From wk at gnupg.org Mon Jul 2 08:37:15 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 02 Jul 2018 08:37:15 +0200 Subject: Generating NIST/Brainpool subkeys with GPGME In-Reply-To: (Jacob Adams's message of "Fri, 29 Jun 2018 16:07:00 -0400") References: Message-ID: <87y3euxhwk.fsf@wheatstone.g10code.de> On Fri, 29 Jun 2018 22:07, tookmund at gmail.com said: > It appears that one cannot currently generate NIST or Brainpool subkeys > with GPGME. Using GPG itself works fine with --expert, so am I missing > an option or is this simply not possible yet? That is likely a bug. However there is an easy workaround: > ./eccsubkeys brainpoolP384r1 In contrast to the cv25519 and ed25519 curves this (and the NIST curves) don't have an implict algorithm. Thus gpg tries to deduce this from the usage parameter but that seems not to work. What you hsould do is to make it explicit: ./eccsubkeys brainpoolP384r1/ecdsa sign You can test this also without GPGME: gpg --quick-add-key F5CA66142BAEAFD2BEBF37C0937DDA086A0B7A36 \ brainpoolP384r1/ecdsa sign Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Mon Jul 2 08:40:34 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 02 Jul 2018 08:40:34 +0200 Subject: gpg2 --refresh-keys does not talk to dirmngr? In-Reply-To: <99e966302e0c9db4c169414ea3b8753f4fc7ae96.camel@googlemail.com> (Dirk Gottschalk via Gnupg-users's message of "Fri, 29 Jun 2018 16:12:20 +0200") References: <99e966302e0c9db4c169414ea3b8753f4fc7ae96.camel@googlemail.com> Message-ID: <87tvpixhr1.fsf@wheatstone.g10code.de> On Fri, 29 Jun 2018 16:12, gnupg-users at gnupg.org said: > I have set up a local proxy server with a squid/privoxy/TOR chain and > set it up in dirmngr.conf. Now, after deleting the keyserver line from > gpg.conf, I found out that gpg2 seems not to talk to dirmngr when using > gpg2 --refresh keys. Note that dirmngr has its own Tor support bypassing your proxies. > Is there something I have to set up in one of the configs, especially > gpg.conf and gpg-agent.conf? No. It works for me. You can check this by adding the option --debug ipc to the gpg invocation. If you don't have a log-file option in your gpg.conf the output will go to stderr. Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Mon Jul 2 08:48:17 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 02 Jul 2018 08:48:17 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> (john doe's message of "Sat, 30 Jun 2018 21:26:13 +0200") References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> Message-ID: <87po06xhe6.fsf@wheatstone.g10code.de> On Sat, 30 Jun 2018 21:26, johndoe65534 at mail.com said: > How can I force dirmngr to use port "9150"? So Tor ports are fixed. As Niibe-san already explained Dirmngr will first try port 9050 and if it is not able to connect (ECONNREFUSED) it will try port 9150. This is implemented for Dirmngr in Libassuan. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Mon Jul 2 08:53:31 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 02 Jul 2018 08:53:31 +0200 Subject: Choice of ECC curve on usb token In-Reply-To: <87lgax7f0o.fsf@cassou.me> (Damien Cassou's message of "Fri, 29 Jun 2018 18:07:19 +0200") References: <87wouioxh4.fsf@cassou.me> <877emhn86p.fsf@fsij.org> <87lgax7f0o.fsf@cassou.me> Message-ID: <87lgauxh5g.fsf@wheatstone.g10code.de> On Fri, 29 Jun 2018 18:07, damien at cassou.me said: > Moreover, Nitrokey Storage only supports NIST and Brainpool, nothing > else. That is because the Nitrokey token includes a Zeitcontrol card which only implements the government approved curves. If that ever changes we can close the feature request https://dev.gnupg.org/T4004 . Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From damien at cassou.me Mon Jul 2 09:09:35 2018 From: damien at cassou.me (Damien Cassou) Date: Mon, 02 Jul 2018 09:09:35 +0200 Subject: Choice of ECC curve on usb token In-Reply-To: <20180629235106.GA23508@osmium.lan> References: <87wouioxh4.fsf@cassou.me> <877emhn86p.fsf@fsij.org> <87lgax7f0o.fsf@cassou.me> <20180629235106.GA23508@osmium.lan> Message-ID: <874lhi6rm8.fsf@cassou.me> Phil Pennock writes: > On 2018-06-29 at 18:07 +0200, Damien Cassou wrote: >> I'm not sure I want ECC after reading this: >> https://crypto.stackexchange.com/a/60394/60027 > > Curve25519 is not NIST ECC. It is ECC. I was referring to the discussion around RSA vs. ECC in https://crypto.stackexchange.com/questions/60392/choice-of-ecc-curve-on-usb-token/60394#60394 I read several texts of people preferring RSA over ECC. -- Damien Cassou http://damiencassou.seasidehosting.st "Success is the ability to go from one failure to another without losing enthusiasm." --Winston Churchill From wiktor at metacode.biz Mon Jul 2 10:12:43 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Mon, 2 Jul 2018 10:12:43 +0200 Subject: Choice of ECC curve on usb token In-Reply-To: <874lhi6rm8.fsf@cassou.me> References: <87wouioxh4.fsf@cassou.me> <877emhn86p.fsf@fsij.org> <87lgax7f0o.fsf@cassou.me> <20180629235106.GA23508@osmium.lan> <874lhi6rm8.fsf@cassou.me> Message-ID: Hi Damien, > I was referring to the discussion around RSA vs. ECC in > https://crypto.stackexchange.com/questions/60392/choice-of-ecc-curve-on-usb-token/60394#60394 > > I read several texts of people preferring RSA over ECC. That's an excellent answer, thanks for posting this! I've came up with the same exact answer when deciding on the key type for my primary key (I used RSA 4096). As for subkeys: they can fortunately be rotated so you can use anything (ECC, and if it's broken, rotate the key, [0]; RSA 2048 if 4096 is too slow; just mind the key expiry dates). There is one argument brought in favor of ECC in context of OpenPGP - that you could share the primary public keys directly, instead of fingerprints, but that in my opinion protects only against the hash function being broken, as the primary public key cannot (usually) be used alone (one needs the subkeys and signatures). Kind regards, Wiktor [0]: as a side note I haven't seen tamper resistant devices with ECC, e.g. YubiKey supports NIST curves via PIV applet but not OpenPGP one :( -- https://metacode.biz/@wiktor From tookmund at gmail.com Mon Jul 2 18:03:44 2018 From: tookmund at gmail.com (Jacob Adams) Date: Mon, 2 Jul 2018 12:03:44 -0400 Subject: Generating NIST/Brainpool subkeys with GPGME In-Reply-To: <87y3euxhwk.fsf@wheatstone.g10code.de> References: <87y3euxhwk.fsf@wheatstone.g10code.de> Message-ID: <4a57c2c1-967a-8d60-11b5-b217be51d615@gmail.com> On 07/02/2018 02:37 AM, Werner Koch wrote: > On Fri, 29 Jun 2018 22:07, tookmund at gmail.com said: >> It appears that one cannot currently generate NIST or Brainpool subkeys >> with GPGME. Using GPG itself works fine with --expert, so am I missing >> an option or is this simply not possible yet? > > That is likely a bug. > In contrast to the cv25519 and ed25519 curves this (and the NIST curves) > don't have an implict algorithm. Thus gpg tries to deduce this from the > usage parameter but that seems not to work. Should I file a bug against GPGME? GPG? Not really sure where the problem is here. > What you hsould do is to > make it explicit: > > ./eccsubkeys brainpoolP384r1/ecdsa sign Some testing confirms that I just need to add "/ecdsa" when creating a signing or authentication key. Thanks for your help! Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From johndoe65534 at mail.com Mon Jul 2 20:46:03 2018 From: johndoe65534 at mail.com (john doe) Date: Mon, 2 Jul 2018 20:46:03 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87po06xhe6.fsf@wheatstone.g10code.de> References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> Message-ID: <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> On 7/2/2018 8:48 AM, Werner Koch wrote: > On Sat, 30 Jun 2018 21:26, johndoe65534 at mail.com said: > >> How can I force dirmngr to use port "9150"? > > So Tor ports are fixed. As Niibe-san already explained Dirmngr will > first try port 9050 and if it is not able to connect (ECONNREFUSED) it > will try port 9150. This is implemented for Dirmngr in Libassuan. > On Debian Stretch I tried to do the same thing: $ dirmngr --version dirmngr (GnuPG) 2.1.18 Tor browser for linux (7.5.6) downloaded from the torproject.org site. On linux it works out of the box! :) Which bring me to two possible causes: 1) Cygwin dirmngr can't be used in that way. If I start "tor.exe" from the Tor Browser for windows bundle it works like a charm because Tor then listen on port 9050. So I don't thing this is the issue. 2) Regression in dirmngr between version 2.1.18 and 2.2.8. It looks like the code that is responsible for falling back to port 9150 when port 5090 is not available is somehow failing. I'm stuck here and would appriciate any help on finding a solution to this issue. If any one can test dirmngr 2.2.8 and Tor Browser for linux 7.5.6 and can let me know how it goes? beyond '-v' and '--debug-all' what can I do to furder troubleshoot? -- John Doe From dirk.gottschalk1980 at googlemail.com Mon Jul 2 21:22:01 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Mon, 02 Jul 2018 21:22:01 +0200 Subject: gpg2 --refresh-keys does not talk to dirmngr? In-Reply-To: <87tvpixhr1.fsf@wheatstone.g10code.de> References: <99e966302e0c9db4c169414ea3b8753f4fc7ae96.camel@googlemail.com> <87tvpixhr1.fsf@wheatstone.g10code.de> Message-ID: <7d8309f6975c8421bfafbd0f3c1d2028d853cf06.camel@googlemail.com> Hello Werner, thanks for your answer. The Issue with Proxy was my fault. I didn't recognize a running dirmngr in background. After I killed this process, it worked. Am Montag, den 02.07.2018, 08:40 +0200 schrieb Werner Koch: > On Fri, 29 Jun 2018 16:12, gnupg-users at gnupg.org said: > > Note that dirmngr has its own Tor support bypassing your proxies. I'm aware of this. But AFAIK it sup?ports only connecting to TOR on localhost. This is not my intention. I have a running server in my network which rund Suid/Provoxy/TOR. Is it possible to connect to this tor server on the socks port for doing LDAP, WKD, or DANE Lookups? AFAIK squid and friends could not do this for me. > > Is there something I have to set up in one of the configs, > > especially > > gpg.conf and gpg-agent.conf? > No. It works for me. You can check this by adding the option > > --debug ipc > to the gpg invocation. If you don't have a log-file option in your > gpg.conf the output will go to stderr. As Told earlier, this Problem is solved. Thanks for your advice. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen Tel.: +49 1573 1152350 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From wk at gnupg.org Tue Jul 3 11:37:44 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 03 Jul 2018 11:37:44 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> (john doe's message of "Mon, 2 Jul 2018 20:46:03 +0200") References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> Message-ID: <87efgky80n.fsf@wheatstone.g10code.de> On Mon, 2 Jul 2018 20:46, johndoe65534 at mail.com said: > It looks like the code that is responsible for falling back to port > 9150 when port 5090 is not available is somehow failing. ... on Windows. Actually I developed the fallback on Windows becuase there it is easier to install the Tor browser. Anyway, Gniibe probably found and fixed the problem in our DNS resolver. I suggest to wait for the next release - probably next week. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Tue Jul 3 11:41:56 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 03 Jul 2018 11:41:56 +0200 Subject: gpg2 --refresh-keys does not talk to dirmngr? In-Reply-To: <7d8309f6975c8421bfafbd0f3c1d2028d853cf06.camel@googlemail.com> (Dirk Gottschalk's message of "Mon, 02 Jul 2018 21:22:01 +0200") References: <99e966302e0c9db4c169414ea3b8753f4fc7ae96.camel@googlemail.com> <87tvpixhr1.fsf@wheatstone.g10code.de> <7d8309f6975c8421bfafbd0f3c1d2028d853cf06.camel@googlemail.com> Message-ID: <87a7r8y7tn.fsf@wheatstone.g10code.de> On Mon, 2 Jul 2018 21:22, dirk.gottschalk1980 at googlemail.com said: > localhost. This is not my intention. I have a running server in my > network which rund Suid/Provoxy/TOR. Is it possible to connect to this > tor server on the socks port for doing LDAP, WKD, or DANE Lookups? No, this is currently not possible. I can imagine an option or even envvar to give the IP address of the Tor server. An envvar would have the advantage that it can all be handled in Libassuan without any new code in GnuPG. Please open a feature request on dev.gnupg.org Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Tue Jul 3 11:43:43 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 03 Jul 2018 11:43:43 +0200 Subject: Generating NIST/Brainpool subkeys with GPGME In-Reply-To: <4a57c2c1-967a-8d60-11b5-b217be51d615@gmail.com> (Jacob Adams's message of "Mon, 2 Jul 2018 12:03:44 -0400") References: <87y3euxhwk.fsf@wheatstone.g10code.de> <4a57c2c1-967a-8d60-11b5-b217be51d615@gmail.com> Message-ID: <87601wy7qo.fsf@wheatstone.g10code.de> On Mon, 2 Jul 2018 18:03, tookmund at gmail.com said: > Should I file a bug against GPGME? GPG? Not really sure where the > problem is here. Against gpg. I won't assign it a high priority, though. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From tookmund at gmail.com Tue Jul 3 23:12:05 2018 From: tookmund at gmail.com (Jacob Adams) Date: Tue, 3 Jul 2018 17:12:05 -0400 Subject: Pinentry: Inappropriate ioctl for device when getting smartcard PIN In-Reply-To: <5341d22f-2234-88ab-3655-d305ee92d334@gmail.com> References: <733b219b-86c0-d177-4999-15da2a285930@gmail.com> <5341d22f-2234-88ab-3655-d305ee92d334@gmail.com> Message-ID: <3a4631ee-5090-bbc7-d913-f31576d59c6d@gmail.com> On 06/29/2018 07:45 PM, Jacob Adams wrote: > On 06/27/2018 04:50 PM, Jacob Adams wrote: >> I've got another pinentry problem unfortunately. >> The tty is owned by the correct user this time and $GPG_TTY is set >> correctly. >> >> I have two gpgme contexts, one for openpgp and another for assuan >> commands to the smartcard. Pinentry triggered by the openpgp context >> works perfectly, but any pinentry launched in service of the assuan >> context fails with the error in the subject. They're both using the same >> gpg-agent launched shortly after the creation of the openpgp context >> with gpgconf --launch gpg-agent. >> >> The relevant logs are available at: >> https://salsa.debian.org/tookmund-guest/pgpcr/issues/10 >> > It appears that tty_name is not being set, despite the fact that GPG_TTY > is set and thus gpg-agent has this information from the previous Context. > >> I'm really not sure what's going wrong here and any insight would be >> much appreciated. I have a solution for this but it's definitely the wrong solution. I've applied the following patch to pinentry to fix this problem: --- a/pinentry/pinentry-curses.c +++ b/pinentry/pinentry-curses.c @@ -1187,7 +1187,8 @@ alarm (pinentry->timeout); } #endif - + if (pinentry->ttyname == NULL) + pinentry->ttyname = getenv("GPG_TTY"); rc = dialog_run (pinentry, pinentry->ttyname, pinentry->ttytype); do_touch_file (pinentry); return rc; Clearly this is not the right approach as it appears that gpg-agent is supposed to handle the GPG_TTY variable. For some reason, it is simply not passing it on to pinentry in this one case. I've tried to reproduce this issue in a separate program but have been unsuccessful. However it's consistently reproducible without this patch in my program. Does anyone have an insight into why this patch would be required? Thanks, Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From gniibe at fsij.org Wed Jul 4 04:05:27 2018 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 04 Jul 2018 11:05:27 +0900 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87efgky80n.fsf@wheatstone.g10code.de> References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> <87efgky80n.fsf@wheatstone.g10code.de> Message-ID: <87fu0zvjq0.fsf@iwagami.gniibe.org> Werner Koch wrote: > ... on Windows. Actually I developed the fallback on Windows becuase > there it is easier to install the Tor browser. Anyway, Gniibe probably > found and fixed the problem in our DNS resolver. I suggest to wait for > the next release - probably next week. That's not for Cygwin on Windows, but for GNU/Linux. In dirmngr, the DNS resolver using Tor assumes that it returns ECONNREFUSED when Tor doesn't run at 9050, then, it tries to the port 9150. There was a bug of the DNS resolver. When there are multiple "nameserver" in /etc/resolv.conf, it should try all. It was fixed, but this fix had a side effect for ECONNREFUSED fallback mechanism for using Tor. This was fixed on Monday. For the particular issue for Cygwin, it seems that connect(2) in Cygwin environment may return EPERM instead of ECONNREFUSED. I suspect this. We can add the case of EPERM for Cygwin for workaround... -- From johndoe65534 at mail.com Wed Jul 4 08:01:34 2018 From: johndoe65534 at mail.com (john doe) Date: Wed, 4 Jul 2018 08:01:34 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87fu0zvjq0.fsf@iwagami.gniibe.org> References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> <87efgky80n.fsf@wheatstone.g10code.de> <87fu0zvjq0.fsf@iwagami.gniibe.org> Message-ID: On 7/4/2018 4:05 AM, NIIBE Yutaka wrote: > Werner Koch wrote: >> ... on Windows. Actually I developed the fallback on Windows becuase >> there it is easier to install the Tor browser. Anyway, Gniibe probably >> found and fixed the problem in our DNS resolver. I suggest to wait for >> the next release - probably next week. > > That's not for Cygwin on Windows, but for GNU/Linux. > > In dirmngr, the DNS resolver using Tor assumes that it returns > ECONNREFUSED when Tor doesn't run at 9050, then, it tries to the port > 9150. > > There was a bug of the DNS resolver. When there are multiple > "nameserver" in /etc/resolv.conf, it should try all. It was fixed, but > this fix had a side effect for ECONNREFUSED fallback mechanism for using > Tor. This was fixed on Monday. > > > For the particular issue for Cygwin, it seems that connect(2) in Cygwin > environment may return EPERM instead of ECONNREFUSED. I suspect this. > I'm willing to confirm that but I'm not sure how I would do that!? -- John Doe From gniibe at fsij.org Wed Jul 4 09:11:15 2018 From: gniibe at fsij.org (NIIBE Yutaka) Date: Wed, 04 Jul 2018 16:11:15 +0900 Subject: dirmngr cygwin resolv.conf In-Reply-To: References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> <87efgky80n.fsf@wheatstone.g10code.de> <87fu0zvjq0.fsf@iwagami.gniibe.org> Message-ID: <87y3erfpbg.fsf@fsij.org> Hello, john doe wrote: > I'm willing to confirm that but I'm not sure how I would do that!? I am considering a patch like following. If you can build GnuPG for Cygwin, you can try. Or, you can ask Cygwin's package maintainer for GnuPG. The patch is: Don't try to look the error code, but fallback TOR_PORT2 always. ========================== diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c index ffac816f9..88a4fce5c 100644 --- a/dirmngr/dns-stuff.c +++ b/dirmngr/dns-stuff.c @@ -735,13 +735,12 @@ libdns_res_open (struct dns_resolver **r_res) static int libdns_switch_port_p (gpg_error_t err) { - if (tor_mode && gpg_err_code (err) == GPG_ERR_ECONNREFUSED - && libdns_tor_port == TOR_PORT) + if (tor_mode && libdns_tor_port == TOR_PORT) { /* Switch port and try again. */ if (opt_debug) - log_debug ("dns: switching from SOCKS port %d to %d\n", - TOR_PORT, TOR_PORT2); + log_debug ("dns: switching from SOCKS port %d to %d (%s)\n", + TOR_PORT, TOR_PORT2, gpg_strerror (err)); libdns_tor_port = TOR_PORT2; libdns_reinit_pending = 1; return 1; -- From johndoe65534 at mail.com Wed Jul 4 13:21:41 2018 From: johndoe65534 at mail.com (john doe) Date: Wed, 4 Jul 2018 13:21:41 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87y3erfpbg.fsf@fsij.org> References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> <87efgky80n.fsf@wheatstone.g10code.de> <87fu0zvjq0.fsf@iwagami.gniibe.org> <87y3erfpbg.fsf@fsij.org> Message-ID: <687c354a-2ab0-4500-eff7-d87844fc3a54@mail.com> On 7/4/2018 9:11 AM, NIIBE Yutaka wrote: > Hello, > > john doe wrote: >> I'm willing to confirm that but I'm not sure how I would do that!? > > I am considering a patch like following. If you can build GnuPG for > Cygwin, you can try. Or, you can ask Cygwin's package maintainer for > GnuPG. > > The patch is: Don't try to look the error code, but fallback TOR_PORT2 > always. > > ========================== > diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c > index ffac816f9..88a4fce5c 100644 > --- a/dirmngr/dns-stuff.c > +++ b/dirmngr/dns-stuff.c > @@ -735,13 +735,12 @@ libdns_res_open (struct dns_resolver **r_res) > static int > libdns_switch_port_p (gpg_error_t err) > { > - if (tor_mode && gpg_err_code (err) == GPG_ERR_ECONNREFUSED > - && libdns_tor_port == TOR_PORT) > + if (tor_mode && libdns_tor_port == TOR_PORT) > { > /* Switch port and try again. */ > if (opt_debug) > - log_debug ("dns: switching from SOCKS port %d to %d\n", > - TOR_PORT, TOR_PORT2); > + log_debug ("dns: switching from SOCKS port %d to %d (%s)\n", > + TOR_PORT, TOR_PORT2, gpg_strerror (err)); > libdns_tor_port = TOR_PORT2; > libdns_reinit_pending = 1; > return 1; > I have applied your patch on top of master in the gnupg repository I'm now in the process of building all the libraries require by 'gnupg' but I'm still missing the following libraries: gcrypt libiconv How can I clone gcrypt and libiconv from git? $ git clone git://git.gnupg.org/gcrypt.git Cloning into 'gcrypt'... fatal: remote error: access denied or repository not exported: /gcrypt.git -- John Doe From wk at gnupg.org Wed Jul 4 14:25:41 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 04 Jul 2018 14:25:41 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87y3erfpbg.fsf@fsij.org> (NIIBE Yutaka's message of "Wed, 04 Jul 2018 16:11:15 +0900") References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> <87efgky80n.fsf@wheatstone.g10code.de> <87fu0zvjq0.fsf@iwagami.gniibe.org> <87y3erfpbg.fsf@fsij.org> Message-ID: <87va9vw5kq.fsf@wheatstone.g10code.de> On Wed, 4 Jul 2018 09:11, gniibe at fsij.org said: > The patch is: Don't try to look the error code, but fallback TOR_PORT2 > always. I don't like this patch because it is not specific enough. If Cygwin really returns EPERM, than this is a bug in the Cygwin emulation because all Unix systems (and actually all BSD sockets based systems) return ECONNREFUSED. We should not try to fix bugs for Cygwin given that Cygwin is not offically supported. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Wed Jul 4 14:38:10 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 04 Jul 2018 14:38:10 +0200 Subject: Pinentry: Inappropriate ioctl for device when getting smartcard PIN In-Reply-To: <733b219b-86c0-d177-4999-15da2a285930@gmail.com> (Jacob Adams's message of "Wed, 27 Jun 2018 16:50:25 -0400") References: <733b219b-86c0-d177-4999-15da2a285930@gmail.com> Message-ID: <87r2kjw4zx.fsf@wheatstone.g10code.de> On Wed, 27 Jun 2018 22:50, tookmund at gmail.com said: > I have two gpgme contexts, one for openpgp and another for assuan > commands to the smartcard. Pinentry triggered by the openpgp context > works perfectly, but any pinentry launched in service of the assuan > context fails with the error in the subject. They're both using the same The gpg-agent log shows that the pinentry started on behalf of the "SCD PASSWD 1" does not send the ttyname to pinentry. I will do some code staring ... Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Wed Jul 4 19:23:29 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 04 Jul 2018 19:23:29 +0200 Subject: Pinentry: Inappropriate ioctl for device when getting smartcard PIN In-Reply-To: <87r2kjw4zx.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 04 Jul 2018 14:38:10 +0200") References: <733b219b-86c0-d177-4999-15da2a285930@gmail.com> <87r2kjw4zx.fsf@wheatstone.g10code.de> Message-ID: <87fu0yx6cu.fsf@wheatstone.g10code.de> Hi! Are you setting the homedir in your code also for the Assuan context? That might explain the behaviour. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wiktor at metacode.biz Wed Jul 4 21:48:24 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Wed, 4 Jul 2018 21:48:24 +0200 Subject: Verifying signatures with critical notations Message-ID: Hello, Is it possible to verify a signature with critical notations that I recognize? I created the signature with: echo x | gpg --sign --sig-notation !test at metacode.biz=node-1 > f.sig Now when I pass this file to gpgme_op_verify I get only summary GPGME_SIGSUM_RED and status GPG_ERR_BAD_SIGNATURE (with source GPGME). That's obviously correct as the notation is critical and not recognized but I don't see a function to mark "test at metacode.biz=node-1" as a recognized notation for verification purposes. Is it possible? Thank you in advance! Kind regards, Wiktor -- https://metacode.biz/@wiktor -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 862 bytes Desc: OpenPGP digital signature URL: From aheinecke at intevation.de Wed Jul 4 22:07:50 2018 From: aheinecke at intevation.de (Andre Heinecke) Date: Wed, 04 Jul 2018 22:07:50 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87va9vw5kq.fsf@wheatstone.g10code.de> References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87y3erfpbg.fsf@fsij.org> <87va9vw5kq.fsf@wheatstone.g10code.de> Message-ID: <3064962.NFYV8OzoR6@esus> On Wednesday, July 4, 2018 2:25:41 PM CEST Werner Koch wrote: > We should not try to fix bugs for Cygwin > given that Cygwin is not offically supported. I think that you have spent already way too much time with this thread. ;-) IMO even a #ifdef __CYGWIN__ # error No you don't #endif in a central place would be appropiate. As the same policy is implicitly already applied for the much more important MSVC Windows target. There is one maintained way to get gnupg on windows. Cross compile it with mingw-w64 and run it natively. Best Regards, Andre -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabr?ck | AG Osnabr?ck, HR B 18998 Gesch?ftsf?hrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: This is a digitally signed message part. URL: From johndoe65534 at mail.com Thu Jul 5 12:18:10 2018 From: johndoe65534 at mail.com (john doe) Date: Thu, 5 Jul 2018 12:18:10 +0200 Subject: dirmngr cygwin resolv.conf In-Reply-To: <87va9vw5kq.fsf@wheatstone.g10code.de> References: <2668e804-4468-774b-702f-62a3695e0e9a@mail.com> <87zhzgkw9c.fsf@wheatstone.g10code.de> <4b9eb287-7ef3-ff97-6838-943af8a92ca7@mail.com> <871scr17br.fsf@wheatstone.g10code.de> <5f12448e-fab6-6eba-325b-7273677cf822@mail.com> <87wouim4ma.fsf@iwagami.gniibe.org> <874lhln7ln.fsf@fsij.org> <6d5be269-6474-f829-c3d0-7bd9d278aeb0@mail.com> <87po06xhe6.fsf@wheatstone.g10code.de> <3ce5c37f-0bc7-3b69-7750-987fadd95226@mail.com> <87efgky80n.fsf@wheatstone.g10code.de> <87fu0zvjq0.fsf@iwagami.gniibe.org> <87y3erfpbg.fsf@fsij.org> <87va9vw5kq.fsf@wheatstone.g10code.de> Message-ID: <41f7fd06-22b3-c2c7-b6a5-f9374072be8b@mail.com> On 7/4/2018 2:25 PM, Werner Koch wrote: > On Wed, 4 Jul 2018 09:11, gniibe at fsij.org said: > >> The patch is: Don't try to look the error code, but fallback TOR_PORT2 >> always. > > I don't like this patch because it is not specific enough. > > If Cygwin really returns EPERM, than this is a bug in the Cygwin > emulation because all Unix systems (and actually all BSD sockets based > systems) return ECONNREFUSED. We should not try to fix bugs for Cygwin > given that Cygwin is not offically supported. > What would it take to make Cygwin officially supported? I'm not able to register to the bug portal that is why I'm sending it here. I have installed all required libraries and I got so far as: $ gnupg ./configure --sysconfdir=/etc --enable-maintainer-mode && make snip make all-recursive make[1]: Entering directory '/home/john/git/gnupg' Making all in m4 make[2]: Entering directory '/home/john/git/gnupg/m4' make[2]: Nothing to be done for 'all'. make[2]: Leaving directory '/home/john/git/gnupg/m4' Making all in common make[2]: Entering directory '/home/john/git/gnupg/common' make all-am make[3]: Entering directory '/home/john/git/gnupg/common' make[3]: Nothing to be done for 'all-am'. make[3]: Leaving directory '/home/john/git/gnupg/common' make[2]: Leaving directory '/home/john/git/gnupg/common' Making all in kbx make[2]: Entering directory '/home/john/git/gnupg/kbx' make[2]: Nothing to be done for 'all'. make[2]: Leaving directory '/home/john/git/gnupg/kbx' Making all in g10 make[2]: Entering directory '/home/john/git/gnupg/g10' gcc -I/usr/local/include -I/usr/local/include -I/usr/local/include -O3 -Wall -Wcast-align -Wshadow -Wstrict-prototypes -Wformat -Wno-format-y2k -Wformat-security -W -Wno-sign-compare -Wno-format-zero-length -Wno-missing-field-initializers -Wdeclaration-after-statement -Wlogical-op -Wvla -Wno-pointer-sign -Wpointer-arith -g -O2 -o gpg.exe gpg.o keyedit.o server.o build-packet.o compress.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o rmd160.o openfile.o keyid.o parse-packet.o cpr.o plaintext.o sig-check.o keylist.o pkglue.o ecdh.o pkclist.o skclist.o pubkey-enc.o passphrase.o decrypt.o decrypt-data.o cipher-cfb.o cipher-aead.o encrypt.o sign.o verify.o revoke.o dearmor.o import.o export.o migrate.o delkey.o keygen.o helptext.o keyserver.o call-dirmngr.o photoid.o call-agent.o trust.o trustdb.o tdbdump.o tdbio.o card-util.o exec.o key-check.o ../kbx/libkeybox.a ../common/libcommon.a ../common/libgpgrl.a -lintl -L/usr/local/lib -lgcrypt -lgpg-error -lassuan -L/usr/local/lib -lgpg-error -L/usr/local/lib -lgpg-error /usr/local/lib/libiconv.dll.a -L/usr/local/lib /usr/local/lib/libgpg-error.a(libgpg_error_la-strsource.o): In function `_gpg_strsource': /home/john/git/libgpg-error/src/strsource.c:36: undefined reference to `libintl_dgettext' /home/john/git/libgpg-error/src/strsource.c:36:(.text+0x45): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `libintl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `_gpg_strerror_r': /home/john/git/libgpg-error/src/strerror.c:161: undefined reference to `libintl_dgettext' /home/john/git/libgpg-error/src/strerror.c:161:(.text+0x2f5): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `libintl_dgettext' /usr/local/lib/libgpg-error.a(libgpg_error_la-strerror.o): In function `_gpg_strerror': /home/john/git/libgpg-error/src/strerror.c:50: undefined reference to `libintl_dgettext' /home/john/git/libgpg-error/src/strerror.c:50:(.text+0xef): relocation truncated to fit: R_X86_64_PC32 against undefined symbol `libintl_dgettext' collect2: error: ld returned 1 exit status make[2]: *** [Makefile:789: gpg.exe] Error 1 make[2]: Leaving directory '/home/john/git/gnupg/g10' make[1]: *** [Makefile:614: all-recursive] Error 1 make[1]: Leaving directory '/home/john/git/gnupg' make: *** [Makefile:534: all] Error 2 $ make check Making check in m4 make[1]: Entering directory '/home/john/git/gnupg/m4' make[1]: Nothing to be done for 'check'. make[1]: Leaving directory '/home/john/git/gnupg/m4' Making check in common make[1]: Entering directory '/home/john/git/gnupg/common' make check-am make[2]: Entering directory '/home/john/git/gnupg/common' make check-TESTS make[3]: Entering directory '/home/john/git/gnupg/common' PASS: t-stringhelp.exe PASS: t-timestuff.exe PASS: t-convert.exe PASS: t-percent.exe PASS: t-gettime.exe PASS: t-sysutils.exe PASS: t-sexputil.exe > Known envvars: GPG_TTY(ttyname) TERM(ttytype) DISPLAY(display) > XAUTHORITY(xauthority) XMODIFIERS GTK_IM_MODULE DBUS_SESSION_BUS_ADDRESS > QT_IM_MODULE INSIDE_EMACS PINENTRY_USER_DATA(pinentry-user-data) PASS: t-session-env.exe standard ECC curve missing FAIL: t-openpgp-oid.exe t-ssh-utils.c:351: error getting fingerprint for sample key 0: Not operational FAIL: t-ssh-utils.exe PASS: t-mapstrings.exe PASS: t-zb32.exe PASS: t-mbox-util.exe PASS: t-iobuf.exe PASS: t-strlist.exe PASS: t-name-value.exe PASS: t-ccparray.exe PASS: t-recsel.exe PASS: t-exechelp.exe error running '/bin/false': exit status 1 PASS: t-exectool.exe ======================================= 2 of 20 tests failed Please report to https://bugs.gnupg.org ======================================= make[3]: *** [Makefile:2701: check-TESTS] Error 1 make[3]: Leaving directory '/home/john/git/gnupg/common' make[2]: *** [Makefile:2824: check-am] Error 2 make[2]: Leaving directory '/home/john/git/gnupg/common' make[1]: *** [Makefile:2826: check] Error 2 make[1]: Leaving directory '/home/john/git/gnupg/common' make: *** [Makefile:614: check-recursive] Error 1 I really appriciate any help. -- John Doe From tookmund at gmail.com Thu Jul 5 17:34:57 2018 From: tookmund at gmail.com (Jacob Adams) Date: Thu, 5 Jul 2018 11:34:57 -0400 Subject: Pinentry: Inappropriate ioctl for device when getting smartcard PIN In-Reply-To: <87fu0yx6cu.fsf@wheatstone.g10code.de> References: <733b219b-86c0-d177-4999-15da2a285930@gmail.com> <87r2kjw4zx.fsf@wheatstone.g10code.de> <87fu0yx6cu.fsf@wheatstone.g10code.de> Message-ID: On 07/04/2018 01:23 PM, Werner Koch wrote: > Hi! > > Are you setting the homedir in your code also for the Assuan context? > That might explain the behaviour. I had been manually setting the Assuan context's homedir to ~/.gnupg by accident (Was originally using a temporary directory, but that caused all kinds of issues). Setting it to NULL instead appears to have fixed the problem. Thanks, Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From lian.sebe at virusbulletin.com Thu Jul 5 14:31:50 2018 From: lian.sebe at virusbulletin.com (Lian Sebe) Date: Thu, 5 Jul 2018 14:31:50 +0200 Subject: uncompressing failed: Unknown compression algorithm In-Reply-To: <87h8lspnvm.fsf@wheatstone.g10code.de> References: <905b43fb-c93f-8791-dc94-b47dc46e9c6f@virusbulletin.com> <87h8lspnvm.fsf@wheatstone.g10code.de> Message-ID: <0126b10b-89dc-5894-ed10-f06d6cc267b7@virusbulletin.com> Hello Werner, Thank you for your reply and apologizes for my slow reply. The problem is that I am on CentOS 7 and this is the latest gnupg version that comes with the distribution. I can see there is no easy upgrade (no rpms or repository) readily available and I am afraid that installing in from source might cause some problems with any other parts of CentOS that depends on the other version of gnupg or libgpg-error, libgcrypt, libassuan, .... Lacking any clear upgrade path I am forced to stick with the current version and hope that my scripts will not receive another corrupt file. Thanks again, Lian On 24/06/18 10:52, Werner Koch wrote: > On Thu, 21 Jun 2018 11:40, lian.sebe at virusbulletin.com said: > >> 1. Is it "normal" to hang like this or it is a bug ? > No, that should not happen. Compression 42 is clearly an indication for > a corrupt file. > >> 2. Is there any option I can pass to gnupg in command line so that it >> goes on in case of errors instead of hanging? > No, the above looks like a bug which needs to be fixed. > >> /gpg (GnuPG) 2.0.22// > That version is close to 5 years old and its 2.0 branch reached > end-of-life half a year ago. We might have fixed such a bug already in > current versions. > > Please let us know if you can replicate this with a current GnuPG > version and we will dig into it. > > > Shalom-Salam, > > Werner > -- Virus Bulletin Ltd, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, Oxon, United Kingdom. From wk at gnupg.org Sat Jul 7 12:19:59 2018 From: wk at gnupg.org (Werner Koch) Date: Sat, 07 Jul 2018 12:19:59 +0200 Subject: Verifying signatures with critical notations In-Reply-To: (Wiktor Kwapisiewicz via Gnupg-users's message of "Wed, 4 Jul 2018 21:48:24 +0200") References: Message-ID: <87sh4vtkj4.fsf@wheatstone.g10code.de> On Wed, 4 Jul 2018 21:48, gnupg-users at gnupg.org said: > recognized but I don't see a function to mark > "test at metacode.biz=node-1" as a recognized notation for verification > purposes. > > Is it possible? Yes. Please create a feature request at dev.gnupg.org Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From giuseppe at vitillaro.org Sat Jul 7 10:44:47 2018 From: giuseppe at vitillaro.org (Giuseppe Vitillaro) Date: Sat, 7 Jul 2018 10:44:47 +0200 (CEST) Subject: gpg-agent ssh access with OpenPGP card V1.1. Message-ID: I'm experimenting a problem using the gpg-agent of the last available version of gnupg, gnupg-2.2.8, under a Gentoo system. I'm using an "aged" OpenPGP card, V1.1: Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 00001045 to authenticate my ssh access, without problems, from about ten years. With gnupg-2.2.8 something seems to be wrong, the authentication against new versions of the sshd daemon (version SSH-2.0-OpenSSH_7.5p1) fails while gpg-agent log show the error: gpg-agent[9939] DBG: chan_11 <- ERR 100663427 Conditions of use not satisfied gpg-agent[9939] smartcard signing failed: Conditions of use not satisfied gpg-agent[9939] ssh sign request failed: Conditions of use not satisfied Instead authentication with older versions (SSH-2.0-OpenSSH_5.3) seem to work correctly. I know very few things about ciphering and the gnupg implementation, but, because gnupg-2.2.4 works correctly in this setup, I tried some naive debugging to trace the origin of the problem. Comparing 2.2.8 against 2.2.4, I've found is a small patch of "agent/command-ssh.c" which seems to let gpg-agent(2.2.8) to work with my OpenPGP card, a small fragment of code I'm attaching to this message as "sign.patch". I'm pretty sure this is just the "surface" of the problem, as, from my tests, the call "stream_read_uint32 (request, &flags);" returns 0x04 into the "flags" variables, which, reading the code, I think is SSH_AGENT_RSA_SHA2_512, which "match" with the "request" the sshd is sending to my ssh client (same version OpenSSH_7.5p1): Server accepts key: pkalg rsa-sha2-512 blen 151 The OpenPGP card V1.1 only accepts: SHA1, SHA256, RIPEMD160 and it looks to my naive eyes the "agent/command-ssh.c" code is "forcing", when it receive "flags==0x04": spec.hash_algo = GCRY_MD_SHA512; while my OpenPGP card seems to work only with: hash_algo = GCRY_MD_SHA1; the "default". My patch is just a way to debug the problem, I'm coming to the list to ask advices about the correct way to fix this problem. Regards, G. Vitillaro. -------------- next part -------------- --- a/agent/command-ssh.c 2018-04-10 07:56:52.000000000 +0200 +++ b/agent/command-ssh.c 2018-07-06 18:49:38.979118383 +0200 @@ -2890,31 +2890,6 @@ err = stream_read_uint32 (request, &flags); if (err) goto out; - - if (spec.algo == GCRY_PK_RSA) - { - if ((flags & SSH_AGENT_RSA_SHA2_512)) - { - flags &= ~SSH_AGENT_RSA_SHA2_512; - spec.ssh_identifier = "rsa-sha2-512"; - spec.hash_algo = GCRY_MD_SHA512; - } - if ((flags & SSH_AGENT_RSA_SHA2_256)) - { - /* Note: We prefer SHA256 over SHA512. */ - flags &= ~SSH_AGENT_RSA_SHA2_256; - spec.ssh_identifier = "rsa-sha2-256"; - spec.hash_algo = GCRY_MD_SHA256; - } - } - - /* Some flag is present that we do not know about. Note that - * processed or known flags have been cleared at this point. */ - if (flags) - { - err = gpg_error (GPG_ERR_UNKNOWN_OPTION); - goto out; - } } hash_algo = spec.hash_algo; From wiktor at metacode.biz Sat Jul 7 22:44:29 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Sat, 7 Jul 2018 22:44:29 +0200 Subject: Verifying signatures with critical notations In-Reply-To: <87sh4vtkj4.fsf@wheatstone.g10code.de> References: <87sh4vtkj4.fsf@wheatstone.g10code.de> Message-ID: <17c7c546-dd4c-b385-44f4-ca54ab06ea9e@metacode.biz> >> Is it possible? > > Yes. Please create a feature request at dev.gnupg.org The FR has been created: https://dev.gnupg.org/T4060 Thank you! Kind regards, Wiktor -- https://metacode.biz/@wiktor -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 862 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Thu Jul 12 16:42:31 2018 From: wk at gnupg.org (Werner Koch) Date: Thu, 12 Jul 2018 16:42:31 +0200 Subject: [Announce] GnuPG 2.2.9 released Message-ID: <874lh4seg8.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new GnuPG release: version 2.2.9. This is a maintenance release; see below for a list of fixed bugs. About GnuPG =========== The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard which is commonly abbreviated as PGP. GnuPG allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. As an Universal Crypto Engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP. GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License. Noteworthy changes in version 2.2.9 =================================== * dirmngr: Fix recursive resolver mode and other bugs in the libdns code. [#3374,#3803,#3610] * dirmngr: When using libgpg-error 1.32 or later a GnuPG build with NTBTLS support (e.g. the standard Windows installer) does not anymore block for dozens of seconds before returning data. If you still have problems on Windows, please consider to use one of the options disable-ipv4 or disable-ipv6. * gpg: Fix bug in --show-keys which actually imported revocation certificates. [#4017] * gpg: Ignore too long user-ID and comment packets. [#4022] * gpg: Fix crash due to bad German translation. Improved printf format compile time check. * gpg: Handle missing ISSUER sub packet gracefully in the presence of the new ISSUER_FPR. [#4046] * gpg: Allow decryption using several passphrases in most cases. [#3795,#4050] * gpg: Command --show-keys now enables the list options show-unusable-uids, show-unusable-subkeys, show-notations and show-policy-urls by default. * gpg: Command --show-keys now prints revocation certificates. [#4018] * gpg: Add revocation reason to the "rev" and "rvs" records of the option --with-colons. [#1173] * gpg: Export option export-clean does now remove certain expired subkeys; export-minimal removes all expired subkeys. [#3622] * gpg: New "usage" property for the drop-subkey filters. [#4019] Getting the Software ==================== Please follow the instructions found at or read on: GnuPG 2.2.9 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org. The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.9.tar.bz2 (6503k) https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.9.tar.bz2.sig An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here: https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.8_20180712.exe (3922k) https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.8_20180712.exe.sig The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix. A new Gpg4win installer featuring this version of GnuPG will be available soon. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.9.tar.bz2 you would use this command: gpg --verify gnupg-2.2.9.tar.bz2.sig gnupg-2.2.9.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. * If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file gnupg-2.2.9.tar.bz2, you run the command like this: sha1sum gnupg-2.2.9.tar.bz2 and check that the output matches the next line: e6ef18c2e06175bbe563959c9acc682c02bcd572 gnupg-2.2.9.tar.bz2 aa6753b8443d2b81330dcf1b5d17be743bf1a36a gnupg-w32-2.2.9_20180712.tar.xz a0c234781d85d5ef530636622f3d6d80a8d46b5e gnupg-w32-2.2.9_20180712.exe Internationalization ==================== This version of GnuPG has support for 26 languages with Chinese, Czech, French, German, Japanese, Norwegian, Russian, and Ukrainian being almost completely translated. Documentation and Support ========================= If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details availabale only in thee manual. The manual is also available online at https://gnupg.org/documentation/manuals/gnupg/ or can be downloaded as PDF at https://gnupg.org/documentation/manuals/gnupg.pdf . The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advise on how to solve problems. Most of the new features are around for several years and thus enough public experience is available. Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest to send bug reports for a new release to this list in favor of filing a bug at . If you need commercial support check out . If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion. Thanks ====== Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs one full-time developer and two contractors. All work exclusively on GnuPG and closely related software like Libgcrypt, GPGME, and GPA. We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and address all the small and larger requests made by our users. Thanks. Happy hacking, Your GnuPG hackers p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. p.p.s List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa3072 2017-03-17 [expires: 2027-03-15] Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. =========== -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From heavytull at hotmail.com Fri Jul 13 11:13:06 2018 From: heavytull at hotmail.com (J. Tull) Date: Fri, 13 Jul 2018 09:13:06 +0000 Subject: mute output of gpg2 -d Message-ID: It seems the usual way to supress the output of a command in linux is not working for gpg2: $gpg2 -d my_file.gpg 2>/dev/null still outputs some data through stderr. So could someone try to find out a way to get rid of everything gpg2 is outputting but the decrypted output of the gpg file? From johndoe65534 at mail.com Fri Jul 13 16:14:11 2018 From: johndoe65534 at mail.com (john doe) Date: Fri, 13 Jul 2018 16:14:11 +0200 Subject: mute output of gpg2 -d In-Reply-To: References: Message-ID: <68e975c1-fd24-12a7-a30c-b9d7359ca008@mail.com> On 7/13/2018 11:13 AM, J. Tull wrote: > It seems the usual way to supress the output of a command in linux is not > working for gpg2: > > $gpg2 -d my_file.gpg 2>/dev/null > > still outputs some data through stderr. So could someone try to find out a > way to get rid of everything gpg2 is outputting but the decrypted output of > the gpg file? > It is working fine here, which version of gpg2 do you have and which distro are you using? Output redirection is more a shell issue then a gpg2 problem. Can you redirect STDERR of other commands to the null device? -- John Doe From gpgff00 at lacutt.com Fri Jul 13 16:57:30 2018 From: gpgff00 at lacutt.com (gpgff00 at lacutt.com) Date: Fri, 13 Jul 2018 09:57:30 -0500 Subject: mute output of gpg2 -d In-Reply-To: References: Message-ID: <20180713145730.GC11120@gray.71.to> On Fri, Jul 13, 2018 at 09:13:06AM +0000, J. Tull wrote: > It seems the usual way to supress the output of a command in linux is not > working for gpg2: > > $gpg2 -d my_file.gpg 2>/dev/null Have you tried "gpg -qd my_file.gpg" ? From aajaxx at gmail.com Fri Jul 13 22:50:44 2018 From: aajaxx at gmail.com (Ajax) Date: Fri, 13 Jul 2018 20:50:44 +0000 Subject: Building gnupg using the Speedo method Message-ID: After export LD_LIBRARY_PATH=(pwd)/PLAY/inst/lib then make -f build-aux/speedo.mk native How does one do the equilivent of make check and then install? -------------- next part -------------- An HTML attachment was scrubbed... URL: From heavytull at hotmail.com Fri Jul 13 20:27:38 2018 From: heavytull at hotmail.com (J. Tull) Date: Fri, 13 Jul 2018 18:27:38 +0000 Subject: mute output of gpg2 -d In-Reply-To: <68e975c1-fd24-12a7-a30c-b9d7359ca008@mail.com> References: <68e975c1-fd24-12a7-a30c-b9d7359ca008@mail.com> Message-ID: On +0200, john doe wrote: > On 7/13/2018 11:13 AM, J. Tull wrote: > > It seems the usual way to supress the output of a command in linux is not > > working for gpg2: > > > > $gpg2 -d my_file.gpg 2>/dev/null > > > > still outputs some data through stderr. So could someone try to find out a > > way to get rid of everything gpg2 is outputting but the decrypted output of > > the gpg file? > > > > It is working fine here, which version of gpg2 do you have and which distro > are you using? > > Output redirection is more a shell issue then a gpg2 problem. > Can you redirect STDERR of other commands to the null device? > > -- > John Doe of course i can redirect STDERR to /dev/null. i retried with "find /root" as a normal user and it worked. I use it daily to run irssi through proxyserve. $ gpg2 --version gpg (GnuPG) 2.0.31 libgcrypt 1.7.10 Copyright (C) 2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA, RSA, ELG, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 On -0500, gpgff00 at lacutt.com wrote: > On Fri, Jul 13, 2018 at 09:13:06AM +0000, J. Tull wrote: > > It seems the usual way to supress the output of a command in linux is not > > working for gpg2: > > > > $gpg2 -d my_file.gpg 2>/dev/null > > Have you tried "gpg -qd my_file.gpg" ? below is a copy of some tests. Running normally, then with STDERR redirected to the null device, and then with -q option. Only redirecting STDOUT to the null device works normally, i.e. the decrypted output is not displayed. [user at linuxbox ~]$ gpg2 -d my_file.gpg You need a passphrase to unlock the secret key for user: "user " 2048-bit ELG key, ID xxxxxxxxxxx, created 2018-07-13 (main key ID XxXxXxXxXxXxX) gpg: encrypted with 2048-bit ELG key, ID xxxxxxxxxxx, created 2018-07-13 "user " """ decrypted content of file """ [user at linuxbox ~]$ gpg2 -d .my_pwds.gpg 2>/dev/null You need a passphrase to unlock the secret key for user: "user " 2048-bit ELG key, ID xxxxxxxxxxx, created 2018-07-13 (main key ID XxXxXxXxXxXxX) """ decrypted content of file """ [user at linuxbox ~]$ gpg2 -qd .my_pwds.gpg You need a passphrase to unlock the secret key for user: "user " 2048-bit ELG key, ID xxxxxxxxxxx, created 2018-07-13 (main key ID XxXxXxXxXxXxX) """ decrypted content of file """ From tookmund at gmail.com Sat Jul 14 00:00:07 2018 From: tookmund at gmail.com (Jacob Adams) Date: Fri, 13 Jul 2018 18:00:07 -0400 Subject: GPGME python bindings query In-Reply-To: <20180713024249.7rqou4sxowpjpbcu@adversary.org> References: <20180709074252.pygp7ys6gmzm3ncl@adversary.org> <20180713024249.7rqou4sxowpjpbcu@adversary.org> Message-ID: <5444d1c5-7ed0-ab7c-70e9-7d3dea25bdcc@gmail.com> (Redirecting to -users since that seems more appropriate) On 07/12/2018 10:42 PM, Ben McGinnes wrote: > On Tue, Jul 10, 2018 at 01:01:10PM -0400, Jacob Adams wrote: >> I would prefer to use the automatically generated certificate as it >> also comes with some useful explanation text, but the problem I'm >> having is that there is no way to trigger this generation from GPGME >> and it appears to happen whenever you generate your first subkey (or >> perhaps your first signing subkey, haven't dug that much into it). > > It's generated with the certification key and this comment indicates > there may be a little misunderstanding about the revocation > certificate. It's used to revoke an entire key, including subkeys and > it does this by the simple expedient of revoking the certification > key. Once the certification key is revoked, the certification > signatures can't be validated without throwing the disabled key errors > which prevent the subkeys from being used. > > So even if subkeys are added later, there are no additional revocation > certificates generated for the subkeys. Which is why you'll find .rev > files in $GNUPGHOME/openpgp-revocs.d/ directory matching the > fingerprint of the primary key, but nothing for the subkeys; while the > $GNUPGHOME/private-keys-v1.d/ is populated with multiple .key files > matching the keygrips for all the keys and subkeys generated. > Oh ok that makes a lot more sense now! Most of what I know about GPG is just picked up from random Internet tutorials of dubious quality so I end up with a very spotty understanding of how all this works. Thank you for the clear overview. >> and a random extra password prompt > > There are no random extra password prompts, they're all necessary for > a secure system. Sorry random was the wrong word here. I meant only that the generation of this revocation certificate seems to happen later than I would expect. (Actually I was entirely wrong here about the order of events anyway, see below.) > >> for the revocation certificate that I can't control doesn't really >> help there. If there's some way I could manually trigger this >> process that would be great. > > It should have already occurred when the key was first generated. The > only time it needs to be done manually is when issuing a specific > revocation certificate with a less generic revocation reason or if the > key was generated with an older version of GPG that did not generate > such a certificate by default. > When I don't generate my own revocation certificate, I get a second password prompt when generating the first subkey. I had been assuming that this was for the revocation certificate, but some testing confirms that the certificate already exists before this. I'm still not sure why I would be getting a second prompt however. Any ideas? Thanks, Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Sat Jul 14 09:52:21 2018 From: wk at gnupg.org (Werner Koch) Date: Sat, 14 Jul 2018 09:52:21 +0200 Subject: mute output of gpg2 -d In-Reply-To: (J. Tull's message of "Fri, 13 Jul 2018 18:27:38 +0000") References: <68e975c1-fd24-12a7-a30c-b9d7359ca008@mail.com> Message-ID: <877elyqmoa.fsf@wheatstone.g10code.de> On Fri, 13 Jul 2018 20:27, heavytull at hotmail.com said: > [user at linuxbox ~]$ gpg2 -d .my_pwds.gpg 2>/dev/null > > You need a passphrase to unlock the secret key for That output goes directly to the tty. Without a pinentry you will need to enter the passphrase also directly via the tyy (because we need direct control to avoid echoing of the passphrase. It seems that this is a left-over which should not be displayed (or to stderr) iff the pinentry is used. Use --batch or --no-tty to suppress this output Shalom-Salam, Werner -- Too old to Go, too young to Rust. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From guru at unixarea.de Sat Jul 14 15:15:36 2018 From: guru at unixarea.de (Matthias Apitz) Date: Sat, 14 Jul 2018 15:15:36 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server Message-ID: <20180714131536.GA1114@sh4-5.1blu.de> Hello, We have large application servers (written in C and C++), but also Perl and Java applications which all contact a Sybase database server over the network to do its work. They have to present a USER and a PASSWORD information to connect to the Sybase ASE listening on some port. As the USER and the PASSWORD are not entered by humans, at least not in the moment when the access of the application is made, they are stored in clear text in files in the UNIX (Linux, SunOS) file system. They are entered once, when the software is installed, or get modified with a text editor, when the credentials for whatever reason should be changed. Ofc, storing them in clear text was always a bad idea. Any person with access to the server and a bit of knowledge could read and misuse them, even for dropping the complete database or manipulating accountancy data. We are looking for a way to change this situation and one of the options or ideas I have, is crypt the credentials with GnuPG in some file. Any application have to decrypt this file on the flight (perhaps with a shell command) to get the USER and PASSWORD into its environment variables or internal variables to make use of them to connect to the database server, and will forget the credentials again asap. Decrypting with GnuPG needs a passphrase, normally read from /dev/tty which can not be done here in this case. My idea here is to write a special 'pinentry' program which provides the passphrase, which is crypted itself with blowfish internally in the 'pinentry' program, and the 'pinentry' will only work, if the proc which is calling GnuPG send over a socket or a file some information to authorize the access to this special 'pinentry'. Any other and better ideas for this? Thanks in advance. matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub From heavytull at hotmail.com Sat Jul 14 14:09:20 2018 From: heavytull at hotmail.com (J. Tull) Date: Sat, 14 Jul 2018 12:09:20 +0000 Subject: mute output of gpg2 -d In-Reply-To: <877elyqmoa.fsf@wheatstone.g10code.de> References: <68e975c1-fd24-12a7-a30c-b9d7359ca008@mail.com> <877elyqmoa.fsf@wheatstone.g10code.de> Message-ID: On +0200, Werner Koch wrote: > On Fri, 13 Jul 2018 20:27, heavytull at hotmail.com said: > > > [user at linuxbox ~]$ gpg2 -d .my_pwds.gpg 2>/dev/null > > > > You need a passphrase to unlock the secret key for > > That output goes directly to the tty. Without a pinentry you will need > to enter the passphrase also directly via the tyy (because we need > direct control to avoid echoing of the passphrase. It seems that this > is a left-over which should not be displayed (or to stderr) iff the > pinentry is used. > > Use --batch or --no-tty to suppress this output both options worked. So you mean it's a bug in gpg2? > > > Shalom-Salam, > > Werner > > -- > Too old to Go, too young to Rust. Too old to rock'n'roll, too young too die From gnupg at raf.org Mon Jul 16 05:25:00 2018 From: gnupg at raf.org (gnupg at raf.org) Date: Mon, 16 Jul 2018 13:25:00 +1000 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <20180714131536.GA1114@sh4-5.1blu.de> References: <20180714131536.GA1114@sh4-5.1blu.de> Message-ID: <20180716032500.sgw3gwv2vtaluq3q@raf.org> Matthias Apitz wrote: > Hello, > > We have large application servers (written in C and C++), but also Perl > and Java applications which all contact a Sybase database server over > the network to do its work. They have to present a USER and a PASSWORD > information to connect to the Sybase ASE listening on some port. As the USER > and the PASSWORD are not entered by humans, at least not in the moment > when the access of the application is made, they are stored in clear > text in files in the UNIX (Linux, SunOS) file system. They are entered > once, when the software is installed, or get modified with a text editor, > when the credentials for whatever reason should be changed. Ofc, storing > them in clear text was always a bad idea. Any person with access to the > server and a bit of knowledge could read and misuse them, even for > dropping the complete database or manipulating accountancy data. > > We are looking for a way to change this situation and one of the options > or ideas I have, is crypt the credentials with GnuPG in some file. Any > application have to decrypt this file on the flight (perhaps with a shell > command) to get the USER and PASSWORD into its environment variables or > internal variables to make use of them to connect to the database > server, and will forget the credentials again asap. > > Decrypting with GnuPG needs a passphrase, normally read from /dev/tty > which can not be done here in this case. My idea here is to write a > special 'pinentry' program which provides the passphrase, which is crypted itself > with blowfish internally in the 'pinentry' program, and the 'pinentry' will > only work, if the proc which is calling GnuPG send over a socket or a > file some information to authorize the access to this special 'pinentry'. > > Any other and better ideas for this? > > Thanks in advance. > > matthias investigate vault by hashicorp. From mkesper at fsfe.org Mon Jul 16 09:06:58 2018 From: mkesper at fsfe.org (Michael Kesper) Date: Mon, 16 Jul 2018 09:06:58 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <20180714131536.GA1114@sh4-5.1blu.de> References: <20180714131536.GA1114@sh4-5.1blu.de> Message-ID: <1531724818.2892.4.camel@fsfe.org> Hi all, Am Samstag, den 14.07.2018, 15:15 +0200 schrieb Matthias Apitz: > We are looking for a way to change this situation and one of the > options > or ideas I have, is crypt the credentials with GnuPG in some file. I use pass [0] for this. It uses gnupg under the hood and also has ansible integration. Adding and removing users is a bit of hassle but it integrates much better with git than e.g. keepass or the like. Best wishes Michael [0] https://www.passwordstore.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part URL: From guru at unixarea.de Mon Jul 16 09:29:29 2018 From: guru at unixarea.de (Matthias Apitz) Date: Mon, 16 Jul 2018 09:29:29 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <1531724818.2892.4.camel@fsfe.org> References: <20180714131536.GA1114@sh4-5.1blu.de> <1531724818.2892.4.camel@fsfe.org> Message-ID: <20180716072929.GA13234@sh4-5.1blu.de> El d?a Monday, July 16, 2018 a las 09:06:58AM +0200, Michael Kesper escribi?: > Hi all, > > Am Samstag, den 14.07.2018, 15:15 +0200 schrieb Matthias Apitz: > > We are looking for a way to change this situation and one of the > > options > > or ideas I have, is crypt the credentials with GnuPG in some file. > > I use pass [0] for this. > It uses gnupg under the hood and also has ansible integration. > Adding and removing users is a bit of hassle but it integrates much > better with git than e.g. keepass or the like. > Hi, Michael, I do use pass too for all my firefox credentials for access of webpages and services, i.e. I know how this works. I use for this GnuPG together with an OpenPGP card and to unlock the password storage I have to provide the 6 digit PIN of the card. The storage remains unlocked until card removal. This works all fine. But, I do not see how this could fit into the scene I described. When an application server starts on the UNIX host, it needs the database access credentials and there is no human to key in any PIN, for example when the server start at boot time ... How do you think, that pass could fit? Maybe I do overlook something... Thanks matthias -- Matthias Apitz, ? guru at unixarea.de, ? http://www.unixarea.de/ ? +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub From wk at gnupg.org Mon Jul 16 09:51:17 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 16 Jul 2018 09:51:17 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <20180714131536.GA1114@sh4-5.1blu.de> (Matthias Apitz's message of "Sat, 14 Jul 2018 15:15:36 +0200") References: <20180714131536.GA1114@sh4-5.1blu.de> Message-ID: <87va9fpqiy.fsf@wheatstone.g10code.de> On Sat, 14 Jul 2018 15:15, guru at unixarea.de said: > Decrypting with GnuPG needs a passphrase, normally read from /dev/tty It only needs passphrase if you set a passphrase. For public key encryption it is perfectly fine not to set a passphrase because it is expected that there are no other users on that machine. If there would be other users on that machine it would be just to easy to snoop the passphrase despite the protections we have in place. IMHO, local exploits are too numerous to all get fixed. If you use a smartcard there is a hack in scdaemon which allows to work without a PIN. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wiktor at metacode.biz Mon Jul 16 10:17:00 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Mon, 16 Jul 2018 10:17:00 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <87va9fpqiy.fsf@wheatstone.g10code.de> References: <20180714131536.GA1114@sh4-5.1blu.de> <87va9fpqiy.fsf@wheatstone.g10code.de> Message-ID: <8b7e8df7-a9db-f55a-85e4-ca5c3f364f18@metacode.biz> > If you use a smartcard there is a hack in scdaemon which allows to work > without a PIN. Another alternative to an unlocked smartcard would be to use the TPM as the key would be non-exportable and bound to just one machine. There was a series of patches to add TPM keys support but I don't know if it was merged: https://lists.gnupg.org/pipermail/gnupg-devel/2018-January/033350.html Kind regards, Wiktor -- https://metacode.biz/@wiktor -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 862 bytes Desc: OpenPGP digital signature URL: From mkesper at fsfe.org Mon Jul 16 12:57:17 2018 From: mkesper at fsfe.org (Michael Kesper) Date: Mon, 16 Jul 2018 12:57:17 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <20180716072929.GA13234@sh4-5.1blu.de> References: <20180714131536.GA1114@sh4-5.1blu.de> <1531724818.2892.4.camel@fsfe.org> <20180716072929.GA13234@sh4-5.1blu.de> Message-ID: <1531738637.2892.11.camel@fsfe.org> Hi all, Am Montag, den 16.07.2018, 09:29 +0200 schrieb Matthias Apitz: > Michael, I do use pass too for all my firefox credentials for access > of > webpages and services, i.e. I know how this works. I use for this > GnuPG > together with an OpenPGP card and to unlock the password storage I > have > to provide the 6 digit PIN of the card. The storage remains unlocked > until card removal. This works all fine. > > But, I do not see how this could fit into the scene I described. When > an > application server starts on the UNIX host, it needs the database > access > credentials and there is no human to key in any PIN, for example when > the server start at boot time ... Please have a look at Werner's answer. Best wishes Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part URL: From andrewg at andrewg.com Mon Jul 16 12:57:37 2018 From: andrewg at andrewg.com (Andrew Gallagher) Date: Mon, 16 Jul 2018 11:57:37 +0100 Subject: key distribution/verification/update mechanisms other than keyservers [was: Re: a step in the right direction] In-Reply-To: <87vaam4xal.fsf@fifthhorseman.net> References: <1268467b-1add-eb1c-4856-a1cb30f64463@sixdemonbag.org> <24d32263-7b8a-9bad-beb4-5d42d7b8d909@gaspard.io> <20180115173652.14f43a5d@iria.my-fqdn.de> <545A5DDC-3846-414C-8F15-3CE49993593D@andrewg.com> <8de7b9ab-2586-4c70-278a-3ce649b4691b@mail.ru> <3de247cc-a008-f415-07fe-a12b17cb6872@sixdemonbag.org> <87zi5dwst7.fsf@fifthhorseman.net> <0d49da6c-01d7-ef3d-af50-75764fd5a961@sumptuouscapital.com> <87efmpwd26.fsf@fifthhorseman.net> <87vaam4xal.fsf@fifthhorseman.net> Message-ID: On 13/06/18 14:43, Daniel Kahn Gillmor wrote: > the proposed revocation distribution network wouldn't allow any user IDs > or third-party certifications, so most of the "trollwot" would not be > relevant. As I see it, the keyservers perform two related but distinct functions - finding unknown keys by UID, and finding updates to known keys by fingerprint. All the current issues are related to the first function, but the first function has several alternative solutions available (DNS, WKD, Keybase, attaching pubkeys to every email...). If this first function were to fail overnight, it would be an inconvenience but not a disaster. But there is no known alternative to the second function, which is the distribution of key updates, including revocations. Therefore I believe the immediate priority should be to protect update distribution. How to prevent abuse of a distributed, unauthenticated store of arbitrary data remains an unsolved problem (see: usenet). If the keyservers are to remain unauthenticated and distributed, then the only option is to prohibit arbitrary data. That means no arbitrary data fields (i.e. no UIDs) and no arbitrary data in structured data fields (i.e. validity checks on self-sigs). This will shrink the size of the database significantly, but impose some processing cost. There are two ways forward: a new network of key-material-only servers, or restricting the existing network to key material only. In the first case, we would still need a means to propagate keys between the old and new networks during the transition. And in the second case, we would need to handle an intermediate state where only some servers have been upgraded to the new version. So no matter what we do, we will still need to have some method of doing fake recon with legacy sks instances. The question is how to arrive at this state most efficiently. I would suggest that since recon is at the root of the problems, we should concentrate on the recon process itself. If uploading a bad key takes down one server then fine, we can lose one server. But the badness must not infect other servers automatically. -- Andrew Gallagher -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 862 bytes Desc: OpenPGP digital signature URL: From chrisbcoutinho at gmail.com Mon Jul 16 12:36:44 2018 From: chrisbcoutinho at gmail.com (Chris Coutinho) Date: Mon, 16 Jul 2018 12:36:44 +0200 Subject: Forwarding both gpg and ssh agents Message-ID: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> Hello, I use the ssh-agent functionality of gnupg (version 2.2.8) to handle connecting to remote hosts, which works great. I'm also able to forward my gpg-agent to remote machines to e.g. decrypt files using the `RemoteForward` flag in my ~/.ssh/config: Host myremote RemoteForward /path/to/remote/S.gpg-agent /path/to/local/S.gpg-agent.extra I have a few remotes where I would also like to forward my ssh-agent so that I can make a third connection to a remote machine using my local ssh-agent (through gpg-agent). Specifically, I'm trying to ssh into a FreeBSD remote, and from there connect to a third remote git server using the ssh credentials from my local machine. Is this functionality available? Regards, Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From peter at digitalbrains.com Mon Jul 16 14:30:12 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Mon, 16 Jul 2018 14:30:12 +0200 Subject: Forwarding both gpg and ssh agents In-Reply-To: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> References: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> Message-ID: <0c263350-0ac7-cfe9-199a-28c6eb8ada44@digitalbrains.com> On 16/07/18 12:36, Chris Coutinho wrote: > I have a few remotes where I would also like to forward my ssh-agent Have you played with OpenSSH's ForwardAgent option or its -A command line argument counterpart? I'm fairly sure I had success with it in the past with an authentication key on an OpenPGP smartcard, but it's quite a while back. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From andrewg at andrewg.com Mon Jul 16 14:56:48 2018 From: andrewg at andrewg.com (Andrew Gallagher) Date: Mon, 16 Jul 2018 13:56:48 +0100 Subject: Forwarding both gpg and ssh agents In-Reply-To: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> References: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> Message-ID: On 16/07/18 11:36, Chris Coutinho wrote: > I have a few remotes where I would also like to forward my ssh-agent so > that I can make a third connection to a remote machine using my local > ssh-agent (through gpg-agent). Specifically, I'm trying to ssh into a > FreeBSD remote, and from there connect to a third remote git server > using the ssh credentials from my local machine. > > Is this functionality available? Yes, but remember you have to enable ssh-agent support on your local machine and forward both gpg and ssh agents separately down the full chain of connections. You can't patch one into the other at some intermediate stage, it has to be at your end. So long as you have agent forwarding enabled at each step in the chain, you should be able to forward it through an unlimited number of chained hops. I use this arrangement myself every day, and have written some (basic) documentation for internal use in my company. Let me know if you need any further help. -- Andrew Gallagher -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 862 bytes Desc: OpenPGP digital signature URL: From alex at nitrokey.com Mon Jul 16 14:22:50 2018 From: alex at nitrokey.com (Alexander Paetzelt | Nitrokey) Date: Mon, 16 Jul 2018 14:22:50 +0200 Subject: Forwarding both gpg and ssh agents In-Reply-To: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> References: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> Message-ID: <904b025a-00bd-013e-e8e2-1d1a78d007bd@nitrokey.com> Hi, as far as I know this is independently of GnuPG and just depends on the configuration of the SSH client. Maybe have a search for "Stepping Stone" configuration or alike. This should use your local keys. For Example (based on something I used in the past): Host thirdMachine-alias HostName thirdMachine ProxyCommand ssh user at FreeBSDmachine -W %h:%p User user or alike... As I said, this is not GnuPG specific, but a SSH thing. Kind regards Alex On 16.07.2018 12:36, Chris Coutinho wrote: > Hello, > > I use the ssh-agent functionality of gnupg (version 2.2.8) to handle > connecting to remote hosts, which works great. I'm also able to forward > my gpg-agent to remote machines to e.g. decrypt files using the > `RemoteForward` flag in my ~/.ssh/config: > > Host myremote > ????RemoteForward /path/to/remote/S.gpg-agent > /path/to/local/S.gpg-agent.extra > > I have a few remotes where I would also like to forward my ssh-agent so > that I can make a third connection to a remote machine using my local > ssh-agent (through gpg-agent). Specifically, I'm trying to ssh into a > FreeBSD remote, and from there connect to a third remote git server > using the ssh credentials from my local machine. > > Is this functionality available? > > Regards, > Chris > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From chrisbcoutinho at gmail.com Mon Jul 16 23:35:15 2018 From: chrisbcoutinho at gmail.com (Chris Coutinho) Date: Mon, 16 Jul 2018 23:35:15 +0200 Subject: Forwarding both gpg and ssh agents In-Reply-To: <0c263350-0ac7-cfe9-199a-28c6eb8ada44@digitalbrains.com> References: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> <0c263350-0ac7-cfe9-199a-28c6eb8ada44@digitalbrains.com> Message-ID: <20180716213515.q3oroagiftant7ws@tumbleweed> Thanks for your reply Peter, the ForwardAgent flag is exactly what I was looking for. Although some sources note the potential security holes of using this method, it works great for my use case https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/ Regards, Chris On Jul-16-18, Peter Lebbing wrote: >On 16/07/18 12:36, Chris Coutinho wrote: >> I have a few remotes where I would also like to forward my ssh-agent > >Have you played with OpenSSH's ForwardAgent option or its -A command >line argument counterpart? I'm fairly sure I had success with it in the >past with an authentication key on an OpenPGP smartcard, but it's quite >a while back. > >HTH, > >Peter. > >-- >I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. >You can send me encrypted mail if you want some privacy. >My key is available at > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From peter at digitalbrains.com Tue Jul 17 11:00:04 2018 From: peter at digitalbrains.com (Peter Lebbing) Date: Tue, 17 Jul 2018 11:00:04 +0200 Subject: Forwarding both gpg and ssh agents In-Reply-To: <20180716213515.q3oroagiftant7ws@tumbleweed> References: <20180716103644.o2zd5xjfmsfupwet@tumbleweed> <0c263350-0ac7-cfe9-199a-28c6eb8ada44@digitalbrains.com> <20180716213515.q3oroagiftant7ws@tumbleweed> Message-ID: On 16/07/18 23:35, Chris Coutinho wrote: > Although some sources note the potential security holes of > using this method, it works great for my use case Well, yes, even the man page warns about the security implications. There's a reason I said "it's quite a while back" :-). I try to avoid it. The security implications are severe. If it's just about passing a firewall, the ProxyJump / -J options of OpenSSH are much more useful. You can even chain them easily to pass ever more firewalls :-). ssh -J outerbastion.example.org -J nextlayer.example.org destination.example.org > https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/ The ProxyCommand mentioned there has been made more convenient with the ProxyJump option that was added later; especially if we're talking about multiple jump hosts. Agent forwarding is really about connecting two remote hosts together, which Proxy can't do. HTH, Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From wk at gnupg.org Tue Jul 17 19:02:55 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 17 Jul 2018 19:02:55 +0200 Subject: Using gnupg to crypt credentials used by application to access a database server In-Reply-To: <87va9fpqiy.fsf@wheatstone.g10code.de> (Werner Koch's message of "Mon, 16 Jul 2018 09:51:17 +0200") References: <20180714131536.GA1114@sh4-5.1blu.de> <87va9fpqiy.fsf@wheatstone.g10code.de> Message-ID: <87efg1okw0.fsf@wheatstone.g10code.de> On Mon, 16 Jul 2018 09:51, wk at gnupg.org said: > If you use a smartcard there is a hack in scdaemon which allows to work > without a PIN. Here is what scdaemon's code has to say about this hack: GnuPG makes special use of the login-data DO, this function parses the login data to store the flags for later use. It may be called at any time and should be called after changing the login-data DO. Everything up to a LF is considered a mailbox or account name. If the first LF is followed by DC4 (0x14) control sequence are expected up to the next LF. Control sequences are separated by FS (0x18) and consist of key=value pairs. There are two keys defined: F= Where FLAGS is a plain hexadecimal number representing flag values. The lsb is here the rightmost bit. Defined flags bits are: Bit 0 = CHV1 and CHV2 are not syncronized Bit 1 = CHV2 has been set to the default PIN of "123456" (this implies that bit 0 is also set). P= Where PINPAD_REQUEST is in the format of: or ,. N for user PIN, M for admin PIN. If M is missing it means M=N. 0 means to force not to use pinpad. I have not used this for ages but something like $ printf "\n\x14F=03\x18" >login.data $ gpg --card-edit gpg/card> admin gpg/card> login From benjamin.d.low at gmail.com Wed Jul 18 06:37:13 2018 From: benjamin.d.low at gmail.com (Ben Low) Date: Wed, 18 Jul 2018 14:37:13 +1000 Subject: gpg-agent's SSH agent emulation: how to remove keys? Message-ID: gpg-agent's enable-ssh-support option makes it "possible to use the gpg-agent as a drop-in replacement for the well known ssh-agent" gpp-agent(1). There is a caveat in this 'drop-in replacement': unlike the well-known ssh-agent which caches keys only for the duration of the agent's process lifetime, gpg-agent makes its own copy that persists. The man page does implicitly note this by way of "gpg-agent [asks] for a passphrase, which is to be used for encrypting the newly received key and _storing_ it in a gpg-agent specific directory" (emphasis mine). Practically, this means that once a key is added to gpg-agent it's unclear as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring to those files. Seems like the only(?) method to remove SSH keys from gpg-agent is to look up the keygrip for the desired key in sshcontrol, then remove it from there as well as rm the matching file in private-keys-v1.d/ ? Is there anything else that needs cleaning up after doing that? -------------- next part -------------- An HTML attachment was scrubbed... URL: From benjamin.d.low at gmail.com Wed Jul 18 07:11:45 2018 From: benjamin.d.low at gmail.com (Ben Low) Date: Wed, 18 Jul 2018 15:11:45 +1000 Subject: gpg-agent's SSH agent emulation: how to remove keys? In-Reply-To: References: Message-ID: Ah, I found the thread 'Deleting SSH key(s) from agent' from 2016, wherein it was pointed out that gpg-connect-agent's keyinfo and delete_key commands can be used to delete keys: https://lists.gnupg.org/pipermail/gnupg-users/2016-August/056499.html On 18 July 2018 at 14:37, Ben Low wrote: > gpg-agent's enable-ssh-support option makes it "possible to use the > gpg-agent as a drop-in replacement for the well known ssh-agent" > gpp-agent(1). > > There is a caveat in this 'drop-in replacement': unlike the well-known > ssh-agent which caches keys only for the duration of the agent's process > lifetime, gpg-agent makes its own copy that persists. The man page does > implicitly note this by way of "gpg-agent [asks] for a passphrase, which is > to be used for encrypting the newly received key and _storing_ it in a > gpg-agent specific directory" (emphasis mine). > > Practically, this means that once a key is added to gpg-agent it's unclear > as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply > remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring > to those files. > > Seems like the only(?) method to remove SSH keys from gpg-agent is to look > up the keygrip for the desired key in sshcontrol, then remove it from > there as well as rm the matching file in private-keys-v1.d/ ? Is there > anything else that needs cleaning up after doing that? > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Wed Jul 18 22:19:49 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 18 Jul 2018 22:19:49 +0200 Subject: gpg-agent's SSH agent emulation: how to remove keys? In-Reply-To: (Ben Low's message of "Wed, 18 Jul 2018 14:37:13 +1000") References: Message-ID: <874lgwjnyy.fsf@wheatstone.g10code.de> On Wed, 18 Jul 2018 06:37, benjamin.d.low at gmail.com said: > Practically, this means that once a key is added to gpg-agent it's unclear > as to how to remove it. ssh-add -d/-D doesn't work, and you can't simply > remove keys from ~/.ssh/ and restart the agent as gpg-agent's not referring Right, gpg-agent takes a copy of the files from .ssh/ and you can even delete the private keys files in .ssh after that. If you don't do this you have two protected (i.e. encrypted) copies of the private keys on your disk. Now ssh-add -D when used with OpenSSH's ssh-agent does not delete the key it merely removes it from ssh-agent's cache. The private key is still on the disk. So the question is not how often you do "ssh-add -D" but how often do you rm ~/.ssh/a-private-key ? > up the keygrip for the desired key in sshcontrol, then remove it from there > as well as rm the matching file in private-keys-v1.d/ ? Is there anything You only need to remove it from private-keys-v1.d; ssh-control only enables a key for use in the ssh-agent protocol. This way you can decide which of your keys (even OpenPGP keys) can be used for ssh. In any case I would suggest to get rid of on-disk keys and use a smartcard for ssh keys. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From stefan.claas at posteo.de Sat Jul 21 06:59:59 2018 From: stefan.claas at posteo.de (Stefan Claas) Date: Sat, 21 Jul 2018 06:59:59 +0200 Subject: Timestamping signed documents or detached signature files Message-ID: <20180721065959.3f3b89d1@iria.my-fqdn.de> Hi all, while i have the option, for example with the free Adobe Acrobat DC Reader, to sign my .pdf documents with my x.509 certificate and use a timestamp service, i thought why not give GnuPG a try. So i googled a bit and found this service, which uses the Bitcoin blockchain to store the timestamp proof. https://opentimestamps.org One can simply do a gpg --clearsign doc.txt && ots stamp doc.txt.asc, or gpg --detach-sign myfile && ots stamp myfile.sig. :-) Of course one can also use their web interface. Maybe you find this little info useful too, because i have not seen this topic discussed here yet. I'm aware that there is or was an old Timestamping Service in England available, but i thought that the blockchain is cool. Regards Stefan -- https://www.behance.net/futagoza https://keybase.io/stefan_claas From stefan.claas at posteo.de Sat Jul 21 11:59:18 2018 From: stefan.claas at posteo.de (Stefan Claas) Date: Sat, 21 Jul 2018 11:59:18 +0200 Subject: Governikus Certification Service is back online Message-ID: <20180721115918.1623ec86@iria.my-fqdn.de> Hi all, in case you are in possession of a German ID-CARD (nPA) you may find this service useful too: https://pgp.governikus.de/pgp/ Regards Stefan -- https://www.behance.net/futagoza https://keybase.io/stefan_claas From shawn at git.icu Sun Jul 22 02:46:15 2018 From: shawn at git.icu (Shawn Landden) Date: Sat, 21 Jul 2018 17:46:15 -0700 Subject: TLS 1.3 with ssh-like authentication Message-ID: >From what I understand TLS 1.3 only supports X.509 and PSK, and won't let me authenticate against public key fingerprints. I really want the performance of single-route-trip handshakes, as this is important for my use case (distcc), which makes alot of new connections (as it is mostly stateless between invocations, except for some rate limiting). Thank You, Shawn Landden -------------- next part -------------- An HTML attachment was scrubbed... URL: From chandra.velpula at in.ibm.com Sun Jul 22 07:36:16 2018 From: chandra.velpula at in.ibm.com (Chandrasekhar Velpula) Date: Sun, 22 Jul 2018 11:06:16 +0530 Subject: random seeds file hung on AIX 7.2 Message-ID: Hi Team, Could you pls some one help me while running the encrypt process the process is getting hung and random seed file is not updating.... AIX version: 7.2 GPG version: gpg (GnuPG) 1.4.7 Regards, Chandra Sekhar Velpula SME - Unix Email: chandra.velpula at in.ibm.com Unix DL: Cemex_unix_india From wiktor at metacode.biz Sun Jul 22 20:39:52 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Sun, 22 Jul 2018 20:39:52 +0200 Subject: Timestamping signed documents or detached signature files In-Reply-To: <20180721065959.3f3b89d1@iria.my-fqdn.de> References: <20180721065959.3f3b89d1@iria.my-fqdn.de> Message-ID: Hi Stefan, > Maybe you find this little info useful too, because i have not seen > this topic discussed here yet. I'm aware that there is or was an > old Timestamping Service in England available, but i thought > that the blockchain is cool. Yep, this is definitely cool. I don't know if you've seen it but there is also a helper script for timestamping git commits: https://github.com/opentimestamps/opentimestamps-client/blob/master/doc/git-integration.md And one minor note, that it's actually possible to (ab)use X.509 timestamping servers for OpenPGP because they just timestamp any hash that you give them (see e.g. [0]). You could embed the TimeStampResp [1] in a signature notation (assuming you would timestamp file hash, not the signature itself, of course). Another interesting tidbit, RFC 4880 contains a Timestamp signature flag (0x40 [2]) and a way to nest signatures, that could be used to provide timestamping or notary services [3]. Kind regards, Wiktor [0]: https://tsa.safecreative.org/ [1]: https://tools.ietf.org/html/rfc3161#section-2.4.2 [2]: https://tools.ietf.org/html/rfc4880#section-5.2.1 [3]: https://gnupg.org/ftp/people/neal/an-advanced-introduction-to-gnupg/an-advanced-introduction-to-gnupg.pdf section 4.5.1 -- https://metacode.biz/@wiktor From stefan.claas at posteo.de Sun Jul 22 21:44:29 2018 From: stefan.claas at posteo.de (Stefan Claas) Date: Sun, 22 Jul 2018 21:44:29 +0200 Subject: Timestamping signed documents or detached signature files In-Reply-To: References: <20180721065959.3f3b89d1@iria.my-fqdn.de> Message-ID: <20180722214429.5829f072@iria.my-fqdn.de> On Sun, 22 Jul 2018 20:39:52 +0200, Wiktor Kwapisiewicz wrote: Hi Wiktor, thanks for your reply, much appreciated! > Yep, this is definitely cool. > > I don't know if you've seen it but there is also a helper script for > timestamping git commits: > > https://github.com/opentimestamps/opentimestamps-client/blob/master/doc/git-integration.md No, i haven't seen it, but just went through it. The author made some interesting points, even if i don't use git. > And one minor note, that it's actually possible to (ab)use X.509 > timestamping servers for OpenPGP because they just timestamp any hash > that you give them (see e.g. [0]). You could embed the TimeStampResp > [1] in a signature notation (assuming you would timestamp file hash, > not the signature itself, of course). > > Another interesting tidbit, RFC 4880 contains a Timestamp signature > flag (0x40 [2]) and a way to nest signatures, that could be used to > provide timestamping or notary services [3]. Thank you very much for the additional infos and links, i will read them all. Best regards Stefan -- https://www.behance.net/futagoza https://keybase.io/stefan_claas From wiktor at metacode.biz Sun Jul 22 21:57:13 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Sun, 22 Jul 2018 21:57:13 +0200 Subject: Timestamping signed documents or detached signature files In-Reply-To: <20180722214429.5829f072@iria.my-fqdn.de> References: <20180721065959.3f3b89d1@iria.my-fqdn.de> <20180722214429.5829f072@iria.my-fqdn.de> Message-ID: > Thank you very much for the additional infos and links, i will read them > all. Oh, I forgot to mention that timestamping using blockchains is actually very easy, for example I timestamped my key's fingerprint: https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&search=0x653909A2F0E37C106F5FAF546C8857E0D8E8F074&op=vindex (look for timestamp+bitcoin-transaction at metacode.biz afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a) And you can check out the transaction here: https://blockexplorer.com/api/tx/afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a (look for "OP_RETURN 653909a2f0e37c106f5faf546c8857e0d8e8f074" that is my key's fingerprint). If you convert "time": 1507539820 seconds from there to date you'll get something like 2017-10-09T09:03:40.000Z. OpenTimestamps (I think) uses Merkle trees to minimize fees but the downside is that the hash is not directly embedded in the blockchain and you need the extra files to reconstruct the tree root. Have a nice day! Kind regards, Wiktor -- https://metacode.biz/@wiktor From stefan.claas at posteo.de Mon Jul 23 00:17:10 2018 From: stefan.claas at posteo.de (Stefan Claas) Date: Mon, 23 Jul 2018 00:17:10 +0200 Subject: Timestamping signed documents or detached signature files In-Reply-To: References: <20180721065959.3f3b89d1@iria.my-fqdn.de> <20180722214429.5829f072@iria.my-fqdn.de> Message-ID: <20180723001710.5944f67c@iria.my-fqdn.de> On Sun, 22 Jul 2018 21:57:13 +0200, Wiktor Kwapisiewicz wrote: > > Thank you very much for the additional infos and links, i will read > > them all. > > Oh, I forgot to mention that timestamping using blockchains is > actually very easy, for example I timestamped my key's fingerprint: > > https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&search=0x653909A2F0E37C106F5FAF546C8857E0D8E8F074&op=vindex > > (look for timestamp+bitcoin-transaction at metacode.biz > afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a) > > And you can check out the transaction here: > https://blockexplorer.com/api/tx/afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a > > (look for "OP_RETURN 653909a2f0e37c106f5faf546c8857e0d8e8f074" that > is my key's fingerprint). > > If you convert "time": 1507539820 seconds from there to date you'll > get something like 2017-10-09T09:03:40.000Z. Thanks! I also checked the transaction via blockchain.com. https://www.blockchain.com/btc/tx/afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a > OpenTimestamps (I think) uses Merkle trees to minimize fees but the > downside is that the hash is not directly embedded in the blockchain > and you need the extra files to reconstruct the tree root. Yes, and the service is free. In the past i played also with OP_RETURN, via WWW based services and my Electrum Wallet. > Have a nice day! Thanks, have a nice day too! Here it is already very late and i go to bed now. Best regards Stefan -- https://www.behance.net/futagoza https://keybase.io/stefan_claas From wk at gnupg.org Mon Jul 23 14:27:40 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 23 Jul 2018 14:27:40 +0200 Subject: TLS 1.3 with ssh-like authentication In-Reply-To: (Shawn Landden's message of "Sat, 21 Jul 2018 17:46:15 -0700") References: Message-ID: <87r2jugmrn.fsf@wheatstone.g10code.de> On Sun, 22 Jul 2018 02:46, shawn at git.icu said: > I really want the performance of single-route-trip handshakes, as this is > important for my use case (distcc), which makes alot of new connections (as I don't understand how this is related to GnuPG. Granted, we use TLS for keyserver access but compared to the keyserver and import operations the TLS handshake takes only a little time. Did you wanted to report to GNUTLS? They have their onw mailing lists. Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Mon Jul 23 14:30:36 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 23 Jul 2018 14:30:36 +0200 Subject: random seeds file hung on AIX 7.2 In-Reply-To: (Chandrasekhar Velpula's message of "Sun, 22 Jul 2018 11:06:16 +0530") References: Message-ID: <87muuigmmr.fsf@wheatstone.g10code.de> On Sun, 22 Jul 2018 07:36, chandra.velpula at in.ibm.com said: > AIX version: 7.2 > GPG version: gpg (GnuPG) 1.4.7 That version of GnuPG is more than 11 years old and should not be in use anymore. Anyway, if you need paid support please see https://gnupg.org/service.html for options. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From hoelzelj at mailbox.org Mon Jul 23 18:45:40 2018 From: hoelzelj at mailbox.org (=?UTF-8?Q?H=c3=b6lzel?=) Date: Mon, 23 Jul 2018 18:45:40 +0200 Subject: Problems interacting with keyserver on Linux Message-ID: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> Hello, interacting with the keyserver 'hkps.pool.sks-keyservers.net' seems to be broken as of lately under Arch Linux 4.17.8-1 using GnuPG 2.2.9-1. Please see attached the output of 'env LANG=en_US.UTF-8 gpg -vvv --debug-all --search-keys Torvalds'. The output of 'gpg-connect-agent --dirmngr 'KS_GET 0x4D1E900E14C1CC04' /bye' is as follows: > ERR 167805009 No such file or directory The problem might be related to: https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060681.html Thank you for your consideration! Sincerely Julian -------------- next part -------------- gpg: Note: no default option file '/home/julian/.gnupg/gpg.conf' gpg: using character set 'utf-8' gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog gpg: DBG: [not enabled in the source] start gpg: DBG: chan_3 <- # Home: /home/julian/.gnupg gpg: DBG: chan_3 <- # Config: [none] gpg: DBG: chan_3 <- OK Dirmngr 2.2.9 at your service gpg: DBG: connection to the dirmngr established gpg: DBG: chan_3 -> GETINFO version gpg: DBG: chan_3 <- D 2.2.9 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KS_SEARCH -- Torvalds gpg: DBG: chan_3 <- ERR 167805009 No such file or directory gpg: error searching keyserver: No such file or directory gpg: keyserver search failed: No such file or directory gpg: DBG: chan_3 -> BYE gpg: DBG: [not enabled in the source] stop gpg: keydb: handles=0 locks=0 parse=0 get=0 gpg: build=0 update=0 insert=0 delete=0 gpg: reset=0 found=0 not=0 cache=0 not=0 gpg: kid_not_found_cache: count=0 peak=0 flushes=0 gpg: sig_cache: total=0 cached=0 good=0 bad=0 gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0 gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0 gpg: secmem usage: 0/32768 bytes in 0 blocks From hoelzelj at mailbox.org Mon Jul 23 18:33:36 2018 From: hoelzelj at mailbox.org (=?utf-8?Q?H=C3=B6lzel?=) Date: Mon, 23 Jul 2018 18:33:36 +0200 Subject: Problem refreshing keys on Linux Message-ID: <20180723163336.ghapdw23fbzodbcy@arche> Hello, recently, interacting with the keyserver 'hkps.pool.sks-keyservers.net' is apparently broken on GnuPG 2.2.9-1 on Arch Linux 4.17.8-1. Please find attached the ouput of 'env LANG=en_US.UTF-8 gpg -vvv --debug-all --search-keys Torvalds'. The output of 'gpg-connect-agent --dirmngr 'KS_GET 0x4D1E900E14C1CC04' /bye' is as follows: ERR 167805009 No such file or directory This issue might be similar to: https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060663.html Any help is appreciated. Sincerely Julian From wk at gnupg.org Tue Jul 24 08:57:10 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 24 Jul 2018 08:57:10 +0200 Subject: Problem refreshing keys on Linux In-Reply-To: <20180723163336.ghapdw23fbzodbcy@arche> (=?utf-8?Q?=22H=C3=B6?= =?utf-8?Q?lzel=22's?= message of "Mon, 23 Jul 2018 18:33:36 +0200") References: <20180723163336.ghapdw23fbzodbcy@arche> Message-ID: <876015glyx.fsf@wheatstone.g10code.de> On Mon, 23 Jul 2018 18:33, hoelzelj at mailbox.org said: > Please find attached the ouput of 'env LANG=en_US.UTF-8 gpg -vvv --debug-all --search-keys Torvalds'. Missing. > The output of 'gpg-connect-agent --dirmngr 'KS_GET 0x4D1E900E14C1CC04' /bye' is as follows: > ERR 167805009 No such file or directory Add a -v to the command line to see more. The error code indicates that dirmngr whas not able to find some file or other object. Run dirmngr -v --server and enter KS_GET 0x4D1E900E14C1CC04 that may give more insight. Adding the option --debug network, dns might also be useful. Use --debug help to see a list of all debug options. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Tue Jul 24 09:07:43 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 24 Jul 2018 09:07:43 +0200 Subject: Problems interacting with keyserver on Linux In-Reply-To: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> (=?utf-8?Q?=22H=C3=B6lzel=22's?= message of "Mon, 23 Jul 2018 18:45:40 +0200") References: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> Message-ID: <871sbtglhc.fsf@wheatstone.g10code.de> Hi agains different subject so I didn't read that before replying to the other mail. > gpg: error searching keyserver: No such file or directory > gpg: keyserver search failed: No such file or directory Might be a DNS problem: Similar to the other report you mentioned, please run dirmngr -v --debug dns --no-use-tor --server and enter keyserver --resolve --hosttable what does it show? Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From matthew561 at aol.com Tue Jul 24 09:44:22 2018 From: matthew561 at aol.com (Mark Drew) Date: Tue, 24 Jul 2018 01:44:22 -0600 Subject: No subject Message-ID: <3f1733d7-41db-4b2c-9df7-ba9b15ba74bb@STMATT-BUS04.stmatt-bus010> http://deal.icmma.in John -------------- next part -------------- An HTML attachment was scrubbed... URL: From hoelzelj at mailbox.org Tue Jul 24 13:39:10 2018 From: hoelzelj at mailbox.org (=?utf-8?Q?H=C3=B6lzel?=) Date: Tue, 24 Jul 2018 13:39:10 +0200 Subject: Problems interacting with keyserver on Linux In-Reply-To: <871sbtglhc.fsf@wheatstone.g10code.de> References: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> <871sbtglhc.fsf@wheatstone.g10code.de> Message-ID: <20180724113910.wa7tjivwdbsx6a6h@arche> Hello Werner, excuse my double post; I had some mailserver issues and was not sure whether the mail has been sent. Thank you very much for your help! That indeed pointed me to the right issue (DNS resolver not running). For reference attached the output of the command below. Best Julian On Tue, 24. Jul 09:07, Werner Koch wrote: > Hi agains > > different subject so I didn't read that before replying to the other > mail. > > > gpg: error searching keyserver: No such file or directory > > gpg: keyserver search failed: No such file or directory > > Might be a DNS problem: Similar to the other report you mentioned, > please run > > dirmngr -v --debug dns --no-use-tor --server > > and enter > > keyserver --resolve --hosttable > > what does it show? > > > Salam-Shalom, > > Werner > > -- > # Please read: Daniel Ellsberg - The Doomsday Machine # > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Tue Jul 24 17:36:37 2018 From: wk at gnupg.org (Werner Koch) Date: Tue, 24 Jul 2018 17:36:37 +0200 Subject: Problems interacting with keyserver on Linux In-Reply-To: <20180724113910.wa7tjivwdbsx6a6h@arche> (=?utf-8?Q?=22H=C3=B6?= =?utf-8?Q?lzel=22's?= message of "Tue, 24 Jul 2018 13:39:10 +0200") References: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> <871sbtglhc.fsf@wheatstone.g10code.de> <20180724113910.wa7tjivwdbsx6a6h@arche> Message-ID: <87a7qgfxx6.fsf@wheatstone.g10code.de> On Tue, 24 Jul 2018 13:39, hoelzelj at mailbox.org said: > Thank you very much for your help! That indeed pointed me to the right issue (DNS resolver not running). > For reference attached the output of the command below. Can you you please post that attachment or send it by PM?. I will see whether we can show a better error message. Shalom-Salam, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Wed Jul 25 10:07:47 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 25 Jul 2018 10:07:47 +0200 Subject: mute output of gpg2 -d In-Reply-To: (J. Tull's message of "Sat, 14 Jul 2018 12:09:20 +0000") References: <68e975c1-fd24-12a7-a30c-b9d7359ca008@mail.com> <877elyqmoa.fsf@wheatstone.g10code.de> Message-ID: <87o9eveo18.fsf@wheatstone.g10code.de> On Sat, 14 Jul 2018 14:09, heavytull at hotmail.com said: >> Use --batch or --no-tty to suppress this output > > both options worked. So you mean it's a bug in gpg2? Yes. I created https://dev.gnupg.org/T4088 for this. Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From hoelzelj at mailbox.org Wed Jul 25 11:00:20 2018 From: hoelzelj at mailbox.org (=?utf-8?Q?H=C3=B6lzel?=) Date: Wed, 25 Jul 2018 11:00:20 +0200 Subject: Problems interacting with keyserver on Linux In-Reply-To: <87a7qgfxx6.fsf@wheatstone.g10code.de> References: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> <871sbtglhc.fsf@wheatstone.g10code.de> <20180724113910.wa7tjivwdbsx6a6h@arche> <87a7qgfxx6.fsf@wheatstone.g10code.de> Message-ID: <20180725090020.bkekx6rxdg2u3okm@arche> Yes, please excuse my confusion. Best J On Tue, 24. Jul 17:36, Werner Koch wrote: > On Tue, 24 Jul 2018 13:39, hoelzelj at mailbox.org said: > > > Thank you very much for your help! That indeed pointed me to the right issue (DNS resolver not running). > > For reference attached the output of the command below. > > Can you you please post that attachment or send it by PM?. I will see > whether we can show a better error message. > > > Shalom-Salam, > > Werner > > -- > # Please read: Daniel Ellsberg - The Doomsday Machine # > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- keyserver --resolve --hosttable dirmngr[6476.0]: stat'ing '/etc/resolv.conf' failed: No such file or directory dirmngr[6476.0]: stat'ing '/etc/resolv.conf' failed: No such file or directory dirmngr[6476.0]: failed to load '/etc/resolv.conf': No such file or directory dirmngr[6476.0]: DBG: dns: getsrv(_pgpkey-https._tcp.hkps.pool.sks-keyservers.net): No such file or directory S # hkps://hkps.pool.sks-keyservers.net:443: resolve failed: No such file or directory S # hosttable (idx, ipv6, ipv4, dead, name, time): dirmngr[6476.0]: stat'ing '/etc/resolv.conf' failed: No such file or directory dirmngr[6476.0]: stat'ing '/etc/resolv.conf' failed: No such file or directory dirmngr[6476.0]: failed to load '/etc/resolv.conf': No such file or directory dirmngr[6476.0]: DBG: dns: resolve_dns_name(hkps.pool.sks-keyservers.net): No such file or directory S # 0 hkps.pool.sks-keyservers.net OK From wk at gnupg.org Wed Jul 25 12:31:58 2018 From: wk at gnupg.org (Werner Koch) Date: Wed, 25 Jul 2018 12:31:58 +0200 Subject: Problems interacting with keyserver on Linux In-Reply-To: <20180725090020.bkekx6rxdg2u3okm@arche> (=?utf-8?Q?=22H=C3=B6?= =?utf-8?Q?lzel=22's?= message of "Wed, 25 Jul 2018 11:00:20 +0200") References: <86e5b62c-7a37-c8d1-b9c3-9c4d3a2501b2@mailbox.org> <871sbtglhc.fsf@wheatstone.g10code.de> <20180724113910.wa7tjivwdbsx6a6h@arche> <87a7qgfxx6.fsf@wheatstone.g10code.de> <20180725090020.bkekx6rxdg2u3okm@arche> Message-ID: <878t5zehcx.fsf@wheatstone.g10code.de> On Wed, 25 Jul 2018 11:00, hoelzelj at mailbox.org said: > Yes, please excuse my confusion. Thanks. It turned out that printing a more visible warning will require quite some code changes but they are straightforward. Thus I can't promise that this will go into 2.2. Salam-Shalom, Werner -- # Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From paul at paulfurley.com Thu Jul 26 12:50:29 2018 From: paul at paulfurley.com (Paul M Furley) Date: Thu, 26 Jul 2018 11:50:29 +0100 Subject: Empty keyring after upgrade to Ubuntu 18.04 :/ Message-ID: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> Hi folks, I upgraded from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS and restored my `.gnupg` directory from a backup disk. Now gpg doesn't see any keys... `gpg --list-keys` just exists with no output. I've attached the strace output of `strace gpg --list-keys`, and here's the output of `tree .gnupg/`: ``` /home/paul/.gnupg ??? crls.d ??? ??? DIR.txt ??? gpg-agent.conf ??? gpg-agent-info-xps ??? gpg.conf ??? hkps.pool.sks-keyservers.net.pem ??? openpgp-revocs.d ??? ??? [REDACTED x2].rev ??? private-keys-v1.d ??? ??? [REDACTED x8].key ??? pubring.gpg ??? pubring.kbx ??? random_seed ??? S.dirmngr ??? secring.gpg ??? S.gpg-agent ??? sshcontrol ??? trustdb.gpg 3 directories, 23 files ``` Is there anything else I can provide to help debug this? Thanks! Paul [unsigned... obviously ;) ] -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: strace-gpg-list-keys.txt URL: From franek.wiertara at onet.eu Thu Jul 26 17:17:58 2018 From: franek.wiertara at onet.eu (Franek Wiertara) Date: Thu, 26 Jul 2018 16:17:58 +0100 Subject: Empty keyring after upgrade to Ubuntu 18.04 :/ In-Reply-To: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> References: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> Message-ID: <8D837D13-853E-44E1-8F76-7BF7E063450B@onet.eu> Is it possible the two Ubuntu distributions you mentioned ship different versions of gnupg? I am asking about it because gnupg v. 2.0 and earlier and gnupg v. 2.1.x and later have different ways of storing keys. I don?t know the details because i started using gpg from version 2.1.x but this might be where you could start to investigate the issue. > On 26 Jul 2018, at 11:50, Paul M Furley wrote: > > Hi folks, > > I upgraded from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS and restored my `.gnupg` directory from a backup disk. > > Now gpg doesn't see any keys... `gpg --list-keys` just exists with no output. > > I've attached the strace output of `strace gpg --list-keys`, and here's the output of `tree .gnupg/`: > > ``` > /home/paul/.gnupg > ??? crls.d > ? ??? DIR.txt > ??? gpg-agent.conf > ??? gpg-agent-info-xps > ??? gpg.conf > ??? hkps.pool.sks-keyservers.net.pem > ??? openpgp-revocs.d > ? ??? [REDACTED x2].rev > ??? private-keys-v1.d > ? ??? [REDACTED x8].key > ??? pubring.gpg > ??? pubring.kbx > ??? random_seed > ??? S.dirmngr > ??? secring.gpg > ??? S.gpg-agent > ??? sshcontrol > ??? trustdb.gpg > > 3 directories, 23 files > > ``` > > Is there anything else I can provide to help debug this? > > Thanks! > > Paul > > [unsigned... obviously ;) ] > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From kloecker at kde.org Thu Jul 26 21:00:44 2018 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Thu, 26 Jul 2018 21:00:44 +0200 Subject: Empty keyring after upgrade to Ubuntu 18.04 :/ In-Reply-To: <8D837D13-853E-44E1-8F76-7BF7E063450B@onet.eu> References: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> <8D837D13-853E-44E1-8F76-7BF7E063450B@onet.eu> Message-ID: <3355818.xgHbovasQA@thufir> On Donnerstag, 26. Juli 2018 17:17:58 CEST Franek Wiertara wrote: > > On 26 Jul 2018, at 11:50, Paul M Furley wrote: > > I upgraded from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS and restored my > > `.gnupg` directory from a backup disk. > > > > Now gpg doesn't see any keys... `gpg --list-keys` just exists with no > > output. > > > > I've attached the strace output of `strace gpg --list-keys`, and here's > > the output of `tree .gnupg/`: > > > > ``` > > /home/paul/.gnupg > > ??? crls.d > > ? ??? DIR.txt > > ??? gpg-agent.conf > > ??? gpg-agent-info-xps > > ??? gpg.conf > > ??? hkps.pool.sks-keyservers.net.pem > > ??? openpgp-revocs.d > > ? ??? [REDACTED x2].rev > > ??? private-keys-v1.d > > ? ??? [REDACTED x8].key > > ??? pubring.gpg > > ??? pubring.kbx > > ??? random_seed > > ??? S.dirmngr > > ??? secring.gpg > > ??? S.gpg-agent > > ??? sshcontrol > > ??? trustdb.gpg "tree .gnupg" does not list hidden files, but I guess there is a file named .gpg-v21-migrated in your .gnupg. > Is it possible the two Ubuntu distributions you mentioned ship different > versions of gnupg? Yes. In Ubuntu 18.04, gpg is actually GnuPG 2.x (according to the release notes). > I am asking about it because gnupg v. 2.0 and earlier > and gnupg v. 2.1.x and later have different ways of storing keys. I don?t > know the details because i started using gpg from version 2.1.x but this > might be where you could start to investigate the issue. gpg1 stored your private keys in secring.gpg and the public keys in pubring.gpg. gpg2 uses the private-keys-v1.d folder for private keys and pubring.kbx for public keys. When gpg2 is run for the first time, then gpg2 migrates all old keys to the new locations. Maybe you ran gpg(2) after the upgrade before you restored your .gnupg folder. To re-run the migration remove the file .gpg-v21-migrated in your .gnupg and then run gpg. Regards, Ingo From wiktor at metacode.biz Sun Jul 22 21:57:13 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Sun, 22 Jul 2018 21:57:13 +0200 Subject: Timestamping signed documents or detached signature files In-Reply-To: <20180722214429.5829f072@iria.my-fqdn.de> References: <20180721065959.3f3b89d1@iria.my-fqdn.de> <20180722214429.5829f072@iria.my-fqdn.de> Message-ID: > Thank you very much for the additional infos and links, i will read them > all. Oh, I forgot to mention that timestamping using blockchains is actually very easy, for example I timestamped my key's fingerprint: https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&search=0x653909A2F0E37C106F5FAF546C8857E0D8E8F074&op=vindex (look for timestamp+bitcoin-transaction at metacode.biz afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a) And you can check out the transaction here: https://blockexplorer.com/api/tx/afcb092c5ca6409526d18ae9cf22d3b55d37e723eb1b74e3f84f7e6b052a162a (look for "OP_RETURN 653909a2f0e37c106f5faf546c8857e0d8e8f074" that is my key's fingerprint). If you convert "time": 1507539820 seconds from there to date you'll get something like 2017-10-09T09:03:40.000Z. OpenTimestamps (I think) uses Merkle trees to minimize fees but the downside is that the hash is not directly embedded in the blockchain and you need the extra files to reconstruct the tree root. Have a nice day! Kind regards, Wiktor -- https://metacode.biz/@wiktor From felix at crowfix.com Fri Jul 27 06:50:59 2018 From: felix at crowfix.com (felix at crowfix.com) Date: Thu, 26 Jul 2018 21:50:59 -0700 Subject: Empty keyring after upgrade to Ubuntu 18.04 :/ In-Reply-To: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> References: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> Message-ID: <20180727045059.GB6756@crowfix.com> I ran into a similar problem a few months ago, upgrading from a much older gentoo system with 1.something. I don't know what specific action fixed it, but after a couple of cycles of restoring the original and trying different commands, it suuddenly migrated correctly. Memory says the first couple of attempts, I tried to do something which would have to do the migration first, and it worked when I restored the original and did just the migration by itself. But I didn't take enough notes to figure it out after it started working. -- ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._. Felix Finch: scarecrow repairman & wood chipper / felix at crowfix.com GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933 I've found a solution to Fermat's Last Theorem but I see I've run out of room o From dirk.gottschalk1980 at googlemail.com Fri Jul 27 10:57:15 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Fri, 27 Jul 2018 10:57:15 +0200 Subject: Empty keyring after upgrade to Ubuntu 18.04 :/ In-Reply-To: <20180727045059.GB6756@crowfix.com> References: <1532602229.792398.1453528840.43DC9888@webmail.messagingengine.com> <20180727045059.GB6756@crowfix.com> Message-ID: <7B66B0A4-7994-4C38-91F1-BB2EA8EC0AB0@googlemail.com> You could just import the old GPG files with appropriate options. I did this a while ago as my kbx got damaged when I had a hdd failure. Am 27. Juli 2018 06:50:59 MESZ schrieb felix at crowfix.com: >I ran into a similar problem a few months ago, upgrading from a much >older gentoo system with 1.something. I don't know what specific >action fixed it, but after a couple of cycles of restoring the original >and trying different commands, it suuddenly migrated correctly. Memory >says the first couple of attempts, I tried to do something which would >have to do the migration first, and it worked when I restored the >original and did just the migration by itself. But I didn't take >enough notes to figure it out after it started working. -- Diese Nachricht wurde von meinem Android-Ger?t mit K-9 Mail gesendet. From felix.klee at inka.de Fri Jul 27 16:49:07 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Fri, 27 Jul 2018 16:49:07 +0200 Subject: Cannot decrypt file encrypted with enQsig Message-ID: To receive a document in encrypted form, I provided my public key to the sender. See attachment. The key contains a sub key for encryption: sec rsa4096/BEF6EFD38FE8DCA0 created: 2016-12-17 expires: 2018-12-17 usage: SC card-no: 0005 00004980 trust: ultimate validity: ultimate ssb rsa4096/04FDF78D1679DD94 created: 2016-12-17 expires: 2018-12-17 usage: E card-no: 0005 00004980 [ultimate] (1). Felix E. Klee The sender then prepared the encrypted file using a software called enQsig: ?wir verwenden eine zentrale Gateway Verschl?sselungsl?sung (EnQsig).? (German) After I received `encrypted.asc` from the sender, I tried to decrypt it, to no avail: C:\Users\Felix\Desktop>gpg -v -d encrypted.asc gpg: armor header: Version: enQsig gpg: public key is BEF6EFD38FE8DCA0 gpg: no running gpg-agent - starting 'C:\Program Files (x86)\Gpg4win \..\GnuPG\bin\gpg-agent.exe' gpg: waiting for the agent to come up ... (5s) gpg: waiting for the agent to come up ... (4s) gpg: connection to agent established gpg: pinentry launched (9620 qt 1.1.1-beta5 - - -) gpg: public key is 04FDF78D1679DD94 gpg: using subkey 04FDF78D1679DD94 instead of primary key BEF6EFD38F E8DCA0 gpg: pinentry launched (4608 qt 1.1.1-beta5 - - -) gpg: public key is 92663E7CA68E4EC6 gpg: public key is 9D8C454A43A6D2DE gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE gpg: encrypted with RSA key, ID 92663E7CA68E4EC6 gpg: using subkey 04FDF78D1679DD94 instead of primary key BEF6EFD38F E8DCA0 gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Missing item in object gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Invalid ID gpg: decryption failed: No secret key >From what I can tell, the file has been encrypted with four keys. My encryption key is the sub key 04FDF78D1679DD94. The private key is on a smart card. As you can see, decryption fails with an error message: ?gpg: public key decryption failed: Missing item in object? *What does the error message mean? Why does encryption fail?* I wonder if perhaps enQsig cannot properly deal with encryption sub keys: *Would it be possible to extract the public encryption sub key?* (to only provide that to the sender) I am using Gpg4win 3.1.2 on Windows 7x64. If more information is needed, then I am happy to provide it! -------------- next part -------------- A non-text attachment was scrubbed... Name: 5EF8B6017F668171259945D6BEF6EFD38FE8DCA0.asc Type: application/octet-stream Size: 3949 bytes Desc: not available URL: From tookmund at gmail.com Fri Jul 27 22:23:54 2018 From: tookmund at gmail.com (Jacob Adams) Date: Fri, 27 Jul 2018 16:23:54 -0400 Subject: Second unexplained pinentry when generating subkeys with GPGME Message-ID: <5e6c5813-4b86-c16a-9786-01cbe211fe1c@gmail.com> When generating a new GPG master key and some subkeys with GPGME I noticed some odd behavior. I get a second passphrase pinentry when generating the first subkey and I don't know why. I initially thought it was for creating the automatic revocation certificate, as it doesn't seem to happen if I suppress the creation of the automatic one by generating my own directly. However, the revocation certificate exists before these passphrase prompts. Does any know what might be happening here? Thanks, Jacob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From dirk.gottschalk1980 at googlemail.com Sun Jul 29 23:37:02 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Sun, 29 Jul 2018 23:37:02 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: Message-ID: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Hi. Am Freitag, den 27.07.2018, 16:49 +0200 schrieb Felix E. Klee: > From what I can tell, the file has been encrypted with four keys. My > encryption key is the sub key 04FDF78D1679DD94. The private key is on > a smart card. As you can see, decryption fails with an error message: > ?gpg: public key decryption failed: Missing item in object? Does this key work as expected in other programs, MUAs for example? > *What does the error message mean? Why does encryption fail?* > I wonder if perhaps enQsig cannot properly deal with encryption sub > keys: > *Would it be possible to extract the public encryption sub key?* (to > only provide that to the sender) IIRC, a "gpg --export " should do exactly this. I didn't test it mysqlf, but exporting a only a sub key should be no problem. > I am using Gpg4win 3.1.2 on Windows 7x64. If more information is > needed, > then I am happy to provide it! Could you provide an example file with this error, in best case generated from the Sender? Have you tried to inspect the packets in the file with "--list-packets"? This would show the key IDs which were used to encrypt, probably enQsig really uses the wrong key to encrypt. Your primary key will fail then when it's not capable to encrypt, which is the default. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen Tel.: +49 1573 1152350 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From felix.klee at inka.de Mon Jul 30 11:26:31 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Mon, 30 Jul 2018 11:26:31 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: On Sun, Jul 29, 2018 at 11:37 PM, Dirk Gottschalk via Gnupg-users wrote: >> My encryption key is the sub key 04FDF78D1679DD94. The private key is >> on a smart card. [?] > > Does this key work as expected in other programs, MUAs for example? I use it daily for encryption/decryption of documents, though only with GnuPG. > I didn't test it mysqlf, but exporting a only a sub key should be no > problem. *But how?* Your suggestion doesn?t seem to work: >gpg --export 04FDF78D1679DD94 | gpg --keyid-format long gpg: WARNING: no command supplied. Trying to guess what you mean .. . pub rsa4096/BEF6EFD38FE8DCA0 2016-12-17 [SC] [expires: 2018-12-17] 5EF8B6017F668171259945D6BEF6EFD38FE8DCA0 uid Felix E. Klee sub rsa4096/04FDF78D1679DD94 2016-12-17 [E] [expires: 2018-12-17] > Could you provide an example file with this error, in best case > generated from the Sender? I can ask him of course. First I would like to see, though, if GnuPG can tell us what?s the problem. > Have you tried to inspect the packets in the file with > "--list-packets"? Here you go (again my encryption key is `04FDF78D1679DD94`): >gpg --list-packets encrypted.asc # off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0 data: [4096 bits] # off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94 data: [4095 bits] # off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6 data: [4096 bits] # off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE data: [4094 bits] gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE gpg: encrypted with RSA key, ID 92663E7CA68E4EC6 gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Missing item in object gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Invalid ID gpg: decryption failed: No secret key # off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb :encrypted data packet: length: 1718 mdc_method: 2 I wonder what ?Missing item in object? means. From felix.klee at inka.de Mon Jul 30 12:18:40 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Mon, 30 Jul 2018 12:18:40 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: Zum Vergleich eine Datei, die ich selbst f?r mich verschl?sselt habe, und die ich erfolgreich entschl?sseln kann: >gpg --list-packets foo.gpg gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2 016-12-17 "Felix E. Klee " # off=0 ctb=85 tag=1 hlen=3 plen=524 :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94 data: [4094 bits] # off=527 ctb=d2 tag=18 hlen=2 plen=76 new-ctb :encrypted data packet: length: 76 mdc_method: 2 # off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate :compressed packet: algo=2 # off=550 ctb=cb tag=11 hlen=2 plen=23 new-ctb :literal data packet: mode b (62), created 1532945681, name="", raw data: 17 bytes From felix.klee at inka.de Mon Jul 30 12:40:30 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Mon, 30 Jul 2018 12:40:30 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: Now I tried a different card reader (after restarting Windows 7x64). This time it?s a Cherry ST-2000. Previously it was a ReinerSCT cyberJack. With the Cherry I get a different error message! This time it?s ?Invalid value? instead of ?Invalid ID?! *What does that mean?* >gpg --list-packets encrypted.asc # off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0 data: [4096 bits] # off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94 data: [4095 bits] # off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6 data: [4096 bits] # off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb :pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE data: [4094 bits] gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE gpg: encrypted with RSA key, ID 92663E7CA68E4EC6 gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Invalid value gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, created 2 016-12-17 "Felix E. Klee " gpg: public key decryption failed: Invalid ID gpg: decryption failed: No secret key # off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb :encrypted data packet: length: 1718 mdc_method: 2 From felix.klee at inka.de Mon Jul 30 13:05:12 2018 From: felix.klee at inka.de (Felix E. Klee) Date: Mon, 30 Jul 2018 13:05:12 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: On Mon, Jul 30, 2018 at 12:40 PM, Felix E. Klee wrote: > ?Invalid value? Same on Linux BTW (with the Cherry ST-2000). From dirk.gottschalk1980 at googlemail.com Mon Jul 30 17:14:01 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Mon, 30 Jul 2018 17:14:01 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: <0fae8df52f3831a02481d6e950c5a218f392b178.camel@googlemail.com> Hi. Am Montag, den 30.07.2018, 11:26 +0200 schrieb Felix E. Klee: > On Sun, Jul 29, 2018 at 11:37 PM, Dirk Gottschalk via Gnupg-users > wrote: > > > My encryption key is the sub key 04FDF78D1679DD94. The private > > > key is > > > on a smart card. [?] > > > > Does this key work as expected in other programs, MUAs for example? > > I use it daily for encryption/decryption of documents, though only > with > GnuPG. > > > I didn't test it mysqlf, but exporting a only a sub key should be > > no > > problem. > > *But how?* > > Your suggestion doesn?t seem to work: > > >gpg --export 04FDF78D1679DD94 | gpg --keyid-format long > gpg: WARNING: no command supplied. Trying to guess what you mean > .. Try "gpg --key-id-long -a --export 04FDF78D1679DD94". But, I just tested it and it unfortunately seems to export the whole key bundle. I'll look deeper into this. > > Have you tried to inspect the packets in the file with > > "--list-packets"? > > Here you go (again my encryption key is `04FDF78D1679DD94`): > > >gpg --list-packets encrypted.asc > # off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb > :pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0 > data: [4096 bits] > # off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb > :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94 > data: [4095 bits] > # off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb > :pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6 > data: [4096 bits] > # off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb > :pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE > data: [4094 bits] > gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE > gpg: encrypted with RSA key, ID 92663E7CA68E4EC6 > gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, > created 2 > 016-12-17 > "Felix E. Klee " > gpg: public key decryption failed: Missing item in object > gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0, > created 2 > 016-12-17 > "Felix E. Klee " > gpg: public key decryption failed: Invalid ID > gpg: decryption failed: No secret key > # off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb > :encrypted data packet: > length: 1718 > mdc_method: 2 > > I wonder what ?Missing item in object? means. The file seems to be encrypted (also) for the correct subkey. I wonder about the signature key being mentioned in the first encrypted package line, but I didn't test if this is normal. Probably enQsig does not format the OpenPGP packet correctly. Missing object is an error message that I've never seen before. Your key bundle ist okay, otherwise you should habe the same problems with other encrypted files. The last packet mentions your signature key as used for encryption, this is an error for sure. Invalid ID means that the key with this ID does nor have the capabelity to encrypt or decrypt, which is correct. In this case you really have no secret key to decrypt the file. EnQsif seems really to mess up the encryption thing for unknown reasons. I'll check for a way to eyport a public subkey. This schould work because exporting a secret subkey is also possible. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac id="-x-evo-selection-start-marker"> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From dirk.gottschalk1980 at googlemail.com Mon Jul 30 17:19:54 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Mon, 30 Jul 2018 17:19:54 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: <6fc9001baa5e2908ef2951489166c880201c5e19.camel@googlemail.com> Hi. Am Montag, den 30.07.2018, 12:18 +0200 schrieb Felix E. Klee: > Zum Vergleich eine Datei, die ich selbst f?r mich verschl?sselt habe, > und die ich erfolgreich entschl?sseln kann: > > >gpg --list-packets foo.gpg > gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94, > created 2 > 016-12-17 > "Felix E. Klee " > # off=0 ctb=85 tag=1 hlen=3 plen=524 > :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94 > data: [4094 bits] > # off=527 ctb=d2 tag=18 hlen=2 plen=76 new-ctb > :encrypted data packet: > length: 76 > mdc_method: 2 > # off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate > :compressed packet: algo=2 > # off=550 ctb=cb tag=11 hlen=2 plen=23 new-ctb > :literal data packet: > mode b (62), created 1532945681, name="", > raw data: 17 bytes As a dirty workaroung you could generate a dedicated key without subkeys with the capabilities set to [SCE] and try this key, which should work. This will not fix the Issue per se, but should get your decryption working while you try to solve the main problem. I don't npw how important the data exchange in your case is. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac id="-x-evo-selection-start-marker"> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From dirk.gottschalk1980 at googlemail.com Mon Jul 30 17:32:56 2018 From: dirk.gottschalk1980 at googlemail.com (Dirk Gottschalk) Date: Mon, 30 Jul 2018 17:32:56 +0200 Subject: Cannot decrypt file encrypted with enQsig In-Reply-To: References: <40bc9febfe2c7f90cc7d56df04846cd8afe47a53.camel@googlemail.com> Message-ID: Hello Again. :-D Am Montag, den 30.07.2018, 12:18 +0200 schrieb Felix E. Klee: To compare the output of your packet analysis, I encrypted a file for myself and got this result with --list-packets: $ gpg -v --list-packets WoV-Logs.7z.gpg gpg: ?ffentlicher Schl?ssel ist CAE07B251AE3F69E gpg: der Unterschl?ssel CAE07B251AE3F69E wird anstelle des Hauptschl?ssels 40810B181ED8E838 verwendet gpg: der Unterschl?ssel CAE07B251AE3F69E wird anstelle des Hauptschl?ssels 40810B181ED8E838 verwendet gpg: verschl?sselt mit 4096-Bit RSA Schl?ssel, ID CAE07B251AE3F69E, erzeugt 2018-03-01 "Dirk Gottschalk " gpg: AES256 verschl?sselte Daten # off=0 ctb=85 tag=1 hlen=3 plen=524 :pubkey enc packet: version 3, algo 1, keyid CAE07B251AE3F69E data: [irrelevant hex data snipped] # off=527 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb :encrypted data packet: length: unknown mdc_method: 2 # off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate :compressed packet: algo=2 # off=550 ctb=90 tag=4 hlen=2 plen=13 :onepass_sig packet: keyid 40810B181ED8E838 version 3, sigclass 0x00, digest 10, pubkey 1, last=1 # off=565 ctb=ae tag=11 hlen=5 plen=191470 :literal data packet: mode b (62), created 1532964524, name="WoV-Logs.7z", raw data: 191453 bytes # off=192040 ctb=89 tag=2 hlen=3 plen=563 :signature packet: algo 1, keyid 40810B181ED8E838 version 4, created 1532964524, md5len 0, sigclass 0x00 digest algo 10, begin of digest e0 4e hashed subpkt 33 len 21 (issuer fpr v4 DDCBAF8E0132AA5420ABB86440810B181ED8E838) hashed subpkt 2 len 4 (sig created 2018-07-30) subpkt 16 len 8 (issuer key ID 40810B181ED8E838) data: [irrelevant hex data snipped] The signature key is only mentioned in the signature packet, but not in combination with the en-/decryption. I really think this is an enQsig issue and should be filed as a bug report to it's developers. Regards, Dirk -- Dirk Gottschalk Paulusstrasse 6-8 52064 Aachen, Germany GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838 Keybase.io: https://keybase.io/dgottschalk GitHub: https://github.com/Dirk1980ac id="-x-evo-selection-start-marker"> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: From sebastian at karotte.org Tue Jul 31 18:22:49 2018 From: sebastian at karotte.org (Sebastian Wiesinger) Date: Tue, 31 Jul 2018 18:22:49 +0200 Subject: Pinentry does not show "please insert smartcard" dialog In-Reply-To: <7caacdf33f7192a5d41752816544a0dfab70ee7c.camel@googlemail.com> References: <20180627074208.dpn2z2mi3agswev3@danton.fire-world.de> <7caacdf33f7192a5d41752816544a0dfab70ee7c.camel@googlemail.com> Message-ID: <20180731162249.rorosljshypjo5si@danton.fire-world.de> * GnuPG Users [2018-06-30 13:22]: > > What doesn't work is the "please insert smartcard" dialog when the > > key > > is not plugged in. I manually added the correct keygrip to the > > sshcontrol file but this does not work. On my MacOS the same config > > does display the "insert smartcard" dialog. > > > > Any idea why it doesn't work on my Linux system or how to find out? I > > already tried multiple debug options but no helpful info showed up in > > the logs. > > There is no card reader available, when yubikey is not plugged in. I > use the smartcard with a external reader. I also do not see this dialof > when the Reader is not connected. > > I think, there is a dependence to a connected reader to schow this > dialog. I don't think this is the reason because the same setup works under OSX. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 614 bytes Desc: not available URL: