From stebe at mailbox.org Mon Feb 1 00:06:54 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Mon, 1 Feb 2016 00:06:54 +0100 (CET)
Subject: GnuPG and the debian-archive-keyring
In-Reply-To: <07E2B236-D325-4C69-BC30-7F5FC165B13D@andrewg.com>
References: <1438937703.3486.d0e3fe43-f143-47ca-803d-bf3856d0c20a.open-xchange@office.mailbox.org>
 <07E2B236-D325-4C69-BC30-7F5FC165B13D@andrewg.com>
Message-ID: <685907637.657.4b7bd281-beed-4891-8bbe-24a25352520c.open-xchange@office.mailbox.org>

Hi,

> Andrew Gallagher wrote on 31 January 2016 at 18:40:
>
>
> On 31 Jan 2016, at 15:07, stebe at mailbox.org wrote:
> >
> > gpg2 --edit-key 0x2B90D010
> >
> > Dieser Schlüssel könnte durch RSA mit Schlüssel CA1CF964 [?]
> > widerrufen
> > worden sein
> > [This key may have been revoked by RSA key CA1CF964 [?]]
> > Dieser Schlüssel könnte durch RSA mit Schlüssel B12525C4 [?]
> > widerrufen
> > worden sein
> > Dieser Schlüssel könnte durch RSA mit Schlüssel 15B0FD82 [?]
> > widerrufen
> > worden sein
> > pub 4096R/2B90D010 erzeugt: 2014-11-21 verfällt: 2022-11-19
> > Aufruf: SC
>
> Do you have the revoking keys in your keyring? It sounds as if there's a
> revocation sig attached to the public key but gpg has no way of
> determining its validity.
>

No, I haven't.

Yes, you're right, the encryption subkey had been revoked, not the key,
and I don't have the revokers' keys in my keyring.

Thanks to Peter's indications I could determine what it was all about.

Thanks.

Stebe

From ludovic at hirlimann.net Tue Feb 2 13:47:34 2016
From: ludovic at hirlimann.net (Ludovic Hirlimann)
Date: Tue, 2 Feb 2016 13:47:34 +0100
Subject: Error when signing
Message-ID:

Hello,

I've recently created a new key. When I try to sign with it I get the
following error :

Really sign all user IDs?
(y/N) y
gpg: skipped "F8CC972DC3A81C07": secret key not available

while

gpg -K
sec rsa4096/C3A81C07 2015-12-17
uid [ultimate] Ludovic Hirlimann (work key)
uid [ultimate] Ludovic Hirlimann
uid [ultimate] Ludovic Hirlimann
ssb rsa4096/FFC53A40 2015-12-17

Any idea how to fix this ?

Ludo

--
http://sietch-tabr.tumblr.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From peter at digitalbrains.com Tue Feb 2 17:51:37 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 2 Feb 2016 17:51:37 +0100
Subject: Error when signing
In-Reply-To:
References:
Message-ID: <56B0DE99.9030001@digitalbrains.com>

On 02/02/16 13:47, Ludovic Hirlimann wrote:
> I've recently created a new key. When I try to sign with it I get the
> following error :

Could you show the exact command you're trying, and also, do you have a
gpg.conf? If so, could you include it as well.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From antoine.michard at chezgeek.fr Tue Feb 2 19:06:57 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Tue, 2 Feb 2016 19:06:57 +0100
Subject: PlussID Smartcard Reader
Message-ID: <56B0F041.2070707@chezgeek.fr>

Hi all,

Recently, I've bought a PlussID (or +ID) Smartcard reader on their
website (http://www.pluss-id.com/). I bought it to use it on travel.

I received it today and it's really, really tiny !!

But, unfortunately it doesn't work with my OpenPGP Card 2.1 with 3 RSA
4096bits keys. I can read data on the card, I can enter my PIN but then
I can't sign, decrypt or use any of my keys.

What can I do to debug the smartcard reader ?? Is it possible to resolve
this ??

Thanks for reply

--
Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From ludovic at hirlimann.net Tue Feb 2 19:35:29 2016
From: ludovic at hirlimann.net (Ludovic Hirlimann)
Date: Tue, 2 Feb 2016 19:35:29 +0100
Subject: Error when signing
In-Reply-To: <56B0DE99.9030001@digitalbrains.com>
References: <56B0DE99.9030001@digitalbrains.com>
Message-ID:

Sure I'm trying to gpg --edit-key XXXXXX

Setup works with my other and older key.

Ludo

On Tue, Feb 2, 2016 at 5:51 PM, Peter Lebbing wrote:

> On 02/02/16 13:47, Ludovic Hirlimann wrote:
> > I've recently created a new key. When I try to sign with it I get the
> > following error :
>
> Could you show the exact command you're trying, and also, do you have a
> gpg.conf? If so, could you include it as well.
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at
>

--
http://sietch-tabr.tumblr.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.

# Uncomment the following option to get rid of the copyright notice

#no-greeting

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 6B17EA1E
default-key F8CC972DC3A81C07

# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.

#default-recipient some-user-id
#default-recipient-self

# By default GnuPG creates version 3 signatures for data files. This
# is not strictly OpenPGP compliant but PGP 6 and most versions of PGP
# 7 require them. To disable this behavior, you may use this option
# or --openpgp.

#no-force-v3-sigs

# Because some mailers change lines starting with "From " to ">From "
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.
# To enable full OpenPGP compliance you may want to use this option.

#no-escape-from-lines

# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future version of GnuPG will change to UTF-8
# as default character set.

#charset utf-8

# Group names may be defined like this:
#   group mynames = paige 0x12345678 joe patti
#
# Any time "mynames" is a recipient (-r or --recipient), it will be
# expanded to the names "paige", "joe", and "patti", and the key ID
# "0x12345678". Note there is only one level of expansion - you
# cannot make an group that points to another group. Note also that
# if there are spaces in the recipient name, this will appear as two
# recipients. In these cases it is better to use the key ID.

#group mynames = paige 0x12345678 joe patti

# Some old Windows platforms require 8.3 filenames. If your system
# can handle long filenames, uncomment this.

#no-mangle-dos-filenames

# Lock the file only once for the lifetime of a process. If you do
# not define this, the lock will be obtained and released every time
# it is needed - normally this is not needed.

#lock-once

# GnuPG can send and receive keys to and from a keyserver. These
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
# support).
#
# Example HKP keyserver:
#      x-hkp://pgp.mit.edu
#
# Example email keyserver:
#      mailto:pgp-public-keys at keys.nl.pgp.net
#
# Example LDAP keyservers:
#      ldap://pgp.surfnet.nl:11370
#      ldap://keyserver.pgp.com
#
# Regular URL syntax applies, and you can set an alternate port
# through the usual method:
#      x-hkp://keyserver.example.net:22742
#
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
#
# Most users just set the name and type of their preferred keyserver.
# Most servers do synchronize with each other and DNS round-robin may
# give you a quasi-random server each time.

#keyserver x-hkp://pgp.mit.edu
keyserver x-hkp://pool.sks-keyservers.net
#keyserver mailto:pgp-public-keys at keys.nl.pgp.net
#keyserver ldap://pgp.surfnet.nl:11370
#keyserver ldap://keyserver.pgp.com

# Common options for keyserver functions:
#
# include-disabled = when searching, include keys marked as "disabled"
#                    on the keyserver (not all keyservers support this).
#
# no-include-revoked = when searching, do not include keys marked as
#                      "revoked" on the keyserver.
#
# verbose = show more information as the keys are fetched.
#           Can be used more than once to increase the amount
#           of information shown.
#
# use-temp-files = use temporary files instead of a pipe to talk to the
#                  keyserver. Some platforms (Win32 for one) always
#                  have this on.
#
# keep-temp-files = do not delete temporary files after using them
#                   (really only useful for debugging)
#
# honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy
#                    environment variable
#
# broken-http-proxy = try to work around a buggy HTTP proxy
#
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
#                     when verifying signatures or when importing keys that
#                     have been revoked by a revocation key that is not
#                     present on the keyring.
#
# no-include-attributes = do not include attribute IDs (aka "photo IDs")
#                         when sending keys to the keyserver.

#keyserver-options auto-key-retrieve

# Uncomment this line to display photo user IDs in key listings and
# when a signature from a key with a photo is verified.

#show-photos

# Use this program to display photo user IDs
#
# %i is expanded to a temporary file that contains the photo.
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
# %k is expanded to the key ID of the key.
# %K is expanded to the long OpenPGP key ID of the key.
# %t is expanded to the extension of the image (e.g. "jpg").
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
# %f is expanded to the fingerprint of the key.
# %% is %, of course.
#
# If %i or %I are not present, then the photo is supplied to the
# viewer on standard input. If your platform supports it, standard
# input is the best way to do this as it avoids the time and effort in
# generating and then cleaning up a secure temp file.
#
# The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin"
# On Mac OS X and Windows, the default is to use your regular JPEG image
# viewer.
#
# Some other viewers:
# photo-viewer "qiv %i"
# photo-viewer "ee %i"
# photo-viewer "display -title 'KeyID 0x%k'"
#
# This one saves a copy of the photo ID in your home directory:
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
#
# Use your MIME handler to view photos:
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"

# Passphrase agent
#
# We support the old experimental passphrase agent protocol as well as
# the new Assuan based one (currently available in the "newpg" package
# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent,
# you have to run an agent as daemon and use the option
#
# use-agent
#
# which tries to use the agent but will fallback to the regular mode
# if there is a problem connecting to the agent. The normal way to
# locate the agent is by looking at the environment variable
# GPG_AGENT_INFO which should have been set during gpg-agent startup.
# In certain situations the use of this variable is not possible, thus
# the option
#
# --gpg-agent-info=::1
#
# may be used to override it.

enable-dsa2
personal-digest-preferences SHA256 RIPEMD160

From stebe at mailbox.org Tue Feb 2 21:11:20 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 2 Feb 2016 21:11:20 +0100 (CET)
Subject: PlussID Smartcard Reader
In-Reply-To: <56B0F041.2070707@chezgeek.fr>
References: <56B0F041.2070707@chezgeek.fr>
Message-ID: <477362145.18682.25f198e7-19d0-410d-abe0-0abd5a04aea1.open-xchange@office.mailbox.org>

Hi,

> Antoine Michard wrote on 2 February 2016 at 19:06:
>
>
> Hi all,
>
> Recently, I've bought a PlussID (or +ID) Smartcard reader on their
> website (http://www.pluss-id.com/). I bought it to use it on travel.
>
> I received it today and it's really, really tiny !!
>
> But, unfortunately it doesn't work with my OpenPGP Card 2.1 with 3 RSA
> 4096bits keys. I can read data on the card, I can enter my PIN but then
> I can't sign, decrypt or use any of my keys.
>
> What can I do to debug the smartcard reader ??
> Is it possible to resolve
> this ??

Unfortunately I cannot answer you in detail but have you checked
(particularly the Troubleshooting section)?

(1) https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

HTH

Stebe

From antoine.michard at chezgeek.fr Tue Feb 2 22:22:24 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Tue, 2 Feb 2016 22:22:24 +0100
Subject: PlussID Smartcard Reader
In-Reply-To: <477362145.18682.25f198e7-19d0-410d-abe0-0abd5a04aea1.open-xchange@office.mailbox.org>
References: <56B0F041.2070707@chezgeek.fr>
 <477362145.18682.25f198e7-19d0-410d-abe0-0abd5a04aea1.open-xchange@office.mailbox.org>
Message-ID: <56B11E10.5060208@chezgeek.fr>

I've found something and it is bad:

PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: OMNIKEY AG Smart Card Reader 00 00

Tue Feb 2 22:03:21 2016
Reader 0: OMNIKEY AG Smart Card Reader 00 00
...

So, the reader is an Omnikey, then I've found this:
Omnikey based readers don't work with that card because the readers
don't support Extended Length APDUs.
http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042566.html

I've contacted +ID support to know a little more about it.
It is worth nothing, this reader is very tiny and you can take it with
you everywhere (It's the size of little lighter).

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 02/02/2016 21:11, stebe at mailbox.org wrote:
> Hi,
>
>> Antoine Michard wrote on 2 February 2016 at 19:06:
>>
>>
>> Hi all,
>>
>> Recently, I've bought a PlussID (or +ID) Smartcard reader on their
>> website (http://www.pluss-id.com/). I bought it to use it on travel.
>>
>> I received it today and it's really, really tiny !!
>>
>> But, unfortunately it doesn't work with my OpenPGP Card 2.1 with 3 RSA
>> 4096bits keys. I can read data on the card, I can enter my PIN but then
>> I can't sign, decrypt or use any of my keys.
>>
>> What can I do to debug the smartcard reader ?? Is it possible to resolve
>> this ??
>
> Unfortunately I cannot answer you in detail but have you checked
> (particularly the Troubleshooting section)?
>
> (1) https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
>
> HTH
>
> Stebe
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From stebe at mailbox.org Tue Feb 2 22:41:58 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 2 Feb 2016 22:41:58 +0100 (CET)
Subject: Error when signing
In-Reply-To:
References: <56B0DE99.9030001@digitalbrains.com>
Message-ID: <414332712.18917.25f198e7-19d0-410d-abe0-0abd5a04aea1.open-xchange@office.mailbox.org>

Hi,

> Ludovic Hirlimann wrote on 2 February 2016 at 19:35:
>
>
> Sure I'm trying to gpg --edit-key XXXXXX
>
> Setup works with my other and older key.
>
> Ludo
>
> On Tue, Feb 2, 2016 at 5:51 PM, Peter Lebbing wrote:
>
> > On 02/02/16 13:47, Ludovic Hirlimann wrote:
> > > I've recently created a new key. When I try to sign with it I get the
> > > following error :
> >
> > Could you show the exact command you're trying, and also, do you have a
> > gpg.conf? If so, could you include it as well.
> >
> > Peter.
> >

I had problems downloading your gpg.conf, so I'm just guessing (sorry :-)

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.
#default-key XXXXXXX

Guess: Maybe you did uncomment it, created the new key and the older is
set as your default key

Cheers,
Stebe

From antoine.michard at chezgeek.fr Wed Feb 3 09:05:06 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Wed, 3 Feb 2016 09:05:06 +0100
Subject: PlussID Smartcard Reader
In-Reply-To: <56B11E10.5060208@chezgeek.fr>
References: <56B0F041.2070707@chezgeek.fr>
 <477362145.18682.25f198e7-19d0-410d-abe0-0abd5a04aea1.open-xchange@office.mailbox.org>
 <56B11E10.5060208@chezgeek.fr>
Message-ID: <56B1B4B2.1090909@chezgeek.fr>

Hi,

I've just tried on my Windows computer and it works !!!
So, It's the Omnikey linux driver... too bad :'(

Does someone have something new about it ?? Make it work maybe ??

Thanks

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 02/02/2016 22:22, Antoine Michard wrote:
> I've found something and it is bad:
>
> PC/SC device scanner
> V 1.4.23 (c) 2001-2011, Ludovic Rousseau
> Compiled with PC/SC lite version: 1.8.13
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: OMNIKEY AG Smart Card Reader 00 00
>
> Tue Feb 2 22:03:21 2016
> Reader 0: OMNIKEY AG Smart Card Reader 00 00
> ...
>
> So, the reader is an Omnikey, then I've found this:
> Omnikey based readers don't work with that card because the readers
> don't support Extended Length APDUs.
> http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042566.html
>
> I've contacted +ID support to know a little more about it.
> It is worth nothing, this reader is very tiny and you can take it with
> you everywhere (It's the size of little lighter).
>
> Antoine Michard
> GPG Key: 0xF5C9E7CD0882B381
>
> On 02/02/2016 21:11, stebe at mailbox.org wrote:
>> Hi,
>>
>>> Antoine Michard wrote on 2 February 2016 at 19:06:
>>>
>>>
>>> Hi all,
>>>
>>> Recently, I've bought a PlussID (or +ID) Smartcard reader on their
>>> website (http://www.pluss-id.com/). I bought it to use it on travel.
>>>
>>> I received it today and it's really, really tiny !!
>>>
>>> But, unfortunately it doesn't work with my OpenPGP Card 2.1 with 3 RSA
>>> 4096bits keys. I can read data on the card, I can enter my PIN but then
>>> I can't sign, decrypt or use any of my keys.
>>>
>>> What can I do to debug the smartcard reader ?? Is it possible to resolve
>>> this ??
>>
>> Unfortunately I cannot answer you in detail but have you checked
>> (particularly the Troubleshooting section)?
>>
>> (1) https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
>>
>> HTH
>>
>> Stebe
>>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From peter at digitalbrains.com Wed Feb 3 10:42:39 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 3 Feb 2016 10:42:39 +0100
Subject: Error when signing
In-Reply-To:
References: <56B0DE99.9030001@digitalbrains.com>
Message-ID: <56B1CB8F.9020604@digitalbrains.com>

On 02/02/16 19:35, Ludovic Hirlimann wrote:
> Sure I'm trying to gpg --edit-key XXXXXX
>
> Setup works with my other and older key.

Your gpg.conf seems okay, but when I download your key from the keyserver,
it's telling me that you revoked the key on the day you created it.

The error "secret key not available" is a bit misleading; I think perhaps
"available" here indicates "usable". You cannot sign with an expired key.

However, this explanation doesn't quite account for this output you got:

> gpg -K
> sec rsa4096/C3A81C07 2015-12-17
> uid [ultimate] Ludovic Hirlimann (work key)
> uid [ultimate] Ludovic Hirlimann
> uid [ultimate] Ludovic Hirlimann
> ssb rsa4096/FFC53A40 2015-12-17

Because it should say "revoked" for the UID validity.

So... why are you trying to sign with a key that appears to be revoked?
And did you revoke it on a different computer and not import the
revocation to this computer that still says "ultimate" for validity?

BTW, which version of GnuPG are you using, and on which platform?

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From antoine.michard at chezgeek.fr Wed Feb 3 12:04:18 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Wed, 3 Feb 2016 12:04:18 +0100
Subject: PlussID Smartcard Reader
In-Reply-To: <56B1B4B2.1090909@chezgeek.fr>
References: <56B0F041.2070707@chezgeek.fr>
 <477362145.18682.25f198e7-19d0-410d-abe0-0abd5a04aea1.open-xchange@office.mailbox.org>
 <56B11E10.5060208@chezgeek.fr>
 <56B1B4B2.1090909@chezgeek.fr>
Message-ID: <56B1DEB2.3010502@chezgeek.fr>

YESS !!!

It works with HID drivers:
x86 http://www.hidglobal.com/drivers/21277
x64 http://www.hidglobal.com/drivers/21278

If this can help someone later :D

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 03/02/2016 09:05, Antoine Michard wrote:
> Hi,
>
> I've just tried on my Windows computer and it works !!!
> So, It's the Omnikey linux driver... too bad :'(
>
> Does someone have something new about it ?? Make it work maybe ??
>
> Thanks
>
> Antoine Michard
> GPG Key: 0xF5C9E7CD0882B381
>
> On 02/02/2016 22:22, Antoine Michard wrote:
>> I've found something and it is bad:
>>
>> PC/SC device scanner
>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau
>> Compiled with PC/SC lite version: 1.8.13
>> Using reader plug'n play mechanism
>> Scanning present readers...
>> 0: OMNIKEY AG Smart Card Reader 00 00
>>
>> Tue Feb 2 22:03:21 2016
>> Reader 0: OMNIKEY AG Smart Card Reader 00 00
>> ...
>>
>> So, the reader is an Omnikey, then I've found this:
>> Omnikey based readers don't work with that card because the readers
>> don't support Extended Length APDUs.
>> http://lists.gnupg.org/pipermail/gnupg-users/2011-August/042566.html
>>
>> I've contacted +ID support to know a little more about it.
>> It is worth nothing, this reader is very tiny and you can take it with
>> you everywhere (It's the size of little lighter).
>>
>> Antoine Michard
>> GPG Key: 0xF5C9E7CD0882B381
>>
>> On 02/02/2016 21:11, stebe at mailbox.org wrote:
>>> Hi,
>>>
>>>> Antoine Michard wrote on 2 February 2016 at 19:06:
>>>>
>>>>
>>>> Hi all,
>>>>
>>>> Recently, I've bought a PlussID (or +ID) Smartcard reader on their
>>>> website (http://www.pluss-id.com/). I bought it to use it on travel.
>>>>
>>>> I received it today and it's really, really tiny !!
>>>>
>>>> But, unfortunately it doesn't work with my OpenPGP Card 2.1 with 3 RSA
>>>> 4096bits keys. I can read data on the card, I can enter my PIN but then
>>>> I can't sign, decrypt or use any of my keys.
>>>>
>>>> What can I do to debug the smartcard reader ?? Is it possible to resolve
>>>> this ??
>>>
>>> Unfortunately I cannot answer you in detail but have you checked
>>> (particularly the Troubleshooting section)?
>>>
>>> (1) https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
>>>
>>> HTH
>>>
>>> Stebe
>>>
>>
>>
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From rjh at sixdemonbag.org Wed Feb 3 21:12:59 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 3 Feb 2016 15:12:59 -0500
Subject: FAQ maintenance
Message-ID: <56B25F4B.4000603@sixdemonbag.org>

Time for my semi-regular FAQ perusing and updating.
I plan on updating the FAQ to include a link to the FSF's email security
guide, but that seems like such an unobjectionable change I'm not going to
kick it around the list for pre-approval. Beyond that, if there's anything
you've always thought the FAQ should mention, now's a great time to
suggest it. :)

From ineiev at gnu.org Thu Feb 4 06:16:16 2016
From: ineiev at gnu.org (Ineiev)
Date: Thu, 4 Feb 2016 00:16:16 -0500
Subject: FAQ maintenance
In-Reply-To: <56B25F4B.4000603@sixdemonbag.org>
References: <56B25F4B.4000603@sixdemonbag.org>
Message-ID: <20160204051612.GA2284@gnu.org>

On Wed, Feb 03, 2016 at 03:12:59PM -0500, Robert J. Hansen wrote:
> Time for my semi-regular FAQ perusing and updating.

Gorgeous!

> I plan on updating
> the FAQ to include a link to the FSF's email security guide,

Out of curiosity - have you reviewed the latest version of ESD?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL:

From antoine.michard at chezgeek.fr Thu Feb 4 08:23:00 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Thu, 4 Feb 2016 08:23:00 +0100
Subject: FAQ maintenance
In-Reply-To: <56B25F4B.4000603@sixdemonbag.org>
References: <56B25F4B.4000603@sixdemonbag.org>
Message-ID: <56B2FC54.5070908@chezgeek.fr>

Hi Robert,

It's a great idea to update the FAQ.

I propose to explain the different keys in the keyring:
- C for Certify. This key certifies all other keys in your keyring
- E for Encrypt. It's used for encryption/decryption. Be aware of the
  encryption subkey.
- S for Sign. This key is used to sign documents, messages, files, etc...
- A for Authentication. You can use this key to authenticate yourself
  to a server/desktop (SSH, PAM)

And some subtleties with subkeys, like you should always have a backup of
your encryption subkey.
Because GnuPG uses the latest key to encrypt, and even if you have an
encryption key in your master key, you couldn't decrypt it because it was
encrypted with your latest key, your subkey...

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 03/02/2016 21:12, Robert J. Hansen wrote:
> Time for my semi-regular FAQ perusing and updating. I plan on updating
> the FAQ to include a link to the FSF's email security guide, but that
> seems like such an unobjectionable change I'm not going to kick it
> around the list for pre-approval. Beyond that, if there's anything
> you've always thought the FAQ should mention, now's a great time to
> suggest it. :)
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From dsaklad at gnu.org Thu Feb 4 09:42:42 2016
From: dsaklad at gnu.org (Don Saklad)
Date: Thu, 04 Feb 2016 03:42:42 -0500
Subject: Glossary. Please add definitions to a Glossary...
Message-ID: <5ilh70zx19.fsf@fencepost.gnu.org>

Glossary

Please add definitions to an online Glossary... including even common
words used in particular ways or frequently with GnuPG beginning with

signature...


Making available any and all things that ease a task for uninitiated
folks include a Glossary for wording in instructional materials even
if only the top 10 terms.

From rjh at sixdemonbag.org Thu Feb 4 09:56:47 2016
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Thu, 4 Feb 2016 03:56:47 -0500
Subject: FAQ maintenance
In-Reply-To: <56B2FC54.5070908@chezgeek.fr>
References: <56B25F4B.4000603@sixdemonbag.org>
 <56B2FC54.5070908@chezgeek.fr>
Message-ID: <56B3124F.70505@sixdemonbag.org>

> I propose to explain the different key in the keyring:

As near as I can tell, this question isn't asked very frequently. If the
opinion of the list is that it is, though, I'll certainly add it. What
say y'all?

From dsaklad at gnu.org Thu Feb 4 10:11:00 2016
From: dsaklad at gnu.org (Don Warner Saklad)
Date: Thu, 04 Feb 2016 04:11:00 -0500
Subject: For GnuPG what would be a lexicon definition of... key
Message-ID: <5iio24zvq3.fsf@fencepost.gnu.org>

a. For GnuPG what would be a lexicon definition?... key

b. For GnuPG what would be a lexicon definition?... keyring

From rjh at sixdemonbag.org Thu Feb 4 10:29:17 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 4 Feb 2016 04:29:17 -0500
Subject: FAQ maintenance
In-Reply-To: <20160204051612.GA2284@gnu.org>
References: <56B25F4B.4000603@sixdemonbag.org>
 <20160204051612.GA2284@gnu.org>
Message-ID: <56B319ED.4010701@sixdemonbag.org>

> Out of curiosity - have you reviewed the latest version of ESD?

The FSF asked Patrick Brunschwig and me to review it prior to
publication. I don't know if Patrick turned in criticisms; I gave a
couple of pages' worth. I'm pleased with the end result.

From sampablokuper at riseup.net Thu Feb 4 16:07:03 2016
From: sampablokuper at riseup.net (Sam Pablo Kuper)
Date: Thu, 4 Feb 2016 15:07:03 +0000
Subject: lsign and sign
Message-ID: <56B36917.4090206@riseup.net>

On Sun, 4 Mar 2001, Werner Koch wrote:
> On Sun, 4 Mar 2001, Stefan Bellon wrote:
>> I've a short question concerning signing and lsigning. If you lsign a
>> key and afterwards (some time later) decide you want to export it and
>> therefore sign it, does the lsignature get marked exportable or is a
>> new signature created?
>
> Because that flag resides in the non hashed area, it is possible to
> change it without creating a new signature. However there is no
> code for this.

(See https://lists.gnupg.org/pipermail/gnupg-users/2001-March/007884.html )

Has this changed since 2001?

I like to use cert-levels[1] to record how carefully I have checked keys
that I wish to sign. In cases where the signee would prefer me not to
publicly reveal information about how carefully I have checked their
key[2], I would like to accommodate their wishes by signing with
cert-level 0 but still locally signing with the level appropriate to how
thoroughly I have checked their key, so that I have a signed record of
this for myself, in my keyring.

However, neither gpg nor gpg2 seem to let me do this. If I `sign`,
regardless of cert-level, and then try to `lsign`, then I get a message
along the lines:

> "User Name " was already signed by key DEADBEEF
> Nothing to sign with key DEADBEEF

Likewise, if I instead reverse the order and `lsign` first, then when I
run the `sign` command, I get:

> Your current signature on "User Name "
> is a local signature.
> Do you want to promote it to a full exportable signature? (y/N) N
> "User Name " was already signed by key DEADBEEF
> Nothing to sign with key DEADBEEF

Either way, GnuPG stymies me in my desire to `sign` and `lsign` the same
UID with different values.

It would be nice if GnuPG offered a way to `sign` and `lsign` with
different values, to handle the use case I have presented. Please could
you let me know if it already does, and I have missed this feature
somehow, or alternatively whether this feature is planned for a future
release?

Many thanks,

- spk

[1] I have my own set of key-signing principles, which at some point I
will probably post online. Based upon observation of other GnuPG users'
habits, many do not use cert-levels.
Of those who do, my level 1 is probably equivalent to most people's level 2; my level 2 probably equivalent to most people's level 3, and my level 3 is more extensive than my level 2. [2] E.g. as per https://www.debian-administration.org/users/dkg/weblog/98 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From stebe at mailbox.org Thu Feb 4 19:20:58 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Thu, 4 Feb 2016 19:20:58 +0100 (CET) Subject: Glossary. Please add definitions to a Glossary... In-Reply-To: <5ilh70zx19.fsf@fencepost.gnu.org> References: <5ilh70zx19.fsf@fencepost.gnu.org> Message-ID: <326654356.21896.5297ab48-d206-4aa0-9474-60eefc1fff0d.open-xchange@office.mailbox.org> Yes, that would be useful, and the wiki is the right place to publish it. I'll contribute to it, maybe it should be made available in different languages. Anyone else out there willing to lend a hand? Stebe > Don Saklad wrote on 4 February 2016 at 09:42: > > > Glossary > > Please add definitions to an online Glossary... including even common > words used in particular ways or frequently with GnuPG beginning with > > signature... > > > Making available any and all things that ease a task for uninitiated > folks include a Glossary for wording in instructional materials even > if only the top 10 terms.
> > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From david at gbenet.com Fri Feb 5 00:25:21 2016 From: david at gbenet.com (david at gbenet.com) Date: Thu, 4 Feb 2016 23:25:21 +0000 Subject: FAQ maintenance In-Reply-To: <56B319ED.4010701@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> Message-ID: <56B3DDE1.1050905@gbenet.com> On 04/02/16 09:29, Robert J. Hansen wrote: >> Out of curiosity - have you reviewed the latest version of ESD? > > The FSF asked Patrick Brunschwig and me to review it prior to > publication. I don't know if Patrick turned in criticisms; I gave a > couple of pages' worth. I'm pleased with the end result. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > A list of do's and don'ts - weird and impracticable keys common sense usage - common sense things to put in your gpg.conf :) David -- ?See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind.Stern, sane,every brain-cell perfect and complete even at the moment of death. No delusion.? https://linuxcounter.net/user/512854.html - http://gbenet.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xAAD8C47D.asc Type: application/pgp-keys Size: 5054 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From david at gbenet.com Fri Feb 5 00:26:57 2016 From: david at gbenet.com (david at gbenet.com) Date: Thu, 4 Feb 2016 23:26:57 +0000 Subject: FAQ maintenance In-Reply-To: <56B3124F.70505@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <56B2FC54.5070908@chezgeek.fr> <56B3124F.70505@sixdemonbag.org> Message-ID: <56B3DE41.8030606@gbenet.com> On 04/02/16 08:56, Robert J. Hansen wrote: >> I propose to explain the different key in the keyring: > > As near as I can tell, this question isn't asked very frequently. If > the opinion of the list is that it is, though, I'll certainly add it. > What say y'all? > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Yes David -- “See the sanity of the man! No gods, no angels, no demons, no body. Nothing of the kind. Stern, sane, every brain-cell perfect and complete even at the moment of death. No delusion.” https://linuxcounter.net/user/512854.html - http://gbenet.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From sampablokuper at riseup.net Fri Feb 5 01:36:52 2016 From: sampablokuper at riseup.net (Sam Pablo Kuper) Date: Fri, 5 Feb 2016 00:36:52 +0000 Subject: Obituary for Artikel 10 Grundgesetz on GnuPG website Message-ID: <56B3EEA4.4030207@riseup.net> At the bottom right-hand corner of many (all?) pages on the GnuPG website, the following image is present: https://www.gnupg.org/share/traueranzeige-g10_v2015.png It has an alt attribute that gives the text content of the image, and reads as follows: "Traueranzeige: Wir nehmen Abschied von einem sicher geglaubten Freund, dem | Fernmeldegeheimniss | (Artikel 10 Grundgesetz) | * 23. Mai 1949, + 18.
Dezember 2015" The image also has a title attribute that reads: "Article 10 of the German constitution (communication privacy) is not anymore with us." I would be grateful to know what happened (on 18 December 2015) to prompt the posting of this statement on the GnuPG website. I searched the archive but did not find an explanation. If that was a failure on my part, please post a URL to the relevant archived post to the list. Thank you, - spk -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From m.mansfeld at mansfeld-elektronik.de Fri Feb 5 04:56:53 2016 From: m.mansfeld at mansfeld-elektronik.de (Matthias Mansfeld) Date: Fri, 05 Feb 2016 04:56:53 +0100 Subject: Obituary for Artikel 10 Grundgesetz on GnuPG website In-Reply-To: <56B3EEA4.4030207@riseup.net> References: <56B3EEA4.4030207@riseup.net> Message-ID: <56B41D85.5364.42483B5@m.mansfeld.mansfeld-elektronik.de> On 5 Feb 2016 at 0:36, Sam Pablo Kuper wrote: > > At the bottom right-hand corner of many (all?) pages on the GnuPG > website, the following image is present: > https://www.gnupg.org/share/traueranzeige-g10_v2015.png > > It has an alt attribute that gives the text content of the image, and > reads as follows: > > "Traueranzeige: Wir nehmen Abschied von einem sicher geglaubten Freund, > dem | Fernmeldegeheimniss | (Artikel 10 Grundgesetz) | * 23. Mai 1949, + > 18. Dezember 2015" > > The image also has a title attribute that reads: > > "Article 10 of the German constitution (communication privacy) is not > anymore with us." > > I would be grateful to know what happened (on 18 December 2015) to > prompt the posting of this statement on the GnuPG website. This is the day when new (I say old zombie) data retention laws in Germany came in force (... again...) 
Article 10 of our Grundgesetz (= "German Constitution") used to cover privacy in telecommunication and generally all digital communication, "Fernmeldegeheimnis", but this seems to be more and more worthless with these old, new laws.... http://www.vorratsdatenspeicherung.de/content/view/46/42/lang,en/ https://de.wikipedia.org/wiki/Vorratsdatenspeicherung https://en.wikipedia.org/wiki/Telecommunications_data_retention (the last one is outdated...) > > I searched the archive but did not find an explanation. If that was a > failure on my part, please post a URL to the relevant archived post to > the list. > > Thank you, You're welcome :-) Matthias -- OpenPGP: http://www.mmmkm.de/gnupgkey/mmmkm.asc Fingerprint: B70C 2150 DC6E BD14 745E 67E9 3385 B312 E1C6 1D8D From sampablokuper at riseup.net Fri Feb 5 11:17:22 2016 From: sampablokuper at riseup.net (Sam Pablo Kuper) Date: Fri, 5 Feb 2016 10:17:22 +0000 Subject: Obituary for Artikel 10 Grundgesetz on GnuPG website In-Reply-To: <56B41D85.5364.42483B5@m.mansfeld.mansfeld-elektronik.de> References: <56B3EEA4.4030207@riseup.net> <56B41D85.5364.42483B5@m.mansfeld.mansfeld-elektronik.de> Message-ID: <56B476B2.2030509@riseup.net> On 05/02/16 03:56, Matthias Mansfeld wrote: > On 5 Feb 2016 at 0:36, Sam Pablo Kuper wrote: >> "Article 10 of the German constitution (communication privacy) is not >> anymore with us." >> >> I would be grateful to know what happened (on 18 December 2015) to >> prompt the posting of this statement on the GnuPG website. > > This is the day when new (I say old zombie) data retention laws in > Germany came in force (... again...) > > Article 10 of our Grundgesetz (= "German Constitution") used to cover > privacy in telecommunication and generally all digital communication, > "Fernmeldegeheimnis", but this seems to be more and more worthless > with these old, new laws....
> > http://www.vorratsdatenspeicherung.de/content/view/46/42/lang,en/ > https://de.wikipedia.org/wiki/Vorratsdatenspeicherung > https://en.wikipedia.org/wiki/Telecommunications_data_retention (the > last one is outdated...) Thank you! - spk From peter at digitalbrains.com Fri Feb 5 11:24:35 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 11:24:35 +0100 Subject: FAQ maintenance In-Reply-To: <56B3124F.70505@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <56B2FC54.5070908@chezgeek.fr> <56B3124F.70505@sixdemonbag.org> Message-ID: <56B47863.3030709@digitalbrains.com> On 04/02/16 09:56, Robert J. Hansen wrote: > What say y'all? When the GnuPG default was not to show the key usage, I would have said: unnecessary detail. In my opinion, in a very broad sense, the FAQ should be aimed at people sticking to the defaults, not the people who tinker. But now GnuPG shows the key usage by default. Personally, I would probably think "usage: SC? What is it telling me?". The GNU Privacy Handbook doesn't seem to mention it. The GnuPG 2.1 manual is not what I consider a guide for beginners, it's more of a reference. But anyway, I don't see it there either. I just quickly browsed through these two documents. I do think it should be documented in a document that a beginner ought to read. I don't know if it belongs in the FAQ; I would be equally satisfied with it being in the GNU Privacy Handbook. How well maintained is this latter document anyway? My 2 cents, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Fri Feb 5 11:55:25 2016 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Fri, 5 Feb 2016 05:55:25 -0500 Subject: FAQ maintenance In-Reply-To: <56B47863.3030709@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <56B2FC54.5070908@chezgeek.fr> <56B3124F.70505@sixdemonbag.org> <56B47863.3030709@digitalbrains.com> Message-ID: <56B47F9D.8080501@sixdemonbag.org> > When the GnuPG default was not to show the key usage, I would have said: > unnecessary detail. In my opinion, in a very broad sense, the FAQ should be > aimed at people sticking to the defaults, not the people who tinker. Let me put on the maintainer hat and speak ex cathedra a moment: The FAQ is aimed at Qs that are F Aed. The answers it provides are aimed at new and/or casual users, not tinkerers, and this focus will not change. Once a FAQ becomes a tinkering manual, the content explodes and so does the size of the maintainer's job. For my own sanity, I won't let it become a tinkering guide. > I do think it should be documented in a document that a beginner ought to read. > I don't know if it belongs in the FAQ; I would be equally satisfied with it > being in the GNU Privacy Handbook. I suspect the FAQ is appropriate. If we're going to present information to new users, we should anticipate them having questions about it. > How well maintained is [the GNU Privacy Handbook] anyway? It's not, as near as I can tell. Some of their GnuPG examples are from version 0.9.4, which is 17 years old. One would think periodic maintenance would have led to these examples being updated. For that reason, my suspicion is it's unmaintained. Further, I can't recall the last time I saw the maintainer (Mike Ashley) post here. From peter at digitalbrains.com Fri Feb 5 11:55:46 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 11:55:46 +0100 Subject: Glossary. Please add definitions to a Glossary...
In-Reply-To: <326654356.21896.5297ab48-d206-4aa0-9474-60eefc1fff0d.open-xchange@office.mailbox.org> References: <5ilh70zx19.fsf@fencepost.gnu.org> <326654356.21896.5297ab48-d206-4aa0-9474-60eefc1fff0d.open-xchange@office.mailbox.org> Message-ID: <56B47FB2.4030805@digitalbrains.com> On 04/02/16 19:20, stebe at mailbox.org wrote: > Yes, that would be useful, and the wiki is the right place to publish it. There's already a list of terms in the FAQ as well. "Signature" is not in it, but I don't think that's a Frequently Asked Question. The other word Don Saklad asked, "key", is there already. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Feb 5 11:55:39 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 11:55:39 +0100 Subject: FAQ maintenance In-Reply-To: <56B3DDE1.1050905@gbenet.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> Message-ID: <56B47FAB.4050304@digitalbrains.com> On 05/02/16 00:25, david at gbenet.com wrote: > A list of do's and don'ts Don't use --expert > - weird and impracticable keys ... Don't use --expert ;P > common sense usage - common sense Stick to the defaults > things to put in your gpg.conf :) keyserver ... And that's it. Really. Having a look at my own gpg.conf, there are two more things: default-key ... use-agent And those should not be needed for normal users, who only have a single key (I have a bunch of test keys to play with), and only use GnuPG 2.1 (I use 1.x to help people here on the list who use it). Like I said in the mail I just sent: in my opinion, in a very broad sense, the FAQ should be aimed at people sticking to the defaults, not the people who tinker. GnuPG is already more than complicated enough without drowning people in unnecessary detail. 
The defaults are reasonable; you should stick to them until you have very good reason not to. Otherwise it is very easy to shoot yourself in the foot. Or get lost and give up. So I don't think those things you mention should be in the FAQ. In fact, "things to put in gpg.conf" would seem directly opposed to: > 8.1 Does GnuPG need to be “tuned” before use? > > No. GnuPG has sensible defaults right out of the box. You don’t need to > tune GnuPG before you can use it. (from the FAQ) Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Fri Feb 5 12:01:38 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 5 Feb 2016 06:01:38 -0500 Subject: GNU Privacy Handbook In-Reply-To: <56B47863.3030709@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <56B2FC54.5070908@chezgeek.fr> <56B3124F.70505@sixdemonbag.org> <56B47863.3030709@digitalbrains.com> Message-ID: <56B48112.5030702@sixdemonbag.org> Looking over the GNU Privacy Handbook, it's clear it hasn't received any maintenance in a decade or more. According to it, DSA is limited to 1024-bit keys, RSA gets almost no mention, SKS gets no mention, and users are led to use the (closed-source, non-synchronizing) PGP Corporation keyserver. IMO, the GPH needs to be taken down. Documentation that badly out of date does no one any good. At the very least it needs top-to-bottom revisions. If Mike Ashley is no longer maintaining the GNU Privacy Handbook, I'm willing to take on the job.
From peter at digitalbrains.com Fri Feb 5 12:07:32 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 12:07:32 +0100 Subject: GNU Privacy Handbook In-Reply-To: <56B48112.5030702@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <56B2FC54.5070908@chezgeek.fr> <56B3124F.70505@sixdemonbag.org> <56B47863.3030709@digitalbrains.com> <56B48112.5030702@sixdemonbag.org> Message-ID: <56B48274.1050100@digitalbrains.com> On 05/02/16 12:01, Robert J. Hansen wrote: > IMO, the GPH needs to be taken down. I agree. I was composing a mail on the subject when I started... eh... composing a different mail on a different subject ;). Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Feb 5 12:23:05 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 12:23:05 +0100 Subject: FAQ maintenance In-Reply-To: <56B25F4B.4000603@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> Message-ID: <56B48619.3000907@digitalbrains.com> On 03/02/16 21:12, Robert J. Hansen wrote: > Beyond that, if there's anything > you've always thought the FAQ should mention, now's a great time to > suggest it. :) I just notice section 8.19. It says to verify a download: > gpg foo.zip.asc As became clear in this[1] discussion, you should always specify the file to be verified, as in "gpg foo.zip.asc foo.zip". Section 8.20 supposes GnuPG <2.1, by the way, since it plays around with the fact that --export uses the same format as a keyring. I think it should be rephrased to use --import instead of using the output of --export as a keyring. Furthermore, I think a reasonably often asked question is "Why can't I provide the password in a pipe to GnuPG anymore?". Old 1.4 allowed this, but 2.0 is incapable of it and 2.1 needs a loopback pinentry. 
But of course, the answer could instead say that it is very unlikely that it is more secure than just not using a passphrase. I don't have time right now to actually supply the text to use for these things, sorry. HTH, Peter. [1] https://lists.gnupg.org/pipermail/gnupg-users/2014-November/051333.html -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Fri Feb 5 12:32:24 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 12:32:24 +0100 Subject: FAQ maintenance In-Reply-To: <56B47FAB.4050304@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> Message-ID: <56B48848.40206@digitalbrains.com> On 05/02/16 11:55, Peter Lebbing wrote: > In fact, "things to put in gpg.conf" would seem directly opposed to: Okay, I take that back, since section 8.7 clearly shows options you could put in gpg.conf :). Regarding that section, I think > # Always add these two certificates to my recipients list. > encrypt-to 23806BE5D6B98E10 > encrypt-to 1DCBDC01B44427C7 should be rephrased to use fingerprints, not long keyid's. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Fri Feb 5 13:06:07 2016 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Fri, 5 Feb 2016 07:06:07 -0500 Subject: FAQ maintenance In-Reply-To: <56B48848.40206@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> Message-ID: <56B4902F.9070406@sixdemonbag.org> > Okay, I take that back, since section 8.7 clearly shows options you could put in > gpg.conf :). I confess to some slight misdirection here. Is that a valid gpg.conf file? Sure. Will it get someone in trouble? Probably not. But is it needed? Not really. :) > Regarding that section, I think > >> # Always add these two certificates to my recipients list. >> encrypt-to 23806BE5D6B98E10 >> encrypt-to 1DCBDC01B44427C7 > > should be rephrased to use fingerprints, not long keyid's. What's the justification? From peter at digitalbrains.com Fri Feb 5 13:22:51 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 13:22:51 +0100 Subject: FAQ maintenance In-Reply-To: <56B4902F.9070406@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> Message-ID: <56B4941B.4050703@digitalbrains.com> On 05/02/16 13:06, Robert J. Hansen wrote: > What's the justification? If somebody can create a long-keyID-collision, and you download your own key by that key ID and also import the other one, they might be able to be the one that gets "encrypted-to", I think? Another way to get on your keyring is when someone attaches "their" public key to an e-mail and you click import. 
If I just specify a key ID as encrypt-to in my gpg.conf, I don't get a warning like "It is NOT certain that the key belongs to the person", it just encrypts to a key with unknown validity without giving so much as a peep! So the usual "collisions are not a problem because the key is invalid" doesn't apply. You're stuck with the much weaker "your own key will probably be first in the keyring, so it will use that". I don't feel comfortable with such a weak assurance. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Fri Feb 5 13:34:42 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 5 Feb 2016 07:34:42 -0500 Subject: FAQ maintenance In-Reply-To: <56B4941B.4050703@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> Message-ID: <56B496E2.3080306@sixdemonbag.org> > If somebody can create a long-keyID-collision... That seems to be a big 'if' right now. Short collisions are easy; long ones are nontrivial. Or did I miss something? From peter at digitalbrains.com Fri Feb 5 13:40:40 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 13:40:40 +0100 Subject: FAQ maintenance In-Reply-To: <56B496E2.3080306@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> Message-ID: <56B49848.7050000@digitalbrains.com> On 05/02/16 13:34, Robert J. 
Hansen wrote: > Or did I miss something? No, I don't think so. But I was under the impression that for a while now, people were generally advised not to rely on the uniqueness of long key ID's. And since this seems to be all you rely on with encrypt-to, key validity not being a factor, it seems unwise to me. But it's your FAQ (and your gpg.conf apparently ;). And since I just stipulated the implications as far as I see them, I accept your judgement of the situation. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From oleg at gurevich.de Fri Feb 5 15:08:38 2016 From: oleg at gurevich.de (Oleg Gurevich) Date: Fri, 5 Feb 2016 15:08:38 +0100 Subject: GnuPG 2.1 how to delete card based secret key ? Message-ID: <56B4ACE6.3020503@gurevich.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi @all, with GnuPG modern (2.1) i can't delete anymore a secret key based on smartcard. Is there an known workaround ? by calling of: gpg --delete-secret-key ABCDEF123 ... Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y gpg: deleting secret key failed: Not possible with a card based key gpg: deleting secret subkey failed: Not possible with a card based key gpg: deleting secret subkey failed: Not possible with a card based key gpg: ABCDEF123: delete key failed: Not possible with a card based key Mit freundlichen Gr??en/ ? 
?????????/ best regards Oleg Gurevich PGP fingerprint: 38A0 D0CC BD23 1707 B0AF D158 E9D7 6E3F E74A 0B0C From peter at digitalbrains.com Fri Feb 5 19:36:17 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 5 Feb 2016 19:36:17 +0100 Subject: GnuPG 2.1 how to delete card based secret key ? In-Reply-To: <56B4ACE6.3020503@gurevich.de> References: <56B4ACE6.3020503@gurevich.de> Message-ID: <56B4EBA1.7010709@digitalbrains.com> On 05/02/16 15:08, Oleg Gurevich wrote: > with GnuPG modern (2.1) i can't delete anymore a secret key based on > smartcard. Is there an known workaround ? Do you want the key off your keyring or off your smartcard? Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From oleg at gurevich.de Fri Feb 5 19:51:08 2016 From: oleg at gurevich.de (Oleg Gurevich) Date: Fri, 5 Feb 2016 19:51:08 +0100 Subject: GnuPG 2.1 how to delete card based secret key ?
In-Reply-To: <56B4EBA1.7010709@digitalbrains.com> References: <56B4ACE6.3020503@gurevich.de> <56B4EBA1.7010709@digitalbrains.com> Message-ID: <8D63441E-8669-4F1D-B468-F24A8CB91C43@gurevich.de> ... to delete key from the keyring mit freundlichen Gr??en/ ? ?????????/ sincerely yours Oleg Gurevich PGP fingerprint: 38A0 D0CC BD23 1707 B0AF D158 E9D7 6E3F E74A 0B0C > On 05 Feb 2016, at 19:36, Peter Lebbing wrote: > >> On 05/02/16 15:08, Oleg Gurevich wrote: >> with GnuPG modern (2.1) i can't delete anymore a secret key based on >> smartcard. Is there an known workaround ? > > Do you want the key off your keyring or off your smartcard? > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4826 bytes Desc: not available URL: From rjh at sixdemonbag.org Sat Feb 6 12:51:35 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 6 Feb 2016 06:51:35 -0500 Subject: Minor FAQ updates Message-ID: <56B5DE47.6090400@sixdemonbag.org> Ineiev of the Free Software Foundation sent me some typos she noticed while composing a Russian translation. I incorporated these typo fixes and introduced a link to her Russian translation. Thank you, Ineiev! :) There are no other changes to speak of. The FAQ is current, the contents are accurate. This weekend I'll be drafting comments on the SCEA capabilities; once I have language I'll bring it to the list for final review before I incorporate it into the FAQ. Also, please think about what we want to do with the GNU Privacy Handbook. Peter and I both think it's badly out of date. I think it either needs to be taken down or else completely rewritten. If the list consensus is to keep it around but rewrite it, I'll volunteer to coordinate that task. 
(Samir Nassar contacted me to express his interest in helping with a rewrite, which I really appreciate; thanks, Samir!) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1016 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Sat Feb 6 13:08:50 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 6 Feb 2016 07:08:50 -0500 Subject: Documentation format Message-ID: <56B5E252.6070106@sixdemonbag.org> Since I seem to have become the doyen of documentation, I figure I should ask: what markup language and/or output formats should we be pursuing for future documentation work? The FAQ is currently written up in orgmode, which Werner is fond of. What you see on the web is orgmode-text put through an HTML translator. But, it also produces lousy print output. The FSF is really fond of their own standard, texinfo, which they prefer to be used for hardcopy and online documentation. I personally don't like texinfo; some people really like it. In its favor, it produces high-quality print output. It actually looks like a book when you print it off. I'm a big fan of LaTeX and PDF output. With a good layout package (like Tufte-Latex) you can get astonishing print quality and professional-looking layout. However, this comes at the expense of good HTML support. You'd have a hard time reading these docs on mobile devices, or at a text-only terminal that had no PDF reader. Another option: Open Document. For obvious reasons we can't choose Microsoft Word, but there are no liberty-related reasons to avoid Open Document. Does anyone have any particular preferences? 
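The encrypt-to point Peter Lebbing makes earlier in this thread (a key ID in gpg.conf selects a key with no validity check, so a full fingerprint is the safer selector) can be checked mechanically. The Python sketch below is an added example, not part of any message in this archive and not GnuPG code; the function names and the sample file are assumptions constructed for illustration, and only the two encrypt-to values are taken from the FAQ excerpt quoted in the thread.

```python
import re

# gpg.conf options whose argument selects a key. These are real GnuPG
# options; the set is a subset chosen for this example.
KEY_OPTIONS = {
    "encrypt-to", "hidden-encrypt-to", "default-key",
    "default-recipient", "recipient", "hidden-recipient", "local-user",
}

_HEX = re.compile(r"[0-9A-Fa-f]+")


def classify_keyspec(spec):
    """Classify a key selector by how strongly it pins one key.

    Returns 'fingerprint' (40 hex digits), 'long-keyid' (16),
    'short-keyid' (8) or 'other' (user ID, e-mail address, ...).
    """
    s = spec.strip().strip('"').rstrip("!")  # trailing '!' forces that exact key
    if s[:2].lower() == "0x":
        s = s[2:]
    # Fingerprints are often written in groups of four; only collapse the
    # spaces when the result really is 40 hex digits.
    compact = s.replace(" ", "")
    if len(compact) == 40 and _HEX.fullmatch(compact):
        return "fingerprint"
    if _HEX.fullmatch(s):
        return {16: "long-keyid", 8: "short-keyid"}.get(len(s), "other")
    return "other"


def audit_gpg_conf(text):
    """Return (line number, option, value, kind) for every key-selecting
    option in a gpg.conf whose value is not a full fingerprint."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        option = parts[0].lstrip("-")  # tolerate "--encrypt-to" as well
        if option not in KEY_OPTIONS or len(parts) < 2:
            continue
        value = parts[1].strip()
        kind = classify_keyspec(value)
        if kind != "fingerprint":
            findings.append((lineno, option, value, kind))
    return findings


# Constructed sample file. Only the two encrypt-to values come from the
# FAQ excerpt quoted in the thread; everything else is made up.
SAMPLE_GPG_CONF = """\
# Constructed sample for this example.
use-agent
# Always add these two certificates to my recipients list.
encrypt-to 23806BE5D6B98E10
encrypt-to 1DCBDC01B44427C7
# Constructed 40-digit value, not a real key's fingerprint.
default-key 0123456789ABCDEF0123456789ABCDEF01234567
# Constructed short key ID and e-mail style selectors.
recipient 0xDEADBEEF
default-recipient someone@example.org
"""

if __name__ == "__main__":
    for lineno, option, value, kind in audit_gpg_conf(SAMPLE_GPG_CONF):
        print(f"line {lineno}: {option} {value} is a {kind}; use the full fingerprint")
```

A clean result only shows that every key selector is a full fingerprint; whether it is the fingerprint of the intended key still has to be verified separately.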
From lachlan at twopif.net Sat Feb 6 13:14:37 2016 From: lachlan at twopif.net (Lachlan Gunn) Date: Sat, 6 Feb 2016 13:14:37 +0100 Subject: Documentation format In-Reply-To: <56B5E252.6070106@sixdemonbag.org> References: <56B5E252.6070106@sixdemonbag.org> Message-ID: I'm about to start writing some documentation in Docbook, so I can report back after that's done if you like. Thanks, Lachlan On 6 Feb 2016 at 13:12, "Robert J. Hansen" wrote: > Since I seem to have become the doyen of documentation, I figure I > should ask: what markup language and/or output formats should we be > pursuing for future documentation work? > > The FAQ is currently written up in orgmode, which Werner is fond of. > What you see on the web is orgmode-text put through an HTML translator. > But, it also produces lousy print output. > > The FSF is really fond of their own standard, texinfo, which they prefer > to be used for hardcopy and online documentation. I personally don't > like texinfo; some people really like it. In its favor, it produces > high-quality print output. It actually looks like a book when you print > it off. > > I'm a big fan of LaTeX and PDF output. With a good layout package (like > Tufte-Latex) you can get astonishing print quality and > professional-looking layout. However, this comes at the expense of good > HTML support. You'd have a hard time reading these docs on mobile > devices, or at a text-only terminal that had no PDF reader. > > Another option: Open Document. For obvious reasons we can't choose > Microsoft Word, but there are no liberty-related reasons to avoid Open > Document. > > Does anyone have any particular preferences? > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed...

From e.stanley at iragan.com Sat Feb 6 12:43:17 2016
From: e.stanley at iragan.com (Eugene Stanley)
Date: Sat, 6 Feb 2016 12:43:17 +0100
Subject: OpenPGP cards and on-device subkeys
Message-ID: <56B5DC55.8040703@iragan.com>

Hi there,

I would like to know if it's possible to obtain a setup like the following:

* master key on an OpenPGP smartcard
* an encryption subkey both on smartcard and on disk (laptop, phone etc)
* a signing subkey both on smartcard and on disk (laptop, phone etc)

In the best scenario one would be able to revoke the subkeys and generate new, without using an off-card copy of the master key, but as far as I understood that is not possible.

--
eugene

From guru at unixarea.de Sat Feb 6 15:01:34 2016
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 06 Feb 2016 15:01:34 +0100
Subject: Documentation format
In-Reply-To:
References: <56B5E252.6070106@sixdemonbag.org>
Message-ID: <0652699d-b221-4e90-972d-17d0a8b609a2@unixarea.de>

On Saturday, 6 February 2016 13:14:37 CET, Lachlan Gunn wrote:

>> ...
>> Does anyone have any particular preferences?

What about Markdown and gitbook? Here you have a living example:

https://www.gitbook.com/book/gurucubano/bq-aquaris-e-4-5-ubuntu-phone/details

matthias

--
Sent from my Ubuntu phone
http://www.unixarea.de/

From rjh at sixdemonbag.org Sat Feb 6 15:17:07 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 6 Feb 2016 09:17:07 -0500
Subject: Usage text
Message-ID: <56B60063.8040003@sixdemonbag.org>

Proposed FAQ language -- feel free to criticize, to suggest alternate phrasings, or anything else. :)

=====

Q: When I view my certificate I see letters like S, C, E, and A. What do they mean?

A: Your certificate contains two or more cryptographic keys. When attached to a certificate, we call them “subkeys”. Different subkeys get used for different sorts of tasks. There are four different tasks a subkey can perform.
It can

* Sign data, so others know it came from you
* Certify somebody else's certificate, so others can see you vouching for it
* Encrypt data to you
* Authenticate you to a computer system

For instance, looking at my own certificate, we see:

laptop:~ rjh$ gpg --edit-key rob at enigmail.net
Secret key is available.

sec  rsa3072/1DCBDC01B44427C7
     created: 2015-07-16  expires: never       usage: SC
     card-no: 0005 00000D18
     trust: ultimate      validity: ultimate
ssb  rsa3072/DC0F82625FA6AADE
     created: 2015-07-16  expires: never       usage: E
     card-no: 0005 00000D18
[ultimate] (1). Robert J. Hansen
[ultimate] (2)  Robert J. Hansen

Subkey 1DCBDC01B44427C7 can be used to sign data or certify other people's certificates; subkey DC0F82625FA6AADE can only be used to encrypt data.

You don't need to keep track of subkeys. GnuPG will never ask you for a specific subkey. Instead, GnuPG will ask you for a certificate ID. GnuPG will then use whichever subkey is appropriate for the task it's performing. If two or more subkeys are appropriate, it will use the newer one.

Q: None of my subkeys are marked “A”. Is this a problem?

A: No. Using GnuPG to authenticate yourself to a computer system is an advanced topic and only a few users will ever need it. For that reason, by default GnuPG does not mark subkeys as usable for authentication.

From rjh at sixdemonbag.org Sat Feb 6 15:44:53 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 6 Feb 2016 09:44:53 -0500
Subject: Minor FAQ updates
In-Reply-To: <56B5F64D.6030107@student.utwente.nl>
References: <56B5DE47.6090400@sixdemonbag.org> <56B5F64D.6030107@student.utwente.nl>
Message-ID: <56B606E5.1030606@sixdemonbag.org>

> And perhaps readers of the FAQ should be made aware (in the same
> section) that the old advice is no longer considered good practice,
> since the old advice is obviously all over the internet.

I agree, but this will be a substantive change.
For that reason I'm folding it into the substantive edits I'm making over the weekend, as opposed to the review-and-typo-hunt of this morning. :)

From sampablokuper at riseup.net Sat Feb 6 19:34:56 2016
From: sampablokuper at riseup.net (Sam Pablo Kuper)
Date: Sat, 6 Feb 2016 18:34:56 +0000
Subject: Documentation format
In-Reply-To: <56B5E252.6070106@sixdemonbag.org>
References: <56B5E252.6070106@sixdemonbag.org>
Message-ID: <56B63CD0.9070507@riseup.net>

On 06/02/16 12:08, Robert J. Hansen wrote:
> Since I seem to have become the doyen of documentation, I figure I
> should ask: what markup language and/or output formats should we be
> pursuing for future documentation work?

Thanks for working on the documentation :)

> The FAQ is currently written up in orgmode, which Werner is fond of.
> What you see on the web is orgmode-text put through an HTML translator.
> But, it also produces lousy print output.

Please can you expand on what you mean by saying that Org "produces lousy print output"?

> The FSF is really fond of their own standard, texinfo, which they prefer
> to be used for hardcopy and online documentation. I personally don't
> like texinfo; some people really like it. In its favor, it produces
> high-quality print output. It actually looks like a book when you print
> it off.

I'm not aware of any objections to Texinfo, except that it would mean switching away from Org. That could create hostages to fortune: people wanting to maintain GnuPG documentation in the future having to learn both mark-up formats; lack of clarity about which format they should use going forward, etc. If you dismiss Texinfo on that basis, fair enough.

However, if you dismiss it because you personally don't like it, it might be helpful for you to at least state your objections to it.

> I'm a big fan of LaTeX and PDF output. With a good layout package (like
> Tufte-Latex) you can get astonishing print quality and
> professional-looking layout.
> However, this comes at the expense of good
> HTML support. You'd have a hard time reading these docs on mobile
> devices, or at a text-only terminal that had no PDF reader.

Why not use LaTeX export for Org-mode, and get the best of both worlds?

> Another option: Open Document. For obvious reasons we can't choose
> Microsoft Word, but there are no liberty-related reasons to avoid Open
> Document.

Please don't pick a format whose documents do not begin life as human-readable plain-text files. That rules out DocBook, too.

As for other formats that *do* begin life as human-readable plain-text files (e.g. ReStructuredText, Groff, CommonMark, etc.), they all share the same problem as Texinfo. See above.

I vote for Org:

- GnuPG's lead developer likes Org & is, I would guess, more likely to engage with the documentation if it is in Org.
- Org text is very human-readable in any decent text editor.
- Org has flexible output into LaTeX, HTML and ODT formats, among others: http://orgmode.org/manual/Export-back_002dends.html .
- Org maintains consistency with the existing docs.

Thanks again :)

- spk

From sampablokuper at riseup.net Sat Feb 6 19:40:55 2016
From: sampablokuper at riseup.net (Sam Pablo Kuper)
Date: Sat, 6 Feb 2016 18:40:55 +0000
Subject: OpenPGP cards and on-device subkeys
In-Reply-To: <56B5DC55.8040703@iragan.com>
References: <56B5DC55.8040703@iragan.com>
Message-ID: <56B63E37.4010401@riseup.net>

On 06/02/16 11:43, Eugene Stanley wrote:
> I would like to know if it's possible to obtain a setup like the following:
>
> * master key on an OpenPGP smartcard

Yes. It would go in the signing key slot.

> * an encryption subkey both on smartcard and on disk (laptop, phone etc)

Yes.

> * a signing subkey both on smartcard and on disk (laptop, phone etc)

Yes, but not on the same OpenPGP smart card as the master key, as OpenPGP smart cards only have space for one signing key.

> In [this] scenario one would be able to revoke the subkeys and
> generate new, without using an off-card copy of the master key

I believe that is correct. Someone with more experience may want to verify this.

- spk

From rjh at sixdemonbag.org Sat Feb 6 22:11:24 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 6 Feb 2016 16:11:24 -0500
Subject: Documentation format
In-Reply-To: <56B63CD0.9070507@riseup.net>
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net>
Message-ID: <56B6617C.2040707@sixdemonbag.org>

I should preface this by saying that I'm not advocating we move away from org-mode. I don't have any aims in that direction. I really dislike org-mode's print output, but that's (IMO) insufficient reason to throw the entire thing out. I *do* think, though, that exploring other options is a good idea. :)

>> The FAQ is currently written up in orgmode, which Werner is fond of.
>> What you see on the web is orgmode-text put through an HTML translator.
>> But, it also produces lousy print output.
>
> Please can you expand on what you mean by saying that Org "produces
> lousy print output"?

My big annoyance comes from how org-mode silently mangles i18n. The FAQ uses UTF-8 encoding so that we can do the Right Thing with respect to languages. Right now we only rely on it in two places (presenting the Greek roots of the word 'cryptography'), but I can easily imagine it in more; for instance, if I have to credit a GnuPG-Users contributor named A?man, or talk about Merkle-Damgård hash functions, or Vigenère ciphers, or... etc.
Crypto is a truly international field, and so we need to expect/prepare for internationalized text.

When org-mode exports to LaTeX, most internationalized text falls out and goes boom. The Greek that's currently in the FAQ gets silently dropped, for instance. This *really really annoys me*, because it means that after I've done a detail read of the HTML version of the FAQ looking for errors I now have to do a detail read of the print version looking for errors introduced by org-mode's export filter.

(For the record: yes, I know why org-mode has trouble with i18n export to LaTeX. Yes, it's a hard problem. Yes, fixing it might not be worth the effort. All of this is true. None of it changes how annoyed I am by the bug, though.)

>> The FSF is really fond of their own standard, texinfo, which they prefer
>> to be used for hardcopy and online documentation. I personally don't
>> like texinfo; some people really like it. In its favor, it produces
>> high-quality print output. It actually looks like a book when you print
>> it off.
>
> I'm not aware of any objections to Texinfo, except that it would mean
> switching away from Org. That could create hostages to fortune: people
> wanting to maintain GnuPG documentation in the future having to learn
> both mark-up formats; lack of clarity about which format they should use
> going forward, etc. If you dismiss Texinfo on that basis, fair enough.

I don't like the way Texinfo looks on the page. It has a very 1970s textbook feel to it. It's also deeply married to very specific font families, and I think we can do a lot better. The world has mostly abandoned Computer Modern Roman, even Knuth -- he's moved on to his Concrete font family, for the most part.

>> Another option: Open Document. For obvious reasons we can't choose
>> Microsoft Word, but there are no liberty-related reasons to avoid Open
>> Document.
>
> Please don't pick a format whose documents do not begin life as
> human-readable plain-text files.
> That rules out DocBook, too.

Open Document is just XML, so it meets your requirement of a human-readable plain text file. Or do you really mean, "I don't like XML, so please don't use an XML-based standard"? :)

From p.lebbing at student.utwente.nl Sat Feb 6 14:34:05 2016
From: p.lebbing at student.utwente.nl (Peter Lebbing)
Date: Sat, 6 Feb 2016 14:34:05 +0100
Subject: Minor FAQ updates
In-Reply-To: <56B5DE47.6090400@sixdemonbag.org>
References: <56B5DE47.6090400@sixdemonbag.org>
Message-ID: <56B5F64D.6030107@student.utwente.nl>

On 06/02/16 12:51, Robert J. Hansen wrote:
> There are no other changes to speak of. The FAQ is current, the
> contents are accurate.

I disagree on one point. It's about this[1] thread from November 2014:

On 11/11/14 12:09, Werner Koch wrote:
> On Tue, 11 Nov 2014 11:00, peter at digitalbrains.com said:
>> If the warning is triggered by existence of a file without the
>> .sig extension, it does suggest to me that people should not rely
>> on the warning and thus always specify both the signature file and
>> the signed file on the command line. Because they might infer by
>> absence of the
>
> Indeed, this should always be done. [...]

Section 8.19 says:

> 3. Download the software package. Let’s assume it’s called
> “foo.zip”.
>
> 4. Download the detached signature for the package. Let’s assume it’s
> called “foo.zip.asc”.
>
> 5. Run:
>
> gpg foo.zip.asc
>
> GnuPG will assume the original file is in foo.zip. (If GnuPG can’t
> find foo.zip, GnuPG will prompt you for the name of the original
> package.) If all goes well, GnuPG will report good signatures and you
> may be confident you've received the package as the author intended.

I think this should be changed to read:

----------------8<--------->8----------------
[...]

5. Run:

gpg --verify foo.zip.asc foo.zip

This will verify foo.zip using the signature in foo.zip.asc.
If all goes well, GnuPG will report good signatures and you may be confident you've received the package as the author intended.
----------------8<--------->8----------------

And perhaps readers of the FAQ should be made aware (in the same section) that the old advice is no longer considered good practice, since the old advice is obviously all over the internet.

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2014-November/051401.html

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From sampablokuper at riseup.net Sat Feb 6 23:00:26 2016
From: sampablokuper at riseup.net (Sam Pablo Kuper)
Date: Sat, 6 Feb 2016 22:00:26 +0000
Subject: Documentation format
In-Reply-To: <56B6617C.2040707@sixdemonbag.org>
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org>
Message-ID: <56B66CFA.3030007@riseup.net>

On 06/02/16 21:11, Robert J. Hansen wrote:
>> Please can you expand on what you mean by saying that Org "produces
>> lousy print output"?
>
> My big annoyance comes from how org-mode silently mangles i18n. The FAQ
> uses UTF-8 encoding so that we can do the Right Thing with respect to
> languages. Right now we only rely on it in two places (presenting the
> Greek roots of the word 'cryptography'), but I can easily imagine it in
> more; for instance, if I have to credit a GnuPG-Users contributor named
> A?man, or talk about Merkle-Damgård hash functions, or Vigenère ciphers,
> or... etc. Crypto is a truly international field, and so we need to
> expect/prepare for internationalized text.
>
> When org-mode exports to LaTeX, most internationalized text falls out
> and goes boom. The Greek that's currently in the FAQ gets silently
> dropped, for instance.
> This *really really annoys me*, because it means
> that after I've done a detail read of the HTML version of the FAQ
> looking for errors I now have to do a detail read of the print version
> looking for errors introduced by org-mode's export filter.

Thanks for clarifying. I wasn't aware of these issues.

> (For the record: yes, I know why org-mode has trouble with i18n export
> to LaTeX. Yes, it's a hard problem. Yes, fixing it might not be worth
> the effort. All of this is true. None of it changes how annoyed I am
> by the bug, though.)

Do you happen to have links to the relevant bug reports, or other documentation of the issues?

Also, have you explored alternative pipelines from Org-mode to PDF? Maybe via ODT or Markdown, etc?

>>> [Texinfo] produces
>>> high-quality print output. It actually looks like a book when you print
>>> it off.
[...]
>
> I don't like the way Texinfo looks on the page. It has a very 1970s
> textbook feel to it.

Hm, you think it produces high-quality print output, but you don't like the way it looks on the page. Not a *direct* contradiction, maybe... ;)

> It's also deeply married to very specific font
> families, and I think we can do a lot better. The world has mostly
> abandoned Computer Modern Roman, even Knuth -- he's moved on to his
> Concrete font family, for the most part.

I take your point here, but I'd suggest it isn't a priority. People come to GnuPG for the cryptography, not the typography. So, Texinfo still seems a reasonable candidate.

>>> Another option: Open Document. For obvious reasons we can't choose
>>> Microsoft Word, but there are no liberty-related reasons to avoid Open
>>> Document.
>>
>> Please don't pick a format whose documents do not begin life as
>> human-readable plain-text files. That rules out DocBook, too.
>
> Open Document is just XML, so it meets your requirement of a
> human-readable plain text file. Or do you really mean, "I don't like
> XML, so please don't use an XML-based standard"?
> :)

I've spent enough time hand-editing XML documents in text editors and specialised XML editors that I've come to regard many XML languages as not significantly more human-readable than binaries. Compared to Org, ReST, CommonMark, MediaWiki mark-up, etc, they require much more mental overhead and/or editor configuration. Getting clean plain-text diffs from these languages, including from OpenDocument Text, can be a pain, which complicates revision control. Support for editing documents like this in non-graphical free software environments was poor, last time I checked.

It's up to you, of course - and maybe you like that sort of thing - but I would generally encourage you not to inflict this upon yourself, let alone anyone else :)

Thanks again,

- spk

From stebe at mailbox.org Sun Feb 7 00:38:54 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Sun, 7 Feb 2016 00:38:54 +0100 (CET)
Subject: Documentation format
In-Reply-To: <56B5E252.6070106@sixdemonbag.org>
References: <56B5E252.6070106@sixdemonbag.org>
Message-ID: <1039540526.10692.703e9d93-67ce-4153-ad87-aa7b0c9f8151.open-xchange@office.mailbox.org>

Hi,

> "Robert J. Hansen" wrote on 6 February 2016 at 13:08:
>
>
> Since I seem to have become the doyen of documentation, I figure I
> should ask: what markup language and/or output formats should we be
> pursuing for future documentation work?
> [...]
> Does anyone have any particular preferences?

I've been studying XML Schema (W3C standard, the official OASIS validation standard is RELAX-NG) for some time now and have been playing around with docbook5-xml, but I'm lacking practical application (i.e. experience). I'm still at it and will use it for a small installation and usage report for the Nitrokey with which I am about to create a new gpg pub key and for other docs I'd like to write.

So, for now, I just can give you a semi-professional opinion.
Docbook5-xml is fully xml-compliant, supersedes the somewhat limited DTDs by validating against XML schema (or, officially, Relax-NG) and is a well-known and applied standard in technical documentation, especially in computer science/industry, hard and soft.

As far as output is concerned, you can create (via XSLT, with xsltproc, for instance) other XML, HTML, XHTML and plain text documents. Using the XSL-FO formatting language (and an XSL-FO processor like Apache FOP) you can convert/render them to/as PDF, text and Postscript and thus the output is very professional.

The big advantage of any standard or markup language based on XML, in particular, is that XML is widely used as a universal data exchange format and an ideal basis for single source publishing (one file, several output formats).

Now to the question if you should use docbook5-xml. It depends. If you want to use it only for a single document like the GNU Privacy Handbook, I don't think that it would be worth learning it, as it requires too much effort of studying (eh, in fact, I don't know if you are already using it :-) compared to any other tool you might already know. But if you plan to write a lot of documentation, or even if one has to use it professionally (i.e. at work) I'd positively choose docbook5-xml.

Well, sorry for not being the old wise guy with 20 years of experience (pretty old yes, wise hmm), but that's what I can tell you.

Cheers,
Stebe

From rjh at sixdemonbag.org Sun Feb 7 05:59:23 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 6 Feb 2016 23:59:23 -0500
Subject: Documentation format
In-Reply-To: <56B66CFA.3030007@riseup.net>
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org> <56B66CFA.3030007@riseup.net>
Message-ID: <56B6CF2B.50303@sixdemonbag.org>

>> (For the record: yes, I know why org-mode has trouble with i18n export
>> to LaTeX. Yes, it's a hard problem. Yes, fixing it might not be worth
>> the effort.
>> All of this is true. None of it changes how annoyed I am
>> by the bug, though.)
>
> Do you happen to have links to the relevant bug reports, or other
> documentation of the issues?

I don't; for all I know nobody's reported it yet. (If that's the case, I should.) The problem stems from how orgmode assumes that downstream tools can parse UTF-8. LaTeX way predates UTF-8 and requires that foreign symbols be composed using TeX escape sequences. For orgmode to translate UTF-8 to LaTeX reliably would require it to keep track of an impractically large translation table: Greek characters, French, Cyrillic, grave and acute accents, circumflex composition, and more.

LaTeX is unique among document processing systems in that it can effortlessly represent the correct orthography for the rock group Spinal Tap (which uses a Turkish dotless lowercase i and a Jacaltec umlauted n), but that comes with a steep price: namely, its near complete inability to handle Unicode like the rest of the world.

> Also, have you explored alternative pipelines from Org-mode to PDF?
> Maybe via ODT or Markdown, etc?

I tried pandoc, but without good effect. I haven't explored it further.

> Hm, you think it produces high-quality print output, but you don't like
> the way it looks on the page. Not a *direct* contradiction, maybe... ;)

Sure! I also think Marisa Berenson is the most fashionable woman in the world... for 1967. Look at photographs of Marisa Berenson from the '60s and you'll be stunned at the fashion ensembles she wore: beautiful, striking, and memorable. But if you were to see someone walking down the street dressed like that, you'd think they came to the party about forty years late. :)

Typography is the fashion of literature. If you want to look good, you need to balance the timeless with the temporal. Texinfo looks really good for the 1970s, but by current standards it's pretty antiquated.

Typography and layout are, believe it or not, user interface issues.
If the user's response on seeing the printed documentation is "did this just fall out of the '70s?", they're probably going to start off with a negative impression of the work. To make documentation approachable and something that people actually want to read, you need to make it look like something current.

...

Incidentally, Marisa Berenson on the cover of _Vogue_ in the '60s. Safe for work.

http://iv1.lisimg.com/image/3906868/442full-marisa-berenson.jpg

> I take your point here, but I'd suggest it isn't a priority. People come
> to GnuPG for the cryptography, not the typography.

The old saw is "you can't judge a book by its cover". The old saw is wrong. Book publishers spend enormous amounts crafting their books so that you have a positive experience with it from the moment your eye lands on the cover in the bookstore.

Typography and layout matter.

From daniele at grinta.net Sun Feb 7 06:47:45 2016
From: daniele at grinta.net (Daniele Nicolodi)
Date: Sat, 6 Feb 2016 22:47:45 -0700
Subject: Documentation format
In-Reply-To: <56B6CF2B.50303@sixdemonbag.org>
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org> <56B66CFA.3030007@riseup.net> <56B6CF2B.50303@sixdemonbag.org>
Message-ID: <56B6DA81.3060107@grinta.net>

On 06/02/16 21:59, Robert J. Hansen wrote:
>>> (For the record: yes, I know why org-mode has trouble with i18n export
>>> to LaTeX. Yes, it's a hard problem. Yes, fixing it might not be worth
>>> the effort. All of this is true. None of it changes how annoyed I am
>>> by the bug, though.)
>>
>> Do you happen to have links to the relevant bug reports, or other
>> documentation of the issues?
>
> I don't; for all I know nobody's reported it yet. (If that's the case,
> I should.) The problem stems from how orgmode assumes that downstream
> tools can parse UTF-8. LaTeX way predates UTF-8 and requires that
> foreign symbols be composed using TeX escape sequences.
> For orgmode to
> translate UTF-8 to LaTeX reliably would require it to keep track of an
> impractically large translation table: Greek characters, French,
> Cyrillic, grave and acute accents, circumflex composition, and more.
>
> LaTeX is unique among document processing systems in that it can
> effortlessly represent the correct orthography for the rock group Spinal
> Tap (which uses a Turkish dotless lowercase i and a Jacaltec umlauted
> n), but that comes with a steep price: namely, its near complete
> inability to handle Unicode like the rest of the world.

LaTeX handles utf8 encoded input files with

\usepackage[utf8]{inputenc}

and on my system org-mode correctly produces utf8 encoded LaTeX files using that directive. It works just fine for the non-ascii characters contained in your examples a couple of messages up in the thread. Can you be more precise in describing the problem?

I would also suggest to look into the org-entities facility as a way to handle more complex cases:

http://orgmode.org/manual/Special-symbols.html

Cheers,
Daniele

From sampablokuper at riseup.net Sun Feb 7 11:33:05 2016
From: sampablokuper at riseup.net (Sam Pablo Kuper)
Date: Sun, 7 Feb 2016 10:33:05 +0000
Subject: Documentation format
In-Reply-To: <56B6CF2B.50303@sixdemonbag.org>
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org> <56B66CFA.3030007@riseup.net> <56B6CF2B.50303@sixdemonbag.org>
Message-ID: <56B71D61.8000402@riseup.net>

On 07/02/16 04:59, Robert J. Hansen wrote:
> The problem stems from how orgmode assumes that downstream
> tools can parse UTF-8.

I agree with Daniele's earlier reply. Using Org and LaTeX with UTF-8 would seem to be the best way forward.

>> Also, have you explored alternative pipelines from Org-mode to PDF?
>
> I tried pandoc, but without good effect. I haven't explored it further.

If Org export to LaTeX really truly is impossibly buggy, then I respectfully encourage exploring other Org export paths. Org export to ODT followed by LibreOffice headless conversion to PDF, for instance.

>> Hm, you think [Texinfo] produces high-quality print output, but you
>> don't like
>> the way it looks on the page. Not a *direct* contradiction, maybe... ;)
>
> Sure! I also think Marisa Berenson is the most fashionable woman in the
> world... for 1967. [...] Texinfo looks really
> good for the 1970s, but by current standards it's pretty antiquated.

Thanks, that's clearer now.

> Typography and layout are, believe it or not, user interface issues.

I believe it very strongly. I probably should have been clearer about that. Specifically, I should have said about typography in the context of GnuPG documentation, "I'd suggest it isn't top priority," rather than "I'd suggest it isn't a priority."

I believe that making the content concise, comprehensible and accessible is the top priority. Improving the appeal and comprehensibility further, by judicious use of free software typographical tools that other documentation volunteers will be able to work with in the future, is probably the next priority after that. More power to your elbow for taking on the task!

Best wishes, and thanks again for looking into it.

- spk

From tlikonen at iki.fi Sun Feb 7 06:16:54 2016
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sun, 07 Feb 2016 07:16:54 +0200
Subject: Documentation format
In-Reply-To: <56B6CF2B.50303__47976.7137011096$1454821290$gmane$org@sixdemonbag.org> (Robert J. Hansen's message of "Sat, 6 Feb 2016 23:59:23 -0500")
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org> <56B66CFA.3030007@riseup.net> <56B6CF2B.50303__47976.7137011096$1454821290$gmane$org@sixdemonbag.org>
Message-ID: <87k2mhksl5.fsf@iki.fi>

Robert J.
Hansen [2016-02-06 23:59:23-05] wrote:

> LaTeX way predates UTF-8 and requires that foreign symbols be composed
> using TeX escape sequences.

With \usepackage{fontspec} (etc.) and "xelatex" compiler you can use UTF-8 and Opentype fonts. No special composing for characters. See the fontspec package for more info: . They should be included in any Texlive distribution.

--
/// Teemu Likonen - .-..
//
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450
///

From wk at gnupg.org Mon Feb 8 12:28:07 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 08 Feb 2016 12:28:07 +0100
Subject: Documentation format
In-Reply-To: <56B6617C.2040707@sixdemonbag.org> (Robert J. Hansen's message of "Sat, 6 Feb 2016 16:11:24 -0500")
References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org>
Message-ID: <87d1s7fnlk.fsf@vigenere.g10code.de>

On Sat, 6 Feb 2016 22:11, rjh at sixdemonbag.org said:

> My big annoyance comes from how org-mode silently mangles i18n. The FAQ
> uses UTF-8 encoding so that we can do the Right Thing with respect to
> languages. Right now we only rely on it in two places (presenting the
> Greek roots of the word 'cryptography'), but I can easily imagine it in

I don't have any problems creating PDF via Latex from org-mode. As a German I use non-ASCII quite often and it just works. Depending on your TeX distribution you may run in some problems with some UTF-8 characters but

M-x org-entity-help

shows you the entities you can use to avoid these problems. If you notice problems with some characters, please add a fixme and briefly mention this in the commit log and I will go and fix it.

> I don't like the way Texinfo looks on the page. It has a very 1970s
> textbook feel to it.
> It's also deeply married to very specific font

I would actually like to drop Texinfo in favor of org-mode but there are two problems:

- There is no replacement for @deftypefun and I had no success to emulate this with macros.
- There is no support for indices in org-mode yet.

> Open Document is just XML, so it meets your requirement of a

XML is for machines and not for humans. We used to use Docbook in the 90ies but it was too hard to properly render it to get an output similar in quality to a TeX based document. A proper SGML DTD would have been okay for writing documents. With the stripped down XML version of Docbook you spend most of your time fixing the markup and rendering.

Shalom-Salam,

Werner

p.s. re. Markdown: There is no proper syntax and using the common comment character to indicate headers is at best a joke.

--
Thoughts are free. Exceptions are regulated by a federal law.

From peter at digitalbrains.com Tue Feb 9 11:24:06 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 9 Feb 2016 11:24:06 +0100
Subject: Usage text
In-Reply-To: <56B60063.8040003@sixdemonbag.org>
References: <56B60063.8040003@sixdemonbag.org>
Message-ID: <56B9BE46.5050707@digitalbrains.com>

On 06/02/16 15:17, Robert J. Hansen wrote:
> Proposed FAQ language -- feel free to criticize, to suggest alternate
> phrasings, or anything else. :)

While the primary key is certainly in a subordinate position to the certificate, I don't think it's common to refer to it as a subkey of the certificate? In my mind, you have the primary key, and zero or more subkeys.

So I suggest the following:

=====
--------------------8<-------------->8--------------------
Q: When I view my certificate I see letters like S, C, E, and A. What do they mean?

A: Your certificate contains two or more cryptographic keys. There's a primary key, and possibly several subkeys. Different keys get used for different sorts of tasks. There are four different tasks a key can perform.
It can

* (S)ign data, so others know it came from you
* (C)ertify somebody else's certificate, so others can see you vouching for it
* (E)ncrypt data to you
* (A)uthenticate you to a computer system

For instance, looking at my own certificate, we see:

laptop:~ rjh$ gpg --edit-key rob at enigmail.net
Secret key is available.

sec  rsa3072/1DCBDC01B44427C7
     created: 2015-07-16  expires: never  usage: SC
     card-no: 0005 00000D18
     trust: ultimate  validity: ultimate
ssb  rsa3072/DC0F82625FA6AADE
     created: 2015-07-16  expires: never  usage: E
     card-no: 0005 00000D18
[ultimate] (1). Robert J. Hansen
[ultimate] (2) Robert J. Hansen

Key 1DCBDC01B44427C7 can be used to sign data or certify other people's certificates; subkey DC0F82625FA6AADE can only be used to encrypt data.

The primary key is always the key to certify other people's certificates. This is never a task for a subkey.

You don't need to keep track of subkeys. GnuPG will never ask you for a specific key in a certificate. Instead, GnuPG will ask you for a certificate ID. GnuPG will then use whichever (sub)key is appropriate for the task it's performing. If two or more keys in the certificate are appropriate, it will use the newer one.
--------------------8<-------------->8--------------------

I also emphasized the first letters of the words. People who like certain puzzles will immediately notice the correspondence of the first letters of your itemization to the letters of the capabilities, but others might need to hunt for it before they get it. Typographically, it did suffer. Feel free to remove it, but you could also use boldface.

By the way, I think the abbreviations GnuPG uses are in favour of my interpretation of the word subkey:

pub - public key
sub - subkey
sec - secret key
ssb - secret subkey

Then again, I'm interpreting these terms coming from my view of the terminology, so it's a bit of a circular reasoning :).

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Tue Feb 9 11:38:39 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 9 Feb 2016 11:38:39 +0100 Subject: GnuPG 2.1 how to delete card based secret key ? In-Reply-To: <8D63441E-8669-4F1D-B468-F24A8CB91C43@gurevich.de> References: <56B4ACE6.3020503@gurevich.de> <56B4EBA1.7010709@digitalbrains.com> <8D63441E-8669-4F1D-B468-F24A8CB91C43@gurevich.de> Message-ID: <56B9C1AF.3060404@digitalbrains.com> On 05/02/16 19:51, Oleg Gurevich wrote: > ... to delete key from the keyring It doesn't work for me either. Your error message is a lot more descriptive, though. I just get: > $ gpg2 --delete-secret-keys de500b3e > gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc. > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. > > gpg: key "de500b3e" not found > gpg: de500b3e: delete key failed: Not found I can delete the public key; then the secret key is not listed anymore either. When I re-import my public key, it will instantly remember the card as well, so it was there all along :). I do need to set my trust again (not a surprise). But anyway... it's usually harmless, since all it is, is a note that if you need the secret key, it is located on card X. It will then prompt you to insert card X. There is nothing secret on the disk of the computer (unless you consider the fact you use a card and its serial number as a secret). So I'd suggest you let it be if you don't consider your card and serial number a secret. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at

From peter at digitalbrains.com Tue Feb 9 11:42:46 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 9 Feb 2016 11:42:46 +0100
Subject: OpenPGP cards and on-device subkeys
In-Reply-To: <56B63E37.4010401@riseup.net>
References: <56B5DC55.8040703@iragan.com> <56B63E37.4010401@riseup.net>
Message-ID: <56B9C2A6.5020801@digitalbrains.com>

On 06/02/16 19:40, Sam Pablo Kuper wrote:
>> In [this] scenario one would be able to revoke the subkeys and
>> generate new, without using an off-card copy of the master key
>
> I believe that is correct. [...]

You should just be able to use your smartcard to do all operations with
the master key on it, including generating and revoking subkeys. There
is one little snag: with GnuPG before 2.1, it's rather difficult to
spread one certificate over multiple smartcards. Once it sees one of the
two, it will mark the other keys as "not available" and never update it
when it subsequently sees the other smartcard. You need OpenPGP packet
surgery to transplant the correct data. GnuPG 2.1 does the right thing,
I believe.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From wk at gnupg.org Tue Feb 9 16:25:04 2016
From: wk at gnupg.org (Werner Koch)
Date: Tue, 09 Feb 2016 16:25:04 +0100
Subject: [Announce] Libgcrypt 1.6.5 with security fix released
Message-ID: <87h9hhdhyn.fsf@vigenere.g10code.de>

Hello!

The GNU project is pleased to announce the availability of Libgcrypt
version 1.6.5. This is a security fix release to mitigate a new side
channel attack.

Libgcrypt is a general purpose library of cryptographic building
blocks. It does not provide any implementation of OpenPGP or other
protocols. Thorough understanding of applied cryptography is required
for proper use of Libgcrypt.

Noteworthy changes in version 1.6.5
===================================

 * Mitigate side-channel attack on ECDH with Weierstrass curves
   [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
   details.

 * Fix build problem on Solaris.

Download
========

Please follow the instructions found at or read on:

Libgcrypt may be downloaded from one of the GnuPG mirror sites or
from its primary FTP server. The list of mirrors can be found at .
Note that Libgcrypt is not available at ftp.gnu.org.

The Libgcrypt source code compressed using BZIP2 and its OpenPGP
signature are available here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.5.tar.bz2 (2490k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.5.tar.bz2.sig

or here:

 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.6.5.tar.bz2 (2490k)
 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.6.5.tar.bz2.sig

The same source code but compressed with the older GZIP algorithm is
available here:

 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.5.tar.gz (2901k)
 ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.5.tar.gz.sig

The affected ECDH algorithm is for example used by GnuPG 2.1 (modern).
An update of Libgcrypt is sufficient to fix this for GnuPG. We have
also updated the Windows installer of that GnuPG version to include
this fixed version of Libgcrypt:

 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.11_20160209.exe (2630k)
 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.11_20160209.exe.sig

or here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.11_20160209.exe (2630k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.11_20160209.exe.sig

The source used to build that Windows installer can be found in the
same directory with a ".tar.xz" suffix.

Checking the Integrity
======================

In order to check that the version of Libgcrypt you are going to build
is an original and unmodified one, you can do it in one of the
following ways:

 * Check the supplied OpenPGP signature. For example to check the
   signature of the file libgcrypt-1.6.5.tar.bz2 you would use this
   command:

     gpg --verify libgcrypt-1.6.5.tar.bz2.sig libgcrypt-1.6.5.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys. Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See below for information on the signing keys.

 * If you are not able to use GnuPG, you have to verify the SHA-1
   checksum. On Unix systems the command to do this is either
   "sha1sum" or "shasum". Assuming you downloaded the file
   libgcrypt-1.6.5.tar.bz2, you run the command like this:

     sha1sum libgcrypt-1.6.5.tar.bz2

   and check that the output matches the first line from the
   following list:

c3a5a13e717f7b3e3895650afc1b6e0d3fe9c726 libgcrypt-1.6.5.tar.bz2
765370d9ee9e858c257dc06c3f0621bda8acaf69 libgcrypt-1.6.5.tar.gz
89bd31652d370ba69ac27b42b4d474d7edd9e0ea gnupg-w32-2.1.11_20160209.exe
0a81d3a7b404299f651bf6f6540176b00d0a3967 gnupg-w32-2.1.11_20160209.tar.xz

Release Signing Keys
====================

To guarantee that a downloaded Libgcrypt version has not been tampered
with by malicious entities we provide signature files for all tarballs.
The keys are also signed by the long term keys of their respective
owners. Current releases are signed by one or more of these four keys:

 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
 Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
 Werner Koch (dist sig)

 rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
 Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
 David Shaw (GnuPG Release Signing Key)

 rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28]
 Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
 NIIBE Yutaka (GnuPG Release Key)

 rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
 Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
 Werner Koch (Release Signing Key)

You may retrieve these keys from a keyserver using this command

 gpg --keyserver hkp://keys.gnupg.net --recv-keys \
     249B39D24F25E3B6 04376F3EE0856959 \
     2071B08A33BD3F06 8A861B1C7EFD60D9

The keys are also available at and in any recently released GnuPG
tarball in the file g10/distsigkey.gpg . Note that this mail has been
signed by a different key.

Copying
=======

Libgcrypt is distributed under the terms of the GNU Lesser General
Public License (LGPLv2.1+). The helper programs as well as the
documentation are distributed under the terms of the GNU General Public
License (GPLv2+). The file LICENSES has notices about contributions
that require that these additional notices are distributed.

Support
=======

For help on developing with Libgcrypt you should read the included
manual and optionally ask on the gcrypt-devel mailing list [1]. A
listing with commercial support offers for Libgcrypt and related
software is available at the GnuPG web site [2].

If you are a developer and you may need a certain feature for your
project, please do not hesitate to bring it to the gcrypt-devel mailing
list for discussion.

Please consult the archive of the gcrypt-devel mailing list before
reporting a bug . We suggest to send bug reports for a new release to
this list in favor of filing a bug at . For commercial support
requests we keep a list of known service companies at:

 https://gnupg.org/service.html

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gcrypt-devel mailing list for
discussion.

Maintenance and development of Libgcrypt is mostly financed by
donations. We currently employ 3 full-time developers, one part-timer,
and one contractor. They all work on GnuPG and closely related software
like Libgcrypt. Please see https://gnupg.org/donate/ on how you can
help.

Thanks
======

We have to thank all the people who helped with this release, be it
testing, coding, suggesting, auditing, administering the servers,
spreading the word, answering questions on the mailing lists, and
donating money. Niibe Yutaka did most of the work on fixing the side
channel attack. Special thanks to Daniel Genkin, Lev Pachmanov, Itamar
Pipman, and Eran Tromer for notifying us about their attack in advance
and testing the fix.

For the Libgcrypt hackers,

 Werner

p.s.
This is an announcement only mailing list. Please send replies only to
the gcrypt-devel at gnupg.org mailing list.

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
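The signature check described in the announcement above, as an added example (not part of the original message and not code from the GnuPG project): it accepts a release only when gpg reports a valid signature whose primary key is one of the four release signing key fingerprints listed in the announcement. The function names, the script layout and the SAMPLE_STATUS lines are assumptions made here; the status lines follow GnuPG's documented --status-fd format.

```shell
#!/bin/sh
# Added example: pin the release signing keys instead of relying on
# whichever "Good signature" line gpg happens to print.

# Fingerprints of the four release signing keys, copied from the
# announcement above with the spaces removed.
RELEASE_KEYS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6"
RELEASE_KEYS="$RELEASE_KEYS 46CC730865BB5C78EBABADCF04376F3EE0856959"
RELEASE_KEYS="$RELEASE_KEYS 031EC2536E580D8EA286A9F22071B08A33BD3F06"
RELEASE_KEYS="$RELEASE_KEYS D238EA65D64C67ED4C3073F28A861B1C7EFD60D9"

# Constructed sample of status output for a good signature made by the
# "Werner Koch (Release Signing Key)" key; the timestamps are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8A861B1C7EFD60D9 Werner Koch (Release Signing Key)
[GNUPG:] VALIDSIG D238EA65D64C67ED4C3073F28A861B1C7EFD60D9 2016-02-09 1455031504 0 4 0 1 8 00 D238EA65D64C67ED4C3073F28A861B1C7EFD60D9'

# check_status: read "gpg --status-fd 1 --verify" output on stdin.
# Succeeds only if at least one VALIDSIG names a pinned primary key and
# no signature is bad, unverifiable, expired, or made by an expired or
# revoked key. Rejecting on any ERRSIG is a strict policy chosen for
# this example.
check_status() {
    awk -v keys="$RELEASE_KEYS" '
        BEGIN {
            n = split(keys, k, " ")
            for (i = 1; i <= n; i++) pinned[k[i]] = 1
        }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the fingerprint of the key that signed; field 12,
            # when present, is the primary key fingerprint (the two differ
            # when a signing subkey was used).
            fpr = (NF >= 12) ? $12 : $3
            if (fpr in pinned) good = 1
        }
        END { exit !(good && !bad) }
    '
}

# verify_release SIGFILE TARBALL
# Runs gpg with the options placed before the --verify command and feeds
# the machine-readable status lines to check_status.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Usage: sh verify-release.sh libgcrypt-1.6.5.tar.bz2.sig libgcrypt-1.6.5.tar.bz2
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by a pinned release signing key"
    else
        echo "REJECTED: no acceptable signature from a pinned key" >&2
        exit 1
    fi
fi
```

The release signing keys must already be in the local keyring; a signature from a key that is valid but not in the pinned list is rejected.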
From e.stanley at iragan.com Tue Feb 9 20:46:44 2016 From: e.stanley at iragan.com (Eugene Stanley) Date: Tue, 9 Feb 2016 20:46:44 +0100 Subject: OpenPGP cards and on-device subkeys In-Reply-To: <56B9C2A6.5020801@digitalbrains.com> References: <56B5DC55.8040703@iragan.com> <56B63E37.4010401@riseup.net> <56B9C2A6.5020801@digitalbrains.com> Message-ID: <56BA4224.5000204@iragan.com> On 09/02/16 11:42, Peter Lebbing wrote: > On 06/02/16 19:40, Sam Pablo Kuper wrote: >>> In [this] scenario one would be able to revoke the subkeys and >>> generate new, without using an off-card copy of the master key >> I believe that is correct. [...] > You should just be able to use your smartcard to do all operations with > the master key on it, including generating and revoking subkeys. There > is one little snag: with GnuPG before 2.1, it's rather difficult to > spread one certificate over multiple smartcards. Once it sees one of the > two, it will mark the other keys as "not available" and never update it > when it subsequently sees the other smartcard. You need OpenPGP packet > surgery to transplant the correct data. GnuPG 2.1 does the right thing, > I believe. Thanks for the answer, I think I will go for the approach proposed by Sam Pablo. I am indeed inclined to use GnuPG 2.1 as much as possible, as I see it wasteful to have to remember both commands' syntax. It is not possible to export an on-card subkey, thus I was asking how to properly do this by having a subkey existing both on-key and off-key, but possibly never the master key.
I estimate a compromise/revocation of the subkey as affordable, while doing the same for the master key should be avoided as much as possible through best practices. -- eugene > HTH, > > Peter. > From e.stanley at iragan.com Tue Feb 9 20:53:41 2016 From: e.stanley at iragan.com (Eugene Stanley) Date: Tue, 9 Feb 2016 20:53:41 +0100 Subject: OpenPGP cards and on-device subkeys In-Reply-To: <56B63E37.4010401@riseup.net> References: <56B5DC55.8040703@iragan.com> <56B63E37.4010401@riseup.net> Message-ID: <56BA43C5.7000000@iragan.com> On 06/02/16 19:40, Sam Pablo Kuper wrote: > On 06/02/16 11:43, Eugene Stanley wrote: >> I would like to know if it's possible to obtain a setup like the following: >> >> * master key on an OpenPGP smartcard > Yes. It would go in the signing key slot. If it's the master key then I see it described as "SCA", not just "S". > >> * an encryption subkey both on smartcard and on disk (laptop, phone etc) > Yes. Unfortunately the procedure to achieve this is everything but simple, as I noticed that when exporting subkeys gpg does not export the master signature as well. This was a surprise, but again - maybe I didn't properly RTFM and use the features right. Some online sources suggest using gpgsplit to do this correctly. I would think that the use-case I described is common enough to be verbosely documented somewhere, but this is not the case; apparently most people either just keep a copy of the master key on multiple devices or use some product like yubikey. I would have preferred a master key that has ever only existed on-card with expendable subkeys on-card and off-card. >> * a signing subkey both on smartcard and on disk (laptop, phone etc) > Yes, but not on the same OpenPGP smart card as the master key, as > OpenPGP smart cards only have space for one signing key. I am currently using a single openpgp smartcard (v2), so this is a bit disappointing, but I do understand why. 
-- eugene > >> In [this] scenario one would be able to revoke the subkeys and >> generate new, without using an off-card copy of the master key > I believe that is correct. Someone with more experience may want to > verify this. > > - spk > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From ml.throttle at xoxy.net Tue Feb 9 20:52:27 2016 From: ml.throttle at xoxy.net (Helmut Waitzmann) Date: Tue, 09 Feb 2016 20:52:27 +0100 Subject: Does gnupg-users receive all messages sent to gnupg-announce as well? Message-ID: <877fidiru2.fsf@helmutwaitzmann.news.arcor.de> Hello, administrators of the mailinglist. I'd like to know: Will every message, that is sent to , be delivered to all subscribers of as well, or, the other way round, will I miss any articles in , if I only subscribe to ? Thanks in advance, Helmut Waitzmann From dsaklad at gnu.org Wed Feb 10 15:37:24 2016 From: dsaklad at gnu.org (Don Warner Saklad) Date: Wed, 10 Feb 2016 09:37:24 -0500 Subject: By Tom Simonite. Why the Policy Fight over Encryption Is at an Impasse. The next U.S. government looks set to inherit the ongoing fight over whether the government should rein in encryption. Message-ID: <5isi10ws0r.fsf@fencepost.gnu.org> By Tom Simonite Why the Policy Fight over Encryption Is at an Impasse The next U.S. government looks set to inherit the ongoing fight over whether the government should rein in encryption https://www.technologyreview.com/s/600756/why-the-policy-fight-over-encryption-is-at-an-impasse/ From peter at digitalbrains.com Wed Feb 10 16:27:52 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 10 Feb 2016 16:27:52 +0100 Subject: By Tom Simonite. 
Why [snip] In-Reply-To: <5isi10ws0r.fsf@fencepost.gnu.org> References: <5isi10ws0r.fsf@fencepost.gnu.org> Message-ID: <56BB56F8.9060308@digitalbrains.com> A friendly reminder: On this list, it's encouraged to post at the least an excerpt of the text, not just a link and nothing more. Also, I think I'm not the only one who would rather see a subject line contain maybe 60 characters at a maximum... Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From muri+gnupg-users at immerda.ch Wed Feb 10 16:52:26 2016 From: muri+gnupg-users at immerda.ch (Muri Nicanor) Date: Wed, 10 Feb 2016 16:52:26 +0100 Subject: Expiration date of key signature Message-ID: <56BB5CBA.9010803@immerda.ch> hello gnupg-users, if i want to sign a gpg-key, how do i set an expiration date for that signature? i haven't found anything in the documentation about characteristics of signatures other than the option --ask-cert-level. i'm on debian stretch with gpg 1.4.20 thanks & cheers, muri From peter at digitalbrains.com Wed Feb 10 18:41:19 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Wed, 10 Feb 2016 18:41:19 +0100 Subject: Expiration date of key signature In-Reply-To: <56BB5CBA.9010803@immerda.ch> References: <56BB5CBA.9010803@immerda.ch> Message-ID: <56BB763F.6040008@digitalbrains.com> On 10/02/16 16:52, Muri Nicanor wrote: > if i want to sign a gpg-key, how do i set an expiration date for that > signature? From the man page of GnuPG 1.4 on Debian Jessie: > --ask-cert-expire > > --no-ask-cert-expire > When making a key signature, prompt for an expiration time. If > this option is not specified, the expiration time set via > --default-cert-expire is used. --no-ask-cert-expire disables this > option. > > --default-cert-expire > The default expiration time to use for key signature expiration.
> Valid values are "0" for no expiration, a number followed by the > letter d (for days), w (for weeks), m (for months), or y (for > years) (for example "2m" for two months, or "5y" for five years), > or an absolute date in the form YYYY-MM-DD. Defaults to "0". I think this is what you need. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From ineiev at gnu.org Wed Feb 10 19:58:26 2016 From: ineiev at gnu.org (Ineiev) Date: Wed, 10 Feb 2016 13:58:26 -0500 Subject: Minor FAQ updates In-Reply-To: <56B5DE47.6090400@sixdemonbag.org> References: <56B5DE47.6090400@sixdemonbag.org> Message-ID: <20160210185826.GE25971@gnu.org> On Sat, Feb 06, 2016 at 06:51:35AM -0500, Robert J. Hansen wrote: > Ineiev of the Free Software Foundation sent me some typos I feel I ought to disclaim: I do volunteer for the GNU project (including some unimpressive but prominent tasks) and take part in a few FSF's campaigns, however, technically I'm but FSF's volunteer like you. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: Digital signature URL: From muri+gnupg-users at immerda.ch Wed Feb 10 21:54:01 2016 From: muri+gnupg-users at immerda.ch (Muri Nicanor) Date: Wed, 10 Feb 2016 21:54:01 +0100 Subject: Expiration date of key signature In-Reply-To: <56BB763F.6040008@digitalbrains.com> References: <56BB5CBA.9010803@immerda.ch> <56BB763F.6040008@digitalbrains.com> Message-ID: <56BBA369.9060305@immerda.ch> On 02/10/2016 06:41 PM, Peter Lebbing wrote: > On 10/02/16 16:52, Muri Nicanor wrote: >> if i want to sign a gpg-key, how do i set an expiration date for that >> signature? > > From the man page of GnuPG 1.4 on Debian Jessie: >> --ask-cert-expire >> >> --no-ask-cert-expire [...] >> --default-cert-expire [...] > > I think this is what you need. yes! thanks a lot! 
cheers, muri From gnupgpacker at on.yourweb.de Thu Feb 11 11:00:39 2016 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Thu, 11 Feb 2016 11:00:39 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <5677D7D5.4010205@digitalbrains.com> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> <5677D7D5.4010205@digitalbrains.com> Message-ID: <000101d164b3$0f851ac0$2e8f5040$@on.yourweb.de> Thanks for hint! > From: Peter Lebbing [mailto:peter at digitalbrains.com] > Install GnuPG 1.4 alongside 2.1 and manually sync all keys from GnuPG > 2.1 to 1.4, with for instance: > $ gpg2 --export | gpg --import I did get it running even on Windows: gpg2\gpg2.exe --export --output C:\temp\exported.keys gpg14\gpg.exe --import C:\temp\exported.keys BUT: If a key is deleted in Gpg2 version of keyring, with the above method it is NOT deleted in Gpg's keyring while importing. So is there an option for 'synchronisation' while importing (e.g. deleted keys in source export will be deleted while importing)? Thx + regards, Chris From peter at digitalbrains.com Thu Feb 11 12:29:29 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 11 Feb 2016 12:29:29 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <000101d164b3$0f851ac0$2e8f5040$@on.yourweb.de> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> <5677D7D5.4010205@digitalbrains.com> <000101d164b3$0f851ac0$2e8f5040$@on.yourweb.de> Message-ID: <56BC7099.5090505@digitalbrains.com> First of all... it was established in this thread that you could not share the key store between GnuPG 2.1 and 1.4. Why is that the case? I can happily do that here on Linux. The only gotcha is that you don't profit from the speed gains GnuPG 2.1 gets from the new format of the key store. 
Oh, and there might be some issues with elliptic curve keys as 1.4 can't work with those, but I think it just means GnuPG 1.4 will complain a bit and not be able to use the elliptic curve keys, but otherwise keep working. Perhaps I missed a message in the thread, or I'm missing some knowledge about Windows. If you were to delete your GnuPG homedir to start fresh (backups though!), then import keys in 1.4 before you ever start 2.1, wouldn't 2.1 simply pick up the old key store format from 1.4 and work with that? That would seem the best option here if that were possible... On 11/02/16 11:00, gnupgpacker wrote: > I did get it running even on Windows: gpg2\gpg2.exe --export --output > C:\temp\exported.keys gpg14\gpg.exe --import C:\temp\exported.keys A word of warning: the best way to phrase the first command is as: gpg2\gpg2.exe --output C:\temp\exported.keys --export Options come before commands. After --export, you specify which keys to export. Some common reorderings are recognised and "fixed for you", but it might bite you with a different command. So: options come before commands! Furthermore, pipes do generally work on Windows. The last time I did anything at a command prompt in Windows is seriously long ago, though. Wouldn't this work? gpg2\gpg2.exe --export | gpg14\gpg.exe --import > BUT: If a key is deleted in Gpg2 version of keyring, with the above > method it is NOT deleted in Gpg's keyring while importing. Yes, --import is to add keys to your keyring or update existing keys with new information. > So is there an option for 'synchronisation' while importing (e.g. > deleted keys in source export will be deleted while importing)? Hmmmm. I can't think of a good way. You could choose to delete keys from both programs yourself; everytime you delete a key in GnuPG 2.1, also delete it in GnuPG 1.4. 
Deleting the keys beforehand is theoretically an option, but you would have to do an --export-trustdb before (I'd take the gpg2 for that) and an --import-trustdb afterwards, because you lose all trust settings. However, I don't even know of any other way to delete all keys than the rather rude way of deleting pubring.gpg. I can't think of a way to specify a user ID that would match all keys in the command --delete-keys. Deleting pubring.gpg seems to preserve private keys; if I import all public keys including the ones I have the private key for, the private key also "comes back" as it survived in secring.gpg. Also, it's a process that takes a large amount of time as it has to reprocess everything, including recomputing the key validity. Maybe someone else has a bright idea. Meanwhile, here is a not recommended way to do it... If your GnuPG home directory is where I would expect it. I have no experience whatsoever with GnuPG on Windows, so I'm just guessing based on what a quick internet search gives me. You might need to adjust it. Also, it is potentially dangerous. I'm very reluctant to suggest to someone, without any knowledge about their specific situation, to run a "del" command like that. Please, make backups, make your own judgement, don't type commands unless you understand exactly what it does. It might, for instance, delete your keys from a different installation of GnuPG, such as gpg2.exe. gpg2\gpg2.exe --export-ownertrust >C:\temp\exported.trust gpg2\gpg2.exe --output C:\temp\exported.keys --export del %APPDATA%\GNU\GnuPG\pubring.gpg gpg14\gpg.exe --import C:\temp\exported.keys gpg14\gpg.exe --import-ownertrust C:\temp\exported.trust gpg14\gpg.exe --check-trustdb Oh, you could do: echo %APPDATA% to see where that actually points to. I'm not sure why --export-ownertrust doesn't allow you to specify a file to export to, but --import-ownertrust does allow you to specify a file to import from. But it means you need the redirect I used for exporting. 
HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From sasc0041 at stud.hs-kl.de Thu Feb 11 18:54:00 2016 From: sasc0041 at stud.hs-kl.de (Sandra Schreiner) Date: Thu, 11 Feb 2016 17:54:00 +0000 Subject: How can GPGME use GnuPG on Android Message-ID: Hello, Looking at gnupg-for-android I was wondering and amazed. How does an Android app manage to use GnuPG? As far as I understand the relationship between GPGME and GnuPG, GPGME gathers all necessary information from the app and sends the data to GnuPG in a 'command-line-based way' and receives the result. I know it is not that hard to use C++ libraries in Android (thanks to JNI and NDK). Therefore the connection between the java wrapper and the C++ part is no real mystery. I just can't imagine how this all works together with GnuPG. On a Linux pc there is a standard path for GnuPG, so GPGME can find and call it very easily. On Android - I guess - you have to bring your own GnuPG with the apk. But how does the C++ part of GPGME know where GnuPG is located? Does the whole communication work in the same manner as on a pc? Does the deviation of bionic and glibc affect GPGME and GnuPG in any way? I tried to understand how this is done in gnupg-for-android, however it seems like sorcery to me. I would be very grateful if someone could help me to get a better basic understanding of the android <-> gpgme <->gnupg relationship. Many thanks in advance. Sandra From wk at gnupg.org Thu Feb 11 19:00:07 2016 From: wk at gnupg.org (Werner Koch) Date: Thu, 11 Feb 2016 19:00:07 +0100 Subject: Does gnupg-users receive all messages sent to gnupg-announce as well?
In-Reply-To: <877fidiru2.fsf@helmutwaitzmann.news.arcor.de> (Helmut Waitzmann's message of "Tue, 09 Feb 2016 20:52:27 +0100") References: <877fidiru2.fsf@helmutwaitzmann.news.arcor.de> Message-ID: <87d1s3b00o.fsf@vigenere.g10code.de> On Tue, 9 Feb 2016 20:52, ml.throttle at xoxy.net said: > I'd like to know: Will every message, that is sent to > , be delivered to all subscribers of > as well, or, the other way round, will I Yes, they are copied to gnupg-users. Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From stebe at mailbox.org Fri Feb 12 01:39:47 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Fri, 12 Feb 2016 01:39:47 +0100 (CET) Subject: How can I delete a subkey that has no USAGE assigned to it? Message-ID: <1708020883.1320.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> Hi, I have generated a new pub key with several subkeys following (1). While generating one of the subkeys, just after gpg tells you to play around with your mouse or do some keystrokes in the terminal, gpg output was: key generation failed. To start generating this encryption subkey again, I typed gpg> quit $ gpg2 --edit-key XXXXXXXX [key/subkey listing] gpg> addkey #once again, but I didn't think of typing pfkill gpg-agent #this time, as I had done at the beginning of key generation. I could create the remaining subkey(s) but had to type in the passphrase into pinentry every time. When I had generated the last subkey, I realized that there was one subkey that had no USAGE assigned to it, precisely the one the generation of which failed. (I really don't know why, I did a thousand keystrokes and painted a gimp masterpiece in the meanwhile). #I tried to use key XXXXXXXX # where XXXXXXXX is the keyID of the subkey delkey XXXXXXXX #to get rid of it, but gpg still tells me I have to select at least one key, so it's not the (sub)keyID I have to type in.
My assumption: I suppose the "N" in the explanation of the key and delkey command refers to the USAGE:[letter], as I can't think of any other way of referring to that key. USAGE, however, is blank. I couldn't find any further details about it in the manpages. Is there a way to delete this subkey? TIA Stebe (1)https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups From ml.throttle at xoxy.net Fri Feb 12 01:59:32 2016 From: ml.throttle at xoxy.net (Helmut Waitzmann) Date: Fri, 12 Feb 2016 01:59:32 +0100 Subject: Does gnupg-users receive all messages sent to gnupg-announce as well? In-Reply-To: <87d1s3b00o.fsf@vigenere.g10code.de> (Werner Koch's message of "Thu, 11 Feb 2016 19:00:07 +0100") References: <877fidiru2.fsf@helmutwaitzmann.news.arcor.de> <87d1s3b00o.fsf@vigenere.g10code.de> Message-ID: <87lh6qd9pt.fsf@helmutwaitzmann.news.arcor.de> Werner Koch wrote: > On Tue, 9 Feb 2016 20:52, ml.throttle at xoxy.net said: [Messages sent to ] > Yes, they are copied to gnupg-users. So, I'll save (a little bit of) internet bandwidth. Thank you very much. Helmut From stebe at mailbox.org Fri Feb 12 07:04:31 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Fri, 12 Feb 2016 07:04:31 +0100 (CET) Subject: How can I delete a subkey that has no USAGE assigned to it? In-Reply-To: <1708020883.1320.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> References: <1708020883.1320.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> Message-ID: <1361467617.1506.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> > Hi, > > I have generated a new pub key with several subkeys following (1). > Is there a way to delete this subkey? Yes, indeed. I guess I found it in my dreams, i.e. when I woke up, it came to my mind that it might be simply N for number... 
> (1)https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups Stebe From antony at blazrsoft.com Fri Feb 12 09:16:24 2016 From: antony at blazrsoft.com (antony at blazrsoft.com) Date: Fri, 12 Feb 2016 03:16:24 -0500 Subject: How can I delete a subkey that has no USAGE assigned to it? In-Reply-To: <1361467617.1506.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> References: <1708020883.1320.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> <1361467617.1506.4b7ee824-8d5c-4c8a-8611-78eccf19c715.open-xchange@office.mailbox.org> Message-ID: <2C7D2E4B-D9F9-4541-BA75-6E5B0B2CFB65@blazrsoft.com> On February 12, 2016 1:04:31 AM EST, stebe at mailbox.org wrote: > >Yes, indeed. I guess I found it in my dreams, i.e. when I woke up, it >came >to my mind that it might be simply N for number... > At least you figured it out. I'm sure someone will have that same question in the future and this thread on the mailing list will be their savior. :-) -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From gnupgpacker at on.yourweb.de Fri Feb 12 09:35:45 2016 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Fri, 12 Feb 2016 09:35:45 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <56BC7099.5090505@digitalbrains.com> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> <5677D7D5.4010205@digitalbrains.com> <000101d164b3$0f851ac0$2e8f5040$@on.yourweb.de> <56BC7099.5090505@digitalbrains.com> Message-ID: <000801d16570$5dc13260$19439720$@on.yourweb.de> Wowh, what a comprehensive answer... :) THANKS! > Furthermore, pipes do generally work on Windows. > Wouldn't this work? > gpg2\gpg2.exe --export | gpg14\gpg.exe --import Similar pipes are working in Windows. 
> gpg2\gpg2.exe --export-ownertrust >C:\temp\exported.trust > gpg2\gpg2.exe --output C:\temp\exported.keys --export > del %APPDATA%\GNU\GnuPG\pubring.gpg > gpg14\gpg.exe --import C:\temp\exported.keys > gpg14\gpg.exe --import-ownertrust C:\temp\exported.trust > gpg14\gpg.exe --check-trustdb If respecting own pathes and user rights with care, it seems to be a practicable way. Regular backup recommended. Thanks once more and regards, Chris From m.mansfeld at mansfeld-elektronik.de Fri Feb 12 10:28:37 2016 From: m.mansfeld at mansfeld-elektronik.de (Matthias Mansfeld) Date: Fri, 12 Feb 2016 10:28:37 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <000801d16570$5dc13260$19439720$@on.yourweb.de> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de>, <56BC7099.5090505@digitalbrains.com>, <000801d16570$5dc13260$19439720$@on.yourweb.de> Message-ID: <56BDA5C5.17530.9EABAAB@m.mansfeld.mansfeld-elektronik.de> On 12 Feb 2016 at 9:35, gnupgpacker wrote: > Wowh, what a comprehensive answer... :) > THANKS! > > > Furthermore, pipes do generally work on Windows. > > Wouldn't this work? > > gpg2\gpg2.exe --export | gpg14\gpg.exe --import > > Similar pipes are working in Windows. > > > gpg2\gpg2.exe --export-ownertrust >C:\temp\exported.trust > > gpg2\gpg2.exe --output C:\temp\exported.keys --export > > del %APPDATA%\GNU\GnuPG\pubring.gpg > > gpg14\gpg.exe --import C:\temp\exported.keys > > gpg14\gpg.exe --import-ownertrust C:\temp\exported.trust > > gpg14\gpg.exe --check-trustdb > > If respecting own pathes and user rights with care, it seems to be a practicable way. > Regular backup recommended. > > Thanks once more and regards, Chris Maybe it will become a bit more complicated if it is necessary to keep the keyrings syncronized in both directions. This will happen at least if you let GPGRelay "Learn aliases from POP3".... 
Regards Mattias -- OpenPGP: http://www.mansfeld-elektronik.de/gnupgkey/mansfeld.asc Fingerprint: 6563 057D E6B8 9105 1CE4 18D0 4056 1F54 8B59 40EF From mhw at netris.org Fri Feb 12 03:13:27 2016 From: mhw at netris.org (Mark H Weaver) Date: Thu, 11 Feb 2016 21:13:27 -0500 Subject: [Issue2229] make check 14 of 35 tests failed Message-ID: <87wpqavfp4.fsf@netris.org> [I wanted to add this to , but I wasn't able to find the email address where I should send it.] We've run into this problem in GNU Guix. Here's the report in our bug tracker: https://debbugs.gnu.org/22558 A few observations: * The problem mostly only occurs on x86_64 systems. On our build farm, gnupg-2.1.11 failed to build 8 times before it finally succeeded. On our other supported architectures (i686, armhf, and mips64el), it succeeded on the first try. * Sometimes there are 14 failures, and sometimes there's only 1 failure (gpgtar.test). * Although we perform builds within an isolated build container, the problem tends to happen on some systems and not others. Ludovic Courtès reported building gnupg-2.1.11 three times on his x86_64 laptop, and that it succeeded all three times. Other users have reported consistent build failures. * One of the core Guix developers who consistently gets 14 failures did a git bisect, and found that the problem was apparently introduced in commit ee87c653bf. Regards, Mark From peter at digitalbrains.com Fri Feb 12 11:41:04 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 12 Feb 2016 11:41:04 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta...
In-Reply-To: <56BDA5C5.17530.9EABAAB@m.mansfeld.mansfeld-elektronik.de> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> <56BC7099.5090505@digitalbrains.com> <000801d16570$5dc13260$19439720$@on.yourweb.de> <56BDA5C5.17530.9EABAAB@m.mansfeld.mansfeld-elektronik.de> Message-ID: <56BDB6C0.1060905@digitalbrains.com> On 12/02/16 10:28, Matthias Mansfeld wrote: > Maybe it will become a bit more complicated if it is necessary to > keep the keyrings syncronized in both directions. Hehe :). Okay, I'll humour you :). I'd probably extract all known keys from both installations, and propagate deletions. You also still need to transfer keys known to both installations, since there might be updates to the keys. Additionally, all the "del..." commands in --edit-key, as well as things like "clean" and stuff, become pretty impossible without doing it in both installations before you sync. gpg2 --fingerprint --with-colons -k | grep ^fpr | cut -d: -f 10 This gives a list of the fingerprints of all public keys known to gpg2. However, it is using standard Unix tools which might not be available (by default?) on Windows. Similarly, I'd continue to write a Bash script that extracts the common set and the differences, and applies any deletions on either side in addition to transferring the common set both ways to get any new information. Obviously, you can't tell the difference between a previously common key that got deleted on one side and a key that got added on the other side. So you need to keep the list of fingerprints from the previous sync to tell the difference. You might even get update conflicts; I can't think of a way right away though. For the trust database, it's easy to imagine a conflict. If I set a different trust level on either side, which one prevails? I do have to say this is a perfect reason to alert the operator. You completely trust someone when you're using GnuPG 2, but only marginally using 1.4? Make up your mind! :) Peter. 
-- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From stebe at mailbox.org Fri Feb 12 11:43:37 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Fri, 12 Feb 2016 11:43:37 +0100 (CET) Subject: Some questions about working with different versions of GnuPG and the fsfe's card on subkeys doc Message-ID: <1188340697.3745.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> Hi, just a few more questions on key generation and the fsfe doc (1) Following the indications in the referred document I have used a LIVE OS for all the steps indicated in it (up to now), and GnuPG version 2.1.9. I understand that the sections starting with "Removing the master key from the keyring" up to "Remove backups from your machine" have to be performed on the machine/OS I actually use to work/communicate with gpg/Enigmail (GnuPG version 2.0.19). 1) To do so, is it enough to use the backup of private-keys-v1.d and pubring.kbx I stored on a separate USB flash drive and reimport that to the actual machine/OS I use (and then perform the steps described in the referred doc as there are Remove main encryption subkey/Export secret subkeys/Remove secret master key/Reimport the subkey stubs etc.)? Or should I in any case make a complete backup of the live system's ~/.gnupg before stopping it? I haven't manually configured anything in gpg.conf there. The target OS I'll use has gpg 2.0.19 installed. The pubring file format used there is different (.gpg). There is also secring.gpg In this secring.gpg there are still secret keys of disabled/revoked keys. I have made a separate backup of it. I understand that the .kbx format used in 2.1.x holds some information of what in 2.0.19 is stored in the secring (or did I misunderstand that?). Is it at all possible to do what I plan to do? 
2) Will it thus suffice to export my new pub key from pubring.kbx on the separate flash drive and reimport it (in)to pubring.gpg on the target OS AND copy the private-keys-v1.d folder to the .gnupg directory of the target OS (and then perform the remaining steps)? Or is there something else I should take into account? Any confirmation/help appreciated. TIA Stebe (1) https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups From wk at gnupg.org Fri Feb 12 13:32:50 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 12 Feb 2016 13:32:50 +0100 Subject: [Issue2229] make check 14 of 35 tests failed In-Reply-To: <87wpqavfp4.fsf@netris.org> (Mark H. Weaver's message of "Thu, 11 Feb 2016 21:13:27 -0500") References: <87wpqavfp4.fsf@netris.org> Message-ID: <87wpqa85xp.fsf@vigenere.g10code.de> On Fri, 12 Feb 2016 03:13, mhw at netris.org said: > [I wanted to add this to , > but I wasn't able to find the email address where I should send it.] You may now comment on other people's report and thus also on 2229. > * One of the core Guix developers who consistently gets 14 failures did > a git bisect, and found that the problem was apparently introduced in > commit ee87c653bf. From looking at the strace in msg7794 it seems that the client died after having seen the first PROGRESS line. The client in this case is gpg-preset-passphrase which is an old hack and not a proper Assuan client. It received the 'S PROGRESS' line but does not expect it and returns an error. We should re-implement that tool in terms of gpg-connect-agent and for the test scripts use gpg-connect-agent directly. Justus is currently reworking the test suite anyway. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
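The failure mode described in the message above, a client that treats an unexpected 'S PROGRESS' status line as an error, shown as an added example (not code from GnuPG or from gpg-preset-passphrase): a strict reply reader beside one that skips Assuan status, comment and data lines until the terminating OK or ERR. The function names, the types and the sample reply lines are constructed for illustration, and the replies are passed in as strings so the example runs without a gpg-agent.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum reply { REPLY_OK, REPLY_ERR, REPLY_PROTOCOL };

struct reply_info {
    size_t status_lines;   /* number of "S ..." lines seen before the end */
    char last_status[32];  /* keyword of the most recent status line */
    long err_code;         /* numeric code from an ERR line, else 0 */
};

/* True if LINE begins with KEYWORD followed by a space or end of line. */
static int has_keyword(const char *line, const char *keyword)
{
    size_t n = strlen(keyword);
    return strncmp(line, keyword, n) == 0
           && (line[n] == ' ' || line[n] == '\0');
}

/* Fragile reader (hypothetical): assumes the first line is the final one,
   so any status line that arrives first is reported as a failure. */
enum reply read_reply_strict(const char *const *lines, size_t nlines)
{
    if (nlines == 0)
        return REPLY_PROTOCOL;
    return has_keyword(lines[0], "OK") ? REPLY_OK : REPLY_ERR;
}

/* Tolerant reader (hypothetical): only OK or ERR ends the reply; status,
   comment, empty and data lines are consumed and reading continues. */
enum reply read_reply(const char *const *lines, size_t nlines,
                      struct reply_info *info)
{
    size_t i;

    memset(info, 0, sizeof *info);
    for (i = 0; i < nlines; i++) {
        const char *l = lines[i];

        if (has_keyword(l, "OK"))
            return REPLY_OK;
        if (has_keyword(l, "ERR")) {
            info->err_code = strtol(l + 3, NULL, 10);
            return REPLY_ERR;
        }
        if (has_keyword(l, "S")) {
            /* Copy the keyword that follows "S " up to the next space. */
            const char *kw = (l[1] == ' ') ? l + 2 : "";
            size_t n = strcspn(kw, " ");

            if (n >= sizeof info->last_status)
                n = sizeof info->last_status - 1;
            memcpy(info->last_status, kw, n);
            info->last_status[n] = '\0';
            info->status_lines++;
            continue;
        }
        if (l[0] == '#' || l[0] == '\0' || has_keyword(l, "D"))
            continue;           /* comment, empty line, or unrequested data */
        return REPLY_PROTOCOL;  /* INQUIRE, END or anything unknown */
    }
    return REPLY_PROTOCOL;      /* input ended without OK or ERR */
}

/* Constructed sample replies; the PROGRESS arguments are placeholders. */
static const char *const REPLY_PLAIN[] = { "OK" };
static const char *const REPLY_WITH_PROGRESS[] = {
    "S PROGRESS placeholder X 0 0",
    "# constructed comment line",
    "S PROGRESS placeholder X 1 1",
    "OK",
};
static const char *const REPLY_FAILED[] = {
    "S PROGRESS placeholder X 0 0",
    "ERR 1 constructed failure",
};
static const char *const REPLY_TRUNCATED[] = {
    "S PROGRESS placeholder X 0 0",
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int main(void)
{
    struct reply_info info;
    enum reply r;

    r = read_reply_strict(REPLY_WITH_PROGRESS, COUNT(REPLY_WITH_PROGRESS));
    printf("strict reader, progress first: %d\n", (int)r);

    r = read_reply(REPLY_WITH_PROGRESS, COUNT(REPLY_WITH_PROGRESS), &info);
    printf("tolerant reader, progress first: %d (%lu status lines, last %s)\n",
           (int)r, (unsigned long)info.status_lines, info.last_status);

    r = read_reply(REPLY_FAILED, COUNT(REPLY_FAILED), &info);
    printf("tolerant reader, real error: %d (code %ld)\n",
           (int)r, info.err_code);
    return 0;
}
```
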
From guilhem at fripost.org Fri Feb 12 13:51:10 2016 From: guilhem at fripost.org (Guilhem Moulin) Date: Fri, 12 Feb 2016 13:51:10 +0100 Subject: Alternative to ‘--keyserver-options auto-key-retrieve’ under 2.1.x Message-ID: <20160212125110.GA20800@localhost.localdomain> Hi there, With 1.4.x and 2.0.x ‘--keyserver-options auto-key-retrieve’ provided a convenient way to automatically download a missing key, when verifying a message signature in the MUA for instance. However it seems to be a noop with 2.1.11, unless the deprecated option ‘--keyserver’ is also given. From the manpage it looks like only some not all keyserver options are deprecated, and ‘auto-key-retrieve’ is not among them. Is there a way around to tell gpg to retrieve the key via dirmngr? Thanks, cheers, -- Guilhem. From gnupgpacker at on.yourweb.de Fri Feb 12 15:58:49 2016 From: gnupgpacker at on.yourweb.de (gnupgpacker) Date: Fri, 12 Feb 2016 15:58:49 +0100 Subject: GPGrelay does not recognize Gpg-2.1 keys; Gpg4win-3beta... In-Reply-To: <56BC7099.5090505@digitalbrains.com> References: <004301d13bdb$060a9b10$121fd130$@on.yourweb.de> <5677D7D5.4010205@digitalbrains.com> <000101d164b3$0f851ac0$2e8f5040$@on.yourweb.de> <56BC7099.5090505@digitalbrains.com> Message-ID: <000701d165a5$e189f8e0$a49deaa0$@on.yourweb.de> Hello, > Matthias: > Maybe it will become a bit more complicated if it is necessary to > keep the keyrings synchronized in both directions. This will happen at > least if you let GPGRelay "Learn aliases from POP3".... Switch off!
;) Serious answer: Latest known version of GPGrelay ist 0.962, extracted from Sebastian's GnuPG-Pack: http://home.arcor.de/rose-indorf/ Sourceforge provides the source code til version 0.959: https://sourceforge.net/projects/gpgrelay/ There seems to be no further development since 2005/2006, isn't it? In my opinion it would be very desirable if someone would adapt GPGrelay for interaction with new GPG-2.x key versions. And if touching source code, some minor issues with UTF-8 implementation could be fixed too. Actual OpenSSL libraries (f.e. 1.0.2f) are running without any issue with GPGrelay too. GPGrelay is the only known free proxy/relay program which allows different mail clients connecting with secured gpg encryption (Inline + PGP/Mime). Because of missing a fully functional solution for M$ Outlook it is needed further more... Who knows initial developer andreas john? Regards, Chris From stebe at mailbox.org Fri Feb 12 16:44:31 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Fri, 12 Feb 2016 16:44:31 +0100 (CET) Subject: Some questions about working with different versions of GnuPG and the fsfe's card on subkeys doc [UPDATED]] In-Reply-To: <1188340697.3745.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> References: <1188340697.3745.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> Message-ID: <982576660.5119.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> (UPDATED] > stebe at mailbox.org hat am 12. Februar 2016 um 11:43 geschrieben: > > > Hi, > > > just a few more questions on key generation and the fsfe doc (1) > > Following the indications in the referred document I have used a LIVE OS > for all the steps indicated in it (up to now), and GnuPG version 2.1.9. 
> > I understand that the sections starting with "Removing the master key > from > the keyring" up to "Remove backups from your machine" have to be > performed > on the machine/OS I actually use to work/communicate with gpg/Enigmail > (GnuPG version 2.0.19). Having thoroughly read the manpages of 2.1.9 (source machine) and 2.0.19 (target machine), respectively, and thought about the whole thing, I deduce, for now, this result: (I thought I wouldn't have enough time to do that as I posted my previous message...) --> My new key: 1) --export --output [MyNewKeyID] to file [file] 2) --import key [MyNewKeyID] from file [file] --keep-ownertrust on target machine -->that's the way to go.... --> copying private keys folder of 2.1.9 to version 2.0.19 should work (I haven't created any new key with version 2.0.19 so there's nothing inside yet), the "old" keys were (once) created using gpg 1.4.12) -->trustdb trustdb on 2.1.x only contais the absolute/ultimative trust I set in my own key (and its subkeys) --> --export-ownertrust (but isn't the ownertrust of my new key, including subkeys, already being (implicitly) exported using --export -output [MyNewKeyID] and thus updating (implicitly) trustdb (target machine) on its import to version 2.0.x (--> newly generated key has been, automatically, self-signed by version 2.1.x and I self-signed my first uid with my second uid) --> --keep-ownertrust as import-options parameter because on import ownertrust values are stripped off of the new pub key --> pubring.gpg of 2.0.19 (target machine) --> special topic: expiry of disabled keys (which started as a copy and paste of the 1.4.x's pubring, when I started using 2.0.19) contains my disabled/revoked public keys (once created with 1.4.12) and other pub keys: so I can simply 1) set an (very close, today's) expiry date to the disabled keys in order to let them expire as soon as possible, then remove those keys from pubring.gpg, or remove them right away, given the fact that I still have a 
copy (of pubring and secring) in order to be able to put an expiry date later) --> how important is it to let disabled keys expire (by activating them for a "moment" in order to let them expire)? Would such proceeding be a security risk, better leaving them disabled forever? --> follow the remaining steps indicated in the referred FSFE's card-howTo-doc (1) Any objections, hints welcome. Stebe (1) https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups From marko.bauhardt at mailbox.org Fri Feb 12 17:13:53 2016 From: marko.bauhardt at mailbox.org (Marko Bauhardt) Date: Fri, 12 Feb 2016 17:13:53 +0100 Subject: using an expired GPG key with ssh Message-ID: <1D3E35FA-1107-47C5-BF32-B671254F72AF@mailbox.org> Hi, i plan to use my GPG authentication key to do a login via ssh onto my server. I tried monkeysphere to convert my GPG key to a ssh key, and adding the key to the ssh-agent. Everything works as expected. But the question i have is, will `ssh-add` or `monkeysphere subkey-to-ssh-agent` will fail when my GPG subkey is expired? Has anyone experience with GPG and ssh authentication? Should i use the gpg-agent instead of the ssh-agent? Thanks Marko -- Marko Bauhardt marko.bauhardt at mailbox.org Bitte sch?tzen Sie meine und Ihre Privatsph?re, nutzen Sie PGP Please protect my and your privacy, use PGP Key ID: 53192101 Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: Message signed with OpenPGP using GPGMail URL: From wk at gnupg.org Fri Feb 12 20:57:18 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 12 Feb 2016 20:57:18 +0100 Subject: Alternative to =?utf-8?Q?=E2=80=98--keyserver-options_auto-ke?= =?utf-8?Q?y-retrieve=E2=80=99?= under 2.1.x In-Reply-To: <20160212125110.GA20800@localhost.localdomain> (Guilhem Moulin's message of "Fri, 12 Feb 2016 13:51:10 +0100") References: <20160212125110.GA20800@localhost.localdomain> Message-ID: <874mdd8zxd.fsf@vigenere.g10code.de> On Fri, 12 Feb 2016 13:51, guilhem at fripost.org said: > However it seems to be a noop with 2.1.11, unless the deprecated option > ?--keyserver? is also given. From the manpage it looks like only some > not all keyserver options are deprecated, and ?auto-key-retrieve? in not > among them. Is there a way around to tell gpg to retrieve the key via > dirmngr? It works for me using a fresh GNUPGHOME with keyserver hkp://keys.mayfirst.org set in dirmngr.conf and no gpg.conf: $ gpg -v --verify --auto-key-retrieve ~/tarballs/gnupg/v1.4/gnupg-1.4.2[...] gpg: WARNING: "--auto-key-retrieve" is a deprecated option gpg: please use "--keyserver-options auto-key-retrieve" instead gpg: assuming signed data in '/home/wk/tarballs/gnupg/v1.4/gnupg-1.4.20[...] gpg: Signature made Sun Dec 20 09:02:24 2015 CET using RSA key ID 4F25E3B6 gpg: no running Dirmngr - starting '/usr/local/bin/dirmngr' gpg: waiting for the dirmngr to come up ... (5s) gpg: connection to the dirmngr established gpg: data source: http://keys.mayfirst.org:11371 gpg: armor header: Version: SKS 1.1.5 gpg: armor header: Comment: Hostname: zimmermann.mayfirst.org gpg: pub rsa2048/4F25E3B6 2011-01-12 Werner Koch (dist sig) gpg: using PGP trust model gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported gpg: no running gpg-agent - starting '/usr/local/bin/gpg-agent' gpg: waiting for the agent to come up ... 
(5s) gpg: connection to agent established gpg: 0 keys processed (0 validity counts cleared) gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "Werner Koch (dist sig)" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048 gpg: Signature made Mon Dec 21 07:06:19 2015 CET using RSA key ID 33BD3F06 gpg: Signature made Mon Dec 21 07:06:19 2015 CET using RSA key ID 33BD3F06 gpg: data source: http://keys.mayfirst.org:11371 gpg: armor header: Version: SKS 1.1.5 gpg: armor header: Comment: Hostname: zimmermann.mayfirst.org gpg: pub rsa2048/33BD3F06 2014-10-29 NIIBE Yutaka (GnuPG Release Ke[...] gpg: key 33BD3F06: public key "NIIBE Yutaka (GnuPG Release Key) References: <20160212125110.GA20800@localhost.localdomain> <874mdd8zxd.fsf@vigenere.g10code.de> Message-ID: <20160212214736.GA25141@localhost.localdomain> On Fri, 12 Feb 2016 at 20:57:18 +0100, Werner Koch wrote: > On Fri, 12 Feb 2016 13:51, guilhem at fripost.org said: >> However it seems to be a noop with 2.1.11, unless the deprecated option >> ?--keyserver? is also given. From the manpage it looks like only some >> not all keyserver options are deprecated, and ?auto-key-retrieve? in not >> among them. Is there a way around to tell gpg to retrieve the key via >> dirmngr? > > It works for me using a fresh GNUPGHOME with > keyserver hkp://keys.mayfirst.org > set in dirmngr.conf and no gpg.conf: Oops right, in fact I'm no longer able to reproduce that either. I guess there was something on the line somehow? Sorry for the noise. -- Guilhem. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From stebe at mailbox.org Sat Feb 13 18:20:09 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Sat, 13 Feb 2016 18:20:09 +0100 (CET) Subject: Heuristics of gpg's output Message-ID: <280980648.9443.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> Hi, a few days ago I downloaded http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-testing-amd64-DVD-1.iso Resolving hostname ?gensho.acc.umu.se (gensho.acc.umu.se)?... 130.239.18.176, 2001:6b0:e:2018::176 from a secondary mirror located in Sweden. Before that I had installed a DNSSEC capable DNS resolver software as an extension in my browser and set its standard URL as standard DNS server in my router. I did not activate the option that denies connections if no DNSSEC record could be found/checked. I looked for the available keys for the different CD releases pointing my browser to the Debian website (DNSSec info says: OK) pub 4096R/64E6EA7D 2009-10-03 Primary key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D uid Debian CD signing key pub 4096R/6294BE9B 2011-01-05 Primary key fingerprint = DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B uid Debian CD signing key sub 4096R/11CD9819 2011-01-05 pub 4096R/09EA8AC3 2014-04-15 Primary key fingerprint = F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3 uid Debian Testing CDs Automatic Signing Key sub 4096R/6BD05CFB 2014-04-15 being the last one in the list the key I was looking for. #verifying the signature I downloaded from that very server LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3 gpg: BAD signature from "Debian Testing CDs Automatic Signing Key " me at mymachine:/media/sdb1$ LC_ALL=C gpg2 --edit-key 09EA8AC3 gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc. 
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. pub 4096R/09EA8AC3 created: 2014-04-15 expires: never usage: SC trust: unknown validity: unknown sub 4096R/6BD05CFB created: 2014-04-15 expires: never usage: E [ unknown] (1). Debian Testing CDs Automatic Signing Key gpg> fpr pub 4096R/09EA8AC3 2014-04-15 Debian Testing CDs Automatic Signing Key Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3 So, what does that information tell us? Would that information suffice to think that the iso file is/was compromised? Would that information suffice to think that the server is/was compromised? What would such information tell us exactly? I am trying to figure out what does and what it does not tell us in order to better understand the heuristic scope of gpg's output. Any help, hint or assessment is appreciated. Cheers, Stebe From kloecker at kde.org Sat Feb 13 19:55:02 2016 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Sat, 13 Feb 2016 19:55:02 +0100 Subject: Heuristics of gpg's output In-Reply-To: <280980648.9443.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> References: <280980648.9443.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> Message-ID: <1971789.LGM0CCurNJ@thufir> On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote: > Hi, > > a few days ago I downloaded > > > http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-te > sting-amd64-DVD-1.iso Resolving hostname ?gensho.acc.umu.se > (gensho.acc.umu.se)?... 130.239.18.176, 2001:6b0:e:2018::176 > > from a secondary mirror located in Sweden. 
> [snip] > > #verifying the signature I downloaded from that very server > > LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso > gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID > 09EA8AC3 > gpg: BAD signature from "Debian Testing CDs Automatic > Signing Key " > [snip] > > So, what does that information tell us? > Would that information suffice to think that the iso file is/was > compromised? It doesn't tell us anything because the signature does not belong to the iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS which contains the SHA256 hashes for the iso files. In order to check the ISO file you have to verify the signature of the SHA256SUMS file, i.e. # gpg2 --verify SHA256SUMS.sign SHA256SUMS and then check the SHA256 hash of the iso file against the hash in the SHA256SUMS file, e.g. with # sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64- DVD-1.iso SHA256SUMS See also section "How can I verify my download is correct and exactly what has been created by Debian?" on http://ftp.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/ Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: This is a digitally signed message part. URL: From johanw at vulcan.xs4all.nl Sat Feb 13 21:47:27 2016 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sat, 13 Feb 2016 21:47:27 +0100 Subject: Documentation format In-Reply-To: <56B6CF2B.50303@sixdemonbag.org> References: <56B5E252.6070106@sixdemonbag.org> <56B63CD0.9070507@riseup.net> <56B6617C.2040707@sixdemonbag.org> <56B66CFA.3030007@riseup.net> <56B6CF2B.50303@sixdemonbag.org> Message-ID: <56BF965F.7070802@vulcan.xs4all.nl> On 07-02-2016 5:59, Robert J. 
Hansen wrote: > LaTeX is unique among document processing systems in that it can > effortlessly represent the correct orthography for the rock group Spinal > Tap (which uses a Turkish dotless lowercase i and a Jacaltec umlauted > n), but that comes with a steep price: namely, its near complete > inability to handle Unicode like the rest of the world. Considering the PITA that unicode gives in text editors (and not only there, I remember when the company I worked then switched to a unicode-enabled version of Delphi and we had to rebuild over 100 reports that didn't work anymore...) I'd say that is a big advantage. Both html and TeX can handle special characters and accents well with commands. Starting with one of those, the correct output can always be expressed in ascii, especially for the GnuPG documentation that does not do anything extremely difficult. -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From stebe at mailbox.org Sat Feb 13 23:22:48 2016 From: stebe at mailbox.org (stebe at mailbox.org) Date: Sat, 13 Feb 2016 23:22:48 +0100 (CET) Subject: Heuristics of gpg's output In-Reply-To: <1971789.LGM0CCurNJ@thufir> References: <280980648.9443.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> <1971789.LGM0CCurNJ@thufir> Message-ID: <1396477048.10118.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> > Ingo Klöcker wrote on 13 February 2016 at 19:55: > > > On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote: > > Hi, > > > > a few days ago I downloaded > > > > > > http://gensho.acc.umu.se/cdimage/weekly-builds/amd64/iso-dvd/debian-te > > sting-amd64-DVD-1.iso Resolving hostname ?gensho.acc.umu.se > > (gensho.acc.umu.se)?... 130.239.18.176, 2001:6b0:e:2018::176 > > > > from a secondary mirror located in Sweden.
> > > [snip] > > > > #verifying the signature I downloaded from that very server > > > > LC_ALL=C gpg2 --verify SHA256SUMS.sign debian-testing-amd64-DVD-1.iso > > gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID > > 09EA8AC3 > > gpg: BAD signature from "Debian Testing CDs Automatic > > Signing Key " > > > [snip] > > > > So, what does that information tell us? > > Would that information suffice to think that the iso file is/was > > compromised? > > It doesn't tell us anything because the signature does not belong to the > > iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS > which contains the SHA256 hashes for the iso files. > [snip] Thanks, Ingo, for clarifying this. From stebe at mailbox.org Sun Feb 14 00:07:55 2016 From: stebe at mailbox.org (Stephan Beck) Date: Sat, 13 Feb 2016 23:07:55 +0000 Subject: Heuristics of gpg's output In-Reply-To: <1971789.LGM0CCurNJ@thufir> References: <280980648.9443.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> <1971789.LGM0CCurNJ@thufir> Message-ID: <56BFB74B.1070704@mailbox.org> Ingo Klöcker: > On Saturday 13 February 2016 18:20:09 stebe at mailbox.org wrote: >> Hi, >> >> a few days ago I downloaded [snip] > It doesn't tell us anything because the signature does not belong to the > iso file. The signature SHA256SUMS.sign belongs to the file SHA256SUMS > which contains the SHA256 hashes for the iso files. > > In order to check the ISO file you have to verify the signature of the > SHA256SUMS file, i.e. > > # gpg2 --verify SHA256SUMS.sign SHA256SUMS > > and then check the SHA256 hash of the iso file against the hash in the > SHA256SUMS file, e.g.
with > > # sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64- > DVD-1.iso SHA256SUMS > LC_ALL=C gpg2 --verify SHA256SUMS.sign SHA256SUMS gpg: Signature made Mon Feb 8 08:31:22 2016 CET using RSA key ID 09EA8AC3 gpg: Good signature from "Debian Testing CDs Automatic Signing Key " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3 me at mymachine:/path/to/iso$ LC_ALL=C sha256sum debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso SHA256SUMS 08f3fd4e3ea3df7711c4f120bd3fbf9df0238a8cfe89f6bea40db51e27622bd8 debian-testing-amd64-DVD-1.iso 08f3fd4e3ea3df7711c4f120bd3fbf9df0238a8cfe89f6bea40db51e27622bd8 debian-testing-amd64-DVD-1.iso Everything ok! Thanks again Stebe From peter at digitalbrains.com Sun Feb 14 12:58:03 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 14 Feb 2016 12:58:03 +0100 Subject: Heuristics of gpg's output In-Reply-To: <56BFB74B.1070704@mailbox.org> References: <280980648.9443.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org> <1971789.LGM0CCurNJ@thufir> <56BFB74B.1070704@mailbox.org> Message-ID: <56C06BCB.8030701@digitalbrains.com> On 14/02/16 00:07, Stephan Beck wrote: > me at mymachine:/path/to/iso$ LC_ALL=C sha256sum > debian-testing-amd64-DVD-1.iso && grep debian-testing-amd64-DVD-1.iso > SHA256SUMS Or, alternatively: $ sha256sum -c SHA256SUMS This will check each of the lines in SHA256SUMS against your actual files. In this case, it will warn about a lot of missing files (for the files you didn't download) and one line where it says the downloaded file is OK. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at

From jerry at seibercom.net  Sun Feb 14 15:12:43 2016
From: jerry at seibercom.net (Jerry)
Date: Sun, 14 Feb 2016 09:12:43 -0500
Subject: Importing Certificates into Kleopatra in Windows 10
Message-ID: <20160214091243.0000035c@seibercom.net>

I know that this is probably a stupid question, but I cannot find the
answer anywhere.

I just installed Claws-Mail and GPG4Win on a Windows 10 Pro/64 machine.
I want to import all of my certificates from my old machine. It is still
up and running. I imported:

trustdb.gpg
secring.gpg
pubring.gpg

This gave me all of the keys I had saved on the older machine. Now, I
need to import my private keys; however, I cannot figure out how to do
it.

I would appreciate any assistance possible.

-- 
Jerry

From mailinglist at doczkal.de  Sun Feb 14 23:39:02 2016
From: mailinglist at doczkal.de (Thomas Doczkal)
Date: Sun, 14 Feb 2016 23:39:02 +0100
Subject: Importing Certificates into Kleopatra in Windows 10
In-Reply-To: <20160214091243.0000035c@seibercom.net>
References: <20160214091243.0000035c@seibercom.net>
Message-ID: <56C10206.2050207@doczkal.de>

On 02/14/2016 03:12 PM, Jerry wrote:
> up and running. I imported:
>
> trustdb.gpg
> secring.gpg
> pubring.gpg

Hello Jerry,

your private Key should be available already. According to your
described steps done you have imported your secring.gpg file which
should include all your private Keys. Did you see any error or failed
messages?

Maybe an import of the secring.gpg file is not possible. Have you tried
to replace the original secring.gpg file (of the new installation) with
the old file?

Best regards,
Thomas

From stebe at mailbox.org  Mon Feb 15 14:19:27 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Mon, 15 Feb 2016 13:19:27 +0000
Subject: Some questions about working with different versions of GnuPG and the fsfe's card on subkeys doc [UPDATED]]
In-Reply-To: <982576660.5119.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
References: <1188340697.3745.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
 <982576660.5119.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
Message-ID: <56C1D05F.8020801@mailbox.org>

stebe at mailbox.org:

Hi,

I (re)post this message as the Nitrokey support website informs that
users can ask on this list for getting support. If I am wrong and/or
this is not the appropriate list, please let me know.

-------- Forwarded Message --------
Subject: Re: Some questions about working with different versions of GnuPG and the fsfe's card on subkeys doc [UPDATED]]
Date: Fri, 12 Feb 2016 16:44:31 +0100 (CET)
From: stebe at mailbox.org
To: gnupg-users at gnupg.org

(UPDATED]

> stebe at mailbox.org wrote on 12 February 2016 at 11:43:
>
>
> Hi,
>
>
> just a few more questions on key generation and the fsfe doc (1)
>
> Following the indications in the referred document I have used a LIVE OS
> for all the steps indicated in it (up to now), and GnuPG version 2.1.9.
>
> I understand that the sections starting with "Removing the master key from
> the keyring" up to "Remove backups from your machine" have to be performed
> on the machine/OS I actually use to work/communicate with gpg/Enigmail
> (GnuPG version 2.0.19).

[...]

I have problems getting GnuPG v.2.0.19 to work with the Nitrokey Pro USB
Smart Card (reader is integrated into device).
After importing the pubkey and connecting the Smart Card I performed
these steps:

#Gnome Keyring already being disabled, being installed the following packages: opensc, pcscd, libccid, Nitrokey udev rules installed, having performed a udevd stop and restart, and added required strings to /etc/libccid_Info.plist :

#checking if Smart Card is connected
lsusb
[...]
Bus 00x Device 00y: ID 20a0:4108 Clay Logic

#firing up gpg.agent to be able to enter Admin PIN of Smart Card with pinentry (enabling ssh-support at the same time and writing info to file)
gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
GPG_AGENT_INFO=/tmp/gpg-vZhcne/S.gpg-agent:3187:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/tmp/gpg-I4JNzi/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=3187; export SSH_AGENT_PID;

# checking if gpg2 can connect to Nitrokey Pro USB Smart Card
gpg2 --card-status
gpg-agent[3197]: can't connect to the SCdaemon: IPC "connect" failed
gpg: OpenPGP card not available: no card daemon

#checking it further
$ opensc-tool -l
No smart card readers found
#(I only have this one and only Smart Card, so no error due to multiple
#readers/cards possible)

opensc-explorer
OpenSC Explorer version 0.12.2
No smart card readers found

#for making sure that gnome-keyring is really dead
$ pkill -f gnome-keyring-daemon

gpg2 --card-status
gpg-agent[3488]: can't connect to the SCdaemon: IPC "connect" failed
gpg: OpenPGP card not available: no card daemon

[...]

I checked the Nitrokey support docs, their FAQ, in addition to (1) and
(2) the gpg manpages and the gnupg info manual. Is there anyone that
has/had similar problems? What else can I check for troubleshooting?
In fact, the device is being recognized using gpg but I'd like to use it
with gpg2.

--> follow the remaining steps indicated in the referred FSFE's
card-howTo-doc (1)

Any objections, hints welcome.

Stebe

(1) https://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups
(2) https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From stebe at mailbox.org  Tue Feb 16 00:50:29 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Mon, 15 Feb 2016 23:50:29 +0000
Subject: Some questions about working with different versions of GnuPG and the fsfe's card on subkeys doc [UPDATED]]
In-Reply-To: <56C1D05F.8020801@mailbox.org>
References: <1188340697.3745.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
 <982576660.5119.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
 <56C1D05F.8020801@mailbox.org>
Message-ID: <56C26445.8030809@mailbox.org>

stebe at mailbox.org:
>
>
> stebe at mailbox.org:
[...]
>
[...]
>
> I have problems getting GnuPG v.2.0.19 to work with the Nitrokey Pro USB
> Smart Card (reader is integrated into device). After importing the
> pubkey and connecting the Smart Card I performed these steps:
>
> #Gnome Keyring already being disabled, being installed the following
> packages: opensc, pcscd, libccid, Nitrokey udev rules installed, having
> performed a udevd stop and restart, and added required strings to
> /etc/libccid_Info.plist :
>
[...]
> I checked the Nitrokey support docs, their FAQ, in addition to (1) and
> (2) the gpg manpages and the gnupg info manual. Is there anyone that
> has/had similar problems? What else can I check for troubleshooting?
> In fact, the device is being recognized using gpg but I'd like to use it
> with gpg2.
>
[...]

It has turned out that my off-line FAQ copy did not include a section
that must have been added recently, detailing the package versions of
the required components. This may be one/the reason for gpg2 not being
able to connect to the Nitrokey. I detail it below so that other users
might benefit from it.

GnuPG 2.0.18 or newer. We recommend the 2.0 main version. 2.1 is still a
bit unstable.

OpenSC 0.15 is not sufficient and you would need its nightly builds or
compile it from their git repository.

libccid 1.4.22

being the last two requirements those that are not met by my system's
configuration.

Cheers,
Stebe

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.

From stebe at mailbox.org  Tue Feb 16 03:54:46 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 16 Feb 2016 02:54:46 +0000
Subject: using an expired GPG key with ssh
In-Reply-To: <1D3E35FA-1107-47C5-BF32-B671254F72AF@mailbox.org>
References: <1D3E35FA-1107-47C5-BF32-B671254F72AF@mailbox.org>
Message-ID: <56C28F76.50202@mailbox.org>

Hi Marko,

Marko Bauhardt:
> Hi,
> i plan to use my GPG authentication key to do a login via ssh onto my server.
> I tried monkeysphere to convert my GPG key to a ssh key, and adding the key to the ssh-agent. Everything works as expected.
>
> But the question i have is, will `ssh-add` or `monkeysphere subkey-to-ssh-agent` will fail when my GPG subkey is expired?
> Has anyone experience with GPG and ssh authentication?
> Should i use the gpg-agent instead of the ssh-agent?

according to monkeysphere(7) to be found in /usr/share/man/man7,
monkeysphere subkey-to-ssh-agent will fail.

Quote (using nroff):
The monkeysphere commands work from a set of user IDs to determine
acceptable keys for ssh and TLS authentication. OpenPGP keys are
considered acceptable if the following criteria are met: The key must
have the "authentication" ("a") usage flag set. The key itself must be
valid, i.e. it must be well-formed, not expired, and not revoked.
The relevant user ID must be signed by a trusted identity certifier.

As ssh-add arguments are being invoked from monkeysphere
subkey-to-ssh-agent (as additional parameters) this ssh-add would fail,
too.

According to the gnupg.info manual it is possible to use the gpg.agent
"as a drop-in replacement" for the ssh-agent (and I'd prefer doing
that), if you run

gpg-agent --daemon --enable-ssh-support \
  --write-env-file "${HOME}/.gpg-agent-info"

when starting a session and no gpg.agent is already running.
(see chapter 2 Invoking GPG Agent, 2.2 Option Summary
(--enable-ssh-support), in the gnupg.info manual, for a detailed
explanation)

HTH
Stebe

From marko.bauhardt at mailbox.org  Tue Feb 16 09:42:10 2016
From: marko.bauhardt at mailbox.org (Marko Bauhardt)
Date: Tue, 16 Feb 2016 09:42:10 +0100
Subject: using an expired GPG key with ssh
In-Reply-To: <56C28F76.50202@mailbox.org>
References: <1D3E35FA-1107-47C5-BF32-B671254F72AF@mailbox.org>
 <56C28F76.50202@mailbox.org>
Message-ID:

>>
>> But the question i have is, will `ssh-add` or `monkeysphere subkey-to-ssh-agent` will fail when my GPG subkey is expired?
>
> Quote (using nroff):
> The monkeysphere commands work from a set of user IDs to deter-
> mine acceptable keys for ssh and TLS authentication. OpenPGP
> keys are considered acceptable if the following criteria are met:
> The key must have the "authentication" ("a") usage flag set. The
> key itself must be valid, i.e. it must be well-formed, not ex-
> pired, and not revoked. The relevant user ID must be signed by a
> trusted identity certifier.

Thanks. This is what i searched for. I should read the manual more
precisely ;)

>
>
> According to the gnupg.info manual it is possible to use the gpg.agent
> "as a drop-in replacement" for the ssh-agent (and I'd prefer doing
> that)

I know that. But i saw not really an advantage to using the gpg agent,
except of the using of TTL's for keys i want to add.
What are your points to use the gpg-agent instead the ssh-agent?

Thanks for your comments
Marko

-- 
Marko Bauhardt
marko.bauhardt at mailbox.org

Please protect my and your privacy, use PGP
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101

From stebe at mailbox.org  Tue Feb 16 13:56:37 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 16 Feb 2016 12:56:37 +0000
Subject: using an expired GPG key with ssh
In-Reply-To:
References: <1D3E35FA-1107-47C5-BF32-B671254F72AF@mailbox.org>
 <56C28F76.50202@mailbox.org>
Message-ID: <56C31C85.6020502@mailbox.org>

Hi Marko,

Marko Bauhardt:
>
>> According to the gnupg.info manual it is possible to use the gpg.agent
>> "as a drop-in replacement" for the ssh-agent (and I'd prefer doing
>> that)
>
> I know that. But i saw not really an advantage to using the gpg agent, except of the using of TTL's for keys i want to add.
> What are your points to use the gpg-agent instead the ssh-agent?
>

Using (or trying to setup) gpg-agent as a replacement for ssh-agent is
just based on one idea: if you deal with gpg-keys, have the "original"
application handle all key-related stuff, it was designed for doing so.
If nothing else interferes, less errors should occur and less attack
surface is presented. It merely is intuition, not science.

Cheers,
Stebe

From stebe at mailbox.org  Tue Feb 16 14:17:41 2016
From: stebe at mailbox.org (stebe at mailbox.org)
Date: Tue, 16 Feb 2016 13:17:41 +0000
Subject: Some questions about working with different versions of GnuPG and the fsfe's card on subkeys doc [UPDATED]]
In-Reply-To: <56C26445.8030809@mailbox.org>
References: <1188340697.3745.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
 <982576660.5119.3bc8b885-bbb8-40e2-98ba-4a6430ac5f35.open-xchange@office.mailbox.org>
 <56C1D05F.8020801@mailbox.org>
 <56C26445.8030809@mailbox.org>
Message-ID: <56C32175.1070909@mailbox.org>

UPDATE (see below)

stebe at mailbox.org:
>
>
> stebe at mailbox.org:
>>
>>
>> stebe at mailbox.org:
> [...]
>>
> [...]
>>
>> I have problems getting GnuPG v.2.0.19 to work with the Nitrokey Pro USB
>> Smart Card (reader is integrated into device). After importing the
>> pubkey and connecting the Smart Card I performed these steps:
>>
>> #Gnome Keyring already being disabled, being installed the following
>> packages: opensc, pcscd, libccid, Nitrokey udev rules installed, having
>> performed a udevd stop and restart, and added required strings to
>> /etc/libccid_Info.plist :
>>
> [...]
>> I checked the Nitrokey support docs, their FAQ, in addition to (1) and
>> (2) the gpg manpages and the gnupg info manual. Is there anyone that
>> has/had similar problems? What else can I check for troubleshooting?
>> In fact, the device is being recognized using gpg but I'd like to use it
>> with gpg2.
>>
> [...]
>
> It has turned out that my off-line FAQ copy did not include a section
> that must have been added recently, detailing the package versions of
> the required components. This may be one/the reason for gpg2 not being
> able to connect to the Nitrokey. I detail it below so that other users
> might benefit from it.
>
> GnuPG 2.0.18 or newer. We recommend the 2.0 main version. 2.1 is still a
> bit unstable.
>
> OpenSC 0.15 is not sufficient and you would need its nightly builds or
> compile it from their git repository.
>
> libccid 1.4.22
>
> being the last two requirements those that are not met by my system's
> configuration.

Without any intention of bothering you, I want to add the following to
be precise and provide useful information:

On debian-wheezy scdaemon is not being installed along with gnupg
2.0.19, but only with gpgsm, so I didn't even have the scdaemon
installed, - and, in fact, gpg complained about that: no card daemon!!

I'll now have another problem I have noticed when reading Neal's comment
on (1)

Quote:
Also, gpg 1.4 and gpg 2.0 can't merge secret keys (this limitation has
been removed in gpg 2.1). As such, if you try to reimport your secret
keys, it won't work. Instead, you have to delete the secret key database
and then reimport.

As the card was recognized by gpg1 and sub key stubs had been recreated
in secring.gpg, having the whole thing configured again, this time using
gpg2, will force me to delete secring.gpg beforehand. (if I understand
things correctly)

(1) https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/

Cheers,
Stebe

From marko.bauhardt at mailbox.org  Tue Feb 16 20:26:48 2016
From: marko.bauhardt at mailbox.org (Marko Bauhardt)
Date: Tue, 16 Feb 2016 20:26:48 +0100
Subject: using an expired GPG key with ssh
In-Reply-To: <56C31C85.6020502@mailbox.org>
References: <1D3E35FA-1107-47C5-BF32-B671254F72AF@mailbox.org>
 <56C28F76.50202@mailbox.org>
 <56C31C85.6020502@mailbox.org>
Message-ID: <09974982-33CC-4A9A-883A-F6B0AFD40942@mailbox.org>

>>
>> I know that. But i saw not really an advantage to using the gpg agent, except of the using of TTL's for keys i want to add.
>> What are your points to use the gpg-agent instead the ssh-agent?
>>
>
> Using (or trying to setup) gpg-agent as a replacement for ssh-agent is
> just based on one idea: if you deal with gpg-keys, have the "original"
> application handle all key-related stuff, it was designed for doing so.
> If nothing else interferes, less errors should occur and less attack
> surface is presented. It merely is intuition, not science.

Makes total sense. I will try that out.

Marko

-- 
Marko Bauhardt
marko.bauhardt at mailbox.org

Please protect my and your privacy, use PGP
Key ID: 53192101
Fingerprint: DC0F E851 82A3 72E3 7FE1 ACDB 970C FD47 5319 2101

From rjh at sixdemonbag.org  Thu Feb 18 02:21:36 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Feb 2016 20:21:36 -0500
Subject: NYT on surveillance
Message-ID: <56C51CA0.5090006@sixdemonbag.org>

http://www.nytimes.com/2016/02/17/us/report-says-networks-give-nsa-less-data-than-long-suspected.html

The NYT is now saying it appears the scope of U.S. surveillance is less
than previously suspected. I have no idea if it's right; take with a
grain of salt.

From dsaklad at gnu.org  Thu Feb 18 21:20:19 2016
From: dsaklad at gnu.org (Don Warner Saklad)
Date: Thu, 18 Feb 2016 15:20:19 -0500
Subject: Anything even easier to use than http://emailselfdefense.org particularly for complete neophytes?
Message-ID: <5imvqxvkho.fsf@fencepost.gnu.org>

Anything even easier to use than http://emailselfdefense.org
particularly for complete neophytes?

From taltman at gmail.com  Thu Feb 18 06:18:32 2016
From: taltman at gmail.com (taltman)
Date: Wed, 17 Feb 2016 21:18:32 -0800
Subject: More information on new 'external password managers' feature?
Message-ID: <56C55428.6050404@gmail.com>

To whom it may concern,

I read with great interest the following GnuPG blog post, that made
reference to a new feature to integrate gpg with 'external password
managers':

https://www.gnupg.org/blog/20150607-gnupg-in-may.html

Where can I read more about this? Is there any end user-facing
documentation available?

Thanks in advance,

~Tomer

---
Encrypted email preferred.
Key fingerprint = DFE8 7D60 D452 9C4F 5D1F 7515 F55F BB30 1719 7991

From Michael.Harman at uhsinc.com  Wed Feb 17 17:34:05 2016
From: Michael.Harman at uhsinc.com (Harman, Michael)
Date: Wed, 17 Feb 2016 16:34:05 +0000
Subject: Use of --passphrase-file
Message-ID: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz>

I am attempting to automate a process that decrypts files. The files are
encrypted with my key which has a passphrase. I have determined I can
use the "--passphrase-file" option to get the passphrase of my key.
In the gpg documentation at
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html,
under "--passphrase-file file" it says "Don't use this option if you can
avoid it", but I can't find any alternative solution in the
documentation. I found one blog that says to just remove the passphrase,
however I'd like to preserve the passphrase. Do you have any
recommendations where I can have a passphrase but still use it in an
unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 610.768.3416

UHS of Delaware, Inc. Confidentiality Notice: This e-mail message,
including any attachments, is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution of this
information is prohibited, and may be punishable by law. If this was
sent to you in error, please notify the sender by reply e-mail and
destroy all copies of the original message.

From sbutler at fchn.com  Thu Feb 18 22:56:21 2016
From: sbutler at fchn.com (Steve Butler)
Date: Thu, 18 Feb 2016 21:56:21 +0000
Subject: Use of --passphrase-file
In-Reply-To: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz>
References: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz>
Message-ID:

Any "secure" storage for the passphrase will itself need a mechanism to
"unlock". This only digs the hole one more level down. Only you can
decide when to stop digging. But remember, whatever the automated script
can do, a human following the script can also do. [Note to self, use
"hacker" instead of "human" next time.]

After wrestling with this for some time several years ago, I came to the
conclusion that I could only delay the inevitable and could not prevent
it.
In my case I chose to "hide" the plaintext passphrase in a fashion that
kept the casual looker (non-hacker) at bay (1 level down) but was real
easy to implement and didn't require another password/phrase. Any
serious programmer could easily read the code and reveal the passphrase.
Then I limit who has access to that particular box.

Stephen M. Butler, PMP, PSM
IT Manager - Software Engineering
First Choice Health Network
Email: sbutler at fchn.com
Voice: 206-268-2309
Fax: 206-268-6173

From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Harman, Michael
Sent: Wednesday, February 17, 2016 8:34 AM
To: gnupg-users at gnupg.org
Subject: Use of --passphrase-file

I am attempting to automate a process that decrypts files. The files are
encrypted with my key which has a passphrase. I have determined I can
use the "--passphrase-file" option to get the passphrase of my key. In
the gpg documentation at
https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html,
under "--passphrase-file file" it says "Don't use this option if you can
avoid it", but I can't find any alternative solution in the
documentation. I found one blog that says to just remove the passphrase,
however I'd like to preserve the passphrase. Do you have any
recommendations where I can have a passphrase but still use it in an
unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 610.768.3416

From brian at minton.name  Thu Feb 18 23:09:49 2016
From: brian at minton.name (Brian Minton)
Date: Thu, 18 Feb 2016 22:09:49 +0000
Subject: Use of --passphrase-file
In-Reply-To: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz>
References: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz>
Message-ID:

A pretty good option is to use gpg-agent. It can keep your
passphrase/secret key in (secure) memory for a few minutes so you can
use the key in scripted tasks.

On Thu, Feb 18, 2016, 4:24 PM Harman, Michael wrote:

> I am attempting to automate a process that decrypts files. The files are
> encrypted with my key which has a passphrase. I have determined I can use
> the "--passphrase-file" option to get the passphrase of my key. In the gpg
> documentation at
> https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html,
> under "--passphrase-file file" it says "Don't use this option if you can
> avoid it", but I can't find any alternative solution in the documentation.
> I found one blog that says to just remove the passphrase, however I'd like
> to preserve the passphrase. Do you have any recommendations where I can
> have a passphrase but still use it in an unattended fashion that is secure?
>
>
>
> *Michael W. Harman, MIT* | Senior Application Architect, Information
> Services | *UHS* of Delaware, Inc. | a subsidiary of Universal Health
> Services | Phone 610.768.3416
>

From nickikt at gmail.com  Fri Feb 19 02:12:03 2016
From: nickikt at gmail.com (Nick Zbinden)
Date: Fri, 19 Feb 2016 02:12:03 +0100
Subject: How to configure Smartcard without 'toggle'
Message-ID:

Hallo all,

I have the same issue as in this bug [1]. When I '--edit-key' the
'toggle' command will not show the private keys. I don't understand the
comments in the bugticket and the question asked by 'einalex' seems
relevant.

"perhaps I missed something but...with the command removed how are we
able to see the private keys (esp the details on where they are stored
(smartcards))."

Every single guide I was able to find uses this:

gpg --edit-key 0xXXXXXX
toggle
key 1
keytocard

How can I do this without the 'toggle' command? Am I missing something?
When I just type these commands the Smartcard rejects the keys, so it's
not just a visual problem.

[1] https://bugs.gnupg.org/gnupg/issue1975

From andreadari91 at gmail.com  Fri Feb 19 11:25:28 2016
From: andreadari91 at gmail.com (Andrea Dari)
Date: Fri, 19 Feb 2016 11:25:28 +0100
Subject: A problem in the web of trust model or a gnupg bug?
Message-ID:

Hi,

In my public keyring I have a public key signed in date 19 February 2016
by a user (pbkey) that I trust fully, but the same pbkey of the user
that I trust is revoked in date 18 February 2016.

So the question is, how can it be possible that a pbkey signed after a
key revocation, which could be easily done by a malicious user, is
treated by gnupg as validate fully? This, in my opinion, should break
the chain of trust for keys signed after a key revocation.

A possible solution could be to change the trust of the key revoked from
full to untrusted, but in that case all the keys signed before the
revocation will be treated as validate unknown which is not what a user
could want.

Thanks to those who want to respond.

Andrea

From andrewg at andrewg.com  Fri Feb 19 12:33:07 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 19 Feb 2016 11:33:07 +0000
Subject: A problem in the web of trust model or a gnupg bug?
In-Reply-To:
References:
Message-ID: <56C6FD73.4010304@andrewg.com>

On 19/02/16 10:25, Andrea Dari wrote:
> Hi,
>
> In my public keyring I have a public key signed in date 19 February 2016
> by a user (pbkey) that I trust fully, but the same pbkey of the user
> that I trust is revoked in date 18 February 2016.

Are both dates in GMT?

A

From andreadari91 at gmail.com  Fri Feb 19 13:37:01 2016
From: andreadari91 at gmail.com (Andrea Dari)
Date: Fri, 19 Feb 2016 13:37:01 +0100
Subject: A problem in the web of trust model or a gnupg bug?
In-Reply-To: <56C6FD73.4010304@andrewg.com>
References: <56C6FD73.4010304@andrewg.com>
Message-ID:

Yes, both GMT.

Andrea

2016-02-19 12:33 GMT+01:00 Andrew Gallagher :

> On 19/02/16 10:25, Andrea Dari wrote:
> > Hi,
> >
> > In my public keyring I have a public key signed in date 19 February 2016
> > by a user (pbkey) that I trust fully, but the same pbkey of the user
> > that I trust is revoked in date 18 February 2016.
>
> Are both dates in GMT?
>
> A
>

From peter at digitalbrains.com  Fri Feb 19 14:26:12 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 19 Feb 2016 14:26:12 +0100
Subject: A problem in the web of trust model or a gnupg bug?
In-Reply-To:
References: <56C6FD73.4010304@andrewg.com>
Message-ID: <56C717F4.1050402@digitalbrains.com>

I can't reproduce this. A revocation correctly invalidates any
certifications *both* before or after the moment of revocation.
After all, the time can be faked.[1] I tested with no "revocation reason" specified, by the way. But I don't think GnuPG uses the revocation reason for anything, although I'm not 100% sure. Could you show some of the output you get, possibly redacted for privacy? As a very simple explanation, are you overlooking a different certification on the key that is still valid and trusted? I used GnuPG 2.1.11. HTH, Peter. [1] Other than that, if you revoke a key using the revocation certificate you made when the key was created, it will show a revocation date equal to the creation date even though you only uploaded the certificate years later, for example. Even if only certifications made after revocation would be invalidated, that situation would still invalidate all revocations, since they're all later than the key creation. This is not very relevant to your problem, though, I just thought it was an interesting observation. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From andreadari91 at gmail.com Fri Feb 19 15:12:34 2016 From: andreadari91 at gmail.com (Andrea Dari) Date: Fri, 19 Feb 2016 15:12:34 +0100 Subject: A problem in the web of trust model or a gnupg bug? In-Reply-To: <56C717F4.1050402@digitalbrains.com> References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com> Message-ID: 1) This is the general situation: http://pastebin.com/NXuJj2h5 User one is the user that I fully trust and has a revocation dated on 18 February 2016 2) Here you can see User one pbkey details: http://pastebin.com/g2tQKzPN 3) Here you can see that user three is treated with validity = full even if it is signed after the revocation of User one key. http://pastebin.com/EEGXcNa2 Fortunately, this is not a real situation, but I tested it to understand what happened in these cases, because I wasn't able to find any documentation about it.
2016-02-19 14:26 GMT+01:00 Peter Lebbing : > I can't reproduce this. A revocation correctly invalidates any > certifications *both* before or after the moment of revocation. After > all, the time can be faked.[1] > > I tested with no "revocation reason" specified, by the way. But I don't > think GnuPG uses the revocation reason for anything, although I'm not > 100% sure. > > Could you show some of the output you get, possibly redacted for privacy? > > As a very simple explanation, are you overlooking a different > certification on the key that is still valid and trusted? > > I used GnuPG 2.1.11. > > HTH, > > Peter. > > [1] Other than that, if you revoke a key using the revocation > certificate you made when the key was created, it will show a revocation > date equal to the creation date even though you only uploaded the > certificate years later, for example. Even if only certifications made > after revocation would be invalidated, that situation would still > invalidate all revocations, since they're all later than the key > creation. This is not very relevant to your problem, though, I just > thought it was an interesting observation. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at From peter at digitalbrains.com Fri Feb 19 15:27:13 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 19 Feb 2016 15:27:13 +0100 Subject: A problem in the web of trust model or a gnupg bug? In-Reply-To: References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com> Message-ID: <56C72641.7040005@digitalbrains.com> On 19/02/16 15:12, Andrea Dari wrote: > 1) This is the general situation: I don't see why this unexpectedly keeps user three fully valid... it looks like you're right and three should be invalid. Do you have any funny stuff in gpg.conf?
For which of these keys do you have the private key installed in this installation of GnuPG? I don't think the latter should matter, but it could be useful to know... Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From andreadari91 at gmail.com Fri Feb 19 15:33:31 2016 From: andreadari91 at gmail.com (Andrea Dari) Date: Fri, 19 Feb 2016 15:33:31 +0100 Subject: A problem in the web of trust model or a gnupg bug? In-Reply-To: <56C72641.7040005@digitalbrains.com> References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com> <56C72641.7040005@digitalbrains.com> Message-ID: I use the default Debian gnupg packet config, I have only Andrea Dari's private key. I tested it also with gnupg v2.x but it still has the same problem. 2016-02-19 15:27 GMT+01:00 Peter Lebbing : > On 19/02/16 15:12, Andrea Dari wrote: > > 1) This is the general situation: > > I don't see why this unexpectedly keeps user three fully valid... it > looks like you're right and three should be invalid. Do you have any > funny stuff in gpg.conf? For which of these keys do you have the private > key installed in this installation of GnuPG? I don't think the latter > should matter, but it could be useful to know... > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at From wk at gnupg.org Fri Feb 19 16:12:23 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 19 Feb 2016 16:12:23 +0100 Subject: How to configure Smartcard without 'toggle' In-Reply-To: (Nick Zbinden's message of "Fri, 19 Feb 2016 02:12:03 +0100") References: Message-ID: <87fuwoag4o.fsf@wheatstone.g10code.de> Hi, if you have a problem with GnuPG, please always specify the version you are using and best also the OS.
For cards it is also useful to tell us the reader you are using. The first few lines of gpg --version are the best way to show us the version (you may need to type "gpg2"). Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From kloecker at kde.org Fri Feb 19 19:20:22 2016 From: kloecker at kde.org (Ingo Klöcker) Date: Fri, 19 Feb 2016 19:20:22 +0100 Subject: A problem in the web of trust model or a gnupg bug? In-Reply-To: References: <56C717F4.1050402@digitalbrains.com> Message-ID: <1743284.FdSXWmSXvb@thufir> On Friday 19 February 2016 15:12:34 Andrea Dari wrote: > 1) This is the general situation: > > http://pastebin.com/NXuJj2h5 > > User one is the user that I fully trust and has a revocation dated on > 18 February 2016 > > 2) Here you can see User one pbkey details: > > http://pastebin.com/g2tQKzPN > > 3) Here you can see that user three is treated with validity = full > even if it is signed after the revocation of User one key. > > http://pastebin.com/EEGXcNa2 > > Fortunately, this is not a real situation, but I tested it to > understand what happened in these cases, because I wasn't able to find > any documentation about it. Did you run "gpg --check-trustdb" after you revoked the key of User one? Regards, Ingo From andreadari91 at gmail.com Fri Feb 19 19:47:28 2016 From: andreadari91 at gmail.com (Andrea Dari) Date: Fri, 19 Feb 2016 19:47:28 +0100 Subject: A problem in the web of trust model or a gnupg bug? In-Reply-To: <1743284.FdSXWmSXvb@thufir> References: <56C717F4.1050402@digitalbrains.com> <1743284.FdSXWmSXvb@thufir> Message-ID: Nope I didn't, now it works! This time gpg didn't run that command by itself.
Thanks Ingo Andrea 2016-02-19 19:20 GMT+01:00 Ingo Klöcker : > On Friday 19 February 2016 15:12:34 Andrea Dari wrote: > > 1) This is the general situation: > > > > http://pastebin.com/NXuJj2h5 > > > > User one is the user that I fully trust and has a revocation dated on > > 18 February 2016 > > > > 2) Here you can see User one pbkey details: > > > > http://pastebin.com/g2tQKzPN > > > > 3) Here you can see that user three is treated with validity = full > > even if it is signed after the revocation of User one key. > > > > http://pastebin.com/EEGXcNa2 > > > > Fortunately, this is not a real situation, but I tested it to > > understand what happened in these cases, because I wasn't able to find > > any documentation about it. > > Did you run "gpg --check-trustdb" after you revoked the key of User one? > > > Regards, > Ingo From peter at digitalbrains.com Fri Feb 19 20:12:48 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 19 Feb 2016 20:12:48 +0100 Subject: A problem in the web of trust model or a gnupg bug? In-Reply-To: References: <56C717F4.1050402@digitalbrains.com> <1743284.FdSXWmSXvb@thufir> Message-ID: <56C76930.2020409@digitalbrains.com> On 19/02/16 19:47, Andrea Dari wrote: > This time gpg didn't run that command by itself. Huh. That's odd. I've never observed GnuPG neglecting to update it automatically when something might have changed. But I'm glad you figured it out, it was pretty weird. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy.
My key is available at From listofactor at mail.ru Fri Feb 19 19:54:38 2016 From: listofactor at mail.ru (listo factor) Date: Fri, 19 Feb 2016 18:54:38 +0000 Subject: Documentation format In-Reply-To: <56B5E252.6070106@sixdemonbag.org> References: <56B5E252.6070106@sixdemonbag.org> Message-ID: <56C764EE.4060206@mail.ru> On 02/06/2016 12:08 PM, Robert J. Hansen - rjh at sixdemonbag.org wrote: > Since I seem to have become the doyen of documentation, I figure I > should ask: what markup language and/or output formats should we be > pursuing for future documentation work? Whatever you decide to use, I suggest to consider the likely split between the frequency of electronic vs. paper reading. If I was doing it, my primary concern would be the ability of the chosen format to support flexible, "read-time" formatting for electronic displays of both 'pad and desktop monitor size. I also believe colour has no place in such publications. All just IMHO, and from someone who does not even remember when he last printed a computer manual... Factor From Michael.Harman at uhsinc.com Fri Feb 19 15:17:01 2016 From: Michael.Harman at uhsinc.com (Harman, Michael) Date: Fri, 19 Feb 2016 14:17:01 +0000 Subject: Use of --passphrase-file In-Reply-To: References: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz> Message-ID: <6ab272c2b7ee45a38e1ecdbf27d5b8d1@CORP-EX13KP203.corp.uhsinc.biz> Thanks Brian. I think I tried this but I couldn't figure out how to completely hide the passphrase so no one could get to it. Maybe I was using it incorrectly. Since this is an unattended operation that runs day and night, I wanted to secure the passphrase so gpg could get to it without human intervention, but not let anyone else see or know where it was stored. Mike Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc.
| a subsidiary of Universal Health Services | Phone 610.768.3416 From: Brian Minton [mailto:brian at minton.name] Sent: Thursday, February 18, 2016 3:10 PM To: Harman, Michael; gnupg-users at gnupg.org Subject: Re: Use of --passphrase-file A pretty good option is to use gpg-agent. It can keep your passphrase/secret key in (secure) memory for a few minutes so you can use the key in scripted tasks. On Thu, Feb 18, 2016, 4:24 PM Harman, Michael wrote: I am attempting to automate a process that decrypts files. The files are encrypted with my key which has a passphrase. I have determined I can use the "--passphrase-file" option to get the passphrase of my key. In the gpg documentation at https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, under "--passphrase-file file" it says "Don't use this option if you can avoid it", but I can't find any alternative solution in the documentation. I found one blog that says to just remove the passphrase, however I'd like to preserve the passphrase. Do you have any recommendations where I can have a passphrase but still use it in an unattended fashion that is secure? Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 610.768.3416 UHS of Delaware, Inc. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this information is prohibited, and may be punishable by law. If this was sent to you in error, please notify the sender by reply e-mail and destroy all copies of the original message.
From Michael.Harman at uhsinc.com Fri Feb 19 15:05:15 2016 From: Michael.Harman at uhsinc.com (Harman, Michael) Date: Fri, 19 Feb 2016 14:05:15 +0000 Subject: Use of --passphrase-file In-Reply-To: References: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz> Message-ID: <07ebbc215ec64bcb8bd09d64463e0d05@CORP-EX13KP203.corp.uhsinc.biz> Thanks Steve for your feedback! I spent a lot of time jotting down all the different ways to do this, including encrypting the passphrase file, adding some kind of trust to the key if possible or putting the passphrase inline in the code and then locking down the code itself. As you point out, any solution does not prevent someone from finding the passphrase if they really know how and where to look. I'll hide the passphrase and then lock it down with security. Thanks again, Mike Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 610.768.3416 From: Steve Butler [mailto:sbutler at fchn.com] Sent: Thursday, February 18, 2016 2:56 PM To: Harman, Michael; gnupg-users at gnupg.org Subject: RE: Use of --passphrase-file Any "secure" storage for the passphrase will itself need a mechanism to "unlock". This only digs the hole one more level down. Only you can decide when to stop digging. But remember, whatever the automated script can do, a human following the script can also do.
[Note to self, use "hacker" instead of "human" next time.] After wrestling with this for some time several years ago, I came to the conclusion that I could only delay the inevitable and could not prevent it. In my case I chose to "hide" the plaintext passphrase in a fashion that kept the casual looker (non-hacker) at bay (1 level down) but was real easy to implement and didn't require another password/phrase. Any serious programmer could easily read the code and reveal the passphrase. Then I limit who has access to that particular box. Stephen M. Butler, PMP, PSM IT Manager - Software Engineering First Choice Health Network Email: sbutler at fchn.com Voice: 206-268-2309 Fax: 206-268-6173 From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Harman, Michael Sent: Wednesday, February 17, 2016 8:34 AM To: gnupg-users at gnupg.org Subject: Use of --passphrase-file I am attempting to automate a process that decrypts files. The files are encrypted with my key which has a passphrase. I have determined I can use the "--passphrase-file" option to get the passphrase of my key. In the gpg documentation at https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, under "--passphrase-file file" it says "Don't use this option if you can avoid it", but I can't find any alternative solution in the documentation. I found one blog that says to just remove the passphrase, however I'd like to preserve the passphrase. Do you have any recommendations where I can have a passphrase but still use it in an unattended fashion that is secure? Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 610.768.3416 CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
From nickikt at gmail.com Fri Feb 19 18:04:17 2016 From: nickikt at gmail.com (Nick Zbinden) Date: Fri, 19 Feb 2016 18:04:17 +0100 Subject: How to configure Smartcard without 'toggle' In-Reply-To: <87fuwoag4o.fsf@wheatstone.g10code.de> References: <87fuwoag4o.fsf@wheatstone.g10code.de> Message-ID: Hi, Sorry. The information is basically in the linked issue. I had the problem months ago and there was no solution. Now I retried and I still have the same problem. Back then it was probably 'gnupg-2.1.3.3' now it is the newest version from Arch Linux Repo '2.1.11-1'.
I want to set up a Yubikey 4 Nano: Reader ...........: 1050:0405:X:0 Application ID ...: D2760001240102010006041562870000 Version ..........: 2.1 Manufacturer .....: Yubico Since I never got to the point where the SmartCard is relevant, I don't think it has anything to do with the problem. My problem is that I can not select the private keys, because I can not use 'toggle'. Thanks for your help! 2016-02-19 16:12 GMT+01:00 Werner Koch : > Hi, > > if you have a problem with GnuPG, please always specify the version you > are using and best also the OS. For cards it is also useful to tell us > the reader you are using. > > The first few lines of > > gpg --version > > are the best way to show us the version (you may need to type "gpg2"). > > > Shalom-Salam, > > Werner > > -- > Thoughts are free. Exceptions are regulated by a federal law. From eric.pruitt at gmail.com Sat Feb 20 01:09:55 2016 From: eric.pruitt at gmail.com (Eric Pruitt) Date: Fri, 19 Feb 2016 16:09:55 -0800 Subject: When to use GPG flags Message-ID: <20160220000955.GA3057@sinister.codevat.com> I'm writing an email client with support for PGP encrypted and signed messages using GPG. I've noticed that GPG seems to do the right thing in many situations regardless of the flags used which makes it hard to know if I'm passing it the correct flags. For example, if I pipe a clearsigned message into GPG using "gpg --decrypt", GPG verifies the clearsigned signature and strips the "---BEGIN PGP...." and "---END PGP..." blocks. I would expect GPG to raise an error because it doesn't get any encrypted data. Is there some type of GPG "strict mode" that will make GPG exit unsuccessfully when processing certain types of data with flags that don't match?
Ignoring buffer overflow and flaws in the GPG code, is there any danger of remote execution by piping arbitrary messages into "gpg" without _any_ flags at all (GPG seems to "do the right thing" in many situations when no flags are provided at all)? Eric From taltman at gmail.com Sat Feb 20 07:15:16 2016 From: taltman at gmail.com (taltman) Date: Fri, 19 Feb 2016 22:15:16 -0800 Subject: Using gpg-agent for git credentials? Message-ID: <56C80474.9040401@gmail.com> Hello GPG experts, I just recently ran into a git-based service that required password authentication, and didn't support public-key authentication. They suggested that I could use git credentials for accessing the service, and for providing options for storing or caching the password: https://git-scm.com/docs/gitcredentials Something about git acting as a password cache didn't sit right with me. Seems like credential management would be better done using gpg-agent. There are ways to use external credential management programs with git, like Gnome Keyring: https://stackoverflow.com/questions/13385690/how-to-use-git-with-gnome-keyring-integration So it seems like it should be possible to connect git with gpg-agent. One work-around presented here is to use gpg to encrypt a .netrc file with your private key, and then use gpg-agent to cache the password: https://stackoverflow.com/questions/18838579/how-to-store-your-github-https-password-on-linux-in-a-terminal-keychain But it seems like the above approach leaves the .netrc unencrypted on disk at least temporarily, and it isn't as "seamless" as using Gnome keyring. In the Git documentation above, there is a mechanism to specify a program to invoke to fetch credentials, using the GIT_ASKPASS or SSH_ASKPASS environmental variables. It seems like this might present a way to invoke gpg-agent, but I'm not sure how.
Based on documentation it seems that these environment variables are usually used to invoke pinentry programs. If anyone has experience with this, or advice on how to achieve this integration, I would be greatly appreciative of your help. Thank you, ~Tomer -- --- Encrypted email preferred. http://taltman.sdf.org/public_key.asc Key fingerprint = DFE8 7D60 D452 9C4F 5D1F 7515 F55F BB30 1719 7991 From dgouttegattat at incenp.org Sat Feb 20 09:46:09 2016 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Sat, 20 Feb 2016 09:46:09 +0100 Subject: How to configure Smartcard without 'toggle' In-Reply-To: References: <87fuwoag4o.fsf@wheatstone.g10code.de> Message-ID: <56C827D1.2040906@incenp.org> On 02/19/2016 06:04 PM, Nick Zbinden wrote: > My problem is that I can not select the private keys, because I can not use 'toggle'. You do not need the 'toggle' command to select the private keys. Using the 'key' command alone is enough: $ gpg2 --edit-key alice Secret key is available.
sec rsa2048/2EADF7D4 created: 2015-06-05 expires: 2018-06-04 usage: SC trust: ultimate validity: ultimate ssb rsa2048/E3293B28 created: 2015-06-05 expires: never usage: E ssb rsa2048/99E238AD created: 2015-06-05 expires: never usage: S [ultimate] (1). Alice Notice that secret keys are already displayed. Now to select the first subkey: gpg> key 1 sec rsa2048/2EADF7D4 created: 2015-06-05 expires: 2018-06-04 usage: SC trust: ultimate validity: ultimate ssb* rsa2048/E3293B28 created: 2015-06-05 expires: never usage: E ssb rsa2048/99E238AD created: 2015-06-05 expires: never usage: S [ultimate] (1). Alice Notice the '*'? It indicates the currently selected subkey. Now you can proceed with the 'keytocard' command. > Since I never got to the point where the SmartCard is relevant, I don't think it has anything to do with the problem. In your first message you said "the SmartCard rejects the key", so I would say the SmartCard is definitively relevant. As would be relevant the exact error message that you got when you attempted the 'keytocard' command. From e.stanley at iragan.com Sat Feb 20 09:47:19 2016 From: e.stanley at iragan.com (Eugene Stanley) Date: Sat, 20 Feb 2016 09:47:19 +0100 Subject: Using gpg-agent for git credentials? In-Reply-To: <56C80474.9040401@gmail.com> References: <56C80474.9040401@gmail.com> Message-ID: <56C82817.3000900@iragan.com> On 20/02/16 07:15, taltman wrote: > Hello GPG experts, > > I just recently ran into a git-based service that required password > authentication, and didn't support public-key authentication.
> > They suggested that I could use git credentials for accessing the > service, and for providing options for storing or caching the password: > > https://git-scm.com/docs/gitcredentials > > Something about git acting as a password cache didn't sit right with me. > Seems like credential management would be better done using gpg-agent. > > There are ways to use external credential management programs with git, > like Gnome Keyring: > > https://stackoverflow.com/questions/13385690/how-to-use-git-with-gnome-keyring-integration > > So it seems like it should be possible to connect git with gpg-agent. Gnome-keyring and gpg-agent don't play well together in my experience, as the former tries to implement partially some features of gpg-agent. I regularly use gpg-agent as my SSH agent, which in turn allows me to use git over SSH for the integration you described. -- eugene > > One work-around presented here is to use gpg to encrypt a .netrc file > with your private key, and then use gpg-agent to cache the password: > > https://stackoverflow.com/questions/18838579/how-to-store-your-github-https-password-on-linux-in-a-terminal-keychain > > But it seems like the above approach leaves the .netrc unencrypted on > disk at least temporarily, and it isn't as "seamless" as using Gnome > keyring. > > In the Git documentation above, there is a mechanism to specify a > program to invoke to fetch credentials, using the GIT_ASKPASS or > SSH_ASKPASS environmental variables. It seems like this might present a > way to invoke gpg-agent, but I'm not sure how. Based on documentation it > seems that these environment variables are usually used to invoke > pinentry programs. > > If anyone has experience with this, or advice on how to achieve this > integration, I would be greatly appreciative of your help.
> > Thank you, > > ~Tomer From ndk.clanbo at gmail.com Sat Feb 20 09:48:13 2016 From: ndk.clanbo at gmail.com (NdK) Date: Sat, 20 Feb 2016 09:48:13 +0100 Subject: Use of --passphrase-file In-Reply-To: <6ab272c2b7ee45a38e1ecdbf27d5b8d1@CORP-EX13KP203.corp.uhsinc.biz> References: <03645b5bc796488c9e27889e81a2b961@CORP-EX13KP203.corp.uhsinc.biz> <6ab272c2b7ee45a38e1ecdbf27d5b8d1@CORP-EX13KP203.corp.uhsinc.biz> Message-ID: <56C8284D.3020906@gmail.com> On 19/02/2016 15:17, Harman, Michael wrote: > Thanks Brian. I think I tried this but I couldn't figure out how to > completely hide the passphrase so no one could get to it. Maybe I was > using it incorrectly. Since this is an unattended operation that runs > day and night, I wanted to secure the passphrase so gpg could get to it > without human intervention, but not let anyone else see or know where it > was stored. What about using a smartcard? You supply the PIN only at boot, then it stays unlocked as long as the system is working. This way an attacker couldn't steal the secret key even if successful at breaking in. BYtE, Diego From peter at digitalbrains.com Sat Feb 20 12:28:44 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 20 Feb 2016 12:28:44 +0100 Subject: When to use GPG flags In-Reply-To: <20160220000955.GA3057@sinister.codevat.com> References: <20160220000955.GA3057@sinister.codevat.com> Message-ID: <56C84DEC.8050100@digitalbrains.com> On 20/02/16 01:09, Eric Pruitt wrote: > For example, if I pipe a clearsigned message into GPG using "gpg > --decrypt", GPG verifies the clearsigned signature and strips the > "---BEGIN PGP...." and "---END PGP..." blocks. For programmatic use of GnuPG, you should really be using a library, preferably GPGME.
That is the supported way of using GnuPG from another program. Calling the gpg command line program directly is for use by humans on a command line.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Sat Feb 20 12:47:47 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 20 Feb 2016 12:47:47 +0100
Subject: Using gpg-agent for git credentials?
In-Reply-To: <56C80474.9040401@gmail.com>
References: <56C80474.9040401@gmail.com>
Message-ID: <56C85263.8000004@digitalbrains.com>

On 20/02/16 07:15, taltman wrote:
> Seems like credential management would be better done using gpg-agent.

You can use the agent for inquiry and /caching/ of your passphrases, but not for /storage/. The difference is in the lifetime: once gpg-agent exits, any cached passphrases are forgotten. It can't be used as a general passphrase store, unfortunately.

As for something completely different, you could use an encrypted partition to store the credentials... It's just a thought.

HTH,

Peter.

[1] https://www.kernel.org/pub/software/scm/git/docs/git-credential.html

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From eric.pruitt at gmail.com Sat Feb 20 18:14:10 2016
From: eric.pruitt at gmail.com (Eric Pruitt)
Date: Sat, 20 Feb 2016 09:14:10 -0800
Subject: When to use GPG flags
In-Reply-To: <56C84DEC.8050100@digitalbrains.com>
References: <20160220000955.GA3057@sinister.codevat.com> <56C84DEC.8050100@digitalbrains.com>
Message-ID: <20160220171410.GA13676@sinister.codevat.com>

On Sat, Feb 20, 2016 at 12:28:44PM +0100, Peter Lebbing wrote:
> For programmatic use of GnuPG, you should really be using a library,
> preferably GPGME. That is the supported way of using GnuPG from another
> program. Calling the gpg command line program directly is for use by
> humans on a command line.

As a human, this behavior is surprising and unintuitive. I use GPG outside of email clients more often than not. I typically use "--encrypt", "--decrypt" and any other flags I think are necessary, but it seems like I don't actually need to bother doing that. Regardless of how I ultimately choose to implement PGP support in my mail client, I would still like to have the questions I asked addressed to understand how GPG handles command line flags.

Eric

From peter at digitalbrains.com Sat Feb 20 18:48:21 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 20 Feb 2016 18:48:21 +0100
Subject: When to use GPG flags
In-Reply-To: <20160220171410.GA13676@sinister.codevat.com>
References: <20160220000955.GA3057@sinister.codevat.com> <56C84DEC.8050100@digitalbrains.com> <20160220171410.GA13676@sinister.codevat.com>
Message-ID: <56C8A6E5.6040304@digitalbrains.com>

On 20/02/16 18:14, Eric Pruitt wrote:
> Regardless of
> how I ultimately choose to implement PGP support in my mail client, I
> would still like to have the questions I asked addressed to understand
> how GPG handles command line flags.

Fine by me.

The difference is that --verify never produces any data output, whereas you use --decrypt to get at the contents of the message.

So for instance, the following message is unencrypted but signed. But you cannot discover what the message is with --verify, since it will just tell you it's a good signature. You use --decrypt to actually look at the contents.
-----BEGIN PGP MESSAGE----- Version: GnuPG v2 owEBYgGd/pANAwAIAZaeAY/ebNyhAcsyYgBWyKS3VGhlIHF1aWNrIGJyb3duIGZv eCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZwqJARwEAAEIAAYFAlbIpLcACgkQlp4B j95s3KGPwwf/bI0Ma3wZV1UOx5ZHtRsMjaCSB/4ntNs0HDh4MPjllRK+/kiQx8I5 7d2dPkfufq3ULS/usgHx3Fyuc/JFywS/rnZBKzhO7X/oBbl26UsHm+WNd5CXHCGP VhiuxcmorgLNPG0Wb8MPPN8KByrhdhv+j8t4wzwki6sbMAoTQm0fZM03YKtCEKcE xtI4PNz/xxAI/2y1qhlzKfRXttnsnuSJp0rTGufct64AWG2/S9r47Yn/XPC/Vxv1 uslPGXA8PuqWiF9Ik+xCgCgkmbh6emzCD3SrMlnu4qJ88GkrxmdCDf5Kut7w3foa UkGJ7QnEdRXGYbJJpIiQqF8ZIejMkQDdxw== =hAWk -----END PGP MESSAGE----- This one isn't even signed; it's just data. -----BEGIN PGP MESSAGE----- Version: GnuPG v2 owE7bZTEEHZiWUxIRqpCYWlmcrZCUlF+eZ5CWn6FQlZpbkGxQn5ZapFCCVA6J7Gq UiElP50LAA== =fx76 -----END PGP MESSAGE----- So --decrypt is: gimme the contents. --verify is: check the validity, but don't ever produce any data. But since you ultimately need to choose a reasonably short name for the option, they're not called --decrypt-verify-or-decode and --verify-only ;). HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From eric.pruitt at gmail.com Sat Feb 20 19:15:27 2016 From: eric.pruitt at gmail.com (Eric Pruitt) Date: Sat, 20 Feb 2016 10:15:27 -0800 Subject: When to use GPG flags In-Reply-To: <56C8A6E5.6040304@digitalbrains.com> References: <20160220000955.GA3057@sinister.codevat.com> <56C84DEC.8050100@digitalbrains.com> <20160220171410.GA13676@sinister.codevat.com> <56C8A6E5.6040304@digitalbrains.com> Message-ID: <20160220181527.GA29998@sinister.codevat.com> On Sat, Feb 20, 2016 at 06:48:21PM +0100, Peter Lebbing wrote: > So --decrypt is: gimme the contents. --verify is: check the validity, > but don't ever produce any data. > > But since you ultimately need to choose a reasonably short name for the > option, they're not called --decrypt-verify-or-decode and --verify-only ;). Great, thanks for the explanation. 
Eric

From janna.martl109 at gmail.com Fri Feb 19 21:59:24 2016
From: janna.martl109 at gmail.com (Janna Martl)
Date: Fri, 19 Feb 2016 13:59:24 -0700
Subject: symmetric encryption and gpg-agent
Message-ID: <20160219205922.GA25482@perseid>

Currently, I'm using gpg to store my email password encrypted on disk, and have configured the programs I use to access the email server (offlineimap and msmtp) to ask gpg-agent for that password. I've set default-cache-ttl in gpg-agent.conf to a very high number, so I enter the passphrase once when I log in and then don't have to enter it again.

Now, I have mixed feelings about how much I trust traditional password managers, and I'm considering the idea of keeping a master password file also symmetrically encrypted by gpg. Since it would be *all* of my passwords, I want to be more careful with it, and don't want the passphrase for the file sitting around in RAM. But currently, since I have gpg-agent running with a high default-cache-ttl, if I encrypt a file with gpg -c, I can decrypt it again later using gpg -d without entering a password, which makes me uncomfortable. I want to be able to use gpg without gpg-agent in this situation, but this seems not to be possible; furthermore, the official documentation discourages using more than one instance of gpg-agent.

So, is there a "good" way to get what I want: my email password stored in a way that I only have to enter a passphrase once, and my master password file stored in a way that I have to enter the passphrase every time I want to look at the file?

Thanks,
-- J.M.

From dsaklad at gnu.org Sat Feb 20 23:57:14 2016
From: dsaklad at gnu.org (Don Warner Saklad)
Date: Sat, 20 Feb 2016 17:57:14 -0500
Subject: What is an appropriate link for IceDove?...
Message-ID: <5itwl3xa5x.fsf@fencepost.gnu.org>

For "#1 GET THE PIECES" at https://emailselfdefense.fsf.org/en/ what is an appropriate link for IceDove?...
>"Before configuring GnuPG though, you'll need the IceDove desktop email program installed on your computer."

From BruderB at cation.de Sun Feb 21 00:35:57 2016
From: BruderB at cation.de (B)
Date: Sun, 21 Feb 2016 00:35:57 +0100
Subject: What is an appropriate link for IceDove?...
In-Reply-To: <5itwl3xa5x.fsf@fencepost.gnu.org>
References: <5itwl3xa5x.fsf@fencepost.gnu.org>
Message-ID: <56C8F85D.4080700@cation.de>

Hej Don,

Icedove is the derivative of Thunderbird in Debian, forked because of licence inconsistency. So, if you're using Debian/GNU Linux, install it from repositories, otherwise install Thunderbird.

B.

On 20.02.2016 at 23:57, Don Warner Saklad wrote:
> For "#1 GET THE PIECES" at https://emailselfdefense.fsf.org/en/ what is an appropriate link for IceDove?...
>
>> "Before configuring GnuPG though, you'll need the IceDove desktop email program installed on your computer."

From rjh at sixdemonbag.org Sun Feb 21 07:32:00 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 21 Feb 2016 01:32:00 -0500
Subject: What is an appropriate link for IceDove?...
In-Reply-To: <5itwl3xa5x.fsf@fencepost.gnu.org>
References: <5itwl3xa5x.fsf@fencepost.gnu.org>
Message-ID: <56C959E0.3070108@sixdemonbag.org>

>> "Before configuring GnuPG though, you'll need the IceDove desktop email program installed on your computer."

http://www.getthunderbird.com

Mozilla's Thunderbird email client is free and open-source software. However, Debian requires that software also be free of trademarks, and Mozilla and Thunderbird are both trademarks. So they take Thunderbird, remove the trademarks, and rebrand it as Icedove.

From dougb at dougbarton.email Sun Feb 21 08:15:26 2016
From: dougb at dougbarton.email (Doug Barton)
Date: Sat, 20 Feb 2016 23:15:26 -0800
Subject: symmetric encryption and gpg-agent
In-Reply-To: <20160219205922.GA25482@perseid>
References: <20160219205922.GA25482@perseid>
Message-ID: <56C9640E.6020307@dougbarton.email>

On 02/19/2016 12:59 PM, Janna Martl wrote:
> So, is there a "good" way to get what I want: my email password stored
> in a way that I only have to enter a passphrase once, and my master
> password file stored in a way that I have to enter the passphrase every
> time I want to look at the file?

Rather than using PGP to encrypt a master password file use a tool like KeePass which is specifically designed for the purpose.

Doug

From peter at digitalbrains.com Sun Feb 21 14:37:11 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 21 Feb 2016 14:37:11 +0100
Subject: (OT) What is an appropriate link for IceDove?...
In-Reply-To: <56C959E0.3070108@sixdemonbag.org>
References: <5itwl3xa5x.fsf@fencepost.gnu.org> <56C959E0.3070108@sixdemonbag.org>
Message-ID: <76a74ece91200c3b443cdc43bdeb5c73@butters.digitalbrains.com>

On 2016-02-21 07:32, Robert J. Hansen wrote:
> However, Debian requires that software also be free of trademarks, and
> Mozilla and Thunderbird are both trademarks. So they take Thunderbird,
> remove the trademarks, and rebrand it as Icedove.

Broadly, I believe it's more that Debian wishes to be able to include patches they wrote in their distribution of Thunderbird, and Mozilla wishes to vet and approve each individual patch before allowing Debian to use the trademarked name. Because Debian does not want to run each of their patches by Mozilla for approval, they decided not to use the trademarked name.

I'm pretty sure there are trademarked names in Debian, and that Debian allows this.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From cannon at cannon-ciota.info Sun Feb 21 12:13:36 2016
From: cannon at cannon-ciota.info (CANNON NATHANIEL CIOTA)
Date: Sun, 21 Feb 2016 05:13:36 -0600
Subject: Compact smartcard reader with pin entry?
Message-ID:

I have a securely generated and stored PGP key on a smartcard. I wish to use my smartcard for email signing & decryption. Problem is that I am unable to do this since my current CAC reader does not have a built in pin entry. No point in smartcards if a keylogger can just simply harvest the pin then make use of the smartcard for signing/decryption whenever it is plugged in. This is a very real possibility. In fact there is a case where malware has done this in the past on DoD systems.

All the smartcard readers I have seen are unnecessarily massively bulky the size of a brick or untrusted hardware. What are recommendations for a compact CAC reader with built in pin entry from a trusted brand that works with GnuPG smartcards?

--
Cannon N. Ciota
Digital Identity (namecoin): id/cannon
Website: www.cannon-ciota.info
Email: cannon at cannon-ciota.info
PGP Fingerprint: E7FB 0605 1BD4 8B88 B7BC 91A4 7DF7 76C7 25A6 AEE2

From jb.1234abcd at gmail.com Sun Feb 21 22:24:51 2016
From: jb.1234abcd at gmail.com (J B)
Date: Sun, 21 Feb 2016 22:24:51 +0100
Subject: Failure of comparison of valid pub key's .asc files
Message-ID:

Hi,

My system is Arch linux.
Linux myhost 4.4.1-2-ARCH #1 SMP PREEMPT Wed Feb 3 13:12:33 UTC 2016 x86_64 GNU/Linux
gnupg 2.1.11-1
gpgme 1.6.0-2
libgpg-error 1.21-1

I have a problem with comparing contents of public key ascii files from two sources:

1.
downloaded from web page .asc file $ cat 0xC65285EC.asc -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQENBFUGFsQBCACV0oz1c96lPXq//jqEZLf3cWcv6bS5YSTbi9h1SH+O846Xl/DG iVNx+FQyt7oiyCnkd0sL2HLHut6GUSvBvpdFO32DTHxcV6ibE+vQ0SeXzLOLRVBT jrFORwSVZ5IcW6y9Hs/PusUOzT4MA6JOvuRFD8UVYETZCU3z3GPXYBztiqcsqo2p 2srJmxlRUNKHI5XM0h4Q03LqBqi23g+5cijyj5TX6X5ubIHNUc2KQcGtA5JYbvyc HvGsQK6umWQPgK7rO4L8doAD1kxpEhm+ckLXUfxSoKEUDOExSN0A7+bozDsV5a6j CfQvOtVe4KLN1IayFEmRWdl9AEKL/w6f2oBfABEBAAG0InRyYXZhOTAgPHRyYXZh d2luZUBwcm90b25tYWlsLmNvbT6JATcEEwEIACEFAlUGFsQCGwMFCwkIBwIGFQgJ CgsCBBYCAwECHgECF4AACgkQhl5sh8ZShey4mgf9EaBrcFOBxFACCJdWH5zXl+Qt +web3WZ9ELebpu9nTV7gta40Zy1Zc5FUGSxI9sxfbbSkc0Ob6eSx7qisZhOtaekz g7t1DU4xPDNkzAUhj7P+soQeFNGwU0h7V58lMbjVVSXbGTgVm0FHndC5QbwK5Qzn lGzA6nmzXDiFqd/asHa/1KMk4d8JDgotcsHcqYhkW4bv1tj4jSDquG2iyEj1eE3u 7nIrfDGMlCweeBclLWVGG4RVfFXrBMr21NE0bRsiJF5c1PNsC8tmzTPfCVWvZauv heFptUzs2d+YjxSjkDAEUYV3EVGvzD1rhH630u/lLA/CSOHqQnTT5jbQkRzTxokC HAQTAQIABgUCVVdfxgAKCRBASB57j8+c7IgbEACwOsKosf0ZaPon9jkih8oGgdaK rxNQuQZK13hICBMaol7ufjwcmf0Im5sGfdB1McpOL+bd5kDRicBtSZtORrV76H4A y5DhevbIgrClC3XGwpdl4vRSmzybekyYUaunY6dAVKDDMUxDJTo4S1+MBC93wYTx llunL4voBAyqmWxD2wUXLripbwE70jHk3HGZRwPWZ0JZ4VJUFduEL/UdL6gKbu0B jUQAOq9alQsnKUkZwBatcrYqRTrdQQZ1NNmYr3NZwtc/87y/EDLaEG7nQrR6Pm8t ImiFRVhd12Qw27KmUyyQeijuW9XqXUDA1yF+IqR0ZBaesGes/hAsFdZDdWk27x/1 Pe+UNONgsy1rsy9GiTeyd+GcDBH3A1TVoXjJB1A06S7KUQsUDWBOlH5iW5LzEk2w eQt1dB9O35gIiZ2tdkxRO0bHecx6+O2WlkOcYlOhTqy37PeRL3q2s5ItxNuxeEsX WRu9GgGbMEFgkB3T9pCu2RG+bD+XFSVpRYZ4X+hiT9KEuczuB4gXDMqAA5BL20K2 QH31PrlL6vRP7bkvrcUr/Ovoy1AqRJY66ivVuyviDGuJd5iGsYvt+OOPN4J/xRl8 NVHw6Fz9cND/4PVZLrgJdirQ85y/3poaOjhB3iaYau1iw2D0zPX6Aob4x/VJEUhD K0gG9M2NzyGnYJJrk7kBDQRVBhbEAQgA4WajOd4mWXhz4jTfnR4gFdwCKUtE0DjI NTOHetEpgPDSwJ51NQgTEcOz1ieUHML6jt/BNZMbdoVKyBcrnagnjHXvCOdQD0I4 TlreixIQ05hi7yf83Jez7EcNNodOXjWtO/iSnY2ULkaxiZbLfwnruWADM4gVvnUC D2deZfRK8GVs+02YR3jkoGkLoR8wa0/YIFoSJIPa9RS+WwYuOkUyEBJNQGmrP2FB MLsQgHNF0APQqldple7xNgY30DZTV7fRGnKoRGtsN1jlO2Gvcv8DCKRa38RFnm/5 
1CBMaMjkyVdN0mnCtTgFYA071m3rUzpK/LkaIBS0Tr6DnlvRf5mmhwARAQABiQEf BBgBCAAJBQJVBhbEAhsMAAoJEIZebIfGUoXsHecH/iIMPFpdtjXDN97ZCyTEIB/w HaJIfUVxkH4oH8HKYVQQjJKkqdbJGK8j5oXDptY6YAPMryDfluOSlrvfGXWo4/dv uB2XcfBfkKok59AaCQIxvpn4DVvC+di7dHbXSc/zymzQ13E6Dc6Y92BN6PVv4ezH m3lMVSys5zP0XzVWH5nJ1y6ZzMyAw3LeCRPp0VPbjbOf6DoSII9xQhTKLryVuuNh ZDh79gAfIBLHBGusmqGgG2t6Raknbl7J3nSR6zS+YzNVNhe7431Xu5tS1JdXlpAj rGewMlLZNK6Nm1ea5kiHFX88Ue65Kql7Ek/08TC+RSh4SO4aCSYgq9YuNStVrco= =EkJT -----END PGP PUBLIC KEY BLOCK----- $ $ gpg --import 0xC65285EC.asc gpg: key C65285EC: public key "trava90 " imported gpg: Total number processed: 1 gpg: imported: 1 gpg: no ultimately trusted keys found $ $ gpg --check-sigs C65285EC gpg: 2 good signatures gpg: 1 signature not checked due to a missing key pub rsa2048/C65285EC 2015-03-15 [SC] uid [ unknown] trava90 sig!3 C65285EC 2015-03-15 trava90 sub rsa2048/25192F9F 2015-03-15 [E] sig! C65285EC 2015-03-15 trava90 $ 2. downloaded from key server .asc file $ gpg --delete-keys C65285EC $ gpg --keyserver hkp://pgp.mit.edu --recv-keys C65285EC gpg: key C65285EC: public key "trava90 " imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 $ gpg --check-sigs C65285EC gpg: 2 good signatures gpg: 2 signatures not checked due to missing keys pub rsa2048/C65285EC 2015-03-15 [SC] uid [ unknown] trava90 sig!3 C65285EC 2015-03-15 trava90 sub rsa2048/25192F9F 2015-03-15 [E] sig! 
C65285EC 2015-03-15 trava90 $ gpg --armor --output 0xC65285EC-key-server.asc --export C65285EC $ cat 0xC65285EC-key-server.asc -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQENBFUGFsQBCACV0oz1c96lPXq//jqEZLf3cWcv6bS5YSTbi9h1SH+O846Xl/DG iVNx+FQyt7oiyCnkd0sL2HLHut6GUSvBvpdFO32DTHxcV6ibE+vQ0SeXzLOLRVBT jrFORwSVZ5IcW6y9Hs/PusUOzT4MA6JOvuRFD8UVYETZCU3z3GPXYBztiqcsqo2p 2srJmxlRUNKHI5XM0h4Q03LqBqi23g+5cijyj5TX6X5ubIHNUc2KQcGtA5JYbvyc HvGsQK6umWQPgK7rO4L8doAD1kxpEhm+ckLXUfxSoKEUDOExSN0A7+bozDsV5a6j CfQvOtVe4KLN1IayFEmRWdl9AEKL/w6f2oBfABEBAAG0InRyYXZhOTAgPHRyYXZh d2luZUBwcm90b25tYWlsLmNvbT6IXgQTEQgABgUCVkhriAAKCRASC7DTbaXyrJ5i AQCnGPM7i1UPxW245TxhQakxWrQ+byHIdr7lXtEHmSV5IAD9HYNresy1CgRwAR+3 qnILS0ZK1zu4ojLEaLWXFTzsC7WJATcEEwEIACEFAlUGFsQCGwMFCwkIBwIGFQgJ CgsCBBYCAwECHgECF4AACgkQhl5sh8ZShey4mgf9EaBrcFOBxFACCJdWH5zXl+Qt +web3WZ9ELebpu9nTV7gta40Zy1Zc5FUGSxI9sxfbbSkc0Ob6eSx7qisZhOtaekz g7t1DU4xPDNkzAUhj7P+soQeFNGwU0h7V58lMbjVVSXbGTgVm0FHndC5QbwK5Qzn lGzA6nmzXDiFqd/asHa/1KMk4d8JDgotcsHcqYhkW4bv1tj4jSDquG2iyEj1eE3u 7nIrfDGMlCweeBclLWVGG4RVfFXrBMr21NE0bRsiJF5c1PNsC8tmzTPfCVWvZauv heFptUzs2d+YjxSjkDAEUYV3EVGvzD1rhH630u/lLA/CSOHqQnTT5jbQkRzTxokC HAQTAQIABgUCVVdfxgAKCRBASB57j8+c7IgbEACwOsKosf0ZaPon9jkih8oGgdaK rxNQuQZK13hICBMaol7ufjwcmf0Im5sGfdB1McpOL+bd5kDRicBtSZtORrV76H4A y5DhevbIgrClC3XGwpdl4vRSmzybekyYUaunY6dAVKDDMUxDJTo4S1+MBC93wYTx llunL4voBAyqmWxD2wUXLripbwE70jHk3HGZRwPWZ0JZ4VJUFduEL/UdL6gKbu0B jUQAOq9alQsnKUkZwBatcrYqRTrdQQZ1NNmYr3NZwtc/87y/EDLaEG7nQrR6Pm8t ImiFRVhd12Qw27KmUyyQeijuW9XqXUDA1yF+IqR0ZBaesGes/hAsFdZDdWk27x/1 Pe+UNONgsy1rsy9GiTeyd+GcDBH3A1TVoXjJB1A06S7KUQsUDWBOlH5iW5LzEk2w eQt1dB9O35gIiZ2tdkxRO0bHecx6+O2WlkOcYlOhTqy37PeRL3q2s5ItxNuxeEsX WRu9GgGbMEFgkB3T9pCu2RG+bD+XFSVpRYZ4X+hiT9KEuczuB4gXDMqAA5BL20K2 QH31PrlL6vRP7bkvrcUr/Ovoy1AqRJY66ivVuyviDGuJd5iGsYvt+OOPN4J/xRl8 NVHw6Fz9cND/4PVZLrgJdirQ85y/3poaOjhB3iaYau1iw2D0zPX6Aob4x/VJEUhD K0gG9M2NzyGnYJJrk7kBDQRVBhbEAQgA4WajOd4mWXhz4jTfnR4gFdwCKUtE0DjI 
NTOHetEpgPDSwJ51NQgTEcOz1ieUHML6jt/BNZMbdoVKyBcrnagnjHXvCOdQD0I4 TlreixIQ05hi7yf83Jez7EcNNodOXjWtO/iSnY2ULkaxiZbLfwnruWADM4gVvnUC D2deZfRK8GVs+02YR3jkoGkLoR8wa0/YIFoSJIPa9RS+WwYuOkUyEBJNQGmrP2FB MLsQgHNF0APQqldple7xNgY30DZTV7fRGnKoRGtsN1jlO2Gvcv8DCKRa38RFnm/5 1CBMaMjkyVdN0mnCtTgFYA071m3rUzpK/LkaIBS0Tr6DnlvRf5mmhwARAQABiQEf BBgBCAAJBQJVBhbEAhsMAAoJEIZebIfGUoXsHecH/iIMPFpdtjXDN97ZCyTEIB/w HaJIfUVxkH4oH8HKYVQQjJKkqdbJGK8j5oXDptY6YAPMryDfluOSlrvfGXWo4/dv uB2XcfBfkKok59AaCQIxvpn4DVvC+di7dHbXSc/zymzQ13E6Dc6Y92BN6PVv4ezH m3lMVSys5zP0XzVWH5nJ1y6ZzMyAw3LeCRPp0VPbjbOf6DoSII9xQhTKLryVuuNh ZDh79gAfIBLHBGusmqGgG2t6Raknbl7J3nSR6zS+YzNVNhe7431Xu5tS1JdXlpAj rGewMlLZNK6Nm1ea5kiHFX88Ue65Kql7Ek/08TC+RSh4SO4aCSYgq9YuNStVrco= =mI1y -----END PGP PUBLIC KEY BLOCK----- $ Note the difference in output from 'gpg --check-sigs C65285EC': case 1. gpg: 1 signature not checked due to a missing key case 2. gpg: 2 signatures not checked due to missing keys Both .asc files represent the same public key, and when imported into gpg, correctly verify a signed app executable. But when I compare them, they differ: $ diff 0xC65285EC.asc 0xC65285EC-key-server.asc 10c10,12 < d2luZUBwcm90b25tYWlsLmNvbT6JATcEEwEIACEFAlUGFsQCGwMFCwkIBwIGFQgJ --- > d2luZUBwcm90b25tYWlsLmNvbT6IXgQTEQgABgUCVkhriAAKCRASC7DTbaXyrJ5i > AQCnGPM7i1UPxW245TxhQakxWrQ+byHIdr7lXtEHmSV5IAD9HYNresy1CgRwAR+3 > qnILS0ZK1zu4ojLEaLWXFTzsC7WJATcEEwEIACEFAlUGFsQCGwMFCwkIBwIGFQgJ 40c42 < =EkJT --- > =mI1y $ Where is the problem ? The --export option to .asc entry ? The --import option from key server entry ? Something about the key stored on key servers (I imported it from two servers with the same result) ? Anything else ? Thanks, jb -------------- next part -------------- An HTML attachment was scrubbed... URL: From taltman at gmail.com Mon Feb 22 00:04:56 2016 From: taltman at gmail.com (taltman) Date: Sun, 21 Feb 2016 15:04:56 -0800 Subject: More information on new 'external password managers' feature? 
Message-ID: <56CA4298.9080104@gmail.com>

I read with great interest the following GnuPG blog post, that made reference to a new feature to integrate gpg with 'external password managers':

https://www.gnupg.org/blog/20150607-gnupg-in-may.html

Where can I read more details about this improvement? Which external password managers is this intended for? Is there any end user-facing documentation available?

Thanks in advance,

~Tomer

--
--- Encrypted email preferred.
http://taltman.sdf.org/public_key.asc
Key fingerprint = DFE8 7D60 D452 9C4F 5D1F 7515 F55F BB30 1719 7991

From jb.1234abcd at gmail.com Mon Feb 22 10:23:37 2016
From: jb.1234abcd at gmail.com (JB)
Date: Mon, 22 Feb 2016 09:23:37 +0000 (UTC)
Subject: Failure of comparison of valid pub key's .asc files
References:
Message-ID:

J B gmail.com> writes:
> Note the difference in output from 'gpg --check-sigs C65285EC':
> case 1.
> gpg: 1 signature not checked due to a missing key
> case 2.
> gpg: 2 signatures not checked due to missing keys

Please disregard the above warning note - I received the missing keys from key servers and verified the signatures.

Some additional data:

pgp.mit.edu lookup result:
Search results for 'trava90'
Type bits/keyID     Date       User ID
pub  2048R/C65285EC 2015-03-15 trava90
     Fingerprint=439F 46F4 2C6A E3D2 3CF5 2E70 865E 6C87 C652 85EC

sks-keyservers.net lookup result:
Search results for 'trava90'
Type bits/keyID            cr. time   exp time   key expir
pub  2048R/C65285EC 2015-03-15
     Fingerprint=439F 46F4 2C6A E3D2 3CF5 2E70 865E 6C87 C652 85EC
uid trava90
sig  sig3  C65285EC 2015-03-15 __________ __________ [selfsig]
sig  sig3  8FCF9CEC 2015-05-16 __________ __________ Moonchild (RSA signing key)
sig  sig3  6DA5F2AC 2015-11-15 __________ __________ Moonchild (E-mail signing key)
sub  2048R/25192F9F 2015-03-15
sig sbind  C65285EC 2015-03-15 __________ __________ []

My question is:
Can I have a pub key with a unique id C65285EC and a fingerprint, but two different associated (gpg --export) ascii .asc or binary .gpg files ?

jb

From gniibe at fsij.org Tue Feb 23 02:08:04 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 23 Feb 2016 10:08:04 +0900
Subject: Email Self-Defense
Message-ID: <56CBB0F4.3070203@fsij.org>

Hello,

While we translate the "Email Self-Defense" guide into Japanese, I have a thing (or will have more) to clarify.

In this section 5b, it says:

    https://emailselfdefense.fsf.org/en/#step-5b

    When using GnuPG, make a habit of glancing at that bar. The
    program will warn you there if you get an email encrypted with a key
    that can't be trusted.

"The program" here means Enigmail with GnuPG, I suppose.

I think that it's quite rare to encounter this particular case; a user would need to have a revoked or expired key (of themselves).

If it means an email with signature (encrypted or not), it makes more sense to me. I think that it would be better to explain more likely cases.

How do you think?
--

From rjh at sixdemonbag.org Tue Feb 23 02:38:29 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 22 Feb 2016 20:38:29 -0500
Subject: Migration assistant
Message-ID: <56CBB815.7060405@sixdemonbag.org>

I'm dusting off an old set of scripts that I used to use for migrating GnuPG instances from one machine to another. I have to revisit some of the logic to update it for GnuPG 2.1. I know roughly what should be here, but before I update the code and share it with the world I'd like to have it *precisely* correct.

In GNUPG_HOME ($HOME/.gnupg, or %APPDIR%/GnuPG):

    gpg-agent.conf
    gpg.conf
    pubring.gpg
    secring.gpg
    trustdb.gpg
    pubring.kbx
    sshcontrol
    crls.d/*
    openpgp-revocs.d/CUSTOM_LOGIC_1
    private-keys-v1.d/CUSTOM_LOGIC_2

CUSTOM_LOGIC_1:
    Iterate over all files in this directory
        If the filename could be a SHA-1 hexadecimal hash:
            If the filename ends in ".rev":
                If the file contents contains a line with
                ":-----BEGIN PGP PUBLIC KEY BLOCK-----":
                    Flag this file for inclusion in the archive

CUSTOM_LOGIC_2:
    Iterate over all files in this directory
        If the filename could be a SHA-1 hexadecimal hash:
            If the filename ends in ".key":
                Flag this file for inclusion in the archive

Do I have this correct? Are there any files that I'm missing? Is there any better logic I can use for the contents of the crls.d/ subdirectory except "better grab everything, I guess"?

From dgouttegattat at incenp.org Tue Feb 23 08:21:58 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Tue, 23 Feb 2016 08:21:58 +0100
Subject: Migration assistant
In-Reply-To: <56CBB815.7060405@sixdemonbag.org>
References: <56CBB815.7060405@sixdemonbag.org>
Message-ID: <56CC0896.9050905@incenp.org>

On 02/23/2016 02:38 AM, Robert J. Hansen wrote:
> Are there any files that I'm missing?

There could be some more configuration files (one for each component):

* dirmngr.conf
* gpa.conf
* scdaemon.conf
* gpgsm.conf

I also have two more files for use with GpgSM:

* policies.txt
* trustlist.txt

and a script to handle smartcard events:

* scd-event

Starting from GnuPG 2.1.10, there could also be a TOFU database (either a directory tofu.d, or a single file tofu.db).

Damien

From mercuryrising11 at gmail.com Tue Feb 23 09:00:21 2016
From: mercuryrising11 at gmail.com (Mercury Rising)
Date: Tue, 23 Feb 2016 00:00:21 -0800
Subject: Can the NSA Crack GnuPG
Message-ID:

I saw his old disturbing post at:

I am having a hard time believing it, but if Zimmerman did put in a backdoor code in PGP and GnuPG is based on that, wouldn't it be compromised? I would trust a multinational team of software engineers who have read the source code after compiling that this is not true.

It says:

"NSA Can Break PGP Encryption"
------------------------------

"A lot of people think that PGP encryption is unbreakable and that the NSA/FBI/CIA/MJ12 cannot read their mail. This is wrong, and it can be a deadly mistake. In Idaho, a left-wing activist by the name of Craig Steingold was arrested *one day* before he and others were to stage a protest at government buildings; the police had a copy of a message sent by Steingold to another activist, a message which had been encrypted with PGP and sent through E-mail."

"Since version 2.1, PGP ("Pretty Good Privacy") has been rigged to allow the NSA to easily break encoded messages. Early in 1992, the author, Paul Zimmerman, was arrested by Government agents. He was told that he would be set up for trafficking narcotics unless he complied.
The Government agency's demands were simple: He was to put a virtually undetectable trapdoor, designed by the NSA, into all future releases of PGP, and to tell no one."

"After reading this, you may think of using an earlier version of PGP. However, any version found on an FTP site or bulletin board has been doctored. Only use copies acquired before 1992, and do NOT use a recent compiler to compile them. Virtually ALL popular compilers have been modified to insert the trapdoor (consisting of a few trivial changes) into any version of PGP prior to 2.1. Members of the boards of Novell, Microsoft, Borland, AT&T and other companies were persuaded into giving the order for the modification (each of these companies' boards contains at least one Trilateral Commission member or Bilderberg Committee attendant)."

"It took the agency more to modify GNU C, but eventually they did it. The Free Software Foundation was threatened with "an IRS investigation", in other words, with being forced out of business, unless they complied. The result is that all versions of GCC on the FTP sites and all versions above 2.2.3, contain code to modify PGP and insert the trapdoor. Recompiling GCC with itself will not help; the code is inserted by the compiler into itself. Recompiling with another compiler may help, as long as the compiler is older than from 1992."

"Distribute and reproduce this information freely. Do not alter it."
------------------------------

*"Hint*: This is a joke!"
------------------------------

*"WebMistress at quadralay.com "*

Well I hope it was a joke! I went to an EFF meeting in San Francisco and this big guy came up to me and said he had a program that would break PGP. Then Elvis left the building fast so I could not follow him fast enough although I really tried. IMHO an agent of the Illuminati or its branch arm, the NSA. Cast doubts into the strength of 4096 or larger keys.

I don't know how many prime numbers are possible between 2 bits (II binary = decimal 3) and 4096 bits = decimal a google maybe???) are possible. Now multiply the two prime numbers of this size into a larger number then reverse factor and find the two originating prime numbers.

Now here's a question? If you had a chart showing every prime number multiplied by every other prime number couldn't there be a database for every multiplied larger number showing the possibilities of each of these prime number sets? Some of these larger numbers may only have one pair of numbers that would work. AN ADVANCED Database program using array capabilities might help. How big would this data base be and how fast could it be searched? The man who disappeared said he authored a database program using arrays for non encryption uses but said it could break PGP.

How does key generation work. Does PGP go into some large database of primes and just choose two? If it just pulled two numbers out of a hat, PGP would have to determine if the numbers were prime or not. Reverse factoring to test some very large numbers might take a very long time? You must have two of these primes to be able to multiply them.

Apple phones on the other hand - it's the password that makes all the difference. 10 bad tries of 4-6 digit numbers and all the data is wiped. I have no idea what kind of encryption they use for the data itself.

Elwin

From rjh at sixdemonbag.org Tue Feb 23 10:09:30 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 23 Feb 2016 04:09:30 -0500
Subject: Can the NSA Crack GnuPG
In-Reply-To:
References:
Message-ID: <56CC21CA.6070803@sixdemonbag.org>

> I am having a hard time believing it, but if Zimmerman did put in a
> backdoor code in PGP and GnuPG is based on that, wouldn't it be compromised?

One might suspect this question had been asked so frequently there was a FAQ entry devoted to it.
;)

https://www.gnupg.org/faq/gnupg-faq.html#successful_attacks

From patrick at enigmail.net Tue Feb 23 09:04:41 2016
From: patrick at enigmail.net (Patrick Brunschwig)
Date: Tue, 23 Feb 2016 09:04:41 +0100
Subject: Email Self-Defense
In-Reply-To: <56CBB0F4.3070203__5307.16954167492$1456189838$gmane$org@fsij.org>
References: <56CBB0F4.3070203__5307.16954167492$1456189838$gmane$org@fsij.org>
Message-ID: <2eff5d3e-acd7-ee40-af59-157c0dc0d349@enigmail.net>

On 23.02.16 02:08, NIIBE Yutaka wrote:
> Hello,
>
> While we translate the "Email Self-Defense" guide into Japanese, I
> have a thing (or will have more) to clarify.
>
> In this section 5b, it says:
>
> https://emailselfdefense.fsf.org/en/#step-5b
>
> When using GnuPG, make a habit of glancing at that bar. The
> program will warn you there if you get an email encrypted with a key
> that can't be trusted.
>
> "The program" here means Enigmail with GnuPG, I suppose.

Yes.

> I think that it's quite rare to encounter this particular case; a user
> would need to have a revoked or expired key (of themselves).
>
> If it means an email with signature (encrypted or not), it makes more
> sense to me. I think that it would be better to explain more likely
> cases.
>
> How do you think?

Enigmail displays various information in the status bar, such as:

(1) Good signature (hopefully mostly)
(2) "Bad signature" (Enigmail v1.8) / "Unverified signature" (v1.9) in case the signature is bad
(3) "Unverified signature" together with an "Import" button in case the signature is from an unknown key
(4) Good signature, but key is not trusted
(5) Good signature, but key is expired or revoked

The last one happens quite frequently if you look at old mails, but hardly on current mails. I think the guide refers to (2) and/or (4), but I'm not the author of the document ...

-Patrick

From peter at digitalbrains.com Tue Feb 23 11:11:16 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 23 Feb 2016 11:11:16 +0100
Subject: Email Self-Defense
In-Reply-To: <2eff5d3e-acd7-ee40-af59-157c0dc0d349@enigmail.net>
References: <56CBB0F4.3070203__5307.16954167492$1456189838$gmane$org@fsij.org> <2eff5d3e-acd7-ee40-af59-157c0dc0d349@enigmail.net>
Message-ID: <56CC3044.7040004@digitalbrains.com>

On 23/02/16 09:04, Patrick Brunschwig wrote:
> On 23.02.16 02:08, NIIBE Yutaka wrote:
>> When using GnuPG, make a habit of glancing at that bar. The
>> program will warn you there if you get an email encrypted with a key
>> that can't be trusted.
> [...]
> (2) "Bad signature" (Enigmail v1.8) / "Unverified signature" (v1.9) in
> case the signature is bad
> [...]
> (4) Good signature, but key is not trusted
> [...]
> I think the guide refers to (2) and/or (4), but
> I'm not the author of the document ...

Note that it says "encrypted with a key that can't be trusted", not "signed with a key that can't be trusted".

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From rjh at sixdemonbag.org Tue Feb 23 11:16:24 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 23 Feb 2016 05:16:24 -0500
Subject: Can the NSA Crack GnuPG
In-Reply-To:
References:
Message-ID: <56CC3178.1020303@sixdemonbag.org>

And what the heck, I can't sleep, so I'll give longer answers:

> Well I hope it was a joke! I went to an EFF meeting in San Francisco
> and this big guy came up to me and said he had a program that would
> would break PGP. Then Elvis left the building fast so I could not
> follow him fast enough although I really tried. IMHO an agent of the
> Illuminati or its branch arm, the NSA.

Why would they tell you? And if you're the sort of person they'd tell, why would you tell us?

> Cast doubts into the strength of 4096 or larger keys.
No, it really doesn't.

> I don't know how many prime numbers are possible between 2 bits (II
> binary = decimal 3) and 4096 bits = decimal a google maybe???)

There are about n/ln n primes less than n. 2**4096 = e**2839.

  e**2839       e**2839
----------- = ---------
ln(e**2839)      2839

ln 2839 is approximately 8.

e**2839
------- = e**(2839 - 8) = e**2831.
 e**8

e**2831 / log(2) = 2**4084 = 10**1229.

There are about 10**1229 primes less than 4096 bits.

If you repeat this exercise again for how many primes there are less than 4095 bits, then subtract one from the other, you'll get a solid approximation for how many 4096-bit primes there are. I'll leave that as your homework and just tell you the answer: it still comes out to pretty much the same number.

10**1229 is unimaginably huge. By comparison, there are about 10**90 neutrinos in the universe.

> Now here's a question? If you had a chart showing every prime number
> multiplied by every other prime number

Where do you plan on storing this chart? You literally need to store it in a bigger universe than our current one. Our universe doesn't have enough matter or energy to make this chart.

> The man who disappeared said he authored a database program using
> arrays for non encryption uses but said it could break PGP.

People say lots of things. And some people are cruel enough to deliberately mislead people they feel will believe their nonsense. I'm not saying you're one of these cruel people; I'm saying he probably was.

> If it just pulled two numbers out of a hat, PGP would have to
> determine if the numbers were prime or not. Reverse factoring to test
> some very large numbers might take a very long time?

Miller-Rabin is a really nice primality checking algorithm. AKS is an even better one. Factoring composite numbers is really hard; figuring out if a number is composite is really easy.
From peter at digitalbrains.com Tue Feb 23 13:48:03 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 23 Feb 2016 13:48:03 +0100 Subject: Failure of comparison of valid pub key's .asc files In-Reply-To: References: Message-ID: <56CC5503.9080605@digitalbrains.com> On 22/02/16 10:23, JB wrote: >> Note the difference in output from 'gpg --check-sigs C65285EC': >> case 1. >> gpg: 1 signature not checked due to a missing key >> case 2. >> gpg: 2 signatures not checked due to missing keys This is also why the exported .asc files are different: the version on the keyserver has an additional signature that the one on the web page did not have. That's it, that's all there is to it! > My question is: > Can I have a pub key with a unique id C65285EC and a fingerprint, but two > different associated (gpg --export) ascii .asc or binary .gpg files ? Absolutely. Certifications by other people are also included. They can change order, they can be on one and not on the other. And there are more reasons why the binary blob can be different, such as included information that is no longer relevant but also doesn't hurt (old, superseded self-sigs, f.e.). For authenticity, you should be looking purely at the primary fingerprint and the UID's. If those two combined match your expectation (you expect John to have a key with fingerprint X), you're good. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From pete at heypete.com Tue Feb 23 12:55:12 2016 From: pete at heypete.com (Pete Stephenson) Date: Tue, 23 Feb 2016 12:55:12 +0100 Subject: Can the NSA Crack GnuPG In-Reply-To: References: Message-ID: <56CC48A0.9060005@heypete.com> On 2/23/2016 9:00 AM, Mercury Rising wrote: > I saw his old disturbing post at: > That post is a joke. It even says so.
> I am having a hard time believing it, but if Zimmerman did put in a > backdoor code in PGP and GnuPG is based on that, wouldn't it be compromised? If that happened, yes. So far, there's no credible, publicly available evidence that this has occurred. GnuPG is based on an open standard (RFC 4880) that is available for your perusal at https://tools.ietf.org/html/rfc4880 Both the RFC and the GnuPG source code is publicly available. It's unlikely (though not impossible) that an intentional backdoor exists, particularly a backdoor that has been inserted undetected not only into the PGP/GnuPG code, but also into the code of every compiler (including new ones like LLVM) made in the last 24 years. If one were particularly concerned, it's possible (albeit costly and time-consuming) to write one's own disassembler and then disassemble the compiled code and examine the assembly language for backdoors. > I went to an EFF meeting in San Francisco and this big guy came up to > me and said he had a program that would would break PGP. Then Elvis > left the building fast so I could not follow him fast enough although > I really tried. IMHO an agent of the Illuminati or its branch arm, > the NSA. People come in all shapes and sizes, can enter or leave public venues as they please, move at whatever speeds they wish, and can say whatever they want. That doesn't make this big guy's statement true, nor does it imply membership in particular organizations, shadowy or otherwise. If the NSA (or some other shadowy organization) could, in fact, break PGP, why would they send someone to an EFF meeting in San Francisco, have this person reveal this information to strangers, and then run away? What purpose would that serve? If anything, I'd expect them to keep such capabilities heavily guarded so they could use such a method for intelligence-gathering. > Cast doubts into the strength of 4096 or larger keys. 
I don't know > how many prime numbers are possible between 2 bits (II binary = > decimal 3) and 4096 bits = decimal a google maybe???) are possible. The Prime Number Theorem states that the number of prime numbers between 0 and x is: x / ln(x) The number of primes less than 2^4096 are thus: (2^4096) / ln(2^4096) which is about 1.84*10^1229. That's a lot of numbers. > Now multiply the two prime numbers of this size into a larger number > then reverse factor and find the two originating prime numbers. You say that one can "reverse factor" (which I interpret as "factor", as "reverse factoring" is multiplication) as if it's something trivial. It's not: as far as we know and barring any mathematical breakthrough, factoring is hard (at least on classical computers). If you can factor such enormous semiprimes in a reasonably efficient way, there's a lot of people who would be interested. > Now here's a question? If you had a chart showing every prime number > multiplied by every other prime number couldn't there be a database for > every multiplied larger number showing the possibilities of each of > these prime number sets? Short answer: Not in this universe. Recall above how I mentioned that there's ~1.84*10^1229 prime numbers less than 2^4096. Even if we limit our search for numbers between 2^4096 and 2^4095, that only reduces the search space by a factor of two. It's still enormous. Considering there's only about 10^80 (~2^265.75) atoms in the visible universe, you'd need to fit 2^(4096-265.75) = 1.05*10^1153 prime numbers per atom in order to store a "chart" of all prime numbers less than 2^4096. If you could do that you'd likely win multiple Nobel Prizes in different disciplines. They'd probably have to invent new categories of Nobel Prizes to award you. > Some of these larger numbers may only have one pair of numbers that > would work. AN ADVANCED Database program using array capabilities > might help. 
How big would this data base be and how fast could it be > searched? Such a database would be unimaginably vaster than the universe. Searching it would be all-surpassingly impractical. Leaving aside the speed of light limitations of searching a database far (I've run out of superlatives) larger than our universe, if you could get each atom in the universe to output one of the 1.05*10^1153 prime numbers its storing every Planck time (5.39*10^-44 seconds), it would still take 1.3*10^1092 times longer than the known age of our universe. Current cosmological models suggest that the universe will reach its heat death in about 10^100 years, so searching this database would take ~10^992 times longer than the heat death of the universe. How this would take place is left as an exercise to the reader. This doesn't consider the time needed to actually do any useful computation using that data. I suspect by the time that such a search was completed, any information encrypted by PGP would be of little use. > The man who disappeared said he authored a database program using > arrays for non encryption uses but said it could break PGP. That is unlikely. > How does key generation work. Does PGP go into some large database of > primes and just choose two? If it just pulled two numbers out of a > hat, PGP would have to determine if the numbers were prime or not. > Reverse factoring to test some very large numbers might take a very > long time? You must have two of these primes to be able to multiply > them. Typically primes are chosen by picking random numbers in the desired range (e.g. around 2^2048, 2^4096, etc.) and performing primality tests on them. These tests are probabilistic, but if enough tests are performed the confidence that a number is prime can be made to any arbitrary level. See As mentioned earlier, factoring is thought (but not proved) to be hard. 
Various mathematical improvements in factoring have been made over the millennia, but short of a major breakthrough in mathematics, it's likely that factoring-based cryptosystems will be secure until the development of quantum computers (see ). Quantum-resistant cryptographic algorithms are something that interests the NSA. See for details. > Apple phones on the other hand - its the password that makes all the > difference. 10 bad tries of 4-6 digit numbers and all the data is wiped. ...assuming that Apple or the Feds can't load modified software onto the phone that disables the auto-erase, delay, and lockout functionality. It is, after all, just software. Even if the functionality is baked into hardware, hardware can be taken apart, examined, and modified. It's expensive, risks losing the data one seeks to recover, and is time-consuming, but it's at least somewhat feasible to do in our universe. > I have no idea what kind of encryption they use for the data itself. AES. Cheers! -Pete (Any math errors are my own. From peter at digitalbrains.com Tue Feb 23 13:55:15 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 23 Feb 2016 13:55:15 +0100 Subject: More information on new 'external password managers' feature? In-Reply-To: <56CA4298.9080104@gmail.com> References: <56CA4298.9080104@gmail.com> Message-ID: <56CC56B3.1070108@digitalbrains.com> On 22/02/16 00:04, taltman wrote: > Where can I read more details about this improvement? Can't help you with that, sorry. > Which external password managers is this intended for? I believe the initial target audience was Gnome Keyring and possibly the MacGPG project, but primarily to solve the issues with Gnome Keyring. But it is a general feature. The intended use case, AFAIK, is to have the external password manager store the password for your OpenPGP key(s). That way, it can unlock your key when you log in (and provide your login password). 
Without it, you would have to enter a password twice each session: once to log in, once to unlock your OpenPGP key. That's all I know. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Tue Feb 23 14:01:50 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 23 Feb 2016 14:01:50 +0100 Subject: Can the NSA Crack GnuPG In-Reply-To: <56CC48A0.9060005@heypete.com> References: <56CC48A0.9060005@heypete.com> Message-ID: <56CC583E.2060600@digitalbrains.com> On 23/02/16 12:55, Pete Stephenson wrote: > Searching it would be all-surpassingly impractical. Leaving aside the > speed of light limitations of searching a database far (I've run out of > superlatives) larger than our universe We've recently established that Einstein was wrong and that information can travel faster than light. They managed to use entangled electrons to observe at a distance that the other electron got altered, without any time passing. It doesn't affect your exposition in the least, I just thought it was cool :). Nice exposition, by the way. I didn't run the numbers, though :). My 2 cents, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Tue Feb 23 14:04:38 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 23 Feb 2016 08:04:38 -0500 Subject: Can the NSA Crack GnuPG In-Reply-To: <56CC48A0.9060005@heypete.com> References: <56CC48A0.9060005@heypete.com> Message-ID: <56CC58E6.3070501@sixdemonbag.org> > Searching it would be all-surpassingly impractical. 
Leaving aside the > speed of light limitations of searching a database far (I've run out of > superlatives) larger than our universe, if you could get each atom in > the universe to output one of the 1.05*10^1153 prime numbers its storing > every Planck time (5.39*10^-44 seconds), it would still take 1.3*10^1092 > times longer than the known age of our universe. Pfeh. Haven't you heard of Grover's algorithm? Come on, man, get with the program. Assuming you've got a Zarbnulaxian quantum computer with an arbitrary number of qubits, an epsilon error rate, effectively zero decoherence, and protons that are stable over considerably longer than the currently expected lifetime, you could reduce this down to about 10**550 times longer than the known age of the universe. From rjh at sixdemonbag.org Tue Feb 23 14:23:08 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 23 Feb 2016 08:23:08 -0500 Subject: Can the NSA Crack GnuPG In-Reply-To: <56CC583E.2060600@digitalbrains.com> References: <56CC48A0.9060005@heypete.com> <56CC583E.2060600@digitalbrains.com> Message-ID: <56CC5D3C.7030107@sixdemonbag.org> > We've recently established that Einstein was wrong and that information can > travel faster than light. That noise you just heard was my train of thought going off the rails, catching on fire, and hurtling like a fiery missile of kinetic death into a nearby station. I'm sorry, *what*? If we're able to transmit information FTL then relativity is wrong wrong *wrong*. Are you sure that you're not reporting on the Bell inequality experiments, where they were able to demonstrate instantaneous action but in a way that was unable to be used for a communications channel? Either way, you have my full attention. 
:) From peter at digitalbrains.com Tue Feb 23 14:44:24 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 23 Feb 2016 14:44:24 +0100 Subject: Can the NSA Crack GnuPG In-Reply-To: <56CC5D3C.7030107@sixdemonbag.org> References: <56CC48A0.9060005@heypete.com> <56CC583E.2060600@digitalbrains.com> <56CC5D3C.7030107@sixdemonbag.org> Message-ID: <56CC6238.2030503@digitalbrains.com> On 23/02/16 14:23, Robert J. Hansen wrote: > If we're able to transmit information FTL then relativity is wrong wrong > *wrong*. I went by recollection of a news item, which even if I could find it was probably in Dutch. But I think this is what I meant: http://www.nature.com/news/quantum-spookiness-passes-toughest-test-yet-1.18255?WT.mc_id=TWT_NatureNews http://arxiv.org/abs/1508.05949 HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Tue Feb 23 15:04:04 2016 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 23 Feb 2016 09:04:04 -0500 Subject: Can the NSA Crack GnuPG In-Reply-To: <56CC6238.2030503@digitalbrains.com> References: <56CC48A0.9060005@heypete.com> <56CC583E.2060600@digitalbrains.com> <56CC5D3C.7030107@sixdemonbag.org> <56CC6238.2030503@digitalbrains.com> Message-ID: <56CC66D4.7070108@sixdemonbag.org> > I went by recollection of a news item, which even if I could find it was > probably in Dutch. But I think this is what I meant: Whew. Okay, that's a relief: that's on experimental confirmation of Bell's theorem. Yes, the speed of entanglement is instantaneous, but there's some additional weirdness involved that makes it impossible to use as an instantaneous communications channel. 
:) From peter at digitalbrains.com Tue Feb 23 15:35:05 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 23 Feb 2016 15:35:05 +0100 Subject: (OT) Can the NSA Crack GnuPG In-Reply-To: <56CC66D4.7070108@sixdemonbag.org> References: <56CC48A0.9060005@heypete.com> <56CC583E.2060600@digitalbrains.com> <56CC5D3C.7030107@sixdemonbag.org> <56CC6238.2030503@digitalbrains.com> <56CC66D4.7070108@sixdemonbag.org> Message-ID: <56CC6E19.4080306@digitalbrains.com> On 23/02/16 15:04, Robert J. Hansen wrote: > but there's some additional weirdness involved that makes it > impossible to use as an instantaneous communications channel. :) Okay. For a moment I thought I heard your train of thought again, but it turned out my cat had managed to throw over some pretty heavy stuff. Luckily it didn't fall on him. If it had been your train of thought, we probably would have to re-examine the speed of sound, though. It all sounds very interesting, though. I'll try to get a faint grasp of the additional weirdness, but I'm faced by not being taught the basic weirdness either (= quantum physics). I'm not even in that stage yet where you know so little of a topic that you think you know a lot of it ;). Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From jb.1234abcd at gmail.com Tue Feb 23 15:40:14 2016 From: jb.1234abcd at gmail.com (JB) Date: Tue, 23 Feb 2016 14:40:14 +0000 (UTC) Subject: Failure of comparison of valid pub key's .asc files References: <56CC5503.9080605@digitalbrains.com> Message-ID: Peter Lebbing digitalbrains.com> writes: > ... > This is also why the exported .asc files are different: the version on the > keyserver has an additional signature that the one on thr web page did not have. > That's it, that's all there is to it! > ... Thanks for your clarifications. One more thing. 
> $ gpg --check-sigs C65285EC > gpg: 2 good signatures > gpg: 1 signature not checked due to a missing key > pub rsa2048/C65285EC 2015-03-15 [SC] > uid [ unknown] trava90 > sig!3 C65285EC 2015-03-15 trava90 > sub rsa2048/25192F9F 2015-03-15 [E] > sig! C65285EC 2015-03-15 trava90 W/r to above display, would it not be better to display the line(s) with the unverified signature and the missing key in response, so that I could have a clue which user(s) certified the key and who I was missing on my ring ? As you can see from my key server lookups, the pgp.mit.edu was useless in this regard, only sks-keyservers.net gave me a hint who I was missing. Like this: $ gpg --check-sigs C65285EC gpg: 2 good signatures gpg: 1 signature not checked due to a missing key pub rsa2048/C65285EC 2015-03-15 [SC] uid [ unknown] trava90 sig!3 C65285EC 2015-03-15 trava90 sig%3 8FCF9CEC 2015-05-16 Moonchild (RSA signing key) sub rsa2048/25192F9F 2015-03-15 [E] sig! C65285EC 2015-03-15 trava90 where the missing key line(s) like this would be included: sig%3 8FCF9CEC 2015-05-16 Moonchild (RSA signing key) The status could be e.g. "%" char to denote an error as defined in: gpg(1) --check-sigs ... Do you think it makes sense to request an enhancement ? jb From lachlan at twopif.net Tue Feb 23 15:17:13 2016 From: lachlan at twopif.net (Lachlan Gunn) Date: Tue, 23 Feb 2016 15:17:13 +0100 Subject: Can the NSA Crack GnuPG In-Reply-To: <56CC6238.2030503@digitalbrains.com> References: <56CC48A0.9060005@heypete.com> <56CC583E.2060600@digitalbrains.com> <56CC5D3C.7030107@sixdemonbag.org> <56CC6238.2030503@digitalbrains.com> Message-ID: <56CC69E9.9080406@twopif.net> By a weird freak of coincidence I am currently writing some code to simulate this type of experiment. It doesn't break relativity, rather (roughly speaking) it shows that quantum measurements cannot be predetermined unless you have FTL or some kind of non-local theory that predetermines the random numbers that you are going to take. 
There are various potential flaws in this type of experiment that might let you have your cake---relativity---and eat it too---no quantum randomness. These experiments have been done for many decades, and over time they have chipped away at the various flaws, requiring any hidden-variable theory to become increasingly perverse. This one claims to be completely free of such issues. But I'm not the greatest expert in this, so don't try to read too much into what I just said. Thanks, Lachlan On 2016-02-23 14:44, Peter Lebbing wrote: > On 23/02/16 14:23, Robert J. Hansen wrote: >> If we're able to transmit information FTL then relativity is wrong wrong >> *wrong*. > > I went by recollection of a news item, which even if I could find it was > probably in Dutch. But I think this is what I meant: > > http://www.nature.com/news/quantum-spookiness-passes-toughest-test-yet-1.18255?WT.mc_id=TWT_NatureNews > > http://arxiv.org/abs/1508.05949 > > HTH, > > Peter. From wk at gnupg.org Tue Feb 23 16:42:05 2016 From: wk at gnupg.org (Werner Koch) Date: Tue, 23 Feb 2016 16:42:05 +0100 Subject: Migration assistant In-Reply-To: <56CBB815.7060405@sixdemonbag.org> (Robert J. Hansen's message of "Mon, 22 Feb 2016 20:38:29 -0500") References: <56CBB815.7060405@sixdemonbag.org> Message-ID: <87a8mr5t82.fsf@wheatstone.g10code.de> On Tue, 23 Feb 2016 02:38, rjh at sixdemonbag.org said: > If the filename could be a SHA-1 hexadecimal hash: I would suggest to look for files consisting only of hex digits with at least 40 digits. This should help with a future v5 key format. > If the filename ends in ".rev": Okay.
> CUSTOM_LOGIC_2: > Iterate over all files in this directory > If the filename could be a SHA-1 hexadecimal hash: > If the filename ends in ".key": We might add another file here, but that is not yet sure. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From peter at digitalbrains.com Tue Feb 23 17:40:34 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 23 Feb 2016 17:40:34 +0100 Subject: Failure of comparison of valid pub key's .asc files In-Reply-To: References: <56CC5503.9080605@digitalbrains.com> Message-ID: <56CC8B82.1020803@digitalbrains.com> On 23/02/16 15:40, JB wrote: > W/r to above display, would it not be better to display the line(s) with > the unverified signature and the missing key in response, You can use --list-sig to show the unverified signatures as well. Note they could be bogus, you can't tell until you import the key that made the signature. --check-sig checks signatures as its name implies, and you can't check a signature made by a key you don't have. Like this: -----------------8<---------->8----------------- $ gpg2 --list-sig C65285EC pub rsa2048/C65285EC 2015-03-15 [SC] uid [ unknown] trava90 sig 3 6DA5F2AC 2015-11-15 [User ID not found] sig 3 C65285EC 2015-03-15 trava90 sig 3 8FCF9CEC 2015-05-16 [User ID not found] sub rsa2048/25192F9F 2015-03-15 [E] sig C65285EC 2015-03-15 trava90 -----------------8<---------->8----------------- > so that I could > have a clue which user(s) certified the key Without the key, it's just a short string of hex digits. You need to fetch the key before there is anything more to go on (a user ID). Luckily, you can do that: $ gpg2 --recv-keys 6DA5F2AC 8FCF9CEC > As you can see from my key server lookups, the pgp.mit.edu was useless in > this regard And several more ;) > only sks-keyservers.net gave me a hint who I was missing. In the webinterface you mean? 
I should mention that the webinterface does no verification of anything, it naively "believes" anything it is told. That means that nefarious people can include bogus data that will only turn out to be bogus once you feed the key to GnuPG, which does verify what it is fed. > > Like this: > $ gpg --check-sigs C65285EC > gpg: 2 good signatures > gpg: 1 signature not checked due to a missing key > pub rsa2048/C65285EC 2015-03-15 [SC] > uid [ unknown] trava90 > sig!3 C65285EC 2015-03-15 trava90 > sig%3 8FCF9CEC 2015-05-16 Moonchild (RSA signing key) > > sub rsa2048/25192F9F 2015-03-15 [E] > sig! C65285EC 2015-03-15 trava90 > > where the missing key line(s) like this would be included: > sig%3 8FCF9CEC 2015-05-16 Moonchild (RSA signing key) > Did you mock up this output yourself or is this something you actually got? I wouldn't understand how the latter happened. That % is when the key is on your keyring, but the signature could not be verified due to some error. So you already have the Moonchild key, as can also be inferred from the fact that it knows that UID. And that signature checks out fine for me. > Do you think it makes sense to request an enhancement ? I haven't seen anything that is both not implemented yet and physically possible, unless I misunderstand. It is impossible to show data about a key you don't have on your keyring. The data is simply not there. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From jb.1234abcd at gmail.com Tue Feb 23 17:57:37 2016 From: jb.1234abcd at gmail.com (JB) Date: Tue, 23 Feb 2016 16:57:37 +0000 (UTC) Subject: Failure of comparison of valid pub key's .asc files References: <56CC5503.9080605@digitalbrains.com> <56CC8B82.1020803@digitalbrains.com> Message-ID: Peter Lebbing digitalbrains.com> writes: > ... > You can use --list-sig to show the unverified signatures as well. > ... Right. > ... 
> > where the missing key line(s) like this would be included: > > sig%3 8FCF9CEC 2015-05-16 Moonchild (RSA signing key) > > palemoon.org> > > Did you mock up this output yourself or is this something you actually > got? I made it up for the sake of demonstration. > ... Much appreciated. jb From hellyj at ucsd.edu Wed Feb 24 05:27:51 2016 From: hellyj at ucsd.edu (John Helly) Date: Tue, 23 Feb 2016 18:27:51 -1000 Subject: How to prevent emacs from unencrypting my files Message-ID: <56CD3147.2000808@ucsd.edu> Hi. I've just discovered that emacs can unencrypt my *.gpg files without prompting for a password. IMHO this largely negates the purpose of encrypting files in case I lose my laptop. What's the logic behind this? I know it's for convenience but can I encrypt my files such they cannot be opened without a passphrase? Thanks. J. -- John Helly, University of California, San Diego / San Diego Supercomputer Center / Scripps Institution of Oceanography / 760 840 8660 mobile / stonesteps (Skype) / stonesteps7 (iChat) / http://www.sdsc.edu/~hellyj From fa-ml at ariis.it Wed Feb 24 08:03:05 2016 From: fa-ml at ariis.it (Francesco Ariis) Date: Wed, 24 Feb 2016 08:03:05 +0100 Subject: How to prevent emacs from unencrypting my files In-Reply-To: <56CD3147.2000808@ucsd.edu> References: <56CD3147.2000808@ucsd.edu> Message-ID: <20160224070305.GA29208@casa.casa> On Tue, Feb 23, 2016 at 06:27:51PM -1000, John Helly wrote: > Hi. > > I've just discovered that emacs can unencrypt my *.gpg files without > prompting for a password. IMHO this largely negates the purpose of > encrypting files in case I lose my laptop. > > What's the logic behind this? I know it's for convenience but can I > encrypt my files such they cannot be opened without a passphrase? > > Thanks. > J. Hello John, I suppose Emacs caches the passphrase somehow.
Maybe/Probably this is done through gpg-agent: scan your gpg-agent config file for `default-cache-ttl`, set it appropriately and report back! -F From thecissou98 at hotmail.fr Wed Feb 24 11:34:27 2016 From: thecissou98 at hotmail.fr (Francis Le Roy) Date: Wed, 24 Feb 2016 11:34:27 +0100 Subject: Decrypt without importing key to keyring Message-ID: Hi, is there a way to use a private key (PGP) to decrypt a message without adding it to the keyring? I don't want the private key to be written on the disk. I'm using gpgme in C++ and I can't figure out how to 'transform' a gpgme_data_t object into gpgme_key_t without using the gpgme_op_import function. Thanks. F. From wk at gnupg.org Wed Feb 24 10:42:51 2016 From: wk at gnupg.org (Werner Koch) Date: Wed, 24 Feb 2016 10:42:51 +0100 Subject: GnuPG 2.1 how to delete card based secret key ? In-Reply-To: <56B9C1AF.3060404@digitalbrains.com> (Peter Lebbing's message of "Tue, 9 Feb 2016 11:38:39 +0100") References: <56B4ACE6.3020503@gurevich.de> <56B4EBA1.7010709@digitalbrains.com> <8D63441E-8669-4F1D-B468-F24A8CB91C43@gurevich.de> <56B9C1AF.3060404@digitalbrains.com> Message-ID: <87h9gy30mc.fsf@wheatstone.g10code.de> On Tue, 9 Feb 2016 11:38, peter at digitalbrains.com said: > I can delete the public key; then the secret key is not listed anymore Right. > either. When I re-import my public key, it will instantly remember the > card as well, so it was there all along :). I do need to set my trust > again (not a surprise). You may delete the stub key in private-keys-v1.d which is where gpg-agent remembers that it has seen the key. We don't do this automatically because the key may also be used by other protocols (ssh or gpgsm). That the ownertrust is remembered may be called a feature.
It has always been the case and I guess it is best to leave that behavior as is. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From lachlan at twopif.net Wed Feb 24 15:12:45 2016 From: lachlan at twopif.net (Lachlan Gunn) Date: Wed, 24 Feb 2016 15:12:45 +0100 Subject: Tor and keyservers (was: Key selection order) In-Reply-To: <5697CC7C.7040603@sixdemonbag.org> References: <5697CC7C.7040603@sixdemonbag.org> Message-ID: <56CDBA5D.8050307@twopif.net> Hello, Sorry to bring this thread back from the dead, but now that I have a preprint out I can elaborate a bit more on my motivations for this previous discussion. I've spent a little bit of time investigating the use of Tor to create an interactive protocol for auditing keyservers, the idea being that if Tor works well and is properly configured and used, a keyserver can't tell who is who when two requests come in simultaneously. The idea is that you continuously make requests, perhaps a few times an hour, for your own key. Then, when you want to verify someone else's key, you do the same thing for a certain number of requests, make sure the responses are all the same, and then wait for a bit to make sure that the other party hasn't reported receiving several different keys. This is obviously fairly simplified---you probably want to verify a Merkle tree rather than an individual key, you need some way for a person to publicly report failures, a reliable and correctable way of selecting a key from the search results, etc. The paper and prototype are here if anyone is interested. http://arxiv.org/abs/1602.03316 https://github.com/LachlanGunn/keywatch Apologies if this is too far offtopic, but since it's PGP-related and explains my previous cryptic questions about selecting keys, I thought someone perhaps might be interested, even if only for some closure. I'd certainly appreciate any thoughts that anyone might have.
Thanks,
Lachlan

From carnap at gmx.at Wed Feb 24 15:11:37 2016
From: carnap at gmx.at (Josef Carnap)
Date: Wed, 24 Feb 2016 15:11:37 +0100
Subject: Possible values for --compress-level and --bzip2-compress-level
Message-ID: <56CDBA19.5030301@gmx.at>

Hello everyone,

I have a question to the options --compress-level and --bzip2-compress-level. Which are the supported (possible) values of each of the options? -- Numbers from 0 up to 6?

---

Here is the description of both options in the GPG Manual:

-z n
--compress-level n
--bzip2-compress-level n
    Set compression level to n for the ZIP and ZLIB compression algorithms. The default is to use the default compression level of zlib (normally 6). --bzip2-compress-level sets the compression level for the BZIP2 compression algorithm (defaulting to 6 as well). This is a different option from --compress-level since BZIP2 uses a significant amount of memory for each additional compression level. -z sets both. A value of 0 for n disables compression.

Best regards
Josef

P.S. Sorry for my perhaps weird English, I'm not a native speaker.

From brian at minton.name Wed Feb 24 16:21:56 2016
From: brian at minton.name (Brian Minton)
Date: Wed, 24 Feb 2016 10:21:56 -0500
Subject: Key selection order
In-Reply-To: <569CE436.6090202@andrewg.com>
References: <5697CC7C.7040603@sixdemonbag.org> <5697D507.6020501@andrewg.com> <5697F2E5.5060409@gmail.com> <477F0326-6B69-47D6-84F2-0888EF21944D@andrewg.com> <89f6fb0a548fda8e19ccd0ae22a33161@butters.digitalbrains.com> <4BC6AFD1-AC0C-4A44-93B2-F12493F5941F@andrewg.com> <5698E151.8050907@digitalbrains.com> <569CE436.6090202@andrewg.com>
Message-ID: <56CDCA94.8010007@minton.name>

On 01/18/2016 08:10 AM, Andrew Gallagher wrote:
> (*) Granted, I don't always sign mine but you can blame the iPhone for
> that.
That's the problem I have too. Not iPhone specifically, but my main email clients are gmail.com on my desktop and Google Inbox on my Android smart phone. I occasionally use Enigmail in Icedove on Linux, but it's not great (a bit of a memory hog). On Android, I occasionally use K-9 mail but it's not nearly as nice as Inbox. On my desktop, I have mailvelope, but it doesn't work very well either. So, I mostly don't sign my list posts.

From martin.konold at erfrakon.com Wed Feb 24 16:59:38 2016
From: martin.konold at erfrakon.com (Martin Konold)
Date: Wed, 24 Feb 2016 16:59:38 +0100
Subject: Nitrokey HSM and GPG
Message-ID: <1693223.gyKMTKaxmb@sony-01.tue.hq.erfrakon.de>

Hi,

I am successfully using Nitrokey Pro with GnuPG 2.1.11.

On the other hand I have a need to support more than 3 RSA subkeys and therefore I am testing with Nitrokey HSM which is supposed to be able to deal with up to 48 RSA-2048 keys.
On an up-to-date openSUSE I verified that Nitrokey Pro fully works as expected but Nitrokey HSM fails with

OpenPGgpg2 --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error

Kind Regards
--martin konold

--
Dipl.-Physiker Martin Konold
e r f r a k o n
Partnerschaftsgesellschaft
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Register court: Amtsgericht Stuttgart PR 126
Registered office: Adolfstraße 23, 70469 Stuttgart
phone: 0711 67400963 fax: 0711 67400959
email: martin.konold at erfrakon.de http://www.erfrakon.com

From brian at minton.name Wed Feb 24 18:31:10 2016
From: brian at minton.name (Brian Minton)
Date: Wed, 24 Feb 2016 12:31:10 -0500
Subject: status of ed25519 draft
In-Reply-To: <8761b84unc.fsf@vigenere.g10code.de>
References: <54DA7099.9030909@minton.name> <8761b84unc.fsf@vigenere.g10code.de>
Message-ID: <56CDE8DE.6080009@minton.name>

The next draft is due soon. How long does it usually take the IETF to ratify a draft RFC?

On 02/11/2015 05:20 AM, Werner Koch wrote:
> On Tue, 10 Feb 2015 21:56, brian at minton.name said:
>> Is there any way to see the progress of the IETF working group on
>> the draft Werner has submitted? I noticed that the draft expires in
> The process to get the I-D to an RFC is somewhat work intensive and I
> would actually prefer to have the OpenPGP WG re-established to make it
> easier. I will of course update the I-D in time.
>
>> May. In particular, I would like to know if 22 is going to be the IANA
>> standardized Public-Key Algorithm number.
> We have an informal agreement on the WG list to use that number.
>
>
> Shalom-Salam,
>
> Werner
>
>
From peter at digitalbrains.com Wed Feb 24 20:53:03 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 24 Feb 2016 20:53:03 +0100
Subject: Tor and keyservers (was: Key selection order)
In-Reply-To: <56CDBA5D.8050307@twopif.net>
References: <5697CC7C.7040603@sixdemonbag.org> <56CDBA5D.8050307@twopif.net>
Message-ID:

I haven't looked at the links yet, but what is your purpose? Do you want to detect rogue keyservers in the keyserver network, or perhaps attacks on keyservers?

There is no need to trust keyservers in the Web of Trust, or even in TOFU (as I assume in the latter you got a signed message from the other to start things off, and the wrong key would not verify the message). Still, it could be interesting to see if the keyserver network is somehow messed with, I suppose.

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From andreas.schwier.ml at cardcontact.de Wed Feb 24 20:12:13 2016
From: andreas.schwier.ml at cardcontact.de (Andreas Schwier)
Date: Wed, 24 Feb 2016 20:12:13 +0100
Subject: Nitrokey HSM and GPG
In-Reply-To: <1693223.gyKMTKaxmb@sony-01.tue.hq.erfrakon.de>
References: <1693223.gyKMTKaxmb@sony-01.tue.hq.erfrakon.de>
Message-ID: <56CE008D.4050201@cardcontact.de>

Dear Martin,

the Nitrokey HSM has an embedded SmartCard-HSM which is only supported by gpgsm. Unfortunately you can not use a key on the device as gpg key, but only for S/MIME. GPG only supports cards that conform to the OpenPGP Card Specification, which the SmartCard-HSM doesn't.

Andreas

On 02/24/2016 04:59 PM, Martin Konold wrote:
> Hi,
>
> I am successfully using Nitrokey Pro with GnuPG 2.1.11.
>
> On the other hand I have a need to support more than 3 RSA subkeys and
> therefore I am testing with Nitrokey HSM which is supposed to be able to deal
> with up to 48 RSA-2048 keys.
>
> On an up-to-date openSUSE I verified that Nitrokey Pro fully works as expected but
> Nitrokey HSM fails with
>
> OpenPGgpg2 --card-status
> gpg: selecting openpgp failed: Card error
> gpg: OpenPGP card not available: Card error
>
> Kind Regards
> --martin konold
>

--
    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Register court: Bad Oeynhausen HRB 14880
                 Managing Director: Andreas Schwier

From tlikonen at iki.fi Wed Feb 24 12:46:42 2016
From: tlikonen at iki.fi (Teemu Likonen)
Date: Wed, 24 Feb 2016 13:46:42 +0200
Subject: How to prevent emacs from unencrypting my files
In-Reply-To: <56CD3147.2000808@ucsd.edu> (John Helly's message of "Tue, 23 Feb 2016 18:27:51 -1000")
References: <56CD3147.2000808@ucsd.edu>
Message-ID: <87y4aagwkd.fsf@iki.fi>

John Helly [2016-02-23 18:27:51-10] wrote:

> I've just discovered that emacs can unencrypt my *.gpg files without
> prompting for a password. IMHO this largely negates the purpose of
> encrypting files in case I lose my laptop.

Emacs can cache passphrases and expire them automatically. The related configuration variables have changed quite recently but check these:

    password-cache
    password-cache-expiry
    mml2015-cache-passphrase
    mml2015-passphrase-cache-expiry
    mml-secure-cache-passphrase
    mml-secure-passphrase-cache-expiry

--
/// Teemu Likonen - .-.. //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
From lachlan at twopif.net Wed Feb 24 21:41:19 2016
From: lachlan at twopif.net (Lachlan Gunn)
Date: Wed, 24 Feb 2016 21:41:19 +0100
Subject: Tor and keyservers
In-Reply-To:
References: <5697CC7C.7040603@sixdemonbag.org> <56CDBA5D.8050307@twopif.net>
Message-ID: <56CE156F.5000002@twopif.net>

> I haven't looked at the links yet, but what is your purpose? Do you want
> to detect rogue keyservers in the keyserver network, or perhaps attacks
> on keyservers?

Essentially I'm looking to see if it's possible to make a secure directory service, for some definition of secure, even against persistent attackers.

> There is no need to trust keyservers in the Web of Trust, or even in
> TOFU (as I assume in the latter you got a signed message from the other
> to start things off, and the wrong key would not verify the message).
> Still, it could be interesting to see if the keyserver network is
> somehow messed with, I suppose.

The idea is to see whether we can make something with security between the WoT and "download a random key and see what happens" that doesn't require user intervention. Whether this would be too burdensome remains to be seen.

Essentially, if you look up your email address regularly on the major keyservers, you can see whether people emailing you out of the blue will get the right key. But whoever is controlling it could send you the true key and a fake one to everyone else. This is a way to overcome that.

If you use e.g. Signal, you can encrypt from the first message; I want to see if that kind of user experience is possible with email, despite the lack of what I guess you might term biometric authentication.

Thanks,
Lachlan
From peter at digitalbrains.com Wed Feb 24 21:55:58 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 24 Feb 2016 21:55:58 +0100
Subject: Tor and keyservers
In-Reply-To: <56CE156F.5000002@twopif.net>
References: <5697CC7C.7040603@sixdemonbag.org> <56CDBA5D.8050307@twopif.net> <56CE156F.5000002@twopif.net>
Message-ID: <56CE18DE.6010002@digitalbrains.com>

On 24/02/16 21:41, Lachlan Gunn wrote:
> The idea is to see whether we can make something with security between the
> WoT and "download a random key and see what happens" that doesn't require
> user intervention. Whether this would be too burdensome remains to be seen.

Thanks for the explanation. Good luck!

Post-Snowden, you sure see a lot of people trying to reduce the burden of key verification... But some ideas are better thought out than others. A lot of misconceptions out there, it seems.

> despite the lack of what I guess you might term biometric authentication.

Personally, I stay far from actual biometric authentication. I can't revoke my eyes... and biometric scanners that aren't easily fooled are insanely expensive. Watch out with that logical implication there: some insanely expensive biometric scanners can be easily fooled :).

It's interesting you're using "biometric" as a qualifier implying something "good". I wouldn't agree.

Cheers,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From lachlan at twopif.net Wed Feb 24 22:10:26 2016
From: lachlan at twopif.net (Lachlan Gunn)
Date: Wed, 24 Feb 2016 22:10:26 +0100
Subject: Tor and keyservers
In-Reply-To: <56CE18DE.6010002@digitalbrains.com>
References: <5697CC7C.7040603@sixdemonbag.org> <56CDBA5D.8050307@twopif.net> <56CE156F.5000002@twopif.net> <56CE18DE.6010002@digitalbrains.com>
Message-ID: <56CE1C42.208@twopif.net>

> It's interesting you're using "biometric" as a qualifier implying something
> "good". I wouldn't agree.

I mean in the sense that it's a lot easier for someone doing MITM to transparently rewrite the signatures in an email than it is to transparently detect that you are reading the verification code and then replace it with a synthesised version without breaking the flow of speech. It's not perfect, but it's a barrier at least.

Thanks,
Lachlan

From peter at digitalbrains.com Wed Feb 24 22:13:39 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 24 Feb 2016 22:13:39 +0100
Subject: Tor and keyservers
In-Reply-To: <56CE1C42.208@twopif.net>
References: <5697CC7C.7040603@sixdemonbag.org> <56CDBA5D.8050307@twopif.net> <56CE156F.5000002@twopif.net> <56CE18DE.6010002@digitalbrains.com> <56CE1C42.208@twopif.net>
Message-ID: <56CE1D03.7030303@digitalbrains.com>

On 24/02/16 22:10, Lachlan Gunn wrote:
> I mean in the sense that it's a lot easier for someone doing MITM to
> transparently rewrite the signatures in an email than it is to
> transparently detect that you are reading the verification code and then
> replace it with a synthesised version without breaking the flow of
> speech. It's not perfect, but it's a barrier at least.

Ah! Then it makes sense. I hadn't picked up on that.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From martin.konold at erfrakon.com Wed Feb 24 22:53:01 2016
From: martin.konold at erfrakon.com (Martin Konold)
Date: Wed, 24 Feb 2016 22:53:01 +0100
Subject: Nitrokey HSM and GPG
In-Reply-To: <56CE008D.4050201@cardcontact.de>
References: <1693223.gyKMTKaxmb@sony-01.tue.hq.erfrakon.de> <56CE008D.4050201@cardcontact.de>
Message-ID: <3422886.FiS0SX2a9a@sony-01.tue.hq.erfrakon.de>

On Wednesday, 24 February 2016, 20:12:13 CET, Andreas Schwier wrote:

Dear Andreas,

> the Nitrokey HSM has an embedded SmartCard-HSM which is only supported
> by gpgsm. Unfortunately you can not use a key on the device as gpg key,
> but only for S/MIME. GPG only supports cards that conform to the OpenPGP
> Card Specification, which the SmartCard-HSM doesn't.

Thanks for enlightening me.

I assume if I simply want to encrypt / decrypt files gpgsm should be sufficient?!

I read the man page but still fail using the Nitrokey HSM with gpgsm.

Can you provide me a hint how to instruct gpgsm to use a specific SmartCard-HSM device?
I successfully used openssl with this card but fail with gpgsm so far using

engine -t dynamic -pre SO_PATH:/usr/lib64/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/opensc-pkcs11.so
req -engine pkcs11 -new -key 0:10 -keyform engine -out cert.pem -text -x509 -days 3640

Kind Regards
--martin konold

--
Dipl.-Physiker Martin Konold
e r f r a k o n
Partnerschaftsgesellschaft
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Register court: Amtsgericht Stuttgart PR 126
Registered office: Adolfstraße 23, 70469 Stuttgart
phone: 0711 67400963 fax: 0711 67400959
email: martin.konold at erfrakon.de http://www.erfrakon.com

From anthony at cajuntechie.org Wed Feb 24 22:45:02 2016
From: anthony at cajuntechie.org (Anthony Papillion)
Date: Wed, 24 Feb 2016 15:45:02 -0600
Subject: Problem compiling 2.0.29
Message-ID: <56CE245E.4040206@cajuntechie.org>

I'm trying to compile 2.0.29 and I'm running into a problem. I've compiled all of the dependencies and, when I try to compile gnupg itself, I get the following error:

Making all in openpgp
make[3]: Entering directory `/home/anthony/Source/gnupg-2.0.29/tests/openpgp'
echo '#!/bin/sh' >./gpg_dearmor
echo "../../g10/gpg2 --homedir . --no-options --no-greeting \
  --no-secmem-warning --batch --dearmor" >>./gpg_dearmor
chmod 755 ./gpg_dearmor
./gpg_dearmor > ./pubring.gpg < ./pubring.asc
../../g10/gpg2: error while loading shared libraries: libgcrypt.so.20: cannot open shared object file: No such file or directory
make[3]: *** [pubring.gpg] Error 127
make[3]: Leaving directory `/home/anthony/Source/gnupg-2.0.29/tests/openpgp'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/anthony/Source/gnupg-2.0.29/tests'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/anthony/Source/gnupg-2.0.29'
make: *** [all] Error 2

It seems the problem is in libgcrypt so I recompiled it to make sure it was properly installed and it made no difference.
Can anyone give me a clue as to what might be going wrong or how to fix this?

Thanks!
Anthony

--
Anthony Papillion
Phone: (918) 533-9699
Skype: CajunTechie
PGP: 0x53B04B15
XMPP: cypher at chat.cpunk.us

From dkg at fifthhorseman.net Thu Feb 25 00:45:18 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 24 Feb 2016 18:45:18 -0500
Subject: A problem in the web of trust model or a gnupg bug?
In-Reply-To: <56C717F4.1050402@digitalbrains.com>
References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com>
Message-ID: <87ziupzn8x.fsf@alice.fifthhorseman.net>

On Fri 2016-02-19 08:26:12 -0500, Peter Lebbing wrote:
> I can't reproduce this. A revocation correctly invalidates any
> certifications *both* before or after the moment of revocation. After
> all, the time can be faked.[1]
>
> I tested with no "revocation reason" specified, by the way. But I don't
> think GnuPG uses the revocation reason for anything, although I'm not
> 100% sure.

according to https://tools.ietf.org/html/rfc4880#section-5.2.3.23 :

   If a key has been revoked because of a compromise, all signatures
   created by that key are suspect. However, if it was merely
   superseded or retired, old signatures are still valid. If the
   revoked signature is the self-signature for certifying a User ID, a
   revocation denotes that that user name is no longer in use. Such a
   revocation SHOULD include a 0x20 code.

so the reason for revocation should affect whether signatures made before the revocation are worthy of consideration.

however, "no reason specified" should default to the safer/harsher situation, where all signatures made by that key are no longer considered, regardless of timestamp.
hth,

--dkg

From dsaklad at gnu.org Thu Feb 25 00:48:16 2016
From: dsaklad at gnu.org (Don Saklad)
Date: Wed, 24 Feb 2016 18:48:16 -0500
Subject: Please include an appropriate link at an instructive/useful remark at https://emailselfdefense.fsf.org/en/
Message-ID: <5itwkx8ybj.fsf@fencepost.gnu.org>

Please include an appropriate link at this instructive/useful remark at https://emailselfdefense.fsf.org/en/

>"Before configuring GnuPG though, you'll need the IceDove desktop email program installed on your computer."

An appropriate link at that point will be helpful for folks new to computers, new to the technology.

From rjh at sixdemonbag.org Thu Feb 25 02:52:09 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 24 Feb 2016 20:52:09 -0500
Subject: Profile Backup Tool
In-Reply-To: <87a8mr5t82.fsf@wheatstone.g10code.de>
References: <56CBB815.7060405@sixdemonbag.org> <87a8mr5t82.fsf@wheatstone.g10code.de>
Message-ID: <56CE5E49.8060300@sixdemonbag.org>

Well, it's done (enough) for a 1.0 release:

https://rjhansen.github.io/gpg_wpf_migrator/

Supported OSes:
* Windows via the .NET 4.5 runtime and WPF.
* A Gtk# release for UNIX and OS X will follow once this is debugged.

ObWarnings:
* It has the worst kind of bugs in it -- ones I haven't found yet.
* It hasn't undergone rigorous testing.
* It'll probably set your GnuPG installation on fire.

Licensing:
* ISC. Share and enjoy.

Signatures:
* The app and MSI each have Authenticode sigs
* A detached GnuPG signature of the MSI is available.

From carnap at gmx.at Thu Feb 25 09:21:45 2016
From: carnap at gmx.at (Josef Carnap)
Date: Thu, 25 Feb 2016 09:21:45 +0100
Subject: What are key helpers?
Message-ID: <56CEB999.60601@gmx.at>

Hello mailing list members,

In the option description of --exec-path and in some descriptions of other options as well I can read of "Key helpers". What kind of program is a key helper? Are key helpers part of the GnuPG suite or are they external programs? Does anybody know some examples and for what purposes one could use key helpers?

Best regards
Josef

From peter at digitalbrains.com Thu Feb 25 11:05:49 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 25 Feb 2016 11:05:49 +0100
Subject: A problem in the web of trust model or a gnupg bug?
In-Reply-To: <87ziupzn8x.fsf@alice.fifthhorseman.net>
References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com> <87ziupzn8x.fsf@alice.fifthhorseman.net>
Message-ID: <56CED1FD.1040303@digitalbrains.com>

On 25/02/16 00:45, Daniel Kahn Gillmor wrote:
> so the reason for revocation should affect whether signatures made
> before the revocation are worthy of consideration.

Ah, thanks for the rectification!

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Thu Feb 25 11:26:25 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 25 Feb 2016 11:26:25 +0100
Subject: Possible values for --compress-level and --bzip2-compress-level
In-Reply-To: <56CDBA19.5030301@gmx.at>
References: <56CDBA19.5030301@gmx.at>
Message-ID: <56CED6D1.8010203@digitalbrains.com>

On 24/02/16 15:11, Josef Carnap wrote:
> I have a question to the options --compress-level and
> --bzip2-compress-level. Which are the supported (possible)
> values of each of the options? -- Numbers from 0 up to 6?

The canonical way to use the BZIP2 algorithm on Linux is through the bzip2 program. Its man page lists the following:

> -1 (or --fast) to -9 (or --best)
>        Set the block size to 100 k, 200 k ... 900 k when compressing.
>        Has no effect when decompressing.
>        See MEMORY MANAGEMENT below.
>        The --fast and --best aliases are primarily for GNU gzip compatibility.
>        In particular, --fast doesn't make things significantly
>        faster. And --best merely selects the default behaviour.

The other two require you to look a bit further than just lowercasing :), but I think they both use the DEFLATE compression method. On Linux, you will often use gzip to create archives with DEFLATE. Its man page says:

> -# --fast --best
>        Regulate the speed of compression using the specified digit #,
>        where -1 or --fast indicates the fastest compression method (less
>        compression) and -9 or --best indicates the slowest compression
>        method (best compression). The default compression level is -6
>        (that is, biased towards high compression at expense of speed).

This does however raise a question:

> Here is the description of the both options in the GPG Manual:
> [...]
> --bzip2-compress-level sets the compression level for the BZIP2
> compression algorithm (defaulting to 6 as well). This is a different
> option from --compress-level since BZIP2 uses a significant amount of
> memory for each additional compression level.

The defaults are apparently different?

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From peter at digitalbrains.com Thu Feb 25 11:43:01 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 25 Feb 2016 11:43:01 +0100
Subject: Problem compiling 2.0.29
In-Reply-To: <56CE245E.4040206@cajuntechie.org>
References: <56CE245E.4040206@cajuntechie.org>
Message-ID: <56CEDAB5.3080900@digitalbrains.com>

On 24/02/16 22:45, Anthony Papillion wrote:
> ../../g10/gpg2: error while loading shared libraries: libgcrypt.so.20:
> cannot open shared object file: No such file or directory

Where did you install the library? Is that path in /etc/ld.so.conf?

Perhaps you need to run

# ldconfig

to update the library cache.
I must admit I haven't ever compiled GnuPG myself other than with dpkg-buildpackage, though :).

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From lachlan at twopif.net Thu Feb 25 14:10:33 2016
From: lachlan at twopif.net (Lachlan Gunn)
Date: Thu, 25 Feb 2016 14:10:33 +0100
Subject: FAQ maintenance
In-Reply-To: <56B25F4B.4000603@sixdemonbag.org>
References: <56B25F4B.4000603@sixdemonbag.org>
Message-ID: <56CEFD49.5010700@twopif.net>

On 2016-02-03 21:12, Robert J. Hansen wrote:
> Time for my semi-regular FAQ perusing and updating. I plan on updating
> the FAQ to include a link to the FSF's email security guide, but that
> seems like such an unobjectionable change I'm not going to kick it
> around the list for pre-approval. Beyond that, if there's anything
> you've always thought the FAQ should mention, now's a great time to
> suggest it. :)

Hello,

I realise this is rather late, but I notice that under the section, "Will GnuPG ever support RSA-3072 or RSA-4096 by default?", ECC is referred to as Elliptical Curve Cryptography rather than Elliptic. If this is intentional then please disregard.

Thanks,
Lachlan
From kristian.fiskerstrand at sumptuouscapital.com Thu Feb 25 14:25:52 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Thu, 25 Feb 2016 14:25:52 +0100
Subject: FAQ maintenance
In-Reply-To: <56B496E2.3080306@sixdemonbag.org>
References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org>
Message-ID: <56CF00E0.4030502@sumptuouscapital.com>

On 02/05/2016 01:34 PM, Robert J. Hansen wrote:
> > If somebody can create a long-keyID-collision...
>
> That seems to be a big 'if' right now. Short collisions are easy;
> long ones are nontrivial. Or did I miss something?

https://www.ietf.org/mail-archive/web/openpgp/current/msg07195.html .. but at least 1.4 and 2.0 won't be able to import a colliding 64 bit certificate as it is used as internal identifier as shown later in the thread iirc.
Now, the real question discussed here though isn't really collision but preimage attack, that is a different story and far more difficult :)

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies

From wk at gnupg.org Thu Feb 25 08:24:40 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Feb 2016 08:24:40 +0100
Subject: A problem in the web of trust model or a gnupg bug?
In-Reply-To: <87ziupzn8x.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Wed, 24 Feb 2016 18:45:18 -0500")
References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com> <87ziupzn8x.fsf@alice.fifthhorseman.net>
Message-ID: <87twkxz1zb.fsf@wheatstone.g10code.de>

On Thu, 25 Feb 2016 00:45, dkg at fifthhorseman.net said:

> according to https://tools.ietf.org/html/rfc4880#section-5.2.3.23 :
>
>    If a key has been revoked because of a compromise, all signatures
>    created by that key are suspect. However, if it was merely
>    superseded or retired, old signatures are still valid.
>    If the

If the key has been compromised and the attacker assumes that the legitimate owner of the key is aware of that, the attacker may issue a revocation certificate with "superseded" reason and claim that a later arriving "compromised" revocation has been done accidentally.

Thus I am not convinced that the revocation reasons are useful for any automated evaluation.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Feb 25 08:27:44 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Feb 2016 08:27:44 +0100
Subject: status of ed25519 draft
In-Reply-To: <56CDE8DE.6080009@minton.name> (Brian Minton's message of "Wed, 24 Feb 2016 12:31:10 -0500")
References: <54DA7099.9030909@minton.name> <8761b84unc.fsf@vigenere.g10code.de> <56CDE8DE.6080009@minton.name>
Message-ID: <87povlz1u7.fsf@wheatstone.g10code.de>

On Wed, 24 Feb 2016 18:31, brian at minton.name said:

> The next draft is due soon. How long does it usually take the IETF to
> ratify a draft RFC?

There won't be an RFC for that I-D. Instead it will hopefully be part of rfc-4880bis (the updated OpenPGP specs which is in the works).

Given that there are no real complaints about the Ed25519 I-D I plan to remove the extra prompt during key generation and go ahead with Ed25519. RFC-4880bis will take too long to get published.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Thu Feb 25 08:35:28 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 25 Feb 2016 08:35:28 +0100
Subject: Decrypt without importing key to keyring
In-Reply-To: (Francis Le Roy's message of "Wed, 24 Feb 2016 11:34:27 +0100")
References:
Message-ID: <87lh69z1hb.fsf@wheatstone.g10code.de>

On Wed, 24 Feb 2016 11:34, thecissou98 at hotmail.fr said:

> Hi, is there a way to use a private key (PGP) to decrypt a message
> without adding it to the keyring.
> I don't want the private key to be

No, there is no such way. You may however delete the key after use.

gpgsm has a concept of ephemeral keys which are removed from the keyring after a few hours. This could be added to gpg as well, but I don't see a real use case for this. Note that OpenPGP often requires access to several keys to validate the key. This is not only due to the Web-of-trust but also for dedicated revocation keys and of course to track revocations.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From peter at digitalbrains.com Thu Feb 25 14:38:10 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 25 Feb 2016 14:38:10 +0100
Subject: FAQ maintenance
In-Reply-To: <56CF00E0.4030502@sumptuouscapital.com>
References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com>
Message-ID:

(If this feels like droning on to you, just stop reading and go do something fun!)

On 2016-02-25 14:25, Kristian Fiskerstrand wrote:
> Now, the real question discussed here though isn't really collission
> but preimage attack, that is a different story and far more difficult
> :)

Thanks for the link! But my approach to it wasn't really from "is it a problem in practice" but more "should this be the advice we give" and "what's wrong with just using the fingerprint and be done with it forever". We always tell users to use the fingerprint if they need to be sure of authenticity. Or if I'm mistaken about that, I think we should.

My 2 cents,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at From richard.genthner at wheniwork.com Thu Feb 25 14:38:02 2016 From: richard.genthner at wheniwork.com (Richard Genthner) Date: Thu, 25 Feb 2016 08:38:02 -0500 Subject: Single GPG key and multiple yubikeys Message-ID: <56CF03BA.70907@wheniwork.com> So I have a single gpg key for work with 3 sub keys. I have copied it to a yubikey nano just fine. Removed the yubi and removed my gpg key and then reimported the gpg key and inserted yubikey number two and did keytocard again for the second yubikey. Whenever I do ssh -l git github.com gpg-agent[99732]: chan_10 -> SETDESC Please remove the current card and insert the one with serial number:%0A%0A "D2760001240102010006041632600000" which is the nano. It seems that even killing the gpg-agent and inserting the other yubikey doesn't seem to work. Suggestions? -- Richard Genthner Sr DevOps Engineer When I Work, Inc. St Paul, MN From kristian.fiskerstrand at sumptuouscapital.com Thu Feb 25 15:48:16 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 25 Feb 2016 15:48:16 +0100 Subject: Single GPG key and multiple yubikeys In-Reply-To: <56CF03BA.70907@wheniwork.com> References: <56CF03BA.70907@wheniwork.com> Message-ID: <56CF1430.2080501@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/25/2016 02:38 PM, Richard Genthner wrote: > So I have a single gpg key for work with 3 sub keys. I have copied > it to a yubikey nano just fine. Removed the yubi and removed my gpg > key and then reimported the gpg key and inserted yubikey number two > and did keytocard again for the second yubikey. Whenever I do > > ssh -l git github.com > > gpg-agent[99732]: chan_10 -> SETDESC Please remove the current card > and insert the one with serial number:%0A%0A > "D2760001240102010006041632600000" > > which is the nano.
It seems that even killing the gpg-agent and > inserting the other yubikey doesn't seem to work. Suggestions? Delete the stubs and do gpg --card-status to learn of the new smartcard - -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies From richard.genthner at wheniwork.com Thu Feb 25 15:44:11 2016 From: richard.genthner at wheniwork.com (Richard Genthner) Date: Thu, 25 Feb 2016 09:44:11 -0500 Subject: Single GPG key and multiple yubikeys In-Reply-To: <56CF1430.2080501@sumptuouscapital.com> References: <56CF03BA.70907@wheniwork.com> <56CF1430.2080501@sumptuouscapital.com> Message-ID: <56CF133B.4020505@wheniwork.com> How do I delete the stubs without deleting key? and when I do gpg --card-status never updates the application id.
> Kristian Fiskerstrand > February 25, 2016 at 9:48 AM > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Delete the stubs and do gpg --card-status to learn of the new smartcard > > > - -- > - ---------------------------- > Kristian Fiskerstrand > Blog: https://blog.sumptuouscapital.com > Twitter: @krifisk > - ---------------------------- > Public OpenPGP key at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > - ---------------------------- > Aquila non capit muscas > The eagle does not hunt flies -- Richard Genthner Sr DevOps Engineer When I Work, Inc. St Paul, MN
From kristian.fiskerstrand at sumptuouscapital.com Thu Feb 25 15:50:57 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 25 Feb 2016 15:50:57 +0100 Subject: FAQ maintenance In-Reply-To: References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> Message-ID: <56CF14D1.70209@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/25/2016 02:38 PM, Peter Lebbing wrote: > (If this feels like droning on to you, just stop reading and go do > something fun!) > > On 2016-02-25 14:25, Kristian Fiskerstrand wrote: >> Now, the real question discussed here though isn't really >> collision but preimage attack, that is a different story and far >> more difficult :) > > Thanks for the link! But my approach to it wasn't really from "is > it a problem in practice" but more "should this be the advice we > give" and "what's wrong with just using the fingerprint and be done > with it forever". We always tell users to use the fingerprint if > they need to be sure of authenticity. Or if I'm mistaken about > that, I think we should. > Well, it depends. Sure, should always use full fingerprint for certificate validation etc, no question asked. But the internal keyid and the packet structure use 64 bit keyid as identifier, so using fingerprint in quite a number of other cases is more resource intensive without necessarily improving too much (in particular in cases where action from yourself is required, default key for signing etc).
- -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies From peter at digitalbrains.com Thu Feb 25 15:54:03 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 25 Feb 2016 15:54:03 +0100 Subject: FAQ maintenance In-Reply-To: <56CF14D1.70209@sumptuouscapital.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> Message-ID: <0c5a0516844e365c0225d8980ff02941@butters.digitalbrains.com> On 2016-02-25 15:50, Kristian Fiskerstrand wrote: > (in particular in > cases where action from yourself is required, default key for signing > etc). I agree. Note that the discussed case, encrypt-to, silently encrypts to unvalidated keys that happen to be on a keyring.
Just pick any key on your keyring that isn't valid, say it's mine, AC46EFE6DE500B3E, and put this in your gpg.conf (watch out what you're doing here, though!): encrypt-to AC46EFE6DE500B3E Now encrypt a test message to anyone, something like: echo "I'm talking to myself" | gpg2 -o test.gpg -r E3EDFAE3 -e Note how happy GnuPG is to do all this, and then do gpg2 --list-only --list-packets test.gpg Note how the unvalidated key is silently encrypted to without a peep from GnuPG. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From peter at digitalbrains.com Thu Feb 25 15:56:32 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 25 Feb 2016 15:56:32 +0100 Subject: Single GPG key and multiple yubikeys In-Reply-To: <56CF133B.4020505@wheniwork.com> References: <56CF03BA.70907@wheniwork.com> <56CF1430.2080501@sumptuouscapital.com> <56CF133B.4020505@wheniwork.com> Message-ID: <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> On 2016-02-25 15:44, Richard Genthner wrote: > How do I delete the stubs without deleting key? and when I do gpg > --card-status never updates the application id. gpg --delete-secret-keys XXX But don't do this when your primary key is on-disk, only do this when all your secret key material is stubs. Note that it is very impractical to regularly use two smartcards on the same computer because of all this. You should probably stick to using a single smartcard on any single computer. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy.
My key is available at From richard.genthner at wheniwork.com Thu Feb 25 15:58:30 2016 From: richard.genthner at wheniwork.com (Richard Genthner) Date: Thu, 25 Feb 2016 09:58:30 -0500 Subject: Single GPG key and multiple yubikeys In-Reply-To: <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> References: <56CF03BA.70907@wheniwork.com> <56CF1430.2080501@sumptuouscapital.com> <56CF133B.4020505@wheniwork.com> <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> Message-ID: <56CF1696.1070002@wheniwork.com> Yeah, what I'm hoping to do is be able to carry my card with me and jump on a terminal while traveling and sign and login to things. > Peter Lebbing > February 25, 2016 at 9:56 AM > > > gpg --delete-secret-keys XXX > > But don't do this when your primary key is on-disk, only do this when > all your secret key material is stubs. > > Note that it is very impractical to regularly use two smartcards on > the same computer because of all this. You should probably stick to > using a single smartcard on any single computer. > > HTH, > > Peter. 
> > Kristian Fiskerstrand > February 25, 2016 at 9:48 AM > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Delete the stubs and do gpg --card-status to learn of the new smartcard > > > - -- > - ---------------------------- > Kristian Fiskerstrand > Blog: https://blog.sumptuouscapital.com > Twitter: @krifisk > - ---------------------------- > Public OpenPGP key at hkp://pool.sks-keyservers.net > fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 > - ---------------------------- > Aquila non capit muscas > The eagle does not hunt flies > Richard Genthner > February 25, 2016 at 9:44 AM > How do I delete the stubs without deleting key? and when I do gpg > --card-status never updates the application id. > > > Richard Genthner > February 25, 2016 at 8:38 AM > So I have a single gpg key for work with 3 sub keys. I have copied it > to a yubikey nano just fine. Removed the yubi and removed my gpg key > and then reimported the gpg key and inserted yubikey number two and > did keytocard again for the second yubikey. Whenever I do > > ssh -l git github.com > > gpg-agent[99732]: chan_10 -> SETDESC Please remove the current card > and insert the one with serial number:%0A%0A > "D2760001240102010006041632600000" -- Richard Genthner Sr DevOps Engineer When I Work, Inc. St Paul, MN
From muri+gnupg-users at immerda.ch Thu Feb 25 18:59:53 2016 From: muri+gnupg-users at immerda.ch (Muri Nicanor) Date: Thu, 25 Feb 2016 18:59:53 +0100 Subject: Specify UID for --sign-key Message-ID: <56CF4119.10504@immerda.ch> hello gnupg-users, is it possible to specify the uid for --sign-key (so i don't have to go through the gpg --edit dialog)? i tried using =Name or just as described on [0], but i always get asked if i want to sign all the uids and then i have to say no and choose the one i specified... thanks & cheers, muri [0] https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html From kristian.fiskerstrand at sumptuouscapital.com Thu Feb 25 19:11:39 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 25 Feb 2016 19:11:39 +0100 Subject: FAQ maintenance In-Reply-To: <0c5a0516844e365c0225d8980ff02941@butters.digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <0c5a0516844e365c0225d8980ff02941@butters.digitalbrains.com> Message-ID: <56CF43DB.2020901@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/25/2016 03:54 PM, Peter Lebbing wrote: > On 2016-02-25 15:50, Kristian Fiskerstrand wrote: >> (in particular in cases where action from yourself is required, >> default key for signing etc). > > I agree. Note that the discussed case, encrypt-to, silently > encrypts to unvalidated keys that happen to be on a keyring.
Just > pick any key on your keyring that isn't valid, say it's mine, > AC46EFE6DE500B3E, and put this in your gpg.conf (watch out what > you're doing here, though!): Yeah, the no validation mode of encrypt-to really does call for prudence in this specific case - -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies From rjh at sixdemonbag.org Thu Feb 25 19:11:55 2016 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Thu, 25 Feb 2016 13:11:55 -0500 Subject: FAQ maintenance In-Reply-To: <56CF43DB.2020901@sumptuouscapital.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <0c5a0516844e365c0225d8980ff02941@butters.digitalbrains.com> <56CF43DB.2020901@sumptuouscapital.com> Message-ID: <56CF43EB.5000000@sixdemonbag.org> > Yeah, the no validation mode of encrypt-to really does call for > prudence in this specific case If an attacker can control your gpg.conf file, there are so many worse things to do that it's hard for me to take this seriously. From peter at digitalbrains.com Thu Feb 25 19:20:28 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 25 Feb 2016 19:20:28 +0100 Subject: FAQ maintenance In-Reply-To: <56CF43EB.5000000@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <0c5a0516844e365c0225d8980ff02941@butters.digitalbrains.com> <56CF43DB.2020901@sumptuouscapital.com> <56CF43EB.5000000@sixdemonbag.org> Message-ID: <56CF45EC.4060606@digitalbrains.com> On 25/02/16 19:11, Robert J. Hansen wrote: > If an attacker can control your gpg.conf file, there are so many worse > things to do that it's hard for me to take this seriously. I never, ever, once, argued the opposite. I sure hope you're not implying I am, or that Kristian is. 
If you recall, I talked about public keys being attached to e-mail messages, adding as a mitigating factor that your own key would probably be earlier on the keyring. By now, we can add the mitigating factor that GnuPG will bork on the key import. Plus, as was already established, the rather major fact that as far as we know, nobody has pulled off a second-preimage attack against a long keyID. But take things as seriously as you see fit. As I indicated, this is more of the variety of "what is prudence in user education", not "oh my God they are H4xx0rzing our keez". Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From dshaw at jabberwocky.com Thu Feb 25 19:04:33 2016 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 25 Feb 2016 13:04:33 -0500 Subject: Possible values for --compress-level and --bzip2-compress-level In-Reply-To: <56CDBA19.5030301@gmx.at> References: <56CDBA19.5030301@gmx.at> Message-ID: <398285CF-24D0-4FF6-BA95-4309C321EB55@jabberwocky.com> On Feb 24, 2016, at 9:11 AM, Josef Carnap wrote: > > Hello everyone, > > I have a question to the options --compress-level and > --bzip2-compress-level. Which are the supported (possible) > values of each of the options? -- Numbers from 0 up to 6? 1 through 9, with 1 being the least compression (but generally runs faster) and 9 being the most compression (but generally runs slower).
David From kristian.fiskerstrand at sumptuouscapital.com Thu Feb 25 20:24:37 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 25 Feb 2016 20:24:37 +0100 Subject: FAQ maintenance In-Reply-To: <56B48619.3000907@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <56B48619.3000907@digitalbrains.com> Message-ID: <56CF54F5.3000502@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/05/2016 12:23 PM, Peter Lebbing wrote: > Furthermore, I think a reasonably often asked question is "Why > can't I provide the password in a pipe to GnuPG anymore?". Old 1.4 > allowed this, but 2.0 is incapable of it and 2.1 needs a loopback > pinentry. But of course, the answe 2.0 supports --batch --passphrase-fd 0 - -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies From peter at digitalbrains.com Thu Feb 25 20:30:02 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Thu, 25 Feb 2016 20:30:02 +0100 Subject: FAQ maintenance In-Reply-To: <56CF54F5.3000502@sumptuouscapital.com> References: <56B25F4B.4000603@sixdemonbag.org> <56B48619.3000907@digitalbrains.com> <56CF54F5.3000502@sumptuouscapital.com> Message-ID: <56CF563A.9020309@digitalbrains.com> On 25/02/16 20:24, Kristian
Fiskerstrand wrote: > 2.0 supports --batch --passphrase-fd 0 Oh! I must have mixed up some things. Thanks for the rectification! I think perhaps I was thinking of entering a smartcard PIN, for which you do need a loopback pinentry (right??), and which was impossible to do on 2.0 (right??). Oh man, let's hope I don't start to question everything now. I might end up like Kyle in The Toothfairy's Tats episode of South Park... Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From kristian.fiskerstrand at sumptuouscapital.com Thu Feb 25 20:42:58 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Thu, 25 Feb 2016 20:42:58 +0100 Subject: FAQ maintenance In-Reply-To: <56CF563A.9020309@digitalbrains.com> References: <56B25F4B.4000603@sixdemonbag.org> <56B48619.3000907@digitalbrains.com> <56CF54F5.3000502@sumptuouscapital.com> <56CF563A.9020309@digitalbrains.com> Message-ID: <56CF5942.4060209@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/25/2016 08:30 PM, Peter Lebbing wrote: > On 25/02/16 20:24, Kristian Fiskerstrand wrote: >> 2.0 supports --batch --passphrase-fd 0 > > Oh! I must have mixed up some things. > > Thanks for the rectification! > > I think perhaps I was thinking of entering a smartcard PIN, for > which you do need a loopback pinentry (right??), and which was > impossible to do on 2.0 (right??). Oh man, let's hope I don't start > to question everything now. I might smartcard pin is a different story, indeed, I don't recall the details sufficiently to say "impossible" and frankly I have not tried it with a loopback pinentry, but it seems probable. 
- -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies From martini5468 at gmail.com Thu Feb 25 15:42:32 2016 From: martini5468 at gmail.com (Martin Ilchev) Date: Thu, 25 Feb 2016 14:42:32 +0000 Subject: cipher used when both --encrypt and --symmetric is specified Message-ID: I am looking for some help to figure out what cipher is used for symmetric encryption when both pass phrase and public keys are used. I have configured my gpg.conf with my preferred cipher algorithms as follows: personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES I have run the following tests: 1. Symmetrically encrypt a file: $gpg2 --symmetric somefile decrypting that file shows the correct cipher being used (I am looking at symkey enc packet field cipher 9 - aes256): $ gpg2 -vvv --decrypt somefile.gpg gpg: using character set `utf-8' :symkey enc packet: version 4, cipher 9, s2k 3, hash 10 salt 7ff4f273bd71e14e, count 24117248 (231) gpg: AES256 encrypted data :encrypted data packet: length: 360 mdc_method: 2 gpg: encrypted with 1 passphrase :compressed packet: algo=1 :literal data packet: mode b (62), created 1456410134, name="somefile", raw data: 1551 bytes gpg: original file name='somefile' 2.
Symmetrically encrypt and also encrypt for my own public key: gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile decrypting the file shows that the cipher used is CAST5 (again looking at the same symkey enc packet field cipher 3 - CAST5): $ gpg2 -vvv --decrypt somefile.gpg gpg: using character set `utf-8' :pubkey enc packet: version 3, algo 1, keyid 1234567890ABCDEF data: [4096 bits] gpg: public key is 0x1234567890ABCDEF gpg: using subkey 0x1234567890ABCDEF instead of primary key 0x1234567890ABCDEF gpg: selecting openpgp failed: Card not present :symkey enc packet: version 4, cipher 3, s2k 3, hash 10, seskey 256 bits salt 7fa903ae28975d77, count 24117248 (231) gpg: CAST5 encrypted session key :encrypted data packet: length: unknown mdc_method: 2 gpg: encrypted with 1 passphrase gpg: using subkey 1234567890ABCDEF instead of primary key 1234567890ABCDEF gpg: encrypted with 4096-bit RSA key, ID 1234567890ABCDEF, created 2018-13-34 "Martin" gpg: public key decryption failed: Operation cancelled gpg: AES256 encrypted data :compressed packet: algo=2 :onepass_sig packet: keyid 1234567890ABCDEF version 3, sigclass 0x00, digest 10, pubkey 1, last=1 :literal data packet: mode b (62), created 1456410193, name="somefile", raw data: 1551 bytes gpg: original file name='somefile' To get the cipher name from the cipher numbers I check RFC4880 ( https://tools.ietf.org/html/rfc4880#section-9.2). My expectation is that symmetric encryption should use the same cipher (AES256) in both cases. Can someone please explain if the above is the expected behaviour or if my expectations are wrong? I am running Debian 8.3 with gnupg2 2.0.26-6. I use gpg2 because my 4096b public/private keys are on a smart card. I also apologise for the really long e-mail. Kind Regards, Martin
From dougb at dougbarton.email Fri Feb 26 04:20:57 2016 From: dougb at dougbarton.email (Doug Barton) Date: Thu, 25 Feb 2016 19:20:57 -0800 Subject: FAQ maintenance In-Reply-To: <56CF14D1.70209@sumptuouscapital.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> Message-ID: <56CFC499.300@dougbarton.email> On 02/25/2016 06:50 AM, Kristian Fiskerstrand wrote: > On 02/25/2016 02:38 PM, Peter Lebbing wrote: >> (If this feels like droning on to you, just stop reading and go do >> something fun!) > >> On 2016-02-25 14:25, Kristian Fiskerstrand wrote: >>> Now, the real question discussed here though isn't really >>> collision but preimage attack, that is a different story and far >>> more difficult :) > >> Thanks for the link! But my approach to it wasn't really from "is >> it a problem in practice" but more "should this be the advice we >> give" and "what's wrong with just using the fingerprint and be done >> with it forever". We always tell users to use the fingerprint if >> they need to be sure of authenticity. Or if I'm mistaken about >> that, I think we should. > > > Well, it depends. Sure, should always use full fingerprint for > certificate validation etc, no question asked. But the internal keyid > and the packet structure use 64 bit keyid as identifier, so using > fingerprint in quite a number of other cases is more resource > intensive without necessarily improving too much (in particular in > cases where action from yourself is required, default key for signing > etc). There is a value in future-proofing advice.
It's true *today* that the 64-bit key ID is used internally, but that may not be the case tomorrow. There is also value in giving consistent advice. "Use the full fingerprint everywhere you need to identify a key" is much easier for users to understand than for them to try to remember which places they can/should use which method. Keep in mind that users are not going to be "doing PGP" on a day to day basis with the FAQ open in a neighboring window. If we can provide clear, consistent advice that's easy for users to remember we're way ahead of the game. Doug From dkg at fifthhorseman.net Fri Feb 26 03:49:26 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 26 Feb 2016 03:49:26 +0100 Subject: Specify UID for --sign-key In-Reply-To: <56CF4119.10504@immerda.ch> References: <56CF4119.10504@immerda.ch> Message-ID: <871t80yymh.fsf@alice.fifthhorseman.net> Hi Muri-- On Thu 2016-02-25 18:59:53 +0100, Muri Nicanor wrote: > is it possible to specify the uid for --sign-key (so i don't have to go > through the gpg --edit dialog)? i tried using > =Name > or just > > as described on [0], but i always get asked if i want to sign all the > uids and then i have to say no and choose the one i specified... In GnuPG 2.1: --quick-sign-key fpr [names] --quick-lsign-key fpr [names] Directly sign a key from the passphrase without any further user interaction. The fpr must be the verified primary fingerprint of a key in the local keyring. If no names are given, all useful user ids are signed; with given [names] only useful user ids matching one of theses names are signed. The command --quick-lsign-key marks the signatures as non-exportable. If such a non-exportable signature already exists the --quick-sign-key turns it into a exportable signature. This command uses reasonable defaults and thus does not provide the full flexibility of the "sign" subcommand from --edit-key. Its intended use is to help unattended key signing by utilizing a list of verified fingerprints.
hth, --dkg From dkg at fifthhorseman.net Fri Feb 26 03:45:48 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 25 Feb 2016 21:45:48 -0500 Subject: FAQ maintenance In-Reply-To: <56CF14D1.70209@sumptuouscapital.com> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> Message-ID: <874mcwyysj.fsf@alice.fifthhorseman.net> On Thu 2016-02-25 09:50:57 -0500, Kristian Fiskerstrand wrote: > Well, it depends. Sure, should always use full fingerprint for > certificate validation etc, no question asked. But the internal keyid > and the packet structure use 64 bit keyid as identifier I consider it a bug that GnuPG uses the 64-bit keyid as the internal identifier, and that the packet structure uses the 64-bit keyid as well. there's simply no justification for "saving those bits" on any modern hardware. We shouldn't embed the assumption that these limits will be permanent in our documentation. > so using fingerprint in quite a number of other cases is more resource > intensive without necessarily improving too much (in particular in > cases where action from yourself is required, default key for signing > etc). Why is it more resource intensive? the user will be copying and pasting this string one way or another, we should have them copy/pasting something cryptographically strong, not something that is marginal and only getting weaker with time. --dkg From dkg at fifthhorseman.net Fri Feb 26 04:49:47 2016 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Fri, 26 Feb 2016 04:49:47 +0100 Subject: What are key helpers? 
In-Reply-To: <56CEB999.60601@gmx.at> References: <56CEB999.60601@gmx.at> Message-ID: <878u28ceqs.fsf@alice.fifthhorseman.net> On Thu 2016-02-25 09:21:45 +0100, Josef Carnap wrote: > In the option description of --exec-path and in some descriptions of > other options as well I can read of "Key helpers". > What kind of program is a key helper? Are key helpers part of the GnuPG > suite or are they external programs? they're separate programs that operate over more-or-less well-defined interfaces (stdin/stdout text-based interaction, usually), most of which are shipped as part of the GnuPG suite. > Does anybody know some examples and for what purposes one could use key > helpers? take a look at the execpath in your installed system (e.g. /usr/lib/gnupg/ or /usr/lib/gnupg2/ on debian systems) for examples. many of the helpers in gnupg 1.4.x are related to connections to keyservers. in 2.1.x all the network connections are handled by dirmngr, so they aren't needed. in 2.0.x and 2.1.x, gpg-check-pattern is an example -- its --help output shows: ----------- Syntax: gpg-check-pattern [options] patternfile Check a passphrase given on stdin against the patternfile Options: -v, --verbose verbose --check run only a syntax check on the patternfile -0, --null input is expected to be null delimited ----------- hth, --dkg From peter at digitalbrains.com Fri Feb 26 10:55:46 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 26 Feb 2016 10:55:46 +0100 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: References: Message-ID: <56D02122.8040906@digitalbrains.com> On 25/02/16 15:42, Martin Ilchev wrote: > I am looking for some help to figure out what cipher is used for > symmetric encryption when both pass phrase and public keys are used.
I > have configured my gpg.conf with my preferred cipher algorithms as follows: > personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 > CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES Those preferences are not what is used when encrypting to your own key. To see those do: $ gpg2 --edit-key {KEYID} > showpref To change them do: > setpref Note that this refers to all types of preferences, not just ciphers. To set a default preference list for setpref, include in your gpg.conf: default-preference-list I'd suggest a bit of browsing through the man page with a search term of "preference" :). Note that these key preferences are part of your public key, and if you want others to respect them as well, they need to refresh your public key with the new preferences if you change them. > 2. Symmetrically encrypt and also encrypt for my own public key: > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile > decrypting the file shows that the cipher used is CAST5 It would be helpful to know what your key preferences are, since it might just be the most preferred algorithm from the intersection of personal preferences and key preferences. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From martin.konold at erfrakon.com Fri Feb 26 11:00:52 2016 From: martin.konold at erfrakon.com (Martin Konold) Date: Fri, 26 Feb 2016 11:00:52 +0100 Subject: Decrypt without importing key to keyring In-Reply-To: <87lh69z1hb.fsf@wheatstone.g10code.de> References: <87lh69z1hb.fsf@wheatstone.g10code.de> Message-ID: <5509385.O88K5bknzh@sony-01.tue.hq.erfrakon.de> Am Donnerstag, 25. Februar 2016, 08:35:28 CET schrieb Werner Koch: Hi, > On Wed, 24 Feb 2016 11:34, thecissou98 at hotmail.fr said: > > Hi, is there a way to use a private key (PGP) to decrypt a message > > without adding it to the keyring. 
There is of course the option to leave the private key exclusively on an OpenPGP Smartcard. This only requires a stub in the keyring which can be recreated on demand. Kind Regards --martin konold -- Dipl.-Physiker Martin Konold e r f r a k o n Partnerschaftsgesellschaft Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker Registergericht: Amtsgericht Stuttgart PR 126 Firmensitz: Adolfstraße 23, 70469 Stuttgart fon: 0711 67400963 fax: 0711 67400959 email: martin.konold at erfrakon.de http://www.erfrakon.com From martini5468 at gmail.com Fri Feb 26 11:44:27 2016 From: martini5468 at gmail.com (Martin Ilchev) Date: Fri, 26 Feb 2016 10:44:27 +0000 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: <56D02122.8040906@digitalbrains.com> References: <56D02122.8040906@digitalbrains.com> Message-ID: Hi Peter, Thanks for the reply. I did browse the man pages quite a bit (I am a bit afraid I browsed too much and touched stuff I should leave well alone :)) I did set my key preferences a few months ago and made sure the key had them as well. Here is the output of showpref:

Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA512, SHA384, SHA256, SHA224, SHA1
Compression: ZLIB, BZIP2, ZIP, Uncompressed
Features: MDC, Keyserver no-modify

Also here is all the stuff I have in my gpg.conf:

```
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
s2k-digest-algo SHA512
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/martin/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyid-format 0xlong
with-fingerprint
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
use-agent
```

Let me know if you need more info.
Regards, Martin On Fri, 26 Feb 2016 at 09:55 Peter Lebbing wrote: > On 25/02/16 15:42, Martin Ilchev wrote: > > I am looking for some help to figure out what cipher is used for > > symmetric encryption when both pass phrase and public keys are used. I > > have configured my gpg.conf with my preferred cipher algorithms as > follows: > > personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 > > CAMELLIA192 AES CAST5 CAMELLIA128 BLOWFISH IDEA 3DES > > Those preferences are not what is used when encrypting to your own key. > To see those do: > > $ gpg2 --edit-key {KEYID} > > showpref > > To change them do: > > > setpref > > Note that this refers to all types of preferences, not just ciphers. > > To set a default preference list for setpref, include in your gpg.conf: > > default-preference-list > > I'd suggest a bit of browsing through the man page with a search term of > "preference" :). Note that these key preferences are part of your public > key, and if you want others to respect them as well, they need to > refresh your public key with the new preferences if you change them. > > > 2. Symmetrically encrypt and also encrypt for my own public key: > > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF somefile > > decrypting the file shows that the cipher used is CAST5 > > It would be helpful to know what your key preferences are, since it > might just be the most preferred algorithm from the intersection of > personal preferences and key preferences. > > HTH, > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From martin.konold at erfrakon.com Fri Feb 26 12:31:50 2016 From: martin.konold at erfrakon.com (Martin Konold) Date: Fri, 26 Feb 2016 12:31:50 +0100 Subject: Single GPG key and multiple yubikeys In-Reply-To: <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> References: <56CF03BA.70907@wheniwork.com> <56CF133B.4020505@wheniwork.com> <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> Message-ID: <1583759.5A2Ocgpdyd@sony-01.tue.hq.erfrakon.de> On Thursday, 25 February 2016, 15:56:32 CET, Peter Lebbing wrote: Hi, > Note that it is very impractical to regularly use two smartcards on the > same computer because of all this. You should probably stick to using a > single smartcard on any single computer. In case there is an urgent need to use two smartcards on the same computer and account I recommend to make use of scdaemon.conf and separate GNUHOME directories. You may then differentiate between the two cards with the gpg --homedir commandline option. Kind Regards --martin konold -- Dipl.-Physiker Martin Konold e r f r a k o n Partnerschaftsgesellschaft Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker Registergericht: Amtsgericht Stuttgart PR 126 Firmensitz: Adolfstraße 23, 70469 Stuttgart fon: 0711 67400963 fax: 0711 67400959 email: martin.konold at erfrakon.de http://www.erfrakon.com From kristian.fiskerstrand at sumptuouscapital.com Fri Feb 26 12:43:54 2016 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 26 Feb 2016 12:43:54 +0100 Subject: Single GPG key and multiple yubikeys In-Reply-To: <1583759.5A2Ocgpdyd@sony-01.tue.hq.erfrakon.de> References: <56CF03BA.70907@wheniwork.com> <56CF133B.4020505@wheniwork.com> <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> <1583759.5A2Ocgpdyd@sony-01.tue.hq.erfrakon.de> Message-ID: <56D03A7A.1090908@sumptuouscapital.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 02/26/2016 12:31 PM, Martin Konold wrote:
> On Thursday, 25 February 2016, 15:56:32 CET, Peter Lebbing wrote: > > Hi, > >> Note that it is very impractical to regularly use two smartcards >> on the same computer because of all this. You should probably >> stick to using a single smartcard on any single computer. > > In case there is an urgent need to use two smartcards on the same > computer and account I recommend to make use of scdaemon.conf and > separate GNUHOME directories. You may then differentiate between > the two cards with the gpg --homedir commandline option. This sounds somewhat complex given that it'd require duplication of configuration and pubring and a separate private key store. A workaround currently could be to remove the specific keygrip files from private-keys-v1.d (for gnupg 2.1) for the known stubs and doing a gpg-connect-agent learn /bye or gpg --card status during e.g smartcard attachment in an udev rule etc, etc. But see the thread "Re: stub-key migration from gpg 1.4/2.0 to 2.1" where some options are also discussed.
- -- - ---------------------------- Kristian Fiskerstrand Blog: https://blog.sumptuouscapital.com Twitter: @krifisk - ---------------------------- Public OpenPGP key at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - ---------------------------- Aquila non capit muscas The eagle does not hunt flies From bozho at kset.org Fri Feb 26 10:55:39 2016 From: bozho at kset.org (=?UTF-8?B?TWFya28gQm/Fvmlrb3ZpxIc=?=) Date: Fri, 26 Feb 2016 09:55:39 +0000 Subject: Single GPG key and multiple yubikeys In-Reply-To: <56CF1696.1070002@wheniwork.com> References: <56CF03BA.70907@wheniwork.com> <56CF1430.2080501@sumptuouscapital.com> <56CF133B.4020505@wheniwork.com> <79dc433b8250bac483da8147bbd2bdc8@butters.digitalbrains.com> <56CF1696.1070002@wheniwork.com> Message-ID: <56D0211B.6030201@kset.org> On 25/02/2016 14:58, Richard Genthner wrote: > Yeah, what I'm hoping to do is be able to carry my card with me and jump on a > terminal while traveling and sign and login to things. Maybe keep two separate gpg home dirs, one for each yubikey? -- Marko ICQ: 5990814 I'm not under the alkafluence of inkahol that some thinkle peep I am. It's just the drunker I sit here the longer I get. From ndk.clanbo at gmail.com Fri Feb 26 14:31:31 2016 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 26 Feb 2016 14:31:31 +0100 Subject: gnupg-pkcs11 status & future Message-ID: <56D053B3.4090408@gmail.com> Hello all. Is gnupg-pkcs11 still maintained? Files on sourceforge are from 2011...
The idea of using a "standard" key container for GPG keys is appealing, and it could solve my (very personal, I admit, but maybe others feel the same) "problem" with having only 3 keypairs (for example I can't rotate encryption key every year unless I'm prepared to have a different card per year). With nearly every card I could have a look at, I can keep at least a dozen keypairs, so that would reduce to one smartcard every 10 years. BYtE, Diego From wk at gnupg.org Fri Feb 26 15:18:55 2016 From: wk at gnupg.org (Werner Koch) Date: Fri, 26 Feb 2016 15:18:55 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <56D053B3.4090408@gmail.com> (NdK's message of "Fri, 26 Feb 2016 14:31:31 +0100") References: <56D053B3.4090408@gmail.com> Message-ID: <87oab3wo4w.fsf@wheatstone.g10code.de> On Fri, 26 Feb 2016 14:31, ndk.clanbo at gmail.com said: > same) "problem" with having only 3 keypairs (for example I can't rotate > encryption key every year unless I'm prepared to have a different card > per year). Why do you want to rotate keys and still keep all the old keys on your smartcard? Rotating does only make sense if you take the old key soon offline. I can thus see the reason for one additional key on the card so that it is possible to decrypt with the old or the new key for some time. Then delete the old key from the card. In any case you need to load the keys onto the card and don't have the card create the key. Smartcards may break and then you would not be able to decrypt anything if you don't have an offline backup of the key. -- Thoughts are free. Exceptions are regulated by a federal law.
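
Added example, not part of any message on the list: the FAQ maintenance thread above argues over key IDs versus full fingerprints. For version 4 keys, RFC 4880 section 12.2 defines the fingerprint as SHA-1 over the public-key packet and the key ID as its low-order 64 bits; the 8-digit short ID is the low 32 bits. The Python sketch below derives all three from a constructed RSA public-key packet body and rejects anything shorter than a full fingerprint; the function names and the sample key material are assumptions made for illustration.

```python
"""Added illustration: OpenPGP v4 fingerprint, long key ID and short key ID."""
import hashlib
import string
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 16-bit bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over octet 0x99, the two-octet body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(identifier: str) -> str:
    """Drop whitespace and an optional 'fpr:' or '0x' prefix; return upper-case hex."""
    text = "".join(identifier.split())
    for prefix in ("fpr:", "0x"):
        if text.lower().startswith(prefix):
            text = text[len(prefix):]
    if not text or any(ch not in string.hexdigits for ch in text):
        raise ValueError(f"not a hexadecimal key identifier: {identifier!r}")
    return text.upper()


# Number of hex digits -> (what it is, how many bits of the SHA-1 hash it carries).
KINDS = {8: ("short key ID", 32), 16: ("long key ID", 64), 40: ("v4 fingerprint", 160)}


def classify(identifier: str):
    """Return (kind, bits) for an identifier as a user would paste it."""
    text = normalize(identifier)
    if len(text) not in KINDS:
        raise ValueError(f"unexpected identifier length {len(text)}: {identifier!r}")
    return KINDS[len(text)]


def key_ids(fingerprint: str):
    """Long and short key IDs are plain suffixes of the fingerprint."""
    text = normalize(fingerprint)
    if len(text) != 40:
        raise ValueError("need a 40-digit v4 fingerprint")
    return text[-16:], text[-8:]


def require_fingerprint(identifier: str) -> str:
    """Policy check for unattended use: accept only the full fingerprint."""
    kind, bits = classify(identifier)
    if bits < 160:
        raise ValueError(f"{kind} carries only {bits} bits; pass the full fingerprint")
    return normalize(identifier)


# Constructed sample material: not a usable key, only realistic in size and layout.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_CREATED = 1456444800  # 2016-02-26 00:00:00 UTC
SAMPLE_BODY = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, 65537)
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    long_id, short_id = key_ids(SAMPLE_FPR)
    print("fingerprint :", SAMPLE_FPR)
    print("long key ID :", long_id)
    print("short key ID:", short_id)
    # The second candidate is the placeholder key ID used in a message on this page.
    for candidate in (SAMPLE_FPR, "0x1234567890ABCDEF", short_id):
        try:
            require_fingerprint(candidate)
            print("accepted:", candidate)
        except ValueError as exc:
            print("rejected:", exc)
```

Because the creation time is part of the hashed packet body, the same RSA numbers with a different timestamp give a different fingerprint and different key IDs.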
From peter at digitalbrains.com Fri Feb 26 16:02:14 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 26 Feb 2016 16:02:14 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <87oab3wo4w.fsf@wheatstone.g10code.de> References: <56D053B3.4090408@gmail.com> <87oab3wo4w.fsf@wheatstone.g10code.de> Message-ID: <56D068F6.2000509@digitalbrains.com> On 26/02/16 15:18, Werner Koch wrote: > Rotating does only make sense if you take the old key soon offline. Why is this the case? I must admit I'm fairly comfortable not rotating my keys (which are on OpenPGP smartcards). But I can think of lines of reasoning where it makes sense to rotate, but still keep the old decryption key available. Think: "There's a non-zero chance that someone got my private key material, but at least they can only decrypt stuff encrypted in 2011, all other years use a different key". Note in this scenario it is nice if I can still easily access my 2011 material as well. I'm not saying this is a solid line of reasoning. I'm just curious why limiting access to the decryption key is the only thing that makes sense. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From rjh at sixdemonbag.org Fri Feb 26 16:29:53 2016 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Fri, 26 Feb 2016 10:29:53 -0500 Subject: FAQ maintenance In-Reply-To: <874mcwyysj.fsf@alice.fifthhorseman.net> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <874mcwyysj.fsf@alice.fifthhorseman.net> Message-ID: <56D06F71.4000408@sixdemonbag.org> > Why is it more resource intensive? It's far more intensive of a much more limited resource: user happiness. Normal users tend to find hexadecimal frustrating: "It's a *number*? But it uses A through F." "I don't understand. Why do I need the long ID?" "Wait, now I need to use the *entire* fingerprint?" "You can't be serious: I need to give a 40-character serial number whenever I need to identify a key?" "What do you *mean*, future keys will be expanding to 64 characters?!" ... In all this discussion about what's mathematically optimal, I'm dejected to see how little we're talking about human factors. From vedaal at nym.hush.com Fri Feb 26 15:52:09 2016 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Fri, 26 Feb 2016 09:52:09 -0500 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: References: <56D02122.8040906@digitalbrains.com> Message-ID: <20160226145209.D4F1D404FB@smtp.hushmail.com> On 2/26/2016 at 5:48 AM, "Martin Ilchev" wrote: >I did set my key preferences a few months ago and made sure the >key had >them as well. Here is the output of showperf: > > Cipher: AES256, AES192, AES, CAST5, 3DES ..... >> > 2. 
Symmetrically encrypt and also encrypt for my own public >key: >> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF >> > decrypting the file shows that the cipher used is CAST5 ===== 0x1234567890ABCDEF is obviously not your real key id. I suspect the key was generated some time ago, when the default cipher to protect one's secret key, was CAST5 GnuPG's default choice for the encryption algorithm for a symmetric cipher will be what the s2k-cipher-algo is. In your case for that key, it is CAST 5 Try This: gpg2 --s2k-cipher-algo AES256 --symmetric --encrypt --sign -r 0x1234567890ABCDEF filename The encryptions should now be with AES256 for both the symmetric part and the part encrypted to your key. vedaal From andrewg at andrewg.com Fri Feb 26 17:59:06 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Fri, 26 Feb 2016 16:59:06 +0000 Subject: FAQ maintenance In-Reply-To: <56D06F71.4000408@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <874mcwyysj.fsf@alice.fifthhorseman.net> <56D06F71.4000408@sixdemonbag.org> Message-ID: <56D0845A.6@andrewg.com> On 26/02/16 15:29, Robert J. Hansen wrote: > > "It's a *number*? But it uses A through F." > > "I don't understand. Why do I need the long ID?" > > "Wait, now I need to use the *entire* fingerprint?" > > "You can't be serious: I need to give a 40-character serial number > whenever I need to identify a key?" > > "What do you *mean*, future keys will be expanding to 64 characters?!" > > > ... In all this discussion about what's mathematically optimal, I'm > dejected to see how little we're talking about human factors. 
:-) The fundamental problem here is that computers have become so powerful that they can generate more data objects than human beings can ever give distinct names(*) to. Hell, we can't even give *ourselves* unique names, and there's a mere 7 billion of us. A (*) IDs, serial numbers, handles, identifiers... -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From muri+gnupg-users at immerda.ch Fri Feb 26 19:23:20 2016 From: muri+gnupg-users at immerda.ch (Muri Nicanor) Date: Fri, 26 Feb 2016 19:23:20 +0100 Subject: Specify UID for --sign-key In-Reply-To: <871t80yymh.fsf@alice.fifthhorseman.net> References: <56CF4119.10504@immerda.ch> <871t80yymh.fsf@alice.fifthhorseman.net> Message-ID: <56D09818.80409@immerda.ch> hi dkg and list, On 02/26/2016 03:49 AM, Daniel Kahn Gillmor wrote: [...] > On Thu 2016-02-25 18:59:53 +0100, Muri Nicanor wrote: >> is it possible to specify the uid for --sign-key (so i don't have to go >> through the gpg --edit dialog)? i tried using [...] > In GnuPG 2.1: > > --quick-sign-key fpr [names] > > --quick-lsign-key fpr [names] > Directly sign a key from the passphrase without any further user > interaction. The fpr must be the verified primary fingerprint > of a key in the local keyring. If no names are given, all useful > user ids are signed; with given [names] only useful user ids > matching one of these names are signed. The command > --quick-lsign-key marks the signatures as non-exportable. If such a > non-exportable signature already exists the --quick-sign-key > turns it into an exportable signature. > > This command uses reasonable defaults and thus does not provide > the full flexibility of the "sign" subcommand from --edit-key. > Its intended use is to help unattended key signing by utilizing > a list of verified fingerprints. thanks a lot!
are these reasonable defaults whats explained in the first paragraph or is there more to it? in particular i'm interested in the cert-expire option- i tried to use --quick-sign-key with --default-cert-expire 1y, but then i didn't find a way to review the expiry date of the signature (is there a switch to see the expiry date of signatures?) thanks and cheers, muri From dougb at dougbarton.email Fri Feb 26 19:41:41 2016 From: dougb at dougbarton.email (Doug Barton) Date: Fri, 26 Feb 2016 10:41:41 -0800 Subject: FAQ maintenance In-Reply-To: <56D06F71.4000408@sixdemonbag.org> References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <874mcwyysj.fsf@alice.fifthhorseman.net> <56D06F71.4000408@sixdemonbag.org> Message-ID: <56D09C65.1070402@dougbarton.email> On 02/26/2016 07:29 AM, Robert J. Hansen wrote: >> Why is it more resource intensive? > > It's far more intensive of a much more limited resource: user happiness. > Normal users tend to find hexadecimal frustrating: > > "It's a *number*? But it uses A through F." This is something that only experience can fix. > "I don't understand. Why do I need the long ID?" This is something the FAQ should explain :) > "Wait, now I need to use the *entire* fingerprint?" Ditto. > "You can't be serious: I need to give a 40-character serial number > whenever I need to identify a key?" I'm not sure users care much how many characters they are copying and pasting. > "What do you *mean*, future keys will be expanding to 64 characters?!" > > > ... In all this discussion about what's mathematically optimal, I'm > dejected to see how little we're talking about human factors. ... 
you might note that in my recent response I did mention a very important human factor. Consistent advice (always use the complete fingerprint to identify a key) is MUCH easier for users to remember than trying to teach them when they need it, and when they don't. Doug From peter at digitalbrains.com Fri Feb 26 20:11:00 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Fri, 26 Feb 2016 20:11:00 +0100 Subject: Specify UID for --sign-key In-Reply-To: <56D09818.80409@immerda.ch> References: <56CF4119.10504@immerda.ch> <871t80yymh.fsf@alice.fifthhorseman.net> <56D09818.80409@immerda.ch> Message-ID: <56D0A344.1070900@digitalbrains.com> On 26/02/16 19:23, Muri Nicanor wrote: > (is there a switch to see the expiry date of signatures?) --list-options show-sig-expire Cheers, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From anthony at cajuntechie.org Fri Feb 26 20:23:12 2016 From: anthony at cajuntechie.org (Anthony Papillion) Date: Fri, 26 Feb 2016 13:23:12 -0600 Subject: Are ZLIB and ZLIB2 no longer supported in GnuPG? Message-ID: <56D0A620.3080500@cajuntechie.org> I recently compiled the latest version of GnuPG 2 from source (.29, I believe) and, when I tried to use it, was told that I had invalid options in my .conf file. Specifically, it told me that ZLIB and ZLIB2 weren't supported as compression algos. Are those two algos no longer supported by GnuPG or was this just a compile flag that I didn't pass it? If they aren't supported, are there any security or usability implications to only using ZIP for compression? 
Thanks, Anthony From muri+gnupg-users at immerda.ch Fri Feb 26 20:31:20 2016 From: muri+gnupg-users at immerda.ch (Muri Nicanor) Date: Fri, 26 Feb 2016 20:31:20 +0100 Subject: Specify UID for --sign-key In-Reply-To: <56D0A344.1070900@digitalbrains.com> References: <56CF4119.10504@immerda.ch> <871t80yymh.fsf@alice.fifthhorseman.net> <56D09818.80409@immerda.ch> <56D0A344.1070900@digitalbrains.com> Message-ID: <56D0A808.10601@immerda.ch> hi, On 02/26/2016 08:11 PM, Peter Lebbing wrote: > On 26/02/16 19:23, Muri Nicanor wrote: >> (is there a switch to see the expiry date of signatures?) > > --list-options show-sig-expire thanks! and thanks to this option my other question about --default-cert-expire 1y is lapsed, because that output shows that it works! cheers, muri From ndk.clanbo at gmail.com Fri Feb 26 20:40:26 2016 From: ndk.clanbo at gmail.com (NdK) Date: Fri, 26 Feb 2016 20:40:26 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <56D068F6.2000509@digitalbrains.com> References: <56D053B3.4090408@gmail.com> <87oab3wo4w.fsf@wheatstone.g10code.de> <56D068F6.2000509@digitalbrains.com> Message-ID: <56D0AA2A.2030804@gmail.com> Il 26/02/2016 16:02, Peter Lebbing ha scritto: >> Rotating does only make sense if you take the old key soon offline. > Why is this the case? I must admit I'm fairly comfortable not rotating > my keys (which are on OpenPGP smartcards). But I can think of lines of > reasoning where it makes sense to rotate, but still keep the old > decryption key available. In my case: every year will have its own PIN, different from the one used for signing, and *really* different from the one for certification. > Think: "There's a non-zero chance that someone > got my private key material, but at least they can only decrypt stuff > encrypted in 2011, all other years use a different key". Extreme case: a judge orders to hand over the key to a set of messages ('cause they won't trust your decryption). Rotating keys minimizes exposure of other material. 
> Note in this scenario it is nice if I can still easily access my > 2011 material as well. Exactly. > I'm not saying this is a solid line of reasoning. I'm just curious why > limiting access to the decryption key is the only thing that makes sense. Well, everybody can have his own perfectly valid reasons... Why limit keys on smartcards more than technically necessary? Years ago cards had space only for 3 keys, but a 144K Javacard can handle many more! And if PKCS#11 was useable, one could use as many keys as needed by his policy. Note that I really don't like PKCS#11, but it's the de-facto standard to access nearly every crypto-capable device. BYtE, Diego From gnupg at soondae.co.uk Fri Feb 26 19:26:14 2016 From: gnupg at soondae.co.uk (keith) Date: Fri, 26 Feb 2016 18:26:14 +0000 Subject: Help with FreePascal/Lazarus TProcess. Message-ID: <1456511174.2979.13.camel@keith> Hi.. I've been looking at TProcess in FreePascal/Lazarus, http://wiki.freepascal.org/Executing_External_Programs and had some success using it to generate key/certificate pairs using OpenSSL as the TProcess. I thought I would try it with GnuPG and used the same program structure I had created for OpenSSL. This thread more or less describes the problem, http://forum.lazarus.freepascal.org/index.php/topic,31701.0.html but unless you subscribe to the forum you will not see the picture so, http://i.imgur.com/Bjkg88g.png As suggested the TProcess as called form Lazurus stalls after "permitted by law" and as a result my program does the same. I'm sure someone on the FreePascal forums will provide some help assuming they have experience but I kind of get the impression that TProcess is a bit of a 'black art' so I thought I would ask here as well. Any Ideas? Regards Keith From muelli at cryptobitch.de Fri Feb 26 09:35:47 2016 From: muelli at cryptobitch.de (Tobias Mueller) Date: Fri, 26 Feb 2016 09:35:47 +0100 Subject: A problem in the web of trust model or a gnupg bug? 
In-Reply-To: <87twkxz1zb.fsf@wheatstone.g10code.de> References: <56C6FD73.4010304@andrewg.com> <56C717F4.1050402@digitalbrains.com> <87ziupzn8x.fsf@alice.fifthhorseman.net> <87twkxz1zb.fsf@wheatstone.g10code.de> Message-ID: <1456475747.17535.1.camel@cryptobitch.de> Hi. On Do, 2016-02-25 at 08:24 +0100, Werner Koch wrote: > Thus I am not convinced that the revocation reasons are useful for > any automated evaluation. Can I tell GnuPG that I, as a user, am convinced that the superseded revocation reason is correct? I've grepped through the gpg man page and only found "superseded" once, not related to evaluating trust in a key. Cheers, ? Tobi From joshterrill.dev at gmail.com Fri Feb 26 23:08:06 2016 From: joshterrill.dev at gmail.com (Joshua Terrill) Date: Fri, 26 Feb 2016 14:08:06 -0800 Subject: Question about getting started with PGP and smart cards Message-ID: Hello, I am looking to play around/experiment with gnupg and smart cards. From what little research I've done, I've read about OpenPGP smart cards don't reveal private keys, and do all decrypting/signing on the device itself after entering a PIN. Do I have a correct understanding of this, and if so, is this the common/most secure way to use these cards? For simple encrypting, decrypting, and signing what card and card reader would you recommend? I have a windows environment and an ubuntu environment that I can play with it on. Thanks! -Josh -------------- next part -------------- An HTML attachment was scrubbed... URL: From martin.konold at erfrakon.com Sat Feb 27 09:29:21 2016 From: martin.konold at erfrakon.com (Martin Konold) Date: Sat, 27 Feb 2016 09:29:21 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <87oab3wo4w.fsf@wheatstone.g10code.de> References: <56D053B3.4090408@gmail.com> <87oab3wo4w.fsf@wheatstone.g10code.de> Message-ID: <2335567.sY0E4oOAMq@sony-01.tue.hq.erfrakon.de> Am Freitag, 26. 
Februar 2016, 15:18:55 CET schrieb Werner Koch: Hi, > In any case you need to load the keys onto the card and don't have the > card create the key. Smartcards may break and then you would not be > able to decrypt anything if you don't have an offline backup the key. Please allow me to mention that many smartcards disallow cleartext export of keys generated on the card while also don't allow to import cleartext private keys. But this is not a backup issue as most cards also allow for n-of-m threshold schemes and DKEK/key-wrapping e.g. http://www.smartcard-hsm.com/2014/09/25/ Desaster_Recovery_for_your_SmartCard-HSM.html IMHO there are additional legit use cases where having multiple private keys for decryption would be more than useful. Today I circumvent the limit by using multiple OpenPGP Cards and multiple GNUPGHOME directories each configured for a different USB device (scdaemon.conf) While imho pkcs#11 is ugly it really is a tool to gain interoperability while cleaning up a lot of mess (many people are confused with the current situation) and make encryption available to the masses. Kind Regards --martin konold -- Dipl.-Physiker Martin Konold e r f r a k o n Partnerschaftsgesellschaft Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker Registergericht: Amtsgericht Stuttgart PR 126 Firmensitz: Adolfstra?e 23, 70469 Stuttgart fon: 0711 67400963 fax: 0711 67400959 email: martin.konold at erfrakon.de http://www.erfrakon.com From martin.konold at erfrakon.com Sat Feb 27 10:17:46 2016 From: martin.konold at erfrakon.com (Martin Konold) Date: Sat, 27 Feb 2016 10:17:46 +0100 Subject: Single GPG key and multiple yubikeys In-Reply-To: <56D03A7A.1090908@sumptuouscapital.com> References: <56CF03BA.70907@wheniwork.com> <1583759.5A2Ocgpdyd@sony-01.tue.hq.erfrakon.de> <56D03A7A.1090908@sumptuouscapital.com> Message-ID: <2573966.lzy2CgfTG7@sony-01.tue.hq.erfrakon.de> Am Freitag, 26. 
Februar 2016, 12:43:54 CET schrieb Kristian Fiskerstrand: Hi Kristian, > > the two cards with the gpg -- homedir commandline option. > A workaround currently could be to remove the specific keygrip files > from private-keys-v1.d (for gnupg 2.1) for the known stubs and doing a > gpg-connect-agent learn /bye or gpg --card status during e.g smartcard > attachment in an udev rule etc. This looks really good though it does not allow to have multiple smartcards connected simultaneously. It is my understanding that 'gpg-connect-agent learn /bye' cannot deal with multiple cards visible simultaneously via scdaemon and pscd. Did I overlook something? I therefore would like to whish to be able to choose the smartcard (maybe indirectly via keyid) as I am today already able to achieve on the commandline using keyrings. Why should the commandline user interface of gpg be different if the private keys reside on smartcards compared to a keyring in the filesystem? What do you think? Kind Regards --martin konold -- Dipl.-Physiker Martin Konold e r f r a k o n Partnerschaftsgesellschaft Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker Registergericht: Amtsgericht Stuttgart PR 126 Firmensitz: Adolfstra?e 23, 70469 Stuttgart fon: 0711 67400963 fax: 0711 67400959 email: martin.konold at erfrakon.de http://www.erfrakon.com From peter at digitalbrains.com Sat Feb 27 14:41:46 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 27 Feb 2016 14:41:46 +0100 Subject: Question about getting started with PGP and smart cards In-Reply-To: References: Message-ID: <56D1A79A.9070108@digitalbrains.com> On 26/02/16 23:08, Joshua Terrill wrote: > For simple encrypting, decrypting, and signing what card and card reader > would you recommend? Though I still need to experience it myself, I think I would recommend GnuK[1] by NIIBE. Otherwise, a standard OpenPGP card[2], which you can also get through an FSF fellowship. 
As a reader, in a large form-factor I like the SCM SPR532, which seems to have been superseded by the SPR332[3][4]? In a small form-factor, I bought a Chipdrive MyKey for something like ? 15, because it includes an SCM cardreader that identifies itself as: $ lsusb -s 1:6 Bus 001 Device 006: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader The disadvantage of this reader is that it is totally not dust tight, despite what the manufacturer may claim. If kept in a trouser pocket, it'll accumulate dust inside the USB connector quickly. I remedied this by buying a new shell, which turned out to be ever so slightly too small in one direction. This I fixed by filing off a part of the PCB of the reader, since I could determine I would not damage any traces by doing so. Long story short, if you want to keep it in your trouser pocket and have an easy solution, look further, don't buy the MyKey. HTH, Peter. [1] http://www.fsij.org/category/gnuk.html [2] http://shop.kernelconcepts.de/#openpgp [3] http://www.scm-pc-card.de/index.php?page=product&function=show_product&lang=en&product_id=670 [4] http://www.chipdrive.de/index.php/en/smart-card-reader-writer/spr332-sicherer-pinpad-chipkartenleser.htm -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at

From kristian.fiskerstrand at sumptuouscapital.com Sat Feb 27 14:48:04 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Sat, 27 Feb 2016 14:48:04 +0100
Subject: Single GPG key and multiple yubikeys
In-Reply-To: <2573966.lzy2CgfTG7@sony-01.tue.hq.erfrakon.de>
References: <56CF03BA.70907@wheniwork.com> <1583759.5A2Ocgpdyd@sony-01.tue.hq.erfrakon.de> <56D03A7A.1090908@sumptuouscapital.com> <2573966.lzy2CgfTG7@sony-01.tue.hq.erfrakon.de>
Message-ID: <56D1A914.5070801@sumptuouscapital.com>

On 02/27/2016 10:17 AM, Martin Konold wrote:
> On Friday, 26 February 2016, 12:43:54 CET, Kristian
> Fiskerstrand wrote:
>
> Hi Kristian,
>
>>> the two cards with the gpg -- homedir commandline option.
>
>> A workaround currently could be to remove the specific keygrip
>> files from private-keys-v1.d (for gnupg 2.1) for the known stubs
>> and doing a gpg-connect-agent learn /bye or gpg --card status
>> during e.g smartcard attachment in an udev rule etc.
>
> This looks really good though it does not allow to have multiple
> smartcards connected simultaneously.
>
> It is my understanding that 'gpg-connect-agent learn /bye' cannot
> deal with multiple cards visible simultaneously via scdaemon and
> pscd.
>

Not for the same key material, but what would you gain by having two
smartcards with the same key material available at the same time?

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP key at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Aquila non capit muscas
The eagle does not hunt flies

From antoine.michard at chezgeek.fr Sat Feb 27 17:58:00 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Sat, 27 Feb 2016 17:58:00 +0100
Subject: Question about getting started with PGP and smart cards
In-Reply-To: References: Message-ID: <56D1D598.8000902@chezgeek.fr>

Hi Josh,

I have used my OpenPGP SmartCard [1] since last year and it works very well. You're right when you say all decrypting/signing is on the device, but you have to know it's a little slower than when the private key is on disk. You can buy one from FSFE but it's more expensive [2].

Another thing to know: if you generate your key on the card, you have NO WAY TO BACK IT UP!!! So a common thing to do is to generate your master key from a LiveUSB (Tails for example), generate your subkey and copy it to your smart card. Don't forget to back up your master key. [3]

About the smartcard reader, it's your choice of security level. I've chosen a standard USB PC/SC Gemalto or a small +ID reader [4]. With this, I have to enter my PIN on my computer with Pinentry. Others want a physical reader to enter the PIN for better security.

On Windows, it's very easy with GPG4Win to use or configure the card.
Everything on Windows is made to make things easier. But on Linux is not so easy. You have to install all needed depencies for the reader (pcscd) and sometimes Gnome Keyring will make harder to make it work [5]. In conclusion, I love my card but I have always my reader with me. Is not very simple for day-to-day use and I waiting FS-BB48 [6] from NIIBE to switch to full USB device. [1] http://shop.kernelconcepts.de/ [2] https://fsfe.org/fellowship/card.en.html [3] http://wiki.fsfe.org/Card_howtos/Card_with_subkeys_using_backups [4] http://www.pluss-id.com/ [5] http://www.ozonesolutions.com/programming/2014/04/pgp-smart-card-ssh-login-gpg-agent-ubuntu/ [6] http://www.gniibe.org/memo/development/fs-bb48/fs-bb48-idea.html Antoine Michard GPG Key: 0xF5C9E7CD0882B381 Le 26/02/2016 23:08, Joshua Terrill a ?crit : > Hello, > > I am looking to play around/experiment with gnupg and smart cards. From > what little research I've done, I've read about OpenPGP smart cards > don't reveal private keys, and do all decrypting/signing on the device > itself after entering a PIN. Do I have a correct understanding of this, > and if so, is this the common/most secure way to use these cards? For > simple encrypting, decrypting, and signing what card and card reader > would you recommend? I have a windows environment and an ubuntu > environment that I can play with it on. > > Thanks! > -Josh > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From peter at digitalbrains.com Sat Feb 27 18:14:30 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sat, 27 Feb 2016 18:14:30 +0100 Subject: Question about getting started with PGP and smart cards In-Reply-To: <56D1D598.8000902@chezgeek.fr> References: <56D1D598.8000902@chezgeek.fr> Message-ID: <56D1D976.3000203@digitalbrains.com> On 27/02/16 17:58, Antoine Michard wrote: > But on Linux is not so easy. You have to install all needed depencies for the > reader (pcscd) I should note that pcscd is not needed for the readers I mentioned in my reply, since they are well supported through the builtin driver of scdaemon (and GnuPG 1.4). In fact, installing pcscd will make it more difficult to use. I suggest to only use pcscd for readers that are not natively supported by GnuPG, unless you have specific needs (usually when you want to use smartcards for more things than GnuPG). > and sometimes Gnome Keyring will make harder to make it work [5]. Heck, yeah. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. 
My key is available at

From 2014-667rhzu3dc-lists-groups at riseup.net Sat Feb 27 17:02:53 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 27 Feb 2016 16:02:53 +0000
Subject: FAQ maintenance
In-Reply-To: <56D06F71.4000408@sixdemonbag.org>
References: <56B25F4B.4000603@sixdemonbag.org> <20160204051612.GA2284@gnu.org> <56B319ED.4010701@sixdemonbag.org> <56B3DDE1.1050905@gbenet.com> <56B47FAB.4050304@digitalbrains.com> <56B48848.40206@digitalbrains.com> <56B4902F.9070406@sixdemonbag.org> <56B4941B.4050703@digitalbrains.com> <56B496E2.3080306@sixdemonbag.org> <56CF00E0.4030502@sumptuouscapital.com> <56CF14D1.70209@sumptuouscapital.com> <874mcwyysj.fsf@alice.fifthhorseman.net> <56D06F71.4000408@sixdemonbag.org>
Message-ID: <18540809.20160227160253@riseup.net>

On Friday 26 February 2016 at 3:29:53 PM, in , Robert J. Hansen wrote:

> "What do you *mean*, future keys will be expanding
> to 64 characters?!"

That could be mitigated against by switching from hexadecimal to, for example, base 32. Preferably in one of the variants that precludes visual clashes, such as O0 Z2 I1l B8 b6 S5.

--
Best regards

MFPA

ETHERNET(n): device used to catch the Ether bunny

From antoine.michard at chezgeek.fr Sat Feb 27 18:38:26 2016
From: antoine.michard at chezgeek.fr (Antoine Michard)
Date: Sat, 27 Feb 2016 18:38:26 +0100
Subject: Question about getting started with PGP and smart cards
In-Reply-To: <56D1D976.3000203@digitalbrains.com>
References: <56D1D598.8000902@chezgeek.fr> <56D1D976.3000203@digitalbrains.com>
Message-ID: <56D1DF12.2060403@chezgeek.fr>

I've tried; on Fedora 23 I can't use my USB smartcard reader without the PCSC daemon.

These packages are needed: pcsc-lite pcsc-lite-ccid pcsc-tools

Antoine Michard
GPG Key: 0xF5C9E7CD0882B381

On 27/02/2016 18:14, Peter Lebbing wrote:
> On 27/02/16 17:58, Antoine Michard wrote:
>> But on Linux is not so easy. You have to install all needed dependencies for the
>> reader (pcscd)
>
> I should note that pcscd is not needed for the readers I mentioned in my reply,
> since they are well supported through the builtin driver of scdaemon (and GnuPG
> 1.4).
> > In fact, installing pcscd will make it more difficult to use. I suggest to only > use pcscd for readers that are not natively supported by GnuPG, unless you have > specific needs (usually when you want to use smartcards for more things than GnuPG). > >> and sometimes Gnome Keyring will make harder to make it work [5]. > > Heck, yeah. > > HTH, > > Peter. > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From antony at blazrsoft.com Sat Feb 27 18:57:08 2016 From: antony at blazrsoft.com (Antony Prince) Date: Sat, 27 Feb 2016 12:57:08 -0500 Subject: Fwd: Re: Are ZLIB and ZLIB2 no longer supported in GnuPG? In-Reply-To: References: Message-ID: <56D1E374.6060209@blazrsoft.com> >On February 26, 2016 2:23:12 PM EST, Anthony Papillion > wrote: > > I recently compiled the latest version of GnuPG 2 from source >(.29, I believe) and, when I tried to use it, was told that I had >invalid options in my .conf file. Specifically, it told me that ZLIB >and ZLIB2 weren't supported as compression algos. >Are those two algos no longer supported by GnuPG or was this just a >compile flag that I didn't pass it? If they aren't supported, are >there any security or usability implications to only using ZIP for >compression? > >Thanks, >Anthony I replied to this yesterday, but forgot to reply to the list. I also top-posted and used HTML. LOL. Forgot to change the defaults in K-9 mail. Anyway, my reply was as follows: Depending on your distro, you'll need to install the bzip or bzip2 development libraries. I had the same issue on Ubuntu until I installed libbz2-devel I believe it was. If the compression development libraries are missing, gnupg will just compile without support for them. Hopefully this will point you in the right direction. I could be mistaken though. -- Antony -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Sun Feb 28 09:41:02 2016 From: wk at gnupg.org (Werner Koch) Date: Sun, 28 Feb 2016 09:41:02 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <2335567.sY0E4oOAMq@sony-01.tue.hq.erfrakon.de> (Martin Konold's message of "Sat, 27 Feb 2016 09:29:21 +0100") References: <56D053B3.4090408@gmail.com> <87oab3wo4w.fsf@wheatstone.g10code.de> <2335567.sY0E4oOAMq@sony-01.tue.hq.erfrakon.de> Message-ID: <877fhpw7kx.fsf@wheatstone.g10code.de> On Sat, 27 Feb 2016 09:29, martin.konold at erfrakon.com said: > Please allow me to mention that many smartcards disallow cleartext export of > keys generated on the card while also don't allow to import cleartext private > keys. Actually it is a core feature of all smartcards that you can't extract the private key. Importing of keys is also a very common features, although this is often done by the issuer during the personalization stage. > But this is not a backup issue as most cards also allow for n-of-m threshold Nope, unless you have a different definition of MOST. There is also the problem of API based attacks for such complex card APIs. For example the 4758, which had very advanced private key management features, could be cracked by such an attack. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Sun Feb 28 09:46:37 2016 From: wk at gnupg.org (Werner Koch) Date: Sun, 28 Feb 2016 09:46:37 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <56D068F6.2000509@digitalbrains.com> (Peter Lebbing's message of "Fri, 26 Feb 2016 16:02:14 +0100") References: <56D053B3.4090408@gmail.com> <87oab3wo4w.fsf@wheatstone.g10code.de> <56D068F6.2000509@digitalbrains.com> Message-ID: <8737sdw7bm.fsf@wheatstone.g10code.de> On Fri, 26 Feb 2016 16:02, peter at digitalbrains.com said: >> Rotating does only make sense if you take the old key soon offline. 
> > Why is this the case? I must admit I'm fairly comfortable not rotating > my keys (which are on OpenPGP smartcards). But I can think of lines of I personally agree in the case of smartcard stored keys. The OP requested that feature for smartcards and I can see no use case for this unless the old key will be remove from the smartcard after some time. The threat model would be based on the premise that keys can extracted from a smartcard with some effort and an offline stored or deleted key is more safe. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Sun Feb 28 09:54:12 2016 From: wk at gnupg.org (Werner Koch) Date: Sun, 28 Feb 2016 09:54:12 +0100 Subject: Are ZLIB and ZLIB2 no longer supported in GnuPG? In-Reply-To: <56D0A620.3080500@cajuntechie.org> (Anthony Papillion's message of "Fri, 26 Feb 2016 13:23:12 -0600") References: <56D0A620.3080500@cajuntechie.org> Message-ID: <87y4a5usej.fsf@wheatstone.g10code.de> On Fri, 26 Feb 2016 20:23, anthony at cajuntechie.org said: > options in my .conf file. Specifically, it told me that ZLIB and ZLIB2 > weren't supported as compression algos. You need to install a zlib development package before building GnuPG so that it can add support for this. You may also want to add bzlib2 support. On Debian based system: apt-get install zlib1g-dev libbz2-dev > compile flag that I didn't pass it? If they aren't supported, are there > any security or usability implications to only using ZIP for compression? As with most compression algorithms you are subject to DoS because it is possible to create very small compressed file which will expand into a huge output. (Use --max-output to mitigate such attacks.) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
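The denial-of-service point in the message above (a very small compressed input expanding into a huge output, with an output cap as the mitigation), shown on a bare zlib stream. This is an added illustration, not GnuPG code and not part of any message in the thread; `bounded_inflate`, `make_expanding_sample` and the all-zero sample data are constructed for the example.

```python
"""Inflate a zlib stream while enforcing a hard cap on the output size."""
import zlib


class OutputLimitExceeded(Exception):
    """Raised when the decompressed data would grow past the cap."""


def bounded_inflate(blob: bytes, max_output: int, step: int = 64 * 1024) -> bytes:
    """Return the inflated data, or raise once it exceeds max_output bytes.

    The stream is inflated in slices of at most `step` bytes, so memory use
    is bounded by max_output + 1 regardless of how far the input expands.
    """
    if max_output < 0:
        raise ValueError("max_output must be >= 0")
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while not inflater.eof:
        # Ask for one byte more than the remaining budget: receiving that
        # extra byte proves the stream is larger than the cap.
        room = max_output - len(out)
        chunk = inflater.decompress(pending, min(step, room + 1))
        out += chunk
        if len(out) > max_output:
            raise OutputLimitExceeded(
                f"output exceeds {max_output} bytes "
                f"(compressed input was {len(blob)} bytes)"
            )
        # Input not yet consumed because the slice limit was reached.
        pending = inflater.unconsumed_tail
        if not chunk and not pending and not inflater.eof:
            # No input left, no output produced, end marker never seen.
            raise ValueError("compressed stream is truncated")
    return bytes(out)


def make_expanding_sample(plain_size: int) -> bytes:
    """Constructed sample: plain_size zero bytes, deflated at level 9."""
    comp = zlib.compressobj(9)
    block = bytes(1024 * 1024)
    parts = []
    remaining = plain_size
    while remaining > 0:
        n = min(remaining, len(block))
        parts.append(comp.compress(block[:n]))
        remaining -= n
    parts.append(comp.flush())
    return b"".join(parts)


if __name__ == "__main__":
    sample = make_expanding_sample(8 * 1024 * 1024)
    print(f"compressed sample: {len(sample)} bytes")
    try:
        bounded_inflate(sample, 1024 * 1024)
    except OutputLimitExceeded as exc:
        print("rejected:", exc)
    print("accepted:", len(bounded_inflate(sample, 8 * 1024 * 1024)), "bytes")
```
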
From peter at digitalbrains.com Sun Feb 28 14:12:06 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Sun, 28 Feb 2016 14:12:06 +0100 Subject: gnupg-pkcs11 status & future In-Reply-To: <8737sdw7bm.fsf@wheatstone.g10code.de> References: <56D053B3.4090408@gmail.com> <87oab3wo4w.fsf@wheatstone.g10code.de> <56D068F6.2000509@digitalbrains.com> <8737sdw7bm.fsf@wheatstone.g10code.de> Message-ID: <56D2F226.3080200@digitalbrains.com> On 28/02/16 09:46, Werner Koch wrote: > The threat model would be based on the premise that keys can extracted > from a smartcard with some effort and an offline stored or deleted key > is more safe. Ah, that makes sense, thanks for the clarification! Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From martini5468 at gmail.com Mon Feb 29 11:51:39 2016 From: martini5468 at gmail.com (Martin Ilchev) Date: Mon, 29 Feb 2016 10:51:39 +0000 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: <20160226145209.D4F1D404FB@smtp.hushmail.com> References: <56D02122.8040906@digitalbrains.com> <20160226145209.D4F1D404FB@smtp.hushmail.com> Message-ID: Hi Vedaal, You are correct that is not my real key ID. Funny enough the key was generated in Nov-2015. However you are absolutely correct about the --s2k-cipher-algo option. I added that to my gpg.conf and after that symmetric + public works exactly as I expected. I get AES256 every time. There is one thing I would like to understand - the man page says: --s2k-cipher-algo name Use name as the cipher algorithm used to protect secret keys. The default cipher is CAST5. This cipher is also used for conventional encryption if --personal-cipher-pref? erences and --cipher-algo is not given. So CAST5 is the preferred cipher for secret keys and is also the default for symmetric. 
On the other hand using --personal-cipher-preferences does not seem to apply to symmetric + public encryption. Is this by design? Regards, Martin On Fri, 26 Feb 2016 at 14:52 wrote: > > On 2/26/2016 at 5:48 AM, "Martin Ilchev" wrote: > > >I did set my key preferences a few months ago and made sure the > >key had > >them as well. Here is the output of showperf: > > > > Cipher: AES256, AES192, AES, CAST5, 3DES > ..... > > >> > 2. Symmetrically encrypt and also encrypt for my own public > >key: > >> > gpg2 -vvv --symmetric --encrypt --sign -r 0x1234567890ABCDEF > > >> > decrypting the file shows that the cipher used is CAST5 > > ===== > > 0x1234567890ABCDEF is obviously not your real key id. > > I suspect the key was generated some time ago, when the default cipher to > protect one's secret key, was CAST5 > > GnuPG's default choice for the encryption algorithm for a symmetric cipher > will be what the s2k-cipher-algo is. > > In your case for that key, it is CAST 5 > > > Try This: > > gpg2 --s2k-cipher-algo AES256 --symmetric --encrypt --sign -r > 0x1234567890ABCDEF filename > > The encryptions should now be with AES256 for both the symmetric part and > the part encrypted to your key. > > > vedaal > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From peter at digitalbrains.com Mon Feb 29 12:12:53 2016 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 29 Feb 2016 12:12:53 +0100 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: References: <56D02122.8040906@digitalbrains.com> <20160226145209.D4F1D404FB@smtp.hushmail.com> Message-ID: <56D427B5.9000506@digitalbrains.com> On 29/02/16 11:51, Martin Ilchev wrote: > So CAST5 is the preferred cipher for secret keys and is also the default > for symmetric. On the other hand using --personal-cipher-preferences > does not seem to apply to symmetric + public encryption. Is this by design? 
For me, GnuPG 1.4 behaves as you indicate, which is counterintuitive, especially given the text in the man page. But GnuPG 2.1 correctly gives me the preferred algo from the intersection of --personal-cipher-preferences and key prefs. It's a bit difficult for me to test GnuPG 2.0 at the moment. I should do something about that. I faintly recall some discussion about this, but that's it, I don't remember more than that. You could try a search on this mailing list. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at From martini5468 at gmail.com Mon Feb 29 15:26:49 2016 From: martini5468 at gmail.com (Martin Ilchev) Date: Mon, 29 Feb 2016 14:26:49 +0000 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: <56D427B5.9000506@digitalbrains.com> References: <56D02122.8040906@digitalbrains.com> <20160226145209.D4F1D404FB@smtp.hushmail.com> <56D427B5.9000506@digitalbrains.com> Message-ID: Hi Peter, Thanks for the advice. I will have a look at the mailing list. For now I am happy that I have a working solution. Thank you and Vedaal for the help. Regards, Martin On Mon, 29 Feb 2016 at 11:12 Peter Lebbing wrote: > On 29/02/16 11:51, Martin Ilchev wrote: > > So CAST5 is the preferred cipher for secret keys and is also the default > > for symmetric. On the other hand using --personal-cipher-preferences > > does not seem to apply to symmetric + public encryption. Is this by > design? > > For me, GnuPG 1.4 behaves as you indicate, which is counterintuitive, > especially given the text in the man page. But GnuPG 2.1 correctly gives > me the preferred algo from the intersection of > --personal-cipher-preferences and key prefs. It's a bit difficult for me > to test GnuPG 2.0 at the moment. I should do something about that. > > I faintly recall some discussion about this, but that's it, I don't > remember more than that. 
You could try a search on this mailing list. > > HTH, > > Peter. > > -- > I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. > You can send me encrypted mail if you want some privacy. > My key is available at > -------------- next part -------------- An HTML attachment was scrubbed... URL: From martini5468 at gmail.com Mon Feb 29 16:31:52 2016 From: martini5468 at gmail.com (Martin Ilchev) Date: Mon, 29 Feb 2016 15:31:52 +0000 Subject: Question about getting started with PGP and smart cards In-Reply-To: <56D1DF12.2060403@chezgeek.fr> References: <56D1D598.8000902@chezgeek.fr> <56D1D976.3000203@digitalbrains.com> <56D1DF12.2060403@chezgeek.fr> Message-ID: Hi Josh, I am using a smart card and reader for about 6 months now. The set up I went with is: Smart-card "OpenPGP Smartcard V2.1" from kernel concepts ( http://shop.kernelconcepts.de/). The card supports keys up to 4096 length with gpg2. Card-reader - Gemalto GemPC Twin/TR (IDBridge CT30) - works out of the box on linux and windows (tested it on windows 7 SP1 and windows 8.1). I got mine here http://www.smartcardfocus.com/shop/ilp/id~463/gemalto-gempc-twin-tr-idbridge-ct30-/p/index.shtml To get the card reader working in Linux I used this guide to get me started (was able to set everything up with no hassle) - https://www.corsac.net/?rub=blog&post=1548. I only needed to install pcsc-tools and pcscd. For Windows I installed gpg4win and migrated my linux gpg.conf and keys over and it just worked. Also in windows if you want to use putty with a smart card you will need a patched putty agent. You can get one from here http://smartcard-auth.de/ssh-en.html. It is free to use with OpenPGP Smartcards from kernel concepts so a win-win :). Last but not least - make sure to back up your private keys! Once a key is on the card it is impossible to get it back. I only got the above for test use but now I am using it every day at work, at home and on my laptop without any issues. 
I can sign, encrypt/decrypt as well as authenticate for SSH with a single smart card. Let me know if you need any additional information. Regards, Martin On Sat, 27 Feb 2016 at 17:44 Antoine Michard wrote: > I've try, on Fedora 23 I can't use my USB smartcard reader without PCSC > daemon > > This package are needed: pcsc-lite pcsc-lite-ccid pcsc-tools > > Antoine Michard > GPG Key: 0xF5C9E7CD0882B381 > > Le 27/02/2016 18:14, Peter Lebbing a ?crit : > > On 27/02/16 17:58, Antoine Michard wrote: > >> But on Linux is not so easy. You have to install all needed depencies > for the > >> reader (pcscd) > > > > I should note that pcscd is not needed for the readers I mentioned in my > reply, > > since they are well supported through the builtin driver of scdaemon > (and GnuPG > > 1.4). > > > > In fact, installing pcscd will make it more difficult to use. I suggest > to only > > use pcscd for readers that are not natively supported by GnuPG, unless > you have > > specific needs (usually when you want to use smartcards for more things > than GnuPG). > > > >> and sometimes Gnome Keyring will make harder to make it work [5]. > > > > Heck, yeah. > > > > HTH, > > > > Peter. > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrewg at andrewg.com Mon Feb 29 17:52:27 2016 From: andrewg at andrewg.com (Andrew Gallagher) Date: Mon, 29 Feb 2016 16:52:27 +0000 Subject: Question about getting started with PGP and smart cards In-Reply-To: References: <56D1D598.8000902@chezgeek.fr> <56D1D976.3000203@digitalbrains.com> <56D1DF12.2060403@chezgeek.fr> Message-ID: <56D4774B.5040908@andrewg.com> On 29/02/16 15:31, Martin Ilchev wrote: > > For Windows I installed gpg4win and migrated my linux gpg.conf and keys > over and it just worked. 
Also in windows if you want to use putty with a > smart card you will need a patched putty agent. You can get one from > here http://smartcard-auth.de/ssh-en.html. It is free to use with > OpenPGP Smartcards from kernel concepts so a win-win :). Unfortunately the developer of that pageant replacement distributes unsigned binary blobs over plain HTTP. The Windows build of GnuPG 2.1 on the other hand (linked from the official gnupg site) has a gpg-agent that can run as a pageant replacement for putty (same idea as ssh-agent replacement). You don't get all the graphical tools that come with GPG4Win, but it's a safer (and more future-proof) solution IMO. A -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From vedaal at nym.hush.com Mon Feb 29 20:26:30 2016 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Mon, 29 Feb 2016 14:26:30 -0500 Subject: cipher used when both --encrypt and --symmetric is specified In-Reply-To: References: <56D02122.8040906@digitalbrains.com> <20160226145209.D4F1D404FB@smtp.hushmail.com> Message-ID: <20160229192630.3A92CE054E@smtp.hushmail.com> On 2/29/2016 at 5:51 AM, "Martin Ilchev" wrote: >There is one thing I would like to understand - the man page says: > --s2k-cipher-algo name > Use name as the cipher algorithm used to protect >secret >keys. The default cipher is CAST5. This cipher is also used for >conventional encryption if --personal-cipher-pref? > erences and --cipher-algo is not given. > >So CAST5 is the preferred cipher for secret keys and is also the >default >for symmetric. On the other hand using --personal-cipher- >preferences does >not seem to apply to symmetric + public encryption. Is this by >design? ===== Sort-of, yes ... The user's most important part of GnuPG, is the user's private key. 
So it seems reasonable, that the symmetric algorithm the user picked to protect the private key, (--s2k-algo ciphername), is the symmetric algorithm that the user would prefer for symmetric encryption, as long as the receiver can decrypt it. In practice, (standard, not hacked, non-customized ) GnupG, can decrypt ANY of the symmetric algorithms any GnuPG user can use. Since the original user, the sender, is encrypting the message, it is again reasonable that the sender be able to choose the algorithm with which the sender feels most comfortable. vedaal From daniel at hillsdalecorp.com Mon Feb 29 20:03:08 2016 From: daniel at hillsdalecorp.com (Daniel H. Werner) Date: Mon, 29 Feb 2016 11:03:08 -0800 Subject: Retrieval of passphrase Message-ID: <1E8BC9C4-07E4-4B93-A77E-A20F946B3C2F@hillsdalecorp.com> Hi everyone, I hope someone can give me some advice. I have been a Mac user for years (and years!) and used PGP most of that time. I was running v. 9.7.1 when I upgraded my old G5 to a new iMac. And, of course, that old version of PGP does not run on OS X 10.11. I downloaded the GPG Installer Suite and read some of the online Tutorials. And I now have a question: How do I retrieve my existing key pair so I can continue to use them. Thanks. Daniel _______________________________ Daniel H. Werner, President Hillsdale Corporation 9 Oregon Yacht Club Portland, OR 97202 USA www.hillsdalecorp.com Cell: (503) 709-0950 Confidentiality Notice: The information contained in this e-mail is confidential and for the intended recipient(s) alone. It may contain privileged and confidential information and is covered by Non-Disclosure Agreements. If you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, please notify us immediately. Thank You. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 