From mac3iii at gmail.com  Wed Nov  1 01:10:45 2017
From: mac3iii at gmail.com (murphy)
Date: Tue, 31 Oct 2017 20:10:45 -0400
Subject: GnuPG public key vulnerability?
Message-ID: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>

I got a signed notification from facebook (good signature, enigmail)
that claims my GnuPG generated public key has a "recently disclosed
vulnerability".? This is the full text:

We have detected that the OpenPGP key on your Facebook profile may be
susceptible to attacks due to a recently disclosed vulnerability.? We
recommend that you revoke and replace your public key immediately to
minimize the risk to your encrypted communications.? You can update your
public key by visiting your Security and Login settings.? To help reduce
the risk of your key being attacked, we have set the privacy of your
potentially vulnerable public key on your profile to "Only Me" to limit
further distribution.? We will continue to encrypt your notification
emails using this OpenPGP public key.

This is doubly weird since the private/public key was generated on a
Yubikey-4 nano and it is safe at home.? Does anyone know what this may
be about?

Facebook public key (it is valid, see:
https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/):

pub?? rsa4096 2015-05-17 [SC] [expires: 2018-05-17]
???????? 31A70953D8D590BA1FAB37762F3898CEDEE958CF
uid?????????? [? full? ] Facebook, Inc.
sub?? rsa4096 2017-07-24 [S] [expires: 2018-02-19]

My public key is uploaded to keyservers and is:

pub?? rsa4096 2016-10-17 [SC] [expires: 2018-10-17]
???????? D89A29A3E1DA59DFBF516EA73E450D1BCF78C26B
uid?????????? [ultimate] orange
uid?????????? [ultimate] Murphy Chesney (facebook communication)
<mac3iii at gmail.com>
sub?? rsa4096 2016-10-17 [A] [expires: 2018-10-17]
sub?? rsa2048 2016-10-17 [E] [expires: 2018-10-17]

Murphy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171031/c50886ed/attachment.sig>

From frase at frase.id.au  Wed Nov  1 03:00:36 2017
From: frase at frase.id.au (Fraser Tweedale)
Date: Wed, 1 Nov 2017 12:00:36 +1000
Subject: GnuPG public key vulnerability?
In-Reply-To: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>
References: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>
Message-ID: <20171101020034.GG1295@bacardi.hollandpark.frase.id.au>

On Tue, Oct 31, 2017 at 08:10:45PM -0400, murphy wrote:
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability".? This is the full text:
> 
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability.? We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications.? You can update your
> public key by visiting your Security and Login settings.? To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution.? We will continue to encrypt your notification
> emails using this OpenPGP public key.
> 
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home.? Does anyone know what this may
> be about?
> 
Some versions of the YubiKey 4 were affected by the ROCA
vulnerability, which caused weak keys to be generated.

https://www.yubico.com/support/security-advisories/ysa-2017-01/
https://crocs.fi.muni.cz/public/papers/rsa_ccs17

I would say that is what the email is about.

Cheers,
Fraser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171101/d18e889f/attachment.sig>

From fulanoperez at cryptolab.net  Wed Nov  1 05:34:43 2017
From: fulanoperez at cryptolab.net (Fulano Diego Perez)
Date: Wed, 1 Nov 2017 15:34:43 +1100
Subject: permission denied searching keys WAS: [gpg 2.2.x devuan jessie no
 TOFU TLS]
In-Reply-To: <417718a0-a866-9fc0-0057-efb93b15d435@cryptolab.net>
References: <7bd82df4-b18c-8734-3251-bbb7eaba2bf4@cryptolab.net>
 <87mv4c4zgt.fsf@wheatstone.g10code.de>
 <417718a0-a866-9fc0-0057-efb93b15d435@cryptolab.net>
Message-ID: <b1ffbf7c-5084-b484-a0eb-cad3f4cfb1c0@cryptolab.net>

later:

im not sure what to do now

most functionality seems ok except for searching/importing keys from
keyservers

i can see my local pub/pri keyrings

Fulano Diego Perez:
> 
> 
> Werner Koch:
>> On Thu, 26 Oct 2017 16:00, fulanoperez at cryptolab.net said:
>>
>>> checking for LIBGNUTLS... no
>>
>> The minimal requirement is GNUTLS 3.0 - please check that you have the
>> 3.x -dev package installed.  You should also consult config.log to check
>> why GNUTLS was not found.
>>
>>
>> Salam-Shalom,
>>
>>    Werner
> 
> installing pkg-config found them !

$ gpg -vvv --keyserver jirk5u4osbsr34t5.onion --search-keys sexypgp
gpg: using character set 'utf-8'
gpg: error searching keyserver: Operation not permitted
gpg: keyserver search failed: Operation not permitted

$ gpgconf --check-programs
gpg:OpenPGP:/usr/local/bin/gpg:1:1:
gpg-agent:Private Keys:/usr/local/bin/gpg-agent:1:1:
scdaemon:Smartcards:/usr/local/libexec/scdaemon:1:1:
gpgsm:S/MIME:/usr/local/bin/gpgsm:1:1:
dirmngr:Network:/usr/local/bin/dirmngr:1:1:
pinentry:Passphrase Entry:/usr/local/bin/pinentry:1:1:

$ ls -la /usr/local/bin/
drwxrwsr-x  2 root staff    4096 Oct 30 17:39 .
drwxrwsr-x 11 root staff    4096 Oct 28 02:12 ..
lrwxrwxrwx  1 root staff       3 Oct 26 00:02 captoinfo -> tic
-rwxr-xr-x  1 root staff   90200 Oct 26 00:02 clear
-rwxr-xr-x  1 root staff 2407640 Oct 30 17:39 dirmngr
-rwxr-xr-x  1 root staff  481760 Oct 30 17:39 dirmngr-client
-rwxr-xr-x  1 root staff   34744 Oct 25 23:45 dumpsexp
-rwxr-xr-x  1 root staff 4216344 Oct 30 17:39 gpg
-rwxr-xr-x  1 root staff 1667432 Oct 30 17:39 gpg-agent
-rwxr-xr-x  1 root staff  591960 Oct 30 17:39 gpgconf
-rwxr-xr-x  1 root staff  674176 Oct 30 17:39 gpg-connect-agent
-rwxr-xr-x  1 root staff   81640 Oct 25 23:11 gpg-error
-rwxr-xr-x  1 root staff    2201 Oct 25 23:11 gpg-error-config
-rwxr-xr-x  1 root staff   92800 Oct 30 17:39 gpgparsemail
-rwxr-xr-x  1 root staff  837064 Oct 30 17:39 gpgscm
-rwxr-xr-x  1 root staff 2163056 Oct 30 17:39 gpgsm
-rwxr-xr-x  1 root staff  671016 Oct 30 17:39 gpgtar
-rwxr-xr-x  1 root staff 2053392 Oct 30 17:39 gpgv
-rwxr-xr-x  1 root staff   43720 Oct 25 23:45 hmac256
-rwxr-xr-x  1 root staff  234984 Oct 26 00:02 infocmp
lrwxrwxrwx  1 root staff       3 Oct 26 00:02 infotocap -> tic
-rwxr-xr-x  1 root staff  799952 Oct 30 17:39 kbxutil
-rwxr-xr-x  1 root staff    2647 Oct 25 23:47 ksba-config
-rwxr-xr-x  1 root staff    2522 Oct 25 23:48 libassuan-config
-rwxr-xr-x  1 root staff    4003 Oct 25 23:45 libgcrypt-config
-rwxr-xr-x  1 root staff   51256 Oct 25 23:45 mpicalc
-rwxr-xr-x  1 root staff    6016 Oct 26 00:02 ncurses6-config
-rwxr-xr-x  1 root staff    3108 Oct 25 22:58 npth-config
lrwxrwxrwx  1 root staff      14 Oct 30 17:32 pinentry -> pinentry-gtk-2
-rwxr-xr-x  1 root staff  466328 Oct 30 17:32 pinentry-curses
-rwxr-xr-x  1 root staff  556120 Oct 30 17:32 pinentry-gtk-2
lrwxrwxrwx  1 root staff       4 Oct 26 00:02 reset -> tset
-rwxr-xr-x  1 root staff  107384 Oct 26 00:02 tabs
-rwxr-xr-x  1 root staff  265896 Oct 26 00:02 tic
-rwxr-xr-x  1 root staff  161352 Oct 26 00:02 toe
-rwxr-xr-x  1 root staff  107872 Oct 26 00:02 tput
-rwxr-xr-x  1 root staff   96184 Oct 26 00:02 tset
-rwxr-xr-x  1 root staff   41248 Oct 30 17:39 watchgnupg

dirmngr.conf:

use-tor
keyserver hkp://jirk5u4osbsr34t5.onion


any advice to proceed ?





From gnupg at jmillican.co.uk  Wed Nov  1 04:05:17 2017
From: gnupg at jmillican.co.uk (Jonathan Millican)
Date: Wed, 1 Nov 2017 03:05:17 +0000
Subject: GnuPG public key vulnerability?
In-Reply-To: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>
References: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>
Message-ID: <CAODjCxdcM723spA8QufKvbSORtsgpMnzFCFYjkPGg=mYU-_mpQ@mail.gmail.com>

Hi Murphy,

This email refers to the ROCA vulnerability (https://crocs.fi.muni.cz/
public/papers/rsa_ccs17), which affects a number of hardware devices
including some versions of the Yubikey 4-nano (https://www.yubico.com/
keycheck/). I believe Yubico are offering to replace affected Yubikeys.

One aspect of this vulnerability is that RSA public keys can be very easily
checked to determine if they are vulnerable - so at Facebook, we checked
the public keys that have been uploaded to people's profiles, and notified
people whose keys are affected. Unfortunately it seems like you were one of
the unlucky ones! Details here: https://www.facebook.com/
protectthegraph/posts/1954548564785285.

Hope that helps,
Jon

On 1 November 2017 at 00:10, murphy <mac3iii at gmail.com> wrote:

> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability".  This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability.  We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications.  You can update your
> public key by visiting your Security and Login settings.  To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution.  We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home.  Does anyone know what this may
> be about?
>
> Facebook public key (it is valid, see:
> https://www.facebook.com/notes/protect-the-graph/
> securing-email-communications-from-facebook/1611941762379302/):
>
> pub   rsa4096 2015-05-17 [SC] [expires: 2018-05-17]
>          31A70953D8D590BA1FAB37762F3898CEDEE958CF
> uid           [  full  ] Facebook, Inc.
> sub   rsa4096 2017-07-24 [S] [expires: 2018-02-19]
>
> My public key is uploaded to keyservers and is:
>
> pub   rsa4096 2016-10-17 [SC] [expires: 2018-10-17]
>          D89A29A3E1DA59DFBF516EA73E450D1BCF78C26B
> uid           [ultimate] orange
> uid           [ultimate] Murphy Chesney (facebook communication)
> <mac3iii at gmail.com>
> sub   rsa4096 2016-10-17 [A] [expires: 2018-10-17]
> sub   rsa2048 2016-10-17 [E] [expires: 2018-10-17]
>
> Murphy
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171101/ce91e75f/attachment.html>

From fulanoperez at cryptolab.net  Wed Nov  1 05:46:16 2017
From: fulanoperez at cryptolab.net (Fulano Diego Perez)
Date: Wed, 1 Nov 2017 15:46:16 +1100
Subject: devuan jessie gpg 2.2.x thunderbird/apparmor/enigmail rules
Message-ID: <278504ce-d74d-dc08-fa7c-e141b3b8a017@cryptolab.net>


any suggestions to complete apparmor rules to enable all functionality
for a /usr/local gpg install with thunderbird/gpg/enigmail ?

currently appended rules below to the default thunderbird profile allow
mostly all functionality except i cannot enable the commented out rules
otherwise enigmail does not detect gnupg and fails to start

as soon i comment out, enigmail fails...

i think my previous email with problems with dirmngr could be related
and if those are debugged, could help here

below allows most thunderbird/enigmail functionality except importing
keyserver keys

/etc/apparmor.d/local/usr.bin.thunderbird:

/usr/local/bin/gpg               Cx -> gpg,
/usr/local/bin/gpg-error         Cx -> gpg,
#/usr/local/bin/dirmngr           Cx -> gpg,
/usr/local/bin/gpg-agent         Cx -> gpg,
/usr/local/bin/gpgconf           Cx -> gpg,
/usr/local/bin/gpg-connect-agent Cx -> gpg,

#/proc/**/fd/ r,
owner @{HOME}/.gnupg/tofu.db rwk,
#owner @{HOME}/.gnupg/tofu.db-journal rwk,
/usr/local/bin/gpg mr,
/usr/local/bin/gpg-error mr,
#/usr/local/bin/dirmngr mr,
/usr/local/bin/gpg-agent mr,
/usr/local/bin/gpgconf mr,
/usr/local/bin/gpg-connect-agent mr,
/usr/lib/gnupg/gpgkeys_* ix,

/usr/local/lib/** mr,

this profile still logs below possible problems:

[51155.130813] audit: type=1400 audit(1509507779.968:128572837):
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51155.139191] audit: type=1400 audit(1509507779.976:128572838):
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51161.198110] audit: type=1400 audit(1509507786.040:128572839):
apparmor="DENIED" operation="open" profile="thunderbird//gpg"
name="/proc/20077/fd/" pid=20077 comm="gpg" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[51161.198390] audit: type=1400 audit(1509507786.040:128572840):
apparmor="DENIED" operation="exec" profile="thunderbird//gpg"
name="/usr/local/bin/dirmngr" pid=20077 comm="gpg" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
[51177.540706] audit: type=1400 audit(1509507802.392:128572841):
apparmor="DENIED" operation="open" profile="thunderbird//gpg"
name="/proc/20080/fd/" pid=20080 comm="gpg" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[51177.541002] audit: type=1400 audit(1509507802.392:128572842):
apparmor="DENIED" operation="exec" profile="thunderbird//gpg"
name="/usr/local/bin/dirmngr" pid=20080 comm="gpg" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0







From dshaw at jabberwocky.com  Wed Nov  1 04:29:24 2017
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 31 Oct 2017 23:29:24 -0400
Subject: GnuPG public key vulnerability?
In-Reply-To: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>
References: <d365a8dd-ecb0-cadc-024d-da7db6860a38@gmail.com>
Message-ID: <59E0B283-D1CA-47E0-9E35-BA0F50C5514F@jabberwocky.com>

On Oct 31, 2017, at 8:10 PM, murphy <mac3iii at gmail.com> wrote:
> 
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability".  This is the full text:
> 
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability.  We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications.  You can update your
> public key by visiting your Security and Login settings.  To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution.  We will continue to encrypt your notification
> emails using this OpenPGP public key.
> 
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home.  Does anyone know what this may
> be about?

Yes.

Recently, a flaw in the firmware for some Infineon hardware crypto was found.  RSA keys that were generated with this faulty firmware are not nearly as strong as their key length would imply.

You mention a Yubikey 4 nano, and unfortunately, that is one of the devices that used Infineon components.  In the case of a Yubikey and OpenPGP, if you generate the key *on* a vulnerable Yubikey, you may have a problem.  If you generate the OpenPGP key elsewhere and *import* the key to your Yubikey, you are not affected.

The Yubico people have a site up to check your device serial number to see if it is vulnerable and are offering a replacement program.  See https://www.yubico.com/keycheck/

There has been some discussion of the implications of this vulnerability on this list.  Search the list archives for "ROCA" to see more.

The original paper is at https://crocs.fi.muni.cz/public/papers/rsa_ccs17

David



From johan.ho at gmail.com  Wed Nov  1 10:52:43 2017
From: johan.ho at gmail.com (Johan Ho)
Date: Wed, 1 Nov 2017 10:52:43 +0100
Subject: cryptnet.net (which hosts "GnuPG Keysigning Party HOWTO") down?
Message-ID: <5c717194-66f5-a003-aabe-b44ae01d3766@gmail.com>

I tried to look up the "keysigning party howto" on the GnuPG website 
(https://gnupg.org/documentation/howtos.html), but apparently 
www.cryptnet.net is down (ERR_CONNECTION_REFUSED) so most of the 
language links there don't work.

I tried a few days ago and today, but it still doesn't work.

Anyone know the status of that server and whether it might get fixed?

Johan Ho


From kloecker at kde.org  Wed Nov  1 22:37:44 2017
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Wed, 01 Nov 2017 22:37:44 +0100
Subject: cryptnet.net (which hosts "GnuPG Keysigning Party HOWTO") down?
In-Reply-To: <5c717194-66f5-a003-aabe-b44ae01d3766@gmail.com>
References: <5c717194-66f5-a003-aabe-b44ae01d3766@gmail.com>
Message-ID: <2228562.iyPU8pELWJ@thufir>

On Mittwoch, 1. November 2017 10:52:43 CET Johan Ho wrote:
> I tried to look up the "keysigning party howto" on the GnuPG website
> (https://gnupg.org/documentation/howtos.html), but apparently
> www.cryptnet.net is down (ERR_CONNECTION_REFUSED) so most of the
> language links there don't work.
> 
> I tried a few days ago and today, but it still doesn't work.

Luckily, there's archive.org and it has archived the howto:
https://web.archive.org/web/*/www.cryptnet.net/fdp/crypto/keysigning_party/en/
keysigning_party.html


Regards,
Ingo



From ramsdenj at riseup.net  Thu Nov  2 03:55:07 2017
From: ramsdenj at riseup.net (John Ramsden)
Date: Wed, 01 Nov 2017 19:55:07 -0700
Subject: GPG Subkey decryption
Message-ID: <1509591307.4120812.1158843272.2D704309@riseup.net>

I think I may be misunderstanding how I'm supposed to be decrypting with
a subkey. From what I thought, the public key should be the same on a
subkey as it is on a primary key. I see the same public key when I list
them on my machine which stores the primary key and the machine that
stores the subkey.

I want to send a message to the public key and be able to decrypt it on
any machine where I have any subkey of the primary key. I'm encrypting
from my primary key and using my public key from the same key as the
recipient. Do I have to define multiple recipients based on all the
subkeys? If so where do I find the public key for these subkeys that are
supposed to be the recipient?

When I'm on the machine that holds the sub key and I attempt to decrypt
I get the message:

> gpg: decryption failed: No secret key

-- 
  John


From thomas at glanzmann.de  Thu Nov  2 14:41:23 2017
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Thu, 2 Nov 2017 14:41:23 +0100
Subject: Decrypt RSA encrypted secret by using gpg authentication key stored
 on yubikey
Message-ID: <20171102134123.GA4753@glanzmann.de>

Hello,
I have a yubikey that I use as gpg smartcard. On that yubikey I have an
authentication subkey. I uploaded the pubkey to AWS cloud. When I create
a Windows instance they use that pubkey to encrypt a password using RSA
to my privkey. Since my privkey is stored on the smartcard, I can't use
openssl to decrypt it.

So I'm looking of the equivalent of:

base64 -d /tmp/file | openssl rsautl -decrypt -inkey /path/to/aws/private/key.pem

Only that my key is not on the file system but the authentication key
stored on my gpg card.

Cheers,
        Thomas

References:
https://docs.aws.amazon.com/cli/latest/reference/ec2/get-password-data.html#examples
https://serverfault.com/questions/603984/windows-password-wont-decrypt-on-aws-ec2-even-with-the-correct-private-key


From psusi at ubuntu.com  Thu Nov  2 16:58:08 2017
From: psusi at ubuntu.com (Phil Susi)
Date: Thu, 2 Nov 2017 11:58:08 -0400
Subject: Why does import refuse to merge a new subkey?
Message-ID: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>

Whenever my subkeys expire and I have to generate a new one, I try to
import the keys on my less secure machines and gpg stupidly refuses to
update the already existing key with the new subkey.  I have to delete
the key, then import to get the new subkey into the keyring.  Why is this?



From rehevkor5 at gmail.com  Thu Nov  2 18:56:21 2017
From: rehevkor5 at gmail.com (Shannon C)
Date: Thu, 2 Nov 2017 12:56:21 -0500
Subject: GnuPG public key vulnerability?
Message-ID: <CAHiwhzJgOUJdPqm1AjLmoHCHUz+vCOZQ4sXz6FsPsWHFHXk+hA@mail.gmail.com>

>
> so at Facebook, we checked
> the public keys that have been uploaded to people's profiles, and notified
> people whose keys are affected


 Jon,

FYI your detection logic seems a bit overzealous, because (last time I
checked) it detects revoked ROCA-vulnerable subkeys as making the whole
public key unacceptable, even if the private key is not affected by ROCA.
According to the responses on this thread
https://lists.gnupg.org/pipermail/gnupg-users/2017-October/059417.html
ROCA-affected subkeys have no effect on the validity of the private key or
other subkeys, so if they're revoked everything should be ok.

Rejecting public keys in this way is problematic for two reasons I can
think of:
1. It confuses people because it implies that there's something wrong with
your whole key even though the problem is only with a subkey. And it
implies that revoking the subkey doesn't solve the problem.
2. It will force people to do extra work to remove their subkeys before
exporting their public key for upload to Facebook. This is annoying to do
and might lead to people deleting their subkeys from their local keyring
permanently, which is probably a bad idea.

I'm not certain, but I think keybase might be getting this wrong too.

-Shannon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171102/37d6629f/attachment.html>

From peter at digitalbrains.com  Thu Nov  2 20:04:31 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 2 Nov 2017 20:04:31 +0100
Subject: Why does import refuse to merge a new subkey?
In-Reply-To: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>
References: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>
Message-ID: <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>

On 02/11/17 16:58, Phil Susi wrote:
> Why is this?

What version of GnuPG is this? It's a well-known limitation of GnuPG 1.4
and 2.0, but my 2.1.18 allows me to add secret subkeys through --import.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171102/5f5092cc/attachment-0001.sig>

From psusi at ubuntu.com  Thu Nov  2 20:37:08 2017
From: psusi at ubuntu.com (Phil Susi)
Date: Thu, 2 Nov 2017 15:37:08 -0400
Subject: Why does import refuse to merge a new subkey?
In-Reply-To: <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>
References: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>
 <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>
Message-ID: <4a527e99-68b4-aad1-eb46-9d4fc6aa3781@ubuntu.com>

On 11/2/2017 3:04 PM, Peter Lebbing wrote:
> On 02/11/17 16:58, Phil Susi wrote:
>> Why is this?
> 
> What version of GnuPG is this? It's a well-known limitation of GnuPG 1.4
> and 2.0, but my 2.1.18 allows me to add secret subkeys through --import.

Looks like I've still got 1.4.20 on one machine ( when I usually forget
to run gpg2 instead of just gpg ) but 2.0.28 on another also did it I'm
pretty sure.  I guess I'll try again and make sure to use a recent gpg2.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171102/1cbccd54/attachment.sig>

From peter at digitalbrains.com  Thu Nov  2 20:46:29 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 2 Nov 2017 20:46:29 +0100
Subject: Why does import refuse to merge a new subkey?
In-Reply-To: <4a527e99-68b4-aad1-eb46-9d4fc6aa3781@ubuntu.com>
References: <8859b47c-2806-b2ba-60f0-3f2e41296fd7@ubuntu.com>
 <242715eb-b340-08b3-2bef-62715fe89891@digitalbrains.com>
 <4a527e99-68b4-aad1-eb46-9d4fc6aa3781@ubuntu.com>
Message-ID: <0cc28025-407d-dcc5-691f-2e97cec9e344@digitalbrains.com>

On 02/11/17 20:37, Phil Susi wrote:
> [..] but 2.0.28 on another also did it I'm pretty sure.

Yes, I'm pretty sure of that as well. 2.0 can't update secret keys; it
was introduced with 2.1 or somewhere during 2.1.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171102/d23d9724/attachment.sig>

From 2017-r3sgs86x8e-lists-groups at riseup.net  Fri Nov  3 01:16:48 2017
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Fri, 3 Nov 2017 00:16:48 +0000
Subject: GPG Subkey decryption
In-Reply-To: <1509591307.4120812.1158843272.2D704309@riseup.net>
References: <1509591307.4120812.1158843272.2D704309@riseup.net>
Message-ID: <797795066.20171103001648@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512



On Thursday 2 November 2017 at 2:55:07 AM, in
<mid:1509591307.4120812.1158843272.2D704309 at riseup.net>, John Ramsden
wrote:-


> I think I may be misunderstanding how I'm supposed to
> be decrypting with
> a subkey. From what I thought, the public key should
> be the same on a
> subkey as it is on a primary key. I see the same
> public key when I list
> them on my machine which stores the primary key and
> the machine that
> stores the subkey.

You possibly mean you see the same user-id?

The primary key is a public key with a corresponding private key. Each
subkey is a public key with a corresponding private key. Each subkey
is bound to the primary key by a key binding signature



> I want to send a message to the public key and be
> able to decrypt it on
> any machine where I have any subkey of the primary
> key. I'm encrypting
> from my primary key and using my public key from the
> same key as the
> recipient. Do I have to define multiple recipients
> based on all the
> subkeys? If so where do I find the public key for
> these subkeys that are
> supposed to be the recipient?

GnuPG usually encrypts to the newest available encryption-capable
subkey. Or to the primary key if it is encryption-capable and there
are no encryption-capable subkeys. If you wish to specify the primary
key or a specific subkey you can list as a recipient the (sub)key-id
followed by an exclamation mark.

Something like gpg -ear 0x1CAC08E8DEFAFDFE! -r  0xEAC88A2823F99DEC!



- --
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

Hard work never killed anyone, but why take a risk?
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWfu1cl8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+nYcAP0RoVdNwIbIQIyasmZ7l5Kv5lCZ2ytWFmAfVH08H+JwqgD/fvMS6No8GHAo
rNxeuIfAsdQhxbQBRjFcA2tXZOm+4Q6JApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWfu1cl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/yLDEACp7Io19utgvWKkOgGAMO1PDqDf
eE4vUs5D1pUs1E15W7ks0JUz5PDseakeYmSixGXw+wY769EE/vapmhOR7KG/AGRI
4NSuvkOZRdlDpDoownT5gFWBpdbw8kWWSBCdp4AdW9Ao8rwsTuwycyu5YvtIk6V0
6zDHfYEb2AfSgD7x6APHaPT7JqdLqHWlOJNKGRyd0EmSWm0S22lr2DIBEkq4oDOm
OO1FFBllFCsHqMtRiFxQjHT5pSItBpgbJMmb3y8kLn73yoCGFxzzQeUxGeNbvQI6
J05bkug7nmWRFdYCfEBgoGd3Z9yIaPubglSeafkQa+aVi6NUfsWcSU4DxyP1zVw6
WUMIKmu6MXOktJb4w8MQNFgg3eEtHTIwX/ZNLreY5MfckyKTj/teTC8+7cuSZsJy
sSueVQQYb1AtjM7w/yqo+5UuGWIVRPYp2GLctYy2kSboBr1t0+WNUsnmaXFzp4au
K+NZzzSUxWrzCOLSytPmeOh4B1bGGpwP7kxqSEYSiMLzguNao1qnMHCWMSHmA/dg
gKcZIYMQdXrIv7ujYzJo3TQyQvX66OuU4xf0AnnH+OgckWX06d3QhnnxQNeCaW0q
465Gic8CqHug1PEKhP40L0otbMi3G6Tfzk9rhJ5ojDhHDjwXiDP/+pg9bjwVOCYK
/m57uaSJyoWcpjmXvA==
=S6D+
-----END PGP SIGNATURE-----



From robbat2 at gentoo.org  Fri Nov  3 06:20:21 2017
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Fri, 3 Nov 2017 05:20:21 +0000
Subject: Efficent batch fetching with verification?
Message-ID: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>

What's a reasonably efficient way to fetch a lot of keys, by
fingerprint, from keyserver pools with HKPS?

Presently, the code is effectively this:
...cat-list-of-fingerprints... | xargs gpg --recv

This has the downside of causing many execs.

As an alternate, it was suggested that I could do manual HTTP fetches
for each of the fingerprints, then verify the keyserver returned only
the correct keys. This however, still runs into the problem of calling
gpg many times.

gpgme does an exec behind the scenes, for each call, so I'm wondering
what other solutions are out there.

Most useful would be feeding a list of fingerprints to
--recv via a file descriptor, or feeding entire commands to a 
long-running GPG instance (but Assuan doesn't support RECV).

The Assuan part echos a much older request of mine, that more operations
should be available via Assuan, to efficiently sign or verify many
files.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2 at gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1113 bytes
Desc: Digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171103/21a55e15/attachment.sig>

From peter at digitalbrains.com  Fri Nov  3 12:50:06 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 3 Nov 2017 12:50:06 +0100
Subject: Efficent batch fetching with verification?
In-Reply-To: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
References: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
Message-ID: <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>

On 03/11/17 06:20, Robin H. Johnson wrote:
> Presently, the code is effectively this:
> ...cat-list-of-fingerprints... | xargs gpg --recv
> 
> This has the downside of causing many exec
I just tried this and a list of 1319 fingerprints caused one single call
to "gpg --recv FPR1 FPR2 FPR3 ... FPR1319". I don't understand why my
gpg is then doing trust database calculations every so many keys, so
what I ended up doing was:

$ cat list-of-fingerprints | xargs strace -ff -o gpgtrace -e
trace=process gpg --no-auto-check-trustdb --recv

And this ran happily until killed by me, fetching and updating keys,
with just a single execve, no spawns.

Anyway, I didn't look any further, but what is exec'ing much here then?
Which version of GnuPG are you using? I'm using the Debian stretch
provided 2.1.18 with a systemd supervised dirmngr. I can't readily think
of which process would be starting often here... am I completey
forgetting about something? :-)

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171103/9b627656/attachment.sig>

From wk at gnupg.org  Fri Nov  3 20:17:38 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 03 Nov 2017 20:17:38 +0100
Subject: Efficent batch fetching with verification?
In-Reply-To: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net> (Robin
 H. Johnson's message of "Fri, 3 Nov 2017 05:20:21 +0000")
References: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
Message-ID: <87zi83rx2l.fsf@wheatstone.g10code.de>

On Fri,  3 Nov 2017 06:20, robbat2 at gentoo.org said:

> Presently, the code is effectively this:
> ...cat-list-of-fingerprints... | xargs gpg --recv
>
> This has the downside of causing many execs.

Right after a clean startup of your user session you will
see these execs:

  1. xargs execs gpg
  2. gpg execs gpg-agent
  3. gpg execs dirmngr

If xargs needs to exec another gpg you won't see new execs for gpg-agent
or dirmngr.  And the startup time of gpg can be neglecated compared to
the latency of the keyservers.

Or may it be that you are using gpg 1.4 or 2.0?  Those invoke keyserver
helpers and that may very well be one exec per supplied fingerprint.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171103/9815209b/attachment.sig>

From robbat2 at gentoo.org  Fri Nov  3 21:06:13 2017
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Fri, 3 Nov 2017 20:06:13 +0000
Subject: Efficent batch fetching with verification?
In-Reply-To: <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>
References: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
 <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>
Message-ID: <robbat2-20171103T195225-085552954Z@orbis-terrarum.net>

On Fri, Nov 03, 2017 at 12:50:06PM +0100, Peter Lebbing wrote:
> On 03/11/17 06:20, Robin H. Johnson wrote:
> > Presently, the code is effectively this:
> > ...cat-list-of-fingerprints... | xargs gpg --recv
> > 
> > This has the downside of causing many exec
...
> Anyway, I didn't look any further, but what is exec'ing much here then?
> Which version of GnuPG are you using? I'm using the Debian stretch
> provided 2.1.18 with a systemd supervised dirmngr. I can't readily think
> of which process would be starting often here... am I completey
> forgetting about something? :-)
You missed xargs itself, this mostly centers around the command-line
length limit. I can get in about ~3200 fingerprints per GPG call.

GnuPG 2.2.1, findutils/xargs 4.6.0.

Thanks for the idea of --no-auto-check-trustdb, I did miss that and it
helps for speedups.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2 at gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1113 bytes
Desc: Digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171103/3f375176/attachment-0001.sig>

From robbat2 at gentoo.org  Sat Nov  4 06:06:59 2017
From: robbat2 at gentoo.org (Robin H. Johnson)
Date: Sat, 4 Nov 2017 05:06:59 +0000
Subject: Efficent batch fetching with verification?
In-Reply-To: <87zi83rx2l.fsf@wheatstone.g10code.de>
References: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
 <87zi83rx2l.fsf@wheatstone.g10code.de>
Message-ID: <robbat2-20171104T045433-578736664Z@orbis-terrarum.net>

On Fri, Nov 03, 2017 at 08:17:38PM +0100, Werner Koch wrote:
> On Fri,  3 Nov 2017 06:20, robbat2 at gentoo.org said:
> 
> > Presently, the code is effectively this:
> > ...cat-list-of-fingerprints... | xargs gpg --recv
> >
> > This has the downside of causing many execs.
> 
> Right after a clean startup of your user session you will
> see these execs:
> 
>   1. xargs execs gpg
>   2. gpg execs gpg-agent
>   3. gpg execs dirmngr
> 
> If xargs needs to exec another gpg you won't see new execs for gpg-agent
> or dirmngr.  And the startup time of gpg can be neglecated compared to
> the latency of the keyservers.
> 
> Or may it be that you are using gpg 1.4 or 2.0?  Those invoke keyserver
> helpers and that may very well be one exec per supplied fingerprint.
Yes, the older versions do perform much worse, but even with gnupg2.2,
each exec of gpg is still at least 100ms, which adds up over time.

Part this may be having a huge keyring present (50k+ keys).

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robbat2 at gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1113 bytes
Desc: Digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171104/8f30295d/attachment.sig>

From peter at digitalbrains.com  Sat Nov  4 11:45:22 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 4 Nov 2017 11:45:22 +0100
Subject: Efficent batch fetching with verification?
In-Reply-To: <robbat2-20171103T195225-085552954Z@orbis-terrarum.net>
References: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
 <6b864265-53e2-b76a-6235-46e845ce5363@digitalbrains.com>
 <robbat2-20171103T195225-085552954Z@orbis-terrarum.net>
Message-ID: <c8852a5d-93b5-5cba-4e92-9b3629132c90@digitalbrains.com>

On 03/11/17 21:06, Robin H. Johnson wrote:
> You missed xargs itself,

Actually, I did not :-).

> this mostly centers around the command-line
> length limit. I can get in about ~3200 fingerprints per GPG call.

I asked "what is exec'ing much". I don't see one exec every 3200
fingerprints as overhead at all.

In your other reply, you say the 100 ms exec overhead for these 3200
keyserver fetches is significant. But I see a lot of round trips to the
keyserver; I didn't check the docs, but it must not be fetching many
keys in every HKP request. Perhaps even just a single key per request.
That is 3200 round trips to a remote server. And then the data will be
checked: this means running expensive asymmetric crypto.

So how long does this one gpg with 3200 key fetches run for you, as wall
time, and as cpu time? TBH, I'm having a hard time believing the
starting up of gpg.exe is relevant.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171104/9cc5a183/attachment.sig>

From wk at gnupg.org  Sat Nov  4 19:15:47 2017
From: wk at gnupg.org (Werner Koch)
Date: Sat, 04 Nov 2017 19:15:47 +0100
Subject: Efficent batch fetching with verification?
In-Reply-To: <robbat2-20171104T045433-578736664Z@orbis-terrarum.net> (Robin
 H. Johnson's message of "Sat, 4 Nov 2017 05:06:59 +0000")
References: <robbat2-20171103T050342-758022129Z@orbis-terrarum.net>
 <87zi83rx2l.fsf@wheatstone.g10code.de>
 <robbat2-20171104T045433-578736664Z@orbis-terrarum.net>
Message-ID: <87d14xsyek.fsf@wheatstone.g10code.de>

On Sat,  4 Nov 2017 06:06, robbat2 at gentoo.org said:

> Yes, the older versions do perform much worse, but even with gnupg2.2,
> each exec of gpg is still at least 100ms, which adds up over time.

I doubt that, let's see:

  $ time sh -c 'seq 1 1 | xargs -n 1 gpg --version >/dev/null'
  
  real    0m0.010s
  user    0m0.004s
  sys     0m0.004s
  $ time sh -c 'seq 1 100 | xargs -n 1 gpg --version >/dev/null'
  
  real    0m0.361s
  user    0m0.068s
  sys     0m0.024s

This is less than 4ms per exec.  So you problem is for sure not the
fork/exec.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171104/1078338c/attachment.sig>

From seby2kt14 at gmail.com  Sun Nov  5 02:15:14 2017
From: seby2kt14 at gmail.com (Seby)
Date: Sat, 4 Nov 2017 22:15:14 -0300
Subject: Cannot control GnuPG from shell (IPC parameter error)
Message-ID: <CAHEKVbpansouUiqk8x6wXOshgRdmgtCYnrx4A56W-JUSHwH0ow@mail.gmail.com>

Hello,

I have a script that interacts with GnuPG in an automated / unattended
way, but it cannot control the keyring. I keep getting this:

gpg: key generation failed: IPC parameter error

I am running 2.3.0-beta82. I tried to search for this error and I
could only find clues that lead to gpg-agent, but # gpg-agent --help
doesn't allow me to disable it. What is the good approach here?

Thanks in advance.


From olalereabass at outlook.com  Sat Nov  4 15:01:02 2017
From: olalereabass at outlook.com (olalereabass at outlook.com)
Date: Sat, 4 Nov 2017 14:01:02 +0000
Subject: Request for assistance 
Message-ID: <CY4PR05MB27890753BC302C7609491914C2520@CY4PR05MB2789.namprd05.prod.outlook.com>

Dear sir/ma,
I hereby humbly seek your assistance with respect to the file decryption.
I installed GPG4WIN  version 2.0.4 and the Open PGP certificate was successfully with a 40-charater fingerprint. "My Certificates" were also created. While attempting to use Kleopatra (which showed my certificate) to decrypt/verify a tgz.gpg file, it continually gave me results in the Decrypt/ Verify Files window showing  (1) All operations completed at 100% (2) Decryption failed.
Consequently, kind bail me out to know what has gone wrong and the possible ways out to decrypt  my files.
Thanks for your anticipated response.
Regards.
Olalere Abass

--
Sent from Outlook Email App for Android
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171104/570eaa92/attachment.html>

From knaack.h at gmx.de  Sun Nov  5 18:47:07 2017
From: knaack.h at gmx.de (Hartmut Knaack)
Date: Sun, 5 Nov 2017 18:47:07 +0100
Subject: gpg-agent/pinentry: How to verify calling application
In-Reply-To: <980c339a-5fde-7022-f51e-d6c00fedf6c9@gmx.de>
References: <980c339a-5fde-7022-f51e-d6c00fedf6c9@gmx.de>
Message-ID: <448944b6-b942-042d-1ea6-6a438652e933@gmx.de>

Hartmut Knaack wrote on 15.07.2017 16:02:
> Hi,
> on my machine running Linux and a recent KDE/Plasma, pinentry-qt
> occasionally starts right after logging in and asks for my passphrase.
> Is there any way to track down, which process asks gpg-agent for my private
> key? Preferably, I would like pinentry to inform, which process actually is
> the source of the key request.
> Thanks
>
> Hartmut
>

Hi,
I just wanted to report back on my issue. So, I actually ran the KWallet
configuration program (kwalletmanager5) and found the main switch in the
properties-menu to disable KWallet in my user account. It has been some
months now, and I have never been annoyed by randomly popping up pinentry
ever since.
Thanks for the help to guide me into the right direction.

Hartmut



From gniibe at fsij.org  Mon Nov  6 00:56:37 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Mon, 06 Nov 2017 08:56:37 +0900
Subject: Cannot control GnuPG from shell (IPC parameter error)
In-Reply-To: <CAHEKVbpansouUiqk8x6wXOshgRdmgtCYnrx4A56W-JUSHwH0ow@mail.gmail.com>
References: <CAHEKVbpansouUiqk8x6wXOshgRdmgtCYnrx4A56W-JUSHwH0ow@mail.gmail.com>
Message-ID: <87wp342say.fsf@iwagami.gniibe.org>

Seby <seby2kt14 at gmail.com> wrote:
> I am running 2.3.0-beta82. I tried to search for this error and I
> could only find clues that lead to gpg-agent, but # gpg-agent --help
> doesn't allow me to disable it. What is the good approach here?

Please update your installation.

IIUC, you are talking about (old version of) gpg4win, which is based on
GnuPG 2.0.x, and you are trying to use new feature(s) of GnuPG 2.2, like
ECC.
-- 


From seby2kt14 at gmail.com  Mon Nov  6 01:39:43 2017
From: seby2kt14 at gmail.com (Seby)
Date: Sun, 5 Nov 2017 21:39:43 -0300
Subject: Cannot control GnuPG from shell (IPC parameter error)
In-Reply-To: <87wp342say.fsf@iwagami.gniibe.org>
References: <CAHEKVbpansouUiqk8x6wXOshgRdmgtCYnrx4A56W-JUSHwH0ow@mail.gmail.com>
 <87wp342say.fsf@iwagami.gniibe.org>
Message-ID: <CAHEKVbrZZw10TCp5GOVuDNq2zXFUwgug0Pi6+B93FqMT9UYYZg@mail.gmail.com>

Hello,

"NIIBE Yutaka" <gniibe at fsij.org> wrote:

Seby <seby2kt14 at gmail.com> wrote:
> I am running 2.3.0-beta82. I tried to search for this error and I
> could only find clues that lead to gpg-agent, but # gpg-agent --help
> doesn't allow me to disable it. What is the good approach here?

Please update your installation.

IIUC, you are talking about (old version of) gpg4win, which is based on
GnuPG 2.0.x, and you are trying to use new feature(s) of GnuPG 2.2, like
ECC.


I am running on linux (Debian) and i am on git master (2.3.0-beta82) and it
complains:
WARNING: server 'gpg-agent' is older than us (2.1.8 < 2.3.0-beta82)

And then:
IPC parameter error.

When trying to pass a batch from shell.

I don't know if the warning causes the second fatal error but probably.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171105/97d9a70c/attachment.html>

From seby2kt14 at gmail.com  Mon Nov  6 01:59:04 2017
From: seby2kt14 at gmail.com (Seby)
Date: Mon, 6 Nov 2017 00:59:04 +0000
Subject: Cannot control GnuPG from shell (IPC parameter error)
In-Reply-To: <CAHEKVbrZZw10TCp5GOVuDNq2zXFUwgug0Pi6+B93FqMT9UYYZg@mail.gmail.com>
References: <CAHEKVbpansouUiqk8x6wXOshgRdmgtCYnrx4A56W-JUSHwH0ow@mail.gmail.com>
 <87wp342say.fsf@iwagami.gniibe.org>
 <CAHEKVbrZZw10TCp5GOVuDNq2zXFUwgug0Pi6+B93FqMT9UYYZg@mail.gmail.com>
Message-ID: <CAHEKVbraogJAPT8dGCG3Qqo7LionDQnYysuTj4ZWwammyNJCVw@mail.gmail.com>

Fixed the problem by killing the PID of gpg-agent and also by
correcting a typo in my syntax that was having a permission problem. I
am now 100% confident that the version mismatch warning between
gpg-agent and gpg is just a warning, it was not the cause of the
problem, the typo in the syntax bares the fault.

Thank you.

 Seby <seby2kt14 at gmail.com> wrote:
> Hello,
>
> "NIIBE Yutaka" <gniibe at fsij.org> wrote:
>
> Seby <seby2kt14 at gmail.com> wrote:
>> I am running 2.3.0-beta82. I tried to search for this error and I
>> could only find clues that lead to gpg-agent, but # gpg-agent --help
>> doesn't allow me to disable it. What is the good approach here?
>
> Please update your installation.
>
> IIUC, you are talking about (old version of) gpg4win, which is based on
> GnuPG 2.0.x, and you are trying to use new feature(s) of GnuPG 2.2, like
> ECC.
>
>
> I am running on linux (Debian) and i am on git master (2.3.0-beta82) and it
> complains:
> WARNING: server 'gpg-agent' is older than us (2.1.8 < 2.3.0-beta82)
>
> And then:
> IPC parameter error.
>
> When trying to pass a batch from shell.
>
> I don't know if the warning causes the second fatal error but probably.


From ryan at splintermail.com  Mon Nov  6 03:08:24 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Sun, 5 Nov 2017 20:08:24 -0600
Subject: Request for assistance
In-Reply-To: <CY4PR05MB27890753BC302C7609491914C2520@CY4PR05MB2789.namprd05.prod.outlook.com>
References: <CY4PR05MB27890753BC302C7609491914C2520@CY4PR05MB2789.namprd05.prod.outlook.com>
Message-ID: <mailman.0.1509934121.30378.gnupg-users@gnupg.org>

Hi Olalere,

Three things:

1) Why are you using such and old version of GPG4WIN?  Version 2.0.4 is
from 2010...

2) What did Kleopatra say when the decryption failed?  It should say,
"Decryption Failed: xyz", where "xyz" is the reason.  It is easier to
help if you give the full failure message.

3) Also, you should check the recipient of the message.  When you try to
decrypt the file with Kleopatra, Kleopatra should say:

    Recipient: (40-character fingerprint)

and you should make sure that recipient is the same 40-character
fingerprint for the certificate you created.

Ryan

On Sat, Nov 04, 2017 at 02:01:02PM +0000, olalereabass at outlook.com
wrote:
> Dear sir/ma,
> I hereby humbly seek your assistance with respect to the file decryption.
> I installed GPG4WIN  version 2.0.4 and the Open PGP certificate was
> successfully with a 40-charater fingerprint. "My Certificates" were also
> created. While attempting to use Kleopatra (which showed my certificate) to
> decrypt/verify a tgz.gpg file, it continually gave me results in the Decrypt/
> Verify Files window showing  (1) All operations completed at 100% (2)
> Decryption failed.
> Consequently, kind bail me out to know what has gone wrong and the possible
> ways out to decrypt  my files.
> Thanks for your anticipated response.
> Regards.
> Olalere Abass
>
> --
> Sent from Outlook Email App for Android
>

> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



From t at crp.to  Mon Nov  6 16:28:28 2017
From: t at crp.to (Tim Steiner)
Date: Mon, 6 Nov 2017 15:28:28 +0000 (UTC)
Subject: New smart card / token alternative
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
Message-ID: <1247832004.2932812.1509982108841@mail.yahoo.com>

We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

Tim Steiner
CISSP-ISSAP, C|EH, OSCP, PMP
Email: T at crp.to
CryptoTrust | crp.to


From vedaal at nym.hush.com  Mon Nov  6 23:26:47 2017
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Mon, 06 Nov 2017 17:26:47 -0500
Subject: New smart card / token alternative
In-Reply-To: <1247832004.2932812.1509982108841@mail.yahoo.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com> 
Message-ID: <20171106222647.85FF6E034E@smtp.hushmail.com>



On 11/6/2017 at 4:55 PM, "Tim Steiner" <t at crp.to> wrote:

\We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

=====

Using this on anything except your own computer, or laptop, is problematic, 
as the 'host' computer can have a key-logger or screen capturer, and copy the decrypted plaintext, or the plaintext to be encrypted.

Can it be made to work with Tails/Tor which uses GunPG ?

(The  'insecure' browser on Tails not involving Tor, is a Firefox variant.   
If it can work on that, then booting from the Tails USB avoids a screencapturer, and using on on-screen keyboard avoids a hardware keyboard logger.

But even so, there are problems with using it on an 'unknown' computer :

https://tails.boum.org/doc/about/warning/index.en.html#index2h1


vedaal



From ssmeenk at freshdot.net  Mon Nov  6 22:49:26 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Mon, 6 Nov 2017 22:49:26 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
Message-ID: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>

Hi!

Some time ago in March i was asking about the way the pinentry works and
i have not yet been able to get this working properly.

I have this vim macro that automatically decrypts and encrypts files
named .gpg. I use this in a terminal through SSH on my server and it
basically pipes a buffer through 'gpg -qd' and 'gpg -ae'.

Recently upgraded that server, and now this does not work anymore.
GPG just exists stating 'No secret key' while running that exact
command on the shell pops up the pinentry thingy and works fine.

Another situation (still) is my PC at work. It has my X session running
mostly always. I access it through SSH too with the same user account
and like to work there, but i can't do anything with GPG on a remotely
connected shell to this machine: The pinentry will consistently pop up
on the X display on that machine instead of the controlling tty (my ssh)
requesting the decryption. 

I've had varying success with exporting GPG_TTY and updatestartuptty,
usually having to restart gpg-agent. To try and keep this workable i
ended up wrapping gpg in a script that sets GPG_TTY, kills all
gpg-agent, starts it, runs gpg...

Then when a tool is not using the wrapper this results in pinentry
plopping up on terminals where i did not expect them, but it is the
terminal i last used the wrapper in.

It's rather cumbersome and very dodgy at least. How do others deal with
this? Or is everyone using GPG solely in GUI environments nowadays? ;)

Any insights welcome!
Sorry for the ranty mail.
I'm a nice guy. Really.

Rgds,
Sndr.
-- 
| Rookworst zonder 'r' is ook worst!
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


From ryan at splintermail.com  Tue Nov  7 01:11:56 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Mon, 6 Nov 2017 18:11:56 -0600
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
Message-ID: <mailman.1.1510013526.30378.gnupg-users@gnupg.org>

Hi Sander,

I also was frustrated with how GPG pinentry worked by default.  In
particular, I *almost* always want to use the ncurses pinentry, unless
through a key shortcut my window manager tries to call gpg (for my
password manager).  But if I want to encrypt a file with mutt, I don't
want a popup!  I hate popups!

What I did was write a custom pinentry wrapper, which I call rpinentry.
It just dispaches either the curses-based pinentry or a gui pinentry
based on the environment variable PINENTRY_USER_DATA which is read by
gpg and passed to the pinentry program, for jobs like this:

    #!/bin/sh

    if [ "$PINENTRY_USER_DATA" == "terminal" ] ; then
        # always use the terminal if one is handy
        /usr/bin/pinentry-curses
    else
        # otherwise DISPLAY info is passed on command line, just forward it
        /usr/bin/pinentry-qt "$@"
    fi

Then in ~/.gnupg/gpg-agent.conf I set it to be my default pinentry
program:

    pinentry-program /path/to/rpinentry

In my ~/.bashrc I have the following two lines:

    export PINENTRY_USER_DATA="terminal"
    export GPG_TTY=$(tty)

Then in the config file for my window manager, I have the equivalent of:

    export PINENTRY_USER_DATA=qt

So this covers all of my bases.  If I do something that calls GPG from a
terminal, I get a curses-based pinentry prompt, because each individual
terminal has PINENTRY_USER_DATA set to "terminal" and GPG_TTY set
properly as soon as it is opened, thanks to my ~/.bashrc.

If my window manager does something which calls GPG (just my password
manager, really), then when the window manager spawns gpg it passes
PINENTRY_USER_DATA set to "qt" and I get a gui popup.

I think my setup might be almost a drop-in fix for your gpg-over-ssh
issue, although you will have to figure out where to set the environment
variable for your particular window manager.

Ryan


From seby2kt14 at gmail.com  Tue Nov  7 00:12:16 2017
From: seby2kt14 at gmail.com (Seby)
Date: Mon, 6 Nov 2017 23:12:16 +0000
Subject: New smart card / token alternative
In-Reply-To: <CAHEKVbqMetKWZSVkusOcN693GXN1HyztJBof_a6M9pKjXctzcw@mail.gmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <CAHEKVbqdP=7htR09J0JNjnraDpXZnbyEtgwS975D7PvnTiPW4Q@mail.gmail.com>
 <CAHEKVbqMetKWZSVkusOcN693GXN1HyztJBof_a6M9pKjXctzcw@mail.gmail.com>
Message-ID: <CAHEKVbpeVAc3czSEifQo0jsN1DNeUDMHYKbQmOeOXkNddRjY6A@mail.gmail.com>

Hello,


"Tim Steiner" <t at crp.to> wrote:

We have been working on a project to build a direct interface for PGP/GPG
usage using U2F for web apps and browser extensions. This is similar to
existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP
message, or send this message, or open this file, or sign this file, but I
don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it
works even on a computer where you can't install software -
https://www.kickstarter.com/projects/1048259057/onlykey-
quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

Tim Steiner
CISSP-ISSAP, C|EH, OSCP, PMP
Email: T at crp.to
CryptoTrust | crp.to


Your product provides a false sense of security. Educating users that is is
somehow safe is a terrible mistake. Telling users it is safe to plug in any
computer and encrypt decrypt stuff is a terrible idea.

How was your budget distributed? What hardware and firmware do you use what
security audit have you done?

Even if the things in second paragraph are fixed first paragraph still
stands.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171106/c372f325/attachment.html>

From pkk at spth.de  Tue Nov  7 08:29:57 2017
From: pkk at spth.de (Philipp Klaus Krause)
Date: Tue, 7 Nov 2017 08:29:57 +0100
Subject: New smart card / token alternative
In-Reply-To: <20171106222647.85FF6E034E@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
Message-ID: <e22004f7-9435-3751-1327-17b7be0a3776@spth.de>

Am 06.11.2017 um 23:26 schrieb vedaal at nym.hush.com:
> 
> 
> On 11/6/2017 at 4:55 PM, "Tim Steiner" <t at crp.to> wrote:
> 
> \We have been working on a project to build a direct interface for
> PGP/GPG usage using U2F for web apps and browser extensions. This is
> similar to existing smart cards and tokens but no software install is
> required.
> 
> We set out to solve this problem -"Man, I really wish I could read
> this PGP message, or send this message, or open this file, or sign
> this file, but I don't have my laptop with me"
> 
> With this solution you can keep the key offline, carry it with you
> and it works even on a computer where you can't install software -
> https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo
>
>  We are interested to hear feedback on this approach from the
> community.
> 
> =====
> 
> Using this on anything except your own computer, or laptop, is
> problematic, as the 'host' computer can have a key-logger or screen
> capturer, and copy the decrypted plaintext, or the plaintext to be
> encrypted.

I have often been insituations, where I had access to a friend's
computer, and you trust the friend and their computer skills enough to
handle a message on their computer.

A typical scenario might even be a sending a signed message where the
contents are intentionally known to that friend.

While I tend to carry my laptop with me often, not everyone does.

Philipp


From wk at gnupg.org  Tue Nov  7 11:45:31 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 Nov 2017 11:45:31 +0100
Subject: [Announce] GnuPG 2.2.2 released
Message-ID: <87375qmkok.fsf@wheatstone.g10code.de>

Hello!

We are is pleased to announce the availability of a new GnuPG release:
version 2.2.2.  This is a maintenance release; see below for a list of
fixed bugs.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As an Universal Crypto
Engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.2
===================================

  * gpg: Avoid duplicate key imports by concurrently running gpg
    processes. [#3446]

  * gpg: Fix creating on-disk subkey with on-card primary key. [#3280]

  * gpg: Fix validity retrieval for multiple keyrings. [Debian#878812]

  * gpg: Fix --dry-run and import option show-only for secret keys.

  * gpg: Print "sec" or "sbb" for secret keys with import option
    import-show. [#3431]

  * gpg: Make import less verbose. [#3397]

  * gpg: Add alias "Key-Grip" for parameter "Keygrip" and new
    parameter "Subkey-Grip" to unattended key generation.  [#3478]

  * gpg: Improve "factory-reset" command for OpenPGP cards.  [#3286]

  * gpg: Ease switching Gnuk tokens into ECC mode by using the magic
    keysize value 25519.

  * gpgsm: Fix --with-colon listing in crt records for fields > 12.

  * gpgsm: Do not expect X.509 keyids to be unique.  [#1644]

  * agent: Fix stucked Pinentry when using --max-passphrase-days. [#3190]

  * agent: New option --s2k-count.  [#3276 (workaround)]

  * dirmngr: Do not follow https-to-http redirects. [#3436]

  * dirmngr: Reduce default LDAP timeout from 100 to 15 seconds. [#3487]

  * gpgconf: Ignore non-installed components for commands
    --apply-profile and --apply-defaults. [#3313]

  * Add configure option --enable-werror.  [#2423]


Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or
read on:

GnuPG 2.2.2 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
<https://gnupg.org/download/mirrors.html>.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.2.tar.bz2 (6394k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.2.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.2_20171107.exe (3807k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.2_20171107.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  A new Gpg4win 3.0 installer
featuring this version of GnuPG will be available soon.  In the meantime
you may install this version on top of an installed Gpg4win 3.0 version.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.2.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.2.tar.bz2.sig gnupg-2.2.2.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.2.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.2.tar.bz2

   and check that the output matches the next line:

efa00fc20295b1cafe467359107ea170258870e2  gnupg-2.2.2.tar.bz2
19224023f5a7750743d042b0bfbd5e44fbc9aeb2  gnupg-w32-2.2.2_20171107.exe
0bb69eb774f8c39b8092b5615a19e656bb681084  gnupg-w32-2.2.2_20171107.tar.xz


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech,
French, German, Japanese, Norwegian, Russian, and Ukrainian being almost
completely translated.


Documentation and Support
=========================

If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details availabale only in thee manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to
set up the whole thing.  You may also want to search the GnuPG mailing
list archives or ask on the gnupg-users mailing list for advise on how
to solve problems.  Most of the new features are around for several
years and thus enough public experience is available.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at <https://bugs.gnupg.org>.  If you need commercial
support check out <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs one full-time developer and one
contractor.  Both work exclusivly on GnuPG and closely related software
like Libgcrypt, GPGME, and GPA.  We are planning to extend our team
again.  Right now we are looking for an admin for our bug tracker; see
<https://lists.gnupg.org/pipermail/gnupg-devel/2017-November/033225.html>

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, answering questions on the mailing lists,
and with financial support.


Happy hacking,

   Gniibe and Werner



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these five keys:

  2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048/E0856959 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key) <dshaw 'at' jabberwocky.com>

  rsa2048/33BD3F06 2014-10-29 [expires: 2016-10-28]
  Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>

  rsa2048/7EFD60D9 2014-10-19 [expires: 2020-12-31]
  Key fingerprint = D238 EA65 D64C 67ED 4C30  73F2 8A86 1B1C 7EFD 60D9
  Werner Koch (Release Signing Key)

  rsa3072/4B092E28 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/a64a55b3/attachment.sig>
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From wk at gnupg.org  Tue Nov  7 12:14:59 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 Nov 2017 12:14:59 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net> (Sander Smeenk
 via Gnupg-users's message of "Mon, 6 Nov 2017 22:49:26 +0100")
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
Message-ID: <87d14ul4r0.fsf@wheatstone.g10code.de>

On Mon,  6 Nov 2017 22:49, gnupg-users at gnupg.org said:

> It's rather cumbersome and very dodgy at least. How do others deal with
> this? Or is everyone using GPG solely in GUI environments nowadays? ;)

If I want to test the curses Pinentry I simply run

  DISPLAY= gpg ...

and get the curses pinentry even when using an xterm (which is my usual
environment). For example you could start mutt the same way

  DISPLAY= mutt 

and you get the curses.  Drawback is that you won't get an image viewer
either.

Instead of using the envvar you could also invoke gpg like

  gpg --display=none ....

which sets the display to none and pinentry will fallback to curses.
Using "none" is not really correct but --display requires an option and
does not like an empty string.

It is also possible to write a pinentry which depends on the actual
program invoking gpg: gpg-agent tells pinentry the pid of the process
invoking gpg; e.g.

  OPTION owner=9798 wheatstone

The current develppment version of Pinentry uses this info on Linux to
to show the process name in the titlebar.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/912c0dc8/attachment.sig>

From ssmeenk at freshdot.net  Tue Nov  7 14:42:35 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Tue, 7 Nov 2017 14:42:35 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
Message-ID: <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>

Quoting Ryan Beethe (ryan at splintermail.com):

> I think my setup might be almost a drop-in fix for your gpg-over-ssh
> issue, although you will have to figure out where to set the
> environment variable for your particular window manager.

Thanks for your tips and tricks. It's the less bodgy version of the
"wrapper" i wrote. I've adapted them to my system and it seems this is
actually working for the remote-ssh-on-a-system-running-X issue.

However; i still can't use 'gpg -qd' in vim like so:

| augroup GPGEncrypted
|     au!
|     au BufReadPre,FileReadPre      *.asc,*.gpg set viminfo=
|     au BufReadPre,FileReadPre      *.asc,*.gpg set noswapfile
|     au BufReadPre,FileReadPre      *.asc,*.gpg set bin
|     au BufReadPre,FileReadPre      *.asc,*.gpg let ch_save = &ch|set ch=2
|     au BufReadPost,FileReadPost    *.asc,*.gpg '[,']!gpg -qd 2> /dev/null
|     au BufReadPost,FileReadPost    *.asc,*.gpg set nobin
|     au BufReadPost,FileReadPost    *.asc,*.gpg let &ch = ch_save|unlet ch_save
|     au BufReadPost,FileReadPost    *.asc,*.gpg execute ":doautocmd BufReadPost " . expand("%:r")
|     au BufReadPost,FileReadPost    *.asc,*.gpg set ff=unix
|     au BufWritePre,FileWritePre    *.asc,*.gpg '[,']!gpg -ae 2>/dev/null
|     au BufWritePost,FileWritePost  *.asc,*.gpg u
| augroup END

It seems pinentry(-curses) doesn't want to start from within vim.

Do you also have any brilliant ideas there?

Rgds,
Sndr.
-- 
| Cat, n.: Lapwarmer with built-in buzzer.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


From ssmeenk at freshdot.net  Tue Nov  7 14:45:56 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Tue, 7 Nov 2017 14:45:56 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <87d14ul4r0.fsf@wheatstone.g10code.de>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <87d14ul4r0.fsf@wheatstone.g10code.de>
Message-ID: <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>

Quoting Werner Koch (wk at gnupg.org):

> > It's rather cumbersome and very dodgy at least. How do others deal with
> > this? Or is everyone using GPG solely in GUI environments nowadays? ;)
> The current develppment version of Pinentry uses this info on Linux to
> to show the process name in the titlebar.

Thanks for your insights and continued efforts to keep our data safe!

Could you elaborate on the 'why' part of this enforced pinentry usage
with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

Where did that come from?
What problem did it solve?

Thanks again,
-Sndr.
-- 
| Bakers trade bread recipes on a knead to know basis.  
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/091e5b65/attachment.sig>

From listofactor at mail.ru  Tue Nov  7 15:58:49 2017
From: listofactor at mail.ru (listo factor)
Date: Tue, 7 Nov 2017 14:58:49 +0000
Subject: New smart card / token alternative
In-Reply-To: <20171106222647.85FF6E034E@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
Message-ID: <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>

On 11/06/2017 10:26 PM, vedaal at nym.hush.com wrote:
> 
> On 11/6/2017 at 4:55 PM, "Tim Steiner" <t at crp.to> wrote:
> 
> With this solution you can keep the key offline, carry it with you and it  > works even on a computer where you can't install software...
 >
> We are interested to hear feedback on this approach from the community.
> 
>> =====
>> 
>> Using this on anything except your own computer, or laptop, is problematic...

=====

This is a mantra from another, more gentle time.

Today, there is a whole class of real-world use cases where the
protection of the user demands that it not be known to the adversary
he or she is communicating with someone, as much - or even more -
than it is required that the content of the communication is kept
confidential. If the connection between the user and the computer
is transient, there may well be many instances where the adversary
will not be able to identify the user, even if he manages to learn
the content, and where the content, without the identity of the
communicator, is of very limited value to the adversary.

It therefore appears to me this is a worthwhile project, provided,
like always, *and for any crypto*, the user understands his or her
threat model.




From mac3iii at gmail.com  Tue Nov  7 16:29:09 2017
From: mac3iii at gmail.com (murphy)
Date: Tue, 7 Nov 2017 10:29:09 -0500
Subject: GnuPG 2.2.2 speedo swdb.lst
Message-ID: <0ca33b02-98a2-bfb1-13c4-a2df17a69384@gmail.com>

Hi Werner - I had trouble compiling GnuPG on my Raspberry Pi with error:

make -f /home/pi/Downloads/gnupg-2.2.2/build-aux/speedo.mk UPD_SWDB=1
TARGETOS=native WHAT=release WITH_GUI=0 all
make[1]: Entering directory '/home/pi/Downloads/gnupg-2.2.2'
gpgv: Signature made Thu 21 Sep 2017 03:51:24 AM EDT
gpgv:??????????????? using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpgv: Good signature from "Werner Koch (dist sig)"
GnuPG version in swdb.lst is less than this version!
? This version: 2.2.2
? SWDB version: 2.2.1
/home/pi/Downloads/gnupg-2.2.2/build-aux/speedo.mk:272: *** Error
getting GnuPG software version database.? Stop.
make[1]: Leaving directory '/home/pi/Downloads/gnupg-2.2.2'
build-aux/speedo.mk:72: recipe for target 'native' failed
make: *** [native] Error 2

$ cat swdb.lst
gnupg22_ver 2.2.1
gnupg22_date 2017-09-19

Does this need to be updated to 2.2.2 ?

Thanks for your attention!

Murphy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/e6139c2d/attachment.sig>

From peter at digitalbrains.com  Tue Nov  7 18:05:53 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 7 Nov 2017 18:05:53 +0100
Subject: New smart card / token alternative
In-Reply-To: <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
 <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
Message-ID: <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>

On 07/11/17 15:58, listo factor via Gnupg-users wrote:
> If the connection between the user and the computer
> is transient, there may well be many instances where the adversary
> will not be able to identify the user, even if he manages to learn
> the content, and where the content, without the identity of the
> communicator, is of very limited value to the adversary.

I'm not commenting on the rest of this topic, but let me pick this one
thing out.

How exactly can the identity ever be unknown when we're talking about
stuff encrypted to an OpenPGP public key or signed by one? That's a
completely unique identifier!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/ac28e93c/attachment.sig>

From ryan at splintermail.com  Tue Nov  7 19:59:23 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Tue, 7 Nov 2017 12:59:23 -0600
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
Message-ID: <mailman.2.1510081180.30378.gnupg-users@gnupg.org>

Well... it happens that when I copy your script to my archlinux machine,
everything works fine.

It also happens that when I copy your script into my ubuntu machine, I
had to change both references of `gpg` to `gpg2`, since in ubuntu gpg is
not the same program as gpg2.  I also would find it convenient to add a
`--default-recipient-self` to the `gpg2 -ea` line, but maybe that's just
me.  If the same change works for you, perhaps you have an
"alias gpg=gpg2" in your ~/.bashrc, causing your shell to behave
differently that vim?

Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and I
have never had problems.  Then in my ~/.vimrc, I just had to set:

    let GPGUsePipes=1
    let GPGDefaultRecipients=['my.email at address.com']


Ryan


From wk at gnupg.org  Tue Nov  7 21:04:34 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 Nov 2017 21:04:34 +0100
Subject: GnuPG 2.2.2 speedo swdb.lst
In-Reply-To: <0ca33b02-98a2-bfb1-13c4-a2df17a69384@gmail.com> (murphy's
 message of "Tue, 7 Nov 2017 10:29:09 -0500")
References: <0ca33b02-98a2-bfb1-13c4-a2df17a69384@gmail.com>
Message-ID: <87inelj1nx.fsf@wheatstone.g10code.de>

On Tue,  7 Nov 2017 16:29, mac3iii at gmail.com said:

> $ cat swdb.lst
> gnupg22_ver 2.2.1
> gnupg22_date 2017-09-19

Oh sorry.  I only generated the new swdb.lst but forgot the "make
upload".  Done now.

Thanks,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/daec906c/attachment.sig>

From timothy.steiner at yahoo.com  Tue Nov  7 18:15:36 2017
From: timothy.steiner at yahoo.com (timothy.steiner at yahoo.com)
Date: Tue, 7 Nov 2017 17:15:36 +0000 (UTC)
Subject: New smart card / token alternative
In-Reply-To: <20171106222647.85FF6E034E@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
Message-ID: <539981193.3830304.1510074936643@mail.yahoo.com>

If you are using something like Tails you would probably just install the GPG agent. Tails allows installing additional software -?https://tails.boum.org/doc/advanced_topics/additional_software/index.en.html. U2F is available in the new version of Firefox being released later this year so if that is included in future Tails release then there would be in-browser support in Tails.
The risk mentioned with a key-logger/screen capture is the same for all smart cards/tokens, and really all methods of composing a message on a computer. The risk would even apply to Tails if say the user installed malicious software or browsed to a site that exploited a browser vulnerability. 

    On Monday, November 6, 2017, 5:26:51 PM EST, <vedaal at nym.hush.com> wrote:  
 
 

On 11/6/2017 at 4:55 PM, "Tim Steiner" <t at crp.to> wrote:

\We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.

We set out to solve this problem -"Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"

With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo

We are interested to hear feedback on this approach from the community.

=====

Using this on anything except your own computer, or laptop, is problematic, 
as the 'host' computer can have a key-logger or screen capturer, and copy the decrypted plaintext, or the plaintext to be encrypted.

Can it be made to work with Tails/Tor which uses GunPG ?

(The? 'insecure' browser on Tails not involving Tor, is a Firefox variant.? 
If it can work on that, then booting from the Tails USB avoids a screencapturer, and using on on-screen keyboard avoids a hardware keyboard logger.

But even so, there are problems with using it on an 'unknown' computer :

https://tails.boum.org/doc/about/warning/index.en.html#index2h1


vedaal

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171107/8b81cae6/attachment-0001.html>

From dank at kegel.com  Tue Nov  7 23:09:10 2017
From: dank at kegel.com (Dan Kegel)
Date: Tue, 7 Nov 2017 14:09:10 -0800
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <87d14ul4r0.fsf@wheatstone.g10code.de>
 <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>
Message-ID: <CAPF-yOaauRiAaEbtyGJMuP6ZT5pjgx8ANBEgyNpOf7h5XEE8Cw@mail.gmail.com>

On Tue, Nov 7, 2017 at 5:45 AM, Sander Smeenk via Gnupg-users
<gnupg-users at gnupg.org> wrote:
> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.
>
> Where did that come from?
> What problem did it solve?

I'm curious, too.

It sure makes scripting hard.
- Dan


From ssmeenk at freshdot.net  Wed Nov  8 10:50:45 2017
From: ssmeenk at freshdot.net (Sander Smeenk)
Date: Wed, 8 Nov 2017 10:50:45 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
Message-ID: <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>

Quoting Ryan Beethe (ryan at splintermail.com):

> Well... it happens that when I copy your script to my archlinux
> machine, everything works fine.

Are you sure your key wasn't already unlocked in the gpg-agent?


> It also happens that when I copy your script into my ubuntu machine, I
> had to change both references of `gpg` to `gpg2`, [ .. ]

Yes, thanks for that hint but it is not my case.
I made the deliberate step and now only use GnuPG 2.x


> Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> I have never had problems.  Then in my ~/.vimrc, I just had to set:
>     let GPGUsePipes=1
>     let GPGDefaultRecipients=['my.email at address.com']

Wow! Quite some code for decrypting a file!
I'll give it a shot after i learn how to use that beast.


Rgds,
Sndr.
-- 
| It?s hard to explain puns to kleptomaniacs
| because they always take things literally.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2


From ryan at splintermail.com  Wed Nov  8 12:28:44 2017
From: ryan at splintermail.com (Ryan Beethe)
Date: Wed, 8 Nov 2017 05:28:44 -0600
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
 <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>
Message-ID: <mailman.3.1510140533.30378.gnupg-users@gnupg.org>

On Wed, Nov 08, 2017 at 10:50:45AM +0100, Sander Smeenk via Gnupg-users wrote:
> Quoting Ryan Beethe (ryan at splintermail.com):
>
> > Well... it happens that when I copy your script to my archlinux
> > machine, everything works fine.
>
> Are you sure your key wasn't already unlocked in the gpg-agent?

Yes, I reset my gpg-agent (killall -1 gpg-agent) each time, and was
prompted with a pinentry prompt each time.

> > Personally, I use a plugin (https://github.com/jamessan/vim-gnupg) and
> > I have never had problems.  Then in my ~/.vimrc, I just had to set:
> >     let GPGUsePipes=1
> >     let GPGDefaultRecipients=['my.email at address.com']
>
> Wow! Quite some code for decrypting a file!
> I'll give it a shot after i learn how to use that beast.

Hm... now that I think about it I think the pinentry prompt has been
broken in my vim with that plugin for some time (due to improper
handling of stderr from the looks of it).  It just hasn't bothered me
because I almost never use vim until after I have entered the gpg
password for something else.

So it might be worth a shot but I can't make any promises.

Ryan


From vedaal at nym.hush.com  Wed Nov  8 16:27:08 2017
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Wed, 08 Nov 2017 10:27:08 -0500
Subject: New smart card / token alternative
In-Reply-To: <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
 <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
 <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com> 
Message-ID: <20171108152708.841BCC0536@smtp.hushmail.com>

On 11/7/2017 at 12:10 PM, "Peter Lebbing" <peter at digitalbrains.com> wrote:

>How exactly can the identity ever be unknown when we're talking 
>about stuff encrypted to an OpenPGP public key or signed by one? That's a
>completely unique identifier!

=====

 Well, if someone were really *crazy enough* he could send the PGP encrypted message using --throw-keyid to all email sites listed on PGP keyservers ... (i hope no one is *that* crazy ... ;-)   )

or, more practically, just post anonymously to a blog or website, using --throw-keyid,
with a pre-arranged understanding that the sender and receiver post to and check certain websites

This could be facilitated by Tails/Tor, although there are still some vulnerabilities:
https://tails.boum.org/doc/about/warning/index.en.html#index2h1

vedaal



From peter at digitalbrains.com  Wed Nov  8 16:45:27 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Wed, 8 Nov 2017 16:45:27 +0100
Subject: New smart card / token alternative
In-Reply-To: <20171108152708.841BCC0536@smtp.hushmail.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
 <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
 <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>
 <20171108152708.841BCC0536@smtp.hushmail.com>
Message-ID: <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>

On 08/11/17 16:27, vedaal at nym.hush.com wrote:
> or, more practically, just post anonymously to a blog or website,
> using --throw-keyid, with a pre-arranged understanding that the
> sender and receiver post to and check certain websites

I did not phrase it properly, leading to a misunderstanding.

We are talking about using a smartcard on a compromised computer. I
reasoned from the OpenPGP Card specification[1]. You can simply ask the
smartcard for the public key; the actual cryptographic public key.

So as an attacker with control over the computer, you see that someone
succesfully decrypts a document using his OpenPGP card. You ask the
smartcard for the public key that was used to encrypt the document, and
you have a fully unique identifier for the key that was used.

HTH,

Peter.

[1] It isn't clear to me whether this project is actually adhering to
the OpenPGP card specification, though, I didn't check. I realised this
only later.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171108/d04cf3e0/attachment.sig>

From listofactor at mail.ru  Thu Nov  9 00:39:06 2017
From: listofactor at mail.ru (listo factor)
Date: Wed, 8 Nov 2017 23:39:06 +0000
Subject: New smart card / token alternative
In-Reply-To: <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
 <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
 <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>
 <20171108152708.841BCC0536@smtp.hushmail.com>
 <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>
Message-ID: <73dffa2c-da9a-48b7-d3c4-96ee6d2fa8ed@mail.ru>

On 11/08/2017 03:45 PM, Peter Lebbing wrote:
> On 08/11/17 16:27, vedaal at nym.hush.com wrote:
>> or, more practically, just post anonymously to a blog or website,
>> using --throw-keyid, with a pre-arranged understanding that the
>> sender and receiver post to and check certain websites
> 
> I did not phrase it properly, leading to a misunderstanding.
> 
> We are talking about using a smartcard on a compromised computer. I
> reasoned from the OpenPGP Card specification[1]. You can simply ask the
> smartcard for the public key; the actual cryptographic public key.
> 
> So as an attacker with control over the computer, you see that someone
> succesfully decrypts a document using his OpenPGP card. You ask the
> smartcard for the public key that was used to encrypt the document, and
> you have a fully unique identifier for the key that was used.

there are many real-world use cases where the recipient does not mind
that an adversary knows he is receiving encrypted communication, as
long as the content is secure, but where the sender can be exposed
to various levels of unpleasantness if the adversary can find out
he is communicating with a specific recipient, using encryption.

The ownership of a device such as one discussed in this thread is
trivial to conceal, especially when compared to a computer equipped
to participate in encrypted communications.

Real-life threat-models are much more varied than what Alice, Bob
and Eve would have us believe.



From wk at gnupg.org  Thu Nov  9 09:01:45 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Nov 2017 09:01:45 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <E1eCOYa-0004cW-Nh@wheatstone.g10code.de> (Ryan Beethe's message
 of "Wed, 8 Nov 2017 05:28:44 -0600")
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <20171107134235.fey372sbiggnhjv2@dot.freshdot.net>
 <20171108095045.paqvb5p3iu23pcvl@dot.freshdot.net>
 <E1eCOYa-0004cW-Nh@wheatstone.g10code.de>
Message-ID: <871sl7j2xi.fsf@wheatstone.g10code.de>

On Wed,  8 Nov 2017 12:28, ryan at splintermail.com said:

> Yes, I reset my gpg-agent (killall -1 gpg-agent) each time, and was
> prompted with a pinentry prompt each time.

[ Please use "pkill -HUP gpg-agent" and never ever killall - which has,
  aehm, funny effects on other Unices. ]

  gpgconf --reload gpg-agent

is the suggest way to reload the gpg-agent configuraion and flush the
caches.

> Hm... now that I think about it I think the pinentry prompt has been
> broken in my vim with that plugin for some time (due to improper

Not sure what your problem is but nevertheless here this hint: When
calling gpg you should watch the status fd (commonly stderr,
"--status-fd 2") for a line

  [GNUPG:] PINENTRY_LAUNCHED

and set a flag to redraw your screen after gpg returned.  The other
approach would be to write an vim-internal pinentry in the same way the
pinentry-emacs pinentry works.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171109/3ed3fb3c/attachment.sig>

From wk at gnupg.org  Thu Nov  9 09:24:46 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 09 Nov 2017 09:24:46 +0100
Subject: GnuPGv2 & 'pinentry' on Linux w/ remote access
In-Reply-To: <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net> (Sander Smeenk
 via Gnupg-users's message of "Tue, 7 Nov 2017 14:45:56 +0100")
References: <20171106214926.d64gfdtdpepopbvx@dot.freshdot.net>
 <87d14ul4r0.fsf@wheatstone.g10code.de>
 <20171107134556.4uc4cbdwq2kqvfnb@dot.freshdot.net>
Message-ID: <87wp2zhnap.fsf@wheatstone.g10code.de>

On Tue,  7 Nov 2017 14:45, gnupg-users at gnupg.org said:

> Could you elaborate on the 'why' part of this enforced pinentry usage
> with GnuPG? It wasn't mandatory in 1.x, now it's forced on us.

It is definitely not new.  GnuPG 1.9 was released 14 years ago (it was
renamed to 2.0 2.0 11 years ago).  It has been used at quite some places
right away from that time on.  The new thing with 2.0 was the
modularized system: The private keys were only managed and accessible by
gpg-agent and gpgsm (gpg for S/MIME) used it this way.

Unfortunately it took until the summer of 2010 before I was able to port
gpg to use the same system as gpgsm and let gpg-agent handle the private
keys.  (Before that gpg used gpg-agent only for passphrase caching.)

Not having to care about private keys in gpg allowed us to remove a lot
of semi-duplicated code from gpg.  This instantly fixed the long
standing import/merging of secret key bugs.

For an architectural point of view gpg-agent can be viewed as a token
which can be accessed only via a well defined API.  gpg does not take
precautions against leaking secret keys.  The actual code to do secret
key operations (decrypt, signing) is done only at one place so that gpg
and gpgsm, and other possible crypto protocols share the same code.

Smartcard access is unified - gpg, gpgsm, and ssh can use the same
smartcard.

gpg-agent can be theoretically be run under a different account.
gpg-agent can actually be run on a remote machine, so that you don't
need to have a secret key on a server but delegate that work to a
desktop box or even a box which is used as a HSM.

The drawback is that application don't need to handle passphrases
anymore.  However, I would call that a huge benefit because applications
are relieved from handling the sensitive passphrase and can let another
process (pinentry) do that on demand from gpg-agent.  On X this works
very well, with curses it is more complicated and needs some adjustments
(or hitting Ctrl-L).  On Windows it was easy as well but later got
complicated due to new Windows security measurements so that there is a
small chance that the pinentry won't pop up but blonk only in the
taskbar.

While preparing for the 2.1 release, we decided to add a loopback mode
to gpg-agent/gpg/gpgsm so that instead of writing one's own loopback
pinentry it is in most cases possible to keep on using existing code
which expects to handle the passphrase.  Adding --pinentry-mode=loopback
to the gpg invocation does this.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171109/e710241c/attachment-0001.sig>

From peter at digitalbrains.com  Thu Nov  9 12:52:22 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 9 Nov 2017 12:52:22 +0100
Subject: New smart card / token alternative
In-Reply-To: <73dffa2c-da9a-48b7-d3c4-96ee6d2fa8ed@mail.ru>
References: <1247832004.2932812.1509982108841.ref@mail.yahoo.com>
 <1247832004.2932812.1509982108841@mail.yahoo.com>
 <20171106222647.85FF6E034E@smtp.hushmail.com>
 <82e6b981-2fe4-5089-3e8a-1c728c876ce9@mail.ru>
 <9c3eb3d0-4b23-5832-52fb-6a348b55d448@digitalbrains.com>
 <20171108152708.841BCC0536@smtp.hushmail.com>
 <1ac2931a-e729-21ee-49c9-44a351a795cc@digitalbrains.com>
 <73dffa2c-da9a-48b7-d3c4-96ee6d2fa8ed@mail.ru>
Message-ID: <d9681b40-d632-77dd-d295-449c6b2cd7e0@digitalbrains.com>

On 09/11/17 00:39, listo factor via Gnupg-users wrote:
> Real-life threat-models are much more varied than what Alice, Bob
> and Eve would have us believe.

Hey, note that I'm not advocating against this proposed new alternative;
it sounds like you think I do. I explicitly said I'm not commenting on
it. I currently don't have the time to invest.

(I didn't understand the relevance of the part of your reply I snipped
at all, though. I must be overlooking a bit of context. But let's just
end that line of discussion, I merely wanted to quickly point out what I
said about unique identifiers and don't have the time to look at it more.)

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171109/1297e948/attachment.sig>

From cderr at simons-rock.edu  Fri Nov 10 06:27:22 2017
From: cderr at simons-rock.edu (charlie derr)
Date: Fri, 10 Nov 2017 00:27:22 -0500
Subject: a bunch of questions
Message-ID: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>

Please forgive me for piling several questions into a single post. If
anyone wants to just answer a subset, I'll still be very happy to read
your advice.

I believe that the key I'm signing this message with is 2048 bits and
will expire next year. If I've got either of those details wrong, please
correct my error(s).

I would like to generate a new key (which never expires) and begin to
transition to using it. Mostly I sign messages, but occasionally I
receive encrypted messages from friends. I hope that in the future I
will use gnupg more.

What size key do you recommend I create in order to be future proof (for
the rest of my life -- I'm in my early 50s)?

I believe that the master key for the subkey I'm currently using will
also expire next year. How would I go about confirming/refuting that
assumption?

I currently use gnupg with two different email accounts (this one and a
gmail address) and I use different mail clients for each: thunderbird
with enigmail here and claws-mail (and whatever debian gnupg plugin is
appropriate for claws) with gmail. How can I set things up so that I can
switch back and forth between two keys (for signing) until this one
expires in 2018?

I'm on debian 9 stretch on two different computers with this setup.

?? thanks so very much in advance for any answers (or pointers to
appropriate documentation),
????????? ~c
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x31A9367F.asc
Type: application/pgp-keys
Size: 3074 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171110/70a17f28/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171110/70a17f28/attachment.sig>

From rjh at sixdemonbag.org  Fri Nov 10 07:42:31 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 10 Nov 2017 01:42:31 -0500
Subject: a bunch of questions
In-Reply-To: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
References: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
Message-ID: <8d17ce49-255a-918a-1f79-1e57de40a2d3@sixdemonbag.org>

> I believe that the key I'm signing this message with is 2048 bits and
> will expire next year. If I've got either of those details wrong, please
> correct my error(s).

No.  There's no expiration date on your certificate, and it's a 4096-bit
RSA keypair.

> What size key do you recommend I create in order to be future proof (for
> the rest of my life -- I'm in my early 50s)?

I personally think it's unlikely 4096-bit RSA keys will be broken in the
next twenty years.  Over that timeframe, RSA-4096 is probably stronger
than elliptical curve cryptography: we might (*might*) have quantum
computers large enough to tackle ECC by 2040, but RSA-4096 would require
a far larger quantum computer.

> I believe that the master key for the subkey I'm currently using will
> also expire next year. How would I go about confirming/refuting that
> assumption?

quorra:~ rjh$ gpg --edit-key "Charlie Derr"

pub  rsa4096/BB8B3D7331A9367F
     created: 2010-12-16  expires: never       usage: SCA
     trust: unknown       validity: unknown
sub  rsa4096/F44E4BC7C1F121DD
     created: 2010-12-16  expires: never       usage: E
[ unknown] (1). Charlie Derr <cderr at simons-rock.edu>

> I currently use gnupg with two different email accounts (this one and a
> gmail address) and I use different mail clients for each: thunderbird
> with enigmail here and claws-mail (and whatever debian gnupg plugin is
> appropriate for claws) with gmail. How can I set things up so that I can
> switch back and forth between two keys (for signing) until this one
> expires in 2018?

I don't use Claws, so I can't answer that; but Thunderbird+Enigmail
allows you to use whichever key you wish -- just set it up according to
the instructions on the Enigmail webpage.  If the instructions there are
unclear or confusing, I'm happy to help you with it further.


From fa-ml at ariis.it  Fri Nov 10 09:50:38 2017
From: fa-ml at ariis.it (Francesco Ariis)
Date: Fri, 10 Nov 2017 09:50:38 +0100
Subject: a bunch of questions
In-Reply-To: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
References: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
Message-ID: <20171110085038.yguqnonmgz72wb2h@x60s.casa>

On Fri, Nov 10, 2017 at 12:27:22AM -0500, charlie derr wrote:
> I believe that the key I'm signing this message with is 2048 bits and
> will expire next year. If I've got either of those details wrong, please
> correct my error(s). [...]

Hello Charlie,
    I see no expiration date on your key (4096, not 2048). Maybe *did*
input an expiration date and then forgot to upload the key again to
a key-server?

A general word on expiry dates: you can always modify them as you
go (that's what I do), they are not set in stone?
So why are they useful? Because this way you can encourage your
friends/workmates to refresh your keys every now and then, getting
all the new subkeys/revocations/etc.

Any reasonable client (I use mutt) should allow you to switch keys,
but since the one you are using is 4096 (very strong!), if it is
not compromised you could use this for the rest of your life.

Does this address your questions?


From peter at digitalbrains.com  Fri Nov 10 12:20:36 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 10 Nov 2017 12:20:36 +0100
Subject: a bunch of questions
In-Reply-To: <20171110085038.yguqnonmgz72wb2h@x60s.casa>
References: <30df82f0-2422-a3fb-7768-7e7bd9410fae@simons-rock.edu>
 <20171110085038.yguqnonmgz72wb2h@x60s.casa>
Message-ID: <c6522679-b3ed-d07b-c944-00f783243adc@digitalbrains.com>

On 10/11/17 09:50, Francesco Ariis wrote:
> A general word on expiry dates: you can always modify them as you
> go (that's what I do), they are not set in stone?

Well, this depends on your threat model. If I can control what one of
your peers sees, I could strip the self-signatures that change the
expiry date, only keeping the ones that I agree with.

So if you have a self-signature from 16 Dec 2010 that says the key does
not expire, and a self-signature from 10 Nov 2017 that says the key
expires in two years, I could manipulate it such that the second
self-signature never reaches this peer but everything still verifies.
Then the manipulated peer thinks the key will never expire, and I can
"keep the key going" forever.

If however you only ever extend the expiry dates, an attacker could only
fake your still valid key to be expired, rather than the more
troublesome case of faking your expired key to be still valid.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171110/2358ebed/attachment.sig>

From Cathy.Smith at pnnl.gov  Tue Nov 14 22:08:30 2017
From: Cathy.Smith at pnnl.gov (Smith, Cathy)
Date: Tue, 14 Nov 2017 21:08:30 +0000
Subject: question about determining the key length
Message-ID: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>

Hello

 Is there a way to determine the key length and the type of key (RSA or other) used when generating  the keyring?  I have a RHEL 5 box using gpg 1.4.5 where I need to determine how a key ring was generated.    Even on an Ubuntu box using gpg2, the -list-secret-keys option does not print out that information.

Thank you.


Cathy

--
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax:       509.375.4399
Email: cathy.smith at pnnl.gov<mailto:cathy.smith at pnnl.gov>




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171114/b7a350a0/attachment-0001.html>

From rjh at sixdemonbag.org  Tue Nov 14 23:54:00 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 14 Nov 2017 17:54:00 -0500
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID: <1cd2cda3-a4e3-b7b4-bcf2-1e113aa4f974@sixdemonbag.org>

> Is there a way to determine the key length and the type of key (RSA or
> other) used when generating? the keyring?

There seems to be a misunderstanding here.  A keyring is just a
collection of certificates (which used to be called "keys").  Each
individual certificate will have various subkeys of different
algorithms, but the keyring *as a whole* has no algorithm nor bit length.

To get a detailed look at an individual key, try --list-key.  (Which
should really be "--list-certificate".  We're changing our language very
slowly.)

E.g.:

quorra:~ rjh$ gpg --list-key b44427c7
pub   rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
      CC11BE7CBBED77B120F37B011DCBDC01B44427C7
uid                 [ultimate] Robert J. Hansen <rjh at sixdemonbag.org>
uid                 [ultimate] Robert J. Hansen <rob at hansen.engineering>
uid                 [ultimate] Robert J. Hansen <rob at enigmail.net>
sub   rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub   ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub   cv25519/AA24CC81B8AED08B 2017-04-05 [E]

The primary subkey is RSA-3072, made on July 16, 2015.  There are three
other subkeys: an RSA-3072 useful for encryption (same date), an
Edwards-25519 key useful for signing (dating April 5, 2017); and an
ECC-25519 key useful for encryption (April 5, 2017).


From vedaal at nym.hush.com  Wed Nov 15 00:17:25 2017
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 14 Nov 2017 18:17:25 -0500
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID: <20171114231726.0DA63C0536@smtp.hushmail.com>


On 11/14/2017 at 5:46 PM, "Cathy Smith"  wrote:   Is there a way to
determine the key length and the type of key  (RSA or other) used when
generating  the keyring?  I have a RHEL 5 box  using gpg 1.4.5 where I
need to determine how a key ring was generated.     Even on an Ubuntu
box using gpg2, the ?list-secret-keys option does not print out that
information.
=====
To find the details about a key generated some time ago, export the
key in .asc form and do:
gpg --list-packets keyname.asc

To see all the information about the key as it is being generated, use
the options of --expert --verbose --verbose

The full command would then be:
gpg --expert --verbose --verbose --gen-key

vedaal
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171114/65c92951/attachment.html>

From marioxcc.MT at yandex.com  Wed Nov 15 00:17:26 2017
From: marioxcc.MT at yandex.com (=?UTF-8?Q?Mario_Castel=c3=a1n_Castro?=)
Date: Tue, 14 Nov 2017 17:17:26 -0600
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID: <fbaf4655-d2eb-008e-f58b-5f6ec5eeb81b@yandex.com>

On 14/11/17 15:08, Smith, Cathy wrote:
>  Is there a way to determine the key length and the type of key (RSA or other) used when generating  the keyring?  I have a RHEL 5 box using gpg 1.4.5 where I need to determine how a key ring was generated.    Even on an Ubuntu box using gpg2, the -list-secret-keys option does not print out that information.

Gnu PG 1.4.5 was released in 2006. You should not use software so old,
especially cryptographic software. In that time, a lot of _known_ bugs
accumulate in nearly all pieces of software, including security
vulnerabilities.

Using ?--list-keys? should display the information you want. It works
that way since as far as I have used it, and definitely including 2.0.

???
mario at svetlana [0] [/home/mario/hacking/hol]
$ gpg --list-keys 'mario'
pub   rsa3072/0642D919 2017-08-02 [SC] [expires: 2020-08-01]
      E053A25BCC302BBB2DADEC033003BEC50642D919
uid         [ultimate] Mario Castel?n Castro
sub   secp256k1/B92640D9 2017-08-02 [S] [expires: 2020-08-01]
sub   secp256k1/69F40765 2017-08-02 [E] [expires: 2020-08-01]
???

Here ?rsa3072? and ?secp256k1? are the key types. The RSA main key is
3072 bits long, as the string suggests. Some key types are fixed size
(for example, secp256k1 is always 256 bits long).

If you are still unable to find the key type, paste the output of ?gpg
--list-keys <QUERY>? (where <QUERY> is something used to narrow the
results. e.g.: the holder e-mail or part of his name).

> Cathy L. Smith
> IT Engineer
> 
> Pacific Northwest National Laboratory
> Operated by Battelle for the
> U.S. Department of Energy

Well, then I feel very fortunate to NOT to live in the US. ?

-- 
Do not eat animals; respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171114/158d7147/attachment.sig>

From guru at unixarea.de  Wed Nov 15 09:06:32 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 15 Nov 2017 09:06:32 +0100
Subject: Using the OpenPGP Card on Unix && Win7
Message-ID: <20171115080632.GA2621@c720-r314251>


Hello,

I'm using the OpenPGP Card on Unix (FreeBSD) and on my Ubuntu mobile
phone (see https://gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html)
mostly for storing credentials with the password manager 'pass' and using them
from the browser, and as well for signing mails.

At work I have to use a Win7 desktop and OutLook for the company mails
and FreeBSD with GnuPG must run in a Vbox, which works fine with the OpenPGP
Card too.

I'd like to use the same Card with OutLook (please don't blame me :-))
and have already installed gpg4win-3.0.0.exe which seems to work
together with OutLook.

Before digging into all the details by my own and esp. because in Windows I'm only a
DAU(*), is there some step by step guide to configure the OpenPGP Card in
Windows and using the files from the GNUPGHOME on FreeBSD in Windows?

Thanks

	matthias

DAU(*): This is German spelled for "D?mmster Anzunehmender User" (the most
stupid imaginable user)

-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171115/9ca042e0/attachment.sig>

From seby2kt14 at gmail.com  Wed Nov 15 09:25:26 2017
From: seby2kt14 at gmail.com (Seby)
Date: Wed, 15 Nov 2017 08:25:26 +0000
Subject: question about determining the key length
In-Reply-To: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
References: <270838A78E5A5342BB9669898FB4CF20197AA5C7@EX10MBOX06.pnnl.gov>
Message-ID: <CAHEKVbquEtXg==oKBtYgWAmSy-752AuscQEir7GF_=L=p+bprg@mail.gmail.com>

Hello Cathy,

On Nov 15, 2017 00:40, "Smith, Cathy" <Cathy.Smith at pnnl.gov> wrote:

Hello

Is there a way to determine the key length and the type of key (RSA or
other) used when generating  the keyring?  I have a RHEL 5 box using gpg
1.4.5 where I need to determine how a key ring was generated.    Even on an
Ubuntu box using gpg2, the ?list-secret-keys option does not print out that
information.

Thank you.


Cathy

-- 
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax:       509.375.4399
Email: *cathy.smith at pnnl.gov <cathy.smith at pnnl.gov>*


gpg -K or gpg --list-keys or gpg --list-secret-keys should all print the
information you are interested in.


In my example the primary key is rsa3072 and encryption subkey is rsa4096.
You can see this info before creation date if the key.

Note that gnupg older 1.x does not support ecc, only rsa/rsa and rsa/dsa.

~# gpg --list-secret-keys

sec   rsa3072 2017-11-15 [SC]
      8275276834C8F08567185C92FB3157AB136ED940
uid           [ultimate] Test Test
ssb   rsa4096 2017-11-15 [E]

This is gnupg 2.2. How does it look at your side?


Sebastian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171115/6665c0a4/attachment.html>

From wk at gnupg.org  Wed Nov 15 12:19:30 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 15 Nov 2017 12:19:30 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171115080632.GA2621@c720-r314251> (Matthias Apitz's message of
 "Wed, 15 Nov 2017 09:06:32 +0100")
References: <20171115080632.GA2621@c720-r314251>
Message-ID: <87mv3n6b7h.fsf@wheatstone.g10code.de>

On Wed, 15 Nov 2017 09:06, guru at unixarea.de said:

> Before digging into all the details by my own and esp. because in Windows I'm only a
> DAU(*), is there some step by step guide to configure the OpenPGP Card in
> Windows and using the files from the GNUPGHOME on FreeBSD in Windows?

Actually you could copy the entire GNUPGHOME to the respective Windows
directory.  The name of the lock files and some temporary files are
different but that does matter.  "gpg --version" (or "gpgconf
--list-dirs") shows you the standard home directory on Windows.

If you only want to copy some keys, you can use the same procedure you
would use between Unix boxes.

Kleopatra's card manager is pretty basics.  If you don't like it you can
use the one in gpa (which can optionally be installed), or just resort
to the command line.  


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171115/16ff7c1d/attachment-0001.sig>

From jonathan at emitting.com  Wed Nov 15 19:26:52 2017
From: jonathan at emitting.com (Jonathan)
Date: Wed, 15 Nov 2017 10:26:52 -0800
Subject: Help with error please
Message-ID: <aba7c670-53ce-9c6a-c814-c6ed2e39c648@emitting.com>

An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171115/d3e5e90d/attachment.html>

From wk at gnupg.org  Thu Nov 16 12:43:05 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 16 Nov 2017 12:43:05 +0100
Subject: Help with error please
In-Reply-To: <aba7c670-53ce-9c6a-c814-c6ed2e39c648@emitting.com>
 (jonathan@emitting.com's message of "Wed, 15 Nov 2017 10:26:52 -0800")
References: <aba7c670-53ce-9c6a-c814-c6ed2e39c648@emitting.com>
Message-ID: <87zi7mxxdi.fsf@wheatstone.g10code.de>

On Wed, 15 Nov 2017 19:26, jonathan at emitting.com said:

> Provided object is too short

This a bug in gpgsm on Windows when there are no keys.  We are currently
testing a a new revision of gpg4win which will solve the problem.  As a
workaround you may start GPA on the command line:

  gpa --disable-x509

after you create an OpenPGP key, the X.509 keys should work again.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171116/e9e9ac3c/attachment.sig>

From guru at unixarea.de  Thu Nov 16 13:56:34 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 16 Nov 2017 13:56:34 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87mv3n6b7h.fsf@wheatstone.g10code.de>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
Message-ID: <20171116125634.GA3841@c720-r314251>

El d?a mi?rcoles, noviembre 15, 2017 a las 12:19:30p. m. +0100, Werner Koch escribi?:

> On Wed, 15 Nov 2017 09:06, guru at unixarea.de said:
> 
> > Before digging into all the details by my own and esp. because in Windows I'm only a
> > DAU(*), is there some step by step guide to configure the OpenPGP Card in
> > Windows and using the files from the GNUPGHOME on FreeBSD in Windows?
> 
> Actually you could copy the entire GNUPGHOME to the respective Windows
> directory.  The name of the lock files and some temporary files are
> different but that does matter.  "gpg --version" (or "gpgconf
> --list-dirs") shows you the standard home directory on Windows.
> 
> If you only want to copy some keys, you can use the same procedure you
> would use between Unix boxes.
> 
> Kleopatra's card manager is pretty basics.  If you don't like it you can
> use the one in gpa (which can optionally be installed), or just resort
> to the command line.  

I copied over GNUPGHOME and gpa and OutLook can see/use the pub key. To
get access to the Card, I need some driver in Win7. Do you know any
reliable place to fetch from.

	matthias


-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub


From jeandavid8 at verizon.net  Thu Nov 16 14:55:31 2017
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Thu, 16 Nov 2017 08:55:31 -0500
Subject: your message could not,be delivered to one or more recipients.
Message-ID: <f5a65960-7903-bcf7-5078-fe811afa75f7@verizon.net>

This is the mail system at host omr-m007e.mx.aol.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<gnupg-users at gnupg.org>: host kerckhoffs.g10code.com[217.69.77.222] said:
    451-204.29.186.9 is not yet authorized to deliver mail from 451
    <jeandavid8 at verizon.net> to <gnupg-users at gnupg.org>. Please try
later. (in
    reply to RCPT TO command)

_____

Reporting-MTA: dns; omr-m007e.mx.aol.com
X-Outbound-Mail-Relay-Queue-ID: 58F77380004C
X-Outbound-Mail-Relay-Sender: rfc822; jeandavid8 at verizon.net
Arrival-Date: Wed, 15 Nov 2017 09:01:43 -0500 (EST)

Final-Recipient: rfc822; gnupg-users at gnupg.org
Original-Recipient: rfc822;gnupg-users at gnupg.org
Action: failed
Status: 4.0.0
Remote-MTA: dns; kerckhoffs.g10code.com
Diagnostic-Code: smtp; 451-204.29.186.9 is not yet authorized to deliver
mail
    from 451 <jeandavid8 at verizon.net> to <gnupg-users at gnupg.org>. Please try
    later.

__________
>From where does it get port 451? My SMTP port is 465
204.29.186.9 is my ISP for e-mail: AOL.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:40:01 up 1 day, 15:55, 2 users, load average: 4.81, 4.90, 4.72


From peter at digitalbrains.com  Thu Nov 16 16:22:30 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 16 Nov 2017 16:22:30 +0100
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To: <f5a65960-7903-bcf7-5078-fe811afa75f7@verizon.net>
References: <f5a65960-7903-bcf7-5078-fe811afa75f7@verizon.net>
Message-ID: <c132cb90-6b7c-2b08-5a2a-73c2115d90ca@digitalbrains.com>

On 16/11/17 14:55, Jean-David Beyer wrote:
> From where does it get port 451? My SMTP port is 465
> 204.29.186.9 is my ISP for e-mail: AOL.

It's probably not a port. Note that the port 465 you are using to submit
mail has nothing to do with how mail is delivered from there on. Port
465 is never used between mail servers[1].

It's probably SMTP status code 451, which is a temporary error message
inviting the sending server to try again at a later time. Combined with
the error message, I'm inclined to think it's a greylisting system on
the receiving server. But apparently your ISP's mail server has given up
on trying to deliver it and bounced it to you. Either your ISP is giving
up too soon, or the receiving server is holding it off for too long. The
latter might be because of a configuration error.

The mail I'm replying to got through, though.

I have to admit the formatting of the message with the 451 code was
pretty odd, "deliver mail from 451 <jeandavid8 at verizon.net>" like the
451 is somehow part of the address. Weird.

HTH,

Peter.

[1] Unless someone explicitly configures two mail servers to chat to
each other on that port because... well, because they wanted to do that.
A mail server can be configured to inscribe your mail on a stone with a
chisel if you configure it to do so, but that doesn't mean it's a normal
thing to do.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171116/dce4ee53/attachment.sig>

From wk at gnupg.org  Thu Nov 16 19:23:03 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 16 Nov 2017 19:23:03 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171116125634.GA3841@c720-r314251> (Matthias Apitz's message of
 "Thu, 16 Nov 2017 13:56:34 +0100")
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
Message-ID: <87tvxuw0ag.fsf@wheatstone.g10code.de>

On Thu, 16 Nov 2017 13:56, guru at unixarea.de said:

> I copied over GNUPGHOME and gpa and OutLook can see/use the pub key. To
> get access to the Card, I need some driver in Win7. Do you know any
> reliable place to fetch from.

Usually the Windows hardware detection (a menu item like "Install new
hardware", ot a small icon in the taskbar) can locate all common reader
types and their drivers.  It not, you need to check the website of the
reder's vendor.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171116/875333ec/attachment.sig>

From w at uter.be  Thu Nov 16 17:56:34 2017
From: w at uter.be (Wouter Verhelst)
Date: Thu, 16 Nov 2017 17:56:34 +0100
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To: <c132cb90-6b7c-2b08-5a2a-73c2115d90ca@digitalbrains.com>
References: <f5a65960-7903-bcf7-5078-fe811afa75f7@verizon.net>
 <c132cb90-6b7c-2b08-5a2a-73c2115d90ca@digitalbrains.com>
Message-ID: <20171116165634.w3g6m65rxcyjpo2i@grep.be>

On Thu, Nov 16, 2017 at 04:22:30PM +0100, Peter Lebbing wrote:
> On 16/11/17 14:55, Jean-David Beyer wrote:
> > From where does it get port 451? My SMTP port is 465
> > 204.29.186.9 is my ISP for e-mail: AOL.
> 
> It's probably not a port. Note that the port 465 you are using to submit
> mail has nothing to do with how mail is delivered from there on. Port
> 465 is never used between mail servers[1].
> 
> It's probably SMTP status code 451, which is a temporary error message
> inviting the sending server to try again at a later time. Combined with
> the error message, I'm inclined to think it's a greylisting system on
> the receiving server. But apparently your ISP's mail server has given up
> on trying to deliver it and bounced it to you. Either your ISP is giving
> up too soon, or the receiving server is holding it off for too long. The
> latter might be because of a configuration error.

Alternatively, AOL might be trying to send the mail from a different
server every time. If the receiving server does implement graylisting,
then every time it sees a new IP address, sends it a 4xx status, and
waits for it to reappear. Only when it does reappear the IP address is
new, so it graylists again. Rince, repeat.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
     Hacklab


From mkesper at schokokeks.org  Thu Nov 16 10:36:27 2017
From: mkesper at schokokeks.org (Michael Kesper)
Date: Thu, 16 Nov 2017 10:36:27 +0100
Subject: Help with error please
In-Reply-To: <aba7c670-53ce-9c6a-c814-c6ed2e39c648@emitting.com>
References: <aba7c670-53ce-9c6a-c814-c6ed2e39c648@emitting.com>
Message-ID: <c711ad4b-89fd-3c3b-8979-6bcfe939dcb6@schokokeks.org>

Hello Jonathan,

On 15.11.2017 19:26, Jonathan wrote:
> Just installed GPA/Kleopatra.? Whenever I start up GPA I get 3 windows
> pop-up:

People can only help you if you provide all the necessary details.
Most important:
- Used Operating System (and version)
- GPA/Kleopatra version (from where did you get it?)

Best wishes
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 691 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171116/7346b6f9/attachment-0001.sig>

From wk at gnupg.org  Fri Nov 17 09:09:10 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 17 Nov 2017 09:09:10 +0100
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To: <20171116165634.w3g6m65rxcyjpo2i@grep.be> (Wouter Verhelst's
 message of "Thu, 16 Nov 2017 17:56:34 +0100")
References: <f5a65960-7903-bcf7-5078-fe811afa75f7@verizon.net>
 <c132cb90-6b7c-2b08-5a2a-73c2115d90ca@digitalbrains.com>
 <20171116165634.w3g6m65rxcyjpo2i@grep.be>
Message-ID: <87d14hwcm1.fsf@wheatstone.g10code.de>

On Thu, 16 Nov 2017 17:56, w at uter.be said:

> Alternatively, AOL might be trying to send the mail from a different

Very likely - greylistd comes with a list of whitelisted AOL server
pools.  204.29.186.0/24 is not yet in this list - I added it to the
local installations.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171117/9d85d25a/attachment.sig>

From jeandavid8 at verizon.net  Fri Nov 17 14:57:59 2017
From: jeandavid8 at verizon.net (Jean-David Beyer)
Date: Fri, 17 Nov 2017 08:57:59 -0500
Subject: your message could not,be delivered to one or more recipients.
In-Reply-To: <87d14hwcm1.fsf@wheatstone.g10code.de>
References: <f5a65960-7903-bcf7-5078-fe811afa75f7@verizon.net>
 <c132cb90-6b7c-2b08-5a2a-73c2115d90ca@digitalbrains.com>
 <20171116165634.w3g6m65rxcyjpo2i@grep.be>
 <87d14hwcm1.fsf@wheatstone.g10code.de>
Message-ID: <16be7aac-4dd9-12d4-adad-d14016530936@verizon.net>

On 11/17/2017 03:09 AM, Werner Koch wrote:
> On Thu, 16 Nov 2017 17:56, w at uter.be said:
> 
>> Alternatively, AOL might be trying to send the mail from a different
> 
> Very likely - greylistd comes with a list of whitelisted AOL server
> pools.  204.29.186.0/24 is not yet in this list - I added it to the
> local installations.
> 
> 
> Salam-Shalom,
> 
>    Werner
> 
Thank you.

I used to use Verizon as my SMTP provider, but when they bought AOL,
they discontinued serving e-mail and transferred everything to AOL's
servers. I usually have no trouble posting to

gnupg-users at gnupg.org

but that one did not go through.

Yesterday, I did a whois on 204.29.186.9 and it came up as AOL, but AOL
for the .ru area (it came up with other areas where presumably AOL
serves). But today there seems to be only the main entry in Dulles, VA.

If someone had been messing with the DNS, no wonder gnupg.org would be
suspicious.

Right now everything looks OK.

$ dig -x 204.29.186.9

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 204.29.186.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63531
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;9.186.29.204.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
9.186.29.204.in-addr.arpa. 300	IN	PTR	omr-m007e.mx.aol.com.

;; AUTHORITY SECTION:
186.29.204.in-addr.arpa. 3600	IN	NS	dns-07.ns.aol.com.
186.29.204.in-addr.arpa. 3600	IN	NS	dns-02.ns.aol.com.
186.29.204.in-addr.arpa. 3600	IN	NS	dns-01.ns.aol.com.
186.29.204.in-addr.arpa. 3600	IN	NS	dns-06.ns.aol.com.

;; ADDITIONAL SECTION:
dns-01.ns.aol.com.	126866	IN	A	64.12.51.132
dns-02.ns.aol.com.	126866	IN	A	205.188.157.232
dns-07.ns.aol.com.	126866	IN	A	64.236.1.107
dns-06.ns.aol.com.	126866	IN	A	207.200.73.80

;; Query time: 123 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 08:53:27 2017
;; MSG SIZE  rcvd: 228


-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:166D840A 0C610C8B Registered Machine  1935521.
 /( )\ Shrewsbury, New Jersey    http://linuxcounter.net
 ^^-^^ 08:35:01 up 2 days, 15:50, 2 users, load average: 4.42, 4.27, 4.14

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171117/fc7d4625/attachment.sig>

From guru at unixarea.de  Sat Nov 18 10:47:27 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 18 Nov 2017 10:47:27 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171117150925.GA3957@c720-r314251>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
Message-ID: <20171118094727.GA2422@c720-r314251>

El d?a jueves, noviembre 16, 2017 a las 07:23:03p. m. +0100, Werner Koch escribi?:

> Usually the Windows hardware detection (a menu item like "Install new
> hardware", ot a small icon in the taskbar) can locate all common reader
> types and their drivers.  It not, you need to check the website of the
> reder's vendor.

Hi,

It seems that the USB token is fine, but the Card is not (see
http://www.unixarea.de/SnipToolPlusImg.jpg )

I installed some driver and after this the the problem symbol (!) is away,
but neither GPA nor Kleopatra can use the Card.

	matthias
-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171118/57d101f3/attachment.sig>

From guru at unixarea.de  Fri Nov 17 16:09:25 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 17 Nov 2017 16:09:25 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87tvxuw0ag.fsf@wheatstone.g10code.de>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
Message-ID: <20171117150925.GA3957@c720-r314251>

El d?a jueves, noviembre 16, 2017 a las 07:23:03p. m. +0100, Werner Koch escribi?:

> Usually the Windows hardware detection (a menu item like "Install new
> hardware", ot a small icon in the taskbar) can locate all common reader
> types and their drivers.  It not, you need to check the website of the
> reder's vendor.

Hi,

It seems that the USB token is fine, but the Card is not (see
attachment).

I installed some driver and after this the the problem symbol is away,
but neither GPA nor Kleopatra can use the Card.

	matthias
-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SnipToolPlusImg.jpg
Type: image/jpeg
Size: 87667 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171117/05cb0dfa/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171117/05cb0dfa/attachment-0001.sig>

From raysatiro at yahoo.com  Sat Nov 18 21:36:20 2017
From: raysatiro at yahoo.com (Ray Satiro)
Date: Sat, 18 Nov 2017 15:36:20 -0500
Subject: Getting more verbose details of a key
Message-ID: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>

I would like to know why --list-key (or --list-keys) doesn't always show
subkeys and their expiration dates.

gpg (GnuPG) 2.2.1
libgcrypt 1.8.1

To reproduce:

cd foo
set GNUPGHOME=.
gpg --import CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA.asc
gpg --list-key CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA

pub?? rsa4096 2010-02-16 [SC]
????? CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA
uid?????????? [ unknown] Brad King
uid?????????? [ unknown] Brad King [EMAIL REMOVED]
uid?????????? [ unknown] [jpeg image of size 4005]

Notice no subkeys w/ expiration, and yet:

gpg -a --export CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA | gpg

gpg: WARNING: no command supplied.? Trying to guess what you mean ...
pub?? rsa4096 2010-02-16 [SC]
????? CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA
uid?????????? Brad King
uid?????????? Brad King [EMAIL REMOVED]
uid?????????? [jpeg image of size 4005]
sub?? rsa4096 2010-02-16 [E] [expired: 2017-08-12]
sub?? rsa4096 2015-08-13 [S] [expired: 2017-08-12]

Is that a bug? Also, is that the best way to get key details? I seem to
recall there was a way to list a key and all its subkeys in more detail
with sub key fingerprints and expiration? How can I do that? I know of
--with-colons but it's not a human readable format.

-------------- next part --------------
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBEt7AhsBEADQuTs3bHgYUBT8W5hFgWiY5gRpgVHv428dzABCQ7AIaAlyvAD+
g+tFl8YMez9/aY7xPeOcWGbv+wrMjXeEsq8JnN7L4r4C/g9eNmdWkXe/6xHt9m3k
0VUBpO5mhr0YGQX70SOVSJaZ+eV/kjxTEVYQ7bUOMM66lmX9MHd3PAARhw+woDES
TbrLA6jHqFPYSeVJR3iiVYDflAWOv1DZmGDoUDIblhxqhKeqv8ZJ+dil39mQDkEO
eCqP9sqpxcTmE4FGvEIzVaBYhEBZGlb1LqFTgPVL82a6hp+61OgLfpyRLtP5F84Q
4DHSlny08T91NkMOzz4JTajRHMv1lyKIcMRwvem7jRp5rsZmEHCvK8MmBTBsSbsT
rDrG8UKfofGSEzFi1Ac0HPlY1+lrYpNlOo+fnZQJ01RNrsxfKchXnn4R6IbuECTM
GXXATA0BvcyZdGB5cV3j/ikHZSc4DlzYSa1Ip3UWEF68e8qpgwD5z3c3vp4TMVwj
hSwJBZ7u0KbAo2GFkyQ7C+P36O0fiAcKHOMRg948hF4kDFSJR3lx+KMfCd7w+uOt
upOVgpkNrdV5tgQouUyRE+sDtS9FJ1NCzlgtZ5ZZ9q+96nH1kwKSaupAHD3FkRWo
2iv6NWTulbyWVV+RzQ7VD5F8u7UHej+j5Z3iWH9t2UIQcYz0BFOLo2YKdwARAQAB
tAlCcmFkIEtpbmeJAjkEEwEIACMFAlXM06MCGwMHCwkIBwMCAQYVCAIJCgsEFgID
AQIeAQIXgAAKCRDsj+86e/tO2q0VD/9fxsXBjiFoXWAqTPTbJmHocY8EGNrLgnFK
JXfbflWipN5CKzQ3VANhNH3u88xHcEA3a1TQZ2wn0i5dSAE2mw99Qs49gO2clU6/
+Ct3D1cWZTYxUtWYv4Tx9F9IRiOcDzmZ948hkkZixgoaSnJNIYNn+F6L1/MwQOKW
yrsSN/VfejMrf2+ym3Q3DPEJJrM6f1dNUa+kURkqPOf8WH02KOf2IVh91V/XxhQO
7zDM/dIybKg7dyC/5l8c+P/uCuOYzyu3oUmvc9sXHP0goRZ/V7bq9oC26+gD1hap
QyxdXTeXXOYmrVCo6NC31iSRrw6xpZWKW9K6qqJ2rljffYdwTWdd5Tz8nxtWQZu1
Pj8aF+bgtaFBAtzPed5JTD6oqgwe9IPXXHBkMKvL/dA554cwAN6FYB5Oxqz4EIo2
kQ79/AYayHv7BVdQySH356S/ZDIW9ogDVNOlwIv5KlQ+LnSWd8PxM7Exm4pWdwCL
E9Cb6dulFdqhtjgVS181s4YqRWhsCzpyKU3ouD/hWCmMq4XFFX6yUt9Rlyt4b22M
oVrsvOEa3eFuBJESwMV/XN+p7Q306NP03yK7dR9T72t0Ct1GYsB+gat/w6gz823X
6vZeGSoqb3ge5adPt+tutdUme33dU3oL6hnnf2fRg3pDUvBPDvw4RFRwOLYkzZ/n
HzCMIyoKHbQhQnJhZCBLaW5nIDxicmFkLmtpbmdAa2l0d2FyZS5jb20+iEYEEBEC
AAYFAkt8TQYACgkQzgRsaX1BF72XNQCfa+D91ZuaHxBkpXgveRTbSXOUgicAn2t3
bYTFMSMF9yANDCjgzNC7c5U3iEYEEBEIAAYFAk/Z7D0ACgkQjRFFY3XAJMi7swCg
mXh6sc0RikAKmyHqCESap0MZTnIAnRPwMmV3pXWo5Jqdan0B0JVjj6KOiQEcBBAB
AgAGBQJMWDfnAAoJEAeJsEDfjLbXE6gIAJAVM1PZPAsvNLNnP2wkI9f2FmOxLRx5
D7g3e/qVD9M/2D3Fz2JvE9n7R98bE8i9ddS7MrTrtenneet/W3nxLLwATFeHKdnQ
BqQcPgsKe6ph6VP1iDbDkrkcIyEATHKbg31liK5GSstyfHQ9oearak4AUOykLPns
Jh4smE98y9DyWWmMo1mLL9T5snFVGuZXoU0w35nCvRzwKMVsqibnygvCQ/O0sS4p
4mTRDRbo0hWoKFIhE1lgAc3inDxF3WKXXKwhNICLAMLG2nuNLS7gn5nvvCMjRxtG
nTXjcdPrPH9rEpYwS5+bTLDgNd4YiB+S1VDvx/LdTXBotf5+XuD29SOJAhwEEAEC
AAYFAkvgHswACgkQUN86iZIJyrJ47BAAg8mYVuLseU8q72I3POWIDo8RNtoYaD9H
mQQMOYjLbAEVj/btw3DO8pmlwM9Digg+H/gWT2/HAfpNbhW0mStwXK8GhwfecGlW
wfGbwca6kF95WPME8y36DKdi2CZpxdMMMw3J5QojdaXjrFnDdP08QobD0qrcjwMf
FZcVOSiTYoSl8X7VUPsw2K+G17FxMOzpNBSMdg4r9bf9OHakHYbk/PzV7se8C0cb
GayiMT2/qiGGCECmGja56PUG49bBY7YE/J4tYwum/gac7m+IqkwwxsK2MCl2xSBX
j4Y0yl7NjvJxYJ3E24qtWHVCghPHdqlXLg9IzutJxSBFrULQk6WW1L+eCl0qfaPW
iaHoKKr37QcmW/AaHQ3EE/T00ukbGg7B0/9oUer8i5bnN+p6T5xxzMNsWaOIdrAy
qt+akK1dbsmWwxntVBFJkBg6/Hi9ixozLwNI3ElJfR4WCyGbJmYZBLC2+eagHPIa
MQmidFRjO6TOwPGfP5OiJuazjySjfA6od0oziVC0QLYk8IKcfhCfdpZVn6xuHOej
RpiTnyNbK3PAYZORtI4QPiQnayvOJc5MplRj9q3EuWKTJ84WIcNQ6SAswVh/IN+X
/XSB5Y1qmLx0v0tkhevjgyHDRd5TTvs0GsxJWklVyGKmq83LP+0WrvaUQhdu1/Od
L1UC9ZcgYU2JAhwEEAECAAYFAk8+tOUACgkQ4FEfp7gXTVJ8qRAAh+ADwiIJbHCE
E45Bm8oOR3ZZw2dTMNVldinFGxVgi5dHzaZYO04UO9Zlq0CZtcs7QfQqxG18cufG
T/237n19EWljAY7EhiDRDjmmalLxCz9nsktLy+Nw4Gc5tLKG6UNLhYWoOSOjQnFU
0RXkZLbH2unRMmi8qFs+vCSch8EywQXplH3AjXOG+IDkBxINN+RM/UosImobgA2N
KjSAdsgeqY8SmiXPNaGpx8NTjcOKEEhG7d2KemZ/o8efncJ5eQNlLUQiPAWG6iBL
/CzIv0Rbkbh5VVTsoY1mfm3+OtFUd1o9Ow4xozpmIi9lgi8oc7GlQm4KGw2+WJjk
L1EN1eB0hXxMKP1DHhAPAiAZ6qWecWAc3XOI6wxDf0ilHq2qqavrz+oCDYMqC6hQ
2GQ2I4MjM0bnMx/y3KMH32K8LYcB4mB+avEj6xbSKR6BIWb8VR5mpBdSMDfK/DwQ
Ok10QhUJBwzNsM9Vyc/xz1BzfDty4fGDNa2ZwHJkmzWK2zolElrVZXzuwAQnnf9g
J3GOccuPxMiVTHlGJymUpgH7sgEOd9QhpCbDiTdBR9C6q7Yj72J1SN1JX+QPs9MM
ywa6/j33c5yBhq8F+Q6HJV2251Qd2kvtZbW84dMWmoPSCc6VAUt8Ph4dPYPiFVzO
mA3/phgIdnymJRcdxAHlrB9UtYw3yKuJAhwEEAECAAYFAk9wwQMACgkQx1Y6F0zo
YM2hCBAAiityKnwvSBfE/IAlMqQEyy1xu5wSyO61aYmebH+beiLMkwj9sxyVJCRe
70krNJa8IRW1neN9wFbIg+spVpUhycC5TMCnz2wUsmqTRo4QAjiwe3hnrJicxqLE
FMi01BnQHON5lEj4D5SHr53fkOW/5cTwIsR6qE6yTAXmmH4lf75oC8ps+veJYnnL
lzynJ3SaRT6v17QG/GImwNcwT91/1CnPnSBr7MI+mrX/QDJwDaM9Swn4iLZGzJeP
fhKcls4tTtLPJ/iZ0ZGpjNl/dfqjOGrWGe8zoBI9+1LR2ikC9Feum9qk/0OJRAcS
Sc/SHBCMSWjantkBpqR6D5YmM2KN5wQb3fP4YuKQBIVP6fX5zgkzxY8x7I7R6wnB
F5MT6rv1cYuRf03TKb3hes8gCQ2u9mFaiDJPootq0XDbsQmmg4mdt+2B0fzHV2ay
fV/nwkfm9oYBfTVvLsNy07xWn3JQqriV0XfURR2/9VNAYn7W8TzU/uDeMNqYV1tm
XWYZZ/cE/njMo4kJVncJCtOU/+ZfvazB5LsCz7givz7oXh1fiK6FOXHAZCx9d+nI
/VTlfosL3LWDNoUR6AA/eXTH/SLM33foO6+162ofVDGpnGNnrXcGFFMQDX1wa9Ga
iTC179NARGSVgfSY/jQo0jN3JvRlzGIQI1JbRceaTJUEIpCaQqqJAhwEEAEIAAYF
Ak5yDSIACgkQprFq9VfgLVe9IxAA3wS26SvyVUn+NjDwS1yxb2Zne3fA4VyWY06G
GegrGMp7V9FXHNJvU7K6ncPccN407edW/ITQfd5l2LD0eqQiA0O7JLbZaFe0nWX5
e9VlI2jmM0q/OPqsIf+1Lcgn2ci0JbuTAsRxpwd1Sd/mP7/EgTGa+baico2B8TFW
d062biTSrHc6XsBikWlEgaYrt21ads8ltnhiBDfrcvJp3wWRYlMVEU3+4w9VtFp4
luhPC9s5Re2nxe7bzxBRlK35Y1We9P7RNWSEuxpV3INSuXNzOQKwWcy9qH9GjIRZ
Cr1w4p34pvRo7iX3rrdpIDFgiM4ot8h5leyRBN0mM4Z3+Lks88lFk1LBRYXkQqyF
peCYvHeDA1Lpx2oGmYWDJKWoqAWPhPqXrdOerefPHCeYTuIKExJiqB7uYncuMzpU
CKNMQ8DsYF+YJGiJfl9uv24hHHjdPIQQrS9OLt8wxon4cLBebhl5A4ae+tOR4aIG
oJaLkuLL7SCBSez1xdJZmzsmyH5/PhAn7XC8Q6A914NBUXybtxCgwbucTiReU/Nh
qQDicWEg6ZFj2SRXz1HkLNnlG2z4h5H6dOEj4Xy7RI2Cu/gmjIV0pttzIhhpMIHI
st96OnOUugDRfSwLOFVPSJet9JkWm+QGvN3U0ltyosX7W85PDSJPLlch71BocIiW
ny07i4SJAhwEEAEIAAYFAk5yDSIACgkQprFq9VfgLVe9IxAA3wS26SvyVUn+NjDw
S1yxb2Zne3fA4VyWY06GGegrGMp7V9FXHNJvU7K6ncPccN407edW/ITQfd5l2LD0
eqQiA0O7JLbZaFe0nWX5e9VlI2jmM0q/OPqsIf+1Lcgn2ci0JbuTAsRxpwd1Sd/m
P7/EgTGa+baico2B8TFWd062biTSrHc6XsBikWlEgaYrt21ads8ltnhiBDfrcvJp
3wWRYlNl3viuVN3gDtzknffxY/N5PNwquvA2fucVueBEIW2gAf7RNWSEuxpV3INS
uXNzOQKwWcy9qH9GjIRZCr1w4p34pvRo7iX3rrdpIDFgiM4ot8h5leyRBN0mM4Z3
+Lks88lFk1LBRYXkQqyFpeCYvHeDA1Lpx2oGmYWDJKWoqAWPhPqXrdOerefPHCeY
TuIKExJiqB7uYncuMzpUCKNMQ8DsYF+YJGiJfl9uv24hHHjdPIQQrS9OLt8wxon4
cLBebhl5A4ae+tOR4aIGoJaLkuLL7SCBSez1xdJZmzsmyH5/PhAn7XC8Q6A914NB
UXybtxCgwbucTiReU/NhqQDicWEg6ZFj2SRXz1HkLNnlG2z4h5H6dOEj4Xy7RI2C
u/gmjIV0pttzIhhpMIHIst96OnOUugDRfSwLOFVPSJet9JkWm+QGvN3U0ltyosX7
W85PDSJPLlch71BocIiWny07i4SJAhwEEAEIAAYFAk/Z7pYACgkQot4jUGLaM/qS
XxAAm9PSJbp8g8on+58DZQjCJcDhOnk5g22zvxD3LBLBKONYXL13IKUBHnMjV1PU
IPvwC0Lc4PaomKrhBRvjzNgzNzCQjOE2MHo2XFIcazeM9QZyYRFJ1DrrTyHHbDjG
Cbg2w6CvYQMvVSmiobtrO0E4DbqO6wzngKU5dbDEinxCACttE/c1qCpm163yIgpA
FMRKkj73VTHC7HLr7pjMU9lvcyUq+RGH0BckSUUSdWKek9i7fZohRcUPua/kgt7r
C3BeFtqA++Nnv2P1+MNyODOW0KCXVzk6/QyG58nkV1qEkkFknZU3ERuYYdz7wcAs
o4Lo6dJBV7rX3SJsspFADV4gD6Q4ZpnUgyldq/Ygpwsu7NmZRp9zXgP/iwT3c4Eh
Y9S9LI66t9sm+wU1WiZfPmBvlpXrgMWN1IWicZElSsardqPF1XCHcCqzc6INkT9L
dXd7PTfKsNx0VK2ZwMsOCKdfwlruw+34IZObc4qw8Q1i0KhMfx24zK7epY+icL5z
arh5TNYJUhaPI6/+XlmL2EQhQEqlBR8vl1ZvdbSxLy2q6MtMkvvTdp/Z8VA0dFWh
zvQZ848kvh6QOahMAF/6dWXXSW/ueU4eyDfThQcYYmsLRLia3NPw0sBPseW5uthJ
5+oEDw2g/yI68x7yuuUzzm/U0e7rABCPAoCNQNg9sAJRepaJAhwEEAEKAAYFAk8U
dFAACgkQARvS29cq0O+d8xAAh///XNmntoPTpoj7QSvS+D1Ore8xHODbg3l6RHuI
+lmw46JWK0+OGFScVxqZdZAFxOOOKtMxfRD6kZXsdG486kQrAY0DRD6KET9yhNvx
vkClp/ZEeymtjvrDN8ofsgCd0n2f/jTeAabpAPs8xYDT9e5KYmm5EZkqbslab+i1
7OUW+cCW7FDsbTOogIwdMGHmVJ5CVCZCxaK6RbzBgEQtSMHuosd9fS4SN+SCK1gy
ApPRCT0tvG2VYBGgIqmO3OD5Tb9bvA787j7Wxc7/Q1VVj0v9kWmOxJOK0mz711Uz
pCbuUg3peyYwIW7AKjzGWmUtlh4F9IHMUPxZvI7EG7hMhQ11yHmr8p0LQw7NCkSP
cr0Vru+HfP5nObrIFh4VliJ5qQaf7aCqughBrCYhUaPmAcEq9zfZs8/GODkjBnbX
1NAORRaprsxVNWvYpXLE7Rozv3j0f7ohxaLaOJkyIPACp8som7gDwBlXTzLzuptW
Cu4e9g1D/avQ3qz30ThmVdBvNdfh/45SCUBXi8a1kZT39ruzE9W4HsVVKgs6AgQD
tbGCqu6WvXiK9rvdlEtGlwmlo4xEKaWrQE/JtVwn7KeEqRCbSWk0TGuFagNO5kXe
7de/1XyCyYFu6CSokpgBUJWELc7iYCSz/AztalmofHOGm5k635rEWyqTicEN/51I
SR6JAjgEEwECACIFAkt7AhsCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
EOyP7zp7+07aY4QP/iYt7VkirBynOVWbzacvPhiYBQ9JK7mm1E5o3oJeshOEQqzA
yJKyhJGmsi5sISVHjWhWVzdZcV0Jpuv1gUjebOZ44QFC8VIPeP+5Euf6LyjANp1U
F3OMTr1xb4zpHaNHF9Mmm+ICuH/p9VmtjcZIg5nrbVyOqhzG39CQbKImO8KYwcS6
5j/ne0dhtYAE5+d5KBO0REHP/AGwkOlu5LIoWvriJEYZTJ9rKGV7RnEGGWjFtSGp
RL5lPl85c5QG/BWtaEFpjM937THJKrVEwffkSjKvtEliZ4R4D/khD/0BQCtYKvfO
nh599EuFf+5Sp8Xhyk5If5qKyDfpRg1GI4qbHzIvJ+jUKfKkgQAu0ppSNFWgXqC3
uYFicBlK8S1nuUMriNH3hG6uWQ8hKYa75JFKMyMMDoNyRNXMvANARSqgS7xjLk0Y
cpYWJLwiDQ4R0bafHFuzOy0n0hiyZV+bPLO0pe73PYeWs3ofh4AxochZ2gXHte5k
3+pWPfNtfT0etHcdIj9DLLg65UpbJ5q7yoA1JsDQyoxtQM0B3k1lotNmfOv4CKF4
v9Ul2NPFKRlnGUOPLSpzGZ9bu4ecamoy5RRSQI73+NjkYvmxOkVjK3QjLim+v6xi
ZydW8irK3H8i0jSu3m3ejHYOfTgFkS6StoPiFdcJ4A62m+uNooB8IFQXmAKc0c74
zvYBEAABAQAAAAAAAAAAAAAAAP/Y/+AAEEpGSUYAAQEBAJYAlgAA/+EAFkV4aWYA
AE1NACoAAAAIAAAAAAAA//4AHFNvZnR3YXJlOiBNaWNyb3NvZnQgT2ZmaWNl/9sA
QwAFAwQEBAMFBAQEBQUFBgcMCAcHBwcPCwsJDBEPEhIRDxERExYcFxMUGhURERgh
GBodHR8fHxMXIiQiHiQcHh8e/9sAQwEFBQUHBgcOCAgOHhQRFB4eHh4eHh4eHh4e
Hh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e/8AAEQgAlgB4
AwEiAAIRAQMRAf/EABwAAAAHAQEAAAAAAAAAAAAAAAABAgQFBgcDCP/EADgQAAED
AwIEAwYFAwQDAAAAAAECAwQABRESIQYxQVEHE2EUInGBkaEVMkJisVLB0RYjJPAI
M+H/xAAaAQACAwEBAAAAAAAAAAAAAAACAwEEBQAG/8QAJBEAAgICAgMAAQUAAAAA
AAAAAAECEQMhBBIiMUEyEzNRcfD/2gAMAwEAAhEDEQA/APRoFHjGDR4owCaAYxOO
veiIxXXAG+aIp2z2riKOY2G1GnOd6OiB9aF+zqFkDFFtyqOuF6tkDIlzWm1DmnOS
PkKgJfHtuQrEVlyQOisgA/CglmhH8mEscn6LgOVA8qpcfjxhSsSIK2x1wrJHy6/K
rHbLvAuQHsslCyRnTyV9KGOeE9RZLxyitoeqFFSlDNJFMIBSF9a6DGcGkFJB57dK
44SnlQpQOKFQcOT8KNIxR4+dACmEBKwBQ5AGhjeuFwktRIbkh1WENjJ9fShbJI/i
K+W+xwVzJ76W2x0zuT2FZBxH4kz7u6tqEowooJwWl++oep/xTTxHem364t75Or3E
fpSKhnrImHbytSv97oQNh3FZmbl9l4l/FxvrGbk5pStT8l0I1YKlq5/WnKLmGQVt
vOLQkbK1DSc9OWPvUN+GLedU6ScJIwVDIJ7elPGITg0uBlKDnBT5YOfrtVN5I/yW
o4pFptN7afWhpZGo/myKc+2KakJ8t1bbgPuY5EVXolr1Tm3nmloSjfUkn3T3FSC4
vtV1LcbVoJ5AYx61SyTSdxGxxW6Zp3DPFY1tw7ivdY9xajk9OdXNKgoZBBFYuAtl
YjSuQGW3U/3/AJq+8EXRxbQt8twLUgZacH6h2rW4PNc/CZm8nj9NotdGcUnPICjr
Usp0ERQoE7bUKizhyjO9GCc7ij5UVNOBg1SfFi7/AIXa2EjfzFk4HM4Gw+pFXesi
8fnSJNtaCsHy1kAepAz9qr53WNjMKuaK5aXFSgZDwyrGkHHKnzjIkDQrJB7VG8P4
EADrU5BG4Ku9Ysq9GzFJDOLw+sEhtGxHOpu28NI8tKVoGeaSOhqYtpRpGTUrFSnm
OXShjx0/YTyUQAsCygDUhsdQE0RtSYaDpwv101Y3lYO3OmElROdRNIngUQoTZW5L
AdQptQ36elQDkiTZ5kV1hxxJS7gpJylQz9jVslN4c1cqqPHCkoS0oJ21AKxSYdoy
TOyJS9m0WqSmZb2ZCRjWnPwNOwKhuC8nh+Pkk8/5qbFepxycoJswJKm0FihRihRk
DiixvQxRijtkAFYj46NyhxlCW6CIy4ulsgbZCjqFbhjfFYr/AOQExD95t7DalJVE
CtZztleMUjPXTY3An30RVtb0MggggjIqbip/JttUDBJatjS1k/kCvjRQ71clZ9ng
lw9AvYVkuNs10y+W5pR2FTLSVIQByrOoPGj8dwtz7U+0RzUj3hVptPEDdyQFsKJ9
CMGmKKTObbJrC1KJPKuEhrbnuahL1xMq3qKPZ1uL6ISOdV9XFl7lZLUeNHCeZcdB
pWTGp7WyVa9louAIawedUjjtQbt6F7ZK9qkxc7k4tAWhDravzqSoc6juOo6nbWy6
j9LwB+e1Ut99jPhrHAK/M4djHtVhIxvVV8M5CXLElhSFJcbCSrV1yP8A5Vs5jAr0
XHd44mFlTU2mIoUZGBQpws6UKLI6mhqxypgNi+Q/msz8S7O3MucjzEJV57SdGf6u
WftWlZ22qq+IEBclqLJRkBtZSpQ5pzjB+1JzxuBZ4s+uT+yjtxGclhac6EgCoCZZ
Zsia5/yy2yUlLaEqKN8bHI596sa14nLUd8bGpWEyl/AKAcjbasxtxlpGpGNxKPbe
GFxYrjb0pMqSspKV5WdAxvsSc5O/+KnbalEO+tNtDAKAFDfBUOtWiQ0mOwopQNQH
aqkgqVc0uhW+vn2ocuSUntDMWJJUSV9t6JlwcBOlRawjIyM/DrUFO4Rh3EteeVRn
Gk6SEN5Dm+cknNWZ9z/noXyIA3qbaQHUA5GaTxs0ouSROXEmlZWrPw2xEuCpTa1p
QobtckD4J6Ud+isSFpYUQhIdQrOOxFT0shvZKsVFKQ27cG/OGUYJIO/IHFInalsJ
RS2ywcEgIkTUIHuApAP1q1JIwQarPArSvJlPfoW4EpPfHWrLj0rb4n7S/wB9MTkN
PLIPV7tCk6aFWRIZNFn1ouQoZpwqxQWRSH2m5LC2Hk6kLGCKME0Y23rmjkzKrxHM
S7y46VFQbWQCeZHOlW+5piqC3To096k+N2PZuI1ukHRIQlSfiBg/x96ZNwW5UfzU
48xAOKyZpxyNG1hyXBWdXbol9CnFBQGNgdiarkKRHRMQXkuIQFfm5jc86QH5ibqu
2TWUa9OppaVYDg7DPX51LR4fkrUiTClNcxqLJUNue4zUfpdnssLIkdLjcYLzjbUN
K3CRp2H3Jp65NdhtoWjUtIABA502YjM5DURiUvrlLJA+pwKYmVPnXJNvgsBDKMF9
5Ss6R2GOZ+e1VljcJtxJc1KNP2Sf4h7UMpOSe9cVIUt9lClHKlAHHrXcQRGbJ1e8
Tk+poogMq8R2kbkLSPvVfOrkgJz8GaNborMKGiPHGEpHzJ704BzsaCRgUMb5r0KS
SpGKEo+tCgqhUkHM0XKhQJp4kMGldNqQNqUM42qDiueIkdK7D7Tpy6w4kpPcE4I/
72qj2i5lKggEAKON6mvEniVtF5hcMsrSVvJU7I7gJHuj6kGqbc2jCcD4/wDU5uT/
AEq71mcuXno1OGvDZMcRw0zEJdSrSsbpWOhrtwpeLjGc8iVKczg6VOp1J3Oc5/zX
CyXBmZHDbpBUNiPWpJq3eahQbyPWk48lOi8knGmrO1+vD74QyJrhUjHux0YCiOpJ
+J9KRYI6Y0VRwlPVXx+NG1ay2ffdWfnXK9zWYsYR21AZ5+g6mq2bJuwtKHVKhvc7
jqWEo5k6UDuas/h/aF6zcJAyBsgnqepqhKK022TdlpOGmlqZQTjkCc/OtQ4AurF1
4bYcaGlTX+24jqkjvRcSCyZE5fCny5OMEl9LCUfCkKT0POlUSjk9jW0ZogjGN6FE
o5UTQrjjmaOk03nzolvjqkTJLTDSRkqWrAqwJ9jqofijiK2cPwFvzpTSHfLUppkr
Gt0gcgOdULjLxdYt6izZoAkE7JfeXpST3CeePU4rF+JrzPuvESbrcZ3tLruEHOyW
+wSOicYoLC6smX71JkcTW++S1Z85ThfWeQKj/A/tWnPR25tuCSMhSftWKy9czhxT
TagPZV5WcbkhR2+is/KtG8Kr81crP+HuOhUmIAnc7qR0P9qoZsfbZpYZ0qGLrdwt
ExTjCS42DunqBUvA45LCQlbStXUVMXSEpRDrKd+ooQ4drnpUh+K0XkjJCkjNV1Fo
tdrIyXx0HG8NMK1HlmuFnjzrxL9pmApbPJB/V6fCpxVsgML0x4bSVftSMipCBHSy
3qO2B06UjJHYcZaIHjyYxBsfsy1BJkqSwMfu2P2zXbwiuTsTjOZbkqKo0hIUBnO+
Bg/QgfKqdxpcV3PiOB5CPNhMuFSiCMZTuD88fx3qCg3Ry38QR7hFnuxnmXCpvRgh
QCsb56acbU7jY+rv6yryJqSo9anlXNdZ9wd4oW+6JSzdPJiOk6Q62vLZPqOafv8A
Gr+hbbraXGlpWhQyFJOQa0k0/RntNAoUKFSQZx4geKdo4dzDt6fxK4HI0tnLbZ/c
r+wrFr7e77e5irjdZy3VHdLTRwlI/pxXHh2Q1LiPeZAWClehWDz3Tgnry1UxjXFA
tzqEMrDuSlWdsbH+4FC8jbGLHStD2525MjhpMt8q853S6Sk7Jxox0/eaauRYYghJ
cQ0pS0hSircJ9zJ5+nalOsLf4RCg6vUloJJ35hzf7AUzchtrthWskq8oHc8z73+B
Qwv6wp1rQq2qXDnvQLg2W2pA0r/eMYJHxG1O+GZSrFfES2kBDLTymSvfCwD7wPbn
n6VErdfebhuPuh1pxKmylR7E4I7Hfn6V3djrYQC+8XGHQEKcCveAznf19aNoFSo9
B2uVGuUJMiO6lxtY2IrjKgr80Psr0OJ6isP4C4rmcN3ZrzFFcFZ8t9vVkHsoDoa3
uDKj3KG3LgOB1pf1HoR0NV546LEMnb0HCjlKMLOTjcnrUR4g3Rq18MyVeboUtPlp
I55Pb1xmp+OhzHvjGKyXxJuzN/vMe3wtTkWMpSnHRyKh29NsZ+NJWLtIbLLSKTYZ
chqROkpdGh1pbaUFWcHbBx6f2p9OtSY8i3PyXCnWdS+2g6SAfkd6j7JFbjeQFqI8
x1KQSemoZNP+IWWnZ8P3+YJPvd0oA/jNPk13VFaP4Oxzb4DC2ruIT/lPJT5iCFZB
xnbrzyKneFuKOIrDb21wZ/ugailSdSCeyknp8MGoGxxow4mkDzClDrZOyhySoK/h
Jpohq4xWZEVb+XGlKQe4xvkfLNdG1L2S6a2b7wN4nxrq22zf4f4XJUQA4k6mV+ue
afn9aFYY1PnucNpkMMpW4ghLqwf0jAOOx94fQ0KNZG70LcEvpBcNcYQ4ol/8eSrK
wscuYQv17kU0PEUJ2TKjoakIDjy/e0gkDPxoUKOEV2YLk+qH1vukb/TMhkOSuShk
oHcn+r0psxdLZ7EEOmcpWgjIQkcsfu9TQoVC9ky+HIzrevh0hr2tt6O8SlRAIUkk
bHfbmaMXOAlgun2xenBUk4wTv0ztyH3oUKlHfThOvEB1aS208lDjYSpJQOeNiN/+
4qzcBcfO2C8+WpUh6KUpU43pB1JOO5/MMjfr1oUKJq1sCMmpaNA8Q/Ea3/6ZcZgs
3BlyUNGspQClOMnkrqNvnWYRr9bWIgwiWp144UChOkAJ5fm32WofQ0KFKqloc27R
zeuFqNztpcRNKA8jWkacYyCQN/U09uV2si77CdMeWEIYAKdIwSCQNtXYDrQoUElT
R1iUz7ML1GfSzNSFpUlQBT+pJHU+tHxFfoLNxDsVMvQ42orStKeZUoZ2PYj6UKFQ
tyQTbURvwfeYxjTmVqkYU7hKfLSQEqSoK/Vz5UKFCpmkpshO4o//2YhGBBARAgAG
BQJLfE0GAAoJEM4EbGl9QRe9BBYAnR0UKbO9WdXrRDi0mXU7qKY7jUz8AKCL5+Rg
22Qnmsc1uLeW47Kj5M+FjohGBBARCAAGBQJP2ew9AAoJEI0RRWN1wCTISiAAoKtK
wgULtBatb8nMtS09Iv1al4gtAJ0UrZG3hJd8W0itBHnwLxxKwxLOeokBHAQQAQIA
BgUCTFg35wAKCRAHibBA34y2118eB/9xt0gcYts4ihEi2dkm83wLRjlTCw4RT4ZI
Hm+imiFRexIuo8b45p/HXZXf0hw+p41VhJNt8wuJOL/eMwQ3VFN+ZWHyVLQv8hIz
kR2VwPJ++ugeJUIAQem5NC888befJ2S5783104NCbId7vSvhFinrTLWg8tO3Ytzk
XSzv7/hm4C4tZtdY4hys+7S5r7ouXYIeLP0720kiVhQfIWefEXmAsRpl7HQnzSuq
HCptTMH0GN0O94XbCFcPXINxInY9G17M+SBk1bjh8aMOnFDfJnrI/VY3t0C51PJJ
X3uaQ71DwIsILH5hEoYF8Zuy6MB20nlrC9unNtvy3+ZAzGwOQkFtiQIcBBABAgAG
BQJL4B7UAAoJEFDfOomSCcqyQjcP/1cs1LLSEzoAMR807WTFrtlfRO1dd//UvMoF
pfzO9ptAlkVc+sUeUZ/7r7tDBQteBjMYR6gBdShTXmxnsII5byaCZmAuCA+SobbG
XU3rF9l41Dc9xubB+xIcbljR9D5OghN+iiWY05eEO2CoaMxp97vrJtiZ6RcksG54
OzXbrH9lgIh5qXBBV0O+3a+yk7XmI1mMsHdPlD+LGPTTLzBvZ9rWITKlCoh5T12Y
pkPJgk11i1pUuiPB4u4lM241XbXtfflweew7CSRMvvjGz+QhDVPKrFnA3GZP434Z
4Iw4F0m96q09cBtpOnBWxoPcjZAHncwnk6kEF57abyGZlw8ppmhoPGmjeWuL/f87
KDaP3ZVnoUdWWrrVaH6VdqT53Pekau6mWfZZOpLDExBq7McTXlzAgBMBokd8eHCK
I52+cIYC6O9PamPt9DQsHAkXDn21IRzVcSEn/EwP/n5McdwTkl+XoO77OkDZnf1l
x67fc3zsrpmGK9/zG1u+Wf1M+l3GoGRe2AK6BqGCMpzp08ChzRaMMRahiwaRxrLA
ll13npCSXuEmxd+Tqwo4Jcy+uRu1lRbOm6abYPYF+Mh1kdUtr+jmHkhKFQYermtn
3b5hHSgW6hzlRtDZvhl7s8hl9JS8s26aBRKyVuLhen10kiWm3KtupZHQcoeT82HH
mpou3w3ViQIcBBABAgAGBQJPPrT0AAoJEOBRH6e4F01SmKYP/0eHSx9cKsAWi5mX
KwRumiM9vi5TbJ+g9cg5X6eHqnKgz1SviRIstGUrY8BLAVdnsbHneSTiUpIoHp/1
x9ryK/MAjzqn/Nler5VUgIaMmgrDkufYdibTm9njYX/iJz1wbxJpSYgY55lN2eD4
IhmRTgYf75ncAFifQ+jbE+PigHODxYx31twoPYTVjWSVBlpeYSBgxZnW/0VwHfnI
TuEhDLpRj5Ol9jk3QpYLdVqQ7zmMZPpRHQHHOSXHwqH2FUVWjPwLjWXO4AV3NArx
lw5W5uaDB3oIV+fdAbNe7mx9lp6eQM9W1Mo4H7aqrBIx1trpym0O6iw1DSgnf73D
DhY/zaqXHqGkrkDSPd5cjFQ0HFpXvEtpLx20SG0qKH+VXX/a5uUt5D30cKrpuKfl
GRZ9nVNYKFEIgpKaJdcKHZfj+xCcS8CFqVorlsl96RRNQ9cjwC21kNKmy7R6PyaA
+k85EUmjAwH60gxvKZ1XEXxioxxRWbLcHkzFUDfIC1Rh070NZ0jeB44LpLtMGbGi
J546/J4CbGRwReoU6lPEm7sHr+6LesG11MfzUc0JDQicRhpo9KqQVCoYJyZZ8dJ8
I8DptPwnGEsWqEtWlv6q/r0ifKfnP7CCCuO8NmxLj8SJagvrO5iflE/W6bh+K9oX
SkkU74zQ2gy84NtlgBXd1qjze8nDiQIcBBABAgAGBQJPcMFHAAoJEMdWOhdM6GDN
27kQAJ4vE3cjoYxqDRIUxE5RVkYXl7IkL1UCxHcsJdtezQ2cS0GbsHQCYnBZLTwO
N5p2UWSDgCVe1BuKaKdFnA/ZglYjLdTTgibF/6MEaL/YpQTBeGINi8sKawrWgPJ7
Is8El5m3SeQC2IGikcKDyyjN/PL7am9teJvb1cI2weLE8Rr5kW10X7RIrQn4Nh+H
hRbhtsBH2trB7TwvXHAN7goh13kkTfkFz0MMiuFnyGR47JNf3A7Tgla1dspr9rBR
Ju7qxsrfh4tHAHpXhC6mlXvpJhFbWxn1gFlObHlyS5fniS/eNd6Gu9zomqZa3i1F
tB2GYMAKH+yR/mTimS7VwVO3EUg/xUZms7cfrBZcd/RVC7PUrLXJxFm0qCdQQ5dZ
3Vx/zzFYObQSviZxqJQNe5o0OmGmrHtZoqNGacxwnEeYcyvkoYApr3jFRosNWoXI
Z3jpyDjrETKi7qXNCL+28mo98WZ/qiWwvZh6snWdzGu4nFSomaL3AXPafsJWslk3
HWGjynP85ciCmyF6atSTzmI+lYvb+UZdVOVN/+TgK8xbZdzAfCb1mOeFE4yQdO3D
aKOxkMOX2bQMtY6VywYHh9QZ33TQFaV1+eNgoAlxr9VLtlxrUjZEuNwjpAH80sl5
9FfwjmiGQ6mSul/nbpPAB4DRXWxtm3aKSlgktCb4SxWw9vsOiQIcBBABCAAGBQJO
cg0pAAoJEKaxavVX4C1XS+kQAK8ynedkQlA74tMDboaSF+oWoxBV5Ba6k1huUBQ1
/GmnkL2bHAoRReow52ktXwBWlLq0lDGxLdQa156KUTEH/j250n5DKMXGm1+RXhAf
wWWSQt7M9niCBREYllIQAKDAUfk9jcUj78HiNsfNK/neXA1DJzYRFLqRWvGXVxU3
mAd6EVfiXtp4KFwtGM92QD+UYviT9Mf3CwpVLS9HmOWM0sr6xVgYOKJIxxZ+/Pv6
QY9+26m+8ig/hD7/yZnbiTr932oZZo/r8CyqLHdSzbHR7vtZLJGcUSafxWnAaN0U
LlG8yxMcca77zOipeiQnGFyBMsH8Mk+ZYZmhbUwb9Ah+tkSUMt1mDNV1B1xp6mHw
FwXYyahejSdlP1MqQiM9EctpVQmMt4sX8R35TTx+DxoMNRj4FFCnZEiwLgc9GcSk
WhcGrATs7gPbpvmTAvxwsmiHrUHofuCt8MyFNDP6n0KNkW528GiFQX/FdEGuiUJt
9W59aLqBbomaMmZIxNGg+p8PCp6dNIcQDhth8KAbFzKHtKkCiEPpilM7vRQ7LkiV
qIlAlWEuMW/fdEPnGDcl7E8YeCPeJFr/UrwNYsmHvABjRR5HDEWa0mRxyAsjQ0N8
oy1ZSWhAiUZoJRecQKlf8ME6Fg1CsYPk3z8VSTO4uGk9xvT7IOMBtNBR2Leb8RjJ
V6jLiQIcBBABCAAGBQJP2e6WAAoJEKLeI1Bi2jP6p6kQAIG85BBgEdJ7MiVmaO7h
OP5brt6ZL6E1pPpeJ7kkrX10jBaK2b0+2zuWGXN7xTNHLv9UOJn/RZmCUH2+nC27
1u/rIvbO0UDfOS39yHWuX1oEljdoO2JWNJ3bLh5/njN8qycw0IFHL+T0FNwNAfcb
sVAofR/gJtPEEsNRQnby73Zzqu/FzdLrNF7gHVG3kEPkW+ogNGFxvVEMEff1Oofk
V+ngS3oPEzxBtV7Qu1Af/ScK8a3f9FrwI/0TxraA2lgMEG7yMonTopJfO/HIfqBS
mKC6C1d0m9vfeSublZT/dPIfFqCIwVlwI8Y/8YKvKD0NRI6SStvXhbRbttfQj4o4
d/YLee/2TV7w89H4gZRV3ByX3qlT0qz4ApEbHCXFmkm77+HwLanbfpWe0IlS2/67
FgqHKhErtz05jCtTRmFfwaqEtw5Gf/zBF6NcIjBPj1FlWCq7H4/6eZARoRDOsvf8
H+Y4zzdXG6vojMo8EI1h76kUDasd+6EIFVywrzeD2zNf6b0hTnleKu9F+cw1qOVN
bhaqm1DIlTGHbl+gQ97rHcO9HMajTcpLPIL58ErDKdhqqBMmrQbxjKGLwRHgzZBK
CgL+Cn37faK5w/NUlVmU/rnr2G7cjGscQLxaboEM4wZzyNvUkRtgQjYtkGCFGjUy
io5pdmSkbgmgXAbvUUpvju0AiQIcBBABCgAGBQJPFHRUAAoJEAEb0tvXKtDvMXwP
+QGvUax7Q1oVT5GoDGdqJ74mqLnnJy0lYS+ulGBuMmvFomwCVsEQP9ZisQgfpSTi
lW9o10zOMYKKicT92kl7o3eqMgQ3gb5WUcwiISIG/3zRFVgXWbY2+eL4WMeU/smT
vJlJNf4PzfG+TtcUWXte3CJ4fAxMCm4M0WvPtBMkuo0ZFr6YkPsLyK7dUsyoHeWL
3nPNooHpL0w0oHoxcXnksQR0u3gbD6aV4XOQn5qjdf2Mjb3S0XuNyxqtqcGa3FVP
sMIJjGA0Mj7ZD9g1IjnSmBtx7M1SYXy/Z9HMxNxO2aqdMeGvBBeoIrVsqdG1ATNy
wm6cG3Vsr9ZZJEZDV7DMXWtqojn4ooNtkQm4Se4TRX+XU7A32gf2x9WFPK8Uruki
eillwhW4f2Qxnx5YXQ5awZrA1J8F3L2uXLrf8kNtMgaElZOeI2piKOe8ONOONg2t
k5hIOMNXeK92IazAlmFmotRt4V7k4XBFlAvvIlFDEjqhNRcYL8ikVACvybdnZNPW
E21YrphffT6qaz5qheP+J04EZWiIMQk2TfSGUVtMrXeG12LbxzbREfuyVUVe2WyL
EjOW68mXA3Ha0Xyx7+iczsUoWMr/oP0i669xJ3x6xq44N4mx5sc5peIxseOtHO4u
LCKVcIZTykmF7COV5EmDPmUztGC6jhLcFF+CzPkmfFrPiQI4BBMBAgAiBQJLewSZ
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDsj+86e/tO2n2PD/wMEkPi
ffHxstfOINXKpUsz10j3G1IDrY+6KzkMNOp7Oz3v1hWZugnFCcNrp2Bhdm1mWTpn
HHrQzkroE/jS7xZo2klKsDqPvIZmOawgZKqaBXSKOMsRyaP+exMMj9Sx5aTfpct1
B/PVfUJw9BQaoors0GBxT8HXtIZnbVr0HXnvO6KeZixy3uQgqRCIEvGaPCCE8UBl
0rY4bFgD6tZWwBAnIZEvsRr7h9HKvku4dy5v1gu//0IUklhb3b0rEXfQAKHpUMX0
8hwib30DnUIrhnHIUuAv1pEDFyZIkfxn0Gd74HYr9ZrPX52mYlLroUsvDWh0UfHn
A2zRgOHHfTjP7h78JeAL8fp9HprrsYuiBAldAeOhMBFA6nSz5IYa4EGvBf7nyKcy
mLTKTGRAe0pkXFBEWUvfLGSY58A8VKiRo5CwPQgUeqzXlEUBXib7hUgt4291zwKk
4on/0ijX0lOdrEKMxCLlWFaETyTSxHrHt+rQpZCzDXzNCMxfzt98egN0xIlj7xlk
XFlvNYynjxqWJnJNtL3HZVWZeLev/4yf33FE+hq0ud9ik52kITOZHdC/tYYW/l4O
0sxrfB238wjDY7w9vDv3h+5ju77KrlzjqahWleFdstad1SLMGP58IbZA/+L771bZ
rvxEIB5nsccVjqKBEHsVW2tWEXl08aWBdkIgQbkCDQRLewIbARAA2zPPUQrdBHFC
NqOg1UxRceXslFcpJengQbl6No6I9pz1cFK/g7uTJD2ph9nooXIEkUaI8ftqFCic
wJYYFY1lJmdSq16udIgHF6i2sqIkWp5c37puySCHzim0ANI44SvG0zkH0R5FUKZR
Zzy3lEmBa3CUCWMajOQ25AYyjzL1sZ2tsAf5GxZrXnmJ2y88dYSDnpecKJx0tqy+
8qv7fI6GSZyPvX1yLse8rJBidYcc/P2BWLlIKxPn5R9Zf3hL3NCDIqCboroidwGt
lv85bQ8VLp6GjrzmXmOf5eSZfiNceuPLQA26uee6BBB+pbdXAk0Dx8fEkZjPEgO1
0sUxIZoyRNSBwmd0JGbI3fl+JeNi1RHcamgThSkajtYhl25o1FpEBQRtYwZg2dAt
6bN6TfJOUVHfeBBZbCXeTPnVH4TLHSpE2aw4NLwyvT6ugJVvIdyeIqRC45SpFA7X
JMSYXt066yFdnizwtiRNQhQQ88Yrxw+7XaWszQuR1CoyZBr/kOZRowLJL62+4JdL
U+dM2b/gQJAHDhmUnpWTx7nkfjXLVLFUji0EPJ3sessCiLaiJj61luwg1eW4Cd/V
o0oHyCo7cQsTn91Io/zI4X3ZtmRbiyrpC9HFxCVKmKcnhrS7nv949w/2f1hXYrTb
Xs0hr1SzE2cbJtrt9f5PPxW8RZpzYWcAEQEAAYkCJQQYAQIADwIbDAUCV59h9gUJ
DhQTzQAKCRDsj+86e/tO2suCD/9XtxLYG/93JeePAx4twuj7t9p+wP2/quUBP+l+
Ww+5+q6/B1vdgBvShnIAnUZjpMEh2HmYrAJucDaSMJE07RPz6jDEz1iaGDBg8Nvk
vbllNlh8azh2gTom4VkrmuSiLpATeXiYU4OEuEsQgs3xbhdC8cyJye7nvUpJmRSW
LeUa04qm65/kE7c3upT9uwHRBzRmFnOxY7zBPdOyqglOwdWYWR0gEaO6fwfYEQXj
DDEq6VxONmUXnJxiuGOMr5gQyXmjxYHG2xN+dcLJBvMP/9Zir7jXBeKIgSrVdtrg
SDfzTeW/eZUR37IGBPjUswAMz1v91qHckU8ilg+EIy4LPkyYaJE9HUTRxThM+SdX
0yd5XhlqBj9ds4R1WfxBTTMu1czTmhOQosTlat+5wch/9T5qIInuegq5fhLIxAC+
TtNhpN3QB+FOeEYk8VKfPEPx2Rigk7ByUxLMmDTrRmvcT/6E2DbxsZWIo6CtZzqX
CQY0cIpcFGWVsYA2HxiWYBFUK+ieSB1J59EwtLuDOBOVrBe2n9ewk2KCR4/81BmW
EMXkii6Sbs9sZgx4KDV9qRMBNfmWN5POrdwY0qSp3Z4JrwPKLpCj5HpbJL3krvkl
pxzvzYngd2aNMmMJAwqyG594dZH710eytgSFjX4ne2RM5VGwLU+0lrxHdmd+TgX1
WugElrkCDQRVzNJfARAAto8dasB5UD8z2mcqu0ajLjGe5WnUt/CI3ohZiQ5hbBqw
X6ORhLS+cjkkF3UPoDMfeiwAUbdg4cHfA3H3HQBs0AI+f4wcBe1kutODLUSnx39V
eVySR+W+Na9qGJA2mJXHKO64zClsUk4mdrlAAXf8PPUxv1WAi9ZH8GL5AI68WYv8
tJP9AmcHuQUm2zkA/yaaIn9KuJwfD7ESsOVZgqcGp4eXsHcSFzXq15Mq0KTFAKM2
NKBl/pYxnyNiDJ8Rg3KQUstG3yQ1GVJIwOzF3/ehebg5KWy/cWANo2vgVgiWZedw
aWrFXDggSdq6cT4hxr64EHfeonyvfnaT2ptDNFmGhZCIf8VS43B4BpfOJJOiLTCh
il0+G/0IihNjO5fBZAApQAQjcBD0/BUS2rz6GvdnM2e5IWLy1mPFY7bqnwZ2cF93
gEOuGlFKQY6nCwkA3ds0ICTbX0zkLpO24Jk5wO95YI0r72zaBRk816hcj2IZJiUn
y2ekhpg8H2OyZSpS7lVMyKAydfzOVy3vsIm6sQ/3a+2Rn+vaHHt2Hx/+HHMjHWux
Tg3ALBLwpDn9z4BFzifG7Do2qFcwnN6DHfo5tsR+snqDowOnJiBCKPrVdtIk6snS
nEJzy+pkakXGnj3jDzHzkfWHD3yZuQ/W5dRHP+nnBqGY2Hrkr9brKhpG4jC7o8sA
EQEAAYkEQwQYAQgADwIbAgUCV59iEAUJA8JDqgIpwV0gBBkBCAAGBQJVzNJfAAoJ
EC0s7xA0khaEF5gQAKe9pvu/QvOZcvpu9SuKiGidtzNjzzt3TQ5HKHK67NwRq5H+
gJ1/lobkCbEpTskSKHEM8gnJOvm0IBsu771butt43lYhduv1g7r9cSa6zOInboGl
+oBfaBJvFZYv+FcZ6FkRHP3WoekhsfMkWEBBESU3EyXiHKpL3yf+P2ONMGza04s1
dDRxdMxnGmPyBGhWNlpNp+YuWpNK7tqRsXdjL9TiXt5WSm6qiE0CvbCJ6ia//2eQ
oA6ZFQtF18yFLbCP1p3QmB1JY7zHS6EwaeDehjhqZsxPXbfv5ZuhSPqEAsRkYG2m
1LyFDXO2zDDfpYnWS/4/84zNRscaiDHUI/40pqooq61FTrmIiZiwgLTes5p4tykZ
4lhG7zf2tNK3ydrZQzrLeerMqGTegeZZYuYS0VYche+c/EI4GzJU8R6piBaM8ixq
Ce07f+bwTdqC/TZgub2i6/kXY17ZlV9Pe51/DTXfdgkKplyrO2Y8+92SNw53HiWo
2PQaGCEB7uv8k+PNuJ7evnQw5r57tXPK5U46ZHmOBkfaC6JckYu5rUbSrRMX5e6a
Rc8/41itN2O9QC3W/3kQBED4A1gME47lIZG41xUoYBVYqk1skvBxVDZ6PeesDdbE
VU2tVkPZYzgHzRvAjVu+i050x8Uk9EiBozCUwNZo2uQyAScRVjD+X+4J7/GgCRDs
j+86e/tO2iXDD/dJeTbkC+Za7lIetPFPv6gK9L7SOcNks7h8GwSD+NznFoOHCPsf
u9SKkzhkSoAxmUfcNzPwZ3qj7bFDphyDywMbXtASsTdmZlGqyxYGHiXS01KsZa0r
hlD3z0UTNSYhZ6sOPKeU6XM6lp8wIfaVEfS+mxVIb6PoWoB4yeTM+Xs6b6ZB/K3z
rZtTz+G52pseFZKsg+RN2zxFqLmZSQc+mVsPTjADO3sSJBV3/n87WHIUYZD9iJYJ
JPyAH54Ao2rV8n8PdBGsg+HgeW6vvn3CzeTXidE1x+HauggfzT6FRilGBNikldg+
jk6+wpCgh2jRdcG7wKMedHWwc32S26SzLXLcfZWZT/vDe1tvJyFJ8l2la5JLChvL
6gHBMunZw1RV63LzOpaZZ04/YcEbesKETYxR/1XZTaZBb2H49DtftuHMtLpfMON3
Ew1J9Uq/5wES4Bu6CWkHKI1CcMzdvFYto0JqwYla3O6uYNJDxIKNEz3xBHFv8LRA
5uJ1NZhxtXqmTKBOVIcAPQO9T0d4572LoPsfVrtFa0lvtfoarRyn+4QeuqQuHxjx
EnFBcbiQkZFOJH1l2YGdW+gVAPtp5wmqZ6oS5B4UkjSTjr+bLEiCCT1JDURsHFF/
T2EL9GEVFLVFthqmgoNyi4Yy9JvLdZCZP38cOoooqGX75p9N3QcEGohP
=dgPr
-----END PGP PUBLIC KEY BLOCK-----

From 2017-r3sgs86x8e-lists-groups at riseup.net  Sun Nov 19 01:03:38 2017
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sun, 19 Nov 2017 00:03:38 +0000
Subject: Getting more verbose details of a key
In-Reply-To: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
Message-ID: <1581232046.20171119000338@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 18 November 2017 at 8:36:20 PM, in
<mid:eb27c759-c28d-08f8-dbb5-3c9c1e3c074c at yahoo.com>, Ray Satiro via
Gnupg-users wrote:-


> Also, is that the best way to get key
> details? I seem to
> recall there was a way to list a key and all its
> subkeys in more detail
> with sub key fingerprints and expiration? How can I
> do that? I know of
> --with-colons but it's not a human readable format.  


I seem to get the creation and expiry dates and usage flags by
default:-

gpg --no-options --list-keys 0xACE56971D555DAA5
pub   rsa4096 2017-08-05 [C] [expires: 2018-06-16]
      7910C45F89FC8CC2CBD24AB0ACE56971D555DAA5
uid           [ unknown] 0xACE56971D555DAA5
sub   rsa4096 2017-08-05 [S] [expires: 2017-12-16]
sub   rsa4096 2017-08-05 [E] [expires: 2017-12-16]
sub   ed25519 2017-08-05 [S] [expires: 2017-12-16]
sub   cv25519 2017-08-05 [E] [expires: 2017-12-16]


But there are options to get more output (which will probably wrap 
horribly in this email):-

gpg --no-options --with-fingerprint --with-subkey-fingerprint --with-
keygrip --keyid-format 0xLONG --list-keys 0xACE56971D555DAA5
pub   rsa4096/0xACE56971D555DAA5 2017-08-05 [C] [expires: 2018-06-16]
      Key fingerprint = 7910 C45F 89FC 8CC2 CBD2  4AB0 ACE5 6971 D555
DAA5
      Keygrip = 9F115F0D0FC92E983F27D7331E7ABEBB4EFB20D8
uid                   [ unknown] 0xACE56971D555DAA5
sub   rsa4096/0x130DF516112FC0FF 2017-08-05 [S] [expires: 2017-12-16]
      Key fingerprint = 525F A928 9F17 798D B33B  2728 130D F516 112F
C0FF
      Keygrip = EC8686A74101CF30518E152DC36272F00693DB21
sub   rsa4096/0x1CAC08E8DEFAFDFE 2017-08-05 [E] [expires: 2017-12-16]
      Key fingerprint = 95F9 4462 F81E DEB5 27E8  4D5A 1CAC 08E8 DEFA
FDFE
      Keygrip = CEB8C7FBC9B61D2D844E4DEE6C80CA76767D6503
sub   ed25519/0xE0E2DEE1D6C8EEFA 2017-08-05 [S] [expires: 2017-12-16]
      Key fingerprint = 960C 8628 D592 FF8C DE8B  B0BF E0E2 DEE1 D6C8
EEFA
      Keygrip = 9BB73B4ACED2CD1693C989B634B8F7E99884F786
sub   cv25519/0xEAC88A2823F99DEC 2017-08-05 [E] [expires: 2017-12-16]
      Key fingerprint = 3ABC A084 4547 9C02 1A9A  DB13 EAC8 8A28 23F9
9DEC
      Keygrip = D89391EAED4F9D523EDB8937BAD5B6849C5DAEDF


- -- 
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

What's another word for synonym?
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWhDKP18UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+uuiAP0bUnryHdQqFiOVzNLvYB5o2nJB/52VdFdnDXFRcN852AD5AdWX5yYjA4Cu
R9rIE3Fu+iB2V5aIJaXEpxyrW+R0GgeJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWhDKP18UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/7biEACoMqKo2zoKP/uonbu9kJMZW6QS
dtr/L08LLaR4lQoML5fg790xYUF2LaLVY5Qqw/v4z4dbdMThLE4ApIwIXfapzNYd
IKzeX+Z/kNrFJBswhaUuG/3PGY1SBCujGCg07eEXP9xzEnAgzOhkaZfPzzkODB5K
dUINf5vUqmL/5YZfjN4G2UW6Ligqy9WD4H4PoPMtfb5ib7XH4xG1DAZanjDoUCAq
/uTGzzI9MebQgx2ijqyqlX3SWSBd8kZrk/HfcOa+Bh1dP68PD2/WaKjpL9w7MvWM
j22v4Ut1QO3JkMeAeNCg2MiAmSSUo8j1ysSAYm0c+JEHajwiaPqzXdocii4nEN9E
lXVAXFwvTmpGU1CgI1pY5h8EYq6709UHFOgchLX0gbacAL8YKCtqTZL55VRALPms
UQKNfHFYPFM8ZusCuo2EDr6gptsgBsT16/SL+ilEPRO6X+OvOYtIU5i0g6F/LYol
kh8mG0SCvg9w+4g0zXjOFNIfbRT3S9bzEgQTd5FqhNVzmCsOU+mk65YE+jJEpDDQ
vUj1hh/rk0zSNa9wpNvynvs/bU666SZKR9hHKNbW0G/rclq+adXpcy6RbDwjpPTl
+X5SYp7UsCfpPdajLbzcA9/83qiBMBHxXI+UlM0n2IUTjjnwNqRIVwiwMSGT6XYb
XP8vMLeACMPwvJ3F0w==
=SvDu
-----END PGP SIGNATURE-----



From peter at digitalbrains.com  Sun Nov 19 15:10:52 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 19 Nov 2017 15:10:52 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
Message-ID: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>

On 18/11/17 21:36, Ray Satiro via Gnupg-users wrote:
> sub?? rsa4096 2010-02-16 [E] [expired: 2017-08-12]
> sub?? rsa4096 2015-08-13 [S] [expired: 2017-08-12]

Well, there's your problem.

GnuPG by default does not show *expired* subkeys. Use --list-options
show-unusable-subkeys to do that.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171119/d0dd55d4/attachment.sig>

From peter at digitalbrains.com  Sun Nov 19 15:20:16 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 19 Nov 2017 15:20:16 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171117150925.GA3957@c720-r314251>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251>
Message-ID: <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>

On 17/11/17 16:09, Matthias Apitz wrote:
> It seems that the USB token is fine, but the Card is not (see
> attachment).

I don't use Windows myself, but AFAIK, this is normal and not a problem.

AFAIK, the exclamation mark triangle on the smartcard means that the OS
has no driver to work with that specific smartcard. But GnuPG
communicates directly with the smartcard; the "driver" so to speak is
inside GnuPG. In fact, if you found another OS-level driver that is
happy to work with your smartcard, you are probably /creating/ an issue
since it will keep a lock on the smartcard so GnuPG no longer can get
access to it. While shared access to a smartcard is not impossible per
se, often you'll find that programs want exclusive access, and you can't
use two programs with the same smartcard at the same time.

An exclamation mark triangle on the /reader/ would probably indicate an
issue, but an exclamation mark triangle on the /smartcard/ is probably
for the best.

Still, I've only used different types of smartcards on Windows, and only
very sporadically, so I don't think I can be of much further help.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171119/0a602739/attachment.sig>

From guru at unixarea.de  Mon Nov 20 08:56:12 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Mon, 20 Nov 2017 08:56:12 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
Message-ID: <20171120075612.GA2475@c720-r314251>

El d?a domingo, noviembre 19, 2017 a las 03:20:16p. m. +0100, Peter Lebbing escribi?:

> On 17/11/17 16:09, Matthias Apitz wrote:
> > It seems that the USB token is fine, but the Card is not (see
> > attachment).
> 
> I don't use Windows myself, but AFAIK, this is normal and not a problem.
> 
> AFAIK, the exclamation mark triangle on the smartcard means that the OS
> has no driver to work with that specific smartcard. But GnuPG
> communicates directly with the smartcard; the "driver" so to speak is
> inside GnuPG. In fact, if you found another OS-level driver that is
> happy to work with your smartcard, you are probably /creating/ an issue
> since it will keep a lock on the smartcard so GnuPG no longer can get
> access to it. While shared access to a smartcard is not impossible per
> se, often you'll find that programs want exclusive access, and you can't
> use two programs with the same smartcard at the same time.
> 
> An exclamation mark triangle on the /reader/ would probably indicate an
> issue, but an exclamation mark triangle on the /smartcard/ is probably
> for the best.
> 
> Still, I've only used different types of smartcards on Windows, and only
> very sporadically, so I don't think I can be of much further help.

Hello,

Thanks for your feedback, Peter.

I killed a running SmartCard Service on Win7 and tested GnuPG on a
Cygwin command line. It says:


$ uname -a
CYGWIN_NT-6.1 APITZM-LTOH 2.7.0(0.306/5/3) 2017-02-12 13:18 x86_64 Cygwin

$ gpg --version
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/apitzm/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg --card-status --debug-all --debug-level guru 
gpg: reading options from 'C:/Users/apitzm/AppData/Roaming/gnupg/gpg.conf'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x000000d8 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_0x000000d8 -> RESET
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> OPTION ttytype=xterm
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> GETINFO version
gpg: DBG: chan_0x000000d8 <- D 2.2.1
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> OPTION allow-pinentry-notify
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> SCD GETINFO version
gpg: DBG: chan_0x000000d8 <- D 2.2.1
gpg: DBG: chan_0x000000d8 <- OK
gpg: DBG: chan_0x000000d8 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x000000d8 <- ERR 100696144 No such device <SCD>
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

It does not make any difference, if I also start the scdaemon with
$ scdaemon --daemon &

or not.

	matthias

-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/a0197267/attachment.sig>

From wk at gnupg.org  Mon Nov 20 08:56:24 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 20 Nov 2017 08:56:24 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com> (Peter
 Lebbing's message of "Sun, 19 Nov 2017 15:10:52 +0100")
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
 <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
Message-ID: <87ine5v0wn.fsf@wheatstone.g10code.de>

On Sun, 19 Nov 2017 15:10, peter at digitalbrains.com said:

> GnuPG by default does not show *expired* subkeys. Use --list-options
> show-unusable-subkeys to do that.

Let me also add that using gpg without any command (as in "...|gpg") is
deprecated because the output you see is more of a debug message than a
weel defined output.  This is also the reason why you see the expired
keys with that command.

To view a key wityhout first importing it you can do:

  gpg --import-options show-only --import 

(Suggestions for the name of a shortcut command are welcome)


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/b4418816/attachment.sig>

From me at wadadli.me  Mon Nov 20 11:45:00 2017
From: me at wadadli.me (Michael S Singh)
Date: Mon, 20 Nov 2017 10:45:00 +0000
Subject: Dead link for the Mutt-GnuPG HOWTO
Message-ID: <f73f2072-5f40-3997-0a05-2e23594b4ff6@wadadli.me>

Hi all,

I was just skimming through the HOWTOs section and noticed that the link
for the guide on using Mutt and GnuPG doesn't load, instead Firefox is
saying Secure Connection Failed:

An error occurred during a connection to codesorcery.net. SSL received a
record that exceeded the maximum permissible length. Error code:
SSL_ERROR_RX_RECORD_TOO_LONG

-- 
Sincerely Michael S Singh,
M: 914-266-0601
W: www.wadadli.me
F: 5E0E FD46 4592 1682 A4B6 5F62 761E 4940 A177 3B38
-------------- next part --------------
A non-text attachment was scrubbed...
Name: me.vcf
Type: text/x-vcard
Size: 351 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/ace4dabc/attachment-0001.vcf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/ace4dabc/attachment-0001.sig>

From peter at digitalbrains.com  Mon Nov 20 15:07:44 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 20 Nov 2017 15:07:44 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171120075612.GA2475@c720-r314251>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251>
Message-ID: <8c73f066-6c03-bbf0-1e91-5cbdf9ee72b8@digitalbrains.com>

On 20/11/17 08:56, Matthias Apitz wrote:
> I killed a running SmartCard Service on Win7 and tested GnuPG on a
> Cygwin command line.

Involving Cygwin is yet another non-trivial hurdle to take. I think it's
best if you get it working on Windows first, and only then try to
involve another layer in the form of Cygwin.

You can see what happens when you use gpg.exe from the Windows command
prompt. If that works out, see what happens in the GUI manager(s)
included with gpg4win-3.0.0.exe. Assuming it does include GUI software :-).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/99f19966/attachment.sig>

From wk at gnupg.org  Mon Nov 20 17:00:05 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 20 Nov 2017 17:00:05 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171120075612.GA2475@c720-r314251> (Matthias Apitz's message of
 "Mon, 20 Nov 2017 08:56:12 +0100")
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251>
Message-ID: <87lgj1os8q.fsf@wheatstone.g10code.de>

On Mon, 20 Nov 2017 08:56, guru at unixarea.de said:

> I killed a running SmartCard Service on Win7 and tested GnuPG on a
> Cygwin command line. It says:

Cygwin - I would not suggest to use this.  We have no idea on whether
the RNG does what we want it to do.  The IPC mechanism and
descriptor/handle passing may have surprising effects .

There is a new gnupg 2.2.3 installer available, I better use that


> $ gpg --card-status --debug-all --debug-level guru 

Smartcard access is done by scdaemon.  Thus you have to modify or
create scdaemon.conf: 

  log-file tcp://192.168.x.y:42042
  verbose
  debug ipc,cardio

The tcp line is what I use to debug on Windows.  On my Unix box I run

  watchgnupg --time-only --tcp 42042

so that I can work with the logs without resorting to strange Windows
tools.  After changing scdaemon.conf you should kill scdaemon; gpg-agent
will start it as neede.  Tetsing with gpg is okay, but you can also use

  gpg-connect-agent 
  
and then enter

  scd help

to see all commands supported by scdameon.  The "scd " prefix simply
routes the rest of the command to scdaemon.

  scd help serialno

shows you help for scdaemon's "serialno" command. 

  scd serialno

and runs the command which select the "best" appliication on the current
card.  If the OpenPGP card does not work, try you banking card - there
is a simple application for the "Geldkarte" included.
 

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/8e24adb4/attachment.sig>

From guru at unixarea.de  Mon Nov 20 20:09:29 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Mon, 20 Nov 2017 20:09:29 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <8c73f066-6c03-bbf0-1e91-5cbdf9ee72b8@digitalbrains.com>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251>
 <8c73f066-6c03-bbf0-1e91-5cbdf9ee72b8@digitalbrains.com>
Message-ID: <20171120190929.GA2527@c720-r314251>

El d?a lunes, noviembre 20, 2017 a las 03:07:44p. m. +0100, Peter Lebbing escribi?:

> On 20/11/17 08:56, Matthias Apitz wrote:
> > I killed a running SmartCard Service on Win7 and tested GnuPG on a
> > Cygwin command line.
> 
> Involving Cygwin is yet another non-trivial hurdle to take. I think it's
> best if you get it working on Windows first, and only then try to
> involve another layer in the form of Cygwin.
> 
> You can see what happens when you use gpg.exe from the Windows command
> prompt. If that works out, see what happens in the GUI manager(s)
> included with gpg4win-3.0.0.exe. Assuming it does include GUI software :-).


This gives the same output as from Cygwin:


C:\Users\apitzm\vb\GnuPG\bin>gpg.exe --card-status --debug-all --debug-level guru
gpg: Optionen werden aus
'C:/Users/apitzm/AppData/Roaming/gnupg/gpg.conf' gelesen
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache
memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_0x000000d0 <- OK Pleased to meet you
gpg: DBG: connection to agent established
gpg: DBG: chan_0x000000d0 -> RESET
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> GETINFO version
gpg: DBG: chan_0x000000d0 <- D 2.2.1
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> OPTION allow-pinentry-notify
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> OPTION agent-awareness=2.1.0
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> SCD GETINFO version
gpg: DBG: chan_0x000000d0 <- D 2.2.1
gpg: DBG: chan_0x000000d0 <- OK
gpg: DBG: chan_0x000000d0 -> SCD SERIALNO openpgp
gpg: DBG: chan_0x000000d0 <- ERR 100696144 No such device <SCD>
gpg: selecting openpgp failed: No such device
gpg: OpenPGP Karte ist nicht vorhanden: No such device
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x00000000 calls=0 bytes=0
gpg: secmem usage: 0/32768 bytes in 0 blocks

C:\Users\apitzm\vb\GnuPG\bin>

I saw the next mail from Werner, and will try to follow this.
Thanks

	matthias

-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171120/ec6ef67c/attachment.sig>

From w at uter.be  Tue Nov 21 01:47:45 2017
From: w at uter.be (Wouter Verhelst)
Date: Tue, 21 Nov 2017 01:47:45 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <87ine5v0wn.fsf@wheatstone.g10code.de>
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
 <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
 <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: <20171121004745.b42vf6pukf2okkm6@grep.be>

On Mon, Nov 20, 2017 at 08:56:24AM +0100, Werner Koch wrote:
> On Sun, 19 Nov 2017 15:10, peter at digitalbrains.com said:
> 
> > GnuPG by default does not show *expired* subkeys. Use --list-options
> > show-unusable-subkeys to do that.
> 
> Let me also add that using gpg without any command (as in "...|gpg") is
> deprecated because the output you see is more of a debug message than a
> weel defined output.  This is also the reason why you see the expired
> keys with that command.
> 
> To view a key wityhout first importing it you can do:
> 
>   gpg --import-options show-only --import 
> 
> (Suggestions for the name of a shortcut command are welcome)

--display-input
--decode-input
--parse-input

I'd focus on the word "input" there, and add a verb that doesn't imply
something is being written somewhere.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
     Hacklab


From wk at gnupg.org  Tue Nov 21 08:51:58 2017
From: wk at gnupg.org (Werner Koch)
Date: Tue, 21 Nov 2017 08:51:58 +0100
Subject: [Announce] GnuPG 2.2.3 released
Message-ID: <87bmjwkr1d.fsf@wheatstone.g10code.de>

Hello!

We are is pleased to announce the availability of a new GnuPG release:
version 2.2.3.  This is a maintenance release; see below for a list of
fixed bugs.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As an Universal Crypto
Engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.3
===================================

  * gpgsm: Fix initial keybox creation on Windows. [#3507]

  * dirmngr: Fix crash in case of a CRL loading error. [#3510]

  * Fix the name of the Windows registry key. [Git#4f5afaf1fd]

  * gpgtar: Fix wrong behaviour of --set-filename. [#3500]

  * gpg: Silence AKL retrieval messages. [#3504]

  * agent: Use clock or clock_gettime for calibration. [#3056]

  * agent: Improve robustness of the shutdown pending
    state. [Git#7ffedfab89]


Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or
read on:

GnuPG 2.2.3 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
<https://gnupg.org/download/mirrors.html>.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.3.tar.bz2 (6393k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.3.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.3_20171120.exe (3806k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.3_20171120.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  A new Gpg4win 3.0 installer
featuring this version of GnuPG will be available soon.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.3.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.3.tar.bz2.sig gnupg-2.2.3.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.3.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.3.tar.bz2

   and check that the output matches the next line:

68ed37d363166b5bd79971537484148eb8f2958c  gnupg-2.2.3.tar.bz2
9914e93d5ac50b4e542b4320e1e130dc1552e24b  gnupg-w32-2.2.3_20171120.exe
74d3d9565b4baa5627932b20af557645d7915e77  gnupg-w32-2.2.3_20171120.tar.xz


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech,
French, German, Japanese, Norwegian, Russian, and Ukrainian being almost
completely translated.


Documentation and Support
=========================

If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details availabale only in thee manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to
set up the whole thing.  You may also want to search the GnuPG mailing
list archives or ask on the gnupg-users mailing list for advise on how
to solve problems.  Most of the new features are around for several
years and thus enough public experience is available.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at <https://bugs.gnupg.org>.  If you need commercial
support check out <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs one full-time developer and one
contractor.  Both work exclusivly on GnuPG and closely related software
like Libgcrypt, GPGME, and GPA.  We are planning to extend our team
again.  Right now we are looking for an admin for our bug tracker; see
<https://lists.gnupg.org/pipermail/gnupg-devel/2017-November/033225.html>

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, answering questions on the mailing lists,
and with financial support.


Happy hacking,

   Your GnuPG hackers



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these four keys:

  rsa2048 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key) <dshaw 'at' jabberwocky.com>

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171121/ff3d1167/attachment-0001.sig>
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From guru at unixarea.de  Tue Nov 21 09:15:07 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 21 Nov 2017 09:15:07 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87lgj1os8q.fsf@wheatstone.g10code.de>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251>
 <87lgj1os8q.fsf@wheatstone.g10code.de>
Message-ID: <20171121081507.GA2467@c720-r314251>




Hello,

Thanks, Werner, for the helping hand. I did so to capture the log of the scdaemon.
But did not used the nice trick of TCP, because I did not wanted to have the VM
up and running and blocking the OpenPGP Card on USB. I run all the GnuPG commands
from the DOS cmd shell, only the tail of the scdaemon.log was done in Cygwin.

The scdaemon.conf used was:

$ cat /cygdrive/c/Users/apitzm/AppData/Roaming/gnupg/scdaemon.conf
log-file scdaemon.log
debug-level guru
debug-all
debug-log-tid
card-timeout 30

The produced log is:

$ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
2017-11-21 08:24:04 scdaemon[3868.1] Es wird auf Socket `C:\Users\apitzm\AppData\Roaming\gnupg\S.scdaemon' geh?rt
2017-11-21 08:24:04 scdaemon[3868.2] Handhabungsroutine f?r fd -1 gestartet
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK GNU Privacy Guard's Smartcard server ready
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 <- GETINFO socket_name
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> D C:\Users\apitzm\AppData\Roaming\gnupg\S.scdaemon
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 <- OPTION event-signal=f0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 <- serialno
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:24:04 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:24:04 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:24:04 scdaemon[3868.2] DBG: chan_0x000000b0 -> ERR 100696144 No such device <SCD>
2017-11-21 08:24:23 scdaemon[3868.2] DBG: chan_0x000000b0 <- RESTART
2017-11-21 08:24:23 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:26:07 scdaemon[3868.2] DBG: chan_0x000000b0 <- serialno
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:26:07 scdaemon[3868.2] detected reader ''
2017-11-21 08:26:07 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:26:07 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:26:07 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:26:07 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:26:07 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:26:07 scdaemon[3868.2] DBG: chan_0x000000b0 -> ERR 100696144 No such device <SCD>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 <- help
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # NOP
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # CANCEL
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # OPTION
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # BYE
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # AUTH
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # RESET
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # END
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # HELP
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # SERIALNO [--demand=<serialno>] [<apptype>]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # LEARN [--force] [--keypairinfo]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # READCERT <hexified_certid>|<keyid>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # READKEY [--advanced] <keyid>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # SETDATA [--append] <hexstring>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PKSIGN [--hash=[rmd160|sha{1,224,256,384,512}|md5]] <hexified_id>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PKAUTH <hexified_id>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PKDECRYPT <hexified_id>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # INPUT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # OUTPUT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # GETATTR <name>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # SETATTR <name> <value>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # WRITECERT <hexified_certid>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # WRITEKEY [--force] <keyid>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # GENKEY [--force] [--timestamp=<isodate>] <no>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # RANDOM <nbytes>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # PASSWD [--reset] [--nullpin] <chvno>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # CHECKPIN <idstr>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # LOCK [--wait]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # UNLOCK
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # GETINFO <what>
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # RESTART
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # DISCONNECT
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # APDU [--[dump-]atr] [--more] [--exlen[=N]] [hexstring]
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> # KILLSCD
2017-11-21 08:26:46 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:27:09 scdaemon[3868.2] DBG: chan_0x000000b0 <- restart
2017-11-21 08:27:09 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:28:18 scdaemon[3868.2] DBG: chan_0x000000b0 <- RESTART
2017-11-21 08:28:18 scdaemon[3868.2] DBG: chan_0x000000b0 -> OK
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x000000b0 <- serialno
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
2017-11-21 08:29:15 scdaemon[3868.2] detected reader ''
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_open_reader => slot=0 [pc/sc]
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_connect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] pcsc_connect failed: removed card (0x80100069)
2017-11-21 08:29:15 scdaemon[3868.2] reader slot 0: not connected
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_connect => sw=0x10008
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_close_reader: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: enter: apdu_disconnect: slot=0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_disconnect => sw=0x0
2017-11-21 08:29:15 scdaemon[3868.2] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2017-11-21 08:29:15 scdaemon[3868.2] DBG: chan_0x000000b0 -> ERR 100696144 No such device <SCD>
-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdi? la Guerra.
May 8, 1945: Who does not celebrate lost the War.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171121/98ec2faf/attachment.sig>

From gniibe at fsij.org  Tue Nov 21 10:50:18 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 21 Nov 2017 18:50:18 +0900
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171121081507.GA2467@c720-r314251>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de> <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de> <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251> <87lgj1os8q.fsf@wheatstone.g10code.de>
 <20171121081507.GA2467@c720-r314251>
Message-ID: <87lgj06jvp.fsf@fsij.org>

Matthias Apitz <guru at unixarea.de> wrote:
> The produced log is:
>
> $ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
[...]
> 2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
> 2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
> 2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected

You have five card readers (the last one looks strange, though).

GnuPG's scdaemon select the first one as default.  IIUC, you want to use
'Identiv uTrust 3512 SAM slot Token 0'.

In .gnupg/scdaemon.conf, you should have something like:
===================
reader-port "Identiv uTrust 3512 SAM slot Token"
===================

... to select the token.
-- 


From peter at digitalbrains.com  Tue Nov 21 14:01:51 2017
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 21 Nov 2017 14:01:51 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <87ine5v0wn.fsf@wheatstone.g10code.de>
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
 <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
 <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: <a2fcae1b-3b84-e139-f429-5b4c3fd13670@digitalbrains.com>

On 20/11/17 08:56, Werner Koch wrote:
> (Suggestions for the name of a shortcut command are welcome)
How about just --show? It was suggested in an unfriendly manner at
LWN[1], but apart from the unfriendliness, I do think it makes sense.

It does imply that it works for more than just keys, though. I wonder if
that is a bad thing. Wouldn't a command that just shows the contents of
a file without processing it make sense? It could show all that
--import-options show-only shows for keys, or show recipients for
encrypted files, signers for signed files (no verification), etcetera. A
less techy version of --list-only --list-packets.

Peter.

[1] <https://lwn.net/Articles/736139/>

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171121/5cf1730a/attachment.sig>

From guru at unixarea.de  Tue Nov 21 15:59:21 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Tue, 21 Nov 2017 15:59:21 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <87lgj06jvp.fsf@fsij.org>
References: <20171115080632.GA2621@c720-r314251>
 <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251>
 <87lgj1os8q.fsf@wheatstone.g10code.de>
 <20171121081507.GA2467@c720-r314251> <87lgj06jvp.fsf@fsij.org>
Message-ID: <20171121145921.GA2874@c720-r314251>

El d?a martes, noviembre 21, 2017 a las 06:50:18p. m. +0900, NIIBE Yutaka escribi?:

> Matthias Apitz <guru at unixarea.de> wrote:
> > The produced log is:
> >
> > $ cat ../AppData/Local/VirtualStore/Windows/SysWOW64/scdaemon.log
> [...]
> > 2017-11-21 08:24:04 scdaemon[3868.2] DBG: enter: apdu_open_reader: portstr=(null)
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contacted SmartCard 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Broadcom Corp Contactless SmartCard 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'BROADCOM NFC Smartcard Reader 1'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader 'Identiv uTrust 3512 SAM slot Token 0'
> > 2017-11-21 08:24:04 scdaemon[3868.2] detected reader ''
> > 2017-11-21 08:24:04 scdaemon[3868.2] reader slot 0: not connected
> 
> You have five card readers (the last one looks strange, though).
> 
> GnuPG's scdaemon select the first one as default.  IIUC, you want to use
> 'Identiv uTrust 3512 SAM slot Token 0'.
> 
> In .gnupg/scdaemon.conf, you should have something like:
> ===================
> reader-port "Identiv uTrust 3512 SAM slot Token"
> ===================
> 
> ... to select the token.

Thanks! Adding the above line to GNUPGHOME/scdaemon.conf makes it all work,
even the GPA and other GUI tools.

	matthias
-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171121/a7d69f84/attachment.sig>

From dustincr at hotmail.com  Tue Nov 21 17:40:17 2017
From: dustincr at hotmail.com (Dustin Rogers)
Date: Tue, 21 Nov 2017 16:40:17 +0000
Subject: Which gnupg2-smime should I use for this build?
Message-ID: <DM5PR12MB16759F4D97E6CA596EEFDF8CCF230@DM5PR12MB1675.namprd12.prod.outlook.com>

Hi gnupg users:


Which gnupg2-smime should I use here with this amazn linux?


Error: Package: gnupg2-smime-2.0.14-8.el6.x86_64 (/gnupg2-smime-2.0.14-8.el6.x86_64)

           Requires: gnupg2 = 2.0.14-8.el6

           Installed: gnupg2-2.0.28-1.30.amzn1.x86_64 (installed)

               gnupg2 = 2.0.28-1.30.amzn1

You could try using --skip-broken to work around the problem

You could try running: rpm -Va --nofiles --nodigest


I found a 2.0.28 version for fedora core? Should I try that?


Thank you,

-Dustin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171121/d24cfa20/attachment-0001.html>

From mac3iii at gmail.com  Wed Nov 22 03:44:03 2017
From: mac3iii at gmail.com (murphy)
Date: Tue, 21 Nov 2017 21:44:03 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>

My goal is to compile the latest version of GnuPG for Ubuntu.? The
following bash file does pretty well:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y zlib1g-dev
sudo apt-get install -y libgmp-dev
sudo apt-get install -y nettle-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y adns-tools
sudo apt-get install -y libreadline-dev
sudo apt-get install -y pinentry-gtk2
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local
sudo ldconfig

But there are a couple of no answers I would like to eliminate:

GnuPG v2.2.3 has been configured as follows:

Revision:? 97f4fea? (38900)
Platform:? GNU/Linux (x86_64-pc-linux-gnu)

OpenPGP:?? yes
S/MIME:??? yes
Agent:???? yes
Smartcard: yes (without internal CCID driver)
G13:?????? no
Dirmngr:?? yes
Gpgtar:??? yes
WKS tools: no

Protect tool:????? (default)
LDAP wrapper:????? (default)
Default agent:???? (default)
Default pinentry:? (default)
Default scdaemon:? (default)
Default dirmngr:?? (default)

Dirmngr auto start:? yes
Readline support:??? yes
LDAP support:??????? yes
TLS support:???????? gnutls
TOFU support:??????? yes
Tor support:???????? yes

Specifically G13 and WKS tools are not supported.? Am I missing some
dependencies?? Preferably they should be available via 'sudo apt-get
install' since this is checked for in new compiles and not reinstalled.

The bash file works on a fresh install of Ubuntu 16.04, 17.10 and
Raspbian Stretch (for Raspberry Pi).? Any suggestions for improvements?

Murphy




From rjh at sixdemonbag.org  Wed Nov 22 08:54:36 2017
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 22 Nov 2017 02:54:36 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
Message-ID: <fb99cdda-90d8-f5f8-7751-a0320d6c0901@sixdemonbag.org>

> The bash file works on a fresh install of Ubuntu 16.04, 17.10 and
> Raspbian Stretch (for Raspberry Pi).? Any suggestions for improvements?

Pass --enable-g13 --enable-wks-tools to your make invocation.

make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local \
  speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools' \
  native

Also see https://wiki.gnupg.org/WKS .

Hope this helps!


From wk at gnupg.org  Wed Nov 22 10:11:19 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 Nov 2017 10:11:19 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <a2fcae1b-3b84-e139-f429-5b4c3fd13670@digitalbrains.com> (Peter
 Lebbing's message of "Tue, 21 Nov 2017 14:01:51 +0100")
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
 <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
 <87ine5v0wn.fsf@wheatstone.g10code.de>
 <a2fcae1b-3b84-e139-f429-5b4c3fd13670@digitalbrains.com>
Message-ID: <87bmjuhe4o.fsf@wheatstone.g10code.de>

On Tue, 21 Nov 2017 14:01, peter at digitalbrains.com said:

> How about just --show? It was suggested in an unfriendly manner at

Similar to Wouter's suggestions --show is not specific enough and does
not explain that this is to show the keys and not messages.

> a file without processing it make sense? It could show all that
> --import-options show-only shows for keys, or show recipients for

Unless we want to continue the current and mostly debugish output of
whatever gpg shows without commands, this requires that the type of the
input is first detected.  In GPGME we have code to do this which could
be lifted for use in gpg.  With that --show would make sense.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/906fb557/attachment.sig>

From wk at gnupg.org  Wed Nov 22 10:18:33 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 Nov 2017 10:18:33 +0100
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> (murphy's
 message of "Tue, 21 Nov 2017 21:44:03 -0500")
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
Message-ID: <877euihdsm.fsf@wheatstone.g10code.de>

On Wed, 22 Nov 2017 03:44, mac3iii at gmail.com said:

> sudo apt-get install -y adns-tools

You should not need this.  

> sudo apt-get install -y pcscd scdaemon

I guess you install scdaemon to get some infrastructure provided by
Ubuntu in their scdameon package.

> Specifically G13 and WKS tools are not supported.? Am I missing some

WKS tools is just the gpg-wks-server which is commonly not needed.  The
gpg-wks-client will be build anyway.  --enable-g13 is too Linux specific
to be enabled by default and is missing all documentation.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/c4998034/attachment.sig>

From wk at gnupg.org  Wed Nov 22 10:20:22 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 22 Nov 2017 10:20:22 +0100
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com> (murphy's
 message of "Tue, 21 Nov 2017 21:44:03 -0500")
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
Message-ID: <873756hdpl.fsf@wheatstone.g10code.de>

On Wed, 22 Nov 2017 03:44, mac3iii at gmail.com said:

> sudo apt-get install -y libgmp-dev
> sudo apt-get install -y nettle-dev
> sudo apt-get install -y libgnutls28-dev

These are also not needed because the speedo Makefile will download and
use ntbtls instead.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/52431d25/attachment.sig>

From seby2kt14 at gmail.com  Wed Nov 22 11:16:44 2017
From: seby2kt14 at gmail.com (Seby)
Date: Wed, 22 Nov 2017 10:16:44 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbqrg=AAE-jPVFNLvnRuwTziK7gsv4-Kr+NS0QchyGYjTg@mail.gmail.com>
 <CAHEKVbqowCnkJhDudZzmt3vUwVLd=Lbw8ARtR+5rtTJ3=w_Aqw@mail.gmail.com>
 <CAHEKVbrXKbgE2P-FAs4qj1_B5rAcS3xQ3XrWxiTb0DYps3e4rw@mail.gmail.com>
 <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
Message-ID: <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>

Hello,

Is there any possibility i could encrypt some text to a public key but
without importing it to my keyring? Passing it to gnupg via command line or
something (i do know and accept that if i want to encrypt multiple messages
or files to the same key i will have to provide it every time) .

Sebastian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/42c7bba1/attachment.html>

From mac3iii at gmail.com  Wed Nov 22 14:09:32 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 08:09:32 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <6e8f4238-059a-70bc-1ef7-eb1435fee481@gmail.com>

Thanks to all for the suggested improvements!!

One think I forgot to mention was to add the configuration:

nano ~/.gnupg/gpg-agent.conf

pinentry-program /usr/bin/pinentry-gtk-2

This is required since pinentry is not compiled from source but
installed as an Ubuntu package.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/32cb2810/attachment.sig>

From bereska at hotmail.com  Wed Nov 22 12:00:53 2017
From: bereska at hotmail.com (Dmitry Gudkov)
Date: Wed, 22 Nov 2017 11:00:53 +0000
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <873756hdpl.fsf@wheatstone.g10code.de>
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
 <873756hdpl.fsf@wheatstone.g10code.de>
Message-ID: <DM5PR01MB2236B2A6335738CA49A80A2CA6200@DM5PR01MB2236.prod.exchangelabs.com>

Dear Werner,

Could you give me (a gnupg newbie) clear instructions to compile the latest version for Ubuntu 16.04.3?
I?m running it as a VM in VirtualBox on my Mac.

Also I need you advice on my keys. Now I have rsa2048 but want to switch to rsa4096. What?s the best way of doing? Migrate or delete & create a new one? On the other hand I?ve noticed you have rsa2048. Maybe just keep rsa2048?

P.S. I have been happily using GnuPG 2.1.22 on my Mac, which I installed as binary. Now it?s time to move on with building my own like a pro) on Linux

Danke
Dmitry

22.11.2017, 12:31 ???????????? "Gnupg-users ?? ????? Werner Koch" <gnupg-users-bounces at gnupg.org ?? ????? wk at gnupg.org> ???????:

    On Wed, 22 Nov 2017 03:44, mac3iii at gmail.com said:
    
    > sudo apt-get install -y libgmp-dev
    > sudo apt-get install -y nettle-dev
    > sudo apt-get install -y libgnutls28-dev
    
    These are also not needed because the speedo Makefile will download and
    use ntbtls instead.
    
    
    Shalom-Salam,
    
       Werner
    
    -- 
    Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
    _______________________________________________
    Gnupg-users mailing list
    Gnupg-users at gnupg.org
    https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.gnupg.org%2Fmailman%2Flistinfo%2Fgnupg-users&data=02%7C01%7Cbereska%40hotmail.com%7C63437d0ef6f64667f31808d5318bc7e9%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C636469398771031091&sdata=RLHdOolYXmecqfk4ME6mEmRGgtLKlDhSC9%2FvoAngZE8%3D&reserved=0
    



From mac3iii at gmail.com  Wed Nov 22 17:49:53 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 11:49:53 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <DM5PR01MB2236B2A6335738CA49A80A2CA6200@DM5PR01MB2236.prod.exchangelabs.com>
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
 <873756hdpl.fsf@wheatstone.g10code.de>
 <DM5PR01MB2236B2A6335738CA49A80A2CA6200@DM5PR01MB2236.prod.exchangelabs.com>
Message-ID: <507d3f1c-56f1-26b9-27c2-169a1120acca@gmail.com>



On 11/22/2017 06:00 AM, Dmitry Gudkov wrote:
> ...clear instructions to compile the latest version for Ubuntu 16.04.3?
Hi Dmitry - I haven't finished testing Werner's suggestions but this
will work on Ubuntu 16.04:
1.? create an empty file: gpg223.sh and cut, paste and save the following:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y zlib1g-dev
sudo apt-get install -y libgmp-dev
sudo apt-get install -y nettle-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y adns-tools
sudo apt-get install -y libreadline-dev
sudo apt-get install -y qtbase5-dev
sudo apt-get install -y pinentry-gtk2
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local
speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools' native
sudo ldconfig

2. run the above in the location you saved it: sudo bash gpg223.sh
3. after maybe 5-10 minutes it should complete the compilation, check
the install: gpg --version
4. create subdirectories (if necessary) with: gpg -K
5. use nano to create a configuration file: nano ~/.gnupg/gpg-agent.conf
6. add the line: pinentry-program /usr/bin/pinentry-gtk-2
7. save by ctrl-x, y, enter

One final note for 32 bit machines or operating systems (VM in 32 bit
mode or Raspberry Pi) I found the following change is needed:

1. sudo nano /etc/ld.so.conf
2. add as the first line:? include /etc/ld.so.conf.d/libc.conf
3. save
4. sudo ldconfig

Hope it works for you!
Murphy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/b6366499/attachment.sig>

From seby2kt14 at gmail.com  Wed Nov 22 20:32:25 2017
From: seby2kt14 at gmail.com (Seby)
Date: Wed, 22 Nov 2017 19:32:25 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbqrg=AAE-jPVFNLvnRuwTziK7gsv4-Kr+NS0QchyGYjTg@mail.gmail.com>
 <CAHEKVbqowCnkJhDudZzmt3vUwVLd=Lbw8ARtR+5rtTJ3=w_Aqw@mail.gmail.com>
 <CAHEKVbrXKbgE2P-FAs4qj1_B5rAcS3xQ3XrWxiTb0DYps3e4rw@mail.gmail.com>
 <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
 <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
Message-ID: <CAHEKVbraAZ1t=n9ucGD3Ez9qVpHLs-279E4+xsJ+dGS=usSTxw@mail.gmail.com>

I need to pass it via batch or something... Like this:
$pgp_public_key = 'pgp public key text armored'
 gpg -e -r $pgp_public_key --always_trust

Basically use gnupg without a keyring or trustdb. And the pass the armored
pgp public key with each command and operation.

Thank you in advance.

On Nov 22, 2017 12:16, "Seby" <seby2kt14 at gmail.com> wrote:

> Hello,
>
> Is there any possibility i could encrypt some text to a public key but
> without importing it to my keyring? Passing it to gnupg via command line or
> something (i do know and accept that if i want to encrypt multiple messages
> or files to the same key i will have to provide it every time) .
>
> Sebastian
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/54c5394a/attachment.html>

From mac3iii at gmail.com  Wed Nov 22 21:05:26 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 15:05:26 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <6587b49c-b671-3998-3740-97adeda8bd51@gmail.com>

Note that the last lines of the bash file in my previous post didn't
print right (arrrgh, my attempt to clarify backfired).? It is probably
best to leave it as Werner hinted anyway:

sudo make -f build-aux/speedo.mk native INSTALL_PREFIX=/usr/local

sudo ldconfig


murphy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/db7e2052/attachment.sig>

From dustincr at hotmail.com  Wed Nov 22 19:53:20 2017
From: dustincr at hotmail.com (Dustin Rogers)
Date: Wed, 22 Nov 2017 18:53:20 +0000
Subject: Which gnupg2-smime should I use for this build?
In-Reply-To: <DM5PR12MB16759F4D97E6CA596EEFDF8CCF230@DM5PR12MB1675.namprd12.prod.outlook.com>
References: <DM5PR12MB16759F4D97E6CA596EEFDF8CCF230@DM5PR12MB1675.namprd12.prod.outlook.com>
Message-ID: <DM5PR12MB16758CFB0F8EDB3A7E9270E0CF200@DM5PR12MB1675.namprd12.prod.outlook.com>

Hi All:


Outside of the RPM package that I was using, for some reason I was trying
yum install gpgsm.


I used
yum install gnupg2-smime

and it found the correct pkg.


I just needed to use the correct command.


Thank you,

-Dustin


________________________________
From: Dustin Rogers <dustincr at hotmail.com>
Sent: Tuesday, November 21, 2017 10:40 AM
To: gnupg-users at gnupg.org; informationsecurityencryption at capitalone.com
Subject: Which gnupg2-smime should I use for this build?


Hi gnupg users:


Which gnupg2-smime should I use here with this amazn linux?


Error: Package: gnupg2-smime-2.0.14-8.el6.x86_64 (/gnupg2-smime-2.0.14-8.el6.x86_64)

           Requires: gnupg2 = 2.0.14-8.el6

           Installed: gnupg2-2.0.28-1.30.amzn1.x86_64 (installed)

               gnupg2 = 2.0.28-1.30.amzn1

You could try using --skip-broken to work around the problem

You could try running: rpm -Va --nofiles --nodigest


I found a 2.0.28 version for fedora core? Should I try that?


Thank you,

-Dustin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/e9e97913/attachment.html>

From gnupg-users at spodhuis.org  Wed Nov 22 23:45:05 2017
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Wed, 22 Nov 2017 17:45:05 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <6e8f4238-059a-70bc-1ef7-eb1435fee481@gmail.com>
References: <6e8f4238-059a-70bc-1ef7-eb1435fee481@gmail.com>
Message-ID: <20171122224505.GA18967@tower.spodhuis.org>

On 2017-11-22 at 08:09 -0500, murphy wrote:
> pinentry-program /usr/bin/pinentry-gtk-2
> 
> This is required since pinentry is not compiled from source but
> installed as an Ubuntu package.

GnuPG's configure takes --with-pinentry-pgm=... to override the default.

(I build the https://public-packages.pennock.tech/ packages (Xenial,
Trusty, Jessie, Stretch; amd64; all installing into /opt/gnupg) using
Vagrant on macOS, VirtualBox driver.  The repos are maintained with
aptly.)

-Phil


From mac3iii at gmail.com  Thu Nov 23 01:57:00 2017
From: mac3iii at gmail.com (murphy)
Date: Wed, 22 Nov 2017 19:57:00 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <1cbbe5fe-ed97-c84e-5297-019c8a14b2d0@gmail.com>

Thanks Robert and Werner.? Goal accomplished :)


OpenPGP:?? yes
S/MIME:??? yes
Agent:???? yes
Smartcard: yes (without internal CCID driver)
G13:?????? yes
Dirmngr:?? yes
Gpgtar:??? yes
WKS tools: yes

The deletion of adns-tools, libgmp-dev, nettle-dev and libgnutls28-dev
from my bash file resulted in a failure to find a suitable c/c++
compiler when using a new install of ubuntu.? I'm not sure which one
loaded the required compiler yet...or which compiler it is... but I'm
still looking (a new installation of Ubuntu for each change takes time
;-)? The pcscd and scdaemon was to enable the Yubikey smart card (per
their recommendation)? I will also try without the Ubuntu version of
scdaemon to see if it still works.

Thanks (I feel complete now)

murphy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171122/e5b5c9c0/attachment.sig>

From mac3iii at gmail.com  Fri Nov 24 00:57:51 2017
From: mac3iii at gmail.com (murphy)
Date: Thu, 23 Nov 2017 18:57:51 -0500
Subject: Complete Ubuntu compile of GnuPG
Message-ID: <0390549d-69e9-8e90-61d1-9f9bbfba93f3@gmail.com>

Thanks to all for suggestions.? For a complete compile on a fresh
install of Ubuntu, I managed to get the bash file down to a minimum of:

cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y zlib1g-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y libreadline-dev
sudo apt-get install -y pinentry-gtk2
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local \
? speedo_pkg_gnupg_configure='--enable-g13 \
? --enable-wks-tools' native
sudo ldconfig

Without the libgnutls28-dev install Ubuntu is without a suitable
compiler or even the make command.? This installs make, gcc+-7 and
probably lots of unnecessary stuff but at least it is a one-liner.? For
the Yubikey smart card the Ubuntu package scdaemon seems to be required
as gpg --card-edit complains and fails if it is not included in the
ubuntu installation list.? This bash file has the advantage of using
only Ubuntu packages and speedo, so the only update change needed is
changing a single digit in version=gnupg-2.2.3 for the near future
upgrades.? No unnecessary repeat compiles are done since pinentry is a
package, although it is necessary to include the configuration file at
least once:

nano ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-gtk-2

or the pinentry version of your choice (-gnome3, -qt, -tty, -x11,
-curses packages are all available for install and configure).

I'm sure this can be improved upon and I am eager to see if it can be
made even smaller and faster while keeping the convenience of changing a
single digit and renaming gpg223.sh to gpg224.sh.

Thanks - murphy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171123/5733b0e3/attachment.sig>

From gniibe at fsij.org  Fri Nov 24 01:48:43 2017
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 24 Nov 2017 09:48:43 +0900
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <CAHEKVbraAZ1t=n9ucGD3Ez9qVpHLs-279E4+xsJ+dGS=usSTxw@mail.gmail.com>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbqrg=AAE-jPVFNLvnRuwTziK7gsv4-Kr+NS0QchyGYjTg@mail.gmail.com>
 <CAHEKVbqowCnkJhDudZzmt3vUwVLd=Lbw8ARtR+5rtTJ3=w_Aqw@mail.gmail.com>
 <CAHEKVbrXKbgE2P-FAs4qj1_B5rAcS3xQ3XrWxiTb0DYps3e4rw@mail.gmail.com>
 <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
 <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
 <CAHEKVbraAZ1t=n9ucGD3Ez9qVpHLs-279E4+xsJ+dGS=usSTxw@mail.gmail.com>
Message-ID: <87efooh578.fsf@iwagami.gniibe.org>

Seby <seby2kt14 at gmail.com> wrote:
> Basically use gnupg without a keyring or trustdb. And the pass the armored
> pgp public key with each command and operation.

AFAIK, such a usage is not supported by GnuPG.

Well, I would imagine some use cases when we want to avoid any
dependency to specific user's configuration, keyring, and trustdb, of
his own.

Approximation would be using ephemeral GNUPGHOME.

I mean, starting your GnuPG session (or script) with:

   $ export GNUPGHOME=$(mktemp -p /run/user/$(id -u) -d)
   $ chmod og-rwx $GNUPGHOME; echo $GNUPGHOME

and remove the $GNUPGHOME after its use.

This is very useful for testing GnuPG, for example. 
-- 


From seby2kt14 at gmail.com  Fri Nov 24 02:02:50 2017
From: seby2kt14 at gmail.com (Seby)
Date: Fri, 24 Nov 2017 01:02:50 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <87efooh578.fsf@iwagami.gniibe.org>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbqrg=AAE-jPVFNLvnRuwTziK7gsv4-Kr+NS0QchyGYjTg@mail.gmail.com>
 <CAHEKVbqowCnkJhDudZzmt3vUwVLd=Lbw8ARtR+5rtTJ3=w_Aqw@mail.gmail.com>
 <CAHEKVbrXKbgE2P-FAs4qj1_B5rAcS3xQ3XrWxiTb0DYps3e4rw@mail.gmail.com>
 <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
 <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
 <CAHEKVbraAZ1t=n9ucGD3Ez9qVpHLs-279E4+xsJ+dGS=usSTxw@mail.gmail.com>
 <87efooh578.fsf@iwagami.gniibe.org>
Message-ID: <CAHEKVbpctGpYsABPgGmxuzT10xjCZGXwZjPHCddvbu6p7QLAqg@mail.gmail.com>

Hello,

Thanks a lot for the reply.

NIIBE Yutaka <gniibe at fsij.org> wrote:
> Seby <seby2kt14 at gmail.com> wrote:
>> Basically use gnupg without a keyring or trustdb. And the pass the armored
>> pgp public key with each command and operation.
>
> AFAIK, such a usage is not supported by GnuPG.
>
> Well, I would imagine some use cases when we want to avoid any
> dependency to specific user's configuration, keyring, and trustdb, of
> his own.
>
> Approximation would be using ephemeral GNUPGHOME.
>
> I mean, starting your GnuPG session (or script) with:
>
>    $ export GNUPGHOME=$(mktemp -p /run/user/$(id -u) -d)
>    $ chmod og-rwx $GNUPGHOME; echo $GNUPGHOME
>
> and remove the $GNUPGHOME after its use.
>
> This is very useful for testing GnuPG, for example.
> --

The use case is that a script encrypts stuff for different public
keys. I don't want to save those public keys to files, then import
them in the keyring, do the operation and then delete from the keyring
because this is a lot of operations plus using files might be
problematic on edge cases.

Am I correct that a way around changing the GNUPGHOME variable is
using the --no-default-keyring argument?

So no way for me to do an operation just by having the public key in
clipboard for example (no saving to file, no import, etc.)?

Seby


From seby2kt14 at gmail.com  Fri Nov 24 02:44:08 2017
From: seby2kt14 at gmail.com (Seby)
Date: Fri, 24 Nov 2017 01:44:08 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <CAHEKVbpctGpYsABPgGmxuzT10xjCZGXwZjPHCddvbu6p7QLAqg@mail.gmail.com>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbqrg=AAE-jPVFNLvnRuwTziK7gsv4-Kr+NS0QchyGYjTg@mail.gmail.com>
 <CAHEKVbqowCnkJhDudZzmt3vUwVLd=Lbw8ARtR+5rtTJ3=w_Aqw@mail.gmail.com>
 <CAHEKVbrXKbgE2P-FAs4qj1_B5rAcS3xQ3XrWxiTb0DYps3e4rw@mail.gmail.com>
 <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
 <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
 <CAHEKVbraAZ1t=n9ucGD3Ez9qVpHLs-279E4+xsJ+dGS=usSTxw@mail.gmail.com>
 <87efooh578.fsf@iwagami.gniibe.org>
 <CAHEKVbpctGpYsABPgGmxuzT10xjCZGXwZjPHCddvbu6p7QLAqg@mail.gmail.com>
Message-ID: <CAHEKVbqDwVm6K1Hcb4xcEKu5Z9U=XRAkUfM5e6iH=UdFK1AvyA@mail.gmail.com>

 Seby <seby2kt14 at gmail.com> wrote:
>> Approximation would be using ephemeral GNUPGHOME.
>>
>> I mean, starting your GnuPG session (or script) with:
>>
>>    $ export GNUPGHOME=$(mktemp -p /run/user/$(id -u) -d)
>>    $ chmod og-rwx $GNUPGHOME; echo $GNUPGHOME
>>
>> and remove the $GNUPGHOME after its use.
>>
>> This is very useful for testing GnuPG, for example.
[SNIP]
> Am I correct that a way around changing the GNUPGHOME variable is
> using the --no-default-keyring argument?

(No, that is not correct. --homedir is what overrides $GNUPGHOME)

Back to the subject, saving to at least a temporary keyring is my only
solution? Nothing else I can use in batch mode to serve the armored
key from clipboard somehow and do the operation?

If this is the only solution, what are the safety recommendations for
a use case where many many parallel requests will be sent to do
operations (possibly even using the same public key) so things don't
break? Does it help if I randomize --homedir and make it different
with every request / command?

Thanks.


From kloecker at kde.org  Fri Nov 24 08:13:12 2017
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Fri, 24 Nov 2017 08:13:12 +0100
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <CAHEKVbqDwVm6K1Hcb4xcEKu5Z9U=XRAkUfM5e6iH=UdFK1AvyA@mail.gmail.com>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbpctGpYsABPgGmxuzT10xjCZGXwZjPHCddvbu6p7QLAqg@mail.gmail.com>
 <CAHEKVbqDwVm6K1Hcb4xcEKu5Z9U=XRAkUfM5e6iH=UdFK1AvyA@mail.gmail.com>
Message-ID: <2918182.x3P4M4sRDf@thufir>

On Freitag, 24. November 2017 02:44:08 CET Seby wrote:
> Back to the subject, saving to at least a temporary keyring is my only
> solution? Nothing else I can use in batch mode to serve the armored
> key from clipboard somehow and do the operation?

Yes.


> If this is the only solution, what are the safety recommendations for
> a use case where many many parallel requests will be sent to do
> operations (possibly even using the same public key) so things don't
> break? Does it help if I randomize --homedir and make it different
> with every request / command?

A possible solution for many parallel requests (you need to verify its 
viability) could be some kind of containerization (e.g. Docker or something 
more low-level). If every request is handled by a new container then all 
operations are nicely isolated and nothing can break.


Regards,
Ingo



From seby2kt14 at gmail.com  Fri Nov 24 10:01:10 2017
From: seby2kt14 at gmail.com (Seby)
Date: Fri, 24 Nov 2017 09:01:10 +0000
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <2918182.x3P4M4sRDf@thufir>
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbpctGpYsABPgGmxuzT10xjCZGXwZjPHCddvbu6p7QLAqg@mail.gmail.com>
 <CAHEKVbqDwVm6K1Hcb4xcEKu5Z9U=XRAkUfM5e6iH=UdFK1AvyA@mail.gmail.com>
 <2918182.x3P4M4sRDf@thufir>
Message-ID: <CAHEKVbqQ2Sy7RYGOgzCXvWheBnD6aUNBnx0b8=-kxAwKGF3BhQ@mail.gmail.com>

"Ingo Kl?cker" <kloecker at kde.org> wrote:

On Freitag, 24. November 2017 02:44:08 CET Seby wrote:
> Back to the subject, saving to at least a temporary keyring is my only
> solution? Nothing else I can use in batch mode to serve the armored
> key from clipboard somehow and do the operation?

Yes.


> If this is the only solution, what are the safety recommendations for
> a use case where many many parallel requests will be sent to do
> operations (possibly even using the same public key) so things don't
> break? Does it help if I randomize --homedir and make it different
> with every request / command?

A possible solution for many parallel requests (you need to verify its
viability) could be some kind of containerization (e.g. Docker or something
more low-level). If every request is handled by a new container then all
operations are nicely isolated and nothing can break.


Regards,
Ingo


Thanks for the answer. If i run the command every time in a different shell
or with a different user, will this help? I am not familiar with docker.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171124/5fed417c/attachment.html>

From guru at unixarea.de  Fri Nov 24 10:55:13 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 24 Nov 2017 10:55:13 +0100
Subject: Using the OpenPGP Card on Unix && Win7
In-Reply-To: <20171121145921.GA2874@c720-r314251>
References: <87mv3n6b7h.fsf@wheatstone.g10code.de>
 <20171116125634.GA3841@c720-r314251>
 <87tvxuw0ag.fsf@wheatstone.g10code.de>
 <20171117150925.GA3957@c720-r314251>
 <d3794f4a-1597-c3dc-5be0-2ce91af092ae@digitalbrains.com>
 <20171120075612.GA2475@c720-r314251>
 <87lgj1os8q.fsf@wheatstone.g10code.de>
 <20171121081507.GA2467@c720-r314251> <87lgj06jvp.fsf@fsij.org>
 <20171121145921.GA2874@c720-r314251>
Message-ID: <20171124095513.GA19318@c720-r314251>


One last question on this. The gpg4win-3.0.0.exe installs among others an
OutLook plugin (GpgOl DLL) which let you encrypt and sign mails in
OutLook. Ofc, my keypair I'm using with the OpenPGP Card was built for 
'Matthias Apitz  <guru at unixarea.de>' and not for my company mail addr 
Matthias.Apitz at oclc.org; this brings always on signing up a Window like this
http://www.unixarea.de/kleo3.jpg of Kleopatra because it can not choose
by its own the correct certificate. Is there a way to configure this
within Kleopatra or GpgOl?

Thanks

	matthias
-- 
Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/  ? +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171124/cbd1e5fe/attachment.sig>

From nicolas.boullis at ecp.fr  Fri Nov 24 10:30:44 2017
From: nicolas.boullis at ecp.fr (Nicolas Boullis)
Date: Fri, 24 Nov 2017 10:30:44 +0100
Subject: Ask gpg-agent/scdaemon to release a smartcard?
Message-ID: <20171124093044.3tq3nrcvpqnk6l3c@eridan.ccs.ecp.fr>

Hi,

I just got a new Yubikey 4 token, that I?m willing to use for its PIV 
applet. Unfotunately, as soon as I connect it, gpg-agent/scdaemon sees 
its OpenPGP applet and connects to it. Then, if I try to use the PIV 
applet, I get error messages like:
  Failed to connect to card: Reader in use by another application

Is there a way I can ask gpg-agent/scdaemon to release this smartcard, 
so I can use it with another application? Or even better some way to 
?share? the reader?

Note that killing gpg-agent or completely disabling smartcard support 
would not be an option, since I also use an OpenPGP Smart Card.

I also know that I have the option to use my token with 
gpg-agent/scdaemon and Scute, but I think more complex to set up for end 
users.


Best regards,

-- 
Nicolas


From wk at gnupg.org  Fri Nov 24 12:10:24 2017
From: wk at gnupg.org (Werner Koch)
Date: Fri, 24 Nov 2017 12:10:24 +0100
Subject: Encrypt to a key without importing it to keyring
In-Reply-To: <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
 (Seby's message of "Wed, 22 Nov 2017 10:16:44 +0000")
References: <CAHEKVbr_9MmDwBt+STAsVtZKZuhSnd27Ey-CdkiRsjG4DovEdg@mail.gmail.com>
 <CAHEKVbqrg=AAE-jPVFNLvnRuwTziK7gsv4-Kr+NS0QchyGYjTg@mail.gmail.com>
 <CAHEKVbqowCnkJhDudZzmt3vUwVLd=Lbw8ARtR+5rtTJ3=w_Aqw@mail.gmail.com>
 <CAHEKVbrXKbgE2P-FAs4qj1_B5rAcS3xQ3XrWxiTb0DYps3e4rw@mail.gmail.com>
 <CAHEKVbprb=fyuvT7uoCdVUHBCo=YOXHu5APcEeb=-4Jm+9XAmg@mail.gmail.com>
 <CAHEKVbq+LJDyKgiSPdCQR3A4LLdtX+6C0uaYZmF19-c8tvoUPQ@mail.gmail.com>
Message-ID: <877eug53vj.fsf@wheatstone.g10code.de>

On Wed, 22 Nov 2017 11:16, seby2kt14 at gmail.com said:

> Is there any possibility i could encrypt some text to a public key but
> without importing it to my keyring? Passing it to gnupg via command line or

  gpg -e -f FILE_WITH_KEY 

or -F for hidden recipient.

   --recipient-file file
   -f   This option is similar to --recipient except that it encrypts to
        a key stored in the given file.  file must be the name of
        a file containing exactly one key.  gpg assumes that the
        key in this file is fully valid.

Requires at least 2.1.14


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171124/d9fe498e/attachment.sig>

From 2017-r3sgs86x8e-lists-groups at riseup.net  Sat Nov 25 11:54:15 2017
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sat, 25 Nov 2017 10:54:15 +0000
Subject: Getting more verbose details of a key
In-Reply-To: <87ine5v0wn.fsf@wheatstone.g10code.de>
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com> 
 <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
 <87ine5v0wn.fsf@wheatstone.g10code.de>
Message-ID: <94683068.20171125105415@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Monday 20 November 2017 at 7:56:24 AM, in
<mid:87ine5v0wn.fsf at wheatstone.g10code.de>, Werner Koch wrote:-


>   gpg --import-options show-only --import 

> (Suggestions for the name of a shortcut command are
> welcome)

How about gpg --list-keys --file filename?

- -- 
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

You're only young once; you can be immature forever
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCWhlLyV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+g7qAP94pel8wyaQkXXdP0G+bPh9ldw37YI1sl1+NWK/cdmtoQD9E/TizezsFlpT
GgCfnThznJGeqhR9q+OJbsBykwfuuwSJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCWhlLyV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/6LhD/9MTUH3MVIHFrrSJN6iw9VdXiuY
HKg5RILGQj6em/dRdO15xfEqJQcg9D+PeAx71cwtcDDVMnrIneeZ1kH6Q+HSqf7e
mZ0KWamKqh16FjRbDJFTdD1XA/O8+YnZ9hUoTsqEMWMT4OU9lCi+lIMpYyVkNa+b
AoeHQJdqNDA5z8ghqopBdNvVq+Wu5FLtIRQ6Q9RtNUXa7J5kpt3ODsd2T8AqhlmN
md7oaRXd0QhvFphTCXghI0H7sOJZsKRE1d8pXHckTUFVou5Wcrq9k/bGesYC/Zea
tDzUP7Oi0HkCDiA45W16cDM8GCBRyw6NMaSxPF3Ax9yOps3sbfdcGe09jEvtssbv
efS0lfu8Lu+IkxFb4arvLYjREfHNtDWUupG/1b/uPaTkmGC3A4d5t38zLCWBnuKP
STXHLHBgZlHEr/BBnP40u7XUDc7n5GTZRXA4TPx2MYxoNjMg0N3C/5igcxWmFpSU
byfRwyisZEiBliDW+iMuE0fsBcXbagZsXB7zvTdfzIRGMq18/FQcZ9RfBBAMfl+r
9HjEzFD9YCVXy7VkQE4vJuLUA/kxxYf5XUJNUsNTu5YrgiWZTaUGuhjpvFV3bIFu
+QSVl5pOcUlWejD2qHPVPhM55ktQ5TMWdJi4+rFnT6Iw0/7vQjG+5Y2NfYFcGvry
+V+XJVWHoABDO/tSaw==
=ecKP
-----END PGP SIGNATURE-----



From mac3iii at gmail.com  Sat Nov 25 13:40:22 2017
From: mac3iii at gmail.com (murphy)
Date: Sat, 25 Nov 2017 07:40:22 -0500
Subject: Complete Ubuntu compile of GnuPG
In-Reply-To: <DM5PR01MB223640E2BE2E726E16F29799A6270@DM5PR01MB2236.prod.exchangelabs.com>
References: <135b2a53-5000-8f86-8611-c17e107986b0@gmail.com>
 <873756hdpl.fsf@wheatstone.g10code.de>
 <DM5PR01MB2236B2A6335738CA49A80A2CA6200@DM5PR01MB2236.prod.exchangelabs.com>
 <507d3f1c-56f1-26b9-27c2-169a1120acca@gmail.com>
 <DM5PR01MB223640E2BE2E726E16F29799A6270@DM5PR01MB2236.prod.exchangelabs.com>
Message-ID: <ba4d622e-5de4-ced7-b52d-3a9344fcd16e@gmail.com>

Yes, the permissions and gpg-agent.conf creation is a problem I would
like to find an easy way around.? As it turns out a fresh install of
ubuntu 16.04.3 already has /usr/bin/pinentry-gnome3 installed.? That,
plus the fact that libgnutls28-dev also installs a bunch of stuff on my
bash file means I can reduce it to:


cd ~/Downloads
version=gnupg-2.2.3
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2
wget https://gnupg.org/ftp/gcrypt/gnupg/$version.tar.bz2.sig
tar xf $version.tar.bz2
cd $version
sudo apt-get update
sudo apt-get install -y libldap2-dev
sudo apt-get install -y gtk+-2
sudo apt-get install -y rng-tools
sudo apt-get install -y libbz2-dev
sudo apt-get install -y libgnutls28-dev
sudo apt-get install -y libsqlite3-dev
sudo apt-get install -y libreadline-dev
sudo apt-get install -y pcscd scdaemon
sudo make -f build-aux/speedo.mk INSTALL_PREFIX=/usr/local
speedo_pkg_gnupg_configure='--enable-g13 --enable-wks-tools
--with-pinentry-pgm=/usr/bin/pinentry-gnome3' native
sudo ldconfig


Of course the line "sudo make -f ... native" is all one line.? This
enables pinentry-gnome3 without having to do a separate creation of
gpg-agent.conf and the whole issue of permissions is avoided.? I would
like to thank Werner, Robert, and Phil for the very helpful suggestions.


murphy


On 11/25/2017 04:02 AM, Dmitry Gudkov wrote:
>
> hi murphy,
>
>
> i dare suggest adding this command after creating gpg-agent.conf file:
>
>
> *chmod 600 agp-agent.conf*
>
>
> i came across an old thread on gnupg 2.xxx where its said that .gnupg
> directory?must have 700 and all files inside this directory 600
> permissions
>
>
> cheers
>
> Dmitry
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171125/bc576834/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171125/bc576834/attachment-0001.sig>

From bnsmall69169 at gmail.com  Fri Nov 24 09:10:44 2017
From: bnsmall69169 at gmail.com (Brent Small)
Date: Fri, 24 Nov 2017 00:10:44 -0800
Subject: SHA1 collision found
Message-ID: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>

What?s up 

Sent from my iPhone

From jerry at seibercom.net  Sat Nov 25 14:24:29 2017
From: jerry at seibercom.net (Jerry)
Date: Sat, 25 Nov 2017 08:24:29 -0500
Subject: SHA1 collision found
In-Reply-To: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>
References: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>
Message-ID: <20171125082429.00007442@seibercom.net>

On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated:

>What?s up 

up

ADVERB

    toward the sky or a higher position:
    "he jumped up" ? [more]

    synonyms: up ? higher ? uphill ? upslope ? to the top ? skyward ?
    heavenward to the place where someone is:
    "Dot didn't hear Mrs. Parvis come creeping up behind her"

    at or to a higher level of intensity, volume, or activity:
    "she turned the volume up" ? [more]

    into the desired or a proper condition:
    "the mayor agreed to set up a committee"

PREPOSITION

    from a lower to a higher point on (something); upward along:
    "she climbed up a flight of steps"

ADJECTIVE

    directed or moving toward a higher place or position:
    "the up escalator"

    in a cheerful mood; ebullient:
    "the mood here is resolutely up"

    (of a computer system or industrial process) functioning properly:
    "the system is now up"

    at an end:
    "his contract was up in three weeks" ? [more]

NOUN

    a period of good fortune:
    "you can't have ups all the time in football"

VERB

    do something abruptly or boldly:
    "she upped and left him"

    cause (a level or amount) to be increased:
    "capacity will be upped by 70 percent next year"

    lift (something) up:
    "everybody was cheering and upping their glasses"


From guru at unixarea.de  Sat Nov 25 16:45:12 2017
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 25 Nov 2017 16:45:12 +0100
Subject: SHA1 collision found
In-Reply-To: <20171125082429.00007442@seibercom.net>
References: <3E3AA1F9-0D07-4857-90D2-1888299DE498@gmail.com>
Message-ID: <91c8bcda-0c87-44d8-94a5-633c409cdeea@unixarea.de>

On Saturday, 25 November 2017 14:24:29 CET, Jerry <jerry at seibercom.net> 
wrote:
> On Fri, 24 Nov 2017 00:10:44 -0800, Brent Small stated:
>
>>What?s up 
>
> up
>
> ADVERB
>
>     ...

Maybe the OP wanted to sent this to What's Ape.

matthias




-- 
Sent from my Ubuntu phone
http://www.unixarea.de/


From wk at gnupg.org  Sat Nov 25 18:27:02 2017
From: wk at gnupg.org (Werner Koch)
Date: Sat, 25 Nov 2017 18:27:02 +0100
Subject: Ask gpg-agent/scdaemon to release a smartcard?
In-Reply-To: <20171124093044.3tq3nrcvpqnk6l3c@eridan.ccs.ecp.fr> (Nicolas
 Boullis's message of "Fri, 24 Nov 2017 10:30:44 +0100")
References: <20171124093044.3tq3nrcvpqnk6l3c@eridan.ccs.ecp.fr>
Message-ID: <87bmjqw9p5.fsf@wheatstone.g10code.de>

On Fri, 24 Nov 2017 10:30, nicolas.boullis at ecp.fr said:

> Is there a way I can ask gpg-agent/scdaemon to release this smartcard, 

gpg-connect-agent 'scd killscd' /bye


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171125/3e728661/attachment.sig>

From raysatiro at yahoo.com  Sun Nov 26 07:26:49 2017
From: raysatiro at yahoo.com (Ray Satiro)
Date: Sun, 26 Nov 2017 01:26:49 -0500
Subject: gpg in windows hanging rarely
Message-ID: <da421c9f-9ed2-6837-e713-5477badb7152@yahoo.com>

I'm using gpg and I notice rarely I will run a command and it will just
hang. What could be the reasons for that? The two commands I've noticed
it happening are --import and --delete-keys. I've noticed it in my
regular key database and was able to reproduce it once when I set
GNUPGHOME to an empty directory to make a new database (unfortunately I
did not have the foresight to run --debug-all at that time).

gpg (GnuPG) 2.2.1
libgcrypt 1.8.1

In an attempt to coax out the hang I imported in a loop a few thousand
times, but it didn't hang.

cd foo
set GNUPGHOME=.

then I run a batch file ..\a.bat that does the loop:

:restart
gpg --debug-all --import c:\fedora.gpg
rm -rf *
goto restart

One thing I did notice was I ended up with a number of gpg-agent
processes that did not immediately terminate. After a minute they did
though. I also notice there's 4 gpg-agent processes still running from
earlier in the day.




From raysatiro at yahoo.com  Sun Nov 26 09:05:25 2017
From: raysatiro at yahoo.com (Ray Satiro)
Date: Sun, 26 Nov 2017 03:05:25 -0500
Subject: gpg in windows hanging rarely
In-Reply-To: <da421c9f-9ed2-6837-e713-5477badb7152@yahoo.com>
References: <da421c9f-9ed2-6837-e713-5477badb7152@yahoo.com>
Message-ID: <473b26d3-d3a8-2469-d882-db6232724f39@yahoo.com>

On 11/26/2017 1:26 AM, Ray Satiro wrote:
> I'm using gpg and I notice rarely I will run a command and it will just
> hang. What could be the reasons for that? The two commands I've noticed
> it happening are --import and --delete-keys. I've noticed it in my
> regular key database and was able to reproduce it once when I set
> GNUPGHOME to an empty directory to make a new database (unfortunately I
> did not have the foresight to run --debug-all at that time).
>
> gpg (GnuPG) 2.2.1
> libgcrypt 1.8.1
>
> In an attempt to coax out the hang I imported in a loop a few thousand
> times, but it didn't hang.
>
> cd foo
> set GNUPGHOME=.
>
> then I run a batch file ..\a.bat that does the loop:
>
> :restart
> gpg --debug-all --import c:\fedora.gpg
> rm -rf *
> goto restart
>
> One thing I did notice was I ended up with a number of gpg-agent
> processes that did not immediately terminate. After a minute they did
> though. I also notice there's 4 gpg-agent processes still running from
> earlier in the day.

https://dev.gnupg.org/T3378 might be it. Let me know if I can be of any
assistance.



From wk at gnupg.org  Mon Nov 27 08:01:41 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 27 Nov 2017 08:01:41 +0100
Subject: gpg in windows hanging rarely
In-Reply-To: <473b26d3-d3a8-2469-d882-db6232724f39@yahoo.com> (Ray Satiro via
 Gnupg-users's message of "Sun, 26 Nov 2017 03:05:25 -0500")
References: <da421c9f-9ed2-6837-e713-5477badb7152@yahoo.com>
 <473b26d3-d3a8-2469-d882-db6232724f39@yahoo.com>
Message-ID: <871skkurvu.fsf@wheatstone.g10code.de>

On Sun, 26 Nov 2017 09:05, gnupg-users at gnupg.org said:

> https://dev.gnupg.org/T3378 might be it. Let me know if I can be of any
> assistance.

Right.  It is hard to replicate and, worse, we can't replicate it with
any debug logging enabled.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171127/d6dbbd7d/attachment.sig>

From wk at gnupg.org  Mon Nov 27 08:04:08 2017
From: wk at gnupg.org (Werner Koch)
Date: Mon, 27 Nov 2017 08:04:08 +0100
Subject: Getting more verbose details of a key
In-Reply-To: <94683068.20171125105415@my_localhost_LG> (MFPA's message of
 "Sat, 25 Nov 2017 10:54:15 +0000")
References: <eb27c759-c28d-08f8-dbb5-3c9c1e3c074c@yahoo.com>
 <8616047a-3c10-3287-c630-1d0593c136a2@digitalbrains.com>
 <87ine5v0wn.fsf@wheatstone.g10code.de>
 <94683068.20171125105415@my_localhost_LG>
Message-ID: <87wp2ctd7b.fsf@wheatstone.g10code.de>

On Sat, 25 Nov 2017 11:54, 2017-r3sgs86x8e-lists-groups at riseup.net said:

> How about gpg --list-keys --file filename?

Well, a single command would be better.  I am currently thinking about

  --show     detect type of input and use approriate listing
  --show-key assume a key and list that
  --show-msg assume a message and print something without decryption.



Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171127/6b28cf10/attachment.sig>

From hexumg at gmail.com  Mon Nov 27 20:32:12 2017
From: hexumg at gmail.com (Eugene Bright)
Date: Mon, 27 Nov 2017 22:32:12 +0300
Subject: gpg --card-status doesn't create key stubs
Message-ID: <CAMEXTZrXbAX-1v8BeGnMe2wvBhuNZg2T3dxP56TBv6UQtaOGTA@mail.gmail.com>

Hello!

I'm truing to make my hand-made OpenPGP smart card work.
Card status are looks good and I can move keys with keytocard command.
But I can't find a way to encrypt data by card-stored keys.

Public keys are imported and can be shown by `gpg -k`.
`gpg --card-status` shows that keys are on the card.
`gpg -K` show no private keys available.

Can someone give me an advice what step should I do next to make my card work?

I've posted full reproduction scenario. It can be found here
https://github.com/jderuiter/javacard-openpgpcard/issues/5

Regards,
Eugene Bright.


From gnupgpacker at on.yourweb.de  Tue Nov 28 11:27:13 2017
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Tue, 28 Nov 2017 11:27:13 +0100
Subject: Extending validity of main- and subkeys in one step possible?
Message-ID: <000001d36833$74acd160$5e067420$@on.yourweb.de>

Hello,
is there any possibility to extend key's validity of *all* keys in a keyset
in *one* step?
So 2017-12-31 should be changed to 2019-12-31 for all subkeys...

Otherwise it would be necessary to choose every subkey with key 1, key 2 and
so on, than 'expire', than passphrase...

--example--
Geheimer Schl?ssel ist vorhanden.

pub  4096R/7BF4xxxx  erzeugt: 2015-01-08  verf?llt: 2017-12-31  Aufruf: C
                     Vertrauen: uneingeschr?nkt G?ltigkeit: uneingeschr?nkt
sub  4096R/13EDxxxx  erzeugt: 2015-01-08  verf?llt: 2017-12-31  Aufruf: A
sub  4096R/CCFCxxxx  erzeugt: 2015-01-08  verf?llt: 2017-12-31  Aufruf: S
sub  4096R/EBB9xxxx  erzeugt: 2015-01-08  verf?llt: 2017-12-31  Aufruf: E
[ uneing.] (1). xy xz <xy at xz.de>

?ndern des Verfallsdatums des Hauptschl?ssels.
Bitte w?hlen Sie, wie lange der Schl?ssel g?ltig bleiben soll.
         0 = Schl?ssel verf?llt nie
      <n>  = Schl?ssel verf?llt nach n Tagen
      <n>w = Schl?ssel verf?llt nach n Wochen
      <n>m = Schl?ssel verf?llt nach n Monaten
      <n>y = Schl?ssel verf?llt nach n Jahren
Wie lange bleibt der Schl?ssel g?ltig? (0) 24m
--example-end--

Thx + regards, Chris



From wk at gnupg.org  Wed Nov 29 18:16:59 2017
From: wk at gnupg.org (Werner Koch)
Date: Wed, 29 Nov 2017 18:16:59 +0100
Subject: Extending validity of main- and subkeys in one step possible?
In-Reply-To: <000001d36833$74acd160$5e067420$@on.yourweb.de>
 (gnupgpacker@on.yourweb.de's message of "Tue, 28 Nov 2017 11:27:13
 +0100")
References: <000001d36833$74acd160$5e067420$@on.yourweb.de>
Message-ID: <87po81knsk.fsf@wheatstone.g10code.de>

On Tue, 28 Nov 2017 11:27, gnupgpacker at on.yourweb.de said:

> is there any possibility to extend key's validity of *all* keys in a keyset
> in *one* step?

key *

selects all keys.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171129/903baed4/attachment.sig>

From gnupgpacker at on.yourweb.de  Thu Nov 30 11:19:04 2017
From: gnupgpacker at on.yourweb.de (gnupgpacker)
Date: Thu, 30 Nov 2017 11:19:04 +0100
Subject: Extending validity of main- and subkeys in one step possible?
In-Reply-To: <87po81knsk.fsf@wheatstone.g10code.de>
References: <000001d36833$74acd160$5e067420$@on.yourweb.de>
 <87po81knsk.fsf@wheatstone.g10code.de>
Message-ID: <003b01d369c4$a61755d0$f2460170$@on.yourweb.de>

Sorry, it doesn't work for GPG v1.4.22...

Key set is called, then
gpg> key * => Changing date with 'expire' is not working for all (sub)keys.

gpg> key 1 => working

Any additional hint?
Thx + regards, Chris


>> is there any possibility to extend key's validity of *all* keys in a
>> keyset
>> in *one* step?
> 
> key *
> 
> selects all keys.
> 



From lechtitseb at gmail.com  Wed Nov 29 21:50:54 2017
From: lechtitseb at gmail.com (Sebastien)
Date: Wed, 29 Nov 2017 21:50:54 +0100
Subject: Using gpg-agent as ssh-agent on Windows with MSYS
Message-ID: <CALPZHjNXo-2WbepwAPb76HodaPdY2i3F3MMrFfFW8oZdpqzPFw@mail.gmail.com>

Hello,

I think I'm currently facing the issue described in
https://lists.gnupg.org/pipermail/gnupg-users/2016-September/056771.html
(sorry, couldn't find how to just reply to that thread).

I'm using GnuPG, gpg and gpg-agent in my Windows Git bash environment
(MSYS) (on Windows 10 x64). I like having everything in there for ease of
use and portability.

I'd like to know if this is just a known issue/limitation with a known
workaround or if it's just not supported?

Some more background about what I've configured/tried:

Just starting gpg-agent with gpg-connect-agent/bye doesn't work for me, it
always gives the following error:
$ gpg-connect-agent /bye
ERR 67109139 Unknown IPC command <GPG Agent>

I could work around that error using: MSYS_NO_PATHCONV=1 gpg-connect-agent
--homedir $GNUPGHOME_WIN /bye

Where $GNUPGHOME_WIN just contains the Windows style path to my gnupg
folder (in my case c:\CloudStation\Configuration\SebHome\.gnupg).
Effectively like that MSYS doesn't perform path conversions and
gpg-connect-agent / gpg-agent seem to receive the correct path.

In my ~/.gnupg folder I then do find those files:
gnupg_spawn_agent_sentinel.lock
S.gpg-agent
...
S.gpg-agent.ssh

And the agent seems to be running:
$ gpg-agent
gpg-agent[14380]: gpg-agent running and available

Unfortunately if I execute ssh-add -L, I get:
$ ssh-add -L
Error connecting to agent: Bad file descriptor

Here's the part of my bash profile with comments about things I've tried
and that didn't help:

# GnuPG home
export GPG4WIN_HOME=$TOOLS_HOME/Gpg4Win_3.0.1
export GPG_HOME=$GPG4WIN_HOME/GnuPG
export KLEOPATRA_HOME=$GPG4WIN_HOME/Gpg4win

append_to_path $GPG_HOME
append_to_path $GPG_HOME/bin
append_to_path $KLEOPATRA_HOME/bin_64
append_to_path $KLEOPATRA_HOME/bin

# where it puts its files and looks for its configuration
export GNUPGHOME=$HOME/.gnupg

# path conversion ref: https://stackoverflow.com/questions/13701218/windows-
path-to-posix-path-conversion-in-bash
export GNUPGHOME_WIN=$(eval "echo $GNUPGHOME" | sed -e 's/^\///' -e
's/\//\\/g' -e 's/^./\0:/')

# create the home folder otherwise gpg will complain
mkdir -p `echo $GNUPGHOME`
alias gpg='gpg.exe'
alias pgp='gpg'
alias kleopatra='kleopatra.exe'

# Start the gpg-agent (daemon)
# Eliminate path conversion issues for that specific command
# Reference: https://stackoverflow.com/questions/7250130/how-to-stop-
mingw-and-msys-from-mangling-path-names-given-at-the-command-line

# daemon that will manage the gpg keys and allow to perform ssh auth
#eval $( MSYS_NO_PATHCONV=1 gpg-agent --daemon --enable-ssh-support
--enable-putty-support  --homedir $GNUPGHOME_WIN ) &

# Ref: https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
# Ref: https://www.gnupg.org/documentation/manuals/gnupg/
Invoking-gpg_002dconnect_002dagent.html
MSYS_NO_PATHCONV=1 gpg-connect-agent --homedir $GNUPGHOME_WIN /bye

# Configure SSH_AUTH_SOCK (so that ssh-add can contact the gpg-agent)
#export GPG_AGENT_PID=$$
#export GPG_AUTH_SOCK=$(echo $HOME/.gnupg/S.gpg-agent.ssh)
#export SSH_AUTH_SOCK=$GPG_AUTH_SOCK

# with Win path (not helping)
#export GPG_AUTH_SOCK=$(echo $GNUPGHOME_WIN/S.gpg-agent.ssh)
#export SSH_AUTH_SOCK=$GPG_AUTH_SOCK

#export SSH_ENV="$HOME/.ssh/environment"


Any help would really be appreciated!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171129/10092e2d/attachment.html>

From wk at gnupg.org  Thu Nov 30 12:39:03 2017
From: wk at gnupg.org (Werner Koch)
Date: Thu, 30 Nov 2017 12:39:03 +0100
Subject: Extending validity of main- and subkeys in one step possible?
In-Reply-To: <003b01d369c4$a61755d0$f2460170$@on.yourweb.de>
 (gnupgpacker@on.yourweb.de's message of "Thu, 30 Nov 2017 11:19:04
 +0100")
References: <000001d36833$74acd160$5e067420$@on.yourweb.de>
 <87po81knsk.fsf@wheatstone.g10code.de>
 <003b01d369c4$a61755d0$f2460170$@on.yourweb.de>
Message-ID: <87bmjkj8rs.fsf@wheatstone.g10code.de>

On Thu, 30 Nov 2017 11:19, gnupgpacker at on.yourweb.de said:
> Sorry, it doesn't work for GPG v1.4.22...

That is quite possible.  Won't be changed.  Please use 2.2.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171130/508b1cce/attachment.sig>

From gnupg-users.dirk at o.banes.ch  Thu Nov 30 22:53:35 2017
From: gnupg-users.dirk at o.banes.ch (gnupg-users.dirk at o.banes.ch)
Date: Thu, 30 Nov 2017 22:53:35 +0100
Subject: Decryption fails with error: ERR 100663364 Missing item in object
 <SCD>
Message-ID: <4bad4a09-303f-642d-a6e9-6a9dbf7006e3@o.banes.ch>

Dear list,

I'm using GnuPG with OpenPGP SmartCard.
The Key is available on two smartcards which use on two different readers.
This setup works good since about 1 year.

Now I have a new person mailing me - using the correct key but
decryption fails "ERR 100663364 Missing item in object <SCD>"

The Problem sound exactly like [1].
Can you let me know what debugging information you need and where and if
I should open a defect.

best regards

Dirk


[1]https://dev.gnupg.org/T2285