessie and gpg2.1.7, the signature verifies ok. Again normal for 2.1.x Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Thu Dec 10 17:33:44 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 10 Dec 2015 11:33:44 -0500 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <5668D3F2.2070600@gmail.com> References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> <5668D3F2.2070600@gmail.com> Message-ID: <5669A968.2090108@sixdemonbag.org> > Wow, actual Donate page turned out to be a secret area, not obvious to > get to it (it looks like a menu header, not a menu entry). Then that's a problem we should look into, and thanks for telling us about it. :) > - subj enables recurring donations (personally I am not willing to make > large one-time transcation), Recurring donations would be a nice feature. We should look into this. > - subj is a place where people eager to give go to find whom to give, See my next remark. > - subj is new, it gains popularity and gets people attention, so > somebody would consider GnuPG when reviewing projects available for funding. You just said it's a place where people eager to give go to find whom to give... but now you're saying that it's new. If it's new, that means they're still beginning to attract users and build their own reputation. So which is it? Is it a place with a lot of users and a reputation for being a place where people looking to give can find worthy projects, or is it just starting out and needs to gain popularity? From rjh at sixdemonbag.org Thu Dec 10 17:49:09 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 10 Dec 2015 11:49:09 -0500 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <5669A968.2090108@sixdemonbag.org> References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> <5668D3F2.2070600@gmail.com> <5669A968.2090108@sixdemonbag.org> Message-ID: <5669AD05.8020009@sixdemonbag.org> > You just said it's a place where people eager to give go to find whom to > give... but now you're saying that it's new. If it's new, that means > they're still beginning to attract users and build their own reputation. > So which is it? Is it a place with a lot of users and a reputation for > being a place where people looking to give can find worthy projects, or > is it just starting out and needs to gain popularity? On a lark, I checked out Bountysource Salt. Here's their C++ projects you can support: Tiled: $1027 pledged this month ZNC: $0 this month TrinityCore: $0 this month Gammu: $0 this month Arduino: $0 this month NetMauMau: $0 this month MineTest: $0 this month NLUlite: $0 this month KDevelop: $0 this month VX68K.org: $0 this month Checking their Python project offerings: urllib3: $0 this month aspidites: $0 this month Checking their GTK+ project offerings: Elementary: $302 last month XFCE: $118 last month Antergos: $21 this month FeedReader: $2 this month GNOME: $0 this month Switchboard: $0 this month Midori Browser: $0 this month Scratch: $0 this month Pantheon Photos: $0 this month Maya: $0 this month Slingshot: $0 this month Noise: $0 this month Granite: $0 this month WingPanel: $0 this month Numix: $0 this month Pragha Music Player: $0 this month Ozon OS: $0 this month Solus-project: $0 this month ... So, yeah. I'm thinking this is not a credible source for fundraising. Arduino and GNOME, projects with *far* greater visibility, get $0 a month from Bountysource. I find it hard to believe we'd do much better. I think this is something best avoided. From wk at gnupg.org Thu Dec 10 20:53:05 2015 From: wk at gnupg.org (Werner Koch) Date: Thu, 10 Dec 2015 20:53:05 +0100 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <5668D3F2.2070600@gmail.com> (Andrey Utkin's message of "Thu, 10 Dec 2015 03:22:58 +0200") References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> <5668D3F2.2070600@gmail.com> Message-ID: <871tauf5cu.fsf@vigenere.g10code.de> On Thu, 10 Dec 2015 02:22, andrey.od.utkin at gmail.com said: > Wow, actual Donate page turned out to be a secret area, not obvious to > get to it (it looks like a menu header, not a menu entry). Thanks for telling. This is the first time I heard about this but I can imagine the problem. I just modified it to put an submenu item as an alias there. Is that better? > - subj enables recurring donations (personally I am not willing to make > large one-time transcation), I know. It is quite some work to do that properly because it needs some kind of account manegment to match the donations with the donor. However, most people in Europe have an easy way to do this by using SEPA transfers and standing orders. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From darkpenguin at yandex.ru Thu Dec 10 21:00:22 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Thu, 10 Dec 2015 23:00:22 +0300 Subject: GPA - import keys more easily?.. In-Reply-To: <56695812.3020003@digitalbrains.com> References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com> <56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com> Message-ID: <5669D9D6.4020007@yandex.ru> >> Of course, I could use other software if I don't like this one, but the question >> is "wouldn't it be convenient to add a simple commandline option to GPA to >> import a key". > > For commandline usage, you can simply use GnuPG directly: > > $ gpg2 --import pubkey.asc > > GPA is a GUI frontend to GnuPG. Commandline support is already in GnuPG and > doesn't need to be in a GUI frontend. I could do that, but I believe for most users it would be much more convenient to see a graphical window of a familiar program with the user's name and email address and a confirmation dialog, instead of seeing a terminal saying "I've already imported it" (or not even seeing it, because I think it would normally close immediately after the program has finished running). I know how keys work; I've been using it at work for a long time. And I usually import the keys from email attachments, which I know are correct, because I've helped them set up PGP and I've created their email account. I just want to be able to have them imported with simply opening them with GPA and not have to save them somewhere, then look for them in the "Import keys..." dialog, and then delete them. I've submitted this along with other bugs and wishlist items to gnupg-devel, but it seems that those have not yet been approved by the moderator (though almost a week has passed since the first report). I wanted to hear what do they have to say before creating the bug reports, but now I've submitted all of the "bugs" I wanted to report on bugs.gnupg.org (issues 2178, 2179, and this one - 2180). -- darkpenguin From mail at tankredhase.de Fri Dec 11 05:08:11 2015 From: mail at tankredhase.de (Tankred Hase) Date: Fri, 11 Dec 2015 11:08:11 +0700 Subject: CORS requests not working in SKS 1.1.5 In-Reply-To: References: Message-ID: <1AC193EE-F3EE-4ACF-BBE0-4A8E06DD8F46@tankredhase.de> It seems I just some connection problems yesterday that caused the 502. Thanks to Daniel Roesler to providing help. I?ve implemented initial HKP support to OpenPGP.js. Comments welcome: https://github.com/openpgpjs/openpgpjs/pull/380 Thanks! Tankred > Am 10.12.2015 um 13:28 schrieb Tankred Hase : > > Hey, > > Tankred from OpenPGP.js / Whiteout.io here. I?m currently testing HTTP CORS request to SKS via JS in the browser after having read the announcement on v1.1.5 (https://lists.gnupg.org/pipermail/gnupg-users/2014-May/049682.html). Unfortunately I?m getting a 502 (Bad Gateway) response. Upon further analysis I saw that only the following header is set: > > The Access-Control-Allow-Origin: * > > Tested using: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=safewithme.testuser%40gmail.com > > This is indeed a requirement for CORS requests, but not sufficient. Without the following headers, CORS requests from the Browser will fail as an OPTIONS preflight check is required: > > Access-Control-Allow-Origin: * > Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS > 'Access-Control-Allow-Headers?: Content-Type > > You can test how it should look here: https://keys.whiteout.io/safewithme.testuser at gmail.com > > Would it be possible to add the headers? It would allow me the remove the need for our proprietary key server proxy and send requests directly to SKS server from the web. Thanks! > > Tankred From peter at digitalbrains.com Fri Dec 11 10:40:45 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 11 Dec 2015 10:40:45 +0100 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <871tauf5cu.fsf@vigenere.g10code.de> References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> <5668D3F2.2070600@gmail.com> <871tauf5cu.fsf@vigenere.g10code.de> Message-ID: <566A9A1D.4030600@digitalbrains.com> On 10/12/15 20:53, Werner Koch wrote: > I just modified it to put an submenu item as an alias there. Is that > better? While I think it's a good idea to include an alias, I think you should do that consistently for all the menus, otherwise "Documentation" and "Related software" are going to end up even more hidden ;). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Dec 11 10:49:39 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 11 Dec 2015 10:49:39 +0100 Subject: GPA - import keys more easily?.. In-Reply-To: <5669D9D6.4020007@yandex.ru> References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com> <56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com> <5669D9D6.4020007@yandex.ru> Message-ID: <566A9C33.5040809@digitalbrains.com> On 10/12/15 21:00, Dark Penguin wrote: > (or not even seeing it, because I think it would normally close > immediately after the program has finished running). Oh, okay, I misunderstood your request. I thought you wanted to invoke GPA from the command line, since you called it a command line option. But I suppose you want a file association so GPA is launched on an .asc or .gpg file, and subsequently takes the most logical action for the actual content of the file (show key info with an option to import for keys, decrypt and verify for encrypted/signed data). Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Dec 11 10:55:20 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 11 Dec 2015 10:55:20 +0100 Subject: GPA - import keys more easily?.. In-Reply-To: <5669D9D6.4020007@yandex.ru> References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com> <56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com> <5669D9D6.4020007@yandex.ru> Message-ID: <566A9D88.3080708@digitalbrains.com> On 10/12/15 21:00, Dark Penguin wrote: > And I usually import the keys from email attachments, which I know > are correct, because I've helped them set up PGP and I've created > their email account. I just want to be able to have them imported > with simply opening them with GPA and not have to save them > somewhere, then look for them in the "Import keys..." dialog, and > then delete them. Since I'm constantly making wrong assumptions on implied contexts here, just let me make this explicit: we are talking about e-mail clients for which no OpenPGP plugins/extensions/etc. exist, like webmail and such, right? Because I just have Enigmail handling keys in e-mail, in my Icedove (Thunderbird). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From andrey.od.utkin at gmail.com Fri Dec 11 14:51:49 2015 From: andrey.od.utkin at gmail.com (Andrey Utkin) Date: Fri, 11 Dec 2015 15:51:49 +0200 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <5669AD05.8020009@sixdemonbag.org> References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> <5668D3F2.2070600@gmail.com> <5669A968.2090108@sixdemonbag.org> <5669AD05.8020009@sixdemonbag.org> Message-ID: <566AD4F5.5090500@gmail.com> On 10.12.2015 18:49, Robert J. Hansen wrote: > ... So, yeah. I'm thinking this is not a credible source for > fundraising. Arduino and GNOME, projects with *far* greater visibility, > get $0 a month from Bountysource. I find it hard to believe we'd do > much better. > > I think this is something best avoided. > The Salt project has released this spring or this autumn, I don't remember for sure. There's competing project Gratipay (former Gittip, rebranded recently), and some more, so there's also a fragmentation. Yes you are right that these platforms (and recurring donation to FOSS projects in general) is far from being as popular as it should be. But basically this is a network, and the value of network is bound to number of members in it. If nobody is in, nobody considers joining worth. The more time passes, the more projects and backers join and the more is money flow. I was surprised to become first backer of FFmpeg project, which was already set up :) Also I am not aware how much hassle is it for you to set up your donation-collecting account on these networks, but I hope it's not that painful. Werner, Donate menu entry got better, but there's another issue - when cursor pointer moves from menu header down to menu entries, menu dropdown tends to disappear, it takes many attempts to catch it :) Thanks for all the comments. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Fri Dec 11 18:57:24 2015 From: wk at gnupg.org (Werner Koch) Date: Fri, 11 Dec 2015 18:57:24 +0100 Subject: Please consider joining Bountysource Salt to collect recurring donations In-Reply-To: <566A9A1D.4030600@digitalbrains.com> (Peter Lebbing's message of "Fri, 11 Dec 2015 10:40:45 +0100") References: <5668A5C6.10603@gmail.com> <5668B95E.3000709@sixdemonbag.org> <5668D3F2.2070600@gmail.com> <871tauf5cu.fsf@vigenere.g10code.de> <566A9A1D.4030600@digitalbrains.com> Message-ID: <877fkkdg1n.fsf@vigenere.g10code.de> On Fri, 11 Dec 2015 10:40, peter at digitalbrains.com said: > While I think it's a good idea to include an alias, I think you should > do that consistently for all the menus, otherwise "Documentation" and > "Related software" are going to end up even more hidden ;). Frankly, I think we should change the style of the menu again because we now have two identical entries in the sub-menu. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From darkpenguin at yandex.ru Fri Dec 11 16:28:13 2015 From: darkpenguin at yandex.ru (Dark Penguin) Date: Fri, 11 Dec 2015 18:28:13 +0300 Subject: GPA - import keys more easily?.. In-Reply-To: <566A9C33.5040809@digitalbrains.com> References: <56661927.2000003@yandex.ru> <56676FC5.9010805@gbenet.com> <56686EEF.80109@yandex.ru> <56695812.3020003@digitalbrains.com> <5669D9D6.4020007@yandex.ru> <566A9C33.5040809@digitalbrains.com> Message-ID: <566AEB8D.1050606@yandex.ru> >> (or not even seeing it, because I think it would normally close >> immediately after the program has finished running). > > Oh, okay, I misunderstood your request. I thought you wanted to invoke > GPA from the command line, since you called it a command line option. > > But I suppose you want a file association so GPA is launched on an .asc > or .gpg file, and subsequently takes the most logical action for the > actual content of the file (show key info with an option to import for > keys, decrypt and verify for encrypted/signed data). Yes; I can set up a file association myself, but when I open someone's .asc public key in GPA, I see a "File manager" window with an option to decrypt it, which doesn't make sense. I want either GPA to automatically understand that this is a public key (which is not hard at all, because there is the PGP header written in plaintext), or at least to be able to open keys with GPA with some option to tell it that this is a key, not an encrypted message, if it can not see that without my help - maybe with a commandline option. Or at the very least, they should just add an "Import key" option in that file manager for such cases - that would also be fine by me. I just want to be able to import a key I'm already looking at without having to look for it again in the "Import key..." dialog. There may be "workarounds" like installing some plugins for some mail clients, but I'm happy with GPA, and I want to use GPA, and installing a plugin (and probably switching to a compatible email client) and setting it up and getting used to it just to be able import keys a couple of seconds quicker does not really make sense. PGP for Windows does that from time immemorial, naturally. I would expect at least this much from a frontend for encryption software for an operating system which, unlike Windows, is actually concerned about security, and I believe our new "converts" from Windows would expect it too, and I can't believe it's still not there by now. =/ -- darkpenguin From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 11 22:35:56 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 11 Dec 2015 21:35:56 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <20151210094631.4bd7fbd9@abydos.stargate.org.uk> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> <20151210094631.4bd7fbd9@abydos.stargate.org.uk> Message-ID: <1662083054.20151211213556@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 December 2015 at 9:46:31 AM, in , Brad Rogers wrote: > GnuPG v1.4.19 1.4.x should verify the signature from my RSA subkey but report "Can't check signature: unknown pubkey algorithm" for the signature from my EDDSA subkey. > There's also one > other difference; The signature is no longer inline, > but attached. Not that I expect that is relevant. Yes, I accidentally used PGP/MIME instead of inline. - -- Best regards MFPA Vegetarian: Indian word for lousy hunter!!! -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJWa0INXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwtWsH/0pus4Fby0eWHiXwRMKeUStc UiTWl/rE/w6wmnDA6gTqUuDZQSQoiJxS37xJjAHJmE0OESC/1IjUA1pTLsq+Hdwh UkXUerOPjazzJhoLhMxAhCXshzxov89wARbeOSqr+J2IHukrgOt6tJ7jfCbmx6mm S/9LJNyCQ81GoGAaMq2HvFnyOatAH7K0pIi9swehZ8XyorBQc7CeziO6NVgxsNAz ieFKCXJYGdS32z6QAg7Et/pIzKU2xNstciVLNa5AXYZ2/5Z5wOvsPsahRCaSm+w9 bomPBfbyiFGp3dtPe8OBDGORdFjfqIHEwfkgTw3i+QImiGs8R3Ke/qZw4ojFC2iI vgQBFgoAZgUCVmtCE18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45CUpAPwNDCXop+tmAs1zatvZDU9unmrE 7s9UEsiv+dhjvjZmwgD/WBOn4QBjSjp+lsChmRszLD/0UKS8QL/cC3L7lj+eWQU= =xLr5 -----END PGP SIGNATURE----- From 2014-667rhzu3dc-lists-groups at riseup.net Fri Dec 11 22:42:04 2015 From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA) Date: Fri, 11 Dec 2015 21:42:04 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <5669788B.6010406@nordnet.fr> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> <5669788B.6010406@nordnet.fr> Message-ID: <1039963885.20151211214204@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 10 December 2015 at 1:05:15 PM, in , Philip Jackson wrote: > I'm using gpg2.0.22 on my desktop and I can never > verify your emails (MFPA) - I always get from enigmail > : > "Unverified signature; the key type is not supported by > your version of GnuPG" > "Unverified signature > UNTRUSTED BAD signature from > 2014-667rhzu3dc-lists-groups at riseup.net > <2014-667rhzu3dc-lists-groups at riseup.net>" > Which is normal for an ECC key. Except that "Unverified" is not the same as "BAD". And Enigmail is failing to pass on GnuPG's output from verifing the signature made with my RSA key. > On my laptop, with Debian Jessie and gpg2.1.7, the > signature verifies ok. Again normal for 2.1.x Do both signatures verify correctly for you with 2.1.x, or does Enigmail still only pass on the result of one of them? - -- Best regards MFPA Time flies like an arrow. Fruit flies like a banana. -- Groucho Marx -----BEGIN PGP SIGNATURE----- iQF8BAEBCgBmBQJWa0MtXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2 QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwc+8IALf022WwZZ7EQWHopVGRaGjS 7z+nIQHzqjcdKa8GeCSkQlNO9BKG4sMZsi3gngsgbELKaqHNeIYbve3Y783vfFKT 3Yv7qayAS4B0ygkI90okOAH56ai7XUtu0blvphvx/IBE6w2VVqkFZXIrO8htJ3iS KuJpYD9JyIz40bY8rgz3Hs2/B89XtOU8F/YEJd/374z4ptET7Wk7/xtijsGna0Bl A+J8EVyY9GHGtX0qAb0MNR9IyvpkM9YX+fPx4XTKbIqM9KEbvaTq1UZCjZ8a+oOA Pqo9pzUc502i6mscyHKFtDeOvlcnHSzTvAdFeN4vnWIZ8nJJxXzkZf/pJ3R2FX+I vgQBFgoAZgUCVmtDLV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45Gw2AP0erl6yVwMdgznCBB+5Gh/gTyWq 8m1Cfce28LPcqqB8iAEAr9g2cKnk3oua/DWRksEndTUogjRF4/y3ieK/XFtoDQI= =LPUB -----END PGP SIGNATURE----- From brad at fineby.me.uk Fri Dec 11 23:12:57 2015 From: brad at fineby.me.uk (Brad Rogers) Date: Fri, 11 Dec 2015 22:12:57 +0000 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <1662083054.20151211213556@my_localhost> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> <20151210094631.4bd7fbd9@abydos.stargate.org.uk> <1662083054.20151211213556@my_localhost> Message-ID: <20151211221257.6bad2e8e@abydos.stargate.org.uk> On Fri, 11 Dec 2015 21:35:56 +0000 MFPA <2014-667rhzu3dc-lists-groups at riseup.net> wrote: Hello MFPA, >1.4.x should verify the signature from my RSA subkey but report "Can't >check signature: unknown pubkey algorithm" for the signature from my >EDDSA subkey. Unfortunately, GPGME and Claws Mail (probably) interfere with the error reporting. No matter..... -- Regards _ / ) "The blindingly obvious is / _)rad never immediately apparent" Loaded like a freight train flyin' like an aeroplane Nightrain - Guns 'N' Roses -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From brian at minton.name Fri Dec 11 22:55:46 2015 From: brian at minton.name (Brian Minton) Date: Fri, 11 Dec 2015 16:55:46 -0500 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <1039963885.20151211214204@my_localhost> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> <5669788B.6010406@nordnet.fr> <1039963885.20151211214204@my_localhost> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I got the following message: rejected by import screener Here's more detail (gpg 2.1.8 on Windows 8): C:\Users\mintonb>gpg -vvv --recv 0x1712BC461AF778E4 gpg: using character set 'CP437' gpg: data source: http://pgp.mit.edu:80 gpg: armor: BEGIN PGP PUBLIC KEY BLOCK gpg: armor header: Version: SKS 1.1.5 gpg: armor header: Comment: Hostname: pgp.mit.edu # off=0 ctb=99 tag=6 hlen=3 plen=269 :public key packet: version 4, algo 1, created 1415500876, expires 0 pkey[0]: [2048 bits] pkey[1]: [17 bits] keyid: 251BCCEB547B7194 # off=272 ctb=b4 tag=13 hlen=2 plen=4 :user ID packet: "MFPA" # off=278 ctb=89 tag=2 hlen=3 plen=322 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1415582356, md5len 0, sigclass 0x13 digest algo 10, begin of digest 24 eb hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 2 len 4 (sig created 2014-11-10) hashed subpkt 25 len 1 (primary user ID) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2048 bits] # off=603 ctb=89 tag=2 hlen=3 plen=322 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1441185092, md5len 0, sigclass 0x13 digest algo 10, begin of digest f2 40 hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 2 len 4 (sig created 2015-09-02) hashed subpkt 25 len 1 (primary user ID) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2042 bits] # off=928 ctb=b4 tag=13 hlen=2 plen=18 :user ID packet: "0x251BCCEB547B7194" # off=948 ctb=89 tag=2 hlen=3 plen=319 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1416188694, md5len 0, sigclass 0x13 digest algo 10, begin of digest a3 61 hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 2 len 4 (sig created 2014-11-17) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2048 bits] # off=1270 ctb=89 tag=2 hlen=3 plen=319 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1441185086, md5len 0, sigclass 0x13 digest algo 10, begin of digest 58 9d hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) hashed subpkt 2 len 4 (sig created 2015-09-02) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2045 bits] # off=1592 ctb=89 tag=2 hlen=3 plen=319 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1416145056, md5len 0, sigclass 0x13 digest algo 10, begin of digest 30 1c hashed subpkt 2 len 4 (sig created 2014-11-16) hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2044 bits] # off=1914 ctb=b4 tag=13 hlen=2 plen=81 :user ID packet: "2014-667rhzu3dc-lists-groups at riseup.net <2014-667rhzu3dc-lists - -groups at riseup.net>" # off=1997 ctb=89 tag=2 hlen=3 plen=319 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1441159293, md5len 0, sigclass 0x13 digest algo 10, begin of digest 96 2d hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) hashed subpkt 2 len 4 (sig created 2015-09-02) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2046 bits] # off=2319 ctb=89 tag=2 hlen=3 plen=319 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1415582302, md5len 0, sigclass 0x13 digest algo 10, begin of digest cd 16 hashed subpkt 2 len 4 (sig created 2014-11-10) hashed subpkt 27 len 1 (key flags: 01) hashed subpkt 11 len 10 (pref-sym-algos: 13 9 8 12 7 3 11 10 4 2) hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 11 3 2) hashed subpkt 22 len 4 (pref-zip-algos: 3 2 1 0) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2047 bits] # off=2641 ctb=b8 tag=14 hlen=2 plen=86 :public sub key packet: version 4, algo 18, created 1415574475, expires 0 pkey[0]: [72 bits] nistp256 (1.2.840.10045.3.1.7) pkey[1]: [515 bits] pkey[2]: [32 bits] keyid: 6ACDDA063F6FC8DE # off=2729 ctb=89 tag=2 hlen=3 plen=287 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1415574475, md5len 0, sigclass 0x18 digest algo 10, begin of digest f8 e2 hashed subpkt 2 len 4 (sig created 2014-11-09) hashed subpkt 27 len 1 (key flags: 0C) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2047 bits] # off=3019 ctb=89 tag=2 hlen=3 plen=287 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1421371951, md5len 0, sigclass 0x28 digest algo 10, begin of digest 64 f3 hashed subpkt 2 len 4 (sig created 2015-01-16) hashed subpkt 29 len 1 (revocation reason 0x03 ()) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2045 bits] # off=3309 ctb=b8 tag=14 hlen=2 plen=87 :public sub key packet: version 4, algo 18, created 1417809993, expires 0 pkey[0]: [80 bits] brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7) pkey[1]: [515 bits] pkey[2]: [32 bits] keyid: 4793107F2C53A3B6 # off=3398 ctb=89 tag=2 hlen=3 plen=287 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1417809993, md5len 0, sigclass 0x18 digest algo 10, begin of digest 8c 6d hashed subpkt 2 len 4 (sig created 2014-12-05) hashed subpkt 27 len 1 (key flags: 0C) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2045 bits] # off=3688 ctb=b9 tag=14 hlen=3 plen=269 :public sub key packet: version 4, algo 1, created 1415502447, expires 0 pkey[0]: [2048 bits] pkey[1]: [17 bits] keyid: 6B7C74CEB31F25F0 # off=3960 ctb=89 tag=2 hlen=3 plen=670 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1415502447, md5len 0, sigclass 0x18 digest algo 10, begin of digest fa 7d hashed subpkt 2 len 4 (sig created 2014-11-09) hashed subpkt 27 len 1 (key flags: 02) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) subpkt 32 len 380 (signature: v4, class 0x19, algo 1, digest algo 10) data: [2046 bits] # off=4633 ctb=b9 tag=14 hlen=3 plen=269 :public sub key packet: version 4, algo 1, created 1415502602, expires 0 pkey[0]: [2048 bits] pkey[1]: [17 bits] keyid: 8D69E0E6BAE157F8 # off=4905 ctb=89 tag=2 hlen=3 plen=287 :signature packet: algo 1, keyid 251BCCEB547B7194 version 4, created 1415502602, md5len 0, sigclass 0x18 digest algo 10, begin of digest 6e e7 hashed subpkt 2 len 4 (sig created 2014-11-09) hashed subpkt 27 len 1 (key flags: 0C) subpkt 16 len 8 (issuer key ID 251BCCEB547B7194) data: [2048 bits] gpg: pub rsa2048/251BCCEB547B7194 2014-11-09 MFPA gpg: key 251BCCEB547B7194: rejected by import screener gpg: Total number processed: 1 C:\Users\mintonb> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iF4EAREIAAYFAlZrRbcACgkQa46zoGXPuqnBjAD6A4EWvTcfWVK1mpfN+zWDRARe myNNWmjDUAsYqaqn9IAA/iBHS/7vUJtBJgMCxbT69VRYZ/qkvjqGlb3Ti48aGbId =JhPl -----END PGP SIGNATURE----- From david at gbenet.com Sat Dec 12 11:59:01 2015 From: david at gbenet.com (david at gbenet.com) Date: Sat, 12 Dec 2015 10:59:01 +0000 Subject: Merry Christmas Message-ID: <566BFDF5.3080005@gbenet.com> -- http://www.bbc.com/news/uk-35058761 David ?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No delusion.? https://linuxcounter.net/user/512854.html - http://gbenet.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From philip.jackson at nordnet.fr Sun Dec 13 00:11:05 2015 From: philip.jackson at nordnet.fr (Philip Jackson) Date: Sun, 13 Dec 2015 00:11:05 +0100 Subject: Error message "gpg: Can't check signature: Broken public key" In-Reply-To: <1039963885.20151211214204@my_localhost> References: <144345553.20151207235136@my_localhost> <5666942F.2000404@fsij.org> <619034873.20151208224719@my_localhost> <20151208232436.72780e07@abydos.stargate.org.uk> <541836753.20151210005023@my_localhost> <5669788B.6010406@nordnet.fr> <1039963885.20151211214204@my_localhost> Message-ID: <566CA989.70902@nordnet.fr> On 11/12/15 22:42, MFPA wrote: > >> > On my laptop, with Debian Jessie and gpg2.1.7, the >> > signature verifies ok. Again normal for 2.1.x > Do both signatures verify correctly for you with 2.1.x, or does > Enigmail still only pass on the result of one of them? > I don't use the laptop regularly for mail but I did update its inbox today just to check out what it does now. gpg2.1.7 with enigmail 1.9a1 of 30 Nov 2015 verifies all your emails of 2015 as 'good signature'. However, when I look to see more details, the verification behind the enigmail 'Details' button quotes key ID 0x547B7194 which is the RSA 2048 public key identity. But when I look into the enigmail log, there I see that signatures were made by both EDDSA subkey 0x1712BC461AF778E4 and RSA subkey 0x6B7C74CEB31F25F0. Getting back to the desktop -- On my desktop with 2.0.22 with enigmail 1.9a1 of 8 Oct 2015, enigmail provides differing info depending on whether you're inline or pgp/mime. The latter gives the more alarming info behind enigmail's Details button "Untrusted bad signature ...." But again, enigmail's logfile shows both subkeys were used. Enigmail doesn't use the available info which is there in the logfile wrt the RSA key ...(I quote from the logfile)... "using subkey 0x6B7C74CEB31F25F0 instead of primary key 0x251BCCEB547B7194 gpg: using PGP trust model gpg: key 0x26BD500A23543A63: accepted as trusted key gpg: Good signature from "MFPA" [unknown] gpg: aka "2014-667rhzu3dc-lists-groups at riseup.net <2014-667rhzu3dc-lists-groups at riseup.net>" [unknown] gpg: aka "0x251BCCEB547B7194" [unknown] gpg: WARNING: This key is not certified with a trusted signature!" Never mind the trust issue. The logfile does show "good signature". Philip -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From bober_182 at riseup.net Mon Dec 14 06:20:17 2015 From: bober_182 at riseup.net (bober) Date: Mon, 14 Dec 2015 05:20:17 +0000 Subject: Tor Support for SKSkeyservers in 2.1 Message-ID: <566E5191.80506@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Greetings, I am having trouble setting up TOR support for sks-keyservers in 2.1. I recently migrated my system from an ubuntu install where I had this in my gpg.conf file. keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 Now that I am on Arch, and using the 2.1 GPG I need to change some options to make this work. I have the following in my dirmngr.conf hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem And it works with out the keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 line in my gpg.conf But then I don't have TOR support. otherwise if I include it I get the following error message. gpg: error searching keyserver: Configuration error gpg: keyserver search failed: Configuration error Regards, bober -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJWblGRAAoJEIjdyOfDrt8PWSEIAIM35Hk/g57mSaCqP20ECLYE I05h3ww+NN20xzuzB129Wy/ZkMtwvWeCDodqgafbSsYUD08+HCh/NAkU31jdkQje 0kuQ4v9+pm1nI4DnBUzPNJwVE3o8CJx6mdQSWmPG6pQGexf5EiDS7ijV3W27rrV1 HTQnkYJYeOKWT5b9V8ZvOQNs1HZODpe1jCf9JLn1b7klqwcSVVpbqzXwT3E4BM+g rbx5TWXGofn1YKkTfxtNKpTkY8ki3tqJN57ovhApOSvS+l+HJj6YClc9MtcUF04s DIHVhzzyVyJdsfiiVQyE8kEJRAKjCcy3KB8cp0yqkmpKePsaNSNbY46AZ8rv/Ew= =e/VP -----END PGP SIGNATURE----- From malte at wk3.org Mon Dec 14 10:46:57 2015 From: malte at wk3.org (Malte) Date: Mon, 14 Dec 2015 10:46:57 +0100 Subject: Tor Support for SKSkeyservers in 2.1 In-Reply-To: <566E5191.80506@riseup.net> References: <566E5191.80506@riseup.net> Message-ID: <3480536.nM1hsSSNXB@localhost> On Monday 14 December 2015 05:20 bober wrote: > I am having trouble setting up TOR support for sks-keyservers in 2.1. Hi, the --use-tor option got introduced in 2.1.10: https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030385.html If you are using GnuPG in a version before 2.1.10 the following might help you: https://lists.gnupg.org/pipermail/gnupg-users/2015-September/054299.html Sincerely, Malte From wk at gnupg.org Tue Dec 15 19:43:32 2015 From: wk at gnupg.org (Werner Koch) Date: Tue, 15 Dec 2015 19:43:32 +0100 Subject: Tor Support for SKSkeyservers in 2.1 In-Reply-To: <566E5191.80506@riseup.net> (bober's message of "Mon, 14 Dec 2015 05:20:17 +0000") References: <566E5191.80506@riseup.net> Message-ID: <87wpsf4koa.fsf@vigenere.g10code.de> On Mon, 14 Dec 2015 06:20, bober_182 at riseup.net said: > keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 A http proxy is not a socks proxy. These are different concepts. Tor is implemented as a socks proxy and GnuPG before version 2.1.10 has no support for this. See Malte's mails on how to work around this. Note that the Tor support in 2.1.10 depends on how GnuPG was build. Unless you are using the Windows installer you need to build against a patched version of the ADNS library. However, for all platforms you can use keyservers behind a onion address - this works even if you do not put "use-tor" into dirmngr.conf. Instead put keyserver hkp://dyh2j3qyrirn43iw.onion into dirmngr.conf and do _not_ put a keyserver option into gpg.conf. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: From anthony at cajuntechie.org Tue Dec 15 23:58:21 2015 From: anthony at cajuntechie.org (Anthony Papillion) Date: Tue, 15 Dec 2015 16:58:21 -0600 Subject: Can I pass the password from the command line? Message-ID: <56709B0D.9060009@cajuntechie.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I'd like to script encryption and decryption from the command line. Is there a way to pass the encryption passphrase to GnuPG from the command line. For example: gpg2 --encrypt --recipient --passphrase anthony at cajuntechie.org SomePassphrase FileIWantToEncrypt Is this possible at all? If so, how? Also, the same question for decryption. Thanks! Anthony - -- Phone: 1.845.666.1114 Skype: cajuntechie PGP Key: 0x028ADF7453B04B15 Fingerprint: C5CE E687 DDC2 D12B 9063 56EA 028A DF74 53B0 4B15 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWcJsNAAoJEAKK33RTsEsVOWYP/0gJszoRDGauIsmMMqR+UWDF Q4KkzzbqSNwJAc+xn+Rt1XnAYqK04cDfQjzAhTfJLnwGV47jfrS9GG/qfIPWgyv3 xilGvyrKXS2/YrNj+JGvcoN3S9jp2hrgXVoeqsx5Qiv7liG/NrajiStHnGXknqX5 lwXbuQ/o5BnHGS70s5mASGzgCWMUUxE5pB4EWJR247Dd0SevDBrE1XmEMxNFHoRj yG4PXj1YVjaWQhNT/lF/fSZi49b0ufwovsciusQPxZmzPsd503KqS+qkwB6mAhur mDu2BwqFu79qE4BJ3C4ccatbbxtfb6zmF703ChqnJLYef57Ox0mKnV8kxbHUSd+W vViovg/ptSj60IH3ppS/pO3juma0KFQuFU8eztnzhvvTXnfWEik7d+Q6y9LRRLtM x/Scujgjmk1SL3K15x8ZDnVOaQdit7q3Ylh6BKRnPnZiUWbd2UIDtrGXV9Av6Zrz j4M0cuEdUVzMzwNie9SUstKcEoQ3mCBzVeIGVRv48MaNw40A1Q1e9g3P62/0zJJg iqytI051E13bM/fF/uMt/j6OtpJHTXsfYHb3oYObmQGhMglReuPz4FbR3VcOSuc/ ge6zjcdkWrK5wGIRjCfjzQlEbEJZMzzchIQ7rnb7SJQw3VleBjHdzfQ+bi/6haxO E6QOdTeRg9VbgsGFZaLx =txgJ -----END PGP SIGNATURE----- From andrewg at andrewg.com Wed Dec 16 00:07:04 2015 From: andrewg at andrewg.com (Andrew Gallagher) Date: Tue, 15 Dec 2015 23:07:04 +0000 Subject: Can I pass the password from the command line? In-Reply-To: <56709B0D.9060009@cajuntechie.org> References: <56709B0D.9060009@cajuntechie.org> Message-ID: <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com> > On 15 Dec 2015, at 22:58, Anthony Papillion wrote: > > I'd like to script encryption and decryption from the command line. Is > there a way to pass the encryption passphrase to GnuPG from the > command line. I don't think there is a password parameter, and I'd strongly recommend not doing it even if there was. Many OSes make the command line parameters of processes available to any local user. Have you tried piping the password to stdin? Andrew From anthony at cajuntechie.org Wed Dec 16 00:21:44 2015 From: anthony at cajuntechie.org (Anthony Papillion) Date: Tue, 15 Dec 2015 17:21:44 -0600 Subject: Can I pass the password from the command line? In-Reply-To: <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com> References: <56709B0D.9060009@cajuntechie.org> <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com> Message-ID: <5670A088.8080903@cajuntechie.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/15/2015 5:07 PM, Andrew Gallagher wrote: > >> On 15 Dec 2015, at 22:58, Anthony Papillion >> wrote: >> >> I'd like to script encryption and decryption from the command >> line. Is there a way to pass the encryption passphrase to GnuPG >> from the command line. > > I don't think there is a password parameter, and I'd strongly > recommend not doing it even if there was. Many OSes make the > command line parameters of processes available to any local user. > > Have you tried piping the password to stdin? > > Andrew Thank you for the quick answer, Andrew. After thinking about it, I can see the absolute folly of having something set up the way I requested and I appreciate you pointing that out. I had not thought about piping to stdin - never even crossed my mind! Thanks again! -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWcKCIAAoJEAKK33RTsEsVSPMQALJOsQ3u7RYyERyPoJUtde8W bTTLaAXnfFmmhB/3EzNQBcrs0fPqc4uQ1UrB3iWITqA0rbf+9asrPETDaR3Ev2xq ilmpuZAO678NetEcG1Pc7w0gM9hNd8hDQcolRECYRBXfoPchTxGI3jaYjd3IKuOa W1jyUohW0kSkXg98m8GKkCrNTzLwePNWn9COXn7494Kq9rQLQ5+kCQmpjtSN64QY AXhVo0JF8xK55QPcMlnW6F5N93jLHneY+ymyK36hF3NFQL1X7r0BKtvby9SNhon6 kq+3yd6YLw8mjAEplgKPRHYerKPjrdUNVS4PtbI7hcoO4EaPK2e8Wdrg4kfAokSV q++n3ATsKResldBEZr6NOX425N5AmhIhtkMJt2l18V5mcyhWNwqpi4qkPwMmMlGA uqPe1zjXAaGuouWdjo96HDDZvmZLrYo92fE3Or3oK9HyZMwn9i2+rTlqPuOFgXmR VizXt04AZLKTDaC5X0VGMSsVLinmIDw0t+iky9jHfcttWpyPVHexozWLVosN7rJ2 +pSb5bU7HOZEUOXwaERzx/k5885m8hDkAIXuKscFHETLnTMXc00S3kZOMNdbqyRw 2NuL6FIA0VOGKZrJ/vUtHxyP16qjirlVRtsheX+MlXmUqYHEJDm6Cw4S3FtEZKo9 r6SnsxzigqY6CvbHOyGs =4k1n -----END PGP SIGNATURE----- From sbutler at fchn.com Wed Dec 16 00:21:13 2015 From: sbutler at fchn.com (Steve Butler) Date: Tue, 15 Dec 2015 23:21:13 +0000 Subject: Can I pass the password from the command line? In-Reply-To: <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com> References: <56709B0D.9060009@cajuntechie.org>, <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com> Message-ID: There is under 1.4. Don't know if it is in v2. I'm not at my desk to pop the script open. But you could pipe the passphrase via stain and tell gpg to grab it from there. Be careful as that still leaves it in the clear to those reading your script. Potential local users could also see it if you echo'd it to the pipe. Sent from my Verizon Wireless 4G LTE smartphone -------- Original message -------- From: Andrew Gallagher Date: 12/15/2015 15:09 (GMT-08:00) To: Anthony Papillion Cc: gnupg-users at gnupg.org Subject: Re: Can I pass the password from the command line? > On 15 Dec 2015, at 22:58, Anthony Papillion wrote: > > I'd like to script encryption and decryption from the command line. Is > there a way to pass the encryption passphrase to GnuPG from the > command line. I don't think there is a password parameter, and I'd strongly recommend not doing it even if there was. Many OSes make the command line parameters of processes available to any local user. Have you tried piping the password to stdin? Andrew _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -------------- next part -------------- An HTML attachment was scrubbed... URL: From marioxcc.MT at yandex.com Wed Dec 16 01:27:06 2015 From: marioxcc.MT at yandex.com (=?UTF-8?Q?Mario_Castel=c3=a1n_Castro?=) Date: Tue, 15 Dec 2015 18:27:06 -0600 Subject: Can I pass the password from the command line? In-Reply-To: <5670A088.8080903@cajuntechie.org> References: <56709B0D.9060009@cajuntechie.org> <6F342058-3097-40A8-B3F3-7299C52188CE@andrewg.com> <5670A088.8080903@cajuntechie.org> Message-ID: <5670AFDA.7090204@yandex.com> El 15/12/15 a las 17:21, Anthony Papillion escribi?: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 12/15/2015 5:07 PM, Andrew Gallagher wrote: >> >>> On 15 Dec 2015, at 22:58, Anthony Papillion >>> wrote: >>> >>> I'd like to script encryption and decryption from the command >>> line. Is there a way to pass the encryption passphrase to GnuPG >>> from the command line. >> >> I don't think there is a password parameter, and I'd strongly >> recommend not doing it even if there was. Many OSes make the >> command line parameters of processes available to any local user. >> >> Have you tried piping the password to stdin? >> >> Andrew > > Thank you for the quick answer, Andrew. After thinking about it, I can > see the absolute folly of having something set up the way I requested > and I appreciate you pointing that out. I had not thought about piping > to stdin - never even crossed my mind! > > Thanks again! I recall that there is an option "--passphrase-file", which can be used to pass the password programatically. Of course, make sure that the file has secure permissions since it's created (or at least, written to) to store the password. From erkan77 at gmail.com Wed Dec 16 05:53:01 2015 From: erkan77 at gmail.com (Erkan Yilmaz) Date: Wed, 16 Dec 2015 05:53:01 +0100 Subject: end-of-life for libgcrypt 1.5.x Message-ID: Hello, is this info (1), from 2014 August, still valid ? Thank you, Erkan (1) "Declare 2016-12-31 as end-of-life for 1.5." https://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000351.html -------------- next part -------------- An HTML attachment was scrubbed... URL: From fabian at fstab.de Wed Dec 16 11:51:51 2015 From: fabian at fstab.de (Fabian =?iso-8859-1?Q?St=E4ber?=) Date: Wed, 16 Dec 2015 11:51:51 +0100 Subject: character encoding differs in gpg and gpg2 Message-ID: <20151216105151.GA950@lessing.int.consol.de> Hello, sorry if this has been asked before, but I didn't find it on google: If I call gpg, it uses charset utf-8. If I call gpg2, it uses charset US-ASCII. My locale is en_US.UTF-8. My name has a special character. 'gpg --edit-key' shows it correctly, 'gpg2 --edit-key' does not. I am wondering what other users will most likely see when they get my key from the keyserver? Is my key correct and gpg2 wrong, or is my key wrong and gpg2 correct? Thanks a lot Fabian P.S.: gpg is version 1.4.19, gpg2 is version 2.0.29, I am using iTerm on OS X. From wk at gnupg.org Wed Dec 16 13:48:14 2015 From: wk at gnupg.org (Werner Koch) Date: Wed, 16 Dec 2015 13:48:14 +0100 Subject: end-of-life for libgcrypt 1.5.x In-Reply-To: (Erkan Yilmaz's message of "Wed, 16 Dec 2015 05:53:01 +0100") References: Message-ID: <87zixa36gh.fsf@vigenere.g10code.de> On Wed, 16 Dec 2015 05:53, erkan77 at gmail.com said: > is this info (1), from 2014 August, still valid ? > (1) "Declare 2016-12-31 as end-of-life for 1.5." Sure. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From erkan77 at gmail.com Wed Dec 16 14:10:46 2015 From: erkan77 at gmail.com (Erkan Yilmaz) Date: Wed, 16 Dec 2015 14:10:46 +0100 Subject: end-of-life for libgcrypt 1.5.x In-Reply-To: <87zixa36gh.fsf@vigenere.g10code.de> References: <87zixa36gh.fsf@vigenere.g10code.de> Message-ID: Hello Werner, thank you very much for the confirmation. Have a nice day, Erkan On Wed, Dec 16, 2015 at 1:48 PM, Werner Koch wrote: > On Wed, 16 Dec 2015 05:53, erkan77 at gmail.com said: > > > is this info (1), from 2014 August, still valid ? > > > (1) "Declare 2016-12-31 as end-of-life for 1.5." > > Sure. > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jarlelistsubscriber at gmail.com Wed Dec 16 17:19:07 2015 From: jarlelistsubscriber at gmail.com (Jarle Hammen Knudsen) Date: Wed, 16 Dec 2015 17:19:07 +0100 Subject: Get gpg to use keyring files in the current directory Message-ID: <56718EFB.6000006@gmail.com> I'm trying to get gpg to create and use keyryring files in the current directory. In e:\test I have this options file named test.conf : utf8-strings no-default-keyring keyring test-public.keyring secret-keyring test-secret.keyring If I cd to e:\test and use this command line: gpg --gen-key --options test.conf the keyrings are not created in the current directory, but in C:\Users\username\AppData\Roaming\gnupg The options file is read, since the keyring files use the specified names. I'm using gpg to encrypt small backup files which will be decrypted by non-tech-savvy users that do not usually use gpg. I'm going to store the keyrings ready for use on a USB-stick and will not know the absolute path to the keyfiles. Any suggestions? gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0) Windows 10 From sbutler at fchn.com Wed Dec 16 18:30:18 2015 From: sbutler at fchn.com (Steve Butler) Date: Wed, 16 Dec 2015 17:30:18 +0000 Subject: Get gpg to use keyring files in the current directory In-Reply-To: <56718EFB.6000006@gmail.com> References: <56718EFB.6000006@gmail.com> Message-ID: <1e14659a5fba44afb4c0dd613dde8e85@t1l1exchmbs-01.fchn.com> Either set --homedir on the command line or in the options file. -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jarle Hammen Knudsen Sent: Wednesday, December 16, 2015 8:19 AM To: Gnupg-users at gnupg.org Subject: Get gpg to use keyring files in the current directory I'm trying to get gpg to create and use keyryring files in the current directory. In e:\test I have this options file named test.conf : utf8-strings no-default-keyring keyring test-public.keyring secret-keyring test-secret.keyring If I cd to e:\test and use this command line: gpg --gen-key --options test.conf the keyrings are not created in the current directory, but in C:\Users\username\AppData\Roaming\gnupg The options file is read, since the keyring files use the specified names. I'm using gpg to encrypt small backup files which will be decrypted by non-tech-savvy users that do not usually use gpg. I'm going to store the keyrings ready for use on a USB-stick and will not know the absolute path to the keyfiles. Any suggestions? gpg (GnuPG) 2.0.29 (Gpg4win 2.3.0) Windows 10 _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From anthony at cajuntechie.org Wed Dec 16 20:41:00 2015 From: anthony at cajuntechie.org (Anthony Papillion) Date: Wed, 16 Dec 2015 13:41:00 -0600 Subject: QC resistant algorithms? Message-ID: <5671BE4C.5010601@cajuntechie.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 While I know it's not a big concern at the moment, we are well on the way to a future that includes quantum computing. While some in the computer science and crypto fields say we won't see a crypto breaking quantum computer for another 30+ years, others are putting it closer to 10 and even 5-6. Regardless of what the actual timeframe is, I'm wondering what work is being done in GnuPG to implement QC resistant asymmetric algorithms? Perhaps a better question, and I have done very little research into this specifically I admit, /are/ there any QC resistant asymmetric algorithms to implement or will we need to come up with something completely different? Anthony - -- Phone: 1.845.666.1114 Skype: cajuntechie PGP Key: 0x028ADF7453B04B15 Fingerprint: C5CE E687 DDC2 D12B 9063 56EA 028A DF74 53B0 4B15 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWcb5LAAoJEAKK33RTsEsVplkP/RMkSuX5mPHJoetvkui/1scJ /g2VyHhZz7L2YMwOpXdDxmN40/6aFIopNcBt1DvnRqG9SFeVKIRFW9ndIhr2GhFk DSQPpQrunK5xSERgw+PKIvECsJoaEB2uG3wV/us7wuqd8d2iqnFVNtM8OFqiUp6e rz9T8XAgZg/2pKJDt3XFjRhq8E1rUbm1Sby3I0DwZwRefc+lDA+Iju19G5BYuUn1 oklCwLadpg/6+qngXzUaXSjGLNEl6UEK7NumBuDW68x1M9D4xBHXDuH1NbHTzEjB UuL2kzb5bLZpnQSYL1n259p+PWzQnX/V/HvwWahh/+wkcpPjMo3RMpt/Q2Z9Zm74 vn1Ob54rUaWqcl5b03Hy7mvXZW/ZHADwv2rKnjUEvxeKpF7yakgk9iK7U5J/iGFB O/9BEEkc834sZ/iZRwTUQPKurDZ+We4/kW8jNfCcZmDl7lIiCXGGr91leMRYflLR kc+8rS+7iRA9u4EH/hPWJ1iqERQt/0brfN4YvrEpUQWGtaXboRQJk3pTRV7WB4oH 367nJEEwPp0JnviFVD1PN4MoLYtIFkatEcIvku6s+gxWsVRkkEUqdNKRA5kKY/Sb 3zAKEjpcW03hc/h+0KvYSRGUOYCcB4y3PM+P/cwYRAU9lBcZJ5jEKbAkCJR7I11F ek76H2BMUuVqmxPVtGIN =eH5A -----END PGP SIGNATURE----- From lachlan at twopif.net Wed Dec 16 21:14:29 2015 From: lachlan at twopif.net (Lachlan Gunn) Date: Wed, 16 Dec 2015 21:14:29 +0100 Subject: QC resistant algorithms? In-Reply-To: <5671BE4C.5010601@cajuntechie.org> References: <5671BE4C.5010601@cajuntechie.org> Message-ID: Long story short, there exist algorithms that are hypothesised tho be QC-resistant, though as far as I know nothing is proven in that respect. Those that do exist, there's still a substantial possibility that they'll be broken. Key and signature sizes are generally large, kilobytes to megabytes. Certainly nothing is standardised, let alone being ready to go into OpenPGP. This is all outside of my area, so someone please correct me if I'm way off. Thanks, Lachlan From kloecker at kde.org Wed Dec 16 21:17:11 2015 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Wed, 16 Dec 2015 21:17:11 +0100 Subject: QC resistant algorithms? In-Reply-To: <5671BE4C.5010601@cajuntechie.org> References: <5671BE4C.5010601@cajuntechie.org> Message-ID: <1751464.p7NrN1UKX4@thufir> On Wednesday 16 December 2015 13:41:00 Anthony Papillion wrote: > While I know it's not a big concern at the moment, we are well on the > way to a future that includes quantum computing. While some in the > computer science and crypto fields say we won't see a crypto breaking > quantum computer for another 30+ years, others are putting it closer > to 10 and even 5-6. > > Regardless of what the actual timeframe is, I'm wondering what work is > being done in GnuPG to implement QC resistant asymmetric algorithms? > Perhaps a better question, and I have done very little research into > this specifically I admit, /are/ there any QC resistant asymmetric > algorithms to implement or will we need to come up with something > completely different? Yes. You might want to continue your research at https://en.wikipedia.org/wiki/Post-quantum_cryptography Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: This is a digitally signed message part. URL: From anthony at cajuntechie.org Wed Dec 16 21:22:13 2015 From: anthony at cajuntechie.org (Anthony Papillion) Date: Wed, 16 Dec 2015 14:22:13 -0600 Subject: QC resistant algorithms? In-Reply-To: References: <5671BE4C.5010601@cajuntechie.org> Message-ID: <5671C7F5.5020508@cajuntechie.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 12/16/2015 2:14 PM, Lachlan Gunn wrote: > Long story short, there exist algorithms that are hypothesised tho > be QC-resistant, though as far as I know nothing is proven in that > respect. Those that do exist, there's still a substantial > possibility that they'll be broken. Key and signature sizes are > generally large, kilobytes to megabytes. > > Certainly nothing is standardised, let alone being ready to go into > OpenPGP. > > This is all outside of my area, so someone please correct me if I'm > way off. This is sort of what I'd gathered from the brief reading I've done about the situation. I'm sure there's a lot of research going on in the area and I certainly hope "we beat them to it". -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWccf1AAoJEAKK33RTsEsV8dgP/03RIj2PId9g8WXMKlyC8ZtF uC2P+TKaNOJk+p3IkuGE7ot7+eqskyPfAemhpYERqsJksAUg834zrHDMwYVryARy HtZGopBRyBKrW9i9gP/CNU9vDSzXULW01C4x5nzotlwviK3JEXhln5MTr76Ll9w8 gzBaB362Qfu4gs35UY5tFr+c6G5mlNmDkPL94ihjw7aQdgp8bqZH1E56BUGIry9b jdzP5TiZcdlh6+aqL5p6wiQ/fiJJ+5pPd+mmlqFVIvDABHAjOTfdsPi2NRe/NnHl 1IG7Ooa16MmKWkycFqvlCZull/hQjMVrIquwLIMH0+rlt4w7WhweJGMZ22D0ebru Nq8P04v3WqgO+Teyur0/DvCIu/L6OBqOxUWnm+RYCQyDUtCpeYZ/lDdckFnqzQWt l1Ge0gbb9TLkv5waOxw0kaXKvUQyRisyJ+pM3nHu4rs36yFM+fMIiRoZl0zLIV0G ba1ucJziTiU307kkQD+pnQQSCHd8tcFt225EpXXNzjcqX9s+rnSQicoupFv+uy0C VX9AdFoWkX2evUPScYMOZdfBL+OFHVaOHDXrZNpHXXVLBp9hncsP1cg71y3fo3kd ff87wiz5/bbQ3/2UBtdAXqVwxdD2MGATrpKDLucJanR3XEnkVXjv4r7ixwjoxryp oNBWxSS+TynaZDHP+xbU =8Uxp -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Wed Dec 16 23:21:21 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 16 Dec 2015 17:21:21 -0500 Subject: QC resistant algorithms? In-Reply-To: References: <5671BE4C.5010601@cajuntechie.org> Message-ID: <5671E3E1.4070004@sixdemonbag.org> > Long story short, there exist algorithms that are hypothesised tho be > QC-resistant, though as far as I know nothing is proven in that > respect. The one-time pad is proven QC resistant. With respect to hypothesis, remember that *none* of the ciphers in OpenPGP are proven to be resistant against even classical computers, and we won't until there's a solid proof that P != NP. QC-resistant algorithms are in much the same state: a formal proof that an algorithm was QC-resistant would be breathtaking and shocking, and possibly on the level of a P != NP proof. > Those that do exist, there's still a substantial possibility > that they'll be broken. Some. Others look quite solid -- e.g., Lamport signatures. From rjh at sixdemonbag.org Wed Dec 16 23:25:26 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 16 Dec 2015 17:25:26 -0500 Subject: QC resistant algorithms? In-Reply-To: <5671C7F5.5020508@cajuntechie.org> References: <5671BE4C.5010601@cajuntechie.org> <5671C7F5.5020508@cajuntechie.org> Message-ID: <5671E4D6.1060204@sixdemonbag.org> > This is sort of what I'd gathered from the brief reading I've done > about the situation. I'm sure there's a lot of research going on in > the area and I certainly hope "we beat them to it". If I remember correctly, we definitely already have -- a while ago I saw some paper claiming to be a proof that McEliece was NP-HARD. If that's true, I'm willing to say McEliece is QC-immune, because a QC attack on an NP-HARD problem is currently pretty much unimaginable. From mls at dabpunkt.eu Thu Dec 17 00:09:10 2015 From: mls at dabpunkt.eu (Daniel Baur) Date: Thu, 17 Dec 2015 00:09:10 +0100 Subject: character encoding differs in gpg and gpg2 In-Reply-To: <20151216105151.GA950@lessing.int.consol.de> References: <20151216105151.GA950@lessing.int.consol.de> Message-ID: <5671EF16.9020002@dabpunkt.eu> Hello, Am 16.12.2015 um 11:51 schrieb Fabian St?ber: > My name has a special character. 'gpg --edit-key' shows it correctly, > 'gpg2 --edit-key' does not. either gpg or gpg2 show the umlaut in your key correct here. My locale is LC_ALL=de_DE.UTF-8. Sincerely, DaB. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 880 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Thu Dec 17 21:29:22 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 17 Dec 2015 15:29:22 -0500 Subject: MIT Tech Review on user error Message-ID: <56731B22.7060603@sixdemonbag.org> MIT's Technology Review has a good article on how user error tends to subvert communications security. It's probably not news to people here, but it might be worth sharing with your less-technical friends. http://www.technologyreview.com/news/544516/user-error-compromises-many-encrypted-communication-apps/ From gnupgpacker at on.yourweb.de Sun Dec 20 10:44:58 2015 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Sun, 20 Dec 2015 10:44:58 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... Message-ID: <000601d13b0b$16f72630$44e57290$@on.yourweb.de> Hello, I did install Gpg4win-3.0 beta (with gpg 2.1.10 included). All older pub/sec keys are imported with Kleopatra, gpg encryption / decryption is working. But if using GPGrelay 0.9.6, while starting it displays attached error message. There seems to be a different key storing location or key format between 1.4x and 2.1x versions, isn't it? How to supply keys for GPGrelay in 1.4x format? Is there any way to export it from Kleopatra? Correct location? Thx + regards, Chris [ http://sourceforge.net/projects/gpgrelay/ ] [ https://wiki.gnupg.org/Gpg4win/Testversions ] -------------- next part -------------- A non-text attachment was scrubbed... Name: relay.png Type: image/png Size: 3618 bytes Desc: not available URL: From wk at gnupg.org Sun Dec 20 13:16:04 2015 From: wk at gnupg.org (Werner Koch) Date: Sun, 20 Dec 2015 13:16:04 +0100 Subject: [Announce] GnuPG 1.4.20 released Message-ID: <878u4puxh7.fsf@vigenere.g10code.de> Hello! We are pleased to announce the availability of a new GnuPG classic release: Version 1.4.20. This release finally rejects all MD5 based signatures; see below for details. What is GnuPG ============= The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard as defined by RFC-4880 and better known as PGP. GnuPG, also known as GPG, allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Three different versions of GnuPG are actively maintained: - GnuPG "modern" (2.1) is the latest development with a lot of new features. - GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are currently using. - GnuPG "classic" (1.4) is the old standalone version which is most suitable for older platforms or if there is a need to handle PGP-2 messages. This announcement is about a release of this version. You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions. What's New in GnuPG 1.4.20 ========================== * Reject signatures made using the MD5 hash algorithm unless the new option --allow-weak-digest-algos or --pgp2 are given. * New option --weak-digest to specify hash algorithms which should be considered weak. * Changed default cipher for symmetric-only encryption to AES-128. * Fix for DoS when importing certain garbled secret keys. * Improved error reporting for secret subkey w/o corresponding public subkey. * Improved error reporting in decryption due to wrong algorithm. * Fix cluttering of stdout with trustdb info in double verbose mode. * Pass a DBUS envvar to gpg-agent for use by gnome-keyring. Getting the Software ==================== Please follow the instructions found at https://gnupg.org/download/ or read on: GnuPG 1.4.20 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at https://gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org. On ftp.gnupg.org you find these files: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.bz2 (3606k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.bz2.sig This is the GnuPG 1.4.20 source code compressed using BZIP2 and its OpenPGP signature. ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.gz (5036k) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.20.tar.gz.sig This is the same GnuPG 1.4.20 source code compressed using GZIP and its OpenPGP signature. ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.20.exe (2359k) ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.20.exe.sig This is GnuPG 1.4.20 compiled for Microsoft Windows and its OpenPGP signature. This is a command line only version; the source files are the same as above. Note, that this is a minimal installer and unless you are only in need for the simple the gpg binary, you are better off using the full featured installer at https://www.gpg4win.org . To download the files via https use these URLs: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.bz2 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.bz2.sig https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.gz https://gnupg.org/ftp/gcrypt/gnupg/gnupg-1.4.20.tar.gz.sig https://gnupg.org/ftp/gcrypt/binary/gnupg-w32cli-1.4.20.exe https://gnupg.org/ftp/gcrypt/binary/gnupg-w32cli-1.4.20.exe.sig Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-1.4.20.tar.bz2 you would use this command: gpg --verify gnupg-1.4.20.tar.bz2.sig gnupg-1.4.20.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-1.4.20.tar.bz2, you would run the command like this: sha1sum gnupg-1.4.20.tar.bz2 and check that the output matches the first line from the following list: cbc9d960e3d8488c32675019a79fbfbf8680387e gnupg-1.4.20.tar.bz2 359e464bcabbe370696e3dba45a1d63968c06ab3 gnupg-1.4.20.tar.gz 8f0c4760c9f38102f64a156744ec8a428298b92d gnupg-w32cli-1.4.20.exe Release Signing Keys ==================== To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048/E0856959 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31] Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9 Werner Koch (Release Signing Key) You may retrieve these files from the keyservers using this command gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \ 2071B08A33BD3F06 8A861B1C7EFD60D9 The keys are also available at https://gnupg.org/signature_key.html . Note that this mail has been signed using my standard PGP key. Support ======== Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . For commercial support requests we keep a list of known service companies at: https://gnupg.org/service.html If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Maintenance and development of GnuPG is mostly financed by donations. As of today we employ 3 full-time developers, one part-timer, and one contractor. They all work on GnuPG and closely related software like Enigmail. Please see https://gnupg.org/donate/ on how you can help. Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, answering questions on the mailing lists, and donating money. For the GnuPG hackers, Werner p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users at gnupg.org mailing list. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 180 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From samir at samirnassar.com Sun Dec 20 21:50:09 2015 From: samir at samirnassar.com (Samir Nassar) Date: Sun, 20 Dec 2015 21:50:09 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <000601d13b0b$16f72630$44e57290$@on.yourweb.de> References: <000601d13b0b$16f72630$44e57290$@on.yourweb.de> Message-ID: <1545089.7T55mq9Y1A@lathe> On Sunday 20 December 2015 10:44:58 gnupgpacker wrote: > But if using GPGrelay 0.9.6, while starting it displays attached error > message. There seems to be a different key storing location or key format > between 1.4x and 2.1x versions, isn't it? This is not about the key format. It appears that GPGRelay uses the GPG public keyring directly. They keyring format changed from 1.4 to 2.1. > How to supply keys for GPGrelay in 1.4x format? Is there any way to export > it from Kleopatra? Correct location? I suggest filing a bug with the GPGRelay project to support newer versions of GnuPG. -- Samir Nassar samir at samirnassar.com https://samirnassar.com From gnupgpacker at on.yourweb.de Mon Dec 21 11:33:25 2015 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Mon, 21 Dec 2015 11:33:25 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... Message-ID: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> Thanks for answer. It seems GPGrelay is not longer maintained by its developers but is still working with a charme if gpg.exe 1.4x is used. So, how to work around and supply keys to GPGrelay even if using gpg version 2 and up? Regards, Chris http://sites.inka.de/tesla/gpgrelay.html http://is.gd/c4duwS (Sourceforge) From peter at digitalbrains.com Mon Dec 21 11:43:33 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 21 Dec 2015 11:43:33 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> Message-ID: <5677D7D5.4010205@digitalbrains.com> On 21/12/15 11:33, gnupgpacker wrote: > So, how to work around and supply keys to GPGrelay even if using gpg version > 2 and up? Install GnuPG 1.4 alongside 2.1 and manually sync all keys from GnuPG 2.1 to 1.4, with for instance: $ gpg2 --export | gpg --import I'm not sure how large the overhead is when you sync all keys everytime you get a new key... GnuPG will figure out that it already has the keys, but it will inspect all signatures to see if it already has them and stuff like that, so it might have quite some overhead that way. The obvious alternative is to import with both GnuPG versions every time you import a new key. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From gnupgpacker at on.yourweb.de Mon Dec 21 11:53:13 2015 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Mon, 21 Dec 2015 11:53:13 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... Message-ID: <004a01d13bdd$ca44e920$5ecebb60$@on.yourweb.de> Thanks for hint, that would be a distress way. But it seems to be limited to v1.4x supported keys only. What will happen, if v1.4x tries to import gpg-2.x keys with elevated features? Regards, Chris From perillamint at gentoo.moe Mon Dec 21 10:28:47 2015 From: perillamint at gentoo.moe (perillamint) Date: Mon, 21 Dec 2015 18:28:47 +0900 Subject: gpgkey2ssh and Ed25519 key Message-ID: <5677C64F.1090609@gentoo.moe> Hello, I'm having trouble setting up ssh auth using Ed25519 key. I tries to convert it using gpgkey2ssh and it returns Unsupported algorithm: 22 Is there any version of gpgkey2ssh or other tool which allows converting ed25519 pubkey for ssh use? From neal at walfield.org Mon Dec 21 15:12:23 2015 From: neal at walfield.org (Neal H. Walfield) Date: Mon, 21 Dec 2015 15:12:23 +0100 Subject: gpgkey2ssh and Ed25519 key In-Reply-To: <5677C64F.1090609@gentoo.moe> References: <5677C64F.1090609@gentoo.moe> Message-ID: <87si2vyjp4.wl-neal@walfield.org> Hi, On Mon, 21 Dec 2015 10:28:47 +0100, perillamint wrote: > I'm having trouble setting up ssh auth using Ed25519 key. > > I tries to convert it using gpgkey2ssh and it returns > > Unsupported algorithm: 22 > > Is there any version of gpgkey2ssh or other tool which allows converting > ed25519 pubkey for ssh use? gpgkey2ssh has been decprecated for a while. In fact, it was only intended as a debugging aid. (See https://bugs.gnupg.org/gnupg/issue1610) Thanks, :) Neal From samir at samirnassar.com Mon Dec 21 17:08:12 2015 From: samir at samirnassar.com (Samir Nassar) Date: Mon, 21 Dec 2015 17:08:12 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <004a01d13bdd$ca44e920$5ecebb60$@on.yourweb.de> References: <004a01d13bdd$ca44e920$5ecebb60$@on.yourweb.de> Message-ID: <1710583.aL8eVhATi7@lathe> On Monday 21 December 2015 11:53:13 gnupgpacker wrote: > Thanks for hint, that would be a distress way. > But it seems to be limited to v1.4x supported keys only. > What will happen, if v1.4x tries to import gpg-2.x keys with elevated > features? The features are part of GnuPG 2.x and not part of the keys themselves. YOu can import and export OpenPGP keys freely between Gnupg 1.4 and 2.x and 2.1. The only thing you cannot do is freely re-use the keystore. -- Samir Nassar samir at samirnassar.com https://samirnassar.com From gniibe at fsij.org Tue Dec 22 01:06:18 2015 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 22 Dec 2015 00:06:18 +0000 Subject: gpgkey2ssh and Ed25519 key In-Reply-To: <5677C64F.1090609@gentoo.moe> References: <5677C64F.1090609@gentoo.moe> Message-ID: <567893FA.7040105@fsij.org> On 12/21/2015 09:28 AM, perillamint wrote: > I'm having trouble setting up ssh auth using Ed25519 key. When you configure your gpg-agent properly (for your key), you can use the SSH tool of ssh-add with option -L to show your public key in SSH format. Thank you for using new feature. I know that gpgkey2ssh is still useful in some cases, but I think that you don't need it because we can use 'ssh-add -L'. Here is an example session to configure GnuPG for Ed25519 key. In this example, I'm adding an authentication subkey for me. Here we go. I invoke gpg 2.1.x with --edit-key option specifying my name. An option of --expert is required for Ed25519 key, since it's not yet in the OpenPGP standard. $ gpg2 --expert --edit-key gniibe gpg (GnuPG) 2.1.10; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec rsa2048/4CA7BABE created: 2010-10-15 expires: never usage: SC card-no: F517 00000001 trust: ultimate validity: ultimate ssb rsa2048/084239CF created: 2010-10-15 expires: never usage: E card-no: F517 00000001 ssb rsa2048/5BB065DC created: 2010-10-22 expires: never usage: A card-no: F517 00000001 [ultimate] (1). NIIBE Yutaka [ultimate] (2) NIIBE Yutaka These are my keys (on smartcard, in this case). I'm adding a subkey of Ed25519 by the subcommand of "addkey". gpg> addkey Secret parts of primary key are stored on-card. Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key Your selection? 11 I select "(11) ECC (set your own capabilities)" for authentication key. Then, put the capability of "Authenticate"... Possible actions for a ECDSA key: Sign Authenticate Current allowed actions: Sign (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? s Removed "Sign" capability, by typing "s" and RETURN. Possible actions for a ECDSA key: Sign Authenticate Current allowed actions: (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? a Added "Authenticate" capability, by typing "a" and RETURN. Possible actions for a ECDSA key: Sign Authenticate Current allowed actions: Authenticate (S) Toggle the sign capability (A) Toggle the authenticate capability (Q) Finished Your selection? q Done (by typing "q" and RETURN). Then, selection of the Curve... Please select which elliptic curve you want: (1) Curve 25519 (2) NIST P-256 (3) NIST P-384 (4) NIST P-521 (5) Brainpool P-256 (6) Brainpool P-384 (7) Brainpool P-512 Your selection? 1 I selected "(1) Curve 25519" by typing "1" and RETURN. The name would be confusing, but this is the curve for Ed25519. gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard. Use this curve anyway? (y/N) y Yup, we know. Confirmed by typing "y" and RETURN. Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y Really create? (y/N) y Answered "y", more times. Then, I was asked for passphrase (two times, not shown). I inputted it by pinentry. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. sec rsa2048/4CA7BABE created: 2010-10-15 expires: never usage: SC card-no: F517 00000001 trust: ultimate validity: ultimate ssb rsa2048/084239CF created: 2010-10-15 expires: never usage: E card-no: F517 00000001 ssb rsa2048/5BB065DC created: 2010-10-22 expires: never usage: A card-no: F517 00000001 ssb ed25519/9E350F4D created: 2015-12-21 expires: never usage: A [ultimate] (1). NIIBE Yutaka [ultimate] (2) NIIBE Yutaka OK, I have the subkey of ed25519/9E350F4D. Good. gpg> save Saved. We need the keygrip of this subkey to configure gpg-agent for the SSH key. I invoke the gpg to see the keygrip: $ gpg2 --with-keygrip --list-keys gniibe pub rsa2048/4CA7BABE 2010-10-15 Keygrip = 101DE7B639FE29F4636BDEECF442A9273AFA6565 uid [ultimate] NIIBE Yutaka uid [ultimate] NIIBE Yutaka sub rsa2048/084239CF 2010-10-15 Keygrip = 65F67E742101C7FE6D5B33FCEFCF4F65EAF0688C sub rsa2048/5BB065DC 2010-10-22 Keygrip = 5D6C89682D07CCFC034AF508420BF2276D8018ED sub ed25519/9E350F4D 2015-12-21 Keygrip = 308EB1096486CF3694380875EDC4C2C9973CB000 OK, the keygrip for ed25519/9E350F4D (my Ed25519 key) is: 308EB1096486CF3694380875EDC4C2C9973CB000 I put it in ~/.gnupg/sshcontrol. If done by command-line, it would be: $ echo 308EB1096486CF3694380875EDC4C2C9973CB000 >> ~/.gnupg/sshcontrol Well, I did edit the file by Emacs, though. Then, invoke gpg-connect-agent to reload the file (of sshcontrol). $ gpg-connect-agent RELOADAGENT /bye OK Let's see if gpg-agent knows the new key. I invoke ssh-add -L: $ ssh-add -L ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/XqCK831odBl7Po174AExdRlOcyNSCKfJR18Mrxi8LnKwyjDgGH7Z29Qm4XyZvnLkJvSLcYiSx46iDMWbIYH7w1Or57kp/sUzdlj6clmlV8zklVthppYWpFd+x6Qif9CndRKcPr9S1+tbAIlU5k42RG90XnhEQF1/V3MR01mG0Ey9xBAIoHizZKX5XAjPheVGdDyZERB7Zry3e8kDrU+OjsVTjzq7oXtCE7EwI5c+pBQdF8qfXZC35nAizu0oqQEBne5MsF9ZIBaY/D+hhXVV51oyyCEwNGTr8Ol6KXKK7MWhf16gd0zjulwvO9xH88Q0n1eYur3plH+BZVjXOQPr cardno:F51700000001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3u/YlGa9VfB/QdWCv8hOTonLpEoKoci2pCm/uI/XT7 (none) OK, it is registered now (along with my old RSA key). We can see that it's shorter than the one of RSA. I'm putting this new key to my remote host where I already have my RSA public key. $ ssh-copy-id MY-REMOTE-HOST /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys Number of key(s) added: 1 Now try logging into the machine, with: "ssh '******.****.***'" and check to make sure that only the key(s) you wanted were added. OK, done. My public key of ed25519/9E350F4D is registered onto the ~/.ssh/authorized_key of the remote machine. I'm login-ing into the machine to confirm my new key really works (removing my token which has RSA keys)... gniibe at OrangePI:~$ Yes, I'm using Orange Pi PC these days. -- From guru at unixarea.de Tue Dec 22 13:28:28 2015 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 22 Dec 2015 13:28:28 +0100 Subject: pubring.kbx, no secring? Message-ID: <20151222122828.GA3916@c720-r285885-amd64> Hello, I was using GnuPG v1.x mostly to cipher some private files, i.e. not for mail and information exchange with other. I will now create a new key to use this for mail and move to GnuPG v2.x. I have a short question. I created (until now for test) the key like this: $ gpg2 --version gpg (GnuPG) 2.1.6 libgcrypt 1.6.3 ... $ gpg2 --full-gen-key $ gpg2 --armor --output revoke.asc --gen-revoke guru the list keys show: $ gpg2 --list-secret-keys /home/guru/.gnupg/pubring.kbx ^^^^^^^----------------???? ----------------------------- sec dsa2048/FFEE762B922A6CBB 2015-12-22 uid [ultimate] Matthias Apitz (GnuPGv2) ssb elg2048/6C7E963A56E2D675 2015-12-22 $ gpg2 --list-public-keys /home/guru/.gnupg/pubring.kbx ----------------------------- pub dsa2048/FFEE762B922A6CBB 2015-12-22 uid [ultimate] Matthias Apitz (GnuPGv2) sub elg2048/6C7E963A56E2D675 2015-12-22 and I have the following files: $ find .gnupg .gnupg .gnupg/gpg.conf .gnupg/trustdb.gpg .gnupg/pubring.kbx~ .gnupg/private-keys-v1.d .gnupg/private-keys-v1.d/EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1.key .gnupg/private-keys-v1.d/8FB0DD8249EC4A24E2A73B4721098FCDE815FEBB.key .gnupg/pubring.kbx .gnupg/openpgp-revocs.d .gnupg/openpgp-revocs.d/812E69DC246DB739AE84473BFFEE762B922A6CBB.rev .gnupg/S.gpg-agent .gnupg/revoke.asc Question: Why I do not have a file .gnupg/secring.kbx (as I have had with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d? Thanks matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From neal at walfield.org Tue Dec 22 14:41:24 2015 From: neal at walfield.org (Neal H. Walfield) Date: Tue, 22 Dec 2015 14:41:24 +0100 Subject: pubring.kbx, no secring? In-Reply-To: <20151222122828.GA3916@c720-r285885-amd64> References: <20151222122828.GA3916@c720-r285885-amd64> Message-ID: <87r3iey517.wl-neal@walfield.org> Hi Matthias, On Tue, 22 Dec 2015 13:28:28 +0100, Matthias Apitz wrote: > Question: Why I do not have a file .gnupg/secring.kbx (as I have had > with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d? The short answer is that we are using a new format. Note: GnuPG 2 will automatically migrate keys from secring.kbx to .gnupg/private-keys-v1.d the first time it is run. :) Neal From guru at unixarea.de Tue Dec 22 14:45:59 2015 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 22 Dec 2015 14:45:59 +0100 Subject: pubring.kbx, no secring? In-Reply-To: <87r3iey517.wl-neal@walfield.org> References: <20151222122828.GA3916@c720-r285885-amd64> <87r3iey517.wl-neal@walfield.org> Message-ID: <20151222134559.GA4298@c720-r285885-amd64> El d?a Tuesday, December 22, 2015 a las 02:41:24PM +0100, Neal H. Walfield escribi?: > Hi Matthias, > > On Tue, 22 Dec 2015 13:28:28 +0100, > Matthias Apitz wrote: > > Question: Why I do not have a file .gnupg/secring.kbx (as I have had > > with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d? > > The short answer is that we are using a new format. > > Note: GnuPG 2 will automatically migrate keys from secring.kbx to > .gnupg/private-keys-v1.d the first time it is run. Hi Neal, Just to make sure: there have been no v1.x keys (I move away the old .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d? Thx matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From neal at walfield.org Tue Dec 22 15:03:39 2015 From: neal at walfield.org (Neal H. Walfield) Date: Tue, 22 Dec 2015 15:03:39 +0100 Subject: pubring.kbx, no secring? In-Reply-To: <20151222134559.GA4298@c720-r285885-amd64> References: <20151222122828.GA3916@c720-r285885-amd64> <87r3iey517.wl-neal@walfield.org> <20151222134559.GA4298@c720-r285885-amd64> Message-ID: <87poxyy404.wl-neal@walfield.org> On Tue, 22 Dec 2015 14:45:59 +0100, Matthias Apitz wrote: > El d?a Tuesday, December 22, 2015 a las 02:41:24PM +0100, Neal H. Walfield escribi?: > > > Hi Matthias, > > > > On Tue, 22 Dec 2015 13:28:28 +0100, > > Matthias Apitz wrote: > > > Question: Why I do not have a file .gnupg/secring.kbx (as I have had > > > with v1.x)? And, why are the keys stored in .gnupg/private-keys-v1.d? > > > > The short answer is that we are using a new format. > > > > Note: GnuPG 2 will automatically migrate keys from secring.kbx to > > .gnupg/private-keys-v1.d the first time it is run. > > Hi Neal, > > Just to make sure: there have been no v1.x keys (I move away the old > .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d? I don't really understand your question, but I'll try to answer what I think you are asking: secring is the old format; private-keys-v1.d is the new format. GnuPG 1 doesn't know about the new format; GnuPG 2 only uses the new format, but the first time it is run it will migrate any existing keys from the old format to the new format. :) Neal From guru at unixarea.de Tue Dec 22 15:08:46 2015 From: guru at unixarea.de (Matthias Apitz) Date: Tue, 22 Dec 2015 15:08:46 +0100 Subject: pubring.kbx, no secring? In-Reply-To: <87poxyy404.wl-neal@walfield.org> References: <20151222122828.GA3916@c720-r285885-amd64> <87r3iey517.wl-neal@walfield.org> <20151222134559.GA4298@c720-r285885-amd64> <87poxyy404.wl-neal@walfield.org> Message-ID: <20151222140846.GA4432@c720-r285885-amd64> El d?a Tuesday, December 22, 2015 a las 03:03:39PM +0100, Neal H. Walfield escribi?: > > Just to make sure: there have been no v1.x keys (I move away the old > > .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d? > > I don't really understand your question, but I'll try to answer what I > think you are asking: > > secring is the old format; private-keys-v1.d is the new format. GnuPG > 1 doesn't know about the new format; GnuPG 2 only uses the new format, > but the first time it is run it will migrate any existing keys from > the old format to the new format. I understand the migration of the old v1 keys to a new form/directory; but why the new keys of v2 are stored in a dir private-keys-v1.d and not in a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses people (like me)? matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From neal at walfield.org Tue Dec 22 15:22:42 2015 From: neal at walfield.org (Neal H. Walfield) Date: Tue, 22 Dec 2015 15:22:42 +0100 Subject: pubring.kbx, no secring? In-Reply-To: <20151222140846.GA4432@c720-r285885-amd64> References: <20151222122828.GA3916@c720-r285885-amd64> <87r3iey517.wl-neal@walfield.org> <20151222134559.GA4298@c720-r285885-amd64> <87poxyy404.wl-neal@walfield.org> <20151222140846.GA4432@c720-r285885-amd64> Message-ID: <87oadiy34d.wl-neal@walfield.org> On Tue, 22 Dec 2015 15:08:46 +0100, Matthias Apitz wrote: > > El d?a Tuesday, December 22, 2015 a las 03:03:39PM +0100, Neal H. Walfield escribi?: > > > > Just to make sure: there have been no v1.x keys (I move away the old > > > .gnupg dir), why are the new v2 keys in a dir named .gnupg/private-keys-v1.d? > > > > I don't really understand your question, but I'll try to answer what I > > think you are asking: > > > > secring is the old format; private-keys-v1.d is the new format. GnuPG > > 1 doesn't know about the new format; GnuPG 2 only uses the new format, > > but the first time it is run it will migrate any existing keys from > > the old format to the new format. > > I understand the migration of the old v1 keys to a new form/directory; but > why the new keys of v2 are stored in a dir private-keys-v1.d and not in > a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses > people (like me)? v1 is the version of the format, which is independent of GnuPG's format. I can see how it would be confusing, sorry about that. :) Neal From wk at gnupg.org Tue Dec 22 16:26:48 2015 From: wk at gnupg.org (Werner Koch) Date: Tue, 22 Dec 2015 16:26:48 +0100 Subject: pubring.kbx, no secring? In-Reply-To: <20151222140846.GA4432@c720-r285885-amd64> (Matthias Apitz's message of "Tue, 22 Dec 2015 15:08:46 +0100") References: <20151222122828.GA3916@c720-r285885-amd64> <87r3iey517.wl-neal@walfield.org> <20151222134559.GA4298@c720-r285885-amd64> <87poxyy404.wl-neal@walfield.org> <20151222140846.GA4432@c720-r285885-amd64> Message-ID: <87zix2sdvr.fsf@vigenere.g10code.de> On Tue, 22 Dec 2015 15:08, guru at unixarea.de said: > why the new keys of v2 are stored in a dir private-keys-v1.d and not in > a dir for example private-keys-v2.d; don't you think that such name *v1.d* confuses > people (like me)? You are the first one to comment on this ;-) The new format is actually much older than gnupg 2.1. We use it since about 2003, albeit then only for gpgsm (X.509, S/MIME). Note also that there are actually two changes: private-keys-v1.d/ replaces the secring.gpg and pubring.kbx replaces pubring.gpg. However, we still support the old pubring.gpg format and only create the new pubring.kbx format if no pubring.gpg exists. To make things more complicate, pubring.kbx is used by gpg 2.1 only iff has been created by gpg or if an OpenPGP key has been inserted. Thus for public keys there are theses cases: - Only pubring.kbx: Used by gpgsm and gpg for all keys. - Only pubring.gpg: Used by gpg; if gpgsm creates or imports the first X.509 certificate that will be stored in a newly created pubring.kbx. - pubring.kbx and pubring.gpg but no OpenPGP key in pubring.kbx: The first is used by gpgsm and the latter by gpg. - pubring.kbx and pubring.gpg but with OpenPGP key in pubring.kbx: Only pubring.kbx is used by both, gpg and gpgsm. Now, how can you know whether gpg uses pubring.kbx? There are three ways: The first is to use -v with a key listing and gpg prints the name of the key database. The seconds is $ kbxutil --stats ~/.gnupg/pubring.kbx Total number of blobs: 30 header: 1 empty: 0 openpgp: 5 x509: 3 non flagged: 8 secret flagged: 0 ephemeral flagged: 0 which shows that there are OpenPGP keys, and the third is $ kbxutil ~/.gnupg/pubring.kbx | head | grep Flags Flags: 0002 (openpgp) The flag shows that the pubring.kbx is used for OpenPGP keys. This is actually how gpg decides whether to use pubring.kbx. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From guru at unixarea.de Wed Dec 23 09:23:12 2015 From: guru at unixarea.de (Matthias Apitz) Date: Wed, 23 Dec 2015 09:23:12 +0100 Subject: keysearch fails Message-ID: <20151223082312.GA2833@c720-r285885-amd64> Hello, I can not manage to get a keysearch via dirmngr to work; when I use: $ gpg2 --keyserver pool.sks-keyservers.net --debug 1024 --search xxxx at FreeBSD.org gpg: reading options from '/home/guru/.gnupg/gpg.conf' gpg: enabled debug flags: ipc gpg: DBG: chan_3 <- # Home: /home/guru/.gnupg gpg: DBG: chan_3 <- # Config: /home/guru/.gnupg/dirmngr.conf gpg: DBG: chan_3 <- OK Dirmngr 2.1.6 at your service gpg: DBG: connection to the dirmngr established gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pool.sks-keyservers.net gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KS_SEARCH -- xxxx at FreeBSD.org gpg: DBG: chan_3 <- [eof] gpg: error searching keyserver: End of file gpg: b?squeda del servidor de claves fallida: End of file gpg: DBG: chan_3 -> BYE gpg: secmem usage: 0/32768 bytes in 0 blocks In /var/log/message I see: Dec 23 09:15:09 c720-r285885-amd64 kernel: pid 2809 (dirmngr), uid 1001: exited on signal 6 which perhaps is normal (soemhow the spawned proc must be killed); but a TCPDUMP only shows a lot of PTR requests, see below. No real traffic is to be seen to no server. What I do miss here? matthias 09:15:57.465887 IP 10.42.0.152.26961 > 10.42.0.1.53: 57200+ A? pool.sks-keyservers.net. (41) 09:15:57.698231 IP 10.42.0.1.53 > 10.42.0.152.26961: 57200 10/0/0 A 176.9.51.79, A 193.224.163.43, A 207.237.164.231, A 193.17.17.6, A 85.93.13.183, A 104.236.44.212, A 46.229.47.139, A 223.252.21.101, A 192.71.151.126, A 144.76.120.109 (201) 09:15:57.698443 IP 10.42.0.152.15292 > 10.42.0.1.53: 44337+ AAAA? pool.sks-keyservers.net. (41) 09:15:58.136982 IP 10.42.0.1.53 > 10.42.0.152.15292: 44337 10/0/0 AAAA 2604:a880:800:10::60d:b001, AAAA 2a03:4000:6:202e::1, AAAA 2a01:7a0:1::6, AAAA 2001:470:1f09:1d75::80, AAAA 2a01:4f8:a0:4024::2:0, AAAA 2a01:4f8:150:7142::2, AAAA 2001:41d0:2:a8b4::10, AAAA 2a02:168:4a01::37, AAAA 2604:a880:800:10::688:e001, AAAA 2001:6f8:124e::1 (321) 09:15:58.138270 IP 10.42.0.152.57903 > 10.42.0.1.53: 3651+ PTR? 212.44.236.104.in-addr.arpa. (45) 09:15:58.139749 IP 10.42.0.1.53 > 10.42.0.152.57903: 3651 1/0/0 PTR openpgp.us. (69) 09:15:58.140405 IP 10.42.0.152.49791 > 10.42.0.1.53: 29976+ PTR? 126.151.71.192.in-addr.arpa. (45) 09:15:58.142479 IP 10.42.0.1.53 > 10.42.0.152.49791: 29976 1/0/0 PTR mimir.alderwick.co.uk. (80) 09:15:58.142854 IP 10.42.0.152.20861 > 10.42.0.1.53: 61059+ PTR? 101.21.252.223.in-addr.arpa. (45) 09:15:58.144671 IP 10.42.0.1.53 > 10.42.0.152.20861: 61059 1/0/0 PTR svcs4.riverwillow.net.au. (83) 09:15:58.145031 IP 10.42.0.152.51574 > 10.42.0.1.53: 21456+ PTR? 139.47.229.46.in-addr.arpa. (44) 09:15:58.146670 IP 10.42.0.1.53 > 10.42.0.152.51574: 21456 1/0/0 PTR jarvis.alpha-labs.net. (79) 09:15:58.147016 IP 10.42.0.152.24483 > 10.42.0.1.53: 11392+ PTR? 79.51.9.176.in-addr.arpa. (42) 09:15:58.149302 IP 10.42.0.1.53 > 10.42.0.152.24483: 11392 1/0/0 PTR alita.karotte.org. (73) 09:15:58.149639 IP 10.42.0.152.45716 > 10.42.0.1.53: 51515+ PTR? 183.13.93.85.in-addr.arpa. (43) 09:15:58.150581 IP 10.42.0.1.53 > 10.42.0.152.45716: 51515 1/0/0 PTR host10.slyinvestment.com. (81) 09:15:58.151058 IP 10.42.0.152.31608 > 10.42.0.1.53: 34134+ PTR? 6.17.17.193.in-addr.arpa. (42) 09:15:58.153963 IP 10.42.0.1.53 > 10.42.0.152.31608: 34134 1/0/0 PTR key.ip6.li. (66) 09:15:58.154314 IP 10.42.0.152.37867 > 10.42.0.1.53: 56496+ PTR? 231.164.237.207.in-addr.arpa. (46) 09:15:58.156621 IP 10.42.0.1.53 > 10.42.0.152.37867: 56496 1/0/0 PTR keys.sflc.info. (74) 09:15:58.156959 IP 10.42.0.152.20412 > 10.42.0.1.53: 34648+ PTR? 43.163.224.193.in-addr.arpa. (45) 09:15:58.158943 IP 10.42.0.1.53 > 10.42.0.152.20412: 34648 1/0/0 PTR hufu.ki.iif.hu. (73) 09:15:58.159277 IP 10.42.0.152.46457 > 10.42.0.1.53: 32569+ PTR? 109.120.76.144.in-addr.arpa. (45) 09:15:58.161678 IP 10.42.0.1.53 > 10.42.0.152.46457: 32569 1/0/0 PTR encrypt.to. (69) 09:15:58.162290 IP 10.42.0.152.58716 > 10.42.0.1.53: 61479+ PTR? 0.0.0.0.2.0.0.0.0.0.0.0.0.0.0.0.4.2.0.4.0.a.0.0.8.f.4.0.1.0.a.2.ip6.arpa. (90) 09:15:58.163688 IP 10.42.0.1.53 > 10.42.0.152.58716: 61479 1/0/0 PTR a.keyserver.pki.scientia.net. (132) 09:15:58.164128 IP 10.42.0.152.32231 > 10.42.0.1.53: 26254+ PTR? 1.0.0.e.8.8.6.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa. (90) 09:15:58.166679 IP 10.42.0.1.53 > 10.42.0.152.32231: 26254 0/0/0 (90) 09:15:58.167037 IP 10.42.0.152.15342 > 10.42.0.1.53: 14504+ PTR? 7.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.a.4.8.6.1.0.2.0.a.2.ip6.arpa. (90) 09:15:58.168514 IP 10.42.0.1.53 > 10.42.0.152.15342: 14504 1/0/0 PTR pgpkeys.urown.net. (121) 09:15:58.168872 IP 10.42.0.152.49875 > 10.42.0.1.53: 39926+ PTR? 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.b.8.a.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa. (90) 09:15:58.170820 IP 10.42.0.1.53 > 10.42.0.152.49875: 39926 NXDomain 0/0/0 (90) 09:15:58.171163 IP 10.42.0.152.32030 > 10.42.0.1.53: 45608+ PTR? 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.4.1.7.0.5.1.0.8.f.4.0.1.0.a.2.ip6.arpa. (90) 09:15:58.173415 IP 10.42.0.1.53 > 10.42.0.152.32030: 45608 1/0/0 PTR alita.karotte.org. (121) 09:15:58.173779 IP 10.42.0.152.48813 > 10.42.0.1.53: 38867+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.4.2.1.8.f.6.0.1.0.0.2.ip6.arpa. (90) 09:15:59.037424 IP 10.42.0.1.53 > 10.42.0.152.48813: 38867 FormErr 0/0/0 (90) 09:15:59.037986 IP 10.42.0.152.57139 > 10.42.0.1.53: 19220+ PTR? 0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.7.d.1.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. (90) 09:15:59.043902 IP 10.42.0.1.53 > 10.42.0.152.57139: 19220 NXDomain 0/0/0 (90) 09:15:59.044301 IP 10.42.0.152.52403 > 10.42.0.1.53: 1040+ PTR? 6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.a.7.0.1.0.a.2.ip6.arpa. (90) 09:15:59.053424 IP 10.42.0.1.53 > 10.42.0.152.52403: 1040 1/0/0 PTR key.ip6.li. (114) 09:15:59.053950 IP 10.42.0.152.25246 > 10.42.0.1.53: 33858+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.2.0.2.6.0.0.0.0.0.0.4.3.0.a.2.ip6.arpa. (90) 09:15:59.056508 IP 10.42.0.1.53 > 10.42.0.152.25246: 33858 1/0/0 PTR metalgamer.eu. (117) 09:15:59.057051 IP 10.42.0.152.28425 > 10.42.0.1.53: 31847+ PTR? 1.0.0.b.d.0.6.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.8.0.0.8.8.a.4.0.6.2.ip6.arpa. (90) 09:15:59.058008 IP 10.42.0.1.53 > 10.42.0.152.28425: 31847 1/0/0 PTR openpgp.us. (114) -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From mailinglists at vanwingerde.net Wed Dec 23 00:00:29 2015 From: mailinglists at vanwingerde.net (Jaap van Wingerde) Date: Tue, 22 Dec 2015 23:00:29 +0000 Subject: Problems with ESTEID and gpgsm Message-ID: <20151222230029.0c38449c@jaap.custard.shrl.nl> How can I solve them? jaap at jaap:~$ gpgsm --help gpgsm (GnuPG) 2.0.26 libgcrypt 1.6.3 libksba 1.3.2-unknown ... jaap at jaap:~$ jaap at jaap:~$ /usr/bin/gpgsm -vvvvs txt.txt gpgsm: enabled debug flags: x509 assuan gpgsm: no key usage specified - assuming all usages gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= 39 C0 56 38 84 B2 C1 01 B2 0C 59 ED 40 27 B5 01 93 FF F7 72 gpgsm: no running gpg-agent - starting one gpg-agent[22381]: enabled debug flags: assuan gpgsm: DBG: connection to agent established gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= 31 F0 60 FB CE A5 21 00 E5 68 D2 6C 98 FD ED 9A 12 B1 60 15 gpgsm: certificate is not usable for signing gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= 23 59 EB D7 45 0D 9A 7F F3 25 FD 94 27 7E CC 32 D2 DD 22 53 gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= C5 BD 3D 02 E5 E7 6D D2 75 40 C6 62 D0 B7 47 7C 16 92 67 39 gpgsm: no default signer found gpgsm: error creating signature: General error secmem usage: 0/16384 bytes in 0 blocks jaap at jaap:~$ jaap at jaap:~$ /usr/bin/gpgsm --learn-card gpgsm: enabled debug flags: x509 assuan gpgsm: no running gpg-agent - starting one gpg-agent[22386]: enabled debug flags: assuan gpgsm: DBG: connection to agent established gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3 gnupg-pkcs11-scd[22387.3394275072]: config: debug=1, verbose=1 gnupg-pkcs11-scd[22387.3394275072]: config: pin_cache=-1 gnupg-pkcs11-scd[22387.3394275072]: config: provider: name=esteid, library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, allow_protected=1, cert_is_private=1, private_mask=00000001 gnupg-pkcs11-scd[22387.3394275072]: run_mode: 2 gnupg-pkcs11-scd[22387.3394275072]: crypto: openssl gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider entry version='1.11', pid=22387, reference='esteid', provider_location='/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so', allow_protected_auth=1, mask_private_mode=00000001, cert_is_private=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Adding provider 'esteid'-'/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider Provider 'esteid' manufacturerID 'OpenSC (www.opensc-project.org)' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Provider 'esteid' added rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: Listening to socket '/tmp/gnupg-pkcs11-scd.xWcx6d/agent.S' gnupg-pkcs11-scd[22387]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready gnupg-pkcs11-scd[22387]: chan_6 <- GETINFO socket_name gnupg-pkcs11-scd[22387]: chan_6 -> D /tmp/gnupg-pkcs11-scd.xWcx6d/agent.S gnupg-pkcs11-scd[22387]: chan_6 -> OK gnupg-pkcs11-scd[22387]: chan_6 <- SERIALNO gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387]: chan_6 -> OK gnupg-pkcs11-scd[22387]: chan_6 <- LEARN --force gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffc1c633f48, p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0, token_present=1, pSlotList=0x7ffc1c633e00, pulCount=0x7ffc1c633e08 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600, p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Creating a new session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0xd3ff28 form=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd402f0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000003 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login entry session=0xd3ff10, is_publicOnly=1, readonly=1, user_data=0xd34880, mask_prompt=00000001 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000001, p_slot=0x7ffc1c633858 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15 emulated', serialNumber='N0108352', label='VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0, token_present=1, pSlotList=0x7ffc1c6336f8, pulCount=0x7ffc1c633700 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633708 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633660 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15 emulated', serialNumber='N0108352', label='VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Calling pin_prompt hook for 'VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'VAN WINGERDE,JACOB,35402120120 (' (try 0) gnupg-pkcs11-scd[22387]: chan_6 <- END gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pin_prompt hook return rv=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login C_Login rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login return rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Cannot get token information for provider 'OpenSC (www.opensc-project.org)' slot 1 rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600, p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000003 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1450824309 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_findObjects entry session=0xd3ff10, filter=0x7ffc1c633d10, filter_attrs=1, p_objects=0x7ffc1c633cf0, p_objects_found=0x7ffc1c633cf8 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0xd3ff10, object=13889536, attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffc1c633d00 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0xd40c70 form=0xd402f0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=EE/O=ESTEID (DIGI-ID E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_freeObjectAttributes return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3fef8 form=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0xd3fef0, p_cert_id_issuers_list=0x7ffc1c633f48, p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3e258 form=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fef0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387]: chan_6 -> S APPTYPE PKCS11 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0xd41f30, user_data=0xd34880, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffc1c633e40 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd40140 form=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd41a20, p_session=0xd40150 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0xd40140 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140, certificate_blob=0xd42ce0, *p_certificate_blob_size=0000000000000507 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0xd40140 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd41a20 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificate return gpgsm: error learning card: No inquire callback in IPC secmem usage: 0/16384 bytes in 0 blocks gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0xd44240, ptr=(nil), ad=0xd442a0, idx=0, argl=0, argp=0x7fb4c91f08e3 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=(nil), *max=0000000000000000, certificate_id=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000006d, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK', *max=0000000000000070, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=0xd41ba0, *max=0000000000000070, certificate_id=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0xd41ba0, *max=0000000000000070, token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000006d, sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK', *max=0000000000000070, sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01' gnupg-pkcs11-scd[22387]: chan_6 -> S KEY-FRIEDNLY BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 /C=EE/O=ESTEID (DIGI-ID E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN WINGERDE,JACOB,35402120120 ( gnupg-pkcs11-scd[22387]: chan_6 -> S KEYPAIRINFO BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3e250 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387]: chan_6 -> OK jaap at jaap:~$ gnupg-pkcs11-scd[22387]: chan_6 <- RESTART gnupg-pkcs11-scd[22387]: chan_6 -> OK gnupg-pkcs11-scd[22387.3394275072]: assuan_process failed: Broken pipe gnupg-pkcs11-scd[22387.3357775616]: Cleaning up threads gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_terminate entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating openssl gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_openssl_terminate gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing providers gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider entry reference='esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing provider 'esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Releasing sessions gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd402f0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fcb0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating slotevent gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_terminate entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_terminate return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Marking as uninitialized ^C jaap at jaap:~$ -- Jaap van Wingerde e-mail: 1234567890 at vanwingerde.nl From guru at unixarea.de Wed Dec 23 11:12:30 2015 From: guru at unixarea.de (Matthias Apitz) Date: Wed, 23 Dec 2015 11:12:30 +0100 Subject: keysearch fails In-Reply-To: <20151223082312.GA2833@c720-r285885-amd64> References: <20151223082312.GA2833@c720-r285885-amd64> Message-ID: <20151223101230.GA7885@c720-r285885-amd64> El d?a Wednesday, December 23, 2015 a las 09:23:12AM +0100, Matthias Apitz escribi?: > Hello, > > I can not manage to get a keysearch via dirmngr to work; when I use: > > $ gpg2 --keyserver pool.sks-keyservers.net --debug 1024 --search xxxx at FreeBSD.org > gpg: reading options from '/home/guru/.gnupg/gpg.conf' > gpg: enabled debug flags: ipc > gpg: DBG: chan_3 <- # Home: /home/guru/.gnupg > gpg: DBG: chan_3 <- # Config: /home/guru/.gnupg/dirmngr.conf > gpg: DBG: chan_3 <- OK Dirmngr 2.1.6 at your service > gpg: DBG: connection to the dirmngr established > gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pool.sks-keyservers.net > gpg: DBG: chan_3 <- OK > gpg: DBG: chan_3 -> KS_SEARCH -- xxxx at FreeBSD.org > gpg: DBG: chan_3 <- [eof] > gpg: error searching keyserver: End of file > gpg: b?squeda del servidor de claves fallida: End of file > gpg: DBG: chan_3 -> BYE > gpg: secmem usage: 0/32768 bytes in 0 blocks Seems to be a known bug: $ dirmngr # Home: ~/.gnupg # Config: /home/guru/.gnupg/dirmngr.conf OK Dirmngr 2.1.6 at your service KEYSERVER hkps://hkps.pool.sks-keyservers.net OK KS_SEARCH matthew at FreeBSD.org Assertion failed: (a >= 0 && a < hosttable_size), function sort_hostpool, file ks-engine-hkp.c, line 179. Abort trap (core dumped) https://bugs.gnupg.org/gnupg/issue2107 -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 ?(?ber die DDR)... Und allein dieser Mangel (an Sozialismus) und nichts anderes f?hrte zum Tod. Und wer da nicht trauert, hat kein Herz, und wer da nicht neu anpackt, hat auch keins verdient.? ?(sobre la RDA)... Y solo esta escasez (de socialismo) y no otra cosa, le llev? a la muerte. Y quien no est? de luto, no tiene coraz?n, y quien no se lanza a luchar de nuevo, no se merece coraz?n.?, junge Welt del 3 de octubre 2015, p. 11 From wk at gnupg.org Wed Dec 23 12:12:07 2015 From: wk at gnupg.org (Werner Koch) Date: Wed, 23 Dec 2015 12:12:07 +0100 Subject: keysearch fails In-Reply-To: <20151223082312.GA2833@c720-r285885-amd64> (Matthias Apitz's message of "Wed, 23 Dec 2015 09:23:12 +0100") References: <20151223082312.GA2833@c720-r285885-amd64> Message-ID: <87fuyts9ko.fsf@vigenere.g10code.de> On Wed, 23 Dec 2015 09:23, guru at unixarea.de said: > gpg: DBG: chan_3 <- OK Dirmngr 2.1.6 at your service Please first update to gnupg 2.1.10. > Dec 23 09:15:09 c720-r285885-amd64 kernel: pid 2809 (dirmngr), uid 1001: exited on signal 6 Which probably is SIGABRT which in in turn may indicate that an assert() failed. If this probelm persists with 2.1.10 please rn dirmngr uner a debugger: gdb --args dirmngr -v server Then "run" and enter the commands KEYSERVER --clear hkp://pool.sks-keyservers.net and KS_SEARCH -- xxxx at FreeBSD.org On the signal you should get back to the debugger prompt and so you can print a stack backtrace. If it it indeed an assert you may run dirmngr w/o a debugger and the assert will print the diagnositcs to stderr which you should be able to see. > which perhaps is normal (soemhow the spawned proc must be killed); but a No, dirmngr is started on-the-fly as a daemon. To stop it you either use "pkill dirmngr" or "gpgconf --kill dirmngr". > TCPDUMP only shows a lot of PTR requests, see below. No real traffic is > to be seen to no server. It is resolving the the pool addreses to select one of the servers. With 2.1.10 there are two different resolver libraries in use, entering getinfo dnsinfo on the "dirmngr --server" prompt shows you which one is used. To play with dirmngr it is often easier to use gpg-connect-agent --dimngr -v which enables you to use readline and some other goodies. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Wed Dec 23 12:15:31 2015 From: wk at gnupg.org (Werner Koch) Date: Wed, 23 Dec 2015 12:15:31 +0100 Subject: Problems with ESTEID and gpgsm In-Reply-To: <20151222230029.0c38449c@jaap.custard.shrl.nl> (Jaap van Wingerde's message of "Tue, 22 Dec 2015 23:00:29 +0000") References: <20151222230029.0c38449c@jaap.custard.shrl.nl> Message-ID: <87bn9hs9f0.fsf@vigenere.g10code.de> On Wed, 23 Dec 2015 00:00, mailinglists at vanwingerde.net said: > gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3 You are using some modified version of GnuPG's scdaemon. Please ask the author of that version for help. The parts of GnuPG all belong together and it is in general not a good idea to exchange one of the coomponents. The APIs used between the GnuPG componentes are not stable between versions. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From mailinglists at vanwingerde.nl Wed Dec 23 12:23:00 2015 From: mailinglists at vanwingerde.nl (Jaap van Wingerde) Date: Wed, 23 Dec 2015 11:23:00 +0000 Subject: Problems with ESTEID and gpgsm Message-ID: <20151223112300.0502bef1@jaap.custard.shrl.nl> How can I solve them? jaap at jaap:~$ gpgsm --help gpgsm (GnuPG) 2.0.26 libgcrypt 1.6.3 libksba 1.3.2-unknown ... jaap at jaap:~$ jaap at jaap:~$ /usr/bin/gpgsm -vvvvs txt.txt gpgsm: enabled debug flags: x509 assuan gpgsm: no key usage specified - assuming all usages gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= 39 C0 56 38 84 B2 C1 01 B2 0C 59 ED 40 27 B5 01 93 FF F7 72 gpgsm: no running gpg-agent - starting one gpg-agent[22381]: enabled debug flags: assuan gpgsm: DBG: connection to agent established gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: certificate is not usable for signing gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= 31 F0 60 FB CE A5 21 00 E5 68 D2 6C 98 FD ED 9A 12 B1 60 15 gpgsm: certificate is not usable for signing gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= 23 59 EB D7 45 0D 9A 7F F3 25 FD 94 27 7E CC 32 D2 DD 22 53 gpgsm: DBG: get_keygrip for public key gpgsm: DBG: keygrip= C5 BD 3D 02 E5 E7 6D D2 75 40 C6 62 D0 B7 47 7C 16 92 67 39 gpgsm: no default signer found gpgsm: error creating signature: General error secmem usage: 0/16384 bytes in 0 blocks jaap at jaap:~$ jaap at jaap:~$ /usr/bin/gpgsm --learn-card gpgsm: enabled debug flags: x509 assuan gpgsm: no running gpg-agent - starting one gpg-agent[22386]: enabled debug flags: assuan gpgsm: DBG: connection to agent established gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3 gnupg-pkcs11-scd[22387.3394275072]: config: debug=1, verbose=1 gnupg-pkcs11-scd[22387.3394275072]: config: pin_cache=-1 gnupg-pkcs11-scd[22387.3394275072]: config: provider: name=esteid, library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, allow_protected=1, cert_is_private=1, private_mask=00000001 gnupg-pkcs11-scd[22387.3394275072]: run_mode: 2 gnupg-pkcs11-scd[22387.3394275072]: crypto: openssl gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider entry version='1.11', pid=22387, reference='esteid', provider_location='/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so', allow_protected_auth=1, mask_private_mode=00000001, cert_is_private=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Adding provider 'esteid'-'/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider Provider 'esteid' manufacturerID 'OpenSC (www.opensc-project.org)' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Provider 'esteid' added rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: Listening to socket '/tmp/gnupg-pkcs11-scd.xWcx6d/agent.S' gnupg-pkcs11-scd[22387]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready gnupg-pkcs11-scd[22387]: chan_6 <- GETINFO socket_name gnupg-pkcs11-scd[22387]: chan_6 -> D /tmp/gnupg-pkcs11-scd.xWcx6d/agent.S gnupg-pkcs11-scd[22387]: chan_6 -> OK gnupg-pkcs11-scd[22387]: chan_6 <- SERIALNO gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387]: chan_6 -> OK gnupg-pkcs11-scd[22387]: chan_6 <- LEARN --force gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffc1c633f48, p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0, token_present=1, pSlotList=0x7ffc1c633e00, pulCount=0x7ffc1c633e08 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600, p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Creating a new session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0xd3ff28 form=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd402f0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000003 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login entry session=0xd3ff10, is_publicOnly=1, readonly=1, user_data=0xd34880, mask_prompt=00000001 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000001, p_slot=0x7ffc1c633858 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15 emulated', serialNumber='N0108352', label='VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0, token_present=1, pSlotList=0x7ffc1c6336f8, pulCount=0x7ffc1c633700 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633708 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633660 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15 emulated', serialNumber='N0108352', label='VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Calling pin_prompt hook for 'VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'VAN WINGERDE,JACOB,35402120120 (' (try 0) gnupg-pkcs11-scd[22387]: chan_6 <- END gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pin_prompt hook return rv=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login C_Login rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login return rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Cannot get token information for provider 'OpenSC (www.opensc-project.org)' slot 1 rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600, p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000003 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1450824309 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_findObjects entry session=0xd3ff10, filter=0x7ffc1c633d10, filter_attrs=1, p_objects=0x7ffc1c633cf0, p_objects_found=0x7ffc1c633cf8 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0xd3ff10, object=13889536, attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffc1c633d00 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0xd40c70 form=0xd402f0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=EE/O=ESTEID (DIGI-ID E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_freeObjectAttributes return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3fef8 form=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0xd3fef0, p_cert_id_issuers_list=0x7ffc1c633f48, p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3e258 form=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fef0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387]: chan_6 -> S APPTYPE PKCS11 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0xd41f30, user_data=0xd34880, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffc1c633e40 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd40140 form=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd41a20, p_session=0xd40150 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0xd40140 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140, certificate_blob=0xd42ce0, *p_certificate_blob_size=0000000000000507 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0xd40140 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd41a20 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificate return gpgsm: error learning card: No inquire callback in IPC secmem usage: 0/16384 bytes in 0 blocks gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0xd44240, ptr=(nil), ad=0xd442a0, idx=0, argl=0, argp=0x7fb4c91f08e3 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=(nil), *max=0000000000000000, certificate_id=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000006d, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK', *max=0000000000000070, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=0xd41ba0, *max=0000000000000070, certificate_id=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0xd41ba0, *max=0000000000000070, token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000006d, sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK', *max=0000000000000070, sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01' gnupg-pkcs11-scd[22387]: chan_6 -> S KEY-FRIEDNLY BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 /C=EE/O=ESTEID (DIGI-ID E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN WINGERDE,JACOB,35402120120 ( gnupg-pkcs11-scd[22387]: chan_6 -> S KEYPAIRINFO BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3e250 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387]: chan_6 -> OK jaap at jaap:~$ gnupg-pkcs11-scd[22387]: chan_6 <- RESTART gnupg-pkcs11-scd[22387]: chan_6 -> OK gnupg-pkcs11-scd[22387.3394275072]: assuan_process failed: Broken pipe gnupg-pkcs11-scd[22387.3357775616]: Cleaning up threads gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_terminate entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating openssl gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_openssl_terminate gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing providers gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider entry reference='esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing provider 'esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Releasing sessions gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd402f0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fcb0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating slotevent gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_terminate entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_terminate return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Marking as uninitialized ^C jaap at jaap:~$ -- Jaap van Wingerde e-mail: 1234567890 at vanwingerde.nl From guru at unixarea.de Wed Dec 23 18:54:07 2015 From: guru at unixarea.de (Matthias Apitz) Date: Wed, 23 Dec 2015 18:54:07 +0100 Subject: signing mails with MUA mutt fails Message-ID: <20151223175407.GA4804@c720-r285885-amd64> Hello, To sign mails one configure in the MUA the command in the following form: gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f where %a is the actual user and %f the mail attachment to be signed; it does not work and I digged into this; this works as it should: $ gpg2 --output - --armor --sign --detach-sign -u guru msg.asc Please enter the passphrase to unlock the OpenPGP secret key: "Matthias Apitz (GnuPGv2) " 2048-bit DSA key, ID FFEE762B922A6CBB, created 2015-12-22. Passphrase: -----BEGIN PGP SIGNATURE----- iF4EABEIAAYFAlZ63U8ACgkQ/+52K5IqbLuC+wD/RnSo6soMzg0wxTdAFEbD2ykB Yc15kIv7SPBXDoKohvcA/jUN2FNNEhlrrh5B/gAldFyYsJ7ruD5ktPa3b/DfpEP3 =DXMS -----END PGP SIGNATURE----- while this gives an error: $ killall gpg-agent $ echo xxxxxxxx | gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u guru msg.asc gpg: signing failed: gpg: signing failed: Invalid IPC response gpg: signing failed: Invalid IPC response running with --debug gives some kind of error in the communication with the agent: $ killall gpg-agent $ echo xxxxxxxx | gpg2 --debug 1024 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u guru msg.asc gpg: reading options from '/home/guru/.gnupg/gpg.conf' gpg: enabled debug flags: ipc gpg: DBG: chan_7 <- OK Pleased to meet you gpg: DBG: connection to agent established gpg: DBG: chan_7 -> RESET gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> OPTION ttytype=rxvt gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> OPTION display=:0 gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> OPTION xauthority=/tmp/kde-guru/xauth-1001-_0 gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-O4oooGN9t0,guid=4cf4542b4bf772f2892b2ac3567aaf2d gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> OPTION allow-pinentry-notify gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> OPTION agent-awareness=2.1.0 gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> AGENT_ID gpg: DBG: chan_7 <- ERR 67109139 Unknown IPC command gpg: DBG: chan_7 -> HAVEKEY EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1 8FB0DD8249EC4A24E2A73B4721098FCDE815FEBB gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> RESET gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> SIGKEY EF8AE0E0D3D7EBBFA6A0230CD105E0DFC04D9DE1 gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22Matthias+Apitz+(GnuPGv2)+%22%0A2048-bit+DSA+key,+ID+FFEE762B922A6CBB,%0Acreated+2015-12-22.%0A gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> SETHASH 8 B0E553EDE7C732CA26D96C45C32E6143AB642BF28E03217400C893CCB0F14B62 gpg: DBG: chan_7 <- OK gpg: DBG: chan_7 -> PKSIGN gpg: DBG: chan_7 <- INQUIRE PINENTRY_LAUNCHED 4886 gpg: DBG: chan_7 -> END gpg: DBG: chan_7 <- ERR 83886340 Invalid IPC response gpg: signing failed: Invalid IPC response gpg: signing failed: Invalid IPC response gpg: secmem usage: 1568/32768 bytes in 3 blocks What do I miss or do wrong? matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From wk at gnupg.org Wed Dec 23 20:40:24 2015 From: wk at gnupg.org (Werner Koch) Date: Wed, 23 Dec 2015 20:40:24 +0100 Subject: signing mails with MUA mutt fails In-Reply-To: <20151223175407.GA4804@c720-r285885-amd64> (Matthias Apitz's message of "Wed, 23 Dec 2015 18:54:07 +0100") References: <20151223175407.GA4804@c720-r285885-amd64> Message-ID: <87mvt1q7h3.fsf@vigenere.g10code.de> On Wed, 23 Dec 2015 18:54, guru at unixarea.de said: > To sign mails one configure in the MUA the command in the following > form: You should put set crypt_use_gpgme into your ~/.muttrc to use the modern (ie. from ~2003) version of Mutt's crypto layer. it works much better that the bunch of configured commands. > gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f --passphrase-fd 0 does not work with gpg2 (since 2.1) because the gpg-agent is responsible for the private keys and the passphrase to protect them. If you are using an xterm the GUI Pinentry pops up from the background (controlled by the existence of the DISPLAY envvar). If you are using a plain tty, either the curses pinentry or the dump tty only pinentry can be used. The curses pinentry is used part of the GUI pinentry and used if DISPLAY is not set. Take care to set the GPG_TTY envvar (man gpg-agent). If you really need it with 2.1 you may also use the loopback mode which allows to gpg2 for ask for a passphrase in a similar but not indentical way gpg1 and pgp did. Put allow-loopback-pinentry into ~/.gnupg/gpg-agent.conf and restart the agent. Add --pinentry-mode=loopback to the gpg command line. > running with --debug gives some kind of error in the communication with > the agent: > > $ killall gpg-agent > gpg: DBG: chan_7 -> AGENT_ID > gpg: DBG: chan_7 <- ERR 67109139 Unknown IPC command That error is expected: it is a test for the former GNOME gpg-agent replacement. > gpg: DBG: chan_7 <- ERR 83886340 Invalid IPC response > gpg: signing failed: Invalid IPC response Something is wrong with your pinentry. To debug this you add --8<---------------cut here---------------start------------->8--- log-file /foo/bar/gpg-agent.log verbose debug-pinentry debug ipc --8<---------------cut here---------------end--------------->8--- into gpg-agent.conf ("debug ipc" Is the same as "debug 1024") Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From stevehendo34 at gmail.com Wed Dec 23 19:14:11 2015 From: stevehendo34 at gmail.com (stevehendo34) Date: Wed, 23 Dec 2015 11:14:11 -0700 (MST) Subject: gpg: BAD signature from Message-ID: <1450894451876-45427.post@n7.nabble.com> Downloaded armory-bin.tar.gz from arch AUR On Armory site they gave public key text in ASCII format. I saved it to armory_key.txt I imported this public key from armory_key.txt file to my key ring. gpg --list-keys pub rsa4096/98832223 2012-02-28 uid [ unknown] Alan C. Reiner (Offline Signing Key) uid [ unknown] Alan C. Reiner (Armory Signing Key) uid [ unknown] Alan C. Reiner (Armory Signing Key) sub rsa4096/DE6B2D74 2012-02-28 t The also gave signature in ascii and I saved that to armory_sig.txt gpg --verify armory_sig.txt armory-bin.tar.gz gpg: Signature made Sun Jun 7 20:46:36 2015 CDT using RSA key ID 98832223 gpg: BAD signature from "Alan C. Reiner (Offline Signing Key) " [unknown] The key ID 98832223 match whats on their site 0x98832223, and whats on my keyring, but Can you explain what the third line means why (BAD signature)? I am pretty much new to all this stuff! -- View this message in context: http://gnupg.10057.n7.nabble.com/gpg-BAD-signature-from-tp45427.html Sent from the GnuPG - User mailing list archive at Nabble.com. From guru at unixarea.de Wed Dec 23 21:41:50 2015 From: guru at unixarea.de (Matthias Apitz) Date: Wed, 23 Dec 2015 21:41:50 +0100 Subject: signing mails with MUA mutt fails In-Reply-To: <87mvt1q7h3.fsf@vigenere.g10code.de> References: <20151223175407.GA4804@c720-r285885-amd64> <87mvt1q7h3.fsf@vigenere.g10code.de> Message-ID: <20151223204150.GA12119@c720-r285885-amd64> El d?a Wednesday, December 23, 2015 a las 08:40:24PM +0100, Werner Koch escribi?: > On Wed, 23 Dec 2015 18:54, guru at unixarea.de said: > > > To sign mails one configure in the MUA the command in the following > > form: > > You should put > > set crypt_use_gpgme Thanks for that hint! I have had to re-compile the mutt port (on FreeBSD) to get this option to work, but it now works nicely. matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available URL: From pete at heypete.com Wed Dec 23 21:34:51 2015 From: pete at heypete.com (Pete Stephenson) Date: Wed, 23 Dec 2015 15:34:51 -0500 Subject: gpg: BAD signature from In-Reply-To: <1450894451876-45427.post@n7.nabble.com> References: <1450894451876-45427.post@n7.nabble.com> Message-ID: On Wed, Dec 23, 2015 at 1:14 PM, stevehendo34 wrote: > Downloaded armory-bin.tar.gz from arch AUR > > On Armory site they gave public key text in ASCII format. > I saved it to armory_key.txt > I imported this public key from armory_key.txt file to my key ring. > gpg --list-keys > pub rsa4096/98832223 2012-02-28 > uid [ unknown] Alan C. Reiner (Offline Signing Key) > > uid [ unknown] Alan C. Reiner (Armory Signing Key) > > uid [ unknown] Alan C. Reiner (Armory Signing Key) > > sub rsa4096/DE6B2D74 2012-02-28 > t > > The also gave signature in ascii and I saved that to armory_sig.txt > gpg --verify armory_sig.txt armory-bin.tar.gz > gpg: Signature made Sun Jun 7 20:46:36 2015 CDT using RSA key ID 98832223 > gpg: BAD signature from "Alan C. Reiner (Offline Signing Key) > " [unknown] > > The key ID 98832223 match whats on their site 0x98832223, and whats on my > keyring, but > Can you explain what the third line means why (BAD signature)? > > I am pretty much new to all this stuff! Hi Steve, Welcome! The error means that the data you downloaded doesn't match the data that was originally signed by the author. It's possible this could be due to an error by the signer, a transmission error over the internet, or intentional tampering. Cheers! -Pete -- Pete Stephenson From wub at partyvan.eu Thu Dec 24 04:29:09 2015 From: wub at partyvan.eu (Juuso Lapinlampi) Date: Thu, 24 Dec 2015 03:29:09 +0000 (UTC) Subject: New GnuPG FTP mirror: mirror.se.partyvan.eu Message-ID: <17093789854478232448.enqueue@partyvan.eu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi gnupg-users. I noticed the FTP Mirrors page [1] is outdated. Many mirrors are dead, some have not existed for perhaps years. The fair amount of confusion that came from that page made me initially delay with the decision to host a new mirror - I wasn't sure where to start. Sunet announced to decommission last year, although it still seems to be available and syncing. ftp.jyu.fi may have been merged with ftp.funet.fi, although I couldn't find GnuPG to be hosted on Funet's FTP server. This led me to believe there is no active GnuPG mirror available in Sweden/Finland, so I have setup one for GnuPG on our mirror server in Stockholm, Sweden. This mirror server is connected to a 1 Gbps connection at AS42708 Portlane AB. - - ftp: n/a - - http: http://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/ - - https: https://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/ - - onion: http://tpvj6abq225m5pcf.onion/pub/ftp.gnupg.org/gcrypt/ - - rsync: rsync://mirror.se.partyvan.eu/pub/ftp.gnupg.org/gcrypt/ I've setup syncing to happen from ftp.gnupg.org over rsync daily at 12:00.[2] This happened to be the closest available rsync server right now, excluding ftp.sunet.se which's future seems uncertain. If interested, I can setup syncing to happen more frequently too, e.g. twice or four times a day. [1]: https://www.gnupg.org/download/mirrors.html [2]: https://partyvan.eu/transparency/config/cron/tabs/rsync - -- Juuso Lapinlampi Partyvan -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJWe2ZIAAoJEJiZcbKmt69LwiQP/RO/FC/SBgpUbq6K5gpkpekw YiGqU1jRPleUEJNPjR+8mwWCdYjY6hFZ6bB47BsUjlDnttUIEZzQsP4sc2UW3neU JdXJgZ7LEJ9UDH98X9VO272W9zHBO68RlaB16QTOT/6Vc4SzlEyz540tzwx+7IU6 SiquT/wKiBkUstgusTstX/Kh+MZ9Tr2MJWffzJKCCH8+NHUm8cJbjshFKSLmjjLA r7h1Uyqim9bSwEo2Epco0edyDtaqg5ON+dN7rV9cmnNtMQhvfKc9kTLRovQiFX23 3wDDYJnnaxphIrg5QjZOTGHtKbeOIxQXe52gje51ikr67P9742M+bBjnLOtXjlC8 7ad7dp4/sMhO9btV8i26UCt1BgZG5RLRdhCtbYfF4QNUvlrVrb3m3ZKcwwlYD/wb OhBwX/ejTEtRg7MCLGNQmuVc2UKrgaaCQ4itT06S49yEGZ0QnbblADGBciw1+vnV cNHoL5npPQIlM7jatO32VpdHb5FsoCye4bs3t9/nIoyEGpAYrLDA/AFRffXCAXNl FAGTRbGkkeU1mqzfTVfIt4Ia5rUCMjSnYwlekzzDgFZaP49QymZ9ScOqXfubxoLX SPRCFpDawg3nMvng/kX7e+P8P0PyP/bxSW4dzyRi99D2IzfzoSPRON4M43uSJAYl ZMkZ6xBoU2svrqKUsiq1 =HRNJ -----END PGP SIGNATURE----- From guru at unixarea.de Thu Dec 24 09:15:46 2015 From: guru at unixarea.de (Matthias Apitz) Date: Thu, 24 Dec 2015 09:15:46 +0100 Subject: signing mails with MUA mutt fails In-Reply-To: <87mvt1q7h3.fsf@vigenere.g10code.de> References: <20151223175407.GA4804@c720-r285885-amd64> <87mvt1q7h3.fsf@vigenere.g10code.de> Message-ID: <20151224081546.GA2465@c720-r285885-amd64> El d?a Wednesday, December 23, 2015 a las 08:40:24PM +0100, Werner Koch escribi?: > On Wed, 23 Dec 2015 18:54, guru at unixarea.de said: > > > To sign mails one configure in the MUA the command in the following > > form: > > You should put > > set crypt_use_gpgme > > into your ~/.muttrc to use the modern (ie. from ~2003) version of Mutt's > crypto layer. it works much better that the bunch of configured commands. > > > gpg2 --batch --output - --passphrase-fd 0 --armor --sign --detach-sign --textmode -u %a %f > > --passphrase-fd 0 > > does not work with gpg2 (since 2.1) because the gpg-agent is responsible > for the private keys and the passphrase to protect them. If you are > using an xterm the GUI Pinentry pops up from the background (controlled > by the existence of the DISPLAY envvar). If you are using a plain tty, > either the curses pinentry or the dump tty only pinentry can be used. > The curses pinentry is used part of the GUI pinentry and used if DISPLAY > is not set. Take care to set the GPG_TTY envvar (man gpg-agent). > ... As I said, it works very well; only pinentry is not popping up as an X application (which I do not want either); a ps shows: $ ps ax | egrep 'gnu|pin|mutt' 2374 - Ss 0:00,01 gpg-agent --homedir /home/guru/.gnupg --use-standard-socket --daemon 2392 - S 0:00,03 pinentry --display :0 (pinentry-tty) 2394 1 S+ 0:00,00 egrep gnu|pin|mutt 2354 3 S+ 0:00,23 mutt and of course, I have DISPLAY=:0 in my env; I only wanted to mention this for the records; for me it is fine; matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 ?(?ber die DDR)... Und allein dieser Mangel (an Sozialismus) und nichts anderes f?hrte zum Tod. Und wer da nicht trauert, hat kein Herz, und wer da nicht neu anpackt, hat auch keins verdient.? ?(sobre la RDA)... Y solo esta escasez (de socialismo) y no otra cosa, le llev? a la muerte. Y quien no est? de luto, no tiene coraz?n, y quien no se lanza a luchar de nuevo, no se merece coraz?n.?, junge Welt del 3 de octubre 2015, p. 11 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available URL: From guru at unixarea.de Thu Dec 24 17:02:54 2015 From: guru at unixarea.de (Matthias Apitz) Date: Thu, 24 Dec 2015 17:02:54 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' Message-ID: <20151224160254.GA2153@c720-r285885-amd64> Hello, I do not fully understand why some 4 random words like Correct, horse! Battery staple! is a better passphrase like, for example Und allein dieser Mangel und nichts anderes f?hrte zum Tod. i.e. some phrasing which could be memorized better? matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From peter at digitalbrains.com Thu Dec 24 17:50:47 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 24 Dec 2015 17:50:47 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> Message-ID: <567C2267.6040108@digitalbrains.com> Hello, > Correct, horse! Battery staple! My understanding is that these words in such a passphrase are chosen by a random number generator in a computer. I use such a passphrase; I've let my computer pick words out of a word list based on reading /dev/random; or actually, I'm fairly sure I used GnuPG to generate the randomness. I didn't let it generate four words; I let it generate a few more until some combination of four words emerged that I could somehow memorize. It is not a phrase, it is non-grammatical, it just has something to it that makes it such that I can remember. The amount of entropy each word contains is close to the amount of choice there is in picking a word from the word list; i.e., base-2 log of the number of words in the word list if you express it in bits. > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. This is grammatical. There is a subject (or two), a verb, an.. well whatever those things are like "zum Tod", I don't often discuss grammar in any other language than Dutch so I forgot the technical terms. Furthermore, the phrase actually makes sense semantically. I don't know if somebody ever said or wrote it; that would make it even worse, since a passphrase cracker could try sentences from a corpus of likely texts it has scoured from the internet. It has grammar, it has semantics, it has a proper meaning. All these things go at the expense of its entropy. Whereas a few words that only make enough sense to be memorizable have loads of entropy, as the cartoon expresses. "Memorizability" is not easily quantified when you write a password cracker. It's almost a Turing test in a way. What you want to avoid is that there is a a pattern that a password cracker can look for. Replacing an i with a 1 (one) is a horribly little amount of extra entropy that serves more to make it difficult for you than that one little extra try that a password cracker has to do matters. > i.e. some phrasing which could be memorized better? I don't think I can ever make myself forget Correct horse, battery staple! :) HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From lopaki at gmail.com Thu Dec 24 17:16:59 2015 From: lopaki at gmail.com (Scott Lambdin) Date: Thu, 24 Dec 2015 11:16:59 -0500 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> Message-ID: My boss told me to pick an 8 word sentence and use the initials. I chose the my favorite line from my fan fiction: "Put All Star Ships Where Only Romulans Dwell" and he fired me. On Thu, Dec 24, 2015 at 11:02 AM, Matthias Apitz wrote: > > Hello, > > I do not fully understand why some 4 random words like > > Correct, horse! Battery staple! > > is a better passphrase like, for example > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. > > i.e. some phrasing which could be memorized better? > > matthias > -- > Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? > +49-176-38902045 > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Eat like you give a damn. Go vegan. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ineiev at gnu.org Fri Dec 25 06:19:37 2015 From: ineiev at gnu.org (Ineiev) Date: Fri, 25 Dec 2015 00:19:37 -0500 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <567C2267.6040108@digitalbrains.com> References: <20151224160254.GA2153@c720-r285885-amd64> <567C2267.6040108@digitalbrains.com> Message-ID: <20151225051936.GB1448@gnu.org> Hello, On Thu, Dec 24, 2015 at 05:50:47PM +0100, Peter Lebbing wrote: > > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. > > This is grammatical. There is a subject (or two), a verb, an.. well > whatever those things are like "zum Tod", I don't often discuss grammar > in any other language than Dutch so I forgot the technical terms. > Furthermore, the phrase actually makes sense semantically. I don't know > if somebody ever said or wrote it; that would make it even worse, since > a passphrase cracker could try sentences from a corpus of likely texts > it has scoured from the internet. > > It has grammar, it has semantics, it has a proper meaning. All these > things go at the expense of its entropy. I assume the amount of entropy is what really matters. for instance, if on every next step you are free to choose any of 4 random words taken from 60000-word dictionary, you may put it in a grammatically correct form[*], then you must get a certain entropy per step. * Depending on the language, there may be more than one correct form (past, future, plural, first or second person, modified with a preposition...), but this randomness is hard to ensure. From peter at digitalbrains.com Fri Dec 25 10:57:06 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 25 Dec 2015 10:57:06 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151225051936.GB1448@gnu.org> References: <20151224160254.GA2153@c720-r285885-amd64> <567C2267.6040108@digitalbrains.com> <20151225051936.GB1448@gnu.org> Message-ID: <567D12F2.7020504@digitalbrains.com> On 25/12/15 06:19, Ineiev wrote: > I assume the amount of entropy is what really matters. for instance, > if on every next step you are free to choose any of 4 random words > taken from 60000-word dictionary, you may put it in a grammatically > correct form[*], then you must get a certain entropy per step. Yes, however, this characterization seems mathematically incorrect. Let's assume one in four words in the dictionary fits the grammar. I hope this concurs broadly with what you assumed. Rather than pick four random words of the full list, and then pick one of those, you pick one out of a quarter of the wordlist size. So that's 2 bits per word you're losing, a lot more than if you were free to pick one of four random words. And there is a lot more structure to the sentence given by Matthias than just its grammatical soundness. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From ineiev at gnu.org Fri Dec 25 16:38:45 2015 From: ineiev at gnu.org (Ineiev) Date: Fri, 25 Dec 2015 10:38:45 -0500 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <567D12F2.7020504@digitalbrains.com> References: <20151224160254.GA2153@c720-r285885-amd64> <567C2267.6040108@digitalbrains.com> <20151225051936.GB1448@gnu.org> <567D12F2.7020504@digitalbrains.com> Message-ID: <20151225153845.GA5951@gnu.org> On Fri, Dec 25, 2015 at 10:57:06AM +0100, Peter Lebbing wrote: > On 25/12/15 06:19, Ineiev wrote: > Let's assume one in four words in the dictionary fits the grammar. I > hope this concurs broadly with what you assumed. Rather than pick four > random words of the full list, and then pick one of those, you pick one > out of a quarter of the wordlist size. Agreed. > So that's 2 bits per word you're losing, a lot more than if you were > free to pick one of four random words. 60000/4 is more than 13 bits; 2 bits is not a lot compared to 13, but the result may be much easier to remember. > And there is a lot more structure > to the sentence given by Matthias than just its grammatical soundness. I see; it's a different issue. From johanw at vulcan.xs4all.nl Fri Dec 25 15:57:14 2015 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 25 Dec 2015 15:57:14 +0100 Subject: MIT Tech Review on user error In-Reply-To: <56731B22.7060603@sixdemonbag.org> References: <56731B22.7060603@sixdemonbag.org> Message-ID: <567D594A.7050002@vulcan.xs4all.nl> On 17-12-2015 21:29, Robert J. Hansen wrote: > http://www.technologyreview.com/news/544516/user-error-compromises-many-encrypted-communication-apps/ Signal assumes TOFU, and warns if the key is changed. That can have a ligitimate reason (new installation), or indicate an attempted mitm attack. Which one it is can not be determined in the application itself. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Fri Dec 25 16:02:38 2015 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri, 25 Dec 2015 16:02:38 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> Message-ID: <567D5A8E.4050604@vulcan.xs4all.nl> On 24-12-2015 17:02, Matthias Apitz wrote: > I do not fully understand why some 4 random words like > > Correct, horse! Battery staple! > > is a better passphrase like, for example > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. I do know that using accented characters might get you into trouble on some keyboards. I remember working somewhere where German keyboards were used but the driver for them was loaded after login. We had to tell the people not to use a z or y in the password to limit the amount of "I can't login" calls to the IT department. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From vedaal at nym.hush.com Fri Dec 25 17:13:15 2015 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 25 Dec 2015 11:13:15 -0500 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151225153845.GA5951@gnu.org> References: <20151224160254.GA2153@c720-r285885-amd64> <567C2267.6040108@digitalbrains.com> <20151225051936.GB1448@gnu.org> <567D12F2.7020504@digitalbrains.com> <20151225153845.GA5951@gnu.org> Message-ID: <20151225161315.A420B401EA@smtp.hushmail.com> If you want a simple random list, look at diceware: http://world.std.com/~reinhold/diceware.html Both the page and the diceware lists are available in many languages, including German vedaal -------------- next part -------------- An HTML attachment was scrubbed... URL: From lachlan at twopif.net Fri Dec 25 17:41:15 2015 From: lachlan at twopif.net (Lachlan Gunn) Date: Fri, 25 Dec 2015 17:41:15 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151225161315.A420B401EA@smtp.hushmail.com> References: <20151224160254.GA2153@c720-r285885-amd64> <567C2267.6040108@digitalbrains.com> <20151225051936.GB1448@gnu.org> <567D12F2.7020504@digitalbrains.com> <20151225153845.GA5951@gnu.org> <20151225161315.A420B401EA@smtp.hushmail.com> Message-ID: I'm a big fan of that list, and for some time I've been meaning to generate a tweaked version that uses binary numbering, having recently needed to generate a passphrase without a dice to hand. Using a coin and rejection sampling isn't too hard, but it's rather annoying to have to throw away 20% of digits. Thanks, Lachlan Le 25 d?c. 2015 17:16, a ?crit : > If you want a simple random list, look at diceware: > > http://world.std.com/~reinhold/diceware.html > > Both the page and the diceware lists are available in many languages, > including German > > > vedaal > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From malte at wk3.org Fri Dec 25 18:21:09 2015 From: malte at wk3.org (malte at wk3.org) Date: Fri, 25 Dec 2015 18:21:09 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> Message-ID: <145106406944.21768.1031069467226354305@solidarity.enteig.net> It's about the randomness/unpredictability/entropy of the passphrase. There are less grammatically correct sentences with 4 words than there are combinations of 4 words in total. So, yes, you can take a sentence that makes sense, but then the whole passphrase has to be longer. There is an estimate of 1.5 bit of entropy per character in natural language. So if you want a passphrase with 60 bits of entropy, it would need to be 40 characters long. You could reach the same strength with 10 random characters (alphanumeric with upper and lower case). In the end it depends what you can remember better and what you can type faster. Sincerely, Malte From guru at unixarea.de Fri Dec 25 18:41:30 2015 From: guru at unixarea.de (Matthias Apitz) Date: Fri, 25 Dec 2015 18:41:30 +0100 Subject: self signing the pub key Message-ID: <20151225174130.GA5083@c720-r285885-amd64> Hello, I read that I should self-sign my pub key, but when I do this after creation, it says: $ LANG=C gpg2 --sign-key Matthias pub rsa2048/AA1EF4741F9046D4 created: 2015-12-25 expires: never usage: SC trust: ultimate validity: ultimate sub rsa2048/D6AD2EFF41863FE4 created: 2015-12-25 expires: never usage: E [ultimate] (1). Matthias Apitz (GnuPG v2) "Matthias Apitz (GnuPG v2) " was already signed by key AA1EF4741F9046D4 Nothing to sign with key AA1EF4741F9046D4 Key not changed so no update needed. What I do wrong? matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 From kloecker at kde.org Fri Dec 25 18:50:07 2015 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Fri, 25 Dec 2015 18:50:07 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> Message-ID: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote: > Hello, > > I do not fully understand why some 4 random words like > > Correct, horse! Battery staple! > > is a better passphrase like, for example > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. > > i.e. some phrasing which could be memorized better? The second sentence is found by search engines (2 hits in DuckDuckGo). Don't use it or any other phrase that's has been published on the internet. A phrase of 4 random words has a high probability that it has not been published on the internet (or anywhere else). The tricky part is that you must never put your 4-random-words phrase into a search engine to check this. Instead of using a 4-random-words phrase you can use a proper sentence with equivalent entropy provided that you do not use a sentence that has been published anywhere. Come up with your own sentence. Ideally come up with a sentence that doesn't make any sense like "The horse was correct. You cannot staple batteries." This phrase might be easier to remember and has a similar entropy as the above mentioned 4-random-words phrase. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From kloecker at kde.org Fri Dec 25 18:54:38 2015 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Fri, 25 Dec 2015 18:54:38 +0100 Subject: self signing the pub key In-Reply-To: <20151225174130.GA5083@c720-r285885-amd64> References: <20151225174130.GA5083@c720-r285885-amd64> Message-ID: <65960159.zdBgcz4ukb@collossus.ingo-kloecker.de> On Friday 25 December 2015 18:41:30 Matthias Apitz wrote: > Hello, > > I read that I should self-sign my pub key, but when I do this after > creation, it says: > > $ LANG=C gpg2 --sign-key Matthias > > pub rsa2048/AA1EF4741F9046D4 > created: 2015-12-25 expires: never usage: SC > trust: ultimate validity: ultimate > sub rsa2048/D6AD2EFF41863FE4 > created: 2015-12-25 expires: never usage: E > [ultimate] (1). Matthias Apitz (GnuPG v2) > > "Matthias Apitz (GnuPG v2) " was already signed by key > AA1EF4741F9046D4 Nothing to sign with key AA1EF4741F9046D4 > > Key not changed so no update needed. > > What I do wrong? You didn't do anything wrong. When you create a new key it is automatically self-signed. A long time ago this was not necessarily the case. Today the above advice is still correct, but probably no longer necessary. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From guru at unixarea.de Fri Dec 25 20:11:03 2015 From: guru at unixarea.de (Matthias Apitz) Date: Fri, 25 Dec 2015 20:11:03 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> References: <20151224160254.GA2153@c720-r285885-amd64> <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> Message-ID: <20151225191103.GA1930@c720-r285885-amd64> El d?a Friday, December 25, 2015 a las 06:50:07PM +0100, Ingo Kl?cker escribi?: > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. > > > > i.e. some phrasing which could be memorized better? > > The second sentence is found by search engines (2 hits in DuckDuckGo). Don't > use it or any other phrase that's has been published on the internet. A phrase > of 4 random words has a high probability that it has not been published on the > internet (or anywhere else). The tricky part is that you must never put your > 4-random-words phrase into a search engine to check this. > > Instead of using a 4-random-words phrase you can use a proper sentence with > equivalent entropy provided that you do not use a sentence that has been > published anywhere. Come up with your own sentence. Ideally come up with a > sentence that doesn't make any sense like "The horse was correct. You cannot > staple batteries." This phrase might be easier to remember and has a similar > entropy as the above mentioned 4-random-words phrase. Ofc, I would not have used this phrase, which is part of my signature :-) This was only an example. I'd have used something from a book or poem which was written before Internet-times and perhaps never published afterwards. Thanks for all hints in this thread. matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 ?(?ber die DDR)... Und allein dieser Mangel (an Sozialismus) und nichts anderes f?hrte zum Tod. Und wer da nicht trauert, hat kein Herz, und wer da nicht neu anpackt, hat auch keins verdient.? ?(sobre la RDA)... Y solo esta escasez (de socialismo) y no otra cosa, le llev? a la muerte. Y quien no est? de luto, no tiene coraz?n, y quien no se lanza a luchar de nuevo, no se merece coraz?n.?, junge Welt del 3 de octubre 2015, p. 11 From gnupg at raf.org Sat Dec 26 00:56:18 2015 From: gnupg at raf.org (gnupg at raf.org) Date: Sat, 26 Dec 2015 10:56:18 +1100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151225191103.GA1930@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> <20151225191103.GA1930@c720-r285885-amd64> Message-ID: <20151225235617.GA16126@raf.org> Matthias Apitz wrote: > El d?a Friday, December 25, 2015 a las 06:50:07PM +0100, Ingo Kl?cker escribi?: > > > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. > > > > > > i.e. some phrasing which could be memorized better? > > > > The second sentence is found by search engines (2 hits in DuckDuckGo). Don't > > use it or any other phrase that's has been published on the internet. A phrase > > of 4 random words has a high probability that it has not been published on the > > internet (or anywhere else). The tricky part is that you must never put your > > 4-random-words phrase into a search engine to check this. > > > > Instead of using a 4-random-words phrase you can use a proper sentence with > > equivalent entropy provided that you do not use a sentence that has been > > published anywhere. Come up with your own sentence. Ideally come up with a > > sentence that doesn't make any sense like "The horse was correct. You cannot > > staple batteries." This phrase might be easier to remember and has a similar > > entropy as the above mentioned 4-random-words phrase. > > Ofc, I would not have used this phrase, which is part of my signature :-) > This was only an example. I'd have used something from a book or > poem which was written before Internet-times and perhaps never published > afterwards. that's no good. if it's been published ever, then google has probably obtained a copy and digitized it and re-published it at books.google.com. From malte at wk3.org Sat Dec 26 01:39:40 2015 From: malte at wk3.org (malte at wk3.org) Date: Sat, 26 Dec 2015 01:39:40 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> References: <20151224160254.GA2153@c720-r285885-amd64> <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> Message-ID: <145109038056.28662.14078272701893580572@solidarity.enteig.net> Hi, do you have an estimate on the number of unique sentences published on the Internet? Sincerely, Malte From peter at digitalbrains.com Sat Dec 26 09:53:38 2015 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 26 Dec 2015 09:53:38 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <145109038056.28662.14078272701893580572@solidarity.enteig.net> References: <20151224160254.GA2153@c720-r285885-amd64> <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> <145109038056.28662.14078272701893580572@solidarity.enteig.net> Message-ID: <567E5592.7040300@digitalbrains.com> On 26/12/15 01:39, malte at wk3.org wrote: > do you have an estimate on the number of unique sentences published on > the Internet? Hmmmmm.... how many of those would have been generated by a Markov chain generator that a spammer used to generate some filler text in a spam mail? I bet you've seen them, those texts that superficially look like proper English sentences, but when you look closely, it's completely non-sensical. What is your purpose by the way? Look for an estimated amount of entropy contained in picking one of those sentences? HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From wk at gnupg.org Sat Dec 26 10:36:28 2015 From: wk at gnupg.org (Werner Koch) Date: Sat, 26 Dec 2015 10:36:28 +0100 Subject: GnuPG News for November and December 2015 Message-ID: <878u4hr1pf.fsf@vigenere.g10code.de> Hi, here comes the plaintext copy of Neal's status update for November and December: (https://gnupg.org/blog/20151224-gnupg-in-november-and-december.html) _________________________________________ 20151224-GNUPG-IN-NOVEMBER-AND-DECEMBER Neal _________________________________________ December 24th, 2015 Table of Contents _________________ 1 GnuPG News for November and December 2015 .. 1.1 See us at 32C3 .. 1.2 Press .. 1.3 Development .. 1.4 Contact .. 1.5 Discussions .. 1.6 Donations 2 About this news posting 1 GnuPG News for November and December 2015 =========================================== 1.1 See us at 32C3 ~~~~~~~~~~~~~~~~~~ Werner and Neal will each give a talk at 32C3 as part of the [FSFE Assembly]. Both talks are on Monday, December 28th. Neal's presentation is at 16:00 in Hall A.1. He'll present "An Advanced Introduction to GnuPG." Werner follows immediately at 17:00 with "GnuPG and its current state of development." If you want to chat, we (Justus, Kai, Neal & Werner) will be around during the congress. (Neal will be mostly hanging out at the Kidspace and thus will probably be the easiest to find.) If you want to arrange a chat, send us an email. If you see one of us, don't hesitate to ask for a business card with a list of the keys we use to sign GnuPG releases! [FSFE Assembly] https://events.ccc.de/congress/2015/wiki/Assembly:Free_Software_Foundation_Europe#sessions 1.2 Press ~~~~~~~~~ [Werner was interviewed] (in German) by J?rgen Asbeck from Germany's Pirate Party. [Werner was interviewed] https://www.piratenpartei.de/2015/12/23/interview-mit-werner-koch/ 1.3 Development ~~~~~~~~~~~~~~~ There have been two new releases of GnuPG: version [2.1.10] and version [1.4.20]. Version 2.1.10 is the first GnuPG version to include support for TOFU. TOFU stands for trust on first use and should be familiar to anyone who uses ssh. Basically, TOFU is a mechanism to detect when the binding between an identity and a key changes. This can prevent or detect active man-in-the-middle (MitM) attacks and forgeries. Although this protection is weaker than the Web of Trust's theoretical guarantees, we have observed that most people don't bother to sign keys or set owner trust. The practical result is that most users don't make use of the web of trust and, as such, GnuPG only protects them from passive MitM attacks. TOFU provides protection against active MitM as long as they are not sustained while not requiring any user support. Happily, the web of trust and TOFU can be combined. To read more about how to use TOFU, see this [email]. A more theoretical handling of how TOFU works is described in our forthcoming [paper]. (Feedback is welcome.) Another noteworthy addition to 2.1.10 is Tor support. To enable this, simple add the following to your dirmngr.conf file: ,---- | use-tor | keyserver hkp://jirk5u4osbsr34t5.onion `---- (`hkp://jirk5u4osbsr34t5.onion' is the .onion address for [SKS Keyserver Pool].) Note: for this to work, you'll need to be running Tor. On Debian, you just need to install the Tor package; there is nothing more to configure. 2.1.10 also includes a number of small additions. It is now possible to use `--default-key' multiple times and GnuPG will use the last key that is available for signing (this is good when using a configuration file shared among multiple hosts). `--encrypt-to-default-key' will causes all messages to also be encrypted to the key specified in `--default-key'. `--unwrap' will strip an OpenPGP message of its encryption layer (and everyone thing outside of it). Since most messages are signed and then encrypted, this preserves the signature (unlike `--decrypt'). `--only-sign-text-ids' causes `--sign' to not sign photo IDs. In 2.1.10, Neal added code to detect ambiguous key specifications. This code proved to be incomplete and has since been removed from git. Given that it will take some time to ensure that the code is stable, this feature will return in 2.3.x. (2.2 is planned for the beginning of 2016.) 2.1.10 also includes a number of bug fixes for dirmngr. In particular, there was a bug that prevented fetching a large number of keys over TLS streams. Both 2.1.10 and 1.4.20 include support for the new `--weak-digest' option, which can be used to explicitly mark a digest as deprecated. (You should consider doing this for SHA-1, which is no longer considered safe.) Andre published [version 2.3.0 of gpg2win]. He's also been working on GpgOL (a GnuPG plug-in for Outlook). The latest test version includes support for sending PGP/MIME mails. If you are interested in helping to test it, read the [wiki] and follow the [gpg4win-devel mailing list] for details. Jussi has continued his work on libgcrypt. He recently added a variable length output interface for the digest API, which was needed for new SHAKE algorithms. He has also worked on some new optimizations for the hash-algorithms; fine-tuned existing SHA-3/SHAKE and Tiger implementations and added an ARMv7/NEON implementation of SHA-3/SHAKE. Niibe fixed an important long standing bug in scdaemon whereby users cannot access their smartcard after reinsertion. Another minor bug that he fixed is that the removal of smartcards was not always correctly detected. These bugs are fixed in 2.1.10 and will be backported to 2.0.x. Niibe also did a major change in libgcrypt for Curve25519, which changes the point format of the curve by adding the 0x40 prefix (this is the same as Ed25519). New private keys and encrypted messages created with the new libgcrypt will always have the prefix 0x40. Any users of Curve25519 encryption should update their libgcrypt. Existing keys should continue to be handled correctly. For those interested in Werner's work on g13 (a LUKS replacement, which allows using a smartcard to decrypt the master key), he has pushed his current work to the `wk/g13work' branch. [2.1.10] https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html [1.4.20] https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000382.html [email] https://lists.gnupg.org/pipermail/gnupg-devel/2015-October/030341.html [paper] ftp://ftp.g10code.com/people/neal/tofu.pdf [SKS Keyserver Pool] https://sks-keyservers.net [version 2.3.0 of gpg2win] http://lists.wald.intevation.org/pipermail/gpg4win-announce/2015-November/000067.html [wiki] https://wiki.gnupg.org/Gpg4win/Testversions [gpg4win-devel mailing list] https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-devel 1.4 Contact ~~~~~~~~~~~ Werner announced the official [chat room] for developers. Note: for general questions, #gnupg on freenode remains the better real-time chat forum. [chat room] https://lists.gnupg.org/pipermail/gnupg-devel/2015-December/030599.html 1.5 Discussions ~~~~~~~~~~~~~~~ Guilhem Moulin discussed using [OpenPGP notations to limit the scope of subkeys]. James asked about [best practices for creating keys] and got a number of helpful responses. The Nitrokey developers [announced an effort to develop a new USB Security Key] with hidden storage (for plausible deniability). Nitrokey is 100% free software and open hardware. Their [crowdfunding campaign] runs until the end of December. Robert J. Hansen shared a link to an MIT Technology Review article on how [user error subverts communication security]. Matthias Apitz asked about [why private keys are stored differently in GnuPG 2.1] and Werner provided a detailed explanation. [OpenPGP notations to limit the scope of subkeys] https://lists.gnupg.org/pipermail/gnupg-devel/2015-November/030576.html [best practices for creating keys] https://lists.gnupg.org/pipermail/gnupg-users/2015-November/054679.html [announced an effort to develop a new USB Security Key] https://lists.gnupg.org/pipermail/gnupg-users/2015-November/054695.html [crowdfunding campaign] https://www.indiegogo.com/projects/nitrokey-storage-usb-security-key-for-encryption#/ [user error subverts communication security] https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054864.html [why private keys are stored differently in GnuPG 2.1] https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054881.html 1.6 Donations ~~~~~~~~~~~~~ At the beginning of 2015, the Linux Foundation, as part of their core infrastructure initiative, made a one-time USD60,000 donation. We are pleased to report that the Linux Foundation has decided to renew their support for 2016 and have donated another USD60,000. Thanks! Unfortunately, [although Facebook initially announced that they would provide USD50,000 of support per year], they have since rescinded. [although Facebook initially announced that they would provide USD50,000 of support per year] https://twitter.com/stripe/status/563449352635432960' 2 About this news posting ========================= We try to write a news posting each month. However, other work may have a higher priority (e.g. security fixes) and thus there is no promise for a fixed publication date. If you have an interesting topic for a news posting, please send it to us. A regular summary of the mailing list discussions would make a nice column on this news. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From malte at wk3.org Sat Dec 26 17:00:04 2015 From: malte at wk3.org (malte at wk3.org) Date: Sat, 26 Dec 2015 17:00:04 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <567E5592.7040300@digitalbrains.com> References: <20151224160254.GA2153@c720-r285885-amd64> <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> <145109038056.28662.14078272701893580572@solidarity.enteig.net> <567E5592.7040300@digitalbrains.com> Message-ID: <145114560479.8130.7376137733924956804@solidarity.enteig.net> Quoting Peter Lebbing (2015-12-26 09:53:38) > On 26/12/15 01:39, malte at wk3.org wrote: > > do you have an estimate on the number of unique sentences published on > > the Internet? > > What is your purpose by the way? Look for an estimated amount of entropy > contained in picking one of those sentences? Yes. To know if picking a random, but previously published sentence (no matter the length) may ever be good enough. And then maybe going on to see if two random, but previously published sentences might be good enough (-: Sincerely, Malte From jeandavid8 at verizon.net Sat Dec 26 16:54:31 2015 From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Sat, 26 Dec 2015 10:54:31 -0500 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> References: <20151224160254.GA2153@c720-r285885-amd64> <2294973.TDpHq92AEh@collossus.ingo-kloecker.de> Message-ID: <567EB837.60304@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/25/2015 12:50 PM, Ingo Kl?cker wrote: > On Thursday 24 December 2015 17:02:54 Matthias Apitz wrote: >> Hello, >> >> I do not fully understand why some 4 random words like >> >> Correct, horse! Battery staple! >> >> is a better passphrase like, for example >> >> Und allein dieser Mangel und nichts anderes f?hrte zum Tod. >> >> i.e. some phrasing which could be memorized better? > > The second sentence is found by search engines (2 hits in > DuckDuckGo). Don't use it or any other phrase that's has been > published on the internet. A phrase of 4 random words has a high > probability that it has not been published on the internet (or > anywhere else). The tricky part is that you must never put your > 4-random-words phrase into a search engine to check this. > > Instead of using a 4-random-words phrase you can use a proper > sentence with equivalent entropy provided that you do not use a > sentence that has been published anywhere. Come up with your own > sentence. Ideally come up with a sentence that doesn't make any > sense like "The horse was correct. You cannot staple batteries." > This phrase might be easier to remember and has a similar entropy > as the above mentioned 4-random-words phrase. > > A favorite of mine, not usable then, and even less so now, is the following: At Night We Walk in Circles and Are Consumed by Fire In Latin, that is a palindrome. It is now the name of a musical composition, and has a group of its own on Facebook. https://www.wnyc.org/radio/#/ondemand/510001 - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key:166D840A 0C610C8B Registered Machine 1935521. /( )\ Shrewsbury, New Jersey http://linuxcounter.net ^^-^^ 10:35:01 up 1 day, 11:08, 2 users, load average: 4.16, 4.24, 4.19 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iQEcBAEBAgAGBQJWfrg0AAoJEBZthAoMYQyLcOMH/3q0mmnai7E49VontTna/2gf yZD9FHbiVE7tQl2OZmjNa16AzVMwpTlJxpS82/n3/8ljVxWbyd0JzdStAyq4xONV hdYN05SL6A43L8dobaO0IQLMB7ZdzJYawQW8wLfKQzevXMMXMiGg5BLMVdhNMqWo TPOLu8GFPfDGqC1P6EzKplCremb2NsMvrxw1RpxQcNwIksz1S3XO+YZWAYegUmsC fUCVH3qgTNrlaiG/FFGqBols0RJYS9EsWC/0EWSOZN0TCqzfoWbwPSse76HolV9Y lkXklPCxaqwan09jtkGwwSye1sTTHjmHA6t1YtK8yRxNc5k/zQKiY3mvLtt23Nc= =2AOW -----END PGP SIGNATURE----- From melvincarvalho at gmail.com Sat Dec 26 22:52:54 2015 From: melvincarvalho at gmail.com (Melvin Carvalho) Date: Sat, 26 Dec 2015 22:52:54 +0100 Subject: about cartoon in FAQ 10.1. 'Correct, horse! Battery staple!' In-Reply-To: <20151224160254.GA2153@c720-r285885-amd64> References: <20151224160254.GA2153@c720-r285885-amd64> Message-ID: On 24 December 2015 at 17:02, Matthias Apitz wrote: > > Hello, > > I do not fully understand why some 4 random words like > > Correct, horse! Battery staple! > > is a better passphrase like, for example > > Und allein dieser Mangel und nichts anderes f?hrte zum Tod. > > i.e. some phrasing which could be memorized better? > Might help: https://rya.nc/cracking_cryptocurrency_brainwallets.pdf (See slide 35) > > matthias > -- > Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? > +49-176-38902045 > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From landaurob at gmail.com Sun Dec 27 07:11:56 2015 From: landaurob at gmail.com (Rob Landau) Date: Sun, 27 Dec 2015 19:11:56 +1300 Subject: advice please Message-ID: Good day, I have just received my first Linux system (Ubuntu 14.04) It has Seahorse installed, but I don't see any GnuPG application. How can I determine if there is a GnuPG installed, and if so where to find it. Searching the Dash for GnuPG reveals nothing, and there doesn't appear to be any program in the Ubuntu Software Center Cheers ~Rob -------------- next part -------------- An HTML attachment was scrubbed... URL: From lachlan at twopif.net Sun Dec 27 10:54:00 2015 From: lachlan at twopif.net (Lachlan Gunn) Date: Sun, 27 Dec 2015 10:54:00 +0100 Subject: advice please In-Reply-To: References: Message-ID: Hello, According to the documentation that I've found, it is called "passwords and keys". Thanks, Lachlan Le 27 d?c. 2015 10:45, "Rob Landau" a ?crit : > Good day, I have just received my first Linux system (Ubuntu 14.04) It > has Seahorse installed, but I don't see any GnuPG application. How can I > determine if there is a GnuPG installed, and if so where to find it. > Searching the Dash for GnuPG reveals nothing, and there doesn't appear to > be any program in the Ubuntu Software Center > > Cheers ~Rob > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Sun Dec 27 11:19:13 2015 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 27 Dec 2015 04:19:13 -0600 Subject: advice please In-Reply-To: References: Message-ID: <567FBB21.1060803@sixdemonbag.org> > Good day, I have just received my first Linux system (Ubuntu 14.04) Welcome to the world of free software. :) > How can I determine if there is a GnuPG installed... This is in the FAQ: https://www.gnupg.org/faq/gnupg-faq.html#get_gnupg Good luck! From viktordick86 at gmail.com Sun Dec 27 11:04:16 2015 From: viktordick86 at gmail.com (Viktor Dick) Date: Sun, 27 Dec 2015 11:04:16 +0100 Subject: advice please In-Reply-To: References: Message-ID: <567FB7A0.1080501@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-12-27 07:11, Rob Landau wrote: > Good day, I have just received my first Linux system (Ubuntu > 14.04) It has Seahorse installed, but I don't see any GnuPG > application. How can I determine if there is a GnuPG installed, > and if so where to find it. Searching the Dash for GnuPG reveals > nothing, and there doesn't appear to be any program in the Ubuntu > Software Center If I remember correctly, the set of 'applications' on an Ubuntu system is only a subset of the set of packages. Specifically, applications are only programs that, when installed, have entries in the menu (or its Unity replacement). Programs that are console-only are usually not listed in the menu and it is possible that they are also not listed in the Software Center. So the fact that there is no application called gnupg does not mean that gnupg is not installed. It probably is. Maybe just open a terminal and type 'gnupg', that way you can be sure. Regards, Viktor -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWf7egAAoJEPNGVztcQuQ/tCEIAIJvdwTYOWxvp1mmO9q6BYw/ GTG20Oy6zwrQY3TMUeU7qb0ehTLhDPkvXk4XfXPr3izkwyUeZS9BEW5QEcj9ivZ6 d+Nm1oKW495KNY2Gj1sjbUD/zV5I9LlteMDa5xwNfa91dxjp3bXHErrFdJ9tnxAA e47NgpaZ42Z2v7I0bCxddJhuiAhFKU7do+dDwnb3VTuBH5X40cfdLz/2yPCmCvSr a2Egm7/PTJDZTO8clJUITvYq7WCMMElOp6B1qYEeimTpyv2Xv/upqGgwUuTMDy19 xikbKmo3Pzz4W9WcfmZSPnMwwXDChm5Gxtis6g/UTvT0mqApayp6ayIj0NRpnLg= =WSp8 -----END PGP SIGNATURE----- From jays at panix.com Mon Dec 28 21:02:12 2015 From: jays at panix.com (Jay Sulzberger) Date: Mon, 28 Dec 2015 15:02:12 -0500 (EST) Subject: advice please In-Reply-To: References: Message-ID: On Sun, 27 Dec 2015, Rob Landau wrote: > Good day, I have just received my first Linux system (Ubuntu 14.04) It > has Seahorse installed, but I don't see any GnuPG application. How can I > determine if there is a GnuPG installed, and if so where to find it. > Searching the Dash for GnuPG reveals nothing, and there doesn't appear to > be any program in the Ubuntu Software Center > > Cheers ~Rob I use Debian. On my system, if I open a terminal, and then, whether I am root or no, give the command: apt-cache search gnupg apt returns a long list of packages. Here are the last few: pinentry-tty - minimal dumb-terminal PIN or pass-phrase entry for GnuPG python-gnupg - Python wrapper for the GNU Privacy Guard (Python 2.x) python3-gnupg - Python wrapper for the GNU Privacy Guard (Python 3.x) libqca2-plugin-gnupg - transitional package for libqca2-plugins signing-party - Various OpenPGP related tools gnupg-doc - GNU Privacy Guard documentation gnupg-agent - GNU privacy guard - cryptographic agent gnupg2 - GNU privacy guard - a free PGP replacement (new v2.x) gnupg2-dbg - debugging symbols for gnupg2 gpgsm - GNU privacy guard - S/MIME version scdaemon - GNU privacy guard - smart card support On Debian, if you are connected to the Net, and if you do, as root; apt-get update and then apt-get install gnupg-doc gnupg-agent gnupg2 apt should install the above three packages. Likely Ubuntu has a "GUI" wrapper or an equivalent for apt. I'd have guessed that the "Ubuntu Software Center" would be it, and that the USC would show you gnupg easily. oo--JS. From thecissou98 at hotmail.fr Mon Dec 28 19:43:47 2015 From: thecissou98 at hotmail.fr (Francis Le Roy) Date: Mon, 28 Dec 2015 19:43:47 +0100 Subject: Create Process ec=87 Message-ID: Hi, I am trying to use your librairy but when I try to check the OpenPGP engine's version, I get an error. Here is join the code I tried to run and the complete error log. Your sincerely, F. -------------- next part -------------- #include "../Student.h" #include "gpgme.h" #include using namespace std; void genKey(Sdt& student,int ksize,string passwd) { gpgme_set_global_flag("debug","9"); gpgme_check_version(NULL); gpg_error_t test = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP); cout << gpgme_strerror(test) << endl; cout << "Engine : " << gpgme_get_dirinfo("gpg-name") << endl; } -------------- next part -------------- GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_debug: level=9 GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_debug: gpgme='D:\CODING\C++\bin\Debug' GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_check_version: call: 0=00000000, req_version=(null), VERSION=1.6.0 GPGME 2015-12-28 19:05:21 <0x2b18> gpgme_check_version_internal: call: 0=00000000, req_version=(null), offset_sig_validity=32 GPGME 2015-12-28 19:05:21 <0x2b18> gpgme-dinfo: gpgconf='C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe' GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: enter: filedes=0028F680, inherit_idx=1 (GPGME uses it for reading) GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: leave: read=0x0 (00000150/0x0), write=0x1 (00000164/0x0) GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --list-dirs GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-HBCBJ6 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000000 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000000, fd=0 -> handle=00000150 socket=-1 dupfrom=-1 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000001 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000001, fd=1 -> handle=00000164 socket=-1 dupfrom=-1 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: enter: filedes=0028F680, inherit_idx=1 (GPGME uses it for reading) GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: leave: read=0x0 (00000168/0x0), write=0x1 (00000174/0x0) GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --list-components GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-4Cb3i3 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000000 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000000, fd=0 -> handle=00000168 socket=-1 dupfrom=-1 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000001 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000001, fd=1 -> handle=00000174 socket=-1 dupfrom=-1 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: enter: filedes=0028FA5C, inherit_idx=1 (GPGME uses it for reading) GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_pipe: leave: read=0x0 (0000017C/0x0), write=0x1 (00000190/0x0) GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: enter: path=0AF93FD0, path=C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 0] = C:\Program Files (x86)\GNU\GnuPG\gpgconf.exe GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, argv[ 1] = --version GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, tmp_name = C:\Users\User\AppData\Local\Temp\gpgme-DrOuSZ GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: check: path=0AF93FD0, CreateProcess failed: ec=87 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_spawn: error: Input/output error GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000000 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000000, fd=0 -> handle=0000017C socket=-1 dupfrom=-1 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: enter: fd=00000001 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: check: fd=00000001, fd=1 -> handle=00000190 socket=-1 dupfrom=-1 GPGME 2015-12-28 19:05:21 <0x2b18> _gpgme_io_close: leave: result=0 GPGME 2015-12-28 19:05:21 <0x2b18> engine.c:365: returning error: Invalid crypto engine GPGME 2015-12-28 19:05:21 <0x2b18> engine.c:155: returning error: Invalid crypto engine Invalid crypto engine From sbutler at fchn.com Mon Dec 28 22:52:54 2015 From: sbutler at fchn.com (Steve Butler) Date: Mon, 28 Dec 2015 21:52:54 +0000 Subject: advice please In-Reply-To: References: Message-ID: <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com> I see the attached when I do the search in Software Center on Ubuntu 15.10. Stephen M. Butler, PMP, PSM IT Manager - Software Engineering First Choice Health Network Email: sbutler at fchn.com Voice: 206-268-2309 Fax: 206-268-6173 -----Original Message----- From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jay Sulzberger Sent: Monday, December 28, 2015 12:02 PM To: GnuPG-users at gnupg.org Subject: Re: advice please On Sun, 27 Dec 2015, Rob Landau wrote: > Good day, I have just received my first Linux system (Ubuntu 14.04) > It has Seahorse installed, but I don't see any GnuPG application. How > can I determine if there is a GnuPG installed, and if so where to find it. > Searching the Dash for GnuPG reveals nothing, and there doesn't appear > to be any program in the Ubuntu Software Center > > Cheers ~Rob I use Debian. On my system, if I open a terminal, and then, whether I am root or no, give the command: apt-cache search gnupg apt returns a long list of packages. Here are the last few: pinentry-tty - minimal dumb-terminal PIN or pass-phrase entry for GnuPG python-gnupg - Python wrapper for the GNU Privacy Guard (Python 2.x) python3-gnupg - Python wrapper for the GNU Privacy Guard (Python 3.x) libqca2-plugin-gnupg - transitional package for libqca2-plugins signing-party - Various OpenPGP related tools gnupg-doc - GNU Privacy Guard documentation gnupg-agent - GNU privacy guard - cryptographic agent gnupg2 - GNU privacy guard - a free PGP replacement (new v2.x) gnupg2-dbg - debugging symbols for gnupg2 gpgsm - GNU privacy guard - S/MIME version scdaemon - GNU privacy guard - smart card support On Debian, if you are connected to the Net, and if you do, as root; apt-get update and then apt-get install gnupg-doc gnupg-agent gnupg2 apt should install the above three packages. Likely Ubuntu has a "GUI" wrapper or an equivalent for apt. I'd have guessed that the "Ubuntu Software Center" would be it, and that the USC would show you gnupg easily. oo--JS. _______________________________________________ Gnupg-users mailing list Gnupg-users at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -------------- next part -------------- A non-text attachment was scrubbed... Name: Screenshot from 2015-12-28 13-39-46.png Type: image/png Size: 213838 bytes Desc: Screenshot from 2015-12-28 13-39-46.png URL: From jays at panix.com Mon Dec 28 23:22:20 2015 From: jays at panix.com (Jay Sulzberger) Date: Mon, 28 Dec 2015 17:22:20 -0500 (EST) Subject: advice please In-Reply-To: <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com> References: <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com> Message-ID: On Mon, 28 Dec 2015, Steve Butler wrote: > I see the attached when I do the search in Software Center on Ubuntu 15.10. > > > Stephen M. Butler, PMP, PSM Well, I see gnupg in the list, I am not sure whether it is gnupg2 or not. gpg is hard to set up. Even after it is set up to do what you want, your correspondent must also have a working gpg/PGP system, else you will not be able to communicate using gpg as your encrypt/decrypt system. The Free Software Forces have, so far, failed to produce an email crypto system which one billion people could use. We have a good central armature for such a system, namely gpg, but the stuff around gpg is in practice very difficult to use. What do you want to with GnuPG? oo--JS. > IT Manager - Software Engineering > First Choice Health Network > Email: sbutler at fchn.com > Voice: 206-268-2309 > Fax: 206-268-6173 > > > -----Original Message----- > From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jay Sulzberger > Sent: Monday, December 28, 2015 12:02 PM > To: GnuPG-users at gnupg.org > Subject: Re: advice please > > > On Sun, 27 Dec 2015, Rob Landau wrote: > >> Good day, I have just received my first Linux system (Ubuntu 14.04) >> It has Seahorse installed, but I don't see any GnuPG application. How >> can I determine if there is a GnuPG installed, and if so where to find it. >> Searching the Dash for GnuPG reveals nothing, and there doesn't appear >> to be any program in the Ubuntu Software Center >> >> Cheers ~Rob > > I use Debian. On my system, if I open a terminal, and then, whether I am root or no, give the command: > > apt-cache search gnupg > > apt returns a long list of packages. Here are the last few: > > pinentry-tty - minimal dumb-terminal PIN or pass-phrase entry for GnuPG python-gnupg - Python wrapper for the GNU Privacy Guard (Python 2.x) python3-gnupg - Python wrapper for the GNU Privacy Guard (Python 3.x) libqca2-plugin-gnupg - transitional package for libqca2-plugins signing-party - Various OpenPGP related tools gnupg-doc - GNU Privacy Guard documentation gnupg-agent - GNU privacy guard - cryptographic agent > gnupg2 - GNU privacy guard - a free PGP replacement (new v2.x) gnupg2-dbg - debugging symbols for gnupg2 gpgsm - GNU privacy guard - S/MIME version scdaemon - GNU privacy guard - smart card support > > On Debian, if you are connected to the Net, and if you do, as root; > > apt-get update > > and then > > apt-get install gnupg-doc gnupg-agent gnupg2 > > apt should install the above three packages. > > Likely Ubuntu has a "GUI" wrapper or an equivalent for apt. I'd have guessed that the "Ubuntu Software Center" would be it, and that the USC would show you gnupg easily. > > oo--JS. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, > is for the sole use of the intended recipient(s) and may contain > confidential > and privileged information. Any unauthorized review, use, disclosure or > distribution is prohibited. If you are not the intended recipient, please > contact the sender by reply e-mail and destroy all copies of the original > message. > From juanmi.3000 at gmail.com Tue Dec 29 01:37:30 2015 From: juanmi.3000 at gmail.com (=?UTF-8?Q?Juan_Miguel_Navarro_Mart=c3=adnez?=) Date: Tue, 29 Dec 2015 01:37:30 +0100 Subject: advice please In-Reply-To: References: Message-ID: <5681D5CA.2020106@gmail.com> If you believe that distro is trustworthy and one of the recommended ones for Linux users, then just try: gpg -v && gpg2 -v It will first try to use gpg and tell its version and, if it does, it will then try to do with 'gpg2'. If t's a Debian-based distro or a distro with apt-get, you can do: sudo apt-get update && apt-cache policy gnupg gnupg2 First command will update the local cache of the software listed in the repository, if it all goes well then apt-cache will output a small info about each package, including the prefered version in the repositories and, either it'll say if it is not installed or if it is, it will output the version installed. You can also try: dpkg -s gnupg | more; dpkg -s gnupg2 | more Which, if installed, will output information about the package, version, dependencies and if it is still installed or not. First for gnupg, then for gnupg2. You are using Ubuntu 14.04, which by default comes with Gnupg 1.X installed. You can install GnuPg 2.0.X by doing: sudo apt-get update && sudo apt-get install gnupg2 On 2015-12-27 at 07:11, Rob Landau wrote: > Good day, I have just received my first Linux system (Ubuntu 14.04) It > has Seahorse installed, but I don't see any GnuPG application. How can I > determine if there is a GnuPG installed, and if so where to find it. > Searching the Dash for GnuPG reveals nothing, and there doesn't appear to > be any program in the Ubuntu Software Center > > Cheers ~Rob > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- Juan Miguel Navarro Mart?nez GPG Keyfingerprint: 5A91 90D4 CF27 9D52 D62A BC58 88E2 947F 9BC6 B3CF From bob.henson at galen.org.uk Tue Dec 29 10:07:31 2015 From: bob.henson at galen.org.uk (Bob Henson) Date: Tue, 29 Dec 2015 09:07:31 +0000 Subject: advice please In-Reply-To: References: <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com> Message-ID: <56824D53.2000804@galen.org.uk> On 28/12/2015 10:22 pm, Jay Sulzberger wrote: > > On Mon, 28 Dec 2015, Steve Butler wrote: > >> I see the attached when I do the search in Software Center on Ubuntu 15.10. >> >> >> Stephen M. Butler, PMP, PSM > > Well, I see gnupg in the list, I am not sure whether it is gnupg2 or not. > > gpg is hard to set up. Even after it is set up to do what you > want, your correspondent must also have a working gpg/PGP system, > else you will not be able to communicate using gpg as your > encrypt/decrypt system. The Free Software Forces have, so far, > failed to produce an email crypto system which one billion people > could use. We have a good central armature for such a system, > namely gpg, but the stuff around gpg is in practice very > difficult to use. > I'm not that technical - but I can tell you that basic signing and encryption with GnuPG (what else would anyone want it for?) isn't hard to use at all, even for an ancient old geezer like me. The thing to do is to forget all about command lines and run it from Enigmail within Thunderbird (easiest and best) or the appropriate extension/s within Claws Mail. Most other Linux e-mail clients will do it too - but most other Linux e-mail clients are very poor, in my experience. If, as you imply above, you are looking for a more universal system of encryption, then PGP/OpenPGP certainly isn't the one to use - it is intended to be a "person to person" system used between people known to one another and whose keys can be countersigned with absolute certainty. There is already a system, albeit far from perfect, which lends itself to large scale use and that is the X.509 certificate system - already widely used. Regards, Bob From thecissou98 at hotmail.fr Tue Dec 29 12:24:26 2015 From: thecissou98 at hotmail.fr (Francis Le Roy) Date: Tue, 29 Dec 2015 12:24:26 +0100 Subject: General error when creating keypair Message-ID: Hi, I got a problem generating a key pair, when I run the code, it return a General error code :/. If you could give me a sample on how to gen a key or fix my code it would be nice :) your sincerely, F. gpgme_set_global_flag("debug", "9"); gpgme_set_global_flag("disable-gpgconf","1"); gpgme_set_global_flag("gpg-name","gpgconf"); cout << "cououcou" << endl; gpgme_check_version(NULL); gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP); gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,NULL,"CHOME"); gpgme_ctx_t ctx; gpgme_error_t err; gpgme_data_t pubkey; gpgme_data_t privkey; setlocale (LC_ALL, ""); gpgme_set_locale (NULL, LC_CTYPE, setlocale (LC_CTYPE, NULL)); #ifdef LC_MESSAGES gpgme_set_locale (NULL, LC_MESSAGES, setlocale (LC_MESSAGES, NULL)); #endif err = gpgme_new(&ctx); if(err!=GPG_ERR_NO_ERROR) return err; err = gpgme_set_protocol(ctx,GPGME_PROTOCOL_OpenPGP); if(err!=GPG_ERR_NO_ERROR) return err; gpgme_set_armor(ctx,1); gpgme_set_offline(ctx,1); string req = ""; req += "\nKey-Type: RSA"; req += "\nKey-length: 1024"; req += "\nName-Real: " + student.getFname() + " " + student.getLname(); req += "\nName-Comment: " + student.getAddress(); req += " " + student.getCity(); req += " " + student.getZip(); req += " " + student.getCountry(); req += "\nExpire-Date: 0"; req += "\nPassphrase: bla"; req += "\n"; cout << "Sgen "; gpgme_data_new(&pubkey); gpgme_data_new(&privkey); gpgme_data_set_encoding(privkey,GPGME_DATA_ENCODING_ARMOR); gpgme_data_set_encoding(pubkey,GPGME_DATA_ENCODING_ARMOR); const char* param = req.c_str(); err = gpgme_op_genkey(ctx,param,NULL,NULL); cout << "Egen" << endl; if(err!=GPG_ERR_NO_ERROR) return err; From bob.henson at galen.org.uk Tue Dec 29 12:51:23 2015 From: bob.henson at galen.org.uk (Bob Henson) Date: Tue, 29 Dec 2015 11:51:23 +0000 Subject: General error when creating keypair In-Reply-To: References: Message-ID: <568273BB.8050800@galen.org.uk> On 29/12/2015 11:24 am, Francis Le Roy wrote: > 
 > Hi, > I got a problem generating a key pair, when I run the code, it
return a > General error code :/. > If you could give me a sample on how
to gen a key or fix my code it > would be nice :) >
As you're using Thunderbird, why not add the Enigmail extension, and let
that do it for you simply and automatically?

Regards,

Bob


-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From stebe at mailbox.org  Tue Dec 29 15:05:35 2015
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 29 Dec 2015 15:05:35 +0100 (CET)
Subject: advice please (just about the same over here)
In-Reply-To: <56824D53.2000804@galen.org.uk>
References: 
 
 <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
 
 <56824D53.2000804@galen.org.uk>
Message-ID: <653946150.20246.0908b4f2-5a5f-4173-ad10-b90afa4f1ed8.open-xchange@office.mailbox.org>


> Bob Henson  hat am 29. Dezember 2015 um 10:07
> geschrieben:
> 
> 
> On 28/12/2015 10:22 pm, Jay Sulzberger wrote:
> > 
> > On Mon, 28 Dec 2015, Steve Butler  wrote:
> > 

> If, as you imply above, you are looking for a more universal system of
> encryption, then PGP/OpenPGP certainly isn't the one to use - it is
> intended to be a "person to person" system used between people known to
> one another and whose keys can be countersigned with absolute certainty.
> There is already a system, albeit far from perfect, which lends itself
> to large scale use and that is the X.509 certificate system - already
> widely used.
> 
(Sorry for appending a slightly off-topic question to this thread, well, I
really like the person-to person design of gpg and the WebofTrust, and the
enigmail extension makes it quite easy to get along, the Enigmail handbook
is written in a clear and concise manner suited for beginners as well as
for more technical users...whenever you need a free German translation,
knock on my door!)

By the way, talking about the X509 certificate system, which is the exact
command line syntax to verify (using openssl, I guess) a given
certificate's signature by using the public key of the certificate that
has issued the certificate to be verified? 
openssl verify pkeyutl (and what else? "sigfile=file" AND "pkey" as a file
or STDIN?)
The certificate to be validated (as presented in the TLS handshake) is not
present as a file, just as a data stream captured with a specialized tool,
and in the signature field I cannot see a signature, just the algorithm
used, or maybe I am blind?) whereas the OCSP response details a long
signature preceded by the word "signature:". The public key I have to use
is already in the browser's certificate, but how do I get it all down to
command line syntax?

Any help appreciated.

Cheers,

Stephan


From stebe at mailbox.org  Tue Dec 29 21:42:59 2015
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 29 Dec 2015 21:42:59 +0100 (CET)
Subject: advice please (just about the same over here)
In-Reply-To: <653946150.20246.0908b4f2-5a5f-4173-ad10-b90afa4f1ed8.open-xchange@office.mailbox.org>
References: 
 
 <04c7500e31814d08bf29f1586ad12da1@t1l1exchmbs-01.fchn.com>
 
 <56824D53.2000804@galen.org.uk>
 <653946150.20246.0908b4f2-5a5f-4173-ad10-b90afa4f1ed8.open-xchange@office.mailbox.org>
Message-ID: <1706253488.20267.4f93bbb7-49e9-4096-98e2-0e9b73c7cc94.open-xchange@office.mailbox.org>


> stebe at mailbox.org hat am 29. Dezember 2015 um 15:05 geschrieben:
> 
> 
> 
> > Bob Henson  hat am 29. Dezember 2015 um 10:07
> > geschrieben:
> > 
> > 
> > On 28/12/2015 10:22 pm, Jay Sulzberger wrote:
> > > 
> > > On Mon, 28 Dec 2015, Steve Butler  wrote:
> > > 
> 
> > If, as you imply above, you are looking for a more universal system of
> > encryption, then PGP/OpenPGP certainly isn't the one to use - it is
> > intended to be a "person to person" system used between people known
> > to
> > one another and whose keys can be countersigned with absolute
> > certainty.
> > There is already a system, albeit far from perfect, which lends itself
> > to large scale use and that is the X.509 certificate system - already
> > widely used.
> > 
> (Sorry for appending a slightly off-topic question to this thread, well,
> I
> really like the person-to person design of gpg and the WebofTrust, and
> the
> enigmail extension makes it quite easy to get along, the Enigmail
> handbook
> is written in a clear and concise manner suited for beginners as well as
> for more technical users...whenever you need a free German translation,
> knock on my door!)
> 
> By the way, talking about the X509 certificate system, which is the
> exact
> command line syntax to verify (using openssl, I guess) a given
> certificate's signature by using the public key of the certificate that
> has issued the certificate to be verified? 

Resolved. I have found the specific command line syntax. And sorry (to the
author/translator), there IS a German Enigmail handbook translation. I
only use the English original and I've never taken a look at the German
version.

A nice New Year's eve to everyone

Stebe


From wk at gnupg.org  Wed Dec 30 21:55:49 2015
From: wk at gnupg.org (Werner Koch)
Date: Wed, 30 Dec 2015 21:55:49 +0100
Subject: General error when creating keypair
In-Reply-To:  (Francis Le
 Roy's message of "Tue, 29 Dec 2015 12:24:26 +0100")
References: 
Message-ID: <87poxnmzai.fsf@vigenere.g10code.de>

On Tue, 29 Dec 2015 12:24, thecissou98 at hotmail.fr said:

>     gpgme_set_global_flag("debug", "9");
>     gpgme_set_global_flag("disable-gpgconf","1");
>     gpgme_set_global_flag("gpg-name","gpgconf");

Why are you using these gobal flags?  They are only useful in some
certain environments.

Disabling gpgconf and chnaging the name of gpg to gppconf is definitely
not a good ideas.  c+p error?  Remove all these flags.

>     if(err!=GPG_ERR_NO_ERROR) return err;

BTW, using

      if (err) return err;

is much easier to read.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



From david at gbenet.com  Thu Dec 31 02:18:15 2015
From: david at gbenet.com (david at gbenet.com)
Date: Thu, 31 Dec 2015 09:18:15 +0800
Subject: Ian Murdock
Message-ID: <56848257.2090005@gbenet.com>

Apparently the founder of the Debian project, Ian Murdock, has died
[1]. There is some interesting discussion on Reddit, especially the link
to his last tweets [2].

This is very sad news, especially given the alleged circumstances.

[1] https://blog.docker.com/2015/12/ian-murdock/
[2] https://www.reddit.com/r/programming/comments/3ytdsi/ian_murdock_creator_of_debian_has_died/

David

-- 
?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the
kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No
delusion.? https://linuxcounter.net/user/512854.html - http://gbenet.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAAD8C47D.asc
Type: application/pgp-keys
Size: 5054 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: