From passionate_programmer at hotmail.com  Sat Oct  1 06:10:03 2016
From: passionate_programmer at hotmail.com (Rohit P)
Date: Sat, 1 Oct 2016 04:10:03 +0000
Subject: Why GnuPG encrypted file has no icon?
Message-ID: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>

When you encrypt multiple files in a folder, GnuPG encrypted files have no icon. It is difficult to immediately identify which are the encrypted files.


Any specific reason why encrypted files have no icon?



...............

RP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161001/bb699e16/attachment.html>

From passionate_programmer at hotmail.com  Sat Oct  1 08:47:39 2016
From: passionate_programmer at hotmail.com (Rohit P)
Date: Sat, 1 Oct 2016 06:47:39 +0000
Subject: Why GnuPG encrypted file has no icon?
In-Reply-To: <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com>
References: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com>
Message-ID: <MAXPR01MB0412AC29661336F74E91042A97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>

I am using Windows 7. Icons are there on all files. What I actually meant is when a file is encrypted with GnuPG, the resultant .pgp file has no icon.

________________________________
From: Paul R. Ramer <free10pro at gmail.com>
Sent: Saturday, October 1, 2016 11:17:54 AM
To: Rohit P
Subject: Re: Why GnuPG encrypted file has no icon?

On September 30, 2016 9:10:03 PM PDT, Rohit P <passionate_programmer at hotmail.com> wrote:
>When you encrypt multiple files in a folder, GnuPG encrypted files have
>no icon. It is difficult to immediately identify which are the
>encrypted files.
>
>
>Any specific reason why encrypted files have no icon?

I don't know which operating system you are using here, but icons are usually set for files that have known data types or file extensions.  It has to do with your operating system or desktop environment not GnuPG.  Apparently your operating system (probably Windows) does not have icons assigned for these types of files.

Hope that is helpful.

-Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161001/db70d78f/attachment.html>

From 2014-667rhzu3dc-lists-groups at riseup.net  Sat Oct  1 14:10:36 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 1 Oct 2016 13:10:36 +0100
Subject: Why GnuPG encrypted file has no icon?
In-Reply-To: <MAXPR01MB0412AC29661336F74E91042A97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com>
 <MAXPR01MB0412AC29661336F74E91042A97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <151447885.20161001131036@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 1 October 2016 at 7:47:39 AM, in
<mid:MAXPR01MB0412AC29661336F74E91042A97C00 at MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
Rohit P wrote:-


> I am using Windows 7. Icons are there on all files. What I actually
> meant is when a file is encrypted with GnuPG, the resultant .pgp file
> has no icon.

If Windows has an application associated with the file extension, the
file will be shown with that application's icon. And double-clicking
the file will cause that application to perform a default action on
that file, for example double-clicking a .txt file on a Windows
machine will usually open the file using Notepad.

You could try right-clicking one of your .gpg files and selecting
"open with", keeping the "always use this app" box ticked, click "more
apps", and select GnuPG. (It might show as "GnuPG's OpenPGP Tool".)

Not sure why you get .pgp files; I get .asc.

- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Lotto: A tax on people who are bad at statistics!
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJX76e+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwPjQIAIf131Iczm1T00j/cvuVSECT
G/J5fMSWWgvfKau+2X6RpfVjgDpy9MMFhM4vf0AwhIoDwyYdlZ2srZ+r4iLJPkoW
gjNQwI1lAG2K795TiVBrs3GrwV2OLnoCMaCdPa5jFUwkW5P0JRFMrj+9d/oFWiqh
/72PWP2PkD81P7HgXy/86FrLBZ/lwPU1Ocx/Ew+2Gooj3vYSTEARYk/NnMTAqcwO
SOo2t6yFUDEF7hTnMTVeAIA7f7neb5fOhTEVVZf1k+h3WFsEtcS0u2NkbDk0wVwt
x4daONNQonBgQdbxKVScuqBqJI/ZEG6QcYQx+8qE8Q6GXwhKMD6sRDv6zly9LOiI
vgQBFgoAZgUCV++nvl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45JfkAQCgCV+0Hst3ykF6q0uYGJQsp2Eu
cv+DKvX4yb37duVzHQEAy2KF9EFSvtJxqk4QblE7P7x8hGpVSJtakVO3CHC44QI=
=awAg
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From 2014-667rhzu3dc-lists-groups at riseup.net  Sat Oct  1 19:44:42 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 1 Oct 2016 18:44:42 +0100
Subject: Why GnuPG encrypted file has no icon?
In-Reply-To: <MAXPR01MB041278423B6DB171AC87932497C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com>
 <MAXPR01MB0412AC29661336F74E91042A97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <151447885.20161001131036@riseup.net>
 <MAXPR01MB041278423B6DB171AC87932497C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <85753419.20161001184442@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 1 October 2016 at 6:23:17 PM, in
<mid:MAXPR01MB041278423B6DB171AC87932497C00 at MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
Rohit P wrote:-

> I guess .asc extension is only when you select "ASCII Armor" option.
> If you don't select this option it is .pgp.

I just tested and that's right. I always use -ear, so always get the
.asc extension appended.


> I tried "Open With", but don't know which .exe to select to associate
> .pgp extension.

Probably gpg.exe.
Try without the "always use this app" box ticked if you are unsure.

- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

The greatest of faults is to be conscious of none.
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlfv9gxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOT4EwEAr+INRodzIKMq2H7/jY7jniAw
1GfZ1PIphdRxV/y6Y8QBAOeZUO9WpS1/H37LwDfSQm+dRIUav+OIvk93IzzWntcJ
iQF8BAEBCgBmBQJX7/YMXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwOwEIAJ9H7Jr1Ns8Q0RpQHt0MoO0i
Nk2WujtspaUFJFqRqOB9dKCEkGx9DiZqvaPPHzeoFugvz5ou+GjYn3Drhs2PM+v0
yj+WONS8effurnaTd7yUTkIKd9UhH9jiCj6ThMZFsgKONMWG9SbFAqNS/AJq8hi4
uzwhV9cWRoX0i+5rFH0foMu3tuidP/zn+Lv9Z1bZQDpUpie+kWmcNu74z3Y/bwEK
zxOljnh3DpCLiB8+ET7lu6pkbzmVaArZe4R+R3Yo+qqh6jhXZsUM4u6tMO3hgIR9
IKwTCjllSrQAx8AKWOAAvb54BETevq8JjFsr3ZUYhVNv8PsUVn7+efxVhxCKcxg=
=rZun
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From wk at gnupg.org  Sat Oct  1 19:40:50 2016
From: wk at gnupg.org (Werner Koch)
Date: Sat, 01 Oct 2016 19:40:50 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <20160930153055.GA30569@gnu.org> (ineiev@gnu.org's message of
 "Fri, 30 Sep 2016 11:30:56 -0400")
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <87d1jlv55c.fsf@wheatstone.g10code.de>
 <20160930153055.GA30569@gnu.org>
Message-ID: <87oa34rmql.fsf@wheatstone.g10code.de>

On Fri, 30 Sep 2016 17:30, ineiev at gnu.org said:

> There is one more: "secret key".

Well, I like "secret key" because "secret" stands out when reading
source code or text.  "private" and "public" are two similar and when it
comes to naming variables sk and pk or seckey and pubkey are easier to
distinguish that, well, what?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161001/e37ce640/attachment-0001.sig>

From wk at gnupg.org  Sat Oct  1 19:45:51 2016
From: wk at gnupg.org (Werner Koch)
Date: Sat, 01 Oct 2016 19:45:51 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com> (Andrew
 Gallagher's message of "Fri, 30 Sep 2016 17:50:01 +0100")
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <87d1jlv55c.fsf@wheatstone.g10code.de>
 <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com>
Message-ID: <87k2dsrmi8.fsf@wheatstone.g10code.de>

On Fri, 30 Sep 2016 18:50, andrewg at andrewg.com said:

> with the same key. "Latch and key" is the best analogy I know of to

Frankly, I did not know how to translate the German term
"Schnappschloss".  I had in mind that a "latch" is similar to a
"deadbolt".


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161001/9acca1a0/attachment.sig>

From passionate_programmer at hotmail.com  Sat Oct  1 19:23:17 2016
From: passionate_programmer at hotmail.com (Rohit P)
Date: Sat, 1 Oct 2016 17:23:17 +0000
Subject: Why GnuPG encrypted file has no icon?
In-Reply-To: <151447885.20161001131036@riseup.net>
References: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <18B48D6B-CDB4-4BF8-9B0A-6070271781E2@gmail.com>
 <MAXPR01MB0412AC29661336F74E91042A97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <151447885.20161001131036@riseup.net>
Message-ID: <MAXPR01MB041278423B6DB171AC87932497C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>


@MFPA:


I guess .asc extension is only when you select "ASCII Armor" option. If you don't select this option it is .pgp.


Not sure.


I tried "Open With", but don't know which .exe to select to associate .pgp extension.


Regards,

RP

________________________________
From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net>
Sent: Saturday, October 1, 2016 5:40 PM
To: Rohit P on GnuPG-Users
Cc: Rohit P
Subject: Re: Why GnuPG encrypted file has no icon?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 1 October 2016 at 7:47:39 AM, in
<mid:MAXPR01MB0412AC29661336F74E91042A97C00 at MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
Rohit P wrote:-


> I am using Windows 7. Icons are there on all files. What I actually
> meant is when a file is encrypted with GnuPG, the resultant .pgp file
> has no icon.

If Windows has an application associated with the file extension, the
file will be shown with that application's icon. And double-clicking
the file will cause that application to perform a default action on
that file, for example double-clicking a .txt file on a Windows
machine will usually open the file using Notepad.

You could try right-clicking one of your .gpg files and selecting
"open with", keeping the "always use this app" box ticked, click "more
apps", and select GnuPG. (It might show as "GnuPG's OpenPGP Tool".)

Not sure why you get .pgp files; I get .asc.

- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Lotto: A tax on people who are bad at statistics!
-----BEGIN PGP SIGNATURE-----

iQF8BAEBCgBmBQJX76e+XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwPjQIAIf131Iczm1T00j/cvuVSECT
G/J5fMSWWgvfKau+2X6RpfVjgDpy9MMFhM4vf0AwhIoDwyYdlZ2srZ+r4iLJPkoW
gjNQwI1lAG2K795TiVBrs3GrwV2OLnoCMaCdPa5jFUwkW5P0JRFMrj+9d/oFWiqh
/72PWP2PkD81P7HgXy/86FrLBZ/lwPU1Ocx/Ew+2Gooj3vYSTEARYk/NnMTAqcwO
SOo2t6yFUDEF7hTnMTVeAIA7f7neb5fOhTEVVZf1k+h3WFsEtcS0u2NkbDk0wVwt
x4daONNQonBgQdbxKVScuqBqJI/ZEG6QcYQx+8qE8Q6GXwhKMD6sRDv6zly9LOiI
vgQBFgoAZgUCV++nvl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0MzNBQ0VENEVFOTEzNEVFQkRFNkE4NTA2MTcx
MkJDNDYxQUY3NzhFNAAKCRAXErxGGvd45JfkAQCgCV+0Hst3ykF6q0uYGJQsp2Eu
cv+DKvX4yb37duVzHQEAy2KF9EFSvtJxqk4QblE7P7x8hGpVSJtakVO3CHC44QI=
=awAg
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161001/c46a4ab1/attachment.html>

From 2014-667rhzu3dc-lists-groups at riseup.net  Sat Oct  1 21:01:59 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 1 Oct 2016 20:01:59 +0100
Subject: Terminology - certificate or key ?
In-Reply-To: <87k2dsrmi8.fsf@wheatstone.g10code.de>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com> 
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <87d1jlv55c.fsf@wheatstone.g10code.de>
 <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com>
 <87k2dsrmi8.fsf@wheatstone.g10code.de>
Message-ID: <1022601933.20161001200159@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 1 October 2016 at 6:45:51 PM, in
<mid:87k2dsrmi8.fsf at wheatstone.g10code.de>, Werner Koch wrote:-



> Frankly, I did not know how to translate the German term
> "Schnappschloss".  I had in mind that a "latch" is similar to a
> "deadbolt".


For latch, the Oxford dictionary gives "A metal bar with a catch and
lever used for fastening a door or gate" as the primary use. A
secondary meaning is "A spring lock for an outer door, which catches
when the door is closed and can only be opened from the outside with a
key."


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Coffee doesn't need a menu, it needs a cup.
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlfwCClfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOQkawEAppG/RiB1M5Jy5afKUiEcVTiM
FvOzhKnZlMinYA+qdpwBAOW3e1t6tHubrAnYqV87FcNflEzh9N/E7e69WVHDeaQP
iQF8BAEBCgBmBQJX8Ag7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXw7psH/RlbSNsaf6buLFk6KA1zJRzS
Fv9fYG/Q5DRH9C8e2ICjHvkTtjzDgSuzggq3mwvZjaUaLiMWhshkN9hicFifJbsj
CokF7GCXmRGmpHek1r4AksA5n34ys1arWh+jfHRQUfzspVEt3TEwj89bNJiAwcqX
U1aZO05KwTD4aN4Z0aw6vB16sq5WZVucc5gpbBF1DmCjQP5/fhKAC6pzxN6omrIq
lhyRKuP1iIlhyHPcqdgcnV8I3RDRXBTfHWJuMWcdRpqd7O1phgcc6rWiVY4VADLl
S2w2PmLah/Ma75i0JDemZZ1K35SDjHCe8XymjNu/Iu4KPyeUTlcVVWw6iT3UEUE=
=9j8Q
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From htd+ml at fritha.org  Sat Oct  1 21:00:15 2016
From: htd+ml at fritha.org (Heinz Diehl)
Date: Sat, 1 Oct 2016 21:00:15 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <87k2dsrmi8.fsf@wheatstone.g10code.de>
References: <507e341e-4cf0-bf91-3e90-7a4080bb257f@jelmail.com>
 <87eg41wua2.fsf@wheatstone.g10code.de>
 <59a5b5d1-2436-608d-5e20-814dc1748a9c@sixdemonbag.org>
 <87d1jlv55c.fsf@wheatstone.g10code.de>
 <2cab7221-0b52-77eb-a63e-497e281d50e2@andrewg.com>
 <87k2dsrmi8.fsf@wheatstone.g10code.de>
Message-ID: <20161001190015.GA19011@fritha.org>

On 01.10.2016, Werner Koch wrote: 

> Frankly, I did not know how to translate the German term
> "Schnappschloss".

Visualising a picture of what is meant by the German term, I would
intuitively translate it to something like a hasp, a snap lock or even
a spring lock. And you're right, I also heard the term latch lock.




From arbiel.perlacremaz at gmx.fr  Sun Oct  2 00:10:59 2016
From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx))
Date: Sun, 2 Oct 2016 00:10:59 +0200
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To: <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org>
References: <e00adc61-5cb2-1f1b-334c-56d399792cb5@gmx.fr>
 <b3882195-baac-acc0-a505-3a67dbf1ffb3@andrewg.com>
 <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
 <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org>
Message-ID: <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr>

Hi Stephan

The "Bash scripting" material, which I began reading, gave me some
valuable informations and I will go on reading it.

On the other hand, I did not understand the aim of the material
concerning bash for gpg, as it deals with issues which I am quite
unaware of. Maybe, when I get more confident in gpg concepts, will I
understand its purpose.

In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does,
and I am looking for tutorials which explain how to do so with bash
scripts, which are the only "programs" I am able to write.

Cheers

Arbiel


Le 30/09/2016 ? 17:30, Stephan Beck a ?crit :
> Hi Arbiel,
> 
> Arbiel (gmx):
>> Hi
>>
>> Thank you Andrew.
>>
>> In the material I've been ready lately, all examples are written in a
>> programming language and I only have abilities in bash scripting.
>>
>> Can somebody, please, direct me toward a url where they provide bash
>> scripting examples.
> [...]
> Bash scripting in general?
> http://bash-hackers.org
> 
> related to gpg? For instance,
> https://github.com/Whonix/gpg-bash-lib
> 
> Cheers,
> 
> Stephan
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161002/59e46360/attachment-0001.sig>

From dgouttegattat at incenp.org  Sun Oct  2 09:52:22 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Sun, 2 Oct 2016 09:52:22 +0200
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To: <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr>
References: <e00adc61-5cb2-1f1b-334c-56d399792cb5@gmx.fr>
 <b3882195-baac-acc0-a505-3a67dbf1ffb3@andrewg.com>
 <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
 <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org>
 <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr>
Message-ID: <0e8e483c-9ec7-e6f6-bf28-1f8b15061eb4@incenp.org>

On 10/02/2016 12:10 AM, Arbiel (gmx) wrote:
> In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does,
> and I am looking for tutorials which explain how to do so with bash
> scripts, which are the only "programs" I am able to write.

Then you might have a look at the secret-tool program (in the 
libsecret-tools package), which is a command-line client (so, it should 
be scriptable with bash) to the secret service [1].

(The "secret service" is the service responsible for managing the 
keyrings. Seahorse is only a client for that service, it does not 
manipulate the keyring itself.)

E.g., to store a secret into the default keyring:

   $ echo -n "mysecret" | secret-tool store --label="A secret" \
     hostname www.example.com

where "mysecret" is the secret to store, "A secret" is the name that 
will be displayed in Seahorse, and "hostname www.example.com" is a key 
value pair that you can later use to search for this secret.

To retrieve this secret:

   $ secret-tool search hostname www.example.com

You will not have to use GnuPG. In fact, as far as I know GnuPG is not 
involved anywhere --- the secret service daemon encrypts the keyring 
itself, it does not use GnuPG for that.

Hope that helps,

Damien


[1] https://specifications.freedesktop.org/secret-service/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161002/e654db0d/attachment.sig>

From jhs at berklix.com  Sun Oct  2 12:44:16 2016
From: jhs at berklix.com (Julian H. Stacey)
Date: Sun, 02 Oct 2016 12:44:16 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: Your message "Sat, 01 Oct 2016 21:00:15 +0200."
 <20161001190015.GA19011@fritha.org>
Message-ID: <201610021044.u92AiGNA004672@fire.js.berklix.net>

https://lists.gnupg.org/pipermail/gnupg-users/2016-October/056809.html
> Frankly, I did not know how to translate the German term
> "Schnappschloss".  I had in mind that a "latch" is similar to a
> "deadbolt".

Heinz Diehl wrote:
> Visualising a picture of what is meant by the German term, I would
> intuitively translate it to something like a hasp, a snap lock or even
> a spring lock. And you're right, I also heard the term latch lock.

https://de.wikipedia.org/wiki/Schnappschloss is empty.

Schnappschloss seems to be a wide word covering all sorts,
English has more words than German, so probably a selection of pictures
offers best way to choose best word for the function.

A latch is not similar to a deadbolt though. 
A latch is weaker.
A latch is spring loaded, or gravity assisted.

https://www.google.de/?gws_rd=ssl#q=Schnappschloss	...  Pictures
The silver, one from right end, is a snap lock. 
The brass at far right is a latch.

http://www.ebay.de/bhp/schnappschloss
http://www.ebay.de/itm/Oberlichtschnaepper-Edelstahl-Optik-Federriegel-Schnappschloss-Fensterschloss-/331887421951
"Latch"

http://www.ebay.de/itm/4-x-Schnappschloss-mit-Ose-gross-97x50-mm-Kistenverschluss-Spannverschluss-/360829984297
"Snap lock" 
  May be OK, or maybe Catch, (I'd be happier with the word Lock if
  that picture also had a tiny hole for a key (as mine does, crappy
  key but it is then a primitive lock.

http://www.ebay.de/itm/2pcs-3-Spannverschluss-Kofferverschluss-Kistenverschluss-Schnappschloss-Latch-/351691384246
"Hasp"

http://www.diy.com/departments/blooma-galvanised-steel-tower-bolt-l102mm/307467_BQ.prd
http://www.diy.com/departments/yale-deadlock/
http://www.ebay.com/itm/15-2cm-ZOLL-TURM-BOLZEN-TURSCHLOSS-SCHUPPEN-GARTEN-TUR-/301978902053
"Dead bolts"

PS Wouldnt suprise me if British & American & other speakers of
English had different words for some of those things.  (I'm English
but decades in Germany so not always entirely certain translating back)

Cheers,
Julian
--
Julian Stacey, BSD Linux Unix Sys Eng Consultant Munich
 Reply below, Prefix '> '. Plain text, No .doc, base64, HTML, quoted-printable.
 http://berklix.eu/brexit/#stolen_votes


From idmsdba at nycap.rr.com  Sun Oct  2 19:48:01 2016
From: idmsdba at nycap.rr.com (Michael A. Yetto)
Date: Sun, 2 Oct 2016 13:48:01 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <201610021044.u92AiGNA004672@fire.js.berklix.net>
References: <20161001190015.GA19011@fritha.org>
 <201610021044.u92AiGNA004672@fire.js.berklix.net>
Message-ID: <20161002134801.2f887de3@braetac.lighthouse.yetnet>

On Sun, 02 Oct 2016 12:44:16 +0200
"Julian H. Stacey" <jhs at berklix.com> wrote:

>https://lists.gnupg.org/pipermail/gnupg-users/2016-October/056809.html
>> Frankly, I did not know how to translate the German term
>> "Schnappschloss".  I had in mind that a "latch" is similar to a
>> "deadbolt".  
>
>Heinz Diehl wrote:
>> Visualising a picture of what is meant by the German term, I would
>> intuitively translate it to something like a hasp, a snap lock or
>> even a spring lock. And you're right, I also heard the term latch
>> lock.  
>
>https://de.wikipedia.org/wiki/Schnappschloss is empty.
>
>Schnappschloss seems to be a wide word covering all sorts,
>English has more words than German, so probably a selection of pictures
>offers best way to choose best word for the function.
>
>A latch is not similar to a deadbolt though. 
>A latch is weaker.
>A latch is spring loaded, or gravity assisted.
>
>https://www.google.de/?gws_rd=ssl#q=Schnappschloss	...  Pictures
>The silver, one from right end, is a snap lock. 
>The brass at far right is a latch.
>
>http://www.ebay.de/bhp/schnappschloss
>http://www.ebay.de/itm/Oberlichtschnaepper-Edelstahl-Optik-Federriegel-Schnappschloss-Fensterschloss-/331887421951
>"Latch"
>
>http://www.ebay.de/itm/4-x-Schnappschloss-mit-Ose-gross-97x50-mm-Kistenverschluss-Spannverschluss-/360829984297
>"Snap lock" 
>  May be OK, or maybe Catch, (I'd be happier with the word Lock if
>  that picture also had a tiny hole for a key (as mine does, crappy
>  key but it is then a primitive lock.
>
>http://www.ebay.de/itm/2pcs-3-Spannverschluss-Kofferverschluss-Kistenverschluss-Schnappschloss-Latch-/351691384246
>"Hasp"
>
>http://www.diy.com/departments/blooma-galvanised-steel-tower-bolt-l102mm/307467_BQ.prd
>http://www.diy.com/departments/yale-deadlock/
>http://www.ebay.com/itm/15-2cm-ZOLL-TURM-BOLZEN-TURSCHLOSS-SCHUPPEN-GARTEN-TUR-/301978902053
>"Dead bolts"
>
>PS Wouldnt suprise me if British & American & other speakers of
>English had different words for some of those things.  (I'm English
>but decades in Germany so not always entirely certain translating back)
>
>

I think that was my cue.

I thought what might be meant is what I have always referred to as a
slam lock. That is, a locking mechanism that stays locked after opening
from the inside and locks itself after closing from the outside.

It is an easy way to lock yourself out of your car with the engine
running if you just had the door replaced and the new one has a slam
lock while the old one didn't.

Mike "not that this ever happened to me" Yetto
-- 
"If your belief system is not founded in an objective reality, you
should not be making decisions that affect other people."
 - Neil deGrasse Tyson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161002/89a7a33a/attachment.sig>

From maorlando at gmail.com  Sun Oct  2 01:30:33 2016
From: maorlando at gmail.com (Matthew Orlando)
Date: Sat, 1 Oct 2016 16:30:33 -0700
Subject: gpg4win --gen-key fails to connect to IPC when using --homedir
In-Reply-To: <20130402100008.69a67f4b@bigbox.christie.dr>
References: <20130402100008.69a67f4b@bigbox.christie.dr>
Message-ID: <1ff0d639-669e-7752-98f6-c0ef1d712ef6@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
I had to do two things to solve this:

1: use absolute paths for the homedir. E.g.:
    gpg --homedir "C:\users\me\test\gpg" --gen-key

2: kill any existing GnuPG agents with task manager, and then start one
manually using the same homedir:
    gpg-agent --homedir="C:\users\me\test\gpg" --daemon

After you're done, kill the agent you started.

Cheers,

Cogwheel


Tim Chase gnupg at tim.thechases.com
Tue Apr 2 17:00:08 CEST 2013

> I found a similar thread here:
>
> http://lists.gnupg.org/pipermail/gnupg-users/2012-April/044164.html
>
> but it doesn't seem to have been resolved.  gpg4win was installed
> using the default location, and with none of the add-ons (no
> Outlook, shell, extensions, just gpg).  The same operation without
> --homedir works as expected.
>
> Any way to get this to work?
>
> Thanks,
>
> -tkc
>
>
> C:\work\tempgpg> gpg --homedir . --gen-key
> gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> gpg: keyring `./secring.gpg' created
> gpg: keyring `./pubring.gpg' created
> Please select what kind of key you want:
>    (1) RSA and RSA (default)
>    (2) DSA and Elgamal
>    (3) DSA (sign only)
>    (4) RSA (sign only)
> Your selection? 1
> RSA keys may be between 1024 and 4096 bits long.
> What keysize do you want? (2048) 2048
> Requested keysize is 2048 bits
> Please specify how long the key should be valid.
>          0 = key does not expire
>       <n>  = key expires in n days
>       <n>w = key expires in n weeks
>       <n>m = key expires in n months
>       <n>y = key expires in n years
> Key is valid for? (0) 0
> Key does not expire at all
> Is this correct? (y/N) y
>
> GnuPG needs to construct a user ID to identify your key.
>
> Real name: Joe User
> Email address: joe at example.com
> Comment: Test
> You selected this USER-ID:
>     "Joe User (Test) <joe at example.com>"
>
> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
> You need a Passphrase to protect your secret key.
>
> gpg: can't connect to the agent: Invalid value passed to IPC
> gpg: problem with the agent: No agent running
> gpg: can't connect to the agent: Invalid value passed to IPC
> gpg: problem with the agent: No agent running
> gpg: Key generation canceled.
>
> C:\work\tempgpg>gpg --version
> gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0)
> libgcrypt 1.4.6
> Copyright (C) 2011 Free Software Foundation, Inc.
> [snip]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJX8EcYAAoJEPro35Ne53Y9oHQIAKBKx+//QPuRMQXMVyb1bouk
nH5gNynV6n7K60a+w8N6Liky7a3FKTBpMi3wEkZo5Rw5wMtspuT0pqqT2E13Ml+L
Jw5/habejgQ84QMZB6FFbzM/tQBqnHUFn7EkOutq6ULqYMV7rt2MPba3c16tt/O6
9OoDj9phoXC0AABTDSBDS7AFyCvYJ61DJW6gTtAm8A7PCo39hjLQS5HiMviBWwLt
qqCogHQLuES7+4znA/kip3kuaPHcEiZ6BeG8dlxCkUc7flHlF3XsHg4TWmLwW118
Bv2VTNHMqSU9Mgyl+2qk/bJkSoUFcmxAjb3aVSNgRHoFBjCT89KzmZcikVmU4dE=
=eXvP
-----END PGP SIGNATURE-----



From tlikonen at iki.fi  Sun Oct  2 20:59:06 2016
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sun, 02 Oct 2016 21:59:06 +0300
Subject: Confusing options for --tofu-(default-)policy=
Message-ID: <87h98uwpad.fsf@iki.fi>

First a quote from the gpg 2.1.15 man page:

    --trust-model pgp|classic|tofu|tofu+pgp|direct|always|auto

        [...]

            In the TOFU model, policies are associated with bindings
            between keys and email addresses (which are extracted from
            user ids and normalized). There are five policies, which can
            be set manually using the --tofu-policy option. The default
            policy can be set using the --tofu-default- policy policy.

            The TOFU policies are: auto, good, unknown, bad and ask. The
            auto policy is used by default (unless overridden by
            --tofu-default-policy) and marks a binding as marginally
            trusted. The good, unknown and bad policies mark a binding
            as fully trusted, as having unknown trust or as having trust
            never, respectively. [...]

So there's a mapping from tofu policy to trust: auto=marginal,
good=fully, unknown=unknown, bad=never. But why use different names? Why
not use the same names for tofu policy and trust?

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: </pipermail/attachments/20161002/f5eb4a9d/attachment.sig>

From mls at bjoern-kahl.de  Sun Oct  2 21:36:49 2016
From: mls at bjoern-kahl.de (Bjoern Kahl)
Date: Sun, 2 Oct 2016 21:36:49 +0200
Subject: API documentation for Python GpgMe bindings?
Message-ID: <f5bad375-e5a3-5209-5498-a3082eb17724@bjoern-kahl.de>


 Dear All,

 I'd tried to play around with the (new) Python bindings announced just
 a few days ago, but I am a bit lost.  I am using Python-2.7 on MacOS
 "El Captain", with Python-2.7, gpg2, gpgme (1.6.0_2) and the bindings
 py27-pygpgme and pyme all installed using MacPorts.
 (Yes, that is not the newest gpgme-1.7.0 announced last week, the
  announcement last week just made me aware of the fact that there
  are Python binding at all.)

 I know the C-library documentation of GpgMe found here:
 https://www.gnupg.org/documentation/manuals/gpgme/

 Is there a similar documentation for the Python bindings "pyme" (or
 "pyme3")?

 Google didn't return helpful results for "gpgme python api reference"
 or "pyme api reference" for me.


 Looking at the C-library documentation and the help() output in the
 Python interpreter for pyme and objects accessible from there, I fail
 to see a clear mapping on how to call various functions.

 For example, I can create a GpgMe context with "ctx = pyme.core.Context()"
 and find a key "key = ctx.get_key("the-key-id").

 But how do I - for example - change context attributes like the
 pinentry mode?

 The "pyme.core.Context" object doesn't seem to have a "set_attributes"
 or a "set_pinentry_mode" or anything related.  I found
 "pyme.pygpgme.gpgme_set_pinentry_mode()", which takes a context,
 but apparently a different flavour of a "context" than returned
 from "pyme.core.Context()".  Trying to pass the result from
 "pyme.core.Context()" to "pyme.pygpgme.gpgme_set_pinentry_mode()"
 gives a type error.  Also, the context from "pyme.core.Context()"
 doesn't seem to have a function to retrieve the underlying gpgme
 context.


 So, were can I find documentation of the Python bindings or guidelines
 how to apply the C-library documentation to the pyme bindings for
 Python (either 2.7 or 3.x)?


 Thanks & best regards

    Bj?rn

-- 
|     Bjoern Kahl   +++   Siegburg   +++    Germany     |
|     "mls at -my-domain-"   +++    www.bjoern-kahl.de     |
| Languages: German, English, Ancient Latin (a bit :-)) |


From dkg at fifthhorseman.net  Mon Oct  3 15:40:02 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 03 Oct 2016 09:40:02 -0400
Subject: Terminology - certificate or key ?
In-Reply-To: <20161002134801.2f887de3@braetac.lighthouse.yetnet>
References: <20161001190015.GA19011@fritha.org>
 <201610021044.u92AiGNA004672@fire.js.berklix.net>
 <20161002134801.2f887de3@braetac.lighthouse.yetnet>
Message-ID: <87bmz1blfx.fsf@alice.fifthhorseman.net>

On Sun 2016-10-02 13:48:01 -0400, Michael A. Yetto wrote:
> I thought what might be meant is what I have always referred to as a
> slam lock. That is, a locking mechanism that stays locked after opening
> from the inside and locks itself after closing from the outside.

as a native en_US-speaker, I can confirm that the most precise term here
is "slam lock".  however, i've found that term is not particularly
widely-known or understood, which probably makes it a bad choice for
explanatory metaphor :(

fwiw, i disagree with Werner that X.509 certificates and OpenPGP
certificates are radically different.  There are differences for sure --
chief among them the composability (and decomposability) of OpenPGP
certificates, as well as their multi-issuer nature.  But conceptually
both formats provide transferable, cryptographically-verifiable
assertions about bindings between identities, capabilities, and public
key material.  This is roughly what "certificate" means to most people,
and that's the right term to use in my opinion.

            --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161003/1daa26e2/attachment.sig>

From wk at gnupg.org  Mon Oct  3 16:14:25 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 Oct 2016 16:14:25 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <201610021044.u92AiGNA004672@fire.js.berklix.net> (Julian
 H. Stacey's message of "Sun, 02 Oct 2016 12:44:16 +0200")
References: <201610021044.u92AiGNA004672@fire.js.berklix.net>
Message-ID: <87ponhr03i.fsf@wheatstone.g10code.de>

On Sun,  2 Oct 2016 12:44, jhs at berklix.com said:

> Schnappschloss seems to be a wide word covering all sorts,

It might be that there are regional differences in Germany.  May be even
more here, close to the traditional area of lock fabrication.

Here are two padlocks:

  <https://de.wikipedia.org/wiki/Vorh%C3%A4ngeschloss#/media/File:3_Vorhangschloesser.jpg>

We would call the left one a "normales Vorhangeschloss" (simple
padlock).  But the middle one is known as a "Schappschloss" - referring
to the feature that you do not need a key to lock it.

So it seems, the term "lock" works only along with a picture.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161003/0eb2c580/attachment.sig>

From arbiel.perlacremaz at gmx.fr  Mon Oct  3 16:28:07 2016
From: arbiel.perlacremaz at gmx.fr (Arbiel (gmx))
Date: Mon, 3 Oct 2016 16:28:07 +0200
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To: <0e8e483c-9ec7-e6f6-bf28-1f8b15061eb4@incenp.org>
References: <e00adc61-5cb2-1f1b-334c-56d399792cb5@gmx.fr>
 <b3882195-baac-acc0-a505-3a67dbf1ffb3@andrewg.com>
 <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
 <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org>
 <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr>
 <0e8e483c-9ec7-e6f6-bf28-1f8b15061eb4@incenp.org>
Message-ID: <9b008279-17b5-4f2c-6800-2261a826ad9c@gmx.fr>

Hi Damien

It's exactly what I was looking for.

Thank you a lot.

Arbiel

Le 02/10/2016 ? 09:52, Damien Goutte-Gattat a ?crit :
> On 10/02/2016 12:10 AM, Arbiel (gmx) wrote:
>> In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does,
>> and I am looking for tutorials which explain how to do so with bash
>> scripts, which are the only "programs" I am able to write.
> 
> Then you might have a look at the secret-tool program (in the
> libsecret-tools package), which is a command-line client (so, it should
> be scriptable with bash) to the secret service [1].
> 
> (The "secret service" is the service responsible for managing the
> keyrings. Seahorse is only a client for that service, it does not
> manipulate the keyring itself.)
> 
> E.g., to store a secret into the default keyring:
> 
>   $ echo -n "mysecret" | secret-tool store --label="A secret" \
>     hostname www.example.com
> 
> where "mysecret" is the secret to store, "A secret" is the name that
> will be displayed in Seahorse, and "hostname www.example.com" is a key
> value pair that you can later use to search for this secret.
> 
> To retrieve this secret:
> 
>   $ secret-tool search hostname www.example.com
> 
> You will not have to use GnuPG. In fact, as far as I know GnuPG is not
> involved anywhere --- the secret service daemon encrypts the keyring
> itself, it does not use GnuPG for that.
> 
> Hope that helps,
> 
> Damien
> 
> 
> [1] https://specifications.freedesktop.org/secret-service/
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161003/cf24f9f1/attachment.sig>

From jc.gnupg at unser.net  Mon Oct  3 16:53:19 2016
From: jc.gnupg at unser.net (Juergen Christoffel)
Date: Mon, 3 Oct 2016 16:53:19 +0200
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To: <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
References: <e00adc61-5cb2-1f1b-334c-56d399792cb5@gmx.fr>
 <b3882195-baac-acc0-a505-3a67dbf1ffb3@andrewg.com>
 <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
Message-ID: <20161003145319.GA32265@unser.net>

On Fri, Sep 30, 2016 at 03:56:08PM +0200, Arbiel (gmx) wrote:
>
>Can somebody, please, direct me toward a url where they provide bash
>scripting examples.

Take a look at https://www.passwordstore.org/ which is written in bash and
stores secrets with gnupg.

       --jc

-- 
  Doctorow's Law: Anytime someone puts a lock on something you own, against
  your wishes, and doesn't give you the key, they're not doing it for your
  benefit.


From richard.hoechenberger at gmail.com  Mon Oct  3 18:34:41 2016
From: richard.hoechenberger at gmail.com (=?UTF-8?Q?Richard_H=C3=B6chenberger?=)
Date: Mon, 3 Oct 2016 18:34:41 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <87ponhr03i.fsf@wheatstone.g10code.de>
References: <201610021044.u92AiGNA004672@fire.js.berklix.net>
 <87ponhr03i.fsf@wheatstone.g10code.de>
Message-ID: <CAGm-8jOkwkBmD+soOfLmxEOQ_cmea6F5HOKvkjPMDysTnhUiSw@mail.gmail.com>

On Mon, Oct 3, 2016 at 4:14 PM, Werner Koch <wk at gnupg.org> wrote:
> Here are two padlocks:
>
>   <https://de.wikipedia.org/wiki/Vorh%C3%A4ngeschloss#/media/File:3_Vorhangschloesser.jpg>
>
> We would call the left one a "normales Vorhangeschloss" (simple
> padlock).  But the middle one is known as a "Schappschloss" - referring
> to the feature that you do not need a key to lock it.

Growing up in (East) Germany myself, I've never, ever, heard or read
this word before. I always assumed all padlocks would lock without a
key, hence be "Schnappschl?sser". Never seen or handled anything else.
:) But maybe I'm simply too young, the padlock-without-Schnappschloss
type appears to be kind of ancient?

Cheers,

    Richard


From wk at gnupg.org  Mon Oct  3 20:40:45 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 Oct 2016 20:40:45 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <CAGm-8jOkwkBmD+soOfLmxEOQ_cmea6F5HOKvkjPMDysTnhUiSw@mail.gmail.com>
 ("Richard =?utf-8?Q?H=C3=B6chenberger=22's?= message of "Mon, 3 Oct 2016
 18:34:41 +0200")
References: <201610021044.u92AiGNA004672@fire.js.berklix.net>
 <87ponhr03i.fsf@wheatstone.g10code.de>
 <CAGm-8jOkwkBmD+soOfLmxEOQ_cmea6F5HOKvkjPMDysTnhUiSw@mail.gmail.com>
Message-ID: <877f9pqnrm.fsf@wheatstone.g10code.de>

On Mon,  3 Oct 2016 18:34, richard.hoechenberger at gmail.com said:

> :) But maybe I'm simply too young, the padlock-without-Schnappschloss
> type appears to be kind of ancient?

Heavy duty padlocks require a key for locking; you may have seen them
used to lock a motorbike.  The description at [1] lists this as a
feature:

  Schlie?zwang: Verriegelung nur mit Schl?ssel (Schl?ssel kann bei
  ge?ffnetem Zustand nicht abgezogen werden)



Salam-Shalom,

   Werner


[1] <https://www.abus.com/ger/Sicherheit-Zuhause/Vorhangschloesser/Diskus-R/Diskus-R-24RK>

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161003/190d88d3/attachment.sig>

From simon.albrecht at mail.de  Mon Oct  3 15:36:22 2016
From: simon.albrecht at mail.de (Simon Albrecht)
Date: Mon, 3 Oct 2016 15:36:22 +0200
Subject: What to do at failed integrity check?
Message-ID: <471bc952-018c-1f12-6648-15bb979ff842@mail.de>

Hello everybody,

I?m having a problem getting GnuPG set up: I downloaded the tarball and
signature (for v2.0.30), then did the integrity check as described on
<https://www.gnupg.org/download/integrity_check.html> using the packaged
version of GnuPG (1.4.something), and it failed with this message:

gpg: Signature made Do 31 M?r 2016 12:56:02 CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: public key not found

I already tried getting the files from a mirror ? same thing.

Now, the instructions on the linked webpage only say ?the file should be
treated suspiciously?. But what can I do now? Just use it anyway and
hope it?s not a real problem?

Best regards,
Simon Albrecht


From ca+gnupg-users at esmtp.org  Mon Oct  3 22:34:15 2016
From: ca+gnupg-users at esmtp.org (Claus Assmann)
Date: Mon, 3 Oct 2016 13:34:15 -0700
Subject: What to do at failed integrity check?
In-Reply-To: <471bc952-018c-1f12-6648-15bb979ff842@mail.de>
References: <471bc952-018c-1f12-6648-15bb979ff842@mail.de>
Message-ID: <20161003203415.GA14727@x2.esmtp.org>

On Mon, Oct 03, 2016, Simon Albrecht wrote:

> gpg: Signature made Do 31 M??r 2016 12:56:02 CEST using RSA key ID 4F25E3B6
> gpg: Can't check signature: public key not found
                              ^^^^^^^^^^^^^^^^^^^^^

> I already tried getting the files from a mirror ??? same thing.

Hmm... did you read the message?

You might want to download the key...


-- 
Reply-To: is set, please do not Cc' me.


From moritz at klammler.eu  Mon Oct  3 22:44:16 2016
From: moritz at klammler.eu (Moritz Klammler)
Date: Mon, 03 Oct 2016 22:44:16 +0200
Subject: What to do at failed integrity check?
In-Reply-To: Simon Albrecht's message of "Mon\, 3 Oct 2016 15\:36\:22 +0200 \(6
 hours\, 52 minutes\, 39 seconds ago\)"
Message-ID: <87mvil40yn.fsf@klammler.eu>


> gpg: Signature made Do 31 M?r 2016 12:56:02 CEST using RSA key ID 4F25E3B6
> gpg: Can't check signature: public key not found

GnuPG didn't tell you that if found out that the file doesn't match the
signature.  It told you that it wasn't able to check whether it is valid
in the first place because your key-ring doesn't contain the key which
the signature says was used to create it.  Without the public key
(certificate) of the signer, you cannot verify the signature.  You can
import the certificate from a public key-server using this command.

    $ gpg --recv-key 4F25E3B6

Where "4F25E3B6" is the ID reported by the error message (and happens to
belong to Werner Koch).

Of course, when you download the certificate like so, an attacker that
has previously tampered with your internet connection, tricking you into
downloading a compromised version of GnuPG (together with a fake
signature) can potentially trick you again and you cannot be sure that
you've actually downloaded Werner Koch's certificate.  In order to
defend against this, you should check the fingerprint by running

    $ gpg --fingerprint 4F25E3B6
    pub   rsa2048 2011-01-12 [SC] [expires: 2019-12-31]
          D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
    uid           [ unknown] Werner Koch (dist sig)
    sub   rsa2048 2011-01-12 [A] [expires: 2019-12-31]

and checking the output against a trusted source of the fingerprint.
Where you obtain this from, I don't know.  As a minimum, it should match
the fingerprint shown above but of course, that could be tampered with,
too.  (The fingerprint is the hex sequence "D869 2123 C406 5DEA 5E0F
3AB5 249B 39D2 4F25 E3B6".  The other output might differ for legitimate
reasons.)

Alternatively, if you're lucky, you might have participated in enough
key-signings such that GnuPG finds a chain of trust to the key.  As you
can see from the "unknown" in the output shown above, I've not been that
lucky so far.
-- 
OpenPGP:

Public Key:   http://openpgp.klammler.eu
Fingerprint:  2732 DA32 C8D0 EEEC A081  BE9D CF6C 5166 F393 A9C0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20161003/8ac30b41/attachment-0001.sig>

From sbutler at fchn.com  Mon Oct  3 22:31:35 2016
From: sbutler at fchn.com (Steve Butler)
Date: Mon, 3 Oct 2016 20:31:35 +0000
Subject: What to do at failed integrity check?
In-Reply-To: <471bc952-018c-1f12-6648-15bb979ff842@mail.de>
References: <471bc952-018c-1f12-6648-15bb979ff842@mail.de>
Message-ID: <f2ffcc125902491aaa32b7eb90404946@t1l1exchmbs-01.fchn.com>

Go to any public key server and get that key ID.

However, before doing that, I'd first verify the checksum without using GnuPG.  That process should also have been described on the download page.



-----Original Message-----
From: Gnupg-users [mailto:gnupg-users-bounces+sbutler=fchn.com at gnupg.org] On Behalf Of Simon Albrecht
Sent: Monday, October 03, 2016 6:36 AM
To: gnupg-users at gnupg.org
Subject: What to do at failed integrity check?

Hello everybody,

I?m having a problem getting GnuPG set up: I downloaded the tarball and signature (for v2.0.30), then did the integrity check as described on <https://www.gnupg.org/download/integrity_check.html> using the packaged version of GnuPG (1.4.something), and it failed with this message:

gpg: Signature made Do 31 M?r 2016 12:56:02 CEST using RSA key ID 4F25E3B6
gpg: Can't check signature: public key not found

I already tried getting the files from a mirror ? same thing.

Now, the instructions on the linked webpage only say ?the file should be treated suspiciously?. But what can I do now? Just use it anyway and hope it?s not a real problem?

Best regards,
Simon Albrecht

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, 
is for the sole use of the intended recipient(s) and may contain 
confidential 
and privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.


From justus at g10code.com  Tue Oct  4 11:00:52 2016
From: justus at g10code.com (Justus Winter)
Date: Tue, 04 Oct 2016 11:00:52 +0200
Subject: API documentation for Python GpgMe bindings?
In-Reply-To: <f5bad375-e5a3-5209-5498-a3082eb17724@bjoern-kahl.de>
References: <f5bad375-e5a3-5209-5498-a3082eb17724@bjoern-kahl.de>
Message-ID: <87int8zdx7.fsf@europa.jade-hamburg.de>

Hello :)

Bjoern Kahl <mls at bjoern-kahl.de> writes:
>  I'd tried to play around with the (new) Python bindings announced just
>  a few days ago, but I am a bit lost.  I am using Python-2.7 on MacOS
>  "El Captain", with Python-2.7, gpg2, gpgme (1.6.0_2) and the bindings
>  py27-pygpgme and pyme all installed using MacPorts.

note that pygpgme is an entirely different project.

>  (Yes, that is not the newest gpgme-1.7.0 announced last week, the
>   announcement last week just made me aware of the fact that there
>   are Python binding at all.)

Note that 'pyme' as available from MacPorts is likely the old pyme.  You
can grab and build the new 'pyme3' bindings from pypi, provided that you
do have all the build dependencies.  I'm not familiar with MacPorts, but
that might help with that.

(Despite the name, 'pyme3' also works with Python 2.7.  Originally, it
was only for Python 3, but we backported it.  'pyme3' was the working
title, and it helps to differentiate between the old and the new
binding.)

>  I know the C-library documentation of GpgMe found here:
>  https://www.gnupg.org/documentation/manuals/gpgme/
>
>  Is there a similar documentation for the Python bindings "pyme" (or
>  "pyme3")?

No, unfortunately not at this point.

>  Looking at the C-library documentation and the help() output in the
>  Python interpreter for pyme and objects accessible from there, I fail
>  to see a clear mapping on how to call various functions.

'pyme3' has a high-level api with curated docstrings.


Cheers,
Justus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20161004/3627d702/attachment.sig>

From stebe at mailbox.org  Tue Oct  4 13:00:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Tue, 04 Oct 2016 11:00:00 +0000
Subject: recording and retrieving "secrets" into gpg files
In-Reply-To: <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr>
References: <e00adc61-5cb2-1f1b-334c-56d399792cb5@gmx.fr>
 <b3882195-baac-acc0-a505-3a67dbf1ffb3@andrewg.com>
 <32bde4af-b750-1f1b-1785-8d9c40e6330e@gmx.fr>
 <2f314e26-aec1-eaa0-80f4-4300cdc19470@mailbox.org>
 <151ea9e6-aefc-b9f5-e9cd-77aa4534f4de@gmx.fr>
Message-ID: <3a81d648-178f-c817-fa5c-92d87e73314a@mailbox.org>

Hi Arbiel,

Arbiel (gmx):
> Hi Stephan
> 
> The "Bash scripting" material, which I began reading, gave me some
> valuable informations and I will go on reading it.
> 
> On the other hand, I did not understand the aim of the material
> concerning bash for gpg, as it deals with issues which I am quite
> unaware of. Maybe, when I get more confident in gpg concepts, will I
> understand its purpose.
> 
> In fact, I wish to record "secrets" in gnome-keyrings, as seahorse does,
> and I am looking for tutorials which explain how to do so with bash
> scripts, which are the only "programs" I am able to write.

Ah, ok, you were still with that, so it was sort of misunderstanding.
For me it wasn't quite clear whether your new question really had
anything to do with your old (storing secrets in gnome-keyrings), or
whether (what I thought at last) it was a new one and generic. So I gave
you two links, one for bash scripting in general, and the one related to
gpg (as an example) for bash scripting concerning gpg. No, that file
verification bash scripting hasn't anything to do with storing secrets
in keyrings. I looked again but haven't found anything specific related
to your question.

Cheers,

Stephan


> Le 30/09/2016 ? 17:30, Stephan Beck a ?crit :
>> Hi Arbiel,
>>
>> Arbiel (gmx):
>>> Hi
>>>
>>> Thank you Andrew.
>>>
>>> In the material I've been ready lately, all examples are written in a
>>> programming language and I only have abilities in bash scripting.
>>>
>>> Can somebody, please, direct me toward a url where they provide bash
>>> scripting examples.
>> [...]
>> Bash scripting in general?
>> http://bash-hackers.org
>>
>> related to gpg? For instance,
>> https://github.com/Whonix/gpg-bash-lib
>>
>> Cheers,
>>
>> Stephan
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161004/bc59366d/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161004/bc59366d/attachment.sig>

From aheinecke at intevation.de  Tue Oct  4 14:03:06 2016
From: aheinecke at intevation.de (Andre Heinecke)
Date: Tue, 04 Oct 2016 14:03:06 +0200
Subject: Agent forwarding failure when the socketdir was autodeleted
Message-ID: <3938401.1pLH0TdMhg@esus>

Hi,

Using GnuPG 2.1.15 I'm trying to SSH into a remote machine with OpenSSH 6.7 as 
described under:

https://wiki.gnupg.org/AgentForwarding

The problem is that the remote system uses systemd so /var/run/user/<uid> 
exits and GnuPG will use it.

But if I am not logged in or there is no gnupg process running. systemd 
autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of the 
Socket to fail because the directory for the socket does not exist and SSH 
won't create it. :-/

Any ideas how to solve this without requireing changes to the root 
configuration of the remote machine?

I would happily update the wiki with a solution.

Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161004/05c9ebf3/attachment.sig>

From aheinecke at intevation.de  Tue Oct  4 12:19:28 2016
From: aheinecke at intevation.de (Andre Heinecke)
Date: Tue, 04 Oct 2016 12:19:28 +0200
Subject: Why GnuPG encrypted file has no icon?
In-Reply-To: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB04120A33395BED49A73CFA2F97C00@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <3372410.p2aesyHPLG@esus>

Hi,

On Saturday 01 October 2016 04:10:03 Rohit P wrote:
> When you encrypt multiple files in a folder, GnuPG encrypted files have no
> icon. It is difficult to immediately identify which are the encrypted
> files.

If you are using Gpg4win you can try out our Beta of gpg4win-3.0

(See: https://wiki.gnupg.org/Gpg4win/Testversions ) There we added set up of 
file extensions and handling of files by "double click" for Windows.

> Any specific reason why encrypted files have no icon?

One problem was that the .pgp / .gpg / .asc extentions are pretty general. It 
could be Keys, signed data, detached signatures, etc.. so to bind them to an 
application the application would have to detect what a file is and handle it 
appropiately. This is done now by Kleopatra.
 
Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161004/76baeed6/attachment-0001.sig>

From htd+ml at fritha.org  Tue Oct  4 17:55:30 2016
From: htd+ml at fritha.org (Heinz Diehl)
Date: Tue, 4 Oct 2016 17:55:30 +0200
Subject: Terminology - certificate or key ?
In-Reply-To: <87ponhr03i.fsf@wheatstone.g10code.de>
References: <201610021044.u92AiGNA004672@fire.js.berklix.net>
 <87ponhr03i.fsf@wheatstone.g10code.de>
Message-ID: <20161004155530.GA2060@fritha.org>

On 03.10.2016, Werner Koch wrote: 

> We would call the left one a "normales Vorhangeschloss" (simple
> padlock).  But the middle one is known as a "Schappschloss" - referring
> to the feature that you do not need a key to lock it.

The left one is a modular padlock, and the one in the middle is an
integrated padlock. According to one of my friends who is a native
en_GB speaker. Not shure if this helps, though. I guess most languages
simply use "padlock" for both types. Haengeschloss in German,
hengel?s in NO, h?ngl?s (SE), h?ngel?s (DK)..



From dkg at fifthhorseman.net  Tue Oct  4 17:26:59 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 04 Oct 2016 11:26:59 -0400
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <3938401.1pLH0TdMhg@esus>
References: <3938401.1pLH0TdMhg@esus>
Message-ID: <874m4s9lto.fsf@alice.fifthhorseman.net>

On Tue 2016-10-04 08:03:06 -0400, Andre Heinecke wrote:

> Using GnuPG 2.1.15 I'm trying to SSH into a remote machine with OpenSSH 6.7 as 
> described under:
>
> https://wiki.gnupg.org/AgentForwarding
>
> The problem is that the remote system uses systemd so /var/run/user/<uid> 
> exits and GnuPG will use it.
>
> But if I am not logged in or there is no gnupg process running. systemd 
> autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of the 
> Socket to fail because the directory for the socket does not exist and SSH 
> won't create it. :-/

If you're not logged in, then how does the remote forward work?  aren't
you actually still logged in (via ssh) as long as your remote forward is
running?

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161004/42a0d5da/attachment.sig>

From aheinecke at intevation.de  Tue Oct  4 20:49:00 2016
From: aheinecke at intevation.de (Andre Heinecke)
Date: Tue, 04 Oct 2016 20:49 +0200
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <874m4s9lto.fsf@alice.fifthhorseman.net>
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
Message-ID: <3772820.ua5IrI4zjK@esus>

Hi,

On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote:
> > But if I am not logged in or there is no gnupg process running. systemd
> > autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of
> > the
> > Socket to fail because the directory for the socket does not exist and SSH
> > won't create it. :-/
> 
> If you're not logged in, then how does the remote forward work?  aren't
> you actually still logged in (via ssh) as long as your remote forward is
> running?

Sorry for not formulating this better. You are of course right If I'm not 
logged in the remote forward is not working.

That is not what I meant to say. The problem is, that when I disconnect the 
/run/.../gnupg dir is deleted and the next time I want to connect and ssh 
tries to set up the forwarding this will fail because the /run/.../gnupg 
directory in which the forwarded socket should be created does not exist.

Warning: remote port forwarding failed for listen path 
/var/run/user/<uid>/gnupg/S.gpg-agent

My current workaround is to connect first and start dirmngr on the remote 
machine (to get the socketdir created and used). And then connect with ssh 
socket forwarding. This is a bit clunky to use.

I've tried placing files in that folder, or to set up permissions to 000 for 
the gnupg folder (so that gnupg itself does not use it) but to no avail. It's 
still removed when disconnecting and the next connect will fail.

Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161004/4350acff/attachment.sig>

From dkg at fifthhorseman.net  Tue Oct  4 21:34:25 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 04 Oct 2016 15:34:25 -0400
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <3772820.ua5IrI4zjK@esus>
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
 <3772820.ua5IrI4zjK@esus>
Message-ID: <87eg3v9ada.fsf@alice.fifthhorseman.net>

Hi Andre--

On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote:

> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote:
>> > But if I am not logged in or there is no gnupg process running. systemd
>> > autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of
>> > the
>> > Socket to fail because the directory for the socket does not exist and SSH
>> > won't create it. :-/
>> 
>> If you're not logged in, then how does the remote forward work?  aren't
>> you actually still logged in (via ssh) as long as your remote forward is
>> running?
>
> Sorry for not formulating this better. You are of course right If I'm not 
> logged in the remote forward is not working.
>
> That is not what I meant to say. The problem is, that when I disconnect the 
> /run/.../gnupg dir is deleted and the next time I want to connect and ssh 
> tries to set up the forwarding this will fail because the /run/.../gnupg 
> directory in which the forwarded socket should be created does not exist.

so /run/user/<uid> exists upon ssh connection, but
/run/user/<uid>/gnupg/  does not, and therefore sshd on the remote side
of the pipe can't auto-create the remote socket -- is that the concern?

> My current workaround is to connect first and start dirmngr on the remote 
> machine (to get the socketdir created and used). And then connect with ssh 
> socket forwarding. This is a bit clunky to use.

agreed, that sounds clunky and annoying.

I wonder whether ssh's remote socket forwarding ought to try to
automatically create the parent directories if they don't already exist.

This doesn't solve your problem in the near term if you can't update the
remote host, but it seems like the right place to fix this problem.

Maybe that's worth asking on openssh-unix-dev at mindrot.org ?

> I've tried placing files in that folder, or to set up permissions to 000 for 
> the gnupg folder (so that gnupg itself does not use it) but to no avail. It's 
> still removed when disconnecting and the next connect will fail.

right, session termination (or machine reboot, etc) should clean up
/run/user/<uid> entirely -- that's part of the explicit goal of
$XDG_RUNTIME_DIR, aiui.

                  --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161004/b821379d/attachment.sig>

From Swetan.Govenkar at pcm.com  Tue Oct  4 12:37:40 2016
From: Swetan.Govenkar at pcm.com (Govenkar, Swetan)
Date: Tue, 4 Oct 2016 10:37:40 +0000
Subject: Private Key Encryption
Message-ID: <9E2067DA11DEA44489C0B8F3CE39836C2EB29B5A@AFS-PW-EX102.afservice.org>

Hi Team,

We are performing encryption and decryption process.  We are using the SUSE Linux 11 SPS3 OS. We want to Encrypt and Sign the file using gpg encryption technique.

As a Linux OS root user, we are able to generate keys and perform Encryption, Signing, Verification and Decryption perfectly and we are also able to list the generated keys.

We want to use these keys in the SAP R/3 System. The administrator user for the SAP System is SIDADM. In our case it is SF2ADM.

We switch the user from root to sf2adm and try to generate the keys using the command gpg --gen-key. But we are not able to enter the passphrase for the key. Instead we are getting the error message stating that "gpg: Cancelled by user" "gpg: Key generation canceled."  Please find the attached screenshot of the same.

We have tried the following :

1)Adding a new user home using the command addgnupghome

2)gpg-agent --daemon and setting the link to the requires S-gpg-agent in /tmp/ directory.

3)We thought  the issue was because of terminal type to be set. We have tried setting GPG_TTY to $tty.

But the issue has not been resolved yet.


Could you please let us know what is the procedure to perform encryption and decryption using gpg technique on Linux OS without the root user( Using a different user)

Thanks and Regards,
Swetan G




_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

The information contained in this transmission is confidential. It is
intended solely for the use of the individual(s) or organization(s) to
whom it is addressed. Any disclosure, copying or further distribution is
not permitted unless such privilege is explicitly granted in writing by
PCM, Inc. Furthermore, PCM, Inc. is not responsible for
the proper and complete transmission of the substance of this
communication, nor for any delay in its receipt.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161004/dccc99f0/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Encryption_Decryption_Error.JPG
Type: image/jpeg
Size: 99312 bytes
Desc: Encryption_Decryption_Error.JPG
URL: </pipermail/attachments/20161004/dccc99f0/attachment-0001.jpe>

From wk at gnupg.org  Wed Oct  5 09:42:21 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 05 Oct 2016 09:42:21 +0200
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <3772820.ua5IrI4zjK@esus> (Andre Heinecke's message of "Tue, 04
 Oct 2016 20:49 +0200")
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
 <3772820.ua5IrI4zjK@esus>
Message-ID: <8760p7i6n6.fsf@wheatstone.g10code.de>

On Tue,  4 Oct 2016 20:49, aheinecke at intevation.de said:

> My current workaround is to connect first and start dirmngr on the remote 
> machine (to get the socketdir created and used). And then connect with ssh 
> socket forwarding. This is a bit clunky to use.

You may use 

  gpgconf --create-socketdir

to create the directory w/o running any daemon.  It is a NOP if the
directory already exists.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161005/8fc73572/attachment.sig>

From stebe at mailbox.org  Wed Oct  5 14:27:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Wed, 05 Oct 2016 12:27:00 +0000
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <87eg3v9ada.fsf@alice.fifthhorseman.net>
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
 <3772820.ua5IrI4zjK@esus> <87eg3v9ada.fsf@alice.fifthhorseman.net>
Message-ID: <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org>

Hi,

Daniel Kahn Gillmor:
> Hi Andre--
> 
> On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote:
> 
>> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote:
>>>> But if I am not logged in or there is no gnupg process running. systemd
>>>> autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of
>>>> the
>>>> Socket to fail because the directory for the socket does not exist and SSH
>>>> won't create it. :-/
>>>
>>> If you're not logged in, then how does the remote forward work?  aren't
>>> you actually still logged in (via ssh) as long as your remote forward is
>>> running?
>>
>> Sorry for not formulating this better. You are of course right If I'm not 
>> logged in the remote forward is not working.
>>
>> That is not what I meant to say. The problem is, that when I disconnect the 
>> /run/.../gnupg dir is deleted and the next time I want to connect and ssh 
>> tries to set up the forwarding this will fail because the /run/.../gnupg 
>> directory in which the forwarded socket should be created does not exist.
> 
> so /run/user/<uid> exists upon ssh connection, but
> /run/user/<uid>/gnupg/  does not, and therefore sshd on the remote side
> of the pipe can't auto-create the remote socket -- is that the concern?
> 
>> My current workaround is to connect first and start dirmngr on the remote 
>> machine (to get the socketdir created and used). And then connect with ssh 
>> socket forwarding. This is a bit clunky to use.
> 
> agreed, that sounds clunky and annoying.
> 
> I wonder whether ssh's remote socket forwarding ought to try to
> automatically create the parent directories if they don't already exist.

So, ssh does not even create the socket if you set
STREAMBINDUNLINK yes
in /etc/ssh/ssh_config (or give the correspondent -o option on the
command line, client-side)?
If this is the case (still no socket/socketdir creation), it may help
adjusting the ~/.profile of the remote account (if permissions allow it)
you log into, adding the following, as seen on (1), provided that you
log in from the console. Quote follows below.

Kyle Amon has provided the following bit for a .bash_profile:

        #
        # setup ssh-agent
        #

# set environment variables if user's agent already exists
[ -z "$SSH_AUTH_SOCK" ] && SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2>
/dev/null | grep $(whoami) | awk '{print $9}')
[ -z "$SSH_AGENT_PID" -a -z `echo $SSH_AUTH_SOCK | cut -d. -f2` ] &&
SSH_AGENT_PID=$((`echo $SSH_AUTH_SOCK | cut -d. -f2` + 1))
[ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK
[ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID

# start agent if necessary
if [ -z $SSH_AGENT_PID ] && [ -z $SSH_TTY ]; then  # if no agent & not
in ssh
    eval `ssh-agent -s` > /dev/null
fi

[Quote end]
If you re-connect to the remote machine and login to the user account
(from the console) an ssh-agent (if not already started) is (hopefully)
being started on the remote machine and creates the directory and socket
in /tmp.
Or, another idea, is to use a specific local script and execute it on
the remote server (or to use COMMAND option from the command line and
execute it on the remote server): Quote from (2)

Executing a Local Script on a Remote Linux Server

$ ssh [user]@[server] 'bash -s' < [local_script]

If all this did not help, and, consequently, systemd (itself) on the
remote machine had to be tricked into preserving (or automatically
recreating) the /gnupg directory, I were a bit lost, but at least I had
read through a bunch of very interesting docs I can make use of myself.

(1) http://mah.everybody.org/docs/ssh
(2)
http://www.shellhacks.com/en/Running-Commands-on-a-Remote-Linux-Server-over-SSH


Cheers,

Stephan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4090 bytes
Desc: not available
URL: </pipermail/attachments/20161005/c67beb52/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161005/c67beb52/attachment.sig>

From stebe at mailbox.org  Wed Oct  5 14:44:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Wed, 05 Oct 2016 12:44:00 +0000
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org>
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
 <3772820.ua5IrI4zjK@esus> <87eg3v9ada.fsf@alice.fifthhorseman.net>
 <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org>
Message-ID: <dd864db9-98ac-c98e-0166-be7b8ca8c4a2@mailbox.org>

Oh, just seen Werner's answer :-)

Well, I had a good time reading the mentioned docs ;-)

Cheers,

Stephan

Stephan Beck:
> Hi,
> 
> Daniel Kahn Gillmor:
>> Hi Andre--
>>
>> On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote:
>>
>>> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote:
>>>>> But if I am not logged in or there is no gnupg process running. systemd
>>>>> autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of
>>>>> the
>>>>> Socket to fail because the directory for the socket does not exist and SSH
>>>>> won't create it. :-/
>>>>
>>>> If you're not logged in, then how does the remote forward work?  aren't
>>>> you actually still logged in (via ssh) as long as your remote forward is
>>>> running?
>>>
>>> Sorry for not formulating this better. You are of course right If I'm not 
>>> logged in the remote forward is not working.
>>>
>>> That is not what I meant to say. The problem is, that when I disconnect the 
>>> /run/.../gnupg dir is deleted and the next time I want to connect and ssh 
>>> tries to set up the forwarding this will fail because the /run/.../gnupg 
>>> directory in which the forwarded socket should be created does not exist.
>>
>> so /run/user/<uid> exists upon ssh connection, but
>> /run/user/<uid>/gnupg/  does not, and therefore sshd on the remote side
>> of the pipe can't auto-create the remote socket -- is that the concern?
>>
>>> My current workaround is to connect first and start dirmngr on the remote 
>>> machine (to get the socketdir created and used). And then connect with ssh 
>>> socket forwarding. This is a bit clunky to use.
>>
>> agreed, that sounds clunky and annoying.
>>
>> I wonder whether ssh's remote socket forwarding ought to try to
>> automatically create the parent directories if they don't already exist.
> 
> So, ssh does not even create the socket if you set
> STREAMBINDUNLINK yes
> in /etc/ssh/ssh_config (or give the correspondent -o option on the
> command line, client-side)?
> If this is the case (still no socket/socketdir creation), it may help
> adjusting the ~/.profile of the remote account (if permissions allow it)
> you log into, adding the following, as seen on (1), provided that you
> log in from the console. Quote follows below.
> 
> Kyle Amon has provided the following bit for a .bash_profile:
> 
>         #
>         # setup ssh-agent
>         #
> 
> # set environment variables if user's agent already exists
> [ -z "$SSH_AUTH_SOCK" ] && SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2>
> /dev/null | grep $(whoami) | awk '{print $9}')
> [ -z "$SSH_AGENT_PID" -a -z `echo $SSH_AUTH_SOCK | cut -d. -f2` ] &&
> SSH_AGENT_PID=$((`echo $SSH_AUTH_SOCK | cut -d. -f2` + 1))
> [ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK
> [ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID
> 
> # start agent if necessary
> if [ -z $SSH_AGENT_PID ] && [ -z $SSH_TTY ]; then  # if no agent & not
> in ssh
>     eval `ssh-agent -s` > /dev/null
> fi
> 
> [Quote end]
> If you re-connect to the remote machine and login to the user account
> (from the console) an ssh-agent (if not already started) is (hopefully)
> being started on the remote machine and creates the directory and socket
> in /tmp.
> Or, another idea, is to use a specific local script and execute it on
> the remote server (or to use COMMAND option from the command line and
> execute it on the remote server): Quote from (2)
> 
> Executing a Local Script on a Remote Linux Server
> 
> $ ssh [user]@[server] 'bash -s' < [local_script]
> 
> If all this did not help, and, consequently, systemd (itself) on the
> remote machine had to be tricked into preserving (or automatically
> recreating) the /gnupg directory, I were a bit lost, but at least I had
> read through a bunch of very interesting docs I can make use of myself.
> 
> (1) http://mah.everybody.org/docs/ssh
> (2)
> http://www.shellhacks.com/en/Running-Commands-on-a-Remote-Linux-Server-over-SSH
> 
> 
> Cheers,
> 
> Stephan
> 

-- 
Hinweis: Diese E-Mail enth?lt vertrauliche Informationen und ist nur f?r
ihren legitimen Empf?nger bestimmt. Ihre Weitergabe oder
Vervielf?ltigung gleich welcher Art ist nicht gestattet. Sollten Sie
diese E-Mail irrt?mlich erhalten haben, l?schen Sie sie bitte und
informieren Sie den Absender.


From sbeck at mailbox.org  Wed Oct  5 14:43:00 2016
From: sbeck at mailbox.org (Stephan Beck)
Date: Wed, 05 Oct 2016 12:43:00 +0000
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org>
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
 <3772820.ua5IrI4zjK@esus> <87eg3v9ada.fsf@alice.fifthhorseman.net>
 <6f310963-99d2-f1dd-2e68-fce0d6c3a8bc@mailbox.org>
Message-ID: <2cc9d35e-f747-250a-856a-0577a8d713d8@mailbox.org>

Oh, just seen Werner's answer :-)

Well, I had a good time reading the mentioned docs ;-)

Cheers,

Stephan

Stephan Beck:
> Hi,
> 
> Daniel Kahn Gillmor:
>> Hi Andre--
>>
>> On Tue 2016-10-04 14:49:00 -0400, Andre Heinecke wrote:
>>
>>> On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote:
>>>>> But if I am not logged in or there is no gnupg process running. systemd
>>>>> autodeletes /var/run/user/<uid>/gnupg this causes the remote forward of
>>>>> the
>>>>> Socket to fail because the directory for the socket does not exist and SSH
>>>>> won't create it. :-/
>>>>
>>>> If you're not logged in, then how does the remote forward work?  aren't
>>>> you actually still logged in (via ssh) as long as your remote forward is
>>>> running?
>>>
>>> Sorry for not formulating this better. You are of course right If I'm not 
>>> logged in the remote forward is not working.
>>>
>>> That is not what I meant to say. The problem is, that when I disconnect the 
>>> /run/.../gnupg dir is deleted and the next time I want to connect and ssh 
>>> tries to set up the forwarding this will fail because the /run/.../gnupg 
>>> directory in which the forwarded socket should be created does not exist.
>>
>> so /run/user/<uid> exists upon ssh connection, but
>> /run/user/<uid>/gnupg/  does not, and therefore sshd on the remote side
>> of the pipe can't auto-create the remote socket -- is that the concern?
>>
>>> My current workaround is to connect first and start dirmngr on the remote 
>>> machine (to get the socketdir created and used). And then connect with ssh 
>>> socket forwarding. This is a bit clunky to use.
>>
>> agreed, that sounds clunky and annoying.
>>
>> I wonder whether ssh's remote socket forwarding ought to try to
>> automatically create the parent directories if they don't already exist.
> 
> So, ssh does not even create the socket if you set
> STREAMBINDUNLINK yes
> in /etc/ssh/ssh_config (or give the correspondent -o option on the
> command line, client-side)?
> If this is the case (still no socket/socketdir creation), it may help
> adjusting the ~/.profile of the remote account (if permissions allow it)
> you log into, adding the following, as seen on (1), provided that you
> log in from the console. Quote follows below.
> 
> Kyle Amon has provided the following bit for a .bash_profile:
> 
>         #
>         # setup ssh-agent
>         #
> 
> # set environment variables if user's agent already exists
> [ -z "$SSH_AUTH_SOCK" ] && SSH_AUTH_SOCK=$(ls -l /tmp/ssh-*/agent.* 2>
> /dev/null | grep $(whoami) | awk '{print $9}')
> [ -z "$SSH_AGENT_PID" -a -z `echo $SSH_AUTH_SOCK | cut -d. -f2` ] &&
> SSH_AGENT_PID=$((`echo $SSH_AUTH_SOCK | cut -d. -f2` + 1))
> [ -n "$SSH_AUTH_SOCK" ] && export SSH_AUTH_SOCK
> [ -n "$SSH_AGENT_PID" ] && export SSH_AGENT_PID
> 
> # start agent if necessary
> if [ -z $SSH_AGENT_PID ] && [ -z $SSH_TTY ]; then  # if no agent & not
> in ssh
>     eval `ssh-agent -s` > /dev/null
> fi
> 
> [Quote end]
> If you re-connect to the remote machine and login to the user account
> (from the console) an ssh-agent (if not already started) is (hopefully)
> being started on the remote machine and creates the directory and socket
> in /tmp.
> Or, another idea, is to use a specific local script and execute it on
> the remote server (or to use COMMAND option from the command line and
> execute it on the remote server): Quote from (2)
> 
> Executing a Local Script on a Remote Linux Server
> 
> $ ssh [user]@[server] 'bash -s' < [local_script]
> 
> If all this did not help, and, consequently, systemd (itself) on the
> remote machine had to be tricked into preserving (or automatically
> recreating) the /gnupg directory, I were a bit lost, but at least I had
> read through a bunch of very interesting docs I can make use of myself.
> 
> (1) http://mah.everybody.org/docs/ssh
> (2)
> http://www.shellhacks.com/en/Running-Commands-on-a-Remote-Linux-Server-over-SSH
> 
> 
> Cheers,
> 
> Stephan
> 

-- 
Hinweis: Diese E-Mail enth?lt vertrauliche Informationen und ist nur f?r
ihren legitimen Empf?nger bestimmt. Ihre Weitergabe oder
Vervielf?ltigung gleich welcher Art ist nicht gestattet. Sollten Sie
diese E-Mail irrt?mlich erhalten haben, l?schen Sie sie bitte und
informieren Sie den Absender.


From gnupg at jelmail.com  Wed Oct  5 17:26:54 2016
From: gnupg at jelmail.com (gnupg at jelmail.com)
Date: Wed, 5 Oct 2016 16:26:54 +0100
Subject: Listing signatures in edit mode?
Message-ID: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>

I know how to list signatures with "gpg --list-sigs" but is it possible
to do so whilst in "gpg --edit-key" mode ?

Furthermore, is it possible to limit the list to my own sigs (i.e. when
editing/viewing a third-party's key), and without using something like
"grep" ?

And can I list the cross-certify signatures? The normal "--list-sigs"
doesn't show them.

Also, and kind-of related, is it possible to delete a specific sig (with
"delsig" in edit mode) without having to step through all sigs ?

(I did mean delete rather than revoke; the latter at least limits the
sig list to one's own.)

I've checked the docs but was unable to find the solution, I hope I've
missed something....

gpg (GnuPG) 2.1.14 libgcrypt 1.7.2 GNU/Linux 4.6.4-1-ARCH



From dkg at fifthhorseman.net  Wed Oct  5 19:46:51 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 05 Oct 2016 13:46:51 -0400
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <8760p7i6n6.fsf@wheatstone.g10code.de>
References: <3938401.1pLH0TdMhg@esus> <874m4s9lto.fsf@alice.fifthhorseman.net>
 <3772820.ua5IrI4zjK@esus> <8760p7i6n6.fsf@wheatstone.g10code.de>
Message-ID: <8760p67kok.fsf@alice.fifthhorseman.net>

On Wed 2016-10-05 03:42:21 -0400, Werner Koch wrote:
> On Tue,  4 Oct 2016 20:49, aheinecke at intevation.de said:
>
>> My current workaround is to connect first and start dirmngr on the remote 
>> machine (to get the socketdir created and used). And then connect with ssh 
>> socket forwarding. This is a bit clunky to use.
>
> You may use 
>
>   gpgconf --create-socketdir
>
> to create the directory w/o running any daemon.  It is a NOP if the
> directory already exists.

The trouble is that the socket directory needs to be created before ssh
tries to forward the socket.  when doing a forward from the command
line, the ssh channel that does socket forwarding is often established
before the channel that runs any shell or other interactive behavior.

I really think this ought to be handled in OpenSSH.

  --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161005/170f3d0d/attachment.sig>

From aheinecke at intevation.de  Wed Oct  5 21:35:12 2016
From: aheinecke at intevation.de (Andre Heinecke)
Date: Wed, 05 Oct 2016 21:35:12 +0200
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <8760p67kok.fsf@alice.fifthhorseman.net>
References: <3938401.1pLH0TdMhg@esus> <8760p7i6n6.fsf@wheatstone.g10code.de>
 <8760p67kok.fsf@alice.fifthhorseman.net>
Message-ID: <1692039.nYCvrdervT@esus>

Hi,

On Wednesday 05 October 2016 13:46:51 Daniel Kahn Gillmor wrote:
> > You may use
> > 
> >   gpgconf --create-socketdir
> > 
> > to create the directory w/o running any daemon.  It is a NOP if the
> > directory already exists.

Yes, that works but it's still a bit cludgy I'd like to have it working in a 
single ssh command.

> The trouble is that the socket directory needs to be created before ssh
> tries to forward the socket.  when doing a forward from the command
> line, the ssh channel that does socket forwarding is often established
> before the channel that runs any shell or other interactive behavior.
> 
> I really think this ought to be handled in OpenSSH.

Exactly. I wrote a mail to openssh-unix-dev as you suggested to ask about 
that. Let's see :-)

Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161005/6b867042/attachment.sig>

From gnupg at jelmail.com  Thu Oct  6 17:21:06 2016
From: gnupg at jelmail.com (John Lane)
Date: Thu, 6 Oct 2016 16:21:06 +0100
Subject: using with su/sudo
Message-ID: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>

The requirement for tty ownership for commands where pinentry is
required causes problems for shells opened with sudo or su, where
such commands generally result in a "permission denied" kind of error:

    $ gpg -d /tmp/encrypted.asc
    gpg: public key decryption failed: Permission denied

I can use "script" to work around this but it is a bit of a hack that
relies on the fact that "script" creates a new tty owned by the current
user:

    $ script -q -c 'gpg -d /tmp/encrypted.asc'

Is there a correct way to make gpg play nicely inside su/sudo ?

PS I am using su/sudo to change to another unprivileged user, not root.

Thanks,
John



From wk at gnupg.org  Thu Oct  6 09:11:04 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 06 Oct 2016 09:11:04 +0200
Subject: Listing signatures in edit mode?
In-Reply-To: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>
 (gnupg@jelmail.com's message of "Wed, 5 Oct 2016 16:26:54 +0100")
References: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>
Message-ID: <87twcqdkaf.fsf@wheatstone.g10code.de>

On Wed,  5 Oct 2016 17:26, gnupg at jelmail.com said:
> I know how to list signatures with "gpg --list-sigs" but is it possible
> to do so whilst in "gpg --edit-key" mode ?

There is a "check" command which does the same as --check-sigs.
However, I just realized that there is a regression in 2.1 in that it
does not list them anymore.  Needs to be fixed.

> Furthermore, is it possible to limit the list to my own sigs (i.e. when
> editing/viewing a third-party's key), and without using something like
> "grep" ?

No.

> And can I list the cross-certify signatures? The normal "--list-sigs"
> doesn't show them.

What to you mean by this?

> Also, and kind-of related, is it possible to delete a specific sig (with
> "delsig" in edit mode) without having to step through all sigs ?

No, there is no easy way to identify a signature and thus we have not
implemented it.

Note that we won't add new features before the release fo 2.2, though.


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161006/30d2beb4/attachment.sig>

From gnupg at jelmail.com  Thu Oct  6 21:10:05 2016
From: gnupg at jelmail.com (John Lane)
Date: Thu, 6 Oct 2016 20:10:05 +0100
Subject: Listing signatures in edit mode?
In-Reply-To: <87twcqdkaf.fsf@wheatstone.g10code.de>
References: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>
 <87twcqdkaf.fsf@wheatstone.g10code.de>
Message-ID: <c76d1573-c751-fa2b-9aae-378c459d8cbb@jelmail.com>

On 06/10/16 08:11, Werner Koch wrote:
> On Wed,  5 Oct 2016 17:26, gnupg at jelmail.com said:
>> I know how to list signatures with "gpg --list-sigs" but is it possible
>> to do so whilst in "gpg --edit-key" mode ?
> 
> There is a "check" command which does the same as --check-sigs.
> However, I just realized that there is a regression in 2.1 in that it
> does not list them anymore.  Needs to be fixed.
> 

good to know, thanks.

> 
>> And can I list the cross-certify signatures? The normal "--list-sigs"
>> doesn't show them.
> 
> What to you mean by this?
> 

Perhaps I have misunderstood this:

    https://www.gnupg.org/faq/subkey-cross-certify.en.html

where it says "Subkey cross-certification (sometimes called "back
signing") involves the subkey issuing a signature on the primary key,
just like the primary key signature on the subkey."

I was wondering, just for my education, how I can see such signatures. I
don't think they show on "--list-sigs", for example:


gpg --keyid-format short --list-sigs freddy
pub   rsa2048/1E8BB8D0 2016-10-06 [SC]
uid         [ultimate] Freddy Test <freddy.test at example.org>
sig 3        1E8BB8D0 2016-10-06  Freddy Test
sub   rsa2048/FC91A390 2016-10-06 [E]
sig          1E8BB8D0 2016-10-06  Freddy Test <freddy.test at example.org>
sub   rsa2048/63AB1D1A 2016-10-06 [S]
sig          1E8BB8D0 2016-10-06  Freddy Test <freddy.test at example.org>


Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ?




From wk at gnupg.org  Thu Oct  6 20:27:19 2016
From: wk at gnupg.org (Werner Koch)
Date: Thu, 06 Oct 2016 20:27:19 +0200
Subject: Listing signatures in edit mode?
In-Reply-To: <c76d1573-c751-fa2b-9aae-378c459d8cbb@jelmail.com> (John Lane's
 message of "Thu, 6 Oct 2016 20:10:05 +0100")
References: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>
 <87twcqdkaf.fsf@wheatstone.g10code.de>
 <c76d1573-c751-fa2b-9aae-378c459d8cbb@jelmail.com>
Message-ID: <8737k9e3js.fsf@wheatstone.g10code.de>

On Thu,  6 Oct 2016 21:10, gnupg at jelmail.com said:

> where it says "Subkey cross-certification (sometimes called "back
> signing") involves the subkey issuing a signature on the primary key,

Ah well, this is a property of the key binding signature for signature
subkeys.  You can look at them using --list-packets.  Gpg will warn if
the backsig is missing.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161006/6113c216/attachment.sig>

From peter at digitalbrains.com  Thu Oct  6 20:41:34 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 6 Oct 2016 20:41:34 +0200
Subject: Listing signatures in edit mode?
In-Reply-To: <c76d1573-c751-fa2b-9aae-378c459d8cbb@jelmail.com>
References: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>
 <87twcqdkaf.fsf@wheatstone.g10code.de>
 <c76d1573-c751-fa2b-9aae-378c459d8cbb@jelmail.com>
Message-ID: <3b45153e-6e8c-ee8b-920e-96a0d4c5f2de@digitalbrains.com>

On 06/10/16 21:10, John Lane wrote:
> Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ?

No, the cross-certification signature is part of the signature of
1E8BB8D0 on 63AB1D1A. This cross-certification signature is not really
that well visible.

For instance, take my key:

-----------------8<------------------->8-----------------
pub   rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19]
uid         [ultimate] Peter Lebbing <peter at digitalbrains.com>
sub   rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19]
sub   rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19]
sub   rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19]
-----------------8<------------------->8-----------------

If you do

$ gpg2 --export-options export-minimal --export de500b3e|gpg2
--list-packets |less

you get a big amount of technical detail (I've left out certifications
by other people, or I would have been swamped by irrelevant data and
would have lost track). Among it we see a signature of DE500B3E on DE6CDCA1:

-----------------8<------------------->8-----------------
:signature packet: algo 1, keyid AC46EFE6DE500B3E
        version 4, created 1445346807, md5len 0, sigclass 0x18
        digest algo 2, begin of digest 65 31
        hashed subpkt 27 len 1 (key flags: 02)
        hashed subpkt 2 len 4 (sig created 2015-10-20)
        hashed subpkt 9 len 4 (key expires after 7y342d23h58m)
        subpkt 32 len 284 (signature: v4, class 0x19, algo 1, digest algo 2)
        subpkt 16 len 8 (issuer key ID AC46EFE6DE500B3E)
        data: [2046 bits]
-----------------8<------------------->8-----------------

If I'm not mistaken, the cross-certification signature is "subpkt 32",
but unfortunately it is not parsed by --list-packets. What broadly
happens, if memory serves me correctly, is that DE6CDCA1 issues a
signature on DE500B3E, which becomes the subpkt 32. Then DE500B3E issues
this whole signature packet, which includes the signature just made by
DE6CDCA1.

The gory details are in RFC 4880.

Note that only signing subkeys issue a cross-certification, not
encryption or authentication subkeys. Some encryption subkeys might even
be mathematically incapable of issuing such a signature, depending on
the type.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From gnupg at jelmail.com  Thu Oct  6 22:55:26 2016
From: gnupg at jelmail.com (John Lane)
Date: Thu, 6 Oct 2016 21:55:26 +0100
Subject: Listing signatures in edit mode?
In-Reply-To: <3b45153e-6e8c-ee8b-920e-96a0d4c5f2de@digitalbrains.com>
References: <da2d3b69-a0da-76c4-6af0-6cbfcc5c7338@jelmail.com>
 <87twcqdkaf.fsf@wheatstone.g10code.de>
 <c76d1573-c751-fa2b-9aae-378c459d8cbb@jelmail.com>
 <3b45153e-6e8c-ee8b-920e-96a0d4c5f2de@digitalbrains.com>
Message-ID: <be91ffa4-35f3-e211-3d37-f799211f596e@jelmail.com>

On 06/10/16 19:41, Peter Lebbing wrote:
> On 06/10/16 21:10, John Lane wrote:
>> Would I not expect to see sigs by FC91A390 and 63AB1D1A on E8BB8D0 ?
> No, the cross-certification signature is part of the signature of
> 1E8BB8D0 on 63AB1D1A. This cross-certification signature is not really
> that well visible.
>
> For instance, take my key:
>
> -----------------8<------------------->8-----------------
> pub   rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19]
> uid         [ultimate] Peter Lebbing <peter at digitalbrains.com>
> sub   rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19]
> sub   rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19]
> sub   rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19]
> -----------------8<------------------->8-----------------
>
> If you do
>
> $ gpg2 --export-options export-minimal --export de500b3e|gpg2
> --list-packets |less
>
> you get a big amount of technical detail (I've left out certifications
> by other people, or I would have been swamped by irrelevant data and
> would have lost track). Among it we see a signature of DE500B3E on DE6CDCA1:
>
> -----------------8<------------------->8-----------------
> :signature packet: algo 1, keyid AC46EFE6DE500B3E
>         version 4, created 1445346807, md5len 0, sigclass 0x18
>         digest algo 2, begin of digest 65 31
>         hashed subpkt 27 len 1 (key flags: 02)
>         hashed subpkt 2 len 4 (sig created 2015-10-20)
>         hashed subpkt 9 len 4 (key expires after 7y342d23h58m)
>         subpkt 32 len 284 (signature: v4, class 0x19, algo 1, digest algo 2)
>         subpkt 16 len 8 (issuer key ID AC46EFE6DE500B3E)
>         data: [2046 bits]
> -----------------8<------------------->8-----------------
>
> If I'm not mistaken, the cross-certification signature is "subpkt 32",
> but unfortunately it is not parsed by --list-packets. What broadly
> happens, if memory serves me correctly, is that DE6CDCA1 issues a
> signature on DE500B3E, which becomes the subpkt 32. Then DE500B3E issues
> this whole signature packet, which includes the signature just made by
> DE6CDCA1.
>
> The gory details are in RFC 4880.
great explanation, thanks. found it in rfc too 0x19 "primary key binding
signature" (sec 5.2.1, 5.2.4, 11.1). Sec 15 notes interestingly that
"implementing software may handle these [keys without a back signature]
as it sees fit"

I think the page I quoted misled me when it said this binding signature
was "just like the primary key signature on the subkey" which, while
conceptually true, isn't technically true.

but I get it now, so another thing learnt. thanks v. much.

>
> Note that only signing subkeys issue a cross-certification, not
> encryption or authentication subkeys. Some encryption subkeys might even
> be mathematically incapable of issuing such a signature, depending on
> the type.
>
> HTH,
>
> Peter.
>




From jernst at invacarecontractor.com  Thu Oct  6 14:38:33 2016
From: jernst at invacarecontractor.com (Jim Ernst)
Date: Thu, 6 Oct 2016 12:38:33 +0000
Subject: Syntax Question on GPG2 on LINUX
Message-ID: <SN1PR0701MB19677F8AFFF1D733608EDEBEABC70@SN1PR0701MB1967.namprd07.prod.outlook.com>

Hello All -

I am working in a LINUX environment using GPG version 2.1.15

Can anyone give me the syntax to use gpg2  to create a signed, encrypted file using a passphrase in a LINUX shell script ?  This is being run from Oracle EBS on a schedule so there would not be a user interacting to answer prompts. With this mode, is there any terminal settings I would need to set ?

Thanks !!
Jim Ernst
NTT Data
NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161006/f05ef0cf/attachment.html>

From sbutler at fchn.com  Thu Oct  6 22:19:43 2016
From: sbutler at fchn.com (Steve Butler)
Date: Thu, 6 Oct 2016 20:19:43 +0000
Subject: Syntax Question on GPG2 on LINUX
In-Reply-To: <SN1PR0701MB19677F8AFFF1D733608EDEBEABC70@SN1PR0701MB1967.namprd07.prod.outlook.com>
References: <SN1PR0701MB19677F8AFFF1D733608EDEBEABC70@SN1PR0701MB1967.namprd07.prod.outlook.com>
Message-ID: <52ed70c72bc8454b946d0799fc097ffb@t1l1exchmbs-01.fchn.com>

Jim,

I don't use modern but I do have a script for classic that works in unattended mode on a Linux box.  The caller knows the input file name and the script knows my passphrase -- default gpg_pass2.  Hope this helps with gpg2! --Steve

$ cat gpg_encrypt
#!/bin/ksh
usage="gpg_encrypt [ -a -b -e ext -n -s ] PK_ID source"
#
#   Interface script for edi and ftpexec to encrypt files vi GnuPG
#
#   -a  Use Ascii Armor (--armor switch)
#   -b  Use binary (e.g. opposite of -a)
#   -e  Use ext as value of file extension (defaults to pgp when not specified)
#   -n  Do not sign (e.g. opposite of -s)
#   -s  Sign using key for helpdesk at fchn.com as signing key
# For conflicting options, the last one entered takes precedence.
#
#   PK_ID  Key ID to which the file is to be encrypted.
#   source Source file name to encrypt.
#
# Encryptes to a file of source.ext and name is echoed to stdlist

XRG_DBA=${XRG_DBA:=/usr/xrg_dba}
xrgbin=$XRG_DBA/bin
homedir=$($xrgbin/default gpg_home)

EXT=pgp
ARMOR=""
SIGN="--sign"

while getopts ":abe:ns" opt
do
  case $opt in
    a) ARMOR="--armor" ;;
    b) ARMOR="" ;;
    e) EXT=$OPTARG ;;
    n) SIGN="" ;;
    s) SIGN="--sign" ;;
    *) echo $usage
       exit 2
       ;;
  esac
done

shift $(($OPTIND - 1))

if [[ $# -ne 2 ]]; then
  echo "gpg_encrypt:  Must supply 2 parameters" >&2
  echo " usage: $usage" >&2
  exit 99
fi

rm -f "$2.$EXT" > /dev/null

if [[ -z $SIGN ]]; then
  gpg --batch --homedir $homedir --quiet --no-tty --always-trust $ARMOR \
      --no-permission-warning --recipient $1 --output "$2.$EXT" --encrypt "$2"
  x=$?
else
  $xrgbin/default gpg_pass2  | gpg \
     --batch --homedir $homedir --quiet --no-tty --always-trust $ARMOR \
      --sign --passphrase-fd 0 --default-key helpdesk at fchn.com \
      --no-permission-warning --recipient $1 --output "$2.$EXT" --encrypt "$2"
  x=$?
fi

if [ $x -ne 0 ]; then
  echo "gpg_encrypt: gpg failure code '$x'" >&2
fi
echo "$2.$EXT"
exit $x
#

From: Gnupg-users [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Jim Ernst
Sent: Thursday, October 06, 2016 5:39 AM
To: gnupg-users at gnupg.org
Subject: Syntax Question on GPG2 on LINUX

Hello All -

I am working in a LINUX environment using GPG version 2.1.15

Can anyone give me the syntax to use gpg2  to create a signed, encrypted file using a passphrase in a LINUX shell script ?  This is being run from Oracle EBS on a schedule so there would not be a user interacting to answer prompts. With this mode, is there any terminal settings I would need to set ?

Thanks !!
Jim Ernst
NTT Data
NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law.

-- 
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, 
is for the sole use of the intended recipient(s) and may contain 
confidential 
and privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161006/705da483/attachment-0001.html>

From gniibe at fsij.org  Fri Oct  7 04:56:14 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 7 Oct 2016 11:56:14 +0900
Subject: using with su/sudo
In-Reply-To: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
Message-ID: <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>

On 10/07/2016 12:21 AM, John Lane wrote:
> The requirement for tty ownership for commands where pinentry is
> required causes problems for shells opened with sudo or su, where
> such commands generally result in a "permission denied" kind of error:
> 
>     $ gpg -d /tmp/encrypted.asc
>     gpg: public key decryption failed: Permission denied
> 
> I can use "script" to work around this but it is a bit of a hack that
> relies on the fact that "script" creates a new tty owned by the current
> user:
> 
>     $ script -q -c 'gpg -d /tmp/encrypted.asc'
> 
> Is there a correct way to make gpg play nicely inside su/sudo ?

One possible way is invoking gpg with an option
 --pinentry-mode=loopback.


I confirmed this issue with TTY.  The cause is that pinentry cannot
open the TTY in question in the situation of its owner is original
user.  It's EACCESS (Permission denied) to TTY device when pinentry
tries to open the TTY.

I created a ticket at the bug tracker.

    https://bugs.gnupg.org/gnupg/issue2739


With the situation of gpg-agent's allow-loopback-pinentry is default
now, perhaps, it would be the best (from the user's viewpoint) that
gpg-agent automatically fallbacks to loopback mode.

On window system, I think it doesn't work either...
-- 


From gnupg at jelmail.com  Fri Oct  7 12:45:02 2016
From: gnupg at jelmail.com (John Lane)
Date: Fri, 7 Oct 2016 11:45:02 +0100
Subject: using with su/sudo
In-Reply-To: <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
 <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
Message-ID: <dc0463e2-2909-a589-aa9e-a667db6f6d09@jelmail.com>


> One possible way is invoking gpg with an option
>  --pinentry-mode=loopback.
Yes, just tried this. It works but you lose the pinentry dialog.
> I created a ticket at the bug tracker.
>
>     https://bugs.gnupg.org/gnupg/issue2739
>
thanks for creating the ticket.
> With the situation of gpg-agent's allow-loopback-pinentry is default
> now, perhaps, it would be the best (from the user's viewpoint) that
> gpg-agent automatically fallbacks to loopback mode.
I agree, although I think the loopback mode is less clear in what
password it's asking for (especially in keygen). At least it would work.




From rjh at sixdemonbag.org  Fri Oct  7 17:52:09 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 7 Oct 2016 11:52:09 -0400
Subject: gnupg-for-java
Message-ID: <02e301d220b2$c39a1bd0$4ace5370$@sixdemonbag.org>

A while ago someone was trying to update gnupg-for-java to work with a more
modern environment.  Does anyone remember who did that work, or where I
could find it?  The version of gnupg-for-java I'm downloading from Guardian
Project's github account has dependencies on a lot of old stuff and I'm
having the devil's own time getting it built on macOS Sierra (Java 1.8,
GPGME 1.7).  Before I dig deeper into this to fix my problems and bring it
up to date, I thought I'd check and see if someone had already done so and
saved me the effort.  :)



From antony at blazrsoft.com  Fri Oct  7 21:15:26 2016
From: antony at blazrsoft.com (Antony Prince)
Date: Fri, 07 Oct 2016 15:15:26 -0400
Subject: gnupg-for-java
In-Reply-To: <02e301d220b2$c39a1bd0$4ace5370$@sixdemonbag.org>
References: <02e301d220b2$c39a1bd0$4ace5370$@sixdemonbag.org>
Message-ID: <A306CC04-F88E-49BC-8D33-8F60D505B60D@blazrsoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On October 7, 2016 11:52:09 AM EDT, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
>A while ago someone was trying to update gnupg-for-java to work with a
>more
>modern environment.  Does anyone remember who did that work, or where I
>could find it?  The version of gnupg-for-java I'm downloading from
>Guardian
>Project's github account has dependencies on a lot of old stuff and I'm
>having the devil's own time getting it built on macOS Sierra (Java 1.8,
>GPGME 1.7).  Before I dig deeper into this to fix my problems and bring
>it
>up to date, I thought I'd check and see if someone had already done so
>and
>saved me the effort.  :)


I played around with it a bit months ago (maybe longer), but I never made any concrete progress on it other than compiling it on Ubuntu and doing some simple operations through it. I don't think I had anything that would have helped with the Mac situation.

- --
Antony
-----BEGIN PGP SIGNATURE-----

iQJCBAEBCgAsJRxBbnRvbnkgUHJpbmNlIDxhbnRvbnlAYmxhenJzb2Z0LmNvbT4F
Alf39EQACgkQrz1AhzAbGxnTAA//UrxwaxnTQS0euBgBMNK6KptCzY6CluVuD5VV
xp06aOrbtSb9ygCYt7xLsXFtPW8clkJwDqAjQ38fzfhJdby+BapiKzOgXEl7TfsX
vpdgFiLv42RnTazVcnWxkki0WI57u6RUSdoEwYfcsY6KAeIK6wbPK91z42ZllpLV
a2QW3r3BX0xHvZZi1tl5ZWjxIS2XLkCnacYtPSfsyJINFlntJHgFtMGbaHF/G3gC
YmApXOg7tomNkLDe7RLpyMcMLkYFuJaAe2gIxc5so5stxmVKb66SdAZKYEQDsmr4
s4kxKClue8inTLBl6BUyIaYfbsWi6SGwOT9NlGAoKHf49SxvJGWJczVwa2lAFYNH
Y4GeBeHrBMTPCcwN5J6CkxqgR0omBrARkUnQv2z6+UPYRw5wwdTyfG5jUa57QQzf
LJLiOtZHkQVYCaWT8+ljM0EN7uCkU5nuLm/ezBssNPxwyOYYuRATrIjSyePW7CaA
Y+FGYPAHOUKqAmuuABsNaJEKoYdkCeL/IkiW3pqETpjo3HRXGHiHOvF1+fRKBdIe
7jLsBybUCLs2TRzqFrazijY9HF28Ynm8Hstrgl0C5ssxIUde756as5djTEkWNi6B
xJp6bPKgBSfr4x1N/JOgmQQaBVYVuH/LM/V58Zot62S1Iz3NC36pzhoiFshJpROF
WmNyBLw=
=YTN+
-----END PGP SIGNATURE-----



From jernst at invacarecontractor.com  Fri Oct  7 22:59:44 2016
From: jernst at invacarecontractor.com (Jim Ernst)
Date: Fri, 7 Oct 2016 20:59:44 +0000
Subject: Linux GPG2 Encryption Getting Intermittent  gpg: signing failed:
 Inappropriate ioctl for device When Run From Oracle Apps 
Message-ID: <SN1PR0701MB1967DC84E70C80D4DCD438F2ABC60@SN1PR0701MB1967.namprd07.prod.outlook.com>

Hello All  -

I am using the following code with gpg (GnuPG) 2.1.15, and when run on Linux submitted from an Oracle EBS Apps request it errors with "gpg: signing failed: Inappropriate ioctl for device":

/usr/local/bin/gpg2 -v --batch --no-tty --output $v_outbound_dir/$v_fname_sign --encrypt --recipient $v_recipient --passphrase $v_passphrase --sign $v_sd_name/$v_fn
ame_in

The process will work then the error will suddenly occur when there has been no change in the statement. Has anyone hit something like this before ?

I notice the error message has "gpg:"; does gpg2 start its' messages this way or with "gpg2:" ?

Thanks,
James Ernst
NTT Data
NOTE: The sender of this email is an independent contractor of Invacare Corporation or one of its subsidiaries. CONFIDENTIALITY NOTICE: The information in this e-mail message and any attachments may contain privileged, confidential or proprietary information, including confidential health information, protected by applicable Federal or state laws. Such information is intended only for the recipient named above. If you are not the intended recipient, please notify the sender immediately, and take notice that any use, disclosure or distribution of such information is prohibited by law.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161007/221fc66b/attachment.html>

From passionate_programmer at hotmail.com  Sat Oct  8 08:58:12 2016
From: passionate_programmer at hotmail.com (Rohit P)
Date: Sat, 8 Oct 2016 06:58:12 +0000
Subject: RSA 4096-bit Key
Message-ID: <MAXPR01MB0412F196E64D973776E35F5B97D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>

I am using latest version of GPG. I noticed there is no option to generate RSA 4096-bit key. The same goes with DSA.


In older versions of GnuPG, this key size was supported.


.........................

Regards,

RP
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161008/51956fab/attachment-0001.html>

From passionate_programmer at hotmail.com  Sat Oct  8 09:02:00 2016
From: passionate_programmer at hotmail.com (Rohit P)
Date: Sat, 8 Oct 2016 07:02:00 +0000
Subject: GnuPG vs. GPG4Win
Message-ID: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>

In Older versions of GnuPG, a system tray icon used to appear with an option to encrypt text on current window.


Newer versions of GnuPG has no such option.


I am not understanding the difference between GnuPG and GPG4Win. Are these one and the same thing?


Windows binary is not available for download from GnuPG site.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161008/f5f7d78b/attachment.html>

From herbert at mailbox.org  Sat Oct  8 09:17:21 2016
From: herbert at mailbox.org (Herbert J. Skuhra)
Date: Sat, 08 Oct 2016 09:17:21 +0200
Subject: RSA 4096-bit Key
In-Reply-To: <MAXPR01MB0412F196E64D973776E35F5B97D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB0412F196E64D973776E35F5B97D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <86fuo7z4vy.wl-herbert@mailbox.org>

Rohit P skrev:
> 
> I am using latest version of GPG. I noticed there is no option to generate RSA 4096-bit key. The same goes with DSA.
> In older versions of GnuPG, this key size was supported.

% man gpg
% gpg --full-gen-key

--
Herbert


From 2014-667rhzu3dc-lists-groups at riseup.net  Sat Oct  8 12:05:43 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 8 Oct 2016 11:05:43 +0100
Subject: Terminology - certificate or key ?
In-Reply-To: <20161004155530.GA2060@fritha.org>
References: <201610021044.u92AiGNA004672@fire.js.berklix.net> 
 <87ponhr03i.fsf@wheatstone.g10code.de> <20161004155530.GA2060@fritha.org>
Message-ID: <70523197.20161008110543@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Tuesday 4 October 2016 at 4:55:30 PM, in
<mid:20161004155530.GA2060 at fritha.org>, Heinz Diehl wrote:-



> The left one is a modular padlock, and the one in the middle is an
> integrated padlock. According to one of my friends who is a native
> en_GB speaker.

As a native en_GB speaker I had never heard those terms. A quick
internet search lead me to [0].

         "And while this was happening Yale was creating the first
         modular padlock (up until this point all padlocks had used
         integrated locking mechanisms). These new modular locking
         mechanics allowed the locks to be serviced and rekeyed
         because all components could be removed and reconstructed."


[0] <http://united-locksmith.net/blog/the-history-of-padlocks>


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Don't ask me, I'm making this up as I go!
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlf4xQFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eORtbgD/SdtqmwhRwikMctU60kBlV1uL
25LDktr9ROYwIiLGz1EA/RxrxAt5sge054QBLQYhVfd9NquFYPGkGfANZcyRHjgB
iQF8BAEBCgBmBQJX+MUVXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwFtcH+wYIrS/sAk2+J/pVnK7o6oQR
tdFhFSUMvKuO/fQpliCSKRabYn1MOOsLA8ph06FF+mgdMrkTkyacNBbld7kaoL3b
VikeQk38+7RezBL7eBhkz+wthUPmLQNoBuI7jtgpM1aJTd3XTxmUmrl8PeAvwXp9
IMJNRqXsepdKBfCRxM2OHwo4rvJ4dWJME8ckYLRrKL6MKYSGju2veBtYiwOm/TIp
MXB115KgbM3Xaym2IMM7GZIJ9V3rux9T4zFmqfSfS31AryFohUWKwGZunckSUzLk
lKDpWeZdC9QTJVAVrKbL5cXsdvF7Q85f8MlGTbhUGb1kP7yjdaBvtHcZA8lsrsM=
=RnKK
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From 2014-667rhzu3dc-lists-groups at riseup.net  Sat Oct  8 12:24:57 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sat, 8 Oct 2016 11:24:57 +0100
Subject: GnuPG vs. GPG4Win
In-Reply-To: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <1552263190.20161008112457@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 8 October 2016 at 8:02:00 AM, in
<mid:MAXPR01MB04127ABD7BD6879C5EE2993197D90 at MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
Rohit P wrote:-


> In Older versions of GnuPG, a system tray icon used to appear with
> an option to encrypt text on current window. Newer versions of GnuPG
> has no such option.

That would come from some frontend or Explorer plugin, not from GnuPG
itself.



> I am not understanding the difference between GnuPG and GPG4Win.
> Are these one and the same thing?

GPG4win is GnuPG 2.0.x bundled with a choice of certificate managers,
plugins for Outlook and Windows Explorer, and the Gpg4win Compendium
documentation. They also have "light" and "vanilla" downloads that
eschew some or all of the extras.



> Windows binary is not available for download from GnuPG site.

Windows binaries for GnuPG versions 2.1.x and 1.4.x are the second and
third items listed at <https://gnupg.org/download/index.html#sec-1-2>.

The first list item points you to the GPG4win download page.



- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

It is easy to propose impossible remedies.
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlf4yXlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOR2PgEApRaq79a3JIx8w5eTBIn8QnRh
h8uxU4uin0PUXPgKZQQA/0j5JyRNqlbmhc2xzuUc8ALK8PdPY+XUzcKXm72KS3AC
iQF8BAEBCgBmBQJX+Ml5XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwBCUIAIk1Aa9lGYWTp1ka17q1Fzki
XVYdXE6PQ+zDmS9D9v5MF1NDI281pkJmxE/fMe7zlxJ0I9QYJMS/XFBX/ZsrXZVE
bgwSJpVS2EPGh3WpAZihphImlkMZ59GzK6QVqdYGKuW6J3JaLpdUHV/MNle1g+sK
cWgXu9Qa+Jid56MTUnRimqngAFOjKpPBhPcsLgfs7xn7yEC3U/SCae5pUMjt98Lz
UKoMrQh1zPMGmArAyn2rSVMlKOzk+7GYC4++GNwXM3YciREuE8WLq+GKYRZu6Fcs
xD34jFGxvmMFu0Hk5kJMoEc72+eKrU3P3sf2EAsILCrIS0n12rEnodNgnuUgAzU=
=ymqs
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From peter at digitalbrains.com  Sat Oct  8 12:59:40 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 8 Oct 2016 12:59:40 +0200
Subject: Linux GPG2 Encryption Getting Intermittent gpg: signing failed:
 Inappropriate ioctl for device When Run From Oracle Apps
In-Reply-To: <SN1PR0701MB1967DC84E70C80D4DCD438F2ABC60@SN1PR0701MB1967.namprd07.prod.outlook.com>
References: <SN1PR0701MB1967DC84E70C80D4DCD438F2ABC60@SN1PR0701MB1967.namprd07.prod.outlook.com>
Message-ID: <920f0488-b9f8-d589-0a50-6f25ba110b93@digitalbrains.com>

On 07/10/16 22:59, Jim Ernst wrote:
> I am using the following code with gpg (GnuPG) 2.1.15, and when run on
> Linux submitted from an Oracle EBS Apps request it errors with ?gpg:
> signing failed: Inappropriate ioctl for device?:

This sounds like the bug <https://bugs.gnupg.org/gnupg/issue2680>. The
bug is that the error message is quite unclear, but means that the
program was unable to prompt for a passphrase with a pinentry.

> /usr/local/bin/gpg2 -v --batch --no-tty --output
> $v_outbound_dir/$v_fname_sign --encrypt --recipient $v_recipient
> --passphrase $v_passphrase --sign $v_sd_name/$v_fn

I find it odd that this even works as intended for you at all. I usually
get confused as to which versions of GnuPG support which methods of
unusual passphrase entry, but my GnuPG 2.1.11 [1] does not respect the
--passphrase argument at all. It simply prompts me for the passphrase
through a pinentry anyway.

So my guess is that the "intermittent" behaviour you see is that when
the passphrase is known and cached, it will run okay, ignoring your
--passphrase argument. But when it needs to know the passphrase, it will
error out since it can't locate a method to interact with you.

Usually, the --passphrase argument makes no sense from a security
standpoint. You encrypt the private key because you don't want anyone
with access to that file to directly have your private key. Yet, they
only need to access the file with your script to simply obtain the
passphrase there. You've only changed the scenario from "there's one
interesting file" to "you need two files". That's not very useful.
Another point is that the passphrase is plainly in the process list when
someone does a "ps ax" while GnuPG is running.

For unattended signing, I think usually you either store the private key
unencrypted (or at least, the signing subkey), or you prime the
passphrase cache when you boot the server, with gpg-preset-passphrase.

But I don't know much about scripting GnuPG effectively.

HTH,

Peter.

[1] I should start compiling my own newer versions, but haven't started
yet. I run Debian jessie/stable, and the newest versions of GnuPG 2.1
for testing and unstable are not easily installable on stable. That's
why I'm a tad behind.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From passionate_programmer at hotmail.com  Sat Oct  8 14:46:19 2016
From: passionate_programmer at hotmail.com (Rohit P)
Date: Sat, 8 Oct 2016 12:46:19 +0000
Subject: GnuPG vs. GPG4Win
In-Reply-To: <1552263190.20161008112457@riseup.net>
References: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <1552263190.20161008112457@riseup.net>
Message-ID: <MAXPR01MB04121F2FC1C27C8306DA54D797D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>

Thanks.


I downloaded the second item from the link you provided. It has no front-end and the readme file says it can be run only from command-line.


................

RP

________________________________
From: MFPA <2014-667rhzu3dc-lists-groups at riseup.net>
Sent: Saturday, October 8, 2016 3:54 PM
To: Rohit P on GnuPG-Users
Cc: Rohit P
Subject: Re: GnuPG vs. GPG4Win

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 8 October 2016 at 8:02:00 AM, in
<mid:MAXPR01MB04127ABD7BD6879C5EE2993197D90 at MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
Rohit P wrote:-


> In Older versions of GnuPG, a system tray icon used to appear with
> an option to encrypt text on current window. Newer versions of GnuPG
> has no such option.

That would come from some frontend or Explorer plugin, not from GnuPG
itself.



> I am not understanding the difference between GnuPG and GPG4Win.
> Are these one and the same thing?

GPG4win is GnuPG 2.0.x bundled with a choice of certificate managers,
plugins for Outlook and Windows Explorer, and the Gpg4win Compendium
documentation. They also have "light" and "vanilla" downloads that
eschew some or all of the extras.



> Windows binary is not available for download from GnuPG site.

Windows binaries for GnuPG versions 2.1.x and 1.4.x are the second and
third items listed at <https://gnupg.org/download/index.html#sec-1-2>.

The first list item points you to the GPG4win download page.



- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

It is easy to propose impossible remedies.
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlf4yXlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOR2PgEApRaq79a3JIx8w5eTBIn8QnRh
h8uxU4uin0PUXPgKZQQA/0j5JyRNqlbmhc2xzuUc8ALK8PdPY+XUzcKXm72KS3AC
iQF8BAEBCgBmBQJX+Ml5XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwBCUIAIk1Aa9lGYWTp1ka17q1Fzki
XVYdXE6PQ+zDmS9D9v5MF1NDI281pkJmxE/fMe7zlxJ0I9QYJMS/XFBX/ZsrXZVE
bgwSJpVS2EPGh3WpAZihphImlkMZ59GzK6QVqdYGKuW6J3JaLpdUHV/MNle1g+sK
cWgXu9Qa+Jid56MTUnRimqngAFOjKpPBhPcsLgfs7xn7yEC3U/SCae5pUMjt98Lz
UKoMrQh1zPMGmArAyn2rSVMlKOzk+7GYC4++GNwXM3YciREuE8WLq+GKYRZu6Fcs
xD34jFGxvmMFu0Hk5kJMoEc72+eKrU3P3sf2EAsILCrIS0n12rEnodNgnuUgAzU=
=ymqs
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161008/99087160/attachment-0001.html>

From lists at ssl-mail.com  Sun Oct  9 17:11:36 2016
From: lists at ssl-mail.com (lists at ssl-mail.com)
Date: Sun, 09 Oct 2016 08:11:36 -0700
Subject: every keyserver submit/retrieve returns " ERR 167772346 No keyserver
 available <Dirmngr>" ?
Message-ID: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com>

I'm trying to get gpg2 up & running on linux.

I've installed

	gpg2 --version
		gpg (GnuPG) 2.1.15
		libgcrypt 1.7.3
		Copyright (C) 2016 Free Software Foundation, Inc.
		License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
		This is free software: you are free to change and redistribute it.
		There is NO WARRANTY, to the extent permitted by law.

		Home: /home/test/.gnupg
		Supported algorithms:
		Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
		Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
		        CAMELLIA128, CAMELLIA192, CAMELLIA256
		Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
		Compression: Uncompressed, ZIP, ZLIB, BZIP2

I can generate key pairs and rev certs OK.

But when I try to upload/retrieve from any keyserver, I get "ERR 167772346 No keyserver available <Dirmngr>".

Here's an attempt with keyserver == pool @ hkps://hkps.pool.sks-keyservers.net

	gpg -v --debug-all --recv-keys 0x673A03E4C1DB921F
		gpg: reading options from '/home/test/.gnupg/gpg.conf'
		gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing cardio ipc clock lookup extprog
		gpg: DBG: [not enabled in the source] start
		gpg: DBG: chan_3 <- # Home: /home/test/.gnupg
		gpg: DBG: chan_3 <- # Config: /home/test/.gnupg/dirmngr.conf
		gpg: DBG: chan_3 <- OK Dirmngr 2.1.15 at your service
		gpg: DBG: connection to the dirmngr established
		gpg: DBG: chan_3 -> GETINFO version
		gpg: DBG: chan_3 <- D 2.1.15
		gpg: DBG: chan_3 <- OK
		gpg: DBG: chan_3 -> KEYSERVER --clear hkps://hkps.pool.sks-keyservers.net
		gpg: DBG: chan_3 <- OK
		gpg: DBG: chan_3 -> KS_GET -- 0x673A03E4C1DB921F
		gpg: DBG: chan_3 <- ERR 167772346 No keyserver available <Dirmngr>
		gpg: keyserver receive failed: No keyserver available
		gpg: DBG: chan_3 -> BYE
		gpg: DBG: [not enabled in the source] stop
		gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
		              outmix=0 getlvl1=0/0 getlvl2=0/0
		gpg: secmem usage: 0/65536 bytes in 0 blocks


I've tried a bunch of different keyservers with always the same result.

What am I missing?


From kristian.fiskerstrand at sumptuouscapital.com  Sun Oct  9 19:26:45 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Sun, 9 Oct 2016 19:26:45 +0200
Subject: every keyserver submit/retrieve returns " ERR 167772346 No
 keyserver available <Dirmngr>" ?
In-Reply-To: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com>
References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com>
Message-ID: <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com>

On 10/09/2016 05:11 PM, lists at ssl-mail.com wrote:
> I'm trying to get gpg2 up & running on linux.


...

> 
> I've tried a bunch of different keyservers with always the same result.
> 
> What am I missing?

For one thing a

$ dig +trace hkps.pool.sks-keyservers.net to see resolver results,
additionally output of $ gpg-connect-agent --dirmngr 'KEYSERVER --help',
make sure hkps is listed as a supported schemata

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If you cannot convince them, confuse them"
(Harry S Truman)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161009/2611cf62/attachment.sig>

From lists at ssl-mail.com  Sun Oct  9 19:34:10 2016
From: lists at ssl-mail.com (lists at ssl-mail.com)
Date: Sun, 09 Oct 2016 10:34:10 -0700
Subject: every keyserver submit/retrieve returns " ERR 167772346 No
 keyserver available <Dirmngr>" ?
In-Reply-To: <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com>
References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com>
 <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com>
Message-ID: <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com>

hi

On Sun, Oct 9, 2016, at 10:26 AM, Kristian Fiskerstrand wrote:
>> What am I missing?

> For one thing a

just fyi, more here @

	https://bugs.gnupg.org/gnupg/issue2745

> $ dig +trace hkps.pool.sks-keyservers.net to see resolver results,

>From the machine on which I'm running gpg

	dig +trace hkps.pool.sks-keyservers.net

		; <<>> DiG 9.10.3-P4 <<>> +trace hkps.pool.sks-keyservers.net
		;; global options: +cmd
		.                       173     IN      NS      b.root-servers.net.
		.                       173     IN      NS      g.root-servers.net.
		.                       173     IN      NS      e.root-servers.net.
		.                       173     IN      NS      a.root-servers.net.
		.                       173     IN      NS      d.root-servers.net.
		.                       173     IN      NS      c.root-servers.net.
		.                       173     IN      NS      i.root-servers.net.
		.                       173     IN      NS      l.root-servers.net.
		.                       173     IN      NS      h.root-servers.net.
		.                       173     IN      NS      f.root-servers.net.
		.                       173     IN      NS      j.root-servers.net.
		.                       173     IN      NS      k.root-servers.net.
		.                       173     IN      NS      m.root-servers.net.
		.                       3573    IN      RRSIG   NS 8 0 518400 20161022050000 20161009040000 39291 . SeIwCb0CKHIaVgEXAVNJ3UJdAmnNyOWmU0TpXSSM58RibXDGmtrJKPkj +EkxIRItWeRvECSa+oqsnc513uhilK94+t4P7395m4AokdlkXjaH3bjh Dxqt8CmA+k9+7/T54x/ZeAsYD2we3FAD7x/lyu8+zRDkFHO0wQ5MekhV WXebhc4OkXNbr5/b65xkjStFrWC7uvOxfVOHtxzObTi5OR8AFisYPsfQ 6Pwu0HtTaJim9wFQgjF60nhzqfFH82Z1qmxWpkTWsaUXKYdETwKmc5l/ ilDni8/Y0f6sQXUsv/J8oTLSDPw6A9n9lJrlKLa7vM3ZDSgw9NVLHtju tWECvA==
		;; Received 525 bytes from 10.19.2.100#53(10.19.2.100) in 0 ms

		net.                    172800  IN      NS      d.gtld-servers.net.
		net.                    172800  IN      NS      m.gtld-servers.net.
		net.                    172800  IN      NS      j.gtld-servers.net.
		net.                    172800  IN      NS      k.gtld-servers.net.
		net.                    172800  IN      NS      i.gtld-servers.net.
		net.                    172800  IN      NS      f.gtld-servers.net.
		net.                    172800  IN      NS      l.gtld-servers.net.
		net.                    172800  IN      NS      b.gtld-servers.net.
		net.                    172800  IN      NS      h.gtld-servers.net.
		net.                    172800  IN      NS      c.gtld-servers.net.
		net.                    172800  IN      NS      a.gtld-servers.net.
		net.                    172800  IN      NS      g.gtld-servers.net.
		net.                    172800  IN      NS      e.gtld-servers.net.
		net.                    86400   IN      DS      35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
		net.                    86400   IN      RRSIG   DS 8 1 86400 20161022050000 20161009040000 39291 . FKrdz/REDbJ/00oUK5owedOwz7rtKZlzdPH8Tv4XbcSgdzZRjoBSVy4N CSxgzJIn7TxhQSJtaVYNpGRNc2vN0uq9SUwntkFs5DOUUv7fGvuRGzgT QOl2u+XKjmDHbTem8RoFJvMMr0UeqS/v7cKnFSvZyxgM43y0IEaA42wt 1q3vOAk93+SD6C0GkYQCb6IQT+UfYACKlkPt/v7UC3S6CjovpLeJKvTv 7P7ON+AbDUaa9SVp+JBvOhAkgstAHQzbNY9uSeTo+gSEpIncqmnQnfO3 sFUt1iXyfDm7ySkq1u71OpMOxWR5e7DkvBR1trBNcfhqLekxEQztZFPx 4msUpQ==
		;; Received 877 bytes from 199.7.91.13#53(d.root-servers.net) in 102 ms

		sks-keyservers.net.     172800  IN      NS      ns2.kfwebs.net.
		sks-keyservers.net.     172800  IN      NS      ns2.sks-keyservers.net.
		sks-keyservers.net.     172800  IN      NS      ns6.sks-keyservers.net.
		sks-keyservers.net.     172800  IN      NS      ns9.sks-keyservers.net.
		sks-keyservers.net.     172800  IN      NS      ns13.sks-keyservers.net.
		sks-keyservers.net.     86400   IN      DS      30729 8 1 625547BEB5EEF7FDB7683462BD9453BD0A886542
		sks-keyservers.net.     86400   IN      RRSIG   DS 8 2 86400 20161015045546 20161008034546 2480 net. EiPMbb2zOb9Lt9rK/iYKN0d1FIWWpzyEEREngvVlbqK2WZASGvPpJbou ZQfS0YIUNVUaSd6mDYCJ21hibUwi7EJ++o4ChfUfrqxXFwF3Dy/j90pp 72G18kYgFtAEt9uA8xEpUrOR4yvKRmnh4FRemk8jYKVDw6bmhksJ1yh/ +sc=
		;; Received 574 bytes from 192.43.172.30#53(i.gtld-servers.net) in 42 ms

		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       140.211.169.202
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       193.224.163.43
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       212.12.48.27
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       94.142.242.225
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       178.62.203.205
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       92.43.111.21
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       18.9.60.141
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       104.236.209.43
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       37.191.220.247
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     A       193.164.133.100
		hkps.pool.SKS-KEYSERVERS.NET. 60 IN     RRSIG   A 8 4 60 20161108172011 20161009162011 30729 sks-keyservers.net. EQM/Uuss9isgA/kCf6PhF3xw/n/g1Rr0xYLeiI/0WAlYqpKZ4s+RaTqJ 66y4hnugzfGlUqfcNJ+14WI3H1GDIGqS9cEeQ5WYD+gRgUDNI043XRAD 0YsN/ueaNPW7ICUhOQdOtYNWIzsuZ9uJi5vQYSjTEq5u2tycU3dQeQvf iEyDwCooqfcac7PMyCO181yUNKVpjagwr0E2fDhZshOqRvJGZ8vIzpKM uQMwz42yBskwBUZk8I8UFOawyyYN5fee0mMuCSVnBF6JP4QbkKIGCQ2P OPsIHqcA/XCw1/sau+UOu0fmDymAR9cef0Mw1cAA3d+18gBIUOtPswyl mJTTBw==
		SKS-KEYSERVERS.NET.     60      IN      NS      ns9.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns2.kfwebs.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns1.kfwebs.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns6.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns13.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns10.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns7.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns2.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      NS      ns12.sks-keyservers.net.
		SKS-KEYSERVERS.NET.     60      IN      RRSIG   NS 8 2 60 20161024162716 20160924160638 30729 sks-keyservers.net. Jek/os9DufEHhA6jIrzLBXiv5CfYQSDt2xYhLKziq4REBfS0k0Nuu04o EeTIjWzZwBbPKLsnLglK3tf71hn8xEZiD9sUwn0wjLAM9vJMLb+EvduH /rnqPbXtOwDltVfyQjjHQyDCmM5otR/s1oHgEu/6fSdZj5N2OM2UIzns 7CdxVoah+E3QrUuitUzHJIDM9Ay/NItKqCBQMzxe1aJebV93+M7jzj5G eSaR8geWTgfWnNhqFDaxWd7ebjhwkC2zA4IJiHbut7CQ0R831IwwXnc3 obGjvzG9oiZXPVa+Okq198ketOQWiLeLfwfPrASHkHVd1DeXTFWnWQhj /+h0JQ==
		;; Received 4094 bytes from 199.74.220.4#53(ns6.sks-keyservers.net) in 51 ms

> gpg-connect-agent --dirmngr 'KEYSERVER --help', make sure hkps is listed as a supported schemata

	gpg-connect-agent --dirmngr 'KEYSERVER --help' /bye
		S # Known schemata:
		S #   hkp
>>>		S #   hkps
		S #   http
		S #   https
		S #   finger
		S #   kdns
		S #   ldap
		S # (Use an URL for engine specific help.)
		OK

It doesn't matter what schema+server I use.  The result's always the same so far.


From ben at adversary.org  Sun Oct  9 20:04:54 2016
From: ben at adversary.org (Ben McGinnes)
Date: Mon, 10 Oct 2016 05:04:54 +1100
Subject: Confusion about a statement in the FAQ
In-Reply-To: <63619217-eec6-59da-a409-db7378c606f2@sixdemonbag.org>
References: <137adf5b-e0e8-42e8-8e1f-c1a3ce0fe0f2@cajuntechie.org>
 <9636ea75-b9cd-088d-fc56-aae95089d4c0@sixdemonbag.org>
 <7d6317c8-da07-5e88-4632-daa6ef66b154@cajuntechie.org>
 <63619217-eec6-59da-a409-db7378c606f2@sixdemonbag.org>
Message-ID: <20161009180454.GA97681@adversary.org>

On Sat, Sep 10, 2016 at 07:36:27PM -0400, Robert J. Hansen wrote:
> > Hmm, OK that's kind of what I thought. But I'm still a little
> > confused. Doesn't the email server have to support it?
> 
> No.
> 
> > Or would the "to" be one of those things not encrypted?
> 
> Headers that are strictly required to process email are not armored.

Actually the "To:" and "From:" headers could be armoured without real
trouble since they're included in the data portion with the "Subject:"
and whatever else any given MUA wants to include.  It's the "rcpt to"
and "mail from" headers that couldn't be, along with the relay data
from SMTP, IMAP and/or POP3 transactions.  It's just that the "To:"
address usually matches the "rcpt to" address and the "From:" address
usually matches "mail from" (mailing lists being one of the more
common exceptions to that).


Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: </pipermail/attachments/20161010/81eef497/attachment.sig>

From 2014-667rhzu3dc-lists-groups at riseup.net  Mon Oct 10 00:02:07 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Sun, 9 Oct 2016 23:02:07 +0100
Subject: GnuPG vs. GPG4Win
In-Reply-To: <MAXPR01MB04121F2FC1C27C8306DA54D797D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
 <1552263190.20161008112457@riseup.net> 
 <MAXPR01MB04121F2FC1C27C8306DA54D797D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <445900054.20161009230207@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Saturday 8 October 2016 at 1:46:19 PM, in
<mid:MAXPR01MB04121F2FC1C27C8306DA54D797D90 at MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>,
Rohit P wrote:-


> Thanks.

> I downloaded the second item from the link you provided. It has no
> front-end and the readme file says it can be run only from
> command-line.

That's as it should be. Well done.


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Don't cry because it is over - smile because it happened
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlf6vmFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOSs3gEA5B+myjR1hVNiwh2VDJvlGYXS
YcQohFmZKQDMsexY8OoA/Rr90ybWeEvgJ4L6HB2vGpaWNU9RM82LrOzAqDLqaGkE
iQF8BAEBCgBmBQJX+r5hXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwlzQH/iagwl9gPeWSw6DBcN2aaUwr
8aZSLZK6I/0uQTYgwkF8WmNO6ZZZs1+PDhwdMICQzB78vESd+tMWizsdXKPsc6Kr
5rLKYCZPPJSqXs4CHhvJ0usjgH456RVTjv+nn1VaXTMGNtfMuhP3s1xx5/owHLpf
1XdAq5mC3h+iNqtDpBDdXD71E6p7yawXuKohB6tBNGvc62nCrm3rPm68pHhFEHg+
ZFSrYcuIrUVYijjHx0rNEe/3TCJ5i6BCUjHAntXQcGRlux7wy96Kt+XpDBwUR2l7
cf5soE8EuDzEV7Wp6+xod4E2zsknqg/b0a057/cyrcw425JheQE+SN6F03uM1/A=
=N/vC
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From kristian.fiskerstrand at sumptuouscapital.com  Mon Oct 10 02:40:30 2016
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 10 Oct 2016 02:40:30 +0200
Subject: Agent forwarding failure when the socketdir was autodeleted
In-Reply-To: <1692039.nYCvrdervT@esus>
References: <3938401.1pLH0TdMhg@esus> <8760p7i6n6.fsf@wheatstone.g10code.de>
 <8760p67kok.fsf@alice.fifthhorseman.net> <1692039.nYCvrdervT@esus>
Message-ID: <7e2d4428-d228-1eac-1bf0-88365059d0a7@sumptuouscapital.com>

On 10/05/2016 09:35 PM, Andre Heinecke wrote:
>> I really think this ought to be handled in OpenSSH.
> Exactly. I wrote a mail to openssh-unix-dev as you suggested to ask about 
> that. Let's see :-)

For record purposes, this is
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-October/035409.html

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"A committee is a group that keeps minutes and loses hours."
(Milton Berle)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161010/b858980c/attachment.sig>

From wk at gnupg.org  Mon Oct 10 11:17:29 2016
From: wk at gnupg.org (Werner Koch)
Date: Mon, 10 Oct 2016 11:17:29 +0200
Subject: every keyserver submit/retrieve returns " ERR 167772346 No
 keyserver available <Dirmngr>" ?
In-Reply-To: <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com>
 (lists@ssl-mail.com's message of "Sun, 09 Oct 2016 10:34:10 -0700")
References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com>
 <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com>
 <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com>
Message-ID: <87twck4l7a.fsf@wheatstone.g10code.de>

On Sun,  9 Oct 2016 19:34, lists at ssl-mail.com said:

> It doesn't matter what schema+server I use.  The result's always the same so far.

To which ADNS version is dirmngr linked?  Did you build it yourself?


Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161010/627c562d/attachment.sig>

From meno.abels at adviser.com  Mon Oct 10 12:04:40 2016
From: meno.abels at adviser.com (Meno Abels)
Date: Mon, 10 Oct 2016 12:04:40 +0200
Subject: Key-Grip unknown in --gen-key --batch
Message-ID: <210DD9AA-665F-4051-9C04-C0F819B2AD28@adviser.com>

Hi, 

there is these manual:

https://www.gnupg.org/documentation/manuals/gnupg/CSR-and-certificate-creation.html#CSR-and-certificate-creation <https://www.gnupg.org/documentation/manuals/gnupg/CSR-and-certificate-creation.html#CSR-and-certificate-creation>

i tried to sign a csr with it and the command Key-Grip is missing some how.

In g10/keygen.c there is no equivalent command what can i do?

this is what i did:
cat <<GPG | gpg2  --full-gen-key --batch
Key-Type: RSA
Key-Length: 1024
Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
Key-Usage: cert
Serial: 1
Name-DN: CN=The STEED Self-Signing Nonthority
Not-Before: 2011-11-11
Not-After: 2106-02-06
Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
Extension: 2.5.29.19 c 30060101ff020101
Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
GPG
result: 
gpg: -:3: unknown keyword

thx 

meno

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161010/33de8a5f/attachment.html>

From dgouttegattat at incenp.org  Mon Oct 10 14:09:03 2016
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Mon, 10 Oct 2016 14:09:03 +0200
Subject: Key-Grip unknown in --gen-key --batch
In-Reply-To: <210DD9AA-665F-4051-9C04-C0F819B2AD28@adviser.com>
References: <210DD9AA-665F-4051-9C04-C0F819B2AD28@adviser.com>
Message-ID: <b0fbf0d9-0455-aea6-dfb3-d4d548b706d0@incenp.org>

On 10/10/2016 12:04 PM, Meno Abels wrote:
> https://www.gnupg.org/documentation/manuals/gnupg/CSR-and-certificate-creation.html#CSR-and-certificate-creation <https://www.gnupg.org/documentation/manuals/gnupg/CSR-and-certificate-creation.html#CSR-and-certificate-creation>
>
> i tried to sign a csr with it and the command Key-Grip is missing some how.
>
> In g10/keygen.c there is no equivalent command what can i do?

To manipulate X.509 certificates (and related concepts such as CSRs), 
you should use the gpgsm program instead of gpg2. gpg2 is for OpenPGP 
material, gpgsm is for X.509/SMIME.

The Key-Grip keyword is recognized by gpgsm (see sm/certreqgen.c).


Damien

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161010/2d516d9c/attachment.sig>

From lists at ssl-mail.com  Mon Oct 10 14:59:38 2016
From: lists at ssl-mail.com (lists at ssl-mail.com)
Date: Mon, 10 Oct 2016 05:59:38 -0700
Subject: every keyserver submit/retrieve returns " ERR 167772346 No
 keyserver available <Dirmngr>" ?
In-Reply-To: <87twck4l7a.fsf@wheatstone.g10code.de>
References: <1476025896.1517127.750372305.69E7CDF5@webmail.messagingengine.com>
 <14d7aceb-c894-933c-af67-50a6c793dfe7@sumptuouscapital.com>
 <1476034450.1541343.750451913.5AA49BD8@webmail.messagingengine.com>
 <87twck4l7a.fsf@wheatstone.g10code.de>
Message-ID: <1476104378.3313768.751161033.3E20D9E8@webmail.messagingengine.com>

hi

On Mon, Oct 10, 2016, at 02:17 AM, Werner Koch wrote:
> To which ADNS version is dirmngr linked?

libadnd1 v1.5.0

	ldd `which dirmngr`
		linux-vdso.so.1 (0x00007fffb67ed000)
	>>	libadns.so.1 => /usr/lib64/libadns.so.1 (0x00007f8ebb2d6000)
		libassuan.so.0 => /usr/lib64/libassuan.so.0 (0x00007f8ebb0c3000)
		libgpg-error.so.0 => /usr/lib64/libgpg-error.so.0 (0x00007f8ebaeaf000)
		libgcrypt.so.20 => /usr/lib64/libgcrypt.so.20 (0x00007f8ebaba2000)
		libksba.so.8 => /usr/lib64/libksba.so.8 (0x00007f8eba96b000)
		libnpth.so.0 => /usr/lib64/libnpth.so.0 (0x00007f8eba765000)
		libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8eba548000)
		libgnutls.so.28 => /usr/lib64/libgnutls.so.28 (0x00007f8eba232000)
		libldap-2.4.so.2 => /usr/lib64/libldap-2.4.so.2 (0x00007f8eb9fe4000)
		libc.so.6 => /lib64/libc.so.6 (0x00007f8eb9c3c000)
		libdl.so.2 => /lib64/libdl.so.2 (0x00007f8eb9a38000)
		/lib64/ld-linux-x86-64.so.2 (0x0000556c975e7000)
		libz.so.1 => /lib64/libz.so.1 (0x00007f8eb9821000)
		libp11-kit.so.0 => /usr/lib64/libp11-kit.so.0 (0x00007f8eb95df000)
		libtasn1.so.6 => /usr/lib64/libtasn1.so.6 (0x00007f8eb93cb000)
		libnettle.so.4 => /usr/lib64/libnettle.so.4 (0x00007f8eb9199000)
		libhogweed.so.2 => /usr/lib64/libhogweed.so.2 (0x00007f8eb8f6a000)
		libgmp.so.10 => /usr/lib64/libgmp.so.10 (0x00007f8eb8ce3000)
		liblber-2.4.so.2 => /usr/lib64/liblber-2.4.so.2 (0x00007f8eb8ad3000)
		libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f8eb88bc000)
		libsasl2.so.3 => /usr/lib64/libsasl2.so.3 (0x00007f8eb869f000)
		libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007f8eb8436000)
		libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007f8eb8042000)
		libffi.so.4 => /usr/lib64/libffi.so.4 (0x00007f8eb7e39000)

	rpm -q --whatprovides /usr/lib64/libadns.so.1
		libadns1-1.5.0-196.1.x86_64

> Did you build it yourself?

No, sourced from distro repo here,

	https://build.opensuse.org/package/show?project=security%3Aprivacy&package=gpg2



From cvimail81 at gmail.com  Sun Oct  9 11:24:26 2016
From: cvimail81 at gmail.com (Egon)
Date: Sun, 9 Oct 2016 11:24:26 +0200
Subject: PGP 2.6.3 IDEA encryption
Message-ID: <d2298379-fd1e-e69b-ddc8-cced3e8979ce@gmail.com>

Hi!

I have some files which was encrypted with PGP 2.6.3. The encryption 
algorithm was IDEA.
I forgotten the password. Can most modern technology give me a 
possibility to decrypt the files?

Best regards: Egon



From rjh at sixdemonbag.org  Mon Oct 10 21:54:58 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 10 Oct 2016 15:54:58 -0400
Subject: PGP 2.6.3 IDEA encryption
In-Reply-To: <d2298379-fd1e-e69b-ddc8-cced3e8979ce@gmail.com>
References: <d2298379-fd1e-e69b-ddc8-cced3e8979ce@gmail.com>
Message-ID: <7dcb6810-6f94-1623-8d0f-f5d6fcab0345@sixdemonbag.org>

> I forgotten the password. Can most modern technology give me a
> possibility to decrypt the files?

No.



From gnupg at jelmail.com  Mon Oct 10 22:56:44 2016
From: gnupg at jelmail.com (John Lane)
Date: Mon, 10 Oct 2016 21:56:44 +0100
Subject: Private key export for SSH
Message-ID: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>

I've been trying out the SSH compatibility. Everything working as per
the documentation, except I have one question.

How can I extract the SSH PRIVATE key ?

I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key
but I can't find an equivalent for the private key.

The reason why I would like the private key is so that I can use it on
another host where I don't have the benefit of gpg 2.1 (or any gpg, for
that matter).

Thanks,
John



From raubvogel at gmail.com  Mon Oct 10 22:12:55 2016
From: raubvogel at gmail.com (Mauricio Tavares)
Date: Mon, 10 Oct 2016 16:12:55 -0400
Subject: Private key export for SSH
In-Reply-To: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
Message-ID: <CAHEKYV7JFixnOf+hoDkmG+fGykWFG0V32EffwjTe99=1y8N9mQ@mail.gmail.com>

Would

gpg --export-secret-keys -a C00FFEE > secret

do the trick?

On Mon, Oct 10, 2016 at 4:56 PM, John Lane <gnupg at jelmail.com> wrote:
> I've been trying out the SSH compatibility. Everything working as per
> the documentation, except I have one question.
>
> How can I extract the SSH PRIVATE key ?
>
> I am using "gpg --export-ssh-key alice > ssh_key.pub" for the public key
> but I can't find an equivalent for the private key.
>
> The reason why I would like the private key is so that I can use it on
> another host where I don't have the benefit of gpg 2.1 (or any gpg, for
> that matter).
>
> Thanks,
> John
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


From 2014-667rhzu3dc-lists-groups at riseup.net  Mon Oct 10 23:48:59 2016
From: 2014-667rhzu3dc-lists-groups at riseup.net (MFPA)
Date: Mon, 10 Oct 2016 22:48:59 +0100
Subject: GnuPG vs. GPG4Win
In-Reply-To: <CACpWn9Q5seER_HY5rYKFaDeHxDmsLVP4aSySvNG3+HC1uvNGCw@mail.gmail.com>
References: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
 <1552263190.20161008112457@riseup.net>
 <MAXPR01MB04121F2FC1C27C8306DA54D797D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
 <445900054.20161009230207@riseup.net>
 <CACpWn9Q5seER_HY5rYKFaDeHxDmsLVP4aSySvNG3+HC1uvNGCw@mail.gmail.com>
Message-ID: <1667144200.20161010224859@riseup.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Sunday 9 October 2016 at 11:53:10 PM, in
<mid:CACpWn9Q5seER_HY5rYKFaDeHxDmsLVP4aSySvNG3+HC1uvNGCw at mail.gmail.com>,
Schlacta, Christ wrote:-


> What we need is whomever maintains
> gpg4win to release a guide on how to have it utilize the system's
> install gnupg, so we can get 2.1.x working with some decent
> management interfacen.


Note: I use GnuPG 2.1.15 under Windows but do not use gpg4win.

That said, have you tried gpg4win's beta version?
Gpg4win version 3.0.0-beta187 (2016-09-05) includes GnuPG 2.1.15.
I'm not sure what component in the package is a beta; GnuPG 2.1.15
isn't and most of the version numbers match those in Gpg4win version
2.3.3 (2016-08-18).


- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

After all is said and done, a lot more will be said than done.
-----BEGIN PGP SIGNATURE-----

iL4EARYKAGYFAlf8DNNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eORT5gD/YCLLia6cW6kUCyR4AZ2QWZX0
qUmu0ja8ucVU6ZuxHXIBAM56E3kCuT0kQoxurM2ULkCYj3sEr4hy0YAi8tB3vgsH
iQF8BAEBCgBmBQJX/AzoXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwdREH/jbicN5ACdngq2WH4FifZt+l
IpZogyi3yJq3PBxAakJ4128LjSVKngGw+azGAAKDgHOaPg5GGoZQgQVt6CTXgx2Q
XgYz7HjgF285PDy1pgZWsZdzLQrwH/8pTIlPCEeMWArhk1TucFkzmK42Ti96ngrE
HYn5ycmitGSI6D+A7oZRNyXfg92G3bWCCpKYojpnZ8KOjkBXImOpEN/XfbT5hPLb
7Usf3r/wRHooNISzXzAjJ4Ggj9JYwZ5HkV6HZ9LsDXAP1k9Xn8r99J5Kda46AjMX
wvVepdNqHMMV4h7gg1Fdwiwgymh5AnVPyOhaSc3b9XDztHBfabeptBFUJ3dggng=
=CJP2
-----END PGP SIGNATURE-----


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



From juanmi.3000 at gmail.com  Tue Oct 11 00:44:51 2016
From: juanmi.3000 at gmail.com (=?UTF-8?Q?Juan_Miguel_Navarro_Mart=c3=adnez?=)
Date: Tue, 11 Oct 2016 00:44:51 +0200
Subject: GnuPG vs. GPG4Win
In-Reply-To: <1667144200.20161010224859@riseup.net>
References: <MAXPR01MB04127ABD7BD6879C5EE2993197D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
 <1552263190.20161008112457@riseup.net>
 <MAXPR01MB04121F2FC1C27C8306DA54D797D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
 <445900054.20161009230207@riseup.net>
 <CACpWn9Q5seER_HY5rYKFaDeHxDmsLVP4aSySvNG3+HC1uvNGCw@mail.gmail.com>
 <1667144200.20161010224859@riseup.net>
Message-ID: <66a965bd-32e9-de2a-e3a1-401bcc041373@gmail.com>

On 2016-10-10 at 23:48, MFPA wrote:
> I'm not sure what component in the package is a beta; GnuPG 2.1.15
> isn't and most of the version numbers match those in Gpg4win version
> 2.3.3 (2016-08-18).
> 

I think it's mostly the GpgOl and GpgEx parts of the bundle that are in
beta, unless there's something different on Kleopatra and GPA Gpg4Win
builds.

-- 
Juan Miguel Navarro Mart?nez

GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF


From daniel at pocock.pro  Tue Oct 11 07:41:28 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Tue, 11 Oct 2016 07:41:28 +0200
Subject: making a Debian Live CD for managing GnuPG master key and
 smartcards
In-Reply-To: <571F1E62.30203@pocock.pro>
References: <571F1E62.30203@pocock.pro>
Message-ID: <6d52d6e6-020c-e8d4-eec8-8d9bc08c5c4b@pocock.pro>



On 26/04/16 09:53, Daniel Pocock wrote:
> 
> There has been some discussion on debian-devel[1] about making a
> bootable Debian Live CD specifically for GnuPG
> 


This can now be used, command line only for the moment, as described in
my blog[1] about it

If anybody wants to help take this further please join the list[2] I set
up for it

Regards,

Daniel


1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
2. https://lists.alioth.debian.org/mailman/listinfo/pki-clean-room-devel


From gnupg at jelmail.com  Tue Oct 11 12:13:13 2016
From: gnupg at jelmail.com (John Lane)
Date: Tue, 11 Oct 2016 11:13:13 +0100
Subject: Private key export for SSH
In-Reply-To: <CAHEKYV7JFixnOf+hoDkmG+fGykWFG0V32EffwjTe99=1y8N9mQ@mail.gmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <CAHEKYV7JFixnOf+hoDkmG+fGykWFG0V32EffwjTe99=1y8N9mQ@mail.gmail.com>
Message-ID: <f7608d19-1669-d172-03eb-bfc5fe991e02@jelmail.com>

On 10/10/16 21:12, Mauricio Tavares wrote:
> Would
>
> gpg --export-secret-keys -a C00FFEE > secret
>
> do the trick?
No, because that exports a gpg keyring and not an ssh private key.

One might imply the below is possible, but the error would indicate that
it isnt:

    $ gpg --export-secret-keys --export-ssh-key alice
    gpg: conflicting commands



From peter at digitalbrains.com  Tue Oct 11 11:47:17 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 11 Oct 2016 11:47:17 +0200
Subject: Private key export for SSH
In-Reply-To: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
Message-ID: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>

On 10/10/16 22:56, John Lane wrote:
> The reason why I would like the private key is so that I can use it on
> another host where I don't have the benefit of gpg 2.1 (or any gpg, for
> that matter).

I don't know if you can do private key export; perhaps with monkeysphere?

Here's a different idea. An .ssh/authorized_keys file is a list of text
lines, each line being a single authentication key. Normally, you append
the contents of id_xxx.pub, a single line, to an .ssh/authorized_keys
file to add that key.

How about you just create a separate key for the machine where you don't
use GnuPG, and then create a .pub file that contains two lines, one for
the GnuPG key and one for the other key?

$ rsync other:.ssh/id_rsa.pub combined.pub
$ gpg --export-ssh-key alice >> combined.pub

Note the second command appends to combined.pub.

Then any time you add combined.pub to an .ssh/authorized_keys file,
you're adding both keys, with the same procedure you would normally add
a single key, no extra clicks, nothing :-).

HTH.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From gnupg at jelmail.com  Tue Oct 11 13:46:55 2016
From: gnupg at jelmail.com (John Lane)
Date: Tue, 11 Oct 2016 12:46:55 +0100
Subject: Private key export for SSH
In-Reply-To: <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
Message-ID: <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>

> I don't know if you can do private key export; perhaps with monkeysphere?

I have Monkeysphere on my radar but I haven't got around to trying it
out. I had hoped for a gpg solution without resorting to third party...

> How about you just create a separate key for the machine where you don't
> use GnuPG, and then create a .pub file that contains two lines, one for
> the GnuPG key and one for the other key? 

Yes sure I could do that (and do) but I hoped for way to export the ssh
private key from gpg. It feels cleaner to me to just have one key.

So it sounds like it isn't possible then. Is there a reason why, beyond
the possibility that it just hasn't been implemented? I would have
thought doing this would complete the circle as far as gpg keys being
used for ssh...



From peter at digitalbrains.com  Tue Oct 11 15:35:37 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 11 Oct 2016 15:35:37 +0200
Subject: Private key export for SSH
In-Reply-To: <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
Message-ID: <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>

On 11/10/16 13:46, John Lane wrote:
> I have Monkeysphere on my radar but I haven't got around to trying
> it out. I had hoped for a gpg solution without resorting to third
> party...

I think I vaguely remember Monkeysphere supporting it.

> Yes sure I could do that (and do) but I hoped for way to export the
> ssh private key from gpg. It feels cleaner to me to just have one
> key.

(I'd consider key-per-user/workstation-combo cleaner :-)

> Is there a reason why, beyond the possibility that it just hasn't
> been implemented?

I think other features simply were more important, and got priority...

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From dkg at fifthhorseman.net  Tue Oct 11 16:20:37 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 11 Oct 2016 10:20:37 -0400
Subject: Private key export for SSH
In-Reply-To: <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
Message-ID: <87y41vynka.fsf@alice.fifthhorseman.net>

On Tue 2016-10-11 09:35:37 -0400, Peter Lebbing wrote:
> On 11/10/16 13:46, John Lane wrote:
>> I have Monkeysphere on my radar but I haven't got around to trying
>> it out. I had hoped for a gpg solution without resorting to third
>> party...
>
> I think I vaguely remember Monkeysphere supporting it.

fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret
key material to arbitrary formats.

Rather, modern versions of monkeysphere (the ones that support gpg 2.1)
include agent-transfer, a tool that knows how to export secret key
material from a running gpg-agent and import into a running ssh agent.

See the agent-transfer(1) manual page for more details.

Regards,

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161011/56fb31e0/attachment.sig>

From gnupg at jelmail.com  Tue Oct 11 23:58:17 2016
From: gnupg at jelmail.com (John Lane)
Date: Tue, 11 Oct 2016 22:58:17 +0100
Subject: Private key export for SSH
In-Reply-To: <87y41vynka.fsf@alice.fifthhorseman.net>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
Message-ID: <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>


>>
>> I think I vaguely remember Monkeysphere supporting it.
> 
> fwiw, monkeysphere doesn't explicitly support exporting OpenPGP secret
> key material to arbitrary formats.
> 

Ok, I have done it using "openpgp2ssh" from monkeysphere (I just
installed 0.39 just to get that tool).

The key has to be extracted and its password removed before it can be
used with openpgp2ssh, hence my use of a temporary homedir in the below.

Here is what I have done:


First the public key:

$ ssh-add -L > alice.key.pub

or

$ gpg --export alice | openpgp2ssh DD53AC86 > alice.key.pub

where DD53AC86 is the id of the autentication subkey.

Next the secret key:

$ gpg --export-secret-key alice > alice.gpg
$ mkdir -m 700 .gnupg-temp
$ gpg --homedir .gnupg-temp --import alice.gpg
$ gpg --homedir .gnupg-temp --passwd alice
  (remove the passwords)
$ gpg --homedir .gnupg-temp --export-secret-key alice | \
  openpgp2ssh DD53AC86 > alice.key
$ chmod 600 alice.key

With the above, I successfully connect to a remote (after putting
alice.key.pub in its authorized_keys file):

$ ssh -i alice.key some_host

However, I note that the the agent complains with:

> sign_and_send_pubkey: signing failed: agent refused operation

so I unset the SSH_AUTH_SOCK after which the ssh command worked. I might
have done something else wrong because I would not expect to have to do
that.



From strauss at positive-internet.com  Wed Oct 12 01:29:48 2016
From: strauss at positive-internet.com (Nicholas Strauss)
Date: Tue, 11 Oct 2016 16:29:48 -0700
Subject: gnupg pinentry
Message-ID: <0dd4fd6a-146f-63fb-e57d-7b01bb3175c4@positive-internet.com>

All,

Trying to install thunderbird with gpg2 on ubuntu.

got this working with

/usr/local/bin/pinentry --> /usr/bin/pinentry

and

/usr/bin/pinentry --> /etc/alternatives/pinentry.

Look good?

Yours,

strauss



-- 
All postal correspondence to:
The Positive Internet Company, 24 Ganton Street, London. W1F 7QY

*Follow us on Twitter* @posipeople

The Positive Internet Company Limited is registered in England and Wales.
Registered company number: 3673639. VAT no: 726 7072 28.
Registered office: Northside House, Mount Pleasant, Barnet, Herts, EN4 9EE.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xB3082430.asc
Type: application/pgp-keys
Size: 8578 bytes
Desc: not available
URL: </pipermail/attachments/20161011/c392e891/attachment.key>

From dkg at fifthhorseman.net  Wed Oct 12 05:23:43 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 11 Oct 2016 23:23:43 -0400
Subject: gnupg pinentry
In-Reply-To: <0dd4fd6a-146f-63fb-e57d-7b01bb3175c4@positive-internet.com>
References: <0dd4fd6a-146f-63fb-e57d-7b01bb3175c4@positive-internet.com>
Message-ID: <874m4ixnb4.fsf@alice.fifthhorseman.net>

On Tue 2016-10-11 19:29:48 -0400, Nicholas Strauss wrote:
>
> Trying to install thunderbird with gpg2 on ubuntu.
>
> got this working with
>
> /usr/local/bin/pinentry --> /usr/bin/pinentry
>
> and
>
> /usr/bin/pinentry --> /etc/alternatives/pinentry.
>
> Look good?

It's not clear what this means.  are these descriptions of symbolic
links?  If so, i don't know what you're trying to do here.  Is there a
reason to have /usr/local/bin/pinentry at all?  on ubuntu, i recommend
just installing the pinentry-* package that matches your preferred
desktop environment and allowing it to be automatically selected.

        --dkg


From gnupg at jelmail.com  Wed Oct 12 17:36:30 2016
From: gnupg at jelmail.com (John Lane)
Date: Wed, 12 Oct 2016 16:36:30 +0100
Subject: using with su/sudo
In-Reply-To: <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
 <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
Message-ID: <e5869a18-6371-aee9-d974-0f08922ee7a8@jelmail.com>


> 
> I created a ticket at the bug tracker.
> 
>     https://bugs.gnupg.org/gnupg/issue2739
> 
> 
> With the situation of gpg-agent's allow-loopback-pinentry is default
> now, perhaps, it would be the best (from the user's viewpoint) that
> gpg-agent automatically fallbacks to loopback mode.
> 
> On window system, I think it doesn't work either...
> 

I just wanted to bring this to your attention because I think it is related.

If you try to use "ssh-add" from within a sudo/su session to add a SSH
private key to the gpg-agent (with all other GnuPG SSH configuration
requirements satisfied), the request fails with an error:

$ ssh-add ~/.ssh/private.key
Enter passphrase for /home/alice/private.key:
Could not add identity "/home/alice/.ssh/private.key": agent refused
operation

I did some investigation and I think it is the pinentry problem again.

First, I tried the same from a non-su terminal and it worked: the agent
pops up a pinentry dialog to request a passphrase for its copy of the
private key (as explained in the gpg manual, chapter 2).

I tried from a sudo with the tty ownership corrected but it didn't work.

So I ran an agent with some logging and saw this:


DBG: error calling pinentry: Inappropriate ioctl for device <Pinentry>



From gnupg at jelmail.com  Wed Oct 12 17:52:19 2016
From: gnupg at jelmail.com (John Lane)
Date: Wed, 12 Oct 2016 16:52:19 +0100
Subject: Private key export for SSH
In-Reply-To: <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
 <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
Message-ID: <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>

This is just an observation. I thought that perhaps, if I had an
extracted private key, that I could use "ssh-add" to add it and remove
the need to manually edit "sshcontrol". I tried:

$ ssh-add alice.key
Identity added: alice.key (alice.key)

Looking good. However...

$ ssh-add -l
The agent has no identities.

No joy. I realise the documented way is to edit the sshcontrol file and
put the keygrip into it. But the positive output above is misleading.

That's where gpg knows about the key (e.g. on the machine where the
extract was done). The "ssh-add alice.key" works if the key is unknown
to gpg - the keygrip is written to sshcontrol and to private-keys-v1.d.
furthermore, importing the alice.gpg key afterwards works fine too.

# RSA key added on: 2016-10-12 15:44:05
# MD5 Fingerprint:  d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16
817A3B5A8596096E8AC2932617C10E4181F09B55 0



From dkg at fifthhorseman.net  Wed Oct 12 23:51:30 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 12 Oct 2016 17:51:30 -0400
Subject: Private key export for SSH
In-Reply-To: <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
 <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
 <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>
Message-ID: <878tttutgd.fsf@alice.fifthhorseman.net>

On Wed 2016-10-12 11:52:19 -0400, John Lane wrote:
> This is just an observation. I thought that perhaps, if I had an
> extracted private key, that I could use "ssh-add" to add it and remove
> the need to manually edit "sshcontrol". I tried:
>
> $ ssh-add alice.key
> Identity added: alice.key (alice.key)
>
> Looking good. However...
>
> $ ssh-add -l
> The agent has no identities.
>
> No joy. I realise the documented way is to edit the sshcontrol file and
> put the keygrip into it. But the positive output above is misleading.
>
> That's where gpg knows about the key (e.g. on the machine where the
> extract was done). The "ssh-add alice.key" works if the key is unknown
> to gpg - the keygrip is written to sshcontrol and to private-keys-v1.d.
> furthermore, importing the alice.gpg key afterwards works fine too.
>
> # RSA key added on: 2016-10-12 15:44:05
> # MD5 Fingerprint:  d0:d1:43:af:ec:4a:4c:92:7c:af:1f:70:92:13:89:16
> 817A3B5A8596096E8AC2932617C10E4181F09B55 0

It looks to me like you're referring to
https://bugs.gnupg.org/gnupg/issue2316 , which was marked as "resolved".

I just re-opened it to "chatting".

  --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161012/0b72433a/attachment-0001.sig>

From gniibe at fsij.org  Thu Oct 13 01:27:46 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 13 Oct 2016 08:27:46 +0900
Subject: using with su/sudo
In-Reply-To: <e5869a18-6371-aee9-d974-0f08922ee7a8@jelmail.com>
References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
 <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
 <e5869a18-6371-aee9-d974-0f08922ee7a8@jelmail.com>
Message-ID: <b38c3048-97b2-2606-2935-ddab5fab0ca4@fsij.org>

On 10/13/2016 12:36 AM, John Lane wrote:
> I just wanted to bring this to your attention because I think it is related.

Thank you.  Actually, I have a problem like that, everyday (literally).

> I tried from a sudo with the tty ownership corrected but it didn't work.
> 
> So I ran an agent with some logging and saw this:
> 
> 
> DBG: error calling pinentry: Inappropriate ioctl for device <Pinentry>

Yes, this is the same error for me, too.

In my case, I do:

    $ gpg-connect-agent updatestartuptty /bye

to fix the situation.

My case is that, I configure systemd to start up gpg-agent.  In this
case, gpg frontend works well with its session environment, but ssh
doesn't work.

In this configuration, gpg-agent starts with no env defined, like:

    $ gpg-connect-agent "getinfo std_startup_env" /bye
    OK
    $

Then, the command "updatestartuptty" can fix the situation.

I think that gpg-agent is unkind enough (for error message, at least),
it could/should know pinentry doesn't work well with not proper TTY
ownership, no GPG_TTY.

In the case of su/sudo, I would consider automatic fallback to
loopback mode, or argue about file discriptor passing of UNIX domain
socket.  I have no idea how gpg-agent with null std_startup_env can do
for SSH...
-- 


From strauss at positive-internet.com  Thu Oct 13 03:27:38 2016
From: strauss at positive-internet.com (Nicholas Strauss)
Date: Wed, 12 Oct 2016 18:27:38 -0700
Subject: Gnupg-users Digest, Vol 157, Issue 15
In-Reply-To: <mailman.1146.1476309101.8714.gnupg-users@gnupg.org>
References: <mailman.1146.1476309101.8714.gnupg-users@gnupg.org>
Message-ID: <bd2336b0-1d4a-0a1a-4cc0-64650fbe1582@positive-internet.com>

Hi dkg,

$ md5sum pinentry-gnome3
cf267ac78545eb9c3744b962082d4110  pinentry-gnome3
Look good?

Yours,

strauss



-- 
All postal correspondence to:
The Positive Internet Company, 24 Ganton Street, London. W1F 7QY

*Follow us on Twitter* @posipeople

The Positive Internet Company Limited is registered in England and Wales.
Registered company number: 3673639. VAT no: 726 7072 28.
Registered office: Northside House, Mount Pleasant, Barnet, Herts, EN4 9EE.


From justus at g10code.com  Thu Oct 13 11:33:32 2016
From: justus at g10code.com (Justus Winter)
Date: Thu, 13 Oct 2016 11:33:32 +0200
Subject: Private key export for SSH
In-Reply-To: <878tttutgd.fsf@alice.fifthhorseman.net>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
 <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
 <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>
 <878tttutgd.fsf@alice.fifthhorseman.net>
Message-ID: <878ttsy4nn.fsf@europa.jade-hamburg.de>

Hi John :)

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> On Wed 2016-10-12 11:52:19 -0400, John Lane wrote:
>> This is just an observation. I thought that perhaps, if I had an
>> extracted private key, that I could use "ssh-add" to add it and remove
>> the need to manually edit "sshcontrol". I tried:
>>
>> $ ssh-add alice.key
>> Identity added: alice.key (alice.key)
>>
>> Looking good. However...
>>
>> $ ssh-add -l
>> The agent has no identities.
>>
>> No joy. I realise the documented way is to edit the sshcontrol file and
>> put the keygrip into it. But the positive output above is misleading.

John, can you please tell us which version of GnuPG you are using, and
just to be sure, also check that

  gpg-connect-agent 'getinfo version' /bye

prints the expected version number?


Thanks,
Justus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20161013/be9915de/attachment.sig>

From gnupg at jelmail.com  Thu Oct 13 13:03:37 2016
From: gnupg at jelmail.com (John Lane)
Date: Thu, 13 Oct 2016 12:03:37 +0100
Subject: Private key export for SSH
In-Reply-To: <878ttsy4nn.fsf@europa.jade-hamburg.de>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
 <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
 <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>
 <878tttutgd.fsf@alice.fifthhorseman.net>
 <878ttsy4nn.fsf@europa.jade-hamburg.de>
Message-ID: <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com>


> 
> John, can you please tell us which version of GnuPG you are using, and
> just to be sure, also check that
> 
>   gpg-connect-agent 'getinfo version' /bye
> 
> prints the expected version number?
> 
> 

$ gpg --version
gpg (GnuPG) 2.1.14
libgcrypt 1.7.2

$ gpg-agent --version
gpg-agent (GnuPG) 2.1.14
libgcrypt 1.7.2

$ gpg-connect-agent 'getinfo version' /bye
D 2.1.14
OK

Also, in case it's useful:

$ uname -srvm
Linux 4.6.4-1-ARCH #1 SMP PREEMPT Mon Jul 11 19:30:13 CEST 2016 i686

$ $ pacman -Qo gpg
/usr/bin/gpg is owned by gnupg 2.1.14-1

$ cat /etc/os-release
NAME="Arch Linux"
ID=arch
PRETTY_NAME="Arch Linux"
ANSI_COLOR="0;36"
HOME_URL="https://www.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"

HTH
John




From justus at g10code.com  Thu Oct 13 13:25:05 2016
From: justus at g10code.com (Justus Winter)
Date: Thu, 13 Oct 2016 13:25:05 +0200
Subject: Private key export for SSH
In-Reply-To: <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
 <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
 <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>
 <878tttutgd.fsf@alice.fifthhorseman.net>
 <878ttsy4nn.fsf@europa.jade-hamburg.de>
 <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com>
Message-ID: <871szkxzhq.fsf@europa.jade-hamburg.de>

John Lane <gnupg at jelmail.com> writes:

>> 
>> John, can you please tell us which version of GnuPG you are using, and
>> just to be sure, also check that
>> 
>>   gpg-connect-agent 'getinfo version' /bye
>> 
>> prints the expected version number?
>> 
>> 
>
> $ gpg --version
> gpg (GnuPG) 2.1.14
> libgcrypt 1.7.2

Thanks.  That bug is fixed in GnuPG 2.1.15.

Justus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20161013/b18fe37e/attachment.sig>

From brian at minton.name  Thu Oct 13 22:03:00 2016
From: brian at minton.name (Brian Minton)
Date: Thu, 13 Oct 2016 16:03:00 -0400
Subject: RSA 4096-bit Key
In-Reply-To: <MAXPR01MB0412F196E64D973776E35F5B97D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
References: <MAXPR01MB0412F196E64D973776E35F5B97D90@MAXPR01MB0412.INDPRD01.PROD.OUTLOOK.COM>
Message-ID: <f227855c-0f8f-45d8-6294-423d9bd813a9@minton.name>



On 10/08/2016 02:58 AM, Rohit P wrote:
>
> I am using latest version of GPG. I noticed there is no option to
> generate RSA 4096-bit key. The same goes with DSA.
>
>

It is, but you have to use the "full" key generation option:

$ gpg --full-gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161013/5a082c68/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 325 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161013/5a082c68/attachment.sig>

From ng0 at we.make.ritual.n0.is  Fri Oct 14 01:32:29 2016
From: ng0 at we.make.ritual.n0.is (ng0)
Date: Thu, 13 Oct 2016 23:32:29 +0000
Subject: unable to decrypt a mail coming from apple mail
Message-ID: <87mvi7vn8y.fsf@we.make.ritual.n0.is>

Hi,

I've just got an email where the X-Mailer is Apple Mail. It adds some
bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
decrypt it with gpg --decrypt (applied to the email as a file and also
when applied to the BEGIN/END PGP block).
The key is imported, still valid and yet I get:
gpg: decryption failed: No secret key

I'm running an unaltered Guix build here:
ng0 at shadowwalker ~$ gpg --version
gpg (GnuPG) 2.1.13
libgcrypt 1.7.3


Help is welcome
-- ng0


From dkg at fifthhorseman.net  Fri Oct 14 02:59:26 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 13 Oct 2016 20:59:26 -0400
Subject: Gnupg-users Digest, Vol 157, Issue 15
In-Reply-To: <bd2336b0-1d4a-0a1a-4cc0-64650fbe1582@positive-internet.com>
References: <mailman.1146.1476309101.8714.gnupg-users@gnupg.org>
 <bd2336b0-1d4a-0a1a-4cc0-64650fbe1582@positive-internet.com>
Message-ID: <87pon3sq35.fsf@alice.fifthhorseman.net>

On Wed 2016-10-12 21:27:38 -0400, Nicholas Strauss wrote:

> Hi dkg,
>
> $ md5sum pinentry-gnome3
> cf267ac78545eb9c3744b962082d4110  pinentry-gnome3
> Look good?

sorry, i'm confused, and i don't have the context for this, or why
you're asking me in particular on the gnupg-users mailing list.  Can you
explain what you're asking about?

if you're asking whether that's the "right" md5sum for the
pinentry-gnome3 binary (i.e., /usr/bin/pinentry-gnome3), all i can tell
you is that it doesn't match my binary.  but this isn't a useful
question for a bunch of reasons, including:

 * you might have a different operating system than i do

 * you might have a different hardware platform than i do
 
 * either you or i might have built the binary independently or with
   different options

and so on...

if this is related to your earlier question about symlinks(?) that i
also didn't really understand, i'm still puzzled.

What problem are you trying to solve?  What behaviors have you observed?
What behaviors were you expecting to observe?  What debugging steps have
you tried?

here are some useful pointers for effective bug-reporting:

  http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

confusedly yours,

     --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161013/a8bbaa80/attachment-0001.sig>

From stebe at mailbox.org  Fri Oct 14 13:23:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Fri, 14 Oct 2016 11:23:00 +0000
Subject: unable to decrypt a mail coming from apple mail
In-Reply-To: <87mvi7vn8y.fsf@we.make.ritual.n0.is>
References: <87mvi7vn8y.fsf@we.make.ritual.n0.is>
Message-ID: <5ada1a8e-1c05-393e-cacf-b3789f126315@mailbox.org>

Hi,

ng0:
> Hi,
> 
> I've just got an email where the X-Mailer is Apple Mail. It adds some
> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
> decrypt it with gpg --decrypt (applied to the email as a file and also
> when applied to the BEGIN/END PGP block).
> The key is imported, still valid and yet I get:
> gpg: decryption failed: No secret key
> 
> I'm running an unaltered Guix build here:
> ng0 at shadowwalker ~$ gpg --version
> gpg (GnuPG) 2.1.13
> libgcrypt 1.7.3

have you checked the bug tracker at (1) ?
There are several entries for
gpg: decryption failed: No secret key.

when you enter this very phrase into the search entry mask.

Maybe there you'll find what you are looking for.

Cheers

Stephan

(1) https://bugs.gnupg.org


From daniel at pocock.pro  Fri Oct 14 13:31:13 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Fri, 14 Oct 2016 13:31:13 +0200
Subject: mentors needed for the PGP Clean Room project in Outreachy/GSoC
Message-ID: <968f3619-936f-c496-3c20-7f7000284e00@pocock.pro>



Hi all,

I've advertised[1] the PGP Clean Room in the current round of Outreachy
and it will probably be promoted in GSoC 2017 too.

We already have a couple of applicants interested in working on it,
their details are in the pki-clean-room list archive[2]

Would anybody from the GnuPG community be interested in collaborating as
a co-mentor on this project?  If so, please feel free to email me and/or
subscribe to the pki-clean-room mailing list[3].

Regards,

Daniel


1. https://danielpocock.com/outreachy-gsoc-2017-pki-clean-room
2.
http://lists.alioth.debian.org/pipermail/pki-clean-room-devel/Week-of-Mon-20161010/date.html
3. https://lists.alioth.debian.org/mailman/listinfo/pki-clean-room-devel


From ng0 at we.make.ritual.n0.is  Fri Oct 14 20:28:31 2016
From: ng0 at we.make.ritual.n0.is (ng0)
Date: Fri, 14 Oct 2016 18:28:31 +0000
Subject: unable to decrypt a mail coming from apple mail
In-Reply-To: <5ada1a8e-1c05-393e-cacf-b3789f126315@mailbox.org>
References: <87mvi7vn8y.fsf@we.make.ritual.n0.is>
 <5ada1a8e-1c05-393e-cacf-b3789f126315@mailbox.org>
Message-ID: <87twce944w.fsf@we.make.ritual.n0.is>

Stephan Beck <stebe at mailbox.org> writes:

> Hi,
>
> ng0:
>> Hi,
>> 
>> I've just got an email where the X-Mailer is Apple Mail. It adds some
>> bits and pieces, is a 7bit Content-Transfer-Encoding and I fail to
>> decrypt it with gpg --decrypt (applied to the email as a file and also
>> when applied to the BEGIN/END PGP block).
>> The key is imported, still valid and yet I get:
>> gpg: decryption failed: No secret key
>> 
>> I'm running an unaltered Guix build here:
>> ng0 at shadowwalker ~$ gpg --version
>> gpg (GnuPG) 2.1.13
>> libgcrypt 1.7.3
>
> have you checked the bug tracker at (1) ?
> There are several entries for
> gpg: decryption failed: No secret key.
>
> when you enter this very phrase into the search entry mask.
>
> Maybe there you'll find what you are looking for.
>
> Cheers
>
> Stephan
>
> (1) https://bugs.gnupg.org
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

>From the subjects of those 9 bugs I don't see how they are related to my
problem. Nevertheless I will read into them in the next days.

Thanks


From gpg at noffin.com  Fri Oct 14 20:11:48 2016
From: gpg at noffin.com (gpg at noffin.com)
Date: Fri, 14 Oct 2016 11:11:48 -0700
Subject: Secret key Questions regarding expiration and backing up
Message-ID: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co>

Hi there - pretty new with GPG, but have been getting going with it
without much issue. I'm just curious about a few best practices and so on.

1) Should you set an expiration on your secret key? Or do most people just
secure it appropriately (with no expiration)?

2) If you do have the secret key expire, and I have a backup of it (file
format) - And for some reason I forget to extend it before expiration -
can I still extend it?

I did a few tests exporting a secret key before and after extending the
expiration date - and obviously the file contents changed. I just want to
be sure that I have a good backup of it, however follow best practices.

Thank you.



From andrewg at andrewg.com  Fri Oct 14 23:01:49 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 14 Oct 2016 22:01:49 +0100
Subject: Secret key Questions regarding expiration and backing up
In-Reply-To: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co>
References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co>
Message-ID: <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com>

On 14 Oct 2016, at 19:11, gpg at noffin.com wrote:
> 
> Hi there - pretty new with GPG, but have been getting going with it
> without much issue. I'm just curious about a few best practices and so on.
> 
> 1) Should you set an expiration on your secret key? Or do most people just
> secure it appropriately (with no expiration)?

Secret keys don't have expiration dates, only public keys. Best practice is to set an expiration date of a year or two in the future on the primary key, and either the same or shorter on your subkeys (I use the same expiry myself, for simplicity). 

The reason for this is that you may lose your secret material or forget your password, and you don't want stale keys hanging around on the internet forever with no indication that they are no longer usable. 

> 2) If you do have the secret key expire, and I have a backup of it (file
> format) - And for some reason I forget to extend it before expiration -
> can I still extend it?

Yes. Just edit the public key and republish. The expiration date only informs other people that their software should stop using the key - it doesn't prevent you from doing anything.

Andrew


From gpg at noffin.com  Sat Oct 15 00:49:37 2016
From: gpg at noffin.com (gpg at noffin.com)
Date: Fri, 14 Oct 2016 15:49:37 -0700
Subject: Secret key Questions regarding expiration and backing up
In-Reply-To: <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com>
References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co>
 <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com>
Message-ID: <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co>

> On 14 Oct 2016, at 19:11, gpg at noffin.com wrote:
>>
>> Hi there - pretty new with GPG, but have been getting going with it
>> without much issue. I'm just curious about a few best practices and so
>> on.
>>
>> 1) Should you set an expiration on your secret key? Or do most people
>> just
>> secure it appropriately (with no expiration)?
>
> Secret keys don't have expiration dates, only public keys. Best practice
> is to set an expiration date of a year or two in the future on the primary
> key, and either the same or shorter on your subkeys (I use the same expiry
> myself, for simplicity).
>
> The reason for this is that you may lose your secret material or forget
> your password, and you don't want stale keys hanging around on the
> internet forever with no indication that they are no longer usable.
>
>> 2) If you do have the secret key expire, and I have a backup of it (file
>> format) - And for some reason I forget to extend it before expiration -
>> can I still extend it?
>
> Yes. Just edit the public key and republish. The expiration date only
> informs other people that their software should stop using the key - it
> doesn't prevent you from doing anything.
>
> Andrew
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>


So for clarification then:

If there are no expiry dates on secret keys, what does this output mean then?

#gpg --list-secret-keys

<snip>
sec   2048R/xxxxxxxx 2014-10-30 [expires: 2017-10-31]
</snip>

And my next question is then... When I exported my secret key and moved it
to another machine - why did the contents of the export to file change
between the extension of the expiration date? (I exported before and after
to test).

Thanks in advance!





From andrewg at andrewg.com  Sat Oct 15 01:16:45 2016
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sat, 15 Oct 2016 00:16:45 +0100
Subject: Secret key Questions regarding expiration and backing up
In-Reply-To: <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co>
References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co>
 <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com>
 <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co>
Message-ID: <9A4321E9-ED09-45F4-8982-CB1658682A45@andrewg.com>

On 14 Oct 2016, at 23:49, gpg at noffin.com wrote:

> So for clarification then:
> 
> If there are no expiry dates on secret keys, what does this output mean then?
> 
> #gpg --list-secret-keys
> 
> <snip>
> sec   2048R/xxxxxxxx 2014-10-30 [expires: 2017-10-31]
> </snip>

The expiry date shown here is just a copy of the one on the public key. It is checked by gnupg to prevent it making signatures with a secret key that has an expired public key (and which are therefore unverifiable by others). I suppose you could think of this as being the expiry of the secret key, but it is always the same as that of the public key and the one on the public key is the important one.

> And my next question is then... When I exported my secret key and moved it
> to another machine - why did the contents of the export to file change
> between the extension of the expiration date? (I exported before and after
> to test).

I'll defer to someone more expert than me on the internals, but my understanding is that a copy of some public key information (such as expiry dates) is kept in the corresponding secret key store, and this will be updated when the public key is edited.

Andrew.


From dkg at fifthhorseman.net  Sat Oct 15 02:54:32 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 14 Oct 2016 20:54:32 -0400
Subject: Secret key Questions regarding expiration and backing up
In-Reply-To: <9A4321E9-ED09-45F4-8982-CB1658682A45@andrewg.com>
References: <392f3925d31b573fdf7170d4989d2bac.squirrel@isp.srvrs.co>
 <65006322-74A0-425C-8B97-2909F2161DE3@andrewg.com>
 <47b4714ec48c77cd316f22b91a95c3e9.squirrel@isp.srvrs.co>
 <9A4321E9-ED09-45F4-8982-CB1658682A45@andrewg.com>
Message-ID: <87mvi6ph2v.fsf@alice.fifthhorseman.net>

On Fri 2016-10-14 19:16:45 -0400, Andrew Gallagher wrote:

> my understanding is that a copy of some public key information (such
> as expiry dates) is kept in the corresponding secret key store, and
> this will be updated when the public key is edited.

This is exactly correct.  see:
https://tools.ietf.org/html/rfc4880#section-5.5.3

   The Secret-Key and Secret-Subkey packets contain all the data of the
   Public-Key and Public-Subkey packets, with additional algorithm-
   specific secret-key data appended, usually in encrypted form.

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161014/3144dd93/attachment.sig>

From gnupg at jelmail.com  Sat Oct 15 17:19:12 2016
From: gnupg at jelmail.com (John Lane)
Date: Sat, 15 Oct 2016 16:19:12 +0100
Subject: Private key export for SSH
In-Reply-To: <871szkxzhq.fsf@europa.jade-hamburg.de>
References: <ec5e0baf-ed55-be7f-ba53-9f416a3e45e3@jelmail.com>
 <2bbb7513-321d-491d-925f-2334b1ddeff3@digitalbrains.com>
 <2ca2f361-48a4-c78e-945a-9af751bdb4f6@jelmail.com>
 <bc3976fd-52aa-5d1b-9fa3-62a20d111e8a@digitalbrains.com>
 <87y41vynka.fsf@alice.fifthhorseman.net>
 <36c45a4b-4c87-20cd-ff15-ece5d1d644d1@jelmail.com>
 <70d07b77-8956-1287-7bb2-8aee575a2b7d@jelmail.com>
 <878tttutgd.fsf@alice.fifthhorseman.net>
 <878ttsy4nn.fsf@europa.jade-hamburg.de>
 <91bbac7b-7ba7-7acb-4b1b-17a6579f3742@jelmail.com>
 <871szkxzhq.fsf@europa.jade-hamburg.de>
Message-ID: <52c56750-399f-0b92-9a24-1fbb82b2e8de@jelmail.com>


> 
> Thanks.  That bug is fixed in GnuPG 2.1.15.
> 
> Justus
> 

Thanks Justus. I have just updated my system and now have 2.1.15 and I
can confirm that it works as one would expect.



From gnupg at jelmail.com  Sat Oct 15 17:33:42 2016
From: gnupg at jelmail.com (John Lane)
Date: Sat, 15 Oct 2016 16:33:42 +0100
Subject: SSH public key comment field and gpg-agent
Message-ID: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com>


The SSH public key format contains a comment field (RFC4716, s3.3.2):

    The comment header contains a user-specified comment.
    user at example.com

>From "man sshd":

    Public keys consist of the following space-separated fields:
    options, keytype, base64-encoded key, comment.

    The comment field is not used for anything (but may be convenient
    for the user to identify the key).

If I load an SSH key from a file using 'ssh-add' the comment field is
populated with the file name (i.e. "alice.pem") if the gpg-agent does
not already contain that key.

If I do "ssh-add -L" I will see "alice.pem" at the end of the output:

        ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice.pem

If the key is in the agent because of the gpg keyring then it is known
as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the
output:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (none)

The reason that I stumbled upon this was because I was debugging a ssh
connection that used the gpg-agent and the ssh debugging output
displayed the following misleading output:

    debug1: Offering RSA public key: (none)

which means the public key called "(none)" rather than, as I initially
interpreted it, no public key.

It's also useful client-side to see who a public key belongs to.

It would be good if the comment field reflected the key source, perhaps
the short (or long) key id. For example:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (3A808C39)

Or even the primary uid of the key

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 alice at example.org

Incidentally, exporting the public key this way (which, I think, comes
from the pubring rather than the agent)

    gpg --export alice | ./openpgp2ssh 63A808C39

results in no comment field at all:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3


I have no idea whether this is a gpg-agent thing, but is it possible to
control how the comment field is populated ?

[gpg (GnuPG) 2.1.15 libgcrypt 1.7.3]



From gnupg at jelmail.com  Sat Oct 15 17:34:14 2016
From: gnupg at jelmail.com (John Lane)
Date: Sat, 15 Oct 2016 16:34:14 +0100
Subject: using with su/sudo
In-Reply-To: <b38c3048-97b2-2606-2935-ddab5fab0ca4@fsij.org>
References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
 <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
 <e5869a18-6371-aee9-d974-0f08922ee7a8@jelmail.com>
 <b38c3048-97b2-2606-2935-ddab5fab0ca4@fsij.org>
Message-ID: <acfdb0f0-7878-ad42-715b-f65a39450105@jelmail.com>


> 
> Then, the command "updatestartuptty" can fix the situation.
> 

I tried this and it worked, in a su/sudo I had to do this:

    $ script -q -c '(gpg-connect-agent updatestartuptty /bye; ssh-add
alice.subkey)'



From caro at nymph.paranoici.org  Sun Oct 16 03:22:50 2016
From: caro at nymph.paranoici.org (Carola Grunwald)
Date: Sun, 16 Oct 2016 01:22:50 +0000 (UTC)
Subject: Implications of a common private keys directory in 2.1
Message-ID: <20161016012250.2CB31101F1EA@remailer.paranoici.org>

Hi,

my next problem with 2.1.15 on Windows 7.

I add a pub/sec keypair to two different keyrings
  '--import ... --keyring a.kbx', then '--import ... --keyring b.kbx'.
Following this I delete that key from one of the keyrings
  '--delete-secret-and-public-key ... --keyring a.kbx',
which unfortunately as a side effect also removes the secret key
associated with the other public keyring (b.kbx), as for both public key
items there's only one single secret key file stored in the common
private-keys-v1.d directory.

Is there any chance to get that disentangled, maybe by defining a
separate secret key directory for each public .kbx keyring in use?

Kind regards,

Caro


From kevin at z.cash  Sun Oct 16 19:58:59 2016
From: kevin at z.cash (Kevin Gallagher)
Date: Sun, 16 Oct 2016 10:58:59 -0700
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
Message-ID: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>

Hi all,

I've tried to get this working to no avail. I've consulted past postings
to this list as well as various online references. Some people seem to
have got this to work, but most seem to have trouble. I would appreciate
any guidance or help anyone can offer.

I want my gpg-agent to be shared with another host, specifically a
Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is
a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket
forwarded, and I can talk to it with gpg-connect-agent, and even obtain
a list of keygrips for the keys residing on the local machine. However,
the forwarded gpg-agent socket does not seem to interface with the GPG
CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing.

This is important because I'm in the process of developing a
deterministic build environment for a project, and many of us prefer to
use smartcards or YubiKeys, so copying our secret keys into the VM is
not an option. The ability to forward the local gpg-agent into the VM
for signing operations would be very convenient.

GPG version on host: 2.1.15 (Debian stretch)
GPG version on VM: 2.0.26 (Debian jessie)

This illustrates what I'm doing:

    GPG_SOCK=$(echo "$GPG_AGENT_INFO" | cut -d: -f1)
    vagrant ssh vm -- -t -A \
        -R /home/vagrant/.gnupg/S.gpg-agent:$GPG_SOCK \
        -o StreamLocalBindUnlink=yes \
        -o ExitOnForwardFailure=yes

Setting some environment variables in the VM does not help:

    GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1
    GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent
    GPG_TTY=/dev/pts/1

I've tried alternate/matching versions of GnuPG, pored over the manpages
and options, and tried other stuff, with no luck. Does anyone have any
idea why it is that gpg-connect-agent can speak to the forwarded socket
but not gpg? Has someone here got this working before?

thanks in advance,
Kevin


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161016/ee057671/attachment.sig>

From thomas at glanzmann.de  Mon Oct 17 07:45:39 2016
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Mon, 17 Oct 2016 07:45:39 +0200
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
 <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
Message-ID: <20161017054539.GA17983@glanzmann.de>

Hello Kevin,

> GPG version on host: 2.1.15 (Debian stretch)
> GPG version on VM: 2.0.26 (Debian jessie)

gpg 2.0.26 does the gpg operations local and not using gnupg-agent.
Starting with the 2.1.x versions gnupg uses gnupg-agent for doing all
operations. As a result you need to have 2.1.x on the remote machine. On
the local you could have actually run 2.0 however your private key if
not stored on a smartcard would be exposed using the remote socket. Find
attached a build script do build gnupg 2.1.x for Debian jessie. Try not
to replace gnupg in the system because it would break to many things.
Instead install it to a separate location.

Build dependencies are:

sudo apt-get install texinfo transfig bison flex libbz2-dev libsqlite3-dev libgnutls28-dev pkg-config libusb-1.0-0-dev

Cheers,
        Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: build.sh
Type: application/x-sh
Size: 2181 bytes
Desc: not available
URL: </pipermail/attachments/20161017/f528a90a/attachment.sh>

From justus at g10code.com  Mon Oct 17 10:27:09 2016
From: justus at g10code.com (Justus Winter)
Date: Mon, 17 Oct 2016 10:27:09 +0200
Subject: SSH public key comment field and gpg-agent
In-Reply-To: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com>
References: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com>
Message-ID: <871szf8joi.fsf@europa.jade-hamburg.de>

Hi :)

-------------- next part --------------
John Lane <gnupg at jelmail.com> writes:
> If the key is in the agent because of the gpg keyring then it is known
> as "(none)". If I do "ssh-add -L" I will see "(none)" at the end of the
> output:
>
>     ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (none)
>
> The reason that I stumbled upon this was because I was debugging a ssh
> connection that used the gpg-agent and the ssh debugging output
> displayed the following misleading output:
>
>     debug1: Offering RSA public key: (none)
>
> which means the public key called "(none)" rather than, as I initially
> interpreted it, no public key.
>
> It's also useful client-side to see who a public key belongs to.
>
> It would be good if the comment field reflected the key source, perhaps
> the short (or long) key id. For example:
>
>     ssh-rsa AAAAB3NzaC1yc2EAAAADAQAHT...IfFoxh2j13b3 (3A808C39)

Agreed, that would be useful.  Feel free to open a bug report.


Cheers,
Justus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 454 bytes
Desc: not available
URL: </pipermail/attachments/20161017/9d3c709f/attachment.sig>

From gnupg at jelmail.com  Mon Oct 17 13:03:20 2016
From: gnupg at jelmail.com (John Lane)
Date: Mon, 17 Oct 2016 12:03:20 +0100
Subject: SSH public key comment field and gpg-agent
In-Reply-To: <871szf8joi.fsf@europa.jade-hamburg.de>
References: <0707c687-95e6-9644-2240-6fdeda9e512f@jelmail.com>
 <871szf8joi.fsf@europa.jade-hamburg.de>
Message-ID: <25ebbf98-22ec-dfd8-c760-d425d9bc369a@jelmail.com>

> 
> Agreed, that would be useful.  Feel free to open a bug report.
> 
raised https://bugs.gnupg.org/gnupg/issue2760



From m4rtntns at gmail.com  Mon Oct 17 12:31:16 2016
From: m4rtntns at gmail.com (Martin T)
Date: Mon, 17 Oct 2016 13:31:16 +0300
Subject: regular update of all keys from a keyserver
Message-ID: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>

Hi,

I am aware that one can update all the keys in local-keyring from a
keyserver using "gpg --refresh-keys". Are there any disadvantages to
simply put this command into user crontab and execute for example once
a day?


thanks,
Martin


From rjh at sixdemonbag.org  Mon Oct 17 15:48:13 2016
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 17 Oct 2016 09:48:13 -0400
Subject: regular update of all keys from a keyserver
In-Reply-To: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>
References: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>
Message-ID: <023901d2287d$1b8b9040$52a2b0c0$@sixdemonbag.org>

> I am aware that one can update all the keys in local-keyring from a
keyserver
> using "gpg --refresh-keys". Are there any disadvantages to simply put this
> command into user crontab and execute for example once a day?

Not that I know of.  Some people will tell you that "an attacker listening
in on your network connection could discover your social graph!", but
honestly, if people are eavesdropping on my network connection they already
have so many ways to discover my social graph that one more just doesn't
matter.  This 'problem' has always struck me as much ado about nothing much.



From dkg at fifthhorseman.net  Mon Oct 17 17:41:43 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 17 Oct 2016 11:41:43 -0400
Subject: regular update of all keys from a keyserver
In-Reply-To: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>
References: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>
Message-ID: <8737jvoudk.fsf@alice.fifthhorseman.net>

On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:

> I am aware that one can update all the keys in local-keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply put this command into user crontab and execute for example once
> a day?

The only disadvantages are if you don't want to reveal the contents of
your keyring to the public keyservers, or to announce your presence on
the network.

If you prefer to do these things in an anonymized way, you might prefer
a tool like parcimonie, or if you're a coder (or have ways to encourage
other coders to work on things you think are interesting), you might
want to to look into ways to try to address
https://bugs.gnupg.org/gnupg/issue1827

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161017/7eaf5a44/attachment.sig>

From stebe at mailbox.org  Mon Oct 17 18:35:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Mon, 17 Oct 2016 16:35:00 +0000
Subject: Fwd: Re: regular update of all keys from a keyserver
In-Reply-To: <59a9f9aa-76bf-fa59-ff07-a902965c76fd@mailbox.org>
References: <59a9f9aa-76bf-fa59-ff07-a902965c76fd@mailbox.org>
Message-ID: <502aab67-d8b3-609b-1674-974f83088b98@mailbox.org>

I forgot to send it to the list as well...


-------- Forwarded Message --------
Subject: Re: regular update of all keys from a keyserver
Date: Mon, 17 Oct 2016 16:20:00 +0000
From: Stephan Beck <stebe at mailbox.org>
Reply-To: stebe at mailbox.org
To: Martin T <m4rtntns at gmail.com>

Hi Martin,

Martin T:
> Hi,
> 
> I am aware that one can update all the keys in local-keyring from a
> keyserver using "gpg --refresh-keys". Are there any disadvantages to
> simply put this command into user crontab and execute for example once
> a day?

Yes. To protect you and your contacts from an eavesdropper (may it be
the ISP or someone else), you may refresh your keyring over the Tor
Network, using Parcimonie (1), which opens another circuit for every
single refreshing action (one refreshing action, one refreshed key),
thus slowly refreshing the whole keyring. Actually, it works with gpg
v1, I've never got it working with gpg2, though. If someone out there
knows how to adapt it for use with gpg2, go ahead and tell us!

Well, you don't tell us anything about your system or your gpg version,
but another way (with gpg 2.1.10 or later) is using the in-built support
for refreshing your keyring via Tor using --use-tor option.
Quote from the 2.1.10 announce mail (2):
 * dirmngr: New option --use-tor.  For full support this requires
   libassuan version 2.4.2 and a patched version of libadns
   (e.g. adns-1.4-g10-7 as used by the standard Windows installer).

If you do not use or do not want to use Tor, I'd recommend using at
least https in any case, retrieving the certificate of
sks-keyservers.netCA.pem first (3), verifying it and copying it into
your gnupg home directory, and adding it to the keyserver section in
gpg.conf.

I'd never refresh my keyring over plain http, because, yes, we "should
all have something to hide" (4), whatever the threats may be that are
already knocking on our doors and whoever might tell us that this battle
is lost or useless.

(1) https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
(2) https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000381.html
(3) https://sks-keyservers.net/sks-keyservers.netCA.pe
(4) https://moxie.org/blog/we-should-all-have-something-to-hide/

Cheers

Stephan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161017/31b7ec2e/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161017/31b7ec2e/attachment.sig>

From brian at minton.name  Mon Oct 17 18:52:40 2016
From: brian at minton.name (Brian Minton)
Date: Mon, 17 Oct 2016 12:52:40 -0400
Subject: regular update of all keys from a keyserver
In-Reply-To: <8737jvoudk.fsf@alice.fifthhorseman.net>
References: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>
 <8737jvoudk.fsf@alice.fifthhorseman.net>
Message-ID: <49c61be3-77ba-295e-1833-994a0216284f@minton.name>



On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>
>> I am aware that one can update all the keys in local-keyring from a
>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>> simply put this command into user crontab and execute for example once
>> a day?
> The only disadvantages are if you don't want to reveal the contents of
> your keyring to the public keyservers, or to announce your presence on
> the network.
>
> If you prefer to do these things in an anonymized way, you might prefer
> a tool like parcimonie, 

I run a key server, which allows me to do as many key-retrieval queries
as I like, without giving any information away to the rest of the
world.  It also helps a little, but not completely, with the problem of
adding keys to the keyserver network, with respect to my social
network.  In particular, it's not easy for any keyserver to see which of
its peers' peers a given key or set of keys, originated from.  However, 
in theory, an attacker could track the progress of a given key across
the network of keyservers by quick querying, but it's a pretty small
window between the introduction of keys to a single member of the pool,
and it being shared to all the keyservers.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 325 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161017/e24a0219/attachment.sig>

From dsaklad at gnu.org  Tue Oct 18 00:18:01 2016
From: dsaklad at gnu.org (Don Saklad)
Date: Mon, 17 Oct 2016 18:18:01 -0400
Subject: Please develop even easier materials for complete novice type folks...
Message-ID: <5i1szek4bq.fsf@fencepost.gnu.org>

Please develop even easier materials for complete novice type folks 
other than at
https://emailselfdefense.fsf.org/en/

and at
https://gnupg.org


From dkg at fifthhorseman.net  Tue Oct 18 03:19:55 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 17 Oct 2016 21:19:55 -0400
Subject: using with su/sudo
In-Reply-To: <acfdb0f0-7878-ad42-715b-f65a39450105@jelmail.com>
References: <5b0353b0-81e0-a02e-67dc-74d8bdeca3ad@jelmail.com>
 <02221751-161d-12d5-541f-f5a7959b74c8@fsij.org>
 <e5869a18-6371-aee9-d974-0f08922ee7a8@jelmail.com>
 <b38c3048-97b2-2606-2935-ddab5fab0ca4@fsij.org>
 <acfdb0f0-7878-ad42-715b-f65a39450105@jelmail.com>
Message-ID: <87wph6h2ro.fsf@alice.fifthhorseman.net>

On Sat 2016-10-15 11:34:14 -0400, John Lane wrote:
>> 
>> Then, the command "updatestartuptty" can fix the situation.
>> 
>
> I tried this and it worked, in a su/sudo I had to do this:
>
>     $ script -q -c '(gpg-connect-agent updatestartuptty /bye; ssh-add
> alice.subkey)'

so the use of script here is to allocate a new pseudoterminal, to get an
independent tty, right?

this seems like a pretty roundabout way to get the result the user is
naively looking for.  is it possible that we could offer some other
easier/simpler mechanism for users invoking gpg-agent for its ssh-agent
emulation across user accounts?

      --dkg


From m4rtntns at gmail.com  Tue Oct 18 09:09:53 2016
From: m4rtntns at gmail.com (Martin T)
Date: Tue, 18 Oct 2016 10:09:53 +0300
Subject: regular update of all keys from a keyserver
In-Reply-To: <49c61be3-77ba-295e-1833-994a0216284f@minton.name>
References: <CAJx5YvGtXdm52FBExajTQ-ku6VURT==QBoNJsGY72cCL457fkQ@mail.gmail.com>
 <8737jvoudk.fsf@alice.fifthhorseman.net>
 <49c61be3-77ba-295e-1833-994a0216284f@minton.name>
Message-ID: <CAJx5YvE7+d6azsWD9kzd8ktETOkX=JOzvWpWnrG3wcif6=OHvQ@mail.gmail.com>

Thank you for all the replies!




Martin

On Mon, Oct 17, 2016 at 7:52 PM, Brian Minton <brian at minton.name> wrote:
>
>
> On 10/17/2016 11:41 AM, Daniel Kahn Gillmor wrote:
>> On Mon 2016-10-17 06:31:16 -0400, Martin T wrote:
>>
>>> I am aware that one can update all the keys in local-keyring from a
>>> keyserver using "gpg --refresh-keys". Are there any disadvantages to
>>> simply put this command into user crontab and execute for example once
>>> a day?
>> The only disadvantages are if you don't want to reveal the contents of
>> your keyring to the public keyservers, or to announce your presence on
>> the network.
>>
>> If you prefer to do these things in an anonymized way, you might prefer
>> a tool like parcimonie,
>
> I run a key server, which allows me to do as many key-retrieval queries
> as I like, without giving any information away to the rest of the
> world.  It also helps a little, but not completely, with the problem of
> adding keys to the keyserver network, with respect to my social
> network.  In particular, it's not easy for any keyserver to see which of
> its peers' peers a given key or set of keys, originated from.  However,
> in theory, an attacker could track the progress of a given key across
> the network of keyservers by quick querying, but it's a pretty small
> window between the introduction of keys to a single member of the pool,
> and it being shared to all the keyservers.
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>


From daniel at pocock.pro  Tue Oct 18 09:51:20 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Tue, 18 Oct 2016 09:51:20 +0200
Subject: reviewing wiki / shortlist PIN-pad readers
Message-ID: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>



I was looking at this page:

https://wiki.gnupg.org/CardReader/PinpadInput

Are any of these more outstanding than the others, or it doesn't matter
which one somebody chooses?

Could anybody comment on which of those are easily available in small
quantities for developers, or suppliers who are cost effective for small
quantities?



From kevin at z.cash  Tue Oct 18 10:56:41 2016
From: kevin at z.cash (Kevin Gallagher)
Date: Tue, 18 Oct 2016 01:56:41 -0700
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <20161017054539.GA17983@glanzmann.de>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
 <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
 <20161017054539.GA17983@glanzmann.de>
Message-ID: <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash>

Hey Thomas,

Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15 on
the target machine as well (via the packages in Debian sid), and this
did not work. gpg2 is simply not speaking to the forwarded gpg-agent
socket, however gpg-connect-agent can. Any other ideas?

Kevin


On 10/16/2016 10:45 PM, Thomas Glanzmann wrote:
> Hello Kevin,
>
>> GPG version on host: 2.1.15 (Debian stretch)
>> GPG version on VM: 2.0.26 (Debian jessie)
> gpg 2.0.26 does the gpg operations local and not using gnupg-agent.
> Starting with the 2.1.x versions gnupg uses gnupg-agent for doing all
> operations. As a result you need to have 2.1.x on the remote machine. On
> the local you could have actually run 2.0 however your private key if
> not stored on a smartcard would be exposed using the remote socket. Find
> attached a build script do build gnupg 2.1.x for Debian jessie. Try not
> to replace gnupg in the system because it would break to many things.
> Instead install it to a separate location.
>
> Build dependencies are:
>
> sudo apt-get install texinfo transfig bison flex libbz2-dev libsqlite3-dev libgnutls28-dev pkg-config libusb-1.0-0-dev
>
> Cheers,
>         Thomas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161018/bb29666a/attachment.html>

From gniibe at fsij.org  Tue Oct 18 10:58:31 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 18 Oct 2016 17:58:31 +0900
Subject: reviewing wiki / shortlist PIN-pad readers
In-Reply-To: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
References: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
Message-ID: <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>

Sorry, I didn't have time to reply your call the other day.

I think that Gemalto Shelltoken Card Reader, which is available
at http://shop.kernelconcepts.de/ is good one.

Please note that OpenPGP card requires specific card readers.  Its
users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
sizes, the communication is somewhat difficult for old standard of ISO
7816.  (For RSA-1024, most smart card readers work well.)

I recommend TPDU readers, because readers which support extended APDU
level communication tend to have issues for larger size communication.

On 10/18/2016 04:51 PM, Daniel Pocock wrote:
> I was looking at this page:
> 
> https://wiki.gnupg.org/CardReader/PinpadInput
> 
> Are any of these more outstanding than the others, or it doesn't matter
> which one somebody chooses?
> 
> Could anybody comment on which of those are easily available in small
> quantities for developers, or suppliers who are cost effective for small
> quantities?

I implemented the pinpad input support in scdaemon.  While I know some
claims that it is good feature, I, for myself, don't think it's worth
to have.

I don't think the attack to USB communication could be mitigated by
pinpad card reader.  If such an attack is possible, a user already
would be defeated.

It is common for such card readers to have only numeric pads.  That
limits the entropy of passphrase, considerably.  And, as far as I
know, I don't know any implementation of card readers in the market,
which firmware is Free Software.  With user interface like pinpad
input, it is more difficult for me to trust an implementation of such
a card reader.
-- 


From gnudevliz at gmail.com  Mon Oct 17 22:50:22 2016
From: gnudevliz at gmail.com (Elizabeth Ferdman)
Date: Mon, 17 Oct 2016 13:50:22 -0700
Subject: smartcard reader
Message-ID: <20161017205021.GA3273@localhost>

Hello, 

I'm in the market for a smartcard reader and I live in the United
States. I found two ways to get an OpenPGP card already, either from
shop.kernelconcepts.de or from the FSFE as a sustaining member.
Does anyone know how I can get a smart card reader though?
It has to be one from this list:

SCM SPR 532
USB ID: 04e6:e003
PC/SC reader name: SPRx32

KAAN Advanced
USB ID: 0d46:

FSIJ Gnuk Token
USB ID: 234b:0000

Reiner cyberJack Go
USB ID: 0c4b:0504

Vasco DigiPASS 920
USB ID: 1a44:0920

Cherry ST2000
USB ID: 046a:003e

Thanks,
Liz


From daniel at pocock.pro  Tue Oct 18 12:31:52 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Tue, 18 Oct 2016 12:31:52 +0200
Subject: reviewing wiki / shortlist PIN-pad readers
In-Reply-To: <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
References: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
 <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
Message-ID: <ae19b670-36a7-7ae4-45f0-698f98271b17@pocock.pro>



On 18/10/16 10:58, NIIBE Yutaka wrote:

> Please note that OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult for old standard of ISO
> 7816.  (For RSA-1024, most smart card readers work well.)
> 
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues for larger size communication.
> 

Of those readers with PIN-pads on the wiki shortlist[1], which of them
are TPDU readers, or all of them?


> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>>
>> https://wiki.gnupg.org/CardReader/PinpadInput
>>
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>>
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
> 
> I implemented the pinpad input support in scdaemon.  While I know some
> claims that it is good feature, I, for myself, don't think it's worth
> to have.
> 
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.
> 

I thought that if the PIN is entered in the PIN-pad, it is never sent
over the USB connection?


> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.  And, as far as I
> know, I don't know any implementation of card readers in the market,
> which firmware is Free Software.  With user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.

Isn't it more a case of choosing the lesser evil:

- a PIN-pad reader with some proprietary firmware

- the possibility that the user's OS has been compromised or that
somebody fit a keystroke logger to their keyboard

There is no such thing as perfect security and I wasn't claiming that a
PIN-pad implies perfection.

Regards,

Daniel


1. https://wiki.gnupg.org/CardReader/PinpadInput


From m4rtntns at gmail.com  Tue Oct 18 12:42:24 2016
From: m4rtntns at gmail.com (Martin T)
Date: Tue, 18 Oct 2016 13:42:24 +0300
Subject: list revoked UIDs
Message-ID: <CAJx5YvH=4MEwn0dvSNkeEegRXTfL28sKCO5o-xBZ0VRx+qYc3w@mail.gmail.com>

Hi,

I imported a public key from keyserver which has multiple UIDs and one
of those UIDs is revoked. When I execute "gpg --list-keys <key-ID>"
then I see only active UIDs and not that one revoked UID. Is there a
way to list that revoked UID? Or wasn't that imported in the first
place?


thanks,
Martin


From stebe at mailbox.org  Tue Oct 18 13:11:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Tue, 18 Oct 2016 11:11:00 +0000
Subject: reviewing wiki / shortlist PIN-pad readers
In-Reply-To: <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
References: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
 <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
Message-ID: <fd009046-c720-92fb-863e-23a159981538@mailbox.org>

Hi,

NIIBE Yutaka:
> Sorry, I didn't have time to reply your call the other day.
>
> I think that Gemalto Shelltoken Card Reader, which is available
> at http://shop.kernelconcepts.de/ is good one.
>
> Please note that OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult for old standard of ISO
> 7816.  (For RSA-1024, most smart card readers work well.)
>
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues for larger size communication.
>
> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>>
>> https://wiki.gnupg.org/CardReader/PinpadInput
>>
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>>
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
>
> I implemented the pinpad input support in scdaemon.  While I know some
> claims that it is good feature, I, for myself, don't think it's worth
> to have.
>
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.
>
> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.  And, as far as I
> know, I don't know any implementation of card readers in the market,
> which firmware is Free Software.  With user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.
>

Just one note for now:
For example, The Nitrokey Storage (1,2), a usb crypto stick with
integrated card reader) is 100% open source, free software, verifiable
firmware. On the other hand, it has no pinpad.
There may be others (with free software), but I don't know of them. I
just use the Nitrokey, without having any ties with its makers.
If lack of PIN-pad device is not a knock-out criteria, you might ask
them about quantities and conditions.


(1) https://www.nitrokey.com/ (comparison table at bottom of page)
(2) https://www.nitrokey.com/news/2016/nitrokey-storage-available
(3) https://www.nitrokey.com/introduction (quick overview)
(4)
https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit
(with links to the actual security audit pdf's)

Cheers

Stephan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161018/ae4e1d22/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161018/ae4e1d22/attachment-0001.sig>

From peter at digitalbrains.com  Tue Oct 18 13:25:32 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 18 Oct 2016 13:25:32 +0200
Subject: reviewing wiki / shortlist PIN-pad readers
In-Reply-To: <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
References: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
 <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
Message-ID: <3a344a7c-6991-1495-256a-fbacf6fc6abf@digitalbrains.com>

On 18/10/16 10:58, NIIBE Yutaka wrote:
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.

It would IMO not prevent key usage, so in that sense the user is defeated. It
would still limit the time of exposure, since key extraction should still be
prohibitively difficult.

This is a contentious topic I think :-). People put different amounts of stock
in the protection afforded by smartcards, and the likelihood of attack scenarios.

> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.

But luckily, entropy demands on a smartcard PIN are really low. The card locks
after three tries.

Conversely, if you protect your on-disk key with a 10-digit decimal number, an
attacker having the encrypted file could do the required average of 500 million
tries in less time than it takes you to make a cup of coffee.

A PIN just needs to be unguessable, i.e., properly random. It doesn't have to
withstand keyspace enumeration.

My 2 cents,

Peter.

Note to self: make cup of coffee.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From peter at digitalbrains.com  Tue Oct 18 13:29:36 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 18 Oct 2016 13:29:36 +0200
Subject: list revoked UIDs
In-Reply-To: <CAJx5YvH=4MEwn0dvSNkeEegRXTfL28sKCO5o-xBZ0VRx+qYc3w@mail.gmail.com>
References: <CAJx5YvH=4MEwn0dvSNkeEegRXTfL28sKCO5o-xBZ0VRx+qYc3w@mail.gmail.com>
Message-ID: <9416a9e1-a1de-a5e3-ebdc-adfbf5e4b8db@digitalbrains.com>

On 18/10/16 12:42, Martin T wrote:
> Is there a
> way to list that revoked UID?

I think it's:

gpg --list-options show-unusable-uids --list-keys <...>

I grepped the man page for "revoked" until I hit upon this.

> Or wasn't that imported in the first
> place?

That is a possibility, depending on import-options.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



From m4rtntns at gmail.com  Tue Oct 18 13:37:52 2016
From: m4rtntns at gmail.com (Martin T)
Date: Tue, 18 Oct 2016 14:37:52 +0300
Subject: list revoked UIDs
In-Reply-To: <9416a9e1-a1de-a5e3-ebdc-adfbf5e4b8db@digitalbrains.com>
References: <CAJx5YvH=4MEwn0dvSNkeEegRXTfL28sKCO5o-xBZ0VRx+qYc3w@mail.gmail.com>
 <9416a9e1-a1de-a5e3-ebdc-adfbf5e4b8db@digitalbrains.com>
Message-ID: <CAJx5YvFOhjoOgj8vdkYFbR869pztvpeA_MNiGwrT+-FGA+F_Rg@mail.gmail.com>

Thanks! This did the trick.


Martin

On Tue, Oct 18, 2016 at 2:29 PM, Peter Lebbing <peter at digitalbrains.com> wrote:
> On 18/10/16 12:42, Martin T wrote:
>> Is there a
>> way to list that revoked UID?
>
> I think it's:
>
> gpg --list-options show-unusable-uids --list-keys <...>
>
> I grepped the man page for "revoked" until I hit upon this.
>
>> Or wasn't that imported in the first
>> place?
>
> That is a possibility, depending on import-options.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>


From meno.abels at adviser.com  Tue Oct 18 15:09:57 2016
From: meno.abels at adviser.com (Meno Abels)
Date: Tue, 18 Oct 2016 15:09:57 +0200
Subject: gpgsm --verify back to back gpgsm --gen-key
Message-ID: <1AF3736E-0199-4BD6-93A4-062F1A1C9517@adviser.com>

Hi,

i tried to run some combinations of "gpgsm ?verify? all without any success.

# gpgsm --batch --gen-key <  gpgsm-keygen | gpgsm  ?verify
gpgsm (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpgsm: about to sign the certificate for key: &sjfwdfdkjafdkfsd
gpgsm: certificate created
gpgsm: ksba_cms_parse failed: No CMS object

I did not have any success with any filetype which i send to gpgsm ?verify

I tried the:
 - bin (without -a)
 - pem (with -a)
 - pem?s other sources
file?s.

i checked all the pem?s with openssl x509 -in?. all good.

I tried to understand, the documentation without any success.

I tried to read the source and i don?t understand why ?ksba_cms_parse? could fail on these filetypes.

Is there somebody out who knows how ?verify should work?

thx in advance

Meno
gpgsm (GnuPG) 2.1.15
libgcrypt 1.7.3
libksba 1.3.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/menabe/.gnupg
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL

From jurgenpolster at gmail.com  Tue Oct 18 16:39:44 2016
From: jurgenpolster at gmail.com (=?utf-8?Q?J=C3=BCrgen_Polster?=)
Date: Tue, 18 Oct 2016 16:39:44 +0200
Subject: Please develop even easier materials for complete novice type
 folks...
In-Reply-To: <5i1szek4bq.fsf@fencepost.gnu.org>
References: <5i1szek4bq.fsf@fencepost.gnu.org>
Message-ID: <9B95C8EB-914C-4EA1-B65E-4CBEB578FC15@gmail.com>

Give this a try:
	https://gpg4win.de/doc/en/gpg4win-compendium.html

Kind regards
JP

> Please develop even easier materials for complete novice type folks 
> other than at
> https://emailselfdefense.fsf.org/en/
> 
> and at
> https://gnupg.org
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161018/beb4f2ea/attachment.html>

From stebe at mailbox.org  Tue Oct 18 17:40:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Tue, 18 Oct 2016 15:40:00 +0000
Subject: smartcard reader
In-Reply-To: <20161017205021.GA3273@localhost>
References: <20161017205021.GA3273@localhost>
Message-ID: <be98bfe2-1ac2-aa58-7d2c-2f638040ca3d@mailbox.org>

Hi Liz,

Elizabeth Ferdman:
> Hello, 
> 
> I'm in the market for a smartcard reader and I live in the United
> States. I found two ways to get an OpenPGP card already, either from
> shop.kernelconcepts.de or from the FSFE as a sustaining member.
> Does anyone know how I can get a smart card reader though?
> It has to be one from this list:
[...]

> FSIJ Gnuk Token
> USB ID: 234b:0000

As stated at

https://www.gnupg.org/blog/index.html

you can order gnuk token at/from
https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html
https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator.

I just picked out this one, may another one pick out a different list item.

Cheers

Stephan



From thomas at glanzmann.de  Tue Oct 18 21:58:12 2016
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Tue, 18 Oct 2016 21:58:12 +0200
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
 <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
 <20161017054539.GA17983@glanzmann.de>
 <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash>
Message-ID: <20161018195812.GI9435@glanzmann.de>

Hello Kevin,

> Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15
> on the target machine as well (via the packages in Debian sid), and
> this did not work. gpg2 is simply not speaking to the forwarded
> gpg-agent socket, however gpg-connect-agent can. Any other ideas?

Check your configuration (gpg-agent.conf and gpg.conf). You have to put
this two files on the remote and local machine. Also Understand how gpg
2.1.x interacts with gnupg from the diagram below. Enable debugging in
the gpg agent.

Forward GPG socket
------------------
# On the server
echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart

# On the client
ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de

List secret keys
----------------
gpg-connect-agent "keyinfo --list" /bye

GPG Agent Configuration
-----------------------
.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry
extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra
enable-ssh-support
default-cache-ttl 600
max-cache-ttl 7200
keep-tty
keep-display
# debug-level guru
# debug-all
# log-file /tmp/gpg-agent.log

Remote GPG Setup
----------------
# Achtung vorher Backup machen
rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/*
# For every public key
gpg2 --recv-key 0x9D106472D6D50DBA
gpg2 --recv-key 0x03BF970657E19B02

# After that private keys should be listed
gpg2 -K

cat <<EOF > .gnupg/gpg.conf
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
cert-digest-algo SHA512
no-greeting
lock-once
default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
keyid-format 0xlong
use-agent
with-fingerprint
quiet
default-recipient-self
no-secmem-warning
keyserver-options auto-key-retrieve
no-auto-check-trustdb
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF

GNUPG Interaction
-----------------

Here are steps and the interaction.

(1) here are the processes
 [gpgme]----[gpg]====[gpg-agent]----[scdaemon]
                  ^--- possibly by forwarded socket

(2) A client program (Mutt, in your case) asks decryption through gpgme
       decrypt
 [gpgme]--->[gpg]----[gpg-agent]----[scdaemon]

(3) it goes to scdaemon
               decrypt
 [gpgme]----[gpg]--->[gpg-agent]----[scdaemon]

                              decrypt
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(4) if the token is not authenticated yet,
    scdaemon asks a user PIN back through gpg-agent
                               "PIN please"
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]


(5) Then, gpg-agent invokes pinentry.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
            [pinentry]<---/

(6) pinentry pops up GUI dialog window to user.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User <----[pinentry]----/

(7) User inputs PIN by the dialog.
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          |
  User ---->[pinentry]----/
        PIN

 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
                          ^
            [pinentry]----/
                      PIN

                                PIN
 [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]

(8) scdaemon sends the pin to the token to authenticate.
                                              PIN
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(9) Token is ready to decrypt, now.
    scdaemon sends encrypted message to the token.
                                              decrypt
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]

(10) token replies back by decrypted message.... to gpgme.
                                            decrypted
 [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]

                                decrypted
 [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]

                 decrypted
 [gpgme]----[gpg]<---[gpg-agent]----[scdaemon]

       decrypted
 [gpgme]<---[gpg]----[gpg-agent]----[scdaemon]

Cheers,
        Thomas


From stebe at mailbox.org  Wed Oct 19 00:21:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Tue, 18 Oct 2016 22:21:00 +0000
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
 <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
Message-ID: <20932fa2-e987-fce1-53eb-6896d65a1539@mailbox.org>

Hi Kevin,

Kevin Gallagher:
> Hi all,
> 
> I've tried to get this working to no avail. I've consulted past postings
> to this list as well as various online references. Some people seem to
> have got this to work, but most seem to have trouble. I would appreciate
> any guidance or help anyone can offer.
> 
> I want my gpg-agent to be shared with another host, specifically a
> Vagrant/VirtualBox virtual machine, via Unix socket forwarding, which is
> a feature that arrived with OpenSSH 6.7. I can get my gpg-agent's socket
> forwarded, and I can talk to it with gpg-connect-agent, and even obtain
> a list of keygrips for the keys residing on the local machine. However,
> the forwarded gpg-agent socket does not seem to interface with the GPG
> CLI utility, i.e. running `gpg2 --use-agent --list-keys` shows nothing.

Have you considered adding the debug flag to the command (--debug-level
expert)?
> 
> This is important because I'm in the process of developing a
> deterministic build environment for a project, and many of us prefer to
> use smartcards or YubiKeys, so copying our secret keys into the VM is
> not an option. The ability to forward the local gpg-agent into the VM
> for signing operations would be very convenient.
> 
> GPG version on host: 2.1.15 (Debian stretch)
> GPG version on VM: 2.0.26 (Debian jessie)

> Setting some environment variables in the VM does not help:
> 
>     GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1
>     GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent
>     GPG_TTY=/dev/pts/1

And if you'd try to add this to the VM's .bashrc file via ssh/scp
(assuming that the Vagrant's VM is headless and has a bash)

if [ -f "${HOME}/.gpg-agent-info" ]; then
     . "${HOME}/.gpg-agent-info"
       export GPG_AGENT_INFO
       export SSH_AUTH_SOCK
       export SSH_AGENT_PID
fi

Wouldn't that start the "target shell" (forcibly) with the agent being
fired up and all ready for sshing?

Cheers

Stephan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161018/9ddb9d2d/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161018/9ddb9d2d/attachment.sig>

From gniibe at fsij.org  Wed Oct 19 01:36:27 2016
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Wed, 19 Oct 2016 08:36:27 +0900
Subject: smartcard reader
In-Reply-To: <be98bfe2-1ac2-aa58-7d2c-2f638040ca3d@mailbox.org>
References: <20161017205021.GA3273@localhost>
 <be98bfe2-1ac2-aa58-7d2c-2f638040ca3d@mailbox.org>
Message-ID: <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org>

On 10/19/2016 12:40 AM, Stephan Beck wrote:
>> FSIJ Gnuk Token
>> USB ID: 234b:0000

Ah...  This is not a card reader.  It is the project of Free Software
Initiative of Japan (FSIJ) since 2010.  FSIJ acquired USB vendor ID,
specifically for this project.  Please visit:

    https://www.fsij.org/category/gnuk.html

Card reader products are more complex than the hardware requirement of
Gnuk.  If you like KISS philosophy, you might prefer Gnuk Token.

> you can order gnuk token at/from
> https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html

It is sold as an evaluation board.  It happened to have Gnuk 1.0.1
installed.   It is an implementation of reader+card.

> https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator.

This has TRNG implementation (NeuG 1.0.4), instead.  The source of
noise is not that exotic, though.  You can replace the firmware to
Gnuk by yourself.  The upgrade process doesn't require JTAG/SWD
debugger, but having JTAG/SWD debugger is highly recommended to
control your computing (or just in case when failure of upgrade).

Hardware is same (sans cover).  The support page is here:

    https://www.gniibe.org/category/fst-01.html

I tried to sell the hardware widely as possible with help by Seeed and
FSF, but my capability is limited.  Selling hardware product means
we need to follow regulations.  That's difficult for me.


For Europe, I heard that Nitrokey Start runs Gnuk 1.0.4.  Availability
of this product is better, I suppose.

I think that Nitrokey Start and Nitrokey Pro is based on the hardware
design of mine (although I was not involved).  I got a report to Gnuk
Mailing list about firmware upgrade of Gnuk doesn't work well on
Nitrokey Start.  If someone can investigate the cause and possibly fix
an issue, it will be great.


I gave a talk of Gnuk at https://openpgp-conf.org/program.html
There is a link to my slides.
-- 


From stebe at mailbox.org  Wed Oct 19 10:29:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Wed, 19 Oct 2016 08:29:00 +0000
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <20932fa2-e987-fce1-53eb-6896d65a1539@mailbox.org>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
 <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
 <20932fa2-e987-fce1-53eb-6896d65a1539@mailbox.org>
Message-ID: <a2350ff4-9cb8-15c3-205c-21e9a54de006@mailbox.org>

Hi, (update)

Stephan Beck:
> Hi Kevin,
> 

>> Setting some environment variables in the VM does not help:
>>
>>     GPG_AGENT_INFO=/home/vagrant/.gnupg/S.gpg-agent:0:1
>>     GPG_SOCK=/home/vagrant/.gnupg/S.gpg-agent
>>     GPG_TTY=/dev/pts/1
> 
> And if you'd try to add this to the VM's .bashrc file via ssh/scp


No, positively not via ssh, as you reported that this, precisely, ssh
access is failing! So, just modifiying .bashrc manually.
> (assuming that the Vagrant's VM is headless and has a bash)
> 
> if [ -f "${HOME}/.gpg-agent-info" ]; then
>      . "${HOME}/.gpg-agent-info"
>        export GPG_AGENT_INFO
>        export SSH_AUTH_SOCK
>        export SSH_AGENT_PID
> fi
> 
> Wouldn't that start the "target shell" (forcibly) with the agent being
> fired up and all ready for sshing?
> 
> Cheers
> 
> Stephan
> 
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 


From stebe at mailbox.org  Wed Oct 19 10:17:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Wed, 19 Oct 2016 08:17:00 +0000
Subject: smartcard reader
In-Reply-To: <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org>
References: <20161017205021.GA3273@localhost>
 <be98bfe2-1ac2-aa58-7d2c-2f638040ca3d@mailbox.org>
 <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org>
Message-ID: <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org>

Hi,

NIIBE Yutaka:
> On 10/19/2016 12:40 AM, Stephan Beck wrote:
>>> FSIJ Gnuk Token
>>> USB ID: 234b:0000
> 
> Ah...  This is not a card reader.  It is the project of Free Software
> Initiative of Japan (FSIJ) since 2010.  FSIJ acquired USB vendor ID,
> specifically for this project.  Please visit:
> 
>     https://www.fsij.org/category/gnuk.html

Went there and bookmarked it. I even went to
https://www.fsij.org/doc-gnuk/index.html and gave it a thorough read.
It's a clear, concise and well-structured doc.
> 
> Card reader products are more complex than the hardware requirement of
> Gnuk.  If you like KISS philosophy, you might prefer Gnuk Token.

The next one I'll try out will be the gnuk token.
> 
>> you can order gnuk token at/from
>> https://www.seeedstudio.com/FST-01-without-Enclosure-p-1276.html
> 
> It is sold as an evaluation board.  It happened to have Gnuk 1.0.1
> installed.   It is an implementation of reader+card.

I haven't found any information on whether gnuk token (as an
implementation of reader and card) accepts the exchange of the
integrated card (for another one)? That was one of the main reasons for
the Nitrokey Storage (based on Atmel
AT32UC3A3256S) now (in theory) permitting the exchange of the integrated
card, people like FSFE members, for instance, could not use Nitrokey Pro
as they have their own card.

> 
>> https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator.
> 
> This has TRNG implementation (NeuG 1.0.4), instead.  The source of
> noise is not that exotic, though.  You can replace the firmware to
> Gnuk by yourself.  The upgrade process doesn't require JTAG/SWD
> debugger, but having JTAG/SWD debugger is highly recommended to
> control your computing (or just in case when failure of upgrade).
> 
> Hardware is same (sans cover).  The support page is here:
> 
>     https://www.gniibe.org/category/fst-01.html
> 
> I tried to sell the hardware widely as possible with help by Seeed and
> FSF, but my capability is limited.  Selling hardware product means
> we need to follow regulations.  That's difficult for me.
> 
> 
> For Europe, I heard that Nitrokey Start runs Gnuk 1.0.4.  Availability
> of this product is better, I suppose.

Yes, I also read that they use Gnuk.
> 
> I think that Nitrokey Start and Nitrokey Pro is based on the hardware
> design of mine (although I was not involved).  I got a report to Gnuk
> Mailing list about firmware upgrade of Gnuk doesn't work well on
> Nitrokey Start.  If someone can investigate the cause and possibly fix
> an issue, it will be great.
> 
> 
> I gave a talk of Gnuk at https://openpgp-conf.org/program.html
> There is a link to my slides.

Thanks, I read the report on gnupg.org, I'll take a look at the slides.
Thanks again for this very valuable first-hand information.

Cheers (cup of coffee!)

Stephan


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161019/97a373b2/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161019/97a373b2/attachment-0001.sig>

From wk at gnupg.org  Wed Oct 19 12:56:05 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Oct 2016 12:56:05 +0200
Subject: reviewing wiki / shortlist PIN-pad readers
In-Reply-To: <fd009046-c720-92fb-863e-23a159981538@mailbox.org> (Stephan
 Beck's message of "Tue, 18 Oct 2016 11:11:00 +0000")
References: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
 <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
 <fd009046-c720-92fb-863e-23a159981538@mailbox.org>
Message-ID: <87zim0mwu2.fsf@wheatstone.g10code.de>

On Tue, 18 Oct 2016 13:11, stebe at mailbox.org said:

> For example, The Nitrokey Storage (1,2), a usb crypto stick with
> integrated card reader) is 100% open source, free software, verifiable
> firmware. On the other hand, it has no pinpad.

and using a proprietary card for the reader ;-)

SCNR,

  Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161019/cd156034/attachment.sig>

From wk at gnupg.org  Wed Oct 19 13:01:44 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Oct 2016 13:01:44 +0200
Subject: smartcard reader
In-Reply-To: <20161017205021.GA3273@localhost> (Elizabeth Ferdman's message of
 "Mon, 17 Oct 2016 13:50:22 -0700")
References: <20161017205021.GA3273@localhost>
Message-ID: <87vawomwkn.fsf@wheatstone.g10code.de>

On Mon, 17 Oct 2016 22:50, gnudevliz at gmail.com said:

> SCM SPR 532
> USB ID: 04e6:e003
> PC/SC reader name: SPRx32

FWIW, the company is known indentive but the readers still work.

> KAAN Advanced
> USB ID: 0d46:

Has problems with larger signing keys - I used it in the past.

> FSIJ Gnuk Token
> USB ID: 234b:0000

Not a reader but a token which im-plements the same interface as a
reader.  I used it all the time; despite that it is not taper
resistant.

> Reiner cyberJack Go
> USB ID: 0c4b:0504

Does not work.

> Vasco DigiPASS 920
> USB ID: 1a44:0920

Never tried.

> Cherry ST2000
> USB ID: 046a:003e

I used it for some weeks.  I stopped using it only due to local
problems.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161019/fdbc129a/attachment.sig>

From wk at gnupg.org  Wed Oct 19 13:06:48 2016
From: wk at gnupg.org (Werner Koch)
Date: Wed, 19 Oct 2016 13:06:48 +0200
Subject: smartcard reader
In-Reply-To: <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org> (Stephan
 Beck's message of "Wed, 19 Oct 2016 08:17:00 +0000")
References: <20161017205021.GA3273@localhost>
 <be98bfe2-1ac2-aa58-7d2c-2f638040ca3d@mailbox.org>
 <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org>
 <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org>
Message-ID: <87r37cmwc7.fsf@wheatstone.g10code.de>

On Wed, 19 Oct 2016 10:17, stebe at mailbox.org said:

> I haven't found any information on whether gnuk token (as an
> implementation of reader and card) accepts the exchange of the
> integrated card (for another one)? That was one of the main reasons for

There is no integrated card.  gnuk uses an SM32 MCU which implements the
OpenPGP card and CCID interface specs.  This has the huge advantage that
all software (firmware) is free software.  The drawback is that it is
not tamper resistant - your safe with important woodware documents or
your gpg key backup isn't tamper resistant either.  I prefer the free
software solution given that the attack surface is smaller.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161019/91ec0b67/attachment.sig>

From stebe at mailbox.org  Wed Oct 19 14:15:00 2016
From: stebe at mailbox.org (Stephan Beck)
Date: Wed, 19 Oct 2016 12:15:00 +0000
Subject: reviewing wiki / shortlist PIN-pad readers
In-Reply-To: <87zim0mwu2.fsf@wheatstone.g10code.de>
References: <dde77016-22b8-2e96-099f-995d59870d0d@pocock.pro>
 <e29a5b1e-e233-249f-3859-58c41f1cb1ca@fsij.org>
 <fd009046-c720-92fb-863e-23a159981538@mailbox.org>
 <87zim0mwu2.fsf@wheatstone.g10code.de>
Message-ID: <f3f2afdc-c3be-826d-880e-26d8f6c4aac6@mailbox.org>



Werner Koch:
> On Tue, 18 Oct 2016 13:11, stebe at mailbox.org said:
> 
>> For example, The Nitrokey Storage (1,2), a usb crypto stick with
>> integrated card reader) is 100% open source, free software, verifiable
>> firmware. On the other hand, it has no pinpad.
> 
> and using a proprietary card for the reader ;-)

Unfortunately, yes. At the time I was interested in beginning to use a
smart card, my focus was on the USB tokens, as I wanted to have a device
where card and reader are integrated. At that time, I didn't know of any
free software implementation other than this (which is only partially
resolved, it's true), and I did/do have a particular threat model. With
NK Storage, it should be easy to exchange the cards. On the other hand,
everyone has to know the budget he/she can spend on new devices every x
months. I'm unemployed at the moment, so I can't whitewash my free
software chemise that quickly and will have to wait a bit...

Cheers (another cup),

Stephan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161019/03889016/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161019/03889016/attachment.sig>

From gpg at noffin.com  Wed Oct 19 18:16:23 2016
From: gpg at noffin.com (gpg at noffin.com)
Date: Wed, 19 Oct 2016 09:16:23 -0700
Subject: Why are my expiration dates different?
Message-ID: <62de007d347e6d00ae45a80e42991af8.squirrel@isp.srvrs.co>

When I run the command:

gpg --list-secret-keys
<snip>
/home/repo-owner/.gnupg/secring.gpg
-----------------------------------
sec   2048R/XXXXXXXXX 2014-10-30 [expires: 2016-10-29]
</snip>

It shows the expiration date as: [expires: 2016-10-2.

But then when I edit the key with:

gpg --edit-key XXXXXXXXX
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/XXXXXXXXX  created: 2014-10-30  expires: 2017-10-31  usage: SC
                               trust: ultimate      validity: ultimate
sub  2048R/XXXXXXXXX  created: 2014-10-30  expires: 2017-10-31  usage: E

The keys show: expires: 2017-10-31 (which is what I expected).

I had done to extend:

# extend the expiration date on your key (Be sure to review sub keys).
$ gpg --edit-key <key id>
gpg> expire
gpg> save
# extend the expiration date on your sub key
$ gpg --edit-key <subkey id>
gpg> key <key #>
gpg> expire
gpg> save

I just want to be safe that my key expiration was updated properly.

Thank you in advance.



From kevin at z.cash  Wed Oct 19 18:45:42 2016
From: kevin at z.cash (Kevin Gallagher)
Date: Wed, 19 Oct 2016 09:45:42 -0700
Subject: Invalid packet/keyring. How to find out what's responsible?
Message-ID: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash>

I've been seeing this error lately both with one of my local GPG
keyrings, and with apt.

    gpg: [don't know]: invalid packet (ctb=2d)
    gpg: keydb_get_keyblock failed: Value not found
    gpg: [don't know]: invalid packet (ctb=2d)
    gpg: /tmp/tmp.rObzKgJEj5/pubring.gpg: copy to
    '/tmp/tmp.rObzKgJEj5/pubring.gpg.tmp' failed: Invalid packet
    gpg: error writing keyring '/tmp/tmp.rObzKgJEj5/pubring.gpg':
    Invalid packet
    gpg: [don't know]: invalid packet (ctb=2d)
    gpg: error reading '-': Invalid packet
    gpg: import from '-' failed: Invalid packet

In the latter case, I solved it by exporting all my keys and importing
them back again. But that doesn't work this time:

apt-key exportall says: gpg: key export failed: Invalid keyring

How can I figure out which specific key is corrupted or responsible for
this, so I can repair my keyring?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161019/d4c0042d/attachment.html>

From ndk.clanbo at gmail.com  Wed Oct 19 21:47:21 2016
From: ndk.clanbo at gmail.com (NdK)
Date: Wed, 19 Oct 2016 21:47:21 +0200
Subject: smartcard reader
In-Reply-To: <87r37cmwc7.fsf@wheatstone.g10code.de>
References: <20161017205021.GA3273@localhost>
 <be98bfe2-1ac2-aa58-7d2c-2f638040ca3d@mailbox.org>
 <06f81884-d8eb-5032-f4fa-75affba265c6@fsij.org>
 <454a6247-e618-451a-2a07-d375aacedf82@mailbox.org>
 <87r37cmwc7.fsf@wheatstone.g10code.de>
Message-ID: <f8519e70-9a70-7bf4-e309-7f0995e7a325@gmail.com>

Il 19/10/2016 13:06, Werner Koch ha scritto:

> There is no integrated card.  gnuk uses an SM32 MCU which implements the
> OpenPGP card and CCID interface specs.  This has the huge advantage that
> all software (firmware) is free software.  The drawback is that it is
> not tamper resistant - your safe with important woodware documents or
> your gpg key backup isn't tamper resistant either.  I prefer the free
> software solution given that the attack surface is smaller.
Well, actually the situation is a bit better: the keys at rest are
stored encrypted, even if kdf function uses less rounds not to slow down
unlocking too much... So even if an adversary manages to get the token
and retrieve the memory contents, he still have to find the passphrase
to decode the keys. Quite like the situation where he somehow accesses
your privring from a powered down computer.

BYtE,
 Diego



From dkg at fifthhorseman.net  Wed Oct 19 23:22:35 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 19 Oct 2016 17:22:35 -0400
Subject: Invalid packet/keyring. How to find out what's responsible?
In-Reply-To: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash>
References: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash>
Message-ID: <87zim0dof8.fsf@alice.fifthhorseman.net>

Hi Kevin--

On Wed 2016-10-19 12:45:42 -0400, Kevin Gallagher wrote:
> I've been seeing this error lately both with one of my local GPG
> keyrings, and with apt.
>
>     gpg: [don't know]: invalid packet (ctb=2d)
>     gpg: keydb_get_keyblock failed: Value not found
>     gpg: [don't know]: invalid packet (ctb=2d)
>     gpg: /tmp/tmp.rObzKgJEj5/pubring.gpg: copy to
>     '/tmp/tmp.rObzKgJEj5/pubring.gpg.tmp' failed: Invalid packet
>     gpg: error writing keyring '/tmp/tmp.rObzKgJEj5/pubring.gpg':
>     Invalid packet
>     gpg: [don't know]: invalid packet (ctb=2d)
>     gpg: error reading '-': Invalid packet
>     gpg: import from '-' failed: Invalid packet
>
> In the latter case, I solved it by exporting all my keys and importing
> them back again. But that doesn't work this time:
>
> apt-key exportall says: gpg: key export failed: Invalid keyring
>
> How can I figure out which specific key is corrupted or responsible for
> this, so I can repair my keyring?

what version of apt?  what version of gpg?  it sounds to me like you
have some public keyring that is ascii-armored instead of raw.  you
might manually (individually) test /etc/apt/trusted.gpg and
/etc/apt/trusted.gpg.d/*.gpg to see whether they're ascii-armored or
not.

for example:

    grep 'BEGIN PGP' /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg

hth,

        --dkg


From kevin at z.cash  Wed Oct 19 23:41:06 2016
From: kevin at z.cash (Kevin Gallagher)
Date: Wed, 19 Oct 2016 14:41:06 -0700
Subject: Invalid packet/keyring. How to find out what's responsible?
In-Reply-To: <87zim0dof8.fsf@alice.fifthhorseman.net>
References: <40454d9f-6d34-6d44-248b-57d1f65087de@z.cash>
 <87zim0dof8.fsf@alice.fifthhorseman.net>
Message-ID: <42d2abde-6ba9-7bae-226f-21cf7d91329e@z.cash>

That'll do it! Thanks.


On 10/19/2016 02:22 PM, Daniel Kahn Gillmor wrote:
> Hi Kevin--
>
> On Wed 2016-10-19 12:45:42 -0400, Kevin Gallagher wrote:
>> I've been seeing this error lately both with one of my local GPG
>> keyrings, and with apt.
>>
>>     gpg: [don't know]: invalid packet (ctb=2d)
>>     gpg: keydb_get_keyblock failed: Value not found
>>     gpg: [don't know]: invalid packet (ctb=2d)
>>     gpg: /tmp/tmp.rObzKgJEj5/pubring.gpg: copy to
>>     '/tmp/tmp.rObzKgJEj5/pubring.gpg.tmp' failed: Invalid packet
>>     gpg: error writing keyring '/tmp/tmp.rObzKgJEj5/pubring.gpg':
>>     Invalid packet
>>     gpg: [don't know]: invalid packet (ctb=2d)
>>     gpg: error reading '-': Invalid packet
>>     gpg: import from '-' failed: Invalid packet
>>
>> In the latter case, I solved it by exporting all my keys and importing
>> them back again. But that doesn't work this time:
>>
>> apt-key exportall says: gpg: key export failed: Invalid keyring
>>
>> How can I figure out which specific key is corrupted or responsible for
>> this, so I can repair my keyring?
> what version of apt?  what version of gpg?  it sounds to me like you
> have some public keyring that is ascii-armored instead of raw.  you
> might manually (individually) test /etc/apt/trusted.gpg and
> /etc/apt/trusted.gpg.d/*.gpg to see whether they're ascii-armored or
> not.
>
> for example:
>
>     grep 'BEGIN PGP' /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*.gpg
>
> hth,
>
>         --dkg



From dkg at fifthhorseman.net  Thu Oct 20 00:44:53 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 19 Oct 2016 18:44:53 -0400
Subject: Why are my expiration dates different?
In-Reply-To: <62de007d347e6d00ae45a80e42991af8.squirrel@isp.srvrs.co>
References: <62de007d347e6d00ae45a80e42991af8.squirrel@isp.srvrs.co>
Message-ID: <87r37cdkm2.fsf@alice.fifthhorseman.net>

On Wed 2016-10-19 12:16:23 -0400, gpg at noffin.com wrote:
> When I run the command:
>
> gpg --list-secret-keys
> <snip>
> /home/repo-owner/.gnupg/secring.gpg
> -----------------------------------
> sec   2048R/XXXXXXXXX 2014-10-30 [expires: 2016-10-29]
> </snip>
 [...]
> gpg --edit-key XXXXXXXXX
> gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Secret key is available.
>
> pub  2048R/XXXXXXXXX  created: 2014-10-30  expires: 2017-10-31  usage: SC

the difference here is looking at secret keys and public keys.  in
gpg version 1.4.x or 2.0.x, those are not well-synchronized.  the
expiration date seen in the pubring.gpg is the thing that any other user
will see, so that's the one to rely on.

in gpg version 2.1.x or later, the metadata is synchronized across
secret keys and publicly (more specifically, the view of the secret keys
shows the date that comes from the public keyring).

      --dkg


From daniel at pocock.pro  Thu Oct 20 09:49:20 2016
From: daniel at pocock.pro (Daniel Pocock)
Date: Thu, 20 Oct 2016 09:49:20 +0200
Subject: smartcard reader
In-Reply-To: <87vawomwkn.fsf@wheatstone.g10code.de>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
Message-ID: <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>



On 19/10/16 13:01, Werner Koch wrote:
> On Mon, 17 Oct 2016 22:50, gnudevliz at gmail.com said:
> 
>> SCM SPR 532 USB ID: 04e6:e003 PC/SC reader name: SPRx32
> 
> FWIW, the company is known indentive but the readers still work.
> 
>> KAAN Advanced USB ID: 0d46:
> 
> Has problems with larger signing keys - I used it in the past.
> 
>> FSIJ Gnuk Token USB ID: 234b:0000
> 
> Not a reader but a token which im-plements the same interface as a 
> reader.  I used it all the time; despite that it is not taper 
> resistant.
> 
>> Reiner cyberJack Go USB ID: 0c4b:0504
> 
> Does not work.
> 
>> Vasco DigiPASS 920 USB ID: 1a44:0920
> 
> Never tried.
> 
>> Cherry ST2000 USB ID: 046a:003e
> 
> I used it for some weeks.  I stopped using it only due to local 
> problems.
> 

Thanks for helping eliminate some of those from the list, is anybody
able to update the wiki?

Are there any new options that weren't listed already?

I also added another blog about choosing hardware today:


https://danielpocock.com/choosing-smartcards-readers-hardware-for-outreachy-2016


Regards,

Daniel


From initramfs at initramfs.io  Thu Oct 20 12:29:05 2016
From: initramfs at initramfs.io (initramfs)
Date: Thu, 20 Oct 2016 06:29:05 -0400
Subject: Concerning subkey passwords: changes to private key storage method?
Message-ID: <0e31c534-9df7-5a69-1e70-8f78259fe3aa@initramfs.io>

Dear GnuPG mailing list,

Recently I've attempted to create a new GPG key (one master + 2 subkeys)
with gpg --full-gen-key --expert and at the end of the key generation
process (including gpg --edit-key --expert) I noticed I never got to set
specific passwords/passphrases per subkey. This comes in contrast to my
older GPG 2.1 master key, which requires a separate password per subkey
(and one for the master).

If I recall correctly, GPG private keys are stored under symmetric
encryption where a PBKDF derives the symmetric encryption key,
protecting the keys in case of compromise. Having separate passwords per
subkey implies that each key is encrypted and stored separately. This
does not seem to be the case with newer keys. Has the key storage method
changed? Or I am missing an obvious option to set it as such?

What's even more weird is that if I import my old master key into
keychain, I get the "old" behavior of separate passwords for that
specific key. Exporting and reimporting does not change the behavior.
Whereas there doesn't seem to be an option (at least in --edit-key) to
use the behavior of one password per subkey.

Was there a change made within the 2.1.x branch that changed the
behavior of key storage/encryption? If so, is there a way to toggle
between the aforementioned behaviors?

Regards,
initramfs

N.B. I'm fairly certain the "old" key I have was created with GPG 2.1
given that it's an ECC key. I've recently moved from Arch to Gentoo, if
that matters at all (using the same GnuPG version).


From lists at michel-messerschmidt.de  Thu Oct 20 19:46:32 2016
From: lists at michel-messerschmidt.de (lists at michel-messerschmidt.de)
Date: Thu, 20 Oct 2016 17:46:32 +0000
Subject: smartcard reader
In-Reply-To: <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
 <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>
Message-ID: <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>Are there any new options that weren't listed already?

yubikey4

Although I had very good experience with the SPR 532 (and a lot of trouble with another Cyberjack reader, the Comfort IIRC), the yubikey token has a better trade-off between usability and security for me.

Mainly because its usable on mobile devices through openkeychain, but good support of 4k RSA keys is also welcome. Lack of a pin-pad is the main drawback. Tamper resistance and firmware source may be other discussion topics.


Regards,
Michel
- --
This mail scanned by NSA Internet Security
-----BEGIN PGP SIGNATURE-----

iQJRBAEBCgA7NBxNaWNoZWwgTWVzc2Vyc2NobWlkdCA8bWFpbEBtaWNoZWwtbWVz
c2Vyc2NobWlkdC5kZT4FAlgJAu8ACgkQvTGBzyTSHbXPgw/+MQF13bXPrfVB6PS/
QkmVWiXJV2T18hm7jeg3V3eusGX2pgiRxZ6quK0xuB1zYpSOqmBHJYwE7CE+AZcK
x0Z95JQSGGQ5cnZl1npsk41vMibdvr5LVYLRGT4h5VNPubOzp6BAV+Az9yMk1q8d
wE8AU2mONWyoyWhZibZ/K5wFWG8neoIJKB1c9xh7FskncdCd3F/Hf0w0MdfAuf5H
q8lDXaMfhTBBqNk913V04cp/tn5rTTiTQ2MqyNglqhmNBUDD6DaCD3KF8ycgqXmC
WGNgWNnmxfDdEI7sGo+p9IF0lQNYdRWcTtUyNs3QZZr0+xw0qLQI3cDMm+VKoes6
3RTZc3/m6kltjVOoq8vcPl7HAoiBojHzt1oC4ggXsQ3NQCJaiLKns15TlQ4QzI3Y
0Z5admjxEKq9rZ84knwwXWVucHLBUZ2+lQm7vZISyHkFXHZhCb9BwOlRKv//Jxsd
DAhlKjOoryWae23P5NtOyRLaY9OSQQi8iNGKevgAqLMiboTr6L4gj6fIhRBp3BG+
72nKUsWyTxs89mvx3rDtbRJ+6LzWt1njOoozbxm3fc844ml3Nh1P1SIe709sy0iH
yzoMFv3iiLC3WB/vYEkSjGQaDRk3FYu8c0wcushInSBHG+gDTjQgTxxbtOoL1sx+
TPTWrPpI1yWWlUx2mS7ffXkDfy4=
=hCnc
-----END PGP SIGNATURE-----



From thomas.jarosch at intra2net.com  Fri Oct 21 18:36:33 2016
From: thomas.jarosch at intra2net.com (Thomas Jarosch)
Date: Fri, 21 Oct 2016 18:36:33 +0200
Subject: smartcard reader
In-Reply-To: <87vawomwkn.fsf@wheatstone.g10code.de>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
Message-ID: <e2f09131-da62-b833-c3b2-dc95de2bc902@intra2net.com>

Am 19.10.2016 um 13:01 schrieb Werner Koch:
[list of card readers]
>> SCM SPR 532
>> USB ID: 04e6:e003
>> PC/SC reader name: SPRx32
>
> ..
>
>> Reiner cyberJack Go
>> USB ID: 0c4b:0504
> 
> Does not work.

I've posted a "success report" about card readers a year ago:
https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054102.html

The Reiner cyberJack Go "plus" (USB id 0c4b:0504) works fine,
not sure about the version with "plus" though.

The Cherry ST-2000 reader is a bit bulky, personally I like
the SPR 532 but the cyberJack Go has a nice display
and is easy to carry around.


Yesterday I've came up with the idea if the cyberJack Go reader would
also work with a USB OTG adapter on an Android based phone. Might be a
nice alternative to NFC + software based pinpad.
-> I will test this once I get my hands on an USB OTG adapter.

HTH,
Thomas


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161021/b011eb3e/attachment.sig>

From thomas at glanzmann.de  Sat Oct 22 10:46:29 2016
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Sat, 22 Oct 2016 10:46:29 +0200
Subject: yubikey 4 openkeychain rsa [WAS: smartcard reader]
In-Reply-To: <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
 <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>
 <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>
Message-ID: <20161022084629.GD11644@glanzmann.de>

Hello Michel,

[RESEND: forgot list]

> Mainly because its usable on mobile devices through openkeychain

I have two yubikeys myself, one yubikey 4 nano constantly plugged into
my main workstation and another yubikey4 on my keychain. I use it for
ssh authentication and gpg also using ssh and gpg agent forwarding.
Works like a charm. But since the yubikey has no option for RFID I
wonder how you can use it on android? I use maildroid to read my email
on android. Is there a step by step howto how to get that working?

Cheers,
        Thomas


From wk at gnupg.org  Sat Oct 22 12:43:15 2016
From: wk at gnupg.org (Werner Koch)
Date: Sat, 22 Oct 2016 12:43:15 +0200
Subject: Concerning subkey passwords: changes to private key storage
 method?
In-Reply-To: <0e31c534-9df7-5a69-1e70-8f78259fe3aa@initramfs.io>
 (initramfs@initramfs.io's message of "Thu, 20 Oct 2016 06:29:05
 -0400")
References: <0e31c534-9df7-5a69-1e70-8f78259fe3aa@initramfs.io>
Message-ID: <87a8dwk6kc.fsf@wheatstone.g10code.de>

On Thu, 20 Oct 2016 12:29, initramfs at initramfs.io said:

> If I recall correctly, GPG private keys are stored under symmetric
> encryption where a PBKDF derives the symmetric encryption key,
> protecting the keys in case of compromise. Having separate passwords per
> subkey implies that each key is encrypted and stored separately. This

Right.  However, gpg tries to make sure that the same passphrase is used
for the primary and the subkeys.  This has always been the case.

A new thing we do in 2.1 is to try a cached passphrase from any key on
the keyblock.  This solves the common use case to first decrypt a
message (using a subkey) and then send a signed reply (using the primary
key).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 162 bytes
Desc: not available
URL: </pipermail/attachments/20161022/070b595c/attachment.sig>

From thomas.jarosch at intra2net.com  Sat Oct 22 14:32:39 2016
From: thomas.jarosch at intra2net.com (Thomas Jarosch)
Date: Sat, 22 Oct 2016 14:32:39 +0200
Subject: smartcard reader
In-Reply-To: <20161021222626.6ugpnkn56kmgnbwn@len.workgroup>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
 <e2f09131-da62-b833-c3b2-dc95de2bc902@intra2net.com>
 <20161021222626.6ugpnkn56kmgnbwn@len.workgroup>
Message-ID: <fa36de91-e7e8-6957-de0e-305695b6e9b0@intra2net.com>

Am 22.10.2016 um 00:26 schrieb Gregor Zattler:
>> I've posted a "success report" about card readers a year ago:
>> https://lists.gnupg.org/pipermail/gnupg-users/2015-August/054102.html
>>
>> The Reiner cyberJack Go "plus" (USB id 0c4b:0504) works fine,
>> not sure about the version with "plus" though.
> 
> Isn't there a contradiction between the last line and the line
> before the last one?  Sorry: did you test the "plus" version or not?

yes, I noticed, too, after sending the message :o)
I tested the plus version. The "with" should be a "without".
See the earlier success report.

May be we can add pictures to the wiki of some readers
or include a side-by-side picture. I still have all three
of them sitting on my desk. That might help others to decide.

Cheers,
Thomas



From keastes at gmail.com  Sat Oct 22 20:26:18 2016
From: keastes at gmail.com (kendrick eastes)
Date: Sat, 22 Oct 2016 12:26:18 -0600
Subject: yubikey 4 openkeychain rsa [WAS: smartcard reader]
In-Reply-To: <20161022084629.GD11644@glanzmann.de>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
 <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>
 <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>
 <20161022084629.GD11644@glanzmann.de>
Message-ID: <CAEydrT8LOmu8jyzmzsU3YPD75pTiyxgduJKqL6rakbcdKBw2ow@mail.gmail.com>

The Yubikey Neo has NFC which is how it is usable with android. There is a
video of it in action here:
https://grepular.com/An_NFC_PGP_SmartCard_For_Android

On Sat, Oct 22, 2016 at 2:46 AM, Thomas Glanzmann <thomas at glanzmann.de>
wrote:

> Hello Michel,
>
> [RESEND: forgot list]
>
> > Mainly because its usable on mobile devices through openkeychain
>
> I have two yubikeys myself, one yubikey 4 nano constantly plugged into
> my main workstation and another yubikey4 on my keychain. I use it for
> ssh authentication and gpg also using ssh and gpg agent forwarding.
> Works like a charm. But since the yubikey has no option for RFID I
> wonder how you can use it on android? I use maildroid to read my email
> on android. Is there a step by step howto how to get that working?
>
> Cheers,
>         Thomas
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161022/f2ddc449/attachment.html>

From mls at bjoern-kahl.de  Sun Oct 23 00:16:57 2016
From: mls at bjoern-kahl.de (Bjoern Kahl)
Date: Sun, 23 Oct 2016 00:16:57 +0200
Subject: smartcard reader
In-Reply-To: <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
 <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>
 <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>
Message-ID: <53ad93a4-1ede-b8fd-9193-a973aa6fe37f@bjoern-kahl.de>


 Hi All,

Am 20.10.16 um 19:46 schrieb lists at michel-messerschmidt.de:
>> Are there any new options that weren't listed already?
> 
> yubikey4
> 
> Although I had very good experience with the SPR 532 (and a lot of trouble with another Cyberjack reader, the Comfort IIRC), the yubikey token has a better trade-off between usability and security for me.
> 
> Mainly because its usable on mobile devices through openkeychain, but good support of 4k RSA keys is also welcome. Lack of a pin-pad is the main drawback. Tamper resistance and firmware source may be other discussion topics.

 Not sure the YubiKey4 is a good choice to start with.  I bought one
 specifically for use with GnuPG (and for its U2F support).  I had a
 lot of troubles getting my YubiKey on it.  It finally worked using a
 recent Ubuntu, but on my Macbook with MacOS "El Capitan" I am unable
 to access the keys.  I only get "card error".  Digging deeper with
 dtruss (kind of "strace") I got as far as that scdaemon gets a "pcsc:
 sharing violation".

 I /think/ it worked exactly once.  But then I played a bit with the
 PIV applet on the YubiKey (using yubico's piv-tool), and since then
 I can not get to the OpenPGP applet on the YubiKey.  Only the PIV
 works (I see my x509 certificates in there in Keychain and can used
 in Safari to authenticate to for example StartSSL.com)

 (Any hints to get PIV and OpenPGP work side-by-side are most welcome.)


 Tl;dr:

 If adding the YubiKey, then there should be a warning not to never
 play with the PIV applet on it.


 Best regards

    Bj?rn

-- 
|     Bjoern Kahl   +++   Siegburg   +++    Germany     |
|     "mls at -my-domain-"   +++    www.bjoern-kahl.de     |
| Languages: German, English, Ancient Latin (a bit :-)) |


From thomas at glanzmann.de  Sun Oct 23 08:20:04 2016
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Sun, 23 Oct 2016 08:20:04 +0200
Subject: yubikey 4 openkeychain rsa [WAS: smartcard reader]
In-Reply-To: <CAEydrT8LOmu8jyzmzsU3YPD75pTiyxgduJKqL6rakbcdKBw2ow@mail.gmail.com>
References: <20161017205021.GA3273@localhost>
 <87vawomwkn.fsf@wheatstone.g10code.de>
 <cadbb8d0-911d-2c1c-2c86-57ba7f968a4f@pocock.pro>
 <57F6B1EC-02E1-4496-B0B8-E8C0EE939484@michel-messerschmidt.de>
 <20161022084629.GD11644@glanzmann.de>
 <CAEydrT8LOmu8jyzmzsU3YPD75pTiyxgduJKqL6rakbcdKBw2ow@mail.gmail.com>
Message-ID: <20161023062004.GE12077@glanzmann.de>

Hello,

> The Yubikey Neo has NFC which is how it is usable with android. There is a
> video of it in action here:
> https://grepular.com/An_NFC_PGP_SmartCard_For_Android

I know about the Yubikey Neo. However it can only do 2048 Bit RSA. So
I'm really interested how to use the Yubikey 4 or Yubikey 4 Nano without
NFC with Android. Googeling a little bit around it seems there is patch
which works for some people but I was unable to find a howto use it.

Cheers,
        Thomas


From kevin at z.cash  Sun Oct 23 09:34:14 2016
From: kevin at z.cash (Kevin Gallagher)
Date: Sun, 23 Oct 2016 00:34:14 -0700
Subject: Why doesn't gpg-agent forwarding work?
In-Reply-To: <20161018195812.GI9435@glanzmann.de>
References: <d87fe2fe-4a3b-c51b-a9a0-385c8f557493@z.cash>
 <1e39042d-f319-9170-4c89-c38c0c84028a@z.cash>
 <20161017054539.GA17983@glanzmann.de>
 <86a9a7a8-351c-6152-6f39-697422b09fbb@z.cash>
 <20161018195812.GI9435@glanzmann.de>
Message-ID: <63eeeb87-477d-049d-1c81-c268438f1b1f@z.cash>

Ok, I figured out the cause of the problem I was having. As is indicated
in your message, one must have the corresponding public keys in the
remote keyring before the secret keys from the forwarded gpg-agent are
listed as available.

Thank you Thomas. I hope others will find this useful.


On 10/18/2016 12:58 PM, Thomas Glanzmann wrote:
> Hello Kevin,
>
>> Thanks for the advice. But as I mentioned, I tried using GnuPG 2.1.15
>> on the target machine as well (via the packages in Debian sid), and
>> this did not work. gpg2 is simply not speaking to the forwarded
>> gpg-agent socket, however gpg-connect-agent can. Any other ideas?
> Check your configuration (gpg-agent.conf and gpg.conf). You have to put
> this two files on the remote and local machine. Also Understand how gpg
> 2.1.x interacts with gnupg from the diagram below. Enable debugging in
> the gpg agent.
>
> Forward GPG socket
> ------------------
> # On the server
> echo 'StreamLocalBindUnlink yes' >> /etc/ssh/sshd_config
> sudo /etc/init.d/ssh restart
>
> # On the client
> ssh -R /home/sithglan/.gnupg/S.gpg-agent:/home/sithglan/.gnupg/S.gpg-agent-extra gmvl.de
>
> List secret keys
> ----------------
> gpg-connect-agent "keyinfo --list" /bye
>
> GPG Agent Configuration
> -----------------------
> .gnupg/gpg-agent.conf
> pinentry-program /usr/bin/pinentry
> extra-socket /home/sithglan/.gnupg/S.gpg-agent-extra
> enable-ssh-support
> default-cache-ttl 600
> max-cache-ttl 7200
> keep-tty
> keep-display
> # debug-level guru
> # debug-all
> # log-file /tmp/gpg-agent.log
>
> Remote GPG Setup
> ----------------
> # Achtung vorher Backup machen
> rm .gnupg/secring* .gnupg/pubring* .gnupg/private-keys-v1.d/*
> # For every public key
> gpg2 --recv-key 0x9D106472D6D50DBA
> gpg2 --recv-key 0x03BF970657E19B02
>
> # After that private keys should be listed
> gpg2 -K
>
> cat <<EOF > .gnupg/gpg.conf
> keyserver hkps://hkps.pool.sks-keyservers.net
> keyserver-options no-honor-keyserver-url
> cert-digest-algo SHA512
> no-greeting
> lock-once
> default-key 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
> encrypt-to 1DD3BBDC897A94CD03F451B09D106472D6D50DBA
> keyid-format 0xlong
> use-agent
> with-fingerprint
> quiet
> default-recipient-self
> no-secmem-warning
> keyserver-options auto-key-retrieve
> no-auto-check-trustdb
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> EOF
>
> GNUPG Interaction
> -----------------
>
> Here are steps and the interaction.
>
> (1) here are the processes
>  [gpgme]----[gpg]====[gpg-agent]----[scdaemon]
>                   ^--- possibly by forwarded socket
>
> (2) A client program (Mutt, in your case) asks decryption through gpgme
>        decrypt
>  [gpgme]--->[gpg]----[gpg-agent]----[scdaemon]
>
> (3) it goes to scdaemon
>                decrypt
>  [gpgme]----[gpg]--->[gpg-agent]----[scdaemon]
>
>                               decrypt
>  [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]
>
> (4) if the token is not authenticated yet,
>     scdaemon asks a user PIN back through gpg-agent
>                                "PIN please"
>  [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]
>
>
> (5) Then, gpg-agent invokes pinentry.
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           |
>             [pinentry]<---/
>
> (6) pinentry pops up GUI dialog window to user.
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           |
>   User <----[pinentry]----/
>
> (7) User inputs PIN by the dialog.
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           |
>   User ---->[pinentry]----/
>         PIN
>
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]
>                           ^
>             [pinentry]----/
>                       PIN
>
>                                 PIN
>  [gpgme]----[gpg]----[gpg-agent]--->[scdaemon]
>
> (8) scdaemon sends the pin to the token to authenticate.
>                                               PIN
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]
>
> (9) Token is ready to decrypt, now.
>     scdaemon sends encrypted message to the token.
>                                               decrypt
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]-->[token]
>
> (10) token replies back by decrypted message.... to gpgme.
>                                             decrypted
>  [gpgme]----[gpg]----[gpg-agent]----[scdaemon]<--[token]
>
>                                 decrypted
>  [gpgme]----[gpg]----[gpg-agent]<---[scdaemon]
>
>                  decrypted
>  [gpgme]----[gpg]<---[gpg-agent]----[scdaemon]
>
>        decrypted
>  [gpgme]<---[gpg]----[gpg-agent]----[scdaemon]
>
> Cheers,
>         Thomas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161023/26217d90/attachment-0001.html>

From amiteshmishra2005 at gmail.com  Tue Oct 25 05:06:30 2016
From: amiteshmishra2005 at gmail.com (Amitesh Mishra)
Date: Mon, 24 Oct 2016 23:06:30 -0400
Subject: pinentry dialog
Message-ID: <CABUdgPCryLDVy+dVpp2s4Z4HwNc14bfOBq3iAQxSeJGveGKKyA@mail.gmail.com>

hi ,

I am using GnuPG 2.1.15 version installation on  windows 2008 R2.
[image: Inline image 1]
While decryption , the pinentry pop up shows up although i have tried the
following:

1.  Added the passphrase to the perl script in the following manner

system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output
$CONTACTDECRYPT --yes --decrypt $CONTACTTARGET");

where
$PASSFILE = 'abc123$$';
$CONTACTTARGET = "XXX.pgp";
$CONTACTDECRYPT = "text.dat";

2. preset passphrase as shown below :
C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir C:\Users\XXX\Ap
pData\Roaming\gnupg "preset_passphrase
B6938993903C4590B75FA651035A38377BE10CD8
-1 53656324537465663123313233" /bye
OK

Please suggest what i need to do so that i am able to pass on the
passphrase without the pop up.

-- 
############################
Thanks & Regards,
 Amitesh Mishra
###########################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161024/98f79818/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 11064 bytes
Desc: not available
URL: </pipermail/attachments/20161024/98f79818/attachment.png>

From janardhan.bonthu at isd.sccgov.org  Wed Oct 26 01:18:40 2016
From: janardhan.bonthu at isd.sccgov.org (Bonthu, Janardhan)
Date: Tue, 25 Oct 2016 23:18:40 +0000
Subject: Cant decrypt in IIS hosted wcf service but works fine in console
Message-ID: <BY1PR09MB0613E668A07666BD0EFA8195A2A80@BY1PR09MB0613.namprd09.prod.outlook.com>

Hello Team,

.Net WCF service development issues with GPG.

I am using GPG for Encryption and Decryption of the message, however, I could not decrypt the message in WCF service hosted in IIS. But I can decrypt using the same code in console application.

Please check the same and do the needful.

Error : {"gpg: encrypted with RSA key, ID 642C729C\r\ngpg: encrypted with RSA key, ID 765F4971\r\ngpg: decryption failed: No secret key\r\n"}

Thanks & Regards,
Janardhan Bonthu
Information Services Department
1555 Berger Drive, Bldg. 2, Floor 2
San Jose, CA 95112
Phone:  408.918.2705

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161025/45564598/attachment.html>

From dkg at fifthhorseman.net  Wed Oct 26 15:39:59 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 26 Oct 2016 09:39:59 -0400
Subject: Cant decrypt in IIS hosted wcf service but works fine in console
In-Reply-To: <BY1PR09MB0613E668A07666BD0EFA8195A2A80@BY1PR09MB0613.namprd09.prod.outlook.com>
References: <BY1PR09MB0613E668A07666BD0EFA8195A2A80@BY1PR09MB0613.namprd09.prod.outlook.com>
Message-ID: <8737jjfcuo.fsf@alice.fifthhorseman.net>

On Tue 2016-10-25 19:18:40 -0400, Bonthu, Janardhan wrote:

> .Net WCF service development issues with GPG.
>
> I am using GPG for Encryption and Decryption of the message, however,
> I could not decrypt the message in WCF service hosted in IIS. But I
> can decrypt using the same code in console application.
>
> Please check the same and do the needful.
>
> Error : {"gpg: encrypted with RSA key, ID 642C729C\r\ngpg: encrypted with RSA key, ID 765F4971\r\ngpg: decryption failed: No secret key\r\n"}

Is IIS running as the same user account as the console application?  If
they're different user accounts, it seems likely that they'd have access
to different secret keyrings.

   --dkg


From peter at digitalbrains.com  Wed Oct 26 18:12:21 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 26 Oct 2016 18:12:21 +0200
Subject: pinentry dialog
In-Reply-To: <CABUdgPCryLDVy+dVpp2s4Z4HwNc14bfOBq3iAQxSeJGveGKKyA@mail.gmail.com>
References: <CABUdgPCryLDVy+dVpp2s4Z4HwNc14bfOBq3iAQxSeJGveGKKyA@mail.gmail.com>
Message-ID: <af7b2aee-c2ac-9768-8598-7b9e04f4d6d2@digitalbrains.com>

On 25/10/16 05:06, Amitesh Mishra wrote:
> 1.  Added the passphrase to the perl script in the following manner
> 
> system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output
> $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET");

You need to add "--pinentry-mode loopback" to the arguments.

Also, while this is all fine for testing and debugging, it doesn't appear to
make sense in production. What use is it to encrypt file A with a passphrase
that is in plaintext in file B? Better not to encrypt file A, your private key,
in the first place, since you gain nothing in protection in the general case.
Then you don't need passphrase entry anymore, the key will Just Work(TM).

> 2. preset passphrase as shown below :
> C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir C:\Users\XXX\Ap
> pData\Roaming\gnupg "preset_passphrase B6938993903C4590B75FA651035A38377BE10CD8
> -1 53656324537465663123313233" /bye
> OK

preset_passphrase takes a *keygrip* not a *fingerprint*. You can find the
keygrip as follows:

$ gpg2 --with-keygrip -K 035A38377BE10CD8

For my test key, it's as follows:

sec   rsa2048/3E7F0306 2013-07-26 [SC] [expires: 2016-11-02]
      Keygrip = BDAB81746D3696C48746896F4EA1670D312148C7
uid         err Test extra UID
uid         err Test more extra UID
uid         err Testkey
ssb   rsa2048/459A39FE 2014-01-09 [E] [expires: 2016-11-02]
      Keygrip = 815F15F918ECF9922D4CF60D0ED5C03143746201

If I want to prime the passphrase for decryption, I would use the keygrip
815F15F918ECF9922D4CF60D0ED5C03143746201. For the passphrase for signing, I
would need the other keygrip instead.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From amiteshmishra2005 at gmail.com  Wed Oct 26 19:57:53 2016
From: amiteshmishra2005 at gmail.com (Amitesh Mishra)
Date: Wed, 26 Oct 2016 13:57:53 -0400
Subject: pinentry dialog
In-Reply-To: <af7b2aee-c2ac-9768-8598-7b9e04f4d6d2@digitalbrains.com>
References: <CABUdgPCryLDVy+dVpp2s4Z4HwNc14bfOBq3iAQxSeJGveGKKyA@mail.gmail.com>
 <af7b2aee-c2ac-9768-8598-7b9e04f4d6d2@digitalbrains.com>
Message-ID: <CABUdgPAWufYQmF0fsfCbJo7jJbV_zCi8AEA+-R827xgxf4JC4Q@mail.gmail.com>

Thanks Peter for your reply. When i tried adding "--pinentry-mode loopback"
in the argument, i dont get the pinentry dialog but it says:

*gpg: encrypted with 2048-bit RSA key, ID 035A38377BE10CD8, created
2016-09-23*
*      "XXX Inc. <ABC at XXX.com>"*
*gpg: public key decryption failed: Bad passphrase*
*gpg: decryption failed: No secret key*

If i remove the pinentry parameter, the same password works fine. Any
suggestions on that ?

Regards,
Amitesh

On Wed, Oct 26, 2016 at 12:12 PM, Peter Lebbing <peter at digitalbrains.com>
wrote:

> On 25/10/16 05:06, Amitesh Mishra wrote:
> > 1.  Added the passphrase to the perl script in the following manner
> >
> > system ("type $PASSFILE | gpg --no-tty --batch --passphrase-fd 0 --output
> > $CONTACTDECRYPT --yes --decrypt $CONTACTTARGET");
>
> You need to add "--pinentry-mode loopback" to the arguments.
>
> Also, while this is all fine for testing and debugging, it doesn't appear
> to
> make sense in production. What use is it to encrypt file A with a
> passphrase
> that is in plaintext in file B? Better not to encrypt file A, your private
> key,
> in the first place, since you gain nothing in protection in the general
> case.
> Then you don't need passphrase entry anymore, the key will Just Work(TM).
>
> > 2. preset passphrase as shown below :
> > C:\Program Files (x86)\GnuPG\bin>gpg-connect-agent --homedir
> C:\Users\XXX\Ap
> > pData\Roaming\gnupg "preset_passphrase B6938993903C4590B75FA651035A38
> 377BE10CD8
> > -1 53656324537465663123313233" /bye
> > OK
>
> preset_passphrase takes a *keygrip* not a *fingerprint*. You can find the
> keygrip as follows:
>
> $ gpg2 --with-keygrip -K 035A38377BE10CD8
>
> For my test key, it's as follows:
>
> sec   rsa2048/3E7F0306 2013-07-26 [SC] [expires: 2016-11-02]
>       Keygrip = BDAB81746D3696C48746896F4EA1670D312148C7
> uid         err Test extra UID
> uid         err Test more extra UID
> uid         err Testkey
> ssb   rsa2048/459A39FE 2014-01-09 [E] [expires: 2016-11-02]
>       Keygrip = 815F15F918ECF9922D4CF60D0ED5C03143746201
>
> If I want to prime the passphrase for decryption, I would use the keygrip
> 815F15F918ECF9922D4CF60D0ED5C03143746201. For the passphrase for signing,
> I
> would need the other keygrip instead.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>



-- 
############################
Thanks & Regards,
 Amitesh Mishra
Mobile: +1-248 497 4746
Home: +1-248 233 0593
###########################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161026/6c25c66e/attachment.html>

From m4rtntns at gmail.com  Wed Oct 26 22:21:48 2016
From: m4rtntns at gmail.com (Martin T)
Date: Wed, 26 Oct 2016 23:21:48 +0300
Subject: ways to ensure that GPG public key belongs to right person in
 business to business communication
Message-ID: <CAJx5YvGd3vXYnd4xyVh57_pD2tFYpxyKsmWDh7RaLzorcH=pVg@mail.gmail.com>

Hi,

let's say that Alice from company A and Bob from company B need to
exchange some private data with each other. Alice and Bob need to
encrypt data just that one time, they do not belong to web-of-trust,
but both company A and company B websites are trusted by certification
authority, secure and available only over TLS. This gives a first
option where both Alice and Bob ask their IT departments to publish
their public keys on the company website so Alice can get Bobs public
key over TLS from company B website and the other way around. Or when
for example website of company B is not trusted by CA, then Alice can
pick up the phone, call the customer-support of the company B and ask
for Bob and then ask Bob to send her an e-mail with a public key and
verify the fingerprint of the public key over a phone? Are there
better(easier to use or more secure) ways to ensure that GPG public
key belongs to right person in business to business communication?


thanks,
Martin


From dkg at fifthhorseman.net  Wed Oct 26 22:51:40 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 26 Oct 2016 16:51:40 -0400
Subject: ways to ensure that GPG public key belongs to right person in
 business to business communication
In-Reply-To: <CAJx5YvGd3vXYnd4xyVh57_pD2tFYpxyKsmWDh7RaLzorcH=pVg@mail.gmail.com>
References: <CAJx5YvGd3vXYnd4xyVh57_pD2tFYpxyKsmWDh7RaLzorcH=pVg@mail.gmail.com>
Message-ID: <87oa26esv7.fsf@alice.fifthhorseman.net>

Hi Martin--

On Wed 2016-10-26 16:21:48 -0400, Martin T wrote:

> let's say that Alice from company A and Bob from company B need to
> exchange some private data with each other. Alice and Bob need to
> encrypt data just that one time, they do not belong to web-of-trust,
> but both company A and company B websites are trusted by certification
> authority, secure and available only over TLS. This gives a first
> option where both Alice and Bob ask their IT departments to publish
> their public keys on the company website so Alice can get Bobs public
> key over TLS from company B website and the other way around. Or when
> for example website of company B is not trusted by CA, then Alice can
> pick up the phone, call the customer-support of the company B and ask
> for Bob and then ask Bob to send her an e-mail with a public key and
> verify the fingerprint of the public key over a phone? Are there
> better(easier to use or more secure) ways to ensure that GPG public
> key belongs to right person in business to business communication?

It depends on how much involvement you want the IT department to have.

There are a few more options:

 * if Alice and Bob can meet in person, they can give each other
   business cards with their fingerprints on them.  If this is how Alice
   finds Bob's e-mail address in the first place, this is a natural
   place to exchange cryptographic details as well.

 * the two companies could use WKD (web key directory), which is in its
   infancy, but is at least supported by GnuPG 2.1.x.

 * Alice and Bob could submit their keys to a third-party notary like
   Symantec's PGP Global Directory (if such a thing still exists)

 * Alice and Bob could publish their public keys in the public
   keyservers (e.g. gpg --send-key $FINGERPRINT) when they create their
   keys.  Then they could look each other up in the public keyservers;
   if Alice finds only one public key associated with Bob's e-mail
   address, she might just decide to assume it's the right one.

These all have slightly different security properties and failure modes,
which might have different value to Alice and Bob, depending on their
threat model and any other economic or logistical pressure they're
under.

      --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161026/0afb746e/attachment.sig>

From aheinecke at intevation.de  Thu Oct 27 17:33:45 2016
From: aheinecke at intevation.de (Andre Heinecke)
Date: Thu, 27 Oct 2016 17:33:45 +0200
Subject: Hosting a Web Key Directory
Message-ID: <5946421.vGOQITrRMC@esus>

Hi!

I just published how to host your own Web Key Directory on the gnupg blog.

Find below a plain text version of my blog entry
https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html

 Andre


1 Hosting a Web Key Directory
?????????????????????????????

  With the improvements in GnuPG for Key Discovery (see: [Key Discovery
  Made Simple]) you may want to provide the OpenPGP keys for your
  domain. The Web Key Service (WKS) describes a protocol for Mail
  Service Providers or large organisations to maintain a Web Key
  Directory (WKD) for their users.

  A Web Key Directory is a static collection of keys provided under well
  known URLs under your domain. This directory can also be manually
  generated without using the Web Key Service protocol.


  By providing a Web Key Directory other people (or their Mail Software)
  can obtain the OpenPGP keys for your domain with a simple query like:

  ?????
  ? $ gpg --auto-key-locate wkd --locate-keys <mail address>
  ?????

  In this note, I explain how to do that.


  Note: An updated version of this article may be available in the
  [GnuPG Wiki]


  [Key Discovery Made Simple]
  https://www.gnupg.org/blog/20160830-web-key-service.html

  [GnuPG Wiki]
  https://wiki.gnupg.org/WKD#Hosting%20a%20Web%20Key%20Directory


1.1 Requirements
????????????????

  ? A web server that provides https with a trusted certificate for your
    domain.
  ? A client machine with Python and PyME installed (debian package
    python-pyme)
  ? The script: [generate-openpgpkey-hu] (in the [Mercurial repository
    "wkd-tools"])


  [generate-openpgpkey-hu]
  https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu

  [Mercurial repository "wkd-tools"]
  https://hg.intevation.de/gnupg/wkd-tools/


1.2 Setup
?????????

  You can either export all the keys in your keyring that belong to a
  domain or provide an explicit keyring containing just those keys that
  you want to publish.

  The call:

  ?????
  ? $ ./generate-openpgpkey-hu example.com hu
  ?????


  Will create a directory called hu containing all the keys with user
  ids that include @example.com.

  If there are multiple valid keys for a user in your keyring this
  command will error out. In that case you can prepare a keyring with
  only the keys that you want to publish. For example:

  ?????
  ? $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
  ? >   gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
  ?????

  And then provide that keyring to generate-openpgpkey-hu:

  ?????
  ? ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
  ?????


1.3 Publishing
??????????????

  The hu directory has to be published on your server as

  ?????
  ? https://example.com/.well-known/openpgpkey/hu/
  ?????

  Create the directory structure and set the permissions accordingly.

  This example [Makefile] automates the hu directory generation and
  publishing. Edit the variables at the top of the makefile to set
  `RSYNC_TARGET' The `KEYRING' variable is optional and can be left
  empty.

  That's it. You can now test your setup by calling:

  ?????
  ? $ gpg --auto-key-locate wkd --locate-keys <mail address>
  ?????

  you should see something like this:

  ?????
  ? gpg: key AC12F94881D28CB7: public key "testuser10 at test.gnupg.org" imported
  ? gpg: Total number processed: 1
  ? gpg:               imported: 1
  ? gpg: automatically retrieved 'testuser10 at test.gnupg.org' via WKD
  ? pub   ed25519 2016-07-15 [SC]
  ?       5506894357DC548CC65B0BCFAC12F94881D28CB7
  ? uid           [ unknown] testuser10 at test.gnupg.org
  ? sub   cv25519 2016-07-15 [E]
  ?????


  [Makefile]
  https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example
-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998
Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20161027/30cfd0c8/attachment-0001.sig>

From vitruvio-42 at yandex.com  Thu Oct 27 19:10:07 2016
From: vitruvio-42 at yandex.com (MARCOS VITRUVIO BACCUS)
Date: Thu, 27 Oct 2016 20:10:07 +0300
Subject: small question...
Message-ID: <119281477588207@web17j.yandex.ru>

An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161027/3e835940/attachment.html>

From m4rtntns at gmail.com  Thu Oct 27 22:52:23 2016
From: m4rtntns at gmail.com (Martin T)
Date: Thu, 27 Oct 2016 23:52:23 +0300
Subject: ways to ensure that GPG public key belongs to right person in
 business to business communication
In-Reply-To: <87oa26esv7.fsf@alice.fifthhorseman.net>
References: <CAJx5YvGd3vXYnd4xyVh57_pD2tFYpxyKsmWDh7RaLzorcH=pVg@mail.gmail.com>
 <87oa26esv7.fsf@alice.fifthhorseman.net>
Message-ID: <CAJx5YvGfSggecJAf-N86+4=uzTs=q9+H8FFUh4dUtULc8Nw1-w@mail.gmail.com>

Hi,

thanks for reply! Unfortunately, Alice and Bob cannot meet in person
because of geographical distance. If they could, then this would
definitely be the best way to exchange public keys. I further
simplified my initial idea:

Alice from company A asks Bob from company B to send her Bobs public
key using an e-mail. Both Alice and Bob know each other e-mail
addresses because they have been in contact before during a project
which involves both company A and company B. Now when Alice receives
Bobs public key, she will send hers in return to same e-mail address
which she received the Bobs public key. Then she looks up the phone
number of the customer support department of company B from company B
official website and calls there and asks for Bob. Once she gets Bob
on the phone, she asks Bob to tell the fingerprint of his public key
and then Alice tells her public key fingerprint to Bob and asks Bob to
confirm that it matches.

I guess this provides reasonable security?


thanks,
Martin


On Wed, Oct 26, 2016 at 11:51 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> Hi Martin--
>
> On Wed 2016-10-26 16:21:48 -0400, Martin T wrote:
>
>> let's say that Alice from company A and Bob from company B need to
>> exchange some private data with each other. Alice and Bob need to
>> encrypt data just that one time, they do not belong to web-of-trust,
>> but both company A and company B websites are trusted by certification
>> authority, secure and available only over TLS. This gives a first
>> option where both Alice and Bob ask their IT departments to publish
>> their public keys on the company website so Alice can get Bobs public
>> key over TLS from company B website and the other way around. Or when
>> for example website of company B is not trusted by CA, then Alice can
>> pick up the phone, call the customer-support of the company B and ask
>> for Bob and then ask Bob to send her an e-mail with a public key and
>> verify the fingerprint of the public key over a phone? Are there
>> better(easier to use or more secure) ways to ensure that GPG public
>> key belongs to right person in business to business communication?
>
> It depends on how much involvement you want the IT department to have.
>
> There are a few more options:
>
>  * if Alice and Bob can meet in person, they can give each other
>    business cards with their fingerprints on them.  If this is how Alice
>    finds Bob's e-mail address in the first place, this is a natural
>    place to exchange cryptographic details as well.
>
>  * the two companies could use WKD (web key directory), which is in its
>    infancy, but is at least supported by GnuPG 2.1.x.
>
>  * Alice and Bob could submit their keys to a third-party notary like
>    Symantec's PGP Global Directory (if such a thing still exists)
>
>  * Alice and Bob could publish their public keys in the public
>    keyservers (e.g. gpg --send-key $FINGERPRINT) when they create their
>    keys.  Then they could look each other up in the public keyservers;
>    if Alice finds only one public key associated with Bob's e-mail
>    address, she might just decide to assume it's the right one.
>
> These all have slightly different security properties and failure modes,
> which might have different value to Alice and Bob, depending on their
> threat model and any other economic or logistical pressure they're
> under.
>
>       --dkg


From Daniel.Ranft at giepa.de  Fri Oct 28 10:50:47 2016
From: Daniel.Ranft at giepa.de (Daniel Ranft)
Date: Fri, 28 Oct 2016 10:50:47 +0200
Subject: Decrypting a non-mdc encrypted message results in Exitcode 0 but
 also in status DECRYPTION_FAILED
Message-ID: <1DC3C8C67280FB4C9A402CB6DB1358F51BCCB65A44@S2008SBS.intern.giepa.de>

Hi,

we have a customer that receives emails from totemomail. These messages are not MDC protected and therefore will cause a warning. Sadly this will (since GnuPG modern) also result in a DECRYPTION_FAILED status message, which we are parsing.

Is this intended like that? What should we parse instead?

Thanks,
Daniel Ranft
gpg4o developer

-- 
Verschl?sseln Sie Ihre E-Mails mit gpg4o f?r Outlook | Encrypt your email with gpg4o
Meinen PGP-Schl?ssel finden Sie auf hkp://pgp.mit.edu. Key-ID: B8DAE2A2
-------------------------------------------------------------------------------------------------------------------
Daniel Ranft
Softwareentwickler

Giegerich & Partner GmbH? 
Robert-Bosch-Stra?e 18 | D-63303 Dreieich
Tel. +49 6103 5881-50 |?Fax +49 6103 5881-49
daniel.ranft at giepa.de | http://www.giepa.de 

Gesch?ftsf?hrer: Dipl.-Ing. (TU) Hans-Joachim Giegerich
Amtsgericht Offenbach/Main | HRB 33236
-------------------------------------------------------------------------------------------------------------------

                   



From listofactor at mail.ru  Fri Oct 28 13:50:48 2016
From: listofactor at mail.ru (listo factor)
Date: Fri, 28 Oct 2016 11:50:48 +0000
Subject: self-decrypting message
In-Reply-To: <119281477588207@web17j.yandex.ru>
References: <119281477588207@web17j.yandex.ru>
Message-ID: <5b05a5c6-702f-5661-33b6-071c8c8caf11@mail.ru>

> ...Can I send an encrypted e-mail so that it decodes itself automatically once it reaches the recipient?

An e-mail message is just a piece of data; it is always a
computer program (i.e., a piece of software, not data) that
performs either encryption or decryption. It is therefore
not possible to construct a message that would somehow
"decrypt itself" upon arrival on ~any~ computer, but it is
possible to set up a program on a specific recipient's
computer to do that. Details would depend on the nature
of recipient's computer and software - specifically the
e-mail client program - used on it. This would of course
only make sense if the attacker has absolutely no access
to recipient's computer, not even via the network.


From dkg at fifthhorseman.net  Fri Oct 28 18:40:08 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 28 Oct 2016 12:40:08 -0400
Subject: web-based manpage version?
Message-ID: <87mvhobf6f.fsf@alice.fifthhorseman.net>

Hi all--

I just noticed (from interactions on IRC) that the web-based manual page
for GnuPG isn't clear about which version of GnuPG it documents:

     https://www.gnupg.org/documentation/manpage.html

I believe it's either from the "classic" or "stable" branch, but it
doesn't say so explicitly.  As a result, it documents things like
"--force-v3-sigs" even though the "modern" branch of GnuPG explicitly
says:

>        --force-v3-sigs
>        --no-force-v3-sigs
> 
>        --force-v4-certs
>        --no-force-v4-certs
>                These options are obsolete and have no effect since GnuPG 2.1.


How is the web-based manpage maintained?  Can we update it to contain
relevant information like the above option deprecation?

    --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161028/e9654a4f/attachment.sig>

From wk at gnupg.org  Fri Oct 28 21:09:55 2016
From: wk at gnupg.org (Werner Koch)
Date: Fri, 28 Oct 2016 21:09:55 +0200
Subject: web-based manpage version?
In-Reply-To: <87mvhobf6f.fsf@alice.fifthhorseman.net> (Daniel Kahn Gillmor's
 message of "Fri, 28 Oct 2016 12:40:08 -0400")
References: <87mvhobf6f.fsf@alice.fifthhorseman.net>
Message-ID: <87k2cs47ek.fsf@wheatstone.g10code.de>

On Fri, 28 Oct 2016 18:40, dkg at fifthhorseman.net said:

> How is the web-based manpage maintained?  Can we update it to contain
> relevant information like the above option deprecation?

Not really maintained.  Can you please open an issue that we create
that, and the other man pages, always from the latest released version?

Needs a bit of script but it is worth the work.  I think the current
version was once manually HTMLized (and later converted to org).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: </pipermail/attachments/20161028/316d8b8d/attachment.sig>

From ml.throttle at xoxy.net  Sat Oct 29 08:01:54 2016
From: ml.throttle at xoxy.net (Helmut Waitzmann)
Date: Sat, 29 Oct 2016 08:01:54 +0200
Subject: How to fold long lines in the gpg.conf file?
Message-ID: <87d1ijitg3.fsf@helmutwaitzmann.news.arcor.de>

Is there a way to fold long lines in the gpg.conf file?


From peter at digitalbrains.com  Sat Oct 29 14:21:10 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 29 Oct 2016 14:21:10 +0200
Subject: pinentry dialog
In-Reply-To: <CABUdgPAWufYQmF0fsfCbJo7jJbV_zCi8AEA+-R827xgxf4JC4Q@mail.gmail.com>
References: <CABUdgPCryLDVy+dVpp2s4Z4HwNc14bfOBq3iAQxSeJGveGKKyA@mail.gmail.com>
 <af7b2aee-c2ac-9768-8598-7b9e04f4d6d2@digitalbrains.com>
 <CABUdgPAWufYQmF0fsfCbJo7jJbV_zCi8AEA+-R827xgxf4JC4Q@mail.gmail.com>
Message-ID: <0d469410-5228-6042-b0f9-1cfa23232c13@digitalbrains.com>

On 26/10/16 19:57, Amitesh Mishra wrote:
> If i remove the pinentry parameter, the same password works fine. Any
> suggestions on that ?

I just used

$ echo test | gpg2 --no-tty --batch --pinentry-mode loopback --passphrase-fd 0
-o test.out --yes -d test.gpg

as a variation on the precise invocation you provided, and it worked fine; under
Linux. And yes, the passphrase for the key is the word test.

Are you completely sure that the command correctly accesses the file "abc123$$$"
in your current directory when invoked, and that the password in that file is
correct? If so, all I can think of is line endings. DOS files end in CR LF where
most Unix-like systems end lines in just LF. Sure enough:

-------------------------8<------------->8-------------------------
$ cat test-crlf.txt | gpg2 --no-tty --batch --pinentry-mode loopback
--passphrase-fd 0 -o test.out --yes -d test.gpg
gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09
      "Test extra UID"
gpg: public key decryption failed: Bad passphrase
gpg: decryption failed: No secret key
-------------------------8<------------->8-------------------------

Here I made the text file have DOS line endings. On Linux, it's not very
surprising, but maybe gpg also wants just an LF as a line end on DOS/Windows. It
works for me with either LF or no line end:

-------------------------8<------------->8-------------------------
$ hd test-lf.txt
00000000  74 65 73 74 0a                                    |test.|
00000005
$ hd test-noend.txt
00000000  74 65 73 74                                       |test|
00000004
$ hd test-crlf.txt
00000000  74 65 73 74 0d 0a                                 |test..|
00000006
$ cat test-lf.txt | gpg2 --no-tty --batch --pinentry-mode loopback
--passphrase-fd 0 -o test.out --yes -d test.gpg
gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09
      "Test extra UID"
$ gpgconf --reload gpg-agent
$ cat test-noend.txt | gpg2 --no-tty --batch --pinentry-mode loopback
--passphrase-fd 0 -o test.out --yes -d test.gpg
gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09
      "Test extra UID"
$ gpgconf --reload gpg-agent
$ cat test-crlf.txt | gpg2 --no-tty --batch --pinentry-mode loopback
--passphrase-fd 0 -o test.out --yes -d test.gpg
gpg: encrypted with 2048-bit RSA key, ID 459A39FE, created 2014-01-09
      "Test extra UID"
gpg: public key decryption failed: Bad passphrase
gpg: decryption failed: No secret key
-------------------------8<------------->8-------------------------

Since my agent caches passphrases, I need to flush the cache in between each
invocation or the results would make no sense.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


From wk at gnupg.org  Sun Oct 30 11:49:48 2016
From: wk at gnupg.org (Werner Koch)
Date: Sun, 30 Oct 2016 11:49:48 +0100
Subject: How to fold long lines in the gpg.conf file?
In-Reply-To: <87d1ijitg3.fsf@helmutwaitzmann.news.arcor.de> (Helmut
 Waitzmann's message of "Sat, 29 Oct 2016 08:01:54 +0200")
References: <87d1ijitg3.fsf@helmutwaitzmann.news.arcor.de>
Message-ID: <87eg2y2jsj.fsf@wheatstone.g10code.de>

On Sat, 29 Oct 2016 08:01, ml.throttle at xoxy.net said:
> Is there a way to fold long lines in the gpg.conf file?

No.  However there is no limit on the length of a line.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: not available
URL: </pipermail/attachments/20161030/8d0aa126/attachment.sig>

From dkg at fifthhorseman.net  Sun Oct 30 20:20:11 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 30 Oct 2016 15:20:11 -0400
Subject: web-based manpage version?
In-Reply-To: <87k2cs47ek.fsf@wheatstone.g10code.de>
References: <87mvhobf6f.fsf@alice.fifthhorseman.net>
 <87k2cs47ek.fsf@wheatstone.g10code.de>
Message-ID: <87eg2xabkk.fsf@alice.fifthhorseman.net>

On Fri 2016-10-28 15:09:55 -0400, Werner Koch wrote:
> On Fri, 28 Oct 2016 18:40, dkg at fifthhorseman.net said:
>
>> How is the web-based manpage maintained?  Can we update it to contain
>> relevant information like the above option deprecation?
>
> Not really maintained.  Can you please open an issue that we create
> that, and the other man pages, always from the latest released version?

Sure, here you go:

    https://bugs.gnupg.org/gnupg/issue2823

It would be great to make this happen automatically at each release.

Thanks,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: </pipermail/attachments/20161030/2d06f581/attachment.sig>

From mpiaser at novexsystems.com  Sun Oct 30 21:23:08 2016
From: mpiaser at novexsystems.com (Michael Piaser)
Date: Sun, 30 Oct 2016 20:23:08 +0000
Subject: GNU Privacy Assistance Signing help
Message-ID: <574EE815C9292A489763C5E06EAA700B1D2D60FC@SBS2011.novex.local>

I'm hoping somebody can give me an idea of what I'm doing wrong.  I can't get any of the keys to show up in the Sign As box.  I had a key there yesterday (and have been encrypting and signing with that key for two years).  Today I'm trying to implement a new key and I deleted the old key.    The key says it can be used for signing but I can't get it in the Sign As box.  Please email me your ideas at mpiaser at novexsystems.com<mailto:mpiaser at novexsystems.com>

Thanks in Advance

[cid:image003.jpg at 01D232C9.E0D64600][cid:image004.jpg at 01D232C9.E0D64600]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20161030/4aa0237f/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 80527 bytes
Desc: image003.jpg
URL: </pipermail/attachments/20161030/4aa0237f/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.jpg
Type: image/jpeg
Size: 44998 bytes
Desc: image004.jpg
URL: </pipermail/attachments/20161030/4aa0237f/attachment-0003.jpg>

From peter at digitalbrains.com  Mon Oct 31 11:20:31 2016
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 31 Oct 2016 11:20:31 +0100
Subject: GNU Privacy Assistance Signing help
In-Reply-To: <574EE815C9292A489763C5E06EAA700B1D2D60FC@SBS2011.novex.local>
References: <574EE815C9292A489763C5E06EAA700B1D2D60FC@SBS2011.novex.local>
Message-ID: <986e139f-cc9c-851b-56c5-9434d73d708a@digitalbrains.com>

The key manager at the bottom says
"The key has only a public part"
so you can't sign or decrypt with it, as that needs the secret part.

If you exported and then imported this key, you should export the secret
part as well. Usually, you only export public keys, so it's a different
procedure for secret keys.

I could fire up a different computer that has GPA installed and try to
see what you should do, but perhaps you can figure it out with just this
hint, so I'll leave it at this first. Do ask for more information if you
can't figure it out.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>