From aheinecke at intevation.de Tue Oct 2 10:43:44 2018
From: aheinecke at intevation.de (Andre Heinecke)
Date: Tue, 02 Oct 2018 10:43:44 +0200
Subject: converting gpg files into PEM and certification change confusion
In-Reply-To: <87h8iacgvb.fsf@wheatstone.g10code.de>
References: <1538071627836.86861@pacificorp.com> <87h8iacgvb.fsf@wheatstone.g10code.de>
Message-ID: <2403588.3dKXlsaUT6@esus>

Hi,

On Friday, September 28, 2018 7:48:08 AM CEST Werner Koch wrote:
> It is not possible to mix both protocols. There is one exception: With
> a bit of magic it is possible to use a key stored on a smartcard by
> both protocols. This is because down at the lowest math level both use
> the same algorithms.

Oh! I would personally be very interested in that. I was asked this in Support
and so far have answered -> Impossible.

Any hints / documentation on how to achieve this?

Regards,
Andre

--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL:

From wk at gnupg.org Tue Oct 2 17:00:24 2018
From: wk at gnupg.org (Werner Koch)
Date: Tue, 02 Oct 2018 17:00:24 +0200
Subject: converting gpg files into PEM and certification change confusion
In-Reply-To: <2403588.3dKXlsaUT6@esus> (Andre Heinecke's message of "Tue, 02 Oct 2018 10:43:44 +0200")
References: <1538071627836.86861@pacificorp.com> <87h8iacgvb.fsf@wheatstone.g10code.de> <2403588.3dKXlsaUT6@esus>
Message-ID: <87o9cc75rr.fsf@wheatstone.g10code.de>

On Tue, 2 Oct 2018 10:43, aheinecke at intevation.de said:

> Any hints / documentation on how to achieve this?

That is easy if you have the keygrip (gpg --with-keygrip -K)

--8<---------------cut here---------------start------------->8---
$ gpgsm --gen-key
gpgsm (GnuPG) 2.3.0-beta459; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 2
Enter the keygrip: 69DE053632BD10D51A34C23B9D45A3655F9E0A6B
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 1
Enter the X.509 subject name: CN=test
Enter email addresses (end with an empty line):
> test at example.net
>
Enter DNS names (optional; end with an empty line):
>
Enter URIs (optional; end with an empty line):
>
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 69DE053632BD10D51A34C23B9D45A3655F9E0A6B
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=test
    Name-Email: test at example.net

Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: about to sign the certificate for key: &69DE053632BD10D51A34C23B9D45A3655F9E0A6B
gpgsm: certificate created
Ready.
-----BEGIN CERTIFICATE-----
MIIB8DCCAVmgAwIBAgIIf9VW1oAzgtcwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE
AxMEdGVzdDAgFw0xODEwMDIxNDUzMDVaGA8yMDYzMDQwNTE3MDAwMFowDzENMAsG
A1UEAxMEdGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwoOWEbhVS69l
[...]
--8<---------------cut here---------------end--------------->8---

or to create another OpenPGP key from an existing (gpg) key:

--8<---------------cut here---------------start------------->8---
$ gpg --expert --full-gen-key
gpg: WARNING: unsafe permissions on homedir '/home/wk/b/gnupg/test-kbxd'
gpg (GnuPG) 2.3.0-beta459; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 13
Enter the keygrip: 69DE053632BD10D51A34C23B9D45A3655F9E0A6B

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
Please specify how long the key should be valid.
         0 = key does not expire
           = key expires in n days
         w = key expires in n weeks
         m = key expires in n months
         y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name:
Email address: test2 at example.net
Comment:
You selected this USER-ID:
    "test2 at example.net"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key D2B554FFDE4135B7 marked as ultimately trusted
gpg: revocation certificate stored as '/home/wk/b/gnupg/test-kbxd/openpgp-revocs.d/FC7123F7C24BF9929836F44ED2B554FFDE4135B7.rev'
public and secret key created and signed.

pub   rsa1024 2018-10-02 [SCE]
      FC7123F7C24BF9929836F44ED2B554FFDE4135B7
uid                      test2 at example.net

--8<---------------cut here---------------end--------------->8---

Works also with stock 2.2 versions,

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From madhu.narisetty at gmail.com Tue Oct 2 17:41:52 2018
From: madhu.narisetty at gmail.com (Madhav Narisetty)
Date: Tue, 2 Oct 2018 16:41:52 +0100
Subject: GPG 2.1.0 Compatibility Metrix(Solaris/Linux/HP Unix) and Installation
Message-ID:

Hello Team,

Can someone let me know the GPG 2.1.0 compatibility Matrix for
Unix(Solaris/Linux/HP Unix).
Also, I would require installation binaries and steps on Solaris / Linux
and HP UX systems.

Any kind of help would be appreciated.

Regards,
Venu Madhav

From gniibe at fsij.org Wed Oct 3 01:53:23 2018
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Wed, 03 Oct 2018 08:53:23 +0900
Subject: GPG 2.1.0 Compatibility Metrix(Solaris/Linux/HP Unix) and Installation
In-Reply-To:
References:
Message-ID: <87h8i33nyk.fsf@iwagami.gniibe.org>

Madhav Narisetty wrote:
> Can someone let me know the GPG 2.1.0 compatibility Matrix for
> Unix(Solaris/Linux/HP Unix).
> Also, I would require installation binaries and steps on Solaris / Linux
> and HP UX systems.

For GNU/Linux, distributions offer binaries for GnuPG. These days,
GnuPG 2.1.x/2.2.x is available.

For Solaris, I checked OpenIndiana, but it only offers GnuPG 2.0.x
(yet), while libraries (except npth) are available.

For HP-UX, I checked the HP-UX Porting and Archive Centre [0], situation
is similar. Since all libraries are available (including npth) there,
building GnuPG is not that hard, I suppose.

I, for myself, do my best to keep supporting those (older) systems, in
our development. However, we don't actively develop GnuPG on those
systems. Only occasionally, when needed. Well, since I don't have any
access to HP-UX system any more, so, it depends on bug reporters.

Last month, in libgpg-error development, I learned that such older
Unixen tend to use ksh (variant) for /bin/sh.

I encourage users on Solaris and HP-UX to migrate GnuPG 2.2.

[0] http://hpux.connect.org.uk/
--

From dguthrie at posteo.net Wed Oct 3 03:04:18 2018
From: dguthrie at posteo.net (Duncan Guthrie)
Date: Wed, 3 Oct 2018 02:04:18 +0100
Subject: GPG 2.1.0 Compatibility Metrix(Solaris/Linux/HP Unix) and Installation
In-Reply-To: <87h8i33nyk.fsf@iwagami.gniibe.org>
References: <87h8i33nyk.fsf@iwagami.gniibe.org>
Message-ID: <9d02c7b7-c204-a3f9-ae83-a7b772d6096f@posteo.net>

Hello,

On 03/10/18 00:53, NIIBE Yutaka wrote:
> Madhav Narisetty wrote:
>> Can someone let me know the GPG 2.1.0 compatibility Matrix for
>> Unix(Solaris/Linux/HP Unix).
>> Also, I would require installation binaries and steps on Solaris / Linux
>> and HP UX systems.
>
> For GNU/Linux, distributions offer binaries for GnuPG. These days,
> GnuPG 2.1.x/2.2.x is available.
>
> For Solaris, I checked OpenIndiana, but it only offers GnuPG 2.0.x
> (yet), while libraries (except npth) are available.
>
> For HP-UX, I checked the HP-UX Porting and Archive Centre [0], situation
> is similar. Since all libraries are available (including npth) there,
> building GnuPG is not that hard, I suppose.
>
> I, for myself, do my best to keep supporting those (older) systems, in
> our development. However, we don't actively develop GnuPG on those
> systems. Only occasionally, when needed. Well, since I don't have any
> access to HP-UX system any more, so, it depends on bug reporters.
>
> Last month, in libgpg-error development, I learned that such older
> Unixen tend to use ksh (variant) for /bin/sh.
>
> I encourage users on Solaris and HP-UX to migrate GnuPG 2.2.
>
> [0] http://hpux.connect.org.uk/
>

Regarding Illumos derivatives such as the aforementioned OpenIndiana,
Joyent produce pkgsrc binaries for Illumos:
https://pkgsrc.joyent.com/install-on-illumos/.
With this, I was able to get GnuPG 2.2.4 to work on my box running SmartOS.

I don't know if it would work on Solaris, though. Illumos and modern
Solaris may have diverged quite a bit by now. But at least it might
provide a starting point.

Best wishes,

Duncan

From dclarke at blastwave.org Wed Oct 3 04:13:18 2018
From: dclarke at blastwave.org (Dennis Clarke)
Date: Tue, 2 Oct 2018 22:13:18 -0400
Subject: GPG 2.1.0 Compatibility Metrix(Solaris/Linux/HP Unix) and Installation
In-Reply-To: <87h8i33nyk.fsf@iwagami.gniibe.org>
References: <87h8i33nyk.fsf@iwagami.gniibe.org>
Message-ID:

On 10/02/2018 07:53 PM, NIIBE Yutaka wrote:
> Madhav Narisetty wrote:
>> Can someone let me know the GPG 2.1.0 compatibility Matrix for
>> Unix(Solaris/Linux/HP Unix).
>> Also, I would require installation binaries and steps on Solaris / Linux
>> and HP UX systems.
>
> For GNU/Linux, distributions offer binaries for GnuPG. These days,
> GnuPG 2.1.x/2.2.x is available.
>
> For Solaris, I checked OpenIndiana, but it only offers GnuPG 2.0.x
> (yet), while libraries (except npth) are available.
>...
> I encourage users on Solaris and HP-UX to migrate GnuPG 2.2.

I'll have a look at it. I have a reasonable 64-bit stack on Solaris but
only for sparc. Mostly because I never had much use for the x86 variant.

Dennis Clarke

From keesdejong+bugs at gmail.com Wed Oct 3 14:44:50 2018
From: keesdejong+bugs at gmail.com (K. de Jong)
Date: Wed, 3 Oct 2018 14:44:50 +0200
Subject: Where to put "export-pka" output in DNS?
Message-ID:

Hi,

I want to make use of PKA, I saw a few blogs [1] where they did this in TXT
DNS records. However, this seems to not work anymore. When I issue
`gpg2 --export-options export-pka --export $keyid` I get an output.
But it's unclear where I should put this output in DNS. A TXT record? Or a
CERT record [2]? Something else? I would like to hear some comments about
this.

The TXT record method has my preference since I do not have CERT records at
my registrar. Is there some official documentation about this?

[1] https://keyserver.mattrude.com/guides/public-key-association/
[2] https://slxh.nl/blog/2016/pgp-and-dns/

--
Kind regards,
Kees de Jong | OpenPGP fingerprint: 0x0E45C98AB51428E6

From wiktor at metacode.biz Wed Oct 3 22:12:15 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Wed, 3 Oct 2018 22:12:15 +0200
Subject: Where to put "export-pka" output in DNS?
In-Reply-To:
References:
Message-ID: <8a744b40-cef3-0496-92d5-5ac62fe0487c@metacode.biz>

Hi Kees,

> I want to make use of PKA, I saw a few blogs [1] where they did this in
> TXT DNS records. However, this seems to not work anymore. When I issue
> `gpg2 --export-options export-pka --export $keyid` I get an output. But
> it's unclear where I should put this output in DNS. A TXT record? Or a
> CERT record [2]? Something else? I would like to hear some comments
> about this.
>
> The TXT record method has my preference since I do not have CERT records
> at my registrar. Is there some official documentation about this?

Yes, it's a TXT record, such as this (for user at example.com):

user._pka.example.com. TXT "v=pka1;fpr=D2063054549295F3349037FFFBBE5A30624BB249;uri=http://example.com/key.asc"

see examples here: http://www.gushi.org/make-dns-cert/HOWTO.html

Note that if you have your own domain and HTTPS set up it would be
better to utilize the Web Key Directory, that is enabled by default in
modern GnuPG and used by some e-mail clients automatically
(thunderbird/enigmail, outlook/gpgol).

Export your binary key (gpg --export user at example.com > key.gpg) and
get the hash (gpg --list-keys --with-wkd user at example.com) and copy
your key to https://example.com/.well-known/openpgpkey/hu/$hash, replace
example.com and $hash with your values. Then "gpg --locate-key user at
example.com" will then download the key from your web server.

More details here: https://wiki.gnupg.org/WKD

Kind regards,
Wiktor

>
> [1] https://keyserver.mattrude.com/guides/public-key-association/
> [2] https://slxh.nl/blog/2016/pgp-and-dns/
>
>
> --
> Kind regards,
> Kees de Jong | OpenPGP fingerprint: 0x0E45C98AB51428E6
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

--
https://metacode.biz/@wiktor

From wk at gnupg.org Thu Oct 4 10:30:09 2018
From: wk at gnupg.org (Werner Koch)
Date: Thu, 04 Oct 2018 10:30:09 +0200
Subject: Where to put "export-pka" output in DNS?
In-Reply-To: (K. de Jong's message of "Wed, 3 Oct 2018 14:44:50 +0200")
References:
Message-ID: <877eiy15da.fsf@wheatstone.g10code.de>

On Wed, 3 Oct 2018 14:44, keesdejong+bugs at gmail.com said:

> I want to make use of PKA, I saw a few blogs [1] where they did this in TXT
> DNS records. However, this seems to not work anymore. When I issue `gpg2

Please don't use this anymore. It never got any kind of widespread
adoption and thus will eventually be removed from gnupg.

You should use the Web key Directory instead which is much easier and
does not even require that you fiddle with the DNS. See Wiktor's
answer.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
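
[Added example, not part of the mailing-list thread and not GnuPG's own code: how the $hash in the Web Key Directory path from Wiktor's message is derived, and a check of a web server's hu/ directory against the addresses it is meant to serve. The derivation (SHA-1 of the ASCII-lowercased local part, z-base-32 encoded) follows the WKD draft; the function names, addresses and file names are constructed for illustration.]

```python
import hashlib

# z-base-32 alphabet, as used by WKD for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5          # pad with zero bits up to a multiple of 5
    bits <<= pad
    nbits += pad
    return "".join(
        ZBASE32[(bits >> shift) & 0x1F] for shift in range(nbits - 5, -1, -5)
    )


def ascii_lower(text: str) -> str:
    """Lowercase ASCII letters only; non-ASCII characters stay unchanged."""
    return "".join(c.lower() if c.isascii() else c for c in text)


def split_address(address: str):
    """Split 'local@domain' and reject anything that is not of that shape."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return local, domain


def wkd_hash(local_part: str) -> str:
    """32-character file name under .well-known/openpgpkey/hu/."""
    digest = hashlib.sha1(ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32(digest)


def wkd_direct_url(address: str) -> str:
    """URL in the form given in the thread: https://<domain>/.well-known/..."""
    local, domain = split_address(address)
    return (
        f"https://{ascii_lower(domain)}/.well-known/openpgpkey/hu/"
        f"{wkd_hash(local)}"
    )


def audit_hu_directory(addresses, filenames):
    """Compare the files found in hu/ with the addresses to be published.

    Returns (missing, orphans): addresses that have no key file, and files
    that do not correspond to any listed address (for example a key left
    behind after a mailbox was removed).
    """
    expected = {wkd_hash(split_address(a)[0]): a for a in addresses}
    present = set(filenames)
    missing = sorted(a for h, a in expected.items() if h not in present)
    orphans = sorted(present - expected.keys())
    return missing, orphans


if __name__ == "__main__":
    # Constructed sample data: two mailboxes, one published key, one stray file.
    mailboxes = ["Joe.Doe@Example.ORG", "user@example.org"]
    hu_files = [wkd_hash("joe.doe"), "stale-file"]
    for box in mailboxes:
        print(box, "->", wkd_direct_url(box))
    print(audit_hu_directory(mailboxes, hu_files))
```

The value printed for a mailbox should match what gpg --list-keys --with-wkd shows for the same address.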
From zerbey at gmail.com Fri Oct 5 21:04:11 2018
From: zerbey at gmail.com (Chris Horry)
Date: Fri, 5 Oct 2018 15:04:11 -0400
Subject: Wrong key usage (0x19, 0x2) on key
Message-ID:

Hello all,

I noticed my key has started throwing this warning in new versions, it may
have been related to me trying to add an authentication key for my YubiKey
so I'm hoping I didn't mess it up. I've done some Googling to see if
there's a way to restore it to normal operation without much success:

gpg: bad data signature from key : Wrong key usage (0x19, 0x2)
Secret key is available.

sec  rsa4096/
     created: 2016-05-03  expires: 2021-05-03  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/
     created: 2016-05-03  expires: 2021-05-03  usage: E
The following key was revoked on 2018-09-26 by RSA key Chris Horry
sub  rsa4096/
     created: 2018-09-23  revoked: 2018-09-26  usage: SEA
The following key was revoked on 2018-09-26 by RSA key Chris Horry
sub  rsa4096/
     created: 2018-09-23  revoked: 2018-09-26  usage: E
[ultimate] (1). Chris Horry
[ultimate] (2) Chris Horry
[ultimate] (3) Chris Horry
[ultimate] (4) Chris Horry

The two revoked subkeys were from my YubiKey experiments, I've since
created a separate key for that device and it's working just fine.

Any help appreciated, I just want to remove the warnings and hopefully get
reassurance my key is working. I just use it for signing, certification
and encryption (and decryption). Creating a new key is an option, but
would be inconvenient :(

Thanks!

Chris

--
Chris Horry
Ham Radio - KG4TSM
zerbey at gmail.com
https://twitter.com/zerbey
From dkg at fifthhorseman.net Sun Oct 7 03:01:20 2018
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 06 Oct 2018 21:01:20 -0400
Subject: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)
In-Reply-To:
References: <98b958f1-5f8c-dfc2-7ad4-59dd941fac56@digitalbrains.com> <6d040c11-1027-495d-61b5-e8a5b750a794@digitalbrains.com> <87zhw8ge5x.fsf@fifthhorseman.net>
Message-ID: <87zhvqpo2n.fsf@fifthhorseman.net>

On Mon 2018-09-24 12:44:38 +0200, Peter Lebbing wrote:
> The always-correct option would be to --export, copy the exported key to
> the initramfs, and simply --import it before use, no meddling with
> prefabricated keyrings. It does waste some processing.

I think you're right that this is an "always-correct" option.

But i note that when assembling an initramfs, you have to choose which
version of GnuPG you put in it. And i also note that the initramfs is
typically never modified once created: rather, a new one might be
created and swapped in.

This suggests that at time of initramfs creation, you can use your
suggested "--no-default-keyring --keyring foo.kbx --import" approach
(using the version of gpg that you are also packing into the initramfs),
and you can be confident that it will work in the initramfs, because the
version of gpg and the keyring will match.

In this case, you only need to --import at initramfs creation time, and
you can avoid the extra --import at initramfs-run-time.

Does this make sense? you just need to make sure you tie the version of
gpg and the keyring into the same initramfs build time.

> So have I been too strict all these years? :-) Are we free to build
> keyrings with --export and will GnuPG happily consume them as an
> always-supported fallback?

I don't know the answer to this about using concatenated TPKs as
keyring. Maybe Werner can weigh in?

But GnuPG *will* forever continue to consume concatenated TPKs via
--import -- that's the OpenPGP interoperable format, and if GnuPG stops
consuming it on --import, it would no longer be an OpenPGP
implementation.

Regards,

        --dkg

From patrick at enigmail.net Sun Oct 7 10:57:54 2018
From: patrick at enigmail.net (Patrick Brunschwig)
Date: Sun, 07 Oct 2018 10:57:54 +0200
Subject: 4th OpenPGP Email Summit - Update
In-Reply-To: <1d5b7612-cf0e-d482-eeb8-5f4307aed91d@enigmail.net>
References: <1d5b7612-cf0e-d482-eeb8-5f4307aed91d@enigmail.net>
Message-ID: <1A74370D-DC92-41D2-A4B3-9A06430BBD4C@enigmail.net>

It's 2 weeks until the Summit. Here are some updates:

- Friday evening: we will meet at the Winery (Trois Tilleuls Street 1, 1170 Brussels, www.winery.be ). People from Mailfence will be there from 19:30, I will arrive a little later.

- if you plan to come, but didn't tell me yet, please send me an email.

- we will start on Saturday at 09:30. If you have any issues such as finding the location or with local logistics, here is my phone number: +41 78 631 6622

- we will have a plenary session on Saturday. If you have something you think is worth sharing with everyone, then that would be the perfect occasion for a short presentation.

See https://wiki.gnupg.org/OpenPGPEmailSummit201810 for details.

I'm looking forward to meeting you all.

-Patrick

--
Patrick Brunschwig
mailto:patrick at enigmail.net
PGP fingerprint: 4F9F 89F5 505A C1D1 A260 631C DB11 87B9 DD5F 693B
From wk at gnupg.org Mon Oct 8 16:24:21 2018
From: wk at gnupg.org (Werner Koch)
Date: Mon, 08 Oct 2018 16:24:21 +0200
Subject: Wrong key usage (0x19, 0x2) on key
In-Reply-To: (Chris Horry's message of "Fri, 5 Oct 2018 15:04:11 -0400")
References:
Message-ID: <87efd0wm7e.fsf@wheatstone.g10code.de>

On Fri, 5 Oct 2018 21:04, zerbey at gmail.com said:

> gpg: bad data signature from key : Wrong key usage (0x19, 0x2)
> Secret key is available.

Right, I noticed this as well but ignored it. Thanks for raising this.
I re-opened task 4014 and pushed a fix to master. I attach it in case
you want to apply and test it in stable.

73 de DD9JN

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-gpg-Fix-extra-check-for-sign-usage-of-a-data-signatu.patch
Type: text/x-diff
Size: 1057 bytes
Desc: not available
URL:

From zerbey at gmail.com Mon Oct 8 16:38:39 2018
From: zerbey at gmail.com (Chris Horry)
Date: Mon, 8 Oct 2018 10:38:39 -0400
Subject: Wrong key usage (0x19, 0x2) on key
In-Reply-To: <87efd0wm7e.fsf@wheatstone.g10code.de>
References: <87efd0wm7e.fsf@wheatstone.g10code.de>
Message-ID:

Werner,

Thanks for letting me know and for the patch,

73,

Chris

On Mon, Oct 8, 2018 at 10:34 AM Werner Koch wrote:

> On Fri, 5 Oct 2018 21:04, zerbey at gmail.com said:
>
> > gpg: bad data signature from key : Wrong key usage (0x19, 0x2)
> > Secret key is available.
>
> Right, I noticed this as well but ignored it. Thanks for raising this.
> I re-opened task 4014 and pushed a fix to master. I attach it in case
> you want to apply and test it in stable.
>
> 73 de DD9JN
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>

--
Chris Horry
Ham Radio - KG4TSM
zerbey at gmail.com
https://twitter.com/zerbey

From wiktor at metacode.biz Mon Oct 8 20:42:01 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Mon, 8 Oct 2018 20:42:01 +0200
Subject: Get notation value through --with-colons interface
Message-ID: <5f0a031b-74ef-032d-39da-ae69c923910a@metacode.biz>

Hello,

I'm wondering if there is a way to programmatically access notations on
self-certifications?

I see them through --list-options show-notations:

    gpg --list-options show-notations --list-sigs 6C8857E0D8E8F074 | grep notation

but adding --with-colons to that command unfortunately filters out
notations.

Is there any way to access it via API-like interface? I'm mostly
interested in a particular notation key on last self-certification
signature of my primary UID.

Thank you in advance for help!

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

From wk at gnupg.org Mon Oct 8 23:41:27 2018
From: wk at gnupg.org (Werner Koch)
Date: Mon, 08 Oct 2018 23:41:27 +0200
Subject: [openpgp-email] 4th OpenPGP Email Summit - Update
In-Reply-To: <1A74370D-DC92-41D2-A4B3-9A06430BBD4C@enigmail.net> (Patrick Brunschwig's message of "Sun, 07 Oct 2018 10:57:54 +0200")
References: <1d5b7612-cf0e-d482-eeb8-5f4307aed91d@enigmail.net> <1A74370D-DC92-41D2-A4B3-9A06430BBD4C@enigmail.net>
Message-ID: <87o9c4uneg.fsf@wheatstone.g10code.de>

On Sun, 7 Oct 2018 10:57, patrick at enigmail.net said:

> - we will start on Saturday at 09:30. If you have any issues such as finding the location or with local logistics, here is my phone number: +41 78 631 6622

Huh, that is early. Andre and me might arrive a bit later.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
From wk at gnupg.org Tue Oct 9 09:04:09 2018
From: wk at gnupg.org (Werner Koch)
Date: Tue, 09 Oct 2018 09:04:09 +0200
Subject: [Announce] GnuPG Made Easy (GPGME) 1.12.0 released
Message-ID: <87a7nnvbx2.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce version 1.12.0 of GPGME.

GnuPG Made Easy (GPGME) is a C language library that allows to add
support for cryptography to a program. It is designed to make access to
public key crypto engines like gpg and gpgsm easier for applications.
GPGME provides a high-level crypto API for encryption, decryption,
signing, signature verification, and key management. GPGME comes with
language bindings for Common Lisp, C++, QT, Python 2 and 3.

See https://gnupg.org/software/gpgme for more.

Noteworthy changes in version 1.12.0
====================================

 * Enhanced the JSON based interface tool gpgme-json to support Native
   Messaging as well as new Javascript code to support the browser
   site. See lang/js/README for details.

 * Major overhaul of the Python language bindings documentation.

 * Even for old versions of gpg a missing MDC will now lead to a
   decryption failure.

 * Added context flag "auto-key-locate" to control the behavior of
   GPGME_KEYLIST_MODE_LOCATE.

 * New data function to create a data object from an estream.

 * Add more interfaces to the C++ bindings.

 * Improved error codes on decryption failure.

 * Lots of minor fixes.

 * Interface changes relative to the 1.11.1 release:

 gpgme_data_new_from_estream                NEW.
 gpgme_decrypt_result_t                     EXTENDED: New field legacy_cipher_nomdc.
 gpgme_set_ctx_flag                         EXTENDED: New flag 'ignore-mdc-error'.
 GPGME_AUDITLOG_DEFAULT                     NEW.
 GPGME_AUDITLOG_DIAG                        NEW.
 gpgme_set_ctx_flag                         EXTENDED: New flag 'auto-key-locate'.
 cpp: DecryptionResult::sessionKey          NEW.
 cpp: DecryptionResult::symkeyAlgo          NEW.
 cpp: DecryptionResult::isLegacyCipherNoMDC NEW.
 cpp: Data::rewind                          NEW.
 cpp: Context::setFlag                      NEW.
 cpp: Context::getFlag                      NEW.
 cpp: Context::createKeyEx                  NEW.

Release-info: https://dev.gnupg.org/T4109

Download
========

You may download this library and its OpenPGP signature from:

 https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.12.0.tar.bz2 (1619k)
 https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.12.0.tar.bz2.sig

or from ftp.gnupg.org. The SHA-1 checksum is

 6f1828fcd7de4366ca063e57f35e4ab24bc91baf gpgme-1.12.0.tar.bz2

but you better check the integrity using the provided signature. See
for details.

Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs one full-time developer and two
contractors. All work exclusively on GnuPG and closely related software
like Libgcrypt and GPGME.

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.

Many thanks to our numerous financial supporters, both corporate and
individuals. Without you it would not be possible to keep GnuPG in a
good shape and address all the small and larger requests made by our
users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-devel 'at' gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners.
Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at and in any recently released GnuPG tarball
in the file g10/distsigkey.gpg . Note that this mail has been signed
by a different key.

--
Thoughts are free. Exceptions are regulated by a federal law.

From aheinecke at intevation.de Tue Oct 9 15:08:12 2018
From: aheinecke at intevation.de (Andre Heinecke)
Date: Tue, 09 Oct 2018 15:08:12 +0200
Subject: Get notation value through --with-colons interface
In-Reply-To: <5f0a031b-74ef-032d-39da-ae69c923910a@metacode.biz>
References: <5f0a031b-74ef-032d-39da-ae69c923910a@metacode.biz>
Message-ID: <4367063.HNTWFdmNrc@esus>

Hi,

On Monday, October 8, 2018 8:42:01 PM CEST Wiktor Kwapisiewicz via Gnupg-users wrote:
> Is there any way to access it via API-like interface?

GPGME does:

gpg --with-colons --list-options show-sig-subpackets=\"20,26\" \
    --list-sigs 6C8857E0D8E8F074

Best Regards,
Andre

--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From wiktor at metacode.biz Tue Oct 9 16:53:24 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Tue, 9 Oct 2018 16:53:24 +0200
Subject: Get notation value through --with-colons interface
In-Reply-To: <4367063.HNTWFdmNrc@esus>
References: <5f0a031b-74ef-032d-39da-ae69c923910a@metacode.biz> <4367063.HNTWFdmNrc@esus>
Message-ID: <8bafb252-97ff-8a16-93b2-691cec198dce@metacode.biz>

On 09.10.2018 15:08, Andre Heinecke wrote:
> gpg --with-colons --list-options show-sig-subpackets=\"20,26\" \
> --list-sigs 6C8857E0D8E8F074

Wow, that was exactly what I needed!

Thank you Andre!

For the record, once I knew it I found some resources about the format:

https://lists.gt.net/gnupg/devel/31529

https://dev.gnupg.org/source/gnupg/browse/master/doc/DETAILS;b6275f3bda8edff34274c5b921508567f491ab9c$337

and, of course:

https://tools.ietf.org/html/rfc4880#section-5.2.3.16

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

From Siemons at CleanFuels.nl Wed Oct 10 12:06:04 2018
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Wed, 10 Oct 2018 12:06:04 +0200
Subject: Help needed with key
Message-ID: <8d34d305-dc7c-fac7-dea0-f427191a8217@CleanFuels.nl>

An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: klhjphckjfmegnpf.png
Type: image/png
Size: 21324 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAEEC5E2ED87628F5.asc
Type: application/pgp-keys
Size: 6319 bytes
Desc: not available
URL:

From siemons at cleanfuels.nl Wed Oct 10 12:31:34 2018
From: siemons at cleanfuels.nl (Roland Siemons)
Date: Wed, 10 Oct 2018 12:31:34 +0200
Subject: Help needed with key
Message-ID: <10748626-e93a-ee32-eaa1-390ab03e472f@cleanfuels.nl>

An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAEEC5E2ED87628F5.asc
Type: application/pgp-keys
Size: 6319 bytes
Desc: not available
URL:

From siemons at cleanfuels.nl Wed Oct 10 14:02:29 2018
From: siemons at cleanfuels.nl (Roland Siemons)
Date: Wed, 10 Oct 2018 14:02:29 +0200
Subject: Decryption troubles
Message-ID:

Dear GNUPGs,

I have strange troubles with my key.
I DO can decrypt encrypted files that other people prepared for me,
using the public part of my key for encryption.
I canNOT decrypt files that were made by myself, using the same key.
I receive this error message: "The GPGME library returned an unexpected
error at gpafiledecryptop.c:540. The error was: No secret key."

I am using GPA with GnuPG 2.2.10.

Please advise!

--
Roland Siemons
Haaksbergerstraat 205
ENSCHEDE
t: O645616734

From wk at gnupg.org Wed Oct 10 18:09:23 2018
From: wk at gnupg.org (Werner Koch)
Date: Wed, 10 Oct 2018 18:09:23 +0200
Subject: Decryption troubles
In-Reply-To: (Roland Siemons's message of "Wed, 10 Oct 2018 14:02:29 +0200")
References:
Message-ID: <87d0shss0c.fsf@wheatstone.g10code.de>

On Wed, 10 Oct 2018 14:02, siemons at cleanfuels.nl said:

> I am using GPA with GnuPG 2.2.10.

IIRC, the latest released GPA version is way behind what we have in the
repo.

To figure out your problem, please run gpg on the command line:

  gpg -vd -o OUTPUTFILE ENCRYPTED_FILE

check the error messages you see.


Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From Siemons at CleanFuels.nl Wed Oct 10 20:28:33 2018
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Wed, 10 Oct 2018 20:28:33 +0200
Subject: Decryption troubles
In-Reply-To: <87d0shss0c.fsf@wheatstone.g10code.de>
References: <87d0shss0c.fsf@wheatstone.g10code.de>
Message-ID:

An HTML attachment was scrubbed...

From siemons at cleanfuels.nl Wed Oct 10 20:33:02 2018
From: siemons at cleanfuels.nl (Roland Siemons)
Date: Wed, 10 Oct 2018 20:33:02 +0200
Subject: Decryption troubles
In-Reply-To: <87d0shss0c.fsf@wheatstone.g10code.de>
References: <87d0shss0c.fsf@wheatstone.g10code.de>
Message-ID: <7b3fa55b-4a8e-9898-52ca-a675f021f14a@cleanfuels.nl>

Dear Werner,

Thanks for yr advice. This is what I get, following yr suggestion:
######################
gpg : gpg: public key is 1594F1502D7EF3B9
At line:1 char:1
+ gpg -vd -o C:\Users\Roland\Desktop\Bagger\1.pdf  C:\Users\Roland\Desk ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (gpg: public key is 1594F1502D7EF3B9:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

gpg: using subkey 1594F1502D7EF3B9 instead of primary key AEEC5E2ED87628F5
gpg: encrypted with 2048-bit RSA key, ID 1594F1502D7EF3B9, created 2017-03-18
      "Roland Siemons "
gpg: decryption failed: No secret key
#####################
I do not know what to do with this information, and shall appreciate if you can get me out of these troubles.

For your information, this is returned upon gpg -K:
#######################
C:/Users/Roland/AppData/Roaming/gnupg/pubring.gpg
-------------------------------------------------
sec   rsa2048 2009-09-27 [SCA]
      A5F3C219AB2601BEC1BCE4F2AEEC5E2ED87628F5
uid           [ultimate] Roland Siemons
uid           [ultimate] Roland Siemons
uid           [ultimate] Roland Siemons
uid           [ultimate] Roland Siemons
ssb   rsa2048 2009-09-27 [E]
ssb#  rsa2048 2017-03-18 [E]
ssb#  rsa2048 2017-03-18 [S]

sec>  rsa2048 2017-03-18 [SC]
      FA8FD0825931914AD032F6A40E92D34261B68C62
      Card serial no. = 0005 000047CF
uid           [ unknown] Roland Siemons
ssb>  rsa2048 2017-03-18 [A]
ssb>  rsa2048 2017-03-18 [E]
#################

Best regards, Roland

On 10/10/2018 18:09, Werner Koch wrote:
> On Wed, 10 Oct 2018 14:02, siemons at cleanfuels.nl said:
>
>> I am using GPA with GnuPG 2.2.10.
> IIRC, the latest released GPA version is way behind what we have in the
> repo.
>
> To figure out your problem, please run gpg on the command line:
>
>   gpg -vd -o OUTPUTFILE ENCRYPTED_FILE
>
> check the error messages you see.
>
>
> Salam-Shalom,
>
>    Werner
>

-- 
Roland Siemons
Haaksbergerstraat 205
ENSCHEDE
t: O645616734

From wk at gnupg.org Thu Oct 11 11:05:03 2018
From: wk at gnupg.org (Werner Koch)
Date: Thu, 11 Oct 2018 11:05:03 +0200
Subject: Decryption troubles
In-Reply-To: <7b3fa55b-4a8e-9898-52ca-a675f021f14a@cleanfuels.nl> (Roland Siemons's message of "Wed, 10 Oct 2018 20:33:02 +0200")
References: <87d0shss0c.fsf@wheatstone.g10code.de> <7b3fa55b-4a8e-9898-52ca-a675f021f14a@cleanfuels.nl>
Message-ID: <87tvlsrgzk.fsf@wheatstone.g10code.de>

On Wed, 10 Oct 2018 20:33, siemons at cleanfuels.nl said:

> gpg: decryption failed: No secret key

Well, you don't have the secret key (aka private key) to decrypt the message.

> sec   rsa2048 2009-09-27 [SCA]
>       A5F3C219AB2601BEC1BCE4F2AEEC5E2ED87628F5
[..]
> ssb   rsa2048 2009-09-27 [E]
> ssb#  rsa2048 2017-03-18 [E]

That last key _seems_ to be used. On the keyserver I only found the first subkey and thus I can't be sure. Use

  gpg --with-subkey-fingerprint -K

to also show the fingerprints of subkeys. However, that subkey has been taken offline and that can be the reason why you see the "No secret key"

> sec>  rsa2048 2017-03-18 [SC]
>       FA8FD0825931914AD032F6A40E92D34261B68C62
>       Card serial no. = 0005 000047CF
> uid           [ unknown] Roland Siemons
> ssb>  rsa2048 2017-03-18 [A]
> ssb>  rsa2048 2017-03-18 [E]

May it be that the last key is the same subkey as the one above?


Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
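The `#` and `>` markers discussed in the reply above also appear in machine-readable form: per GnuPG's doc/DETAILS, field 15 of a `sec` or `ssb` record in `gpg --with-colons -K` output is `#` for a stub without secret material, `+` when the secret key is available, or the serial number of the token holding it. The following is an added example, not code from the thread or from GnuPG, that looks up the key ID reported in an "encrypted with ... ID ..." line; the listing, key IDs and card serial number are constructed.

```python
KEYID, CAPS, TOKEN = 4, 11, 14  # 0-based indexes of fields 5, 12 and 15

# Constructed listing in the shape of `gpg --with-colons -K` output; all
# key IDs and the card serial number are made up for this example.
SAMPLE_LISTING = """\
sec:u:2048:1:AAAA0000AAAA0001:1254000000:::u:::scaESCA:::+:
ssb:u:2048:1:AAAA0000AAAA0002:1254000000::::::e:::+:
ssb:u:2048:1:AAAA0000AAAA0003:1489800000::::::e:::#:
ssb:u:2048:1:AAAA0000AAAA0004:1489800000::::::s:::#:
sec:-:2048:1:BBBB0000BBBB0001:1489800000:::-:::scESCA:::D2760001240102010006000000010000:
ssb:-:2048:1:BBBB0000BBBB0002:1489800000::::::a:::D2760001240102010006000000010000:
ssb:-:2048:1:BBBB0000BBBB0003:1489800000::::::e:::D2760001240102010006000000010000:
"""


def secret_key_states(listing):
    """Map each sec/ssb key ID to (state, capabilities).

    state is 'present', 'missing' (stub only), 'card:<serial>' or
    'unknown' when field 15 is empty.
    """
    states = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb") or len(fields) <= TOKEN:
            continue
        token = fields[TOKEN]
        if token == "#":
            state = "missing"
        elif token == "+":
            state = "present"
        elif token:
            state = "card:" + token
        else:
            state = "unknown"
        states[fields[KEYID]] = (state, fields[CAPS])
    return states


def diagnose(listing, keyid):
    """Report the state of the key gpg named in 'encrypted with ... ID'.

    Accepts long or short key IDs, with or without a 0x prefix, and
    returns 'not-listed' when no secret key record matches at all.
    """
    wanted = keyid.upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    for full_id, (state, _caps) in secret_key_states(listing).items():
        if full_id.endswith(wanted):
            return state
    return "not-listed"


def decryption_capable(listing):
    """Key IDs that can decrypt right now: 'e' capability and a usable secret."""
    return sorted(
        key_id
        for key_id, (state, caps) in secret_key_states(listing).items()
        if "e" in caps and (state == "present" or state.startswith("card:"))
    )


if __name__ == "__main__":
    for key_id in ("AAAA0000AAAA0003", "BBBB0003", "DEADBEEF"):
        print(key_id, "->", diagnose(SAMPLE_LISTING, key_id))
    print("usable for decryption:", decryption_capable(SAMPLE_LISTING))
```

A result of `missing` matches the `ssb#` case, where only the public part of the subkey is in the keyring; a `card:` result means the matching smartcard has to be inserted.
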
From wiktor at metacode.biz Thu Oct 11 11:22:18 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Thu, 11 Oct 2018 11:22:18 +0200
Subject: Decryption troubles
In-Reply-To: <87tvlsrgzk.fsf@wheatstone.g10code.de>
References: <87d0shss0c.fsf@wheatstone.g10code.de> <7b3fa55b-4a8e-9898-52ca-a675f021f14a@cleanfuels.nl> <87tvlsrgzk.fsf@wheatstone.g10code.de>
Message-ID: <69995e49-0741-bc0d-8908-64313d2161dc@metacode.biz>

Hello,

There are two encryption keys as far as I can see (more complete key in attachment).

Probably one of them was added but the secret key has been lost (during migration? I don't know).

I've suggested checking which one works for them and revoking the other, and then publishing the key to keyservers (that was some time ago, that's how I've got this key with two E keys).

By the way of two encryption keys, I liked your idea: "+ 0x04 - This key may be used as an additional decryption subkey (ADSK)."

Kind regards,
Wiktor

On 11.10.2018 11:05, Werner Koch wrote:
> On Wed, 10 Oct 2018 20:33, siemons at cleanfuels.nl said:
>
>> gpg: decryption failed: No secret key
>
> Well, you don't have the secret key (aka private key) to decrypt the
> message.
>
>
>> sec   rsa2048 2009-09-27 [SCA]
>>       A5F3C219AB2601BEC1BCE4F2AEEC5E2ED87628F5
> [..]
>> ssb   rsa2048 2009-09-27 [E]
>> ssb#  rsa2048 2017-03-18 [E]
>
> That last key _seems_ to be used. On the keyserver I only found the
> first subkey and thus I can't be sure. Use
>
>   gpg --with-subkey-fingerprint -K
>
> to also show the fingerprints of subkeys. However, that subkey has been
> taken offline and that can be the reason why you see the "No secret key"
>
>> sec>  rsa2048 2017-03-18 [SC]
>>       FA8FD0825931914AD032F6A40E92D34261B68C62
>>       Card serial no. = 0005 000047CF
>> uid           [ unknown] Roland Siemons
>> ssb>  rsa2048 2017-03-18 [A]
>> ssb>  rsa2048 2017-03-18 [E]
>
>
> May it be that the last key is the same subkey as the one above?
>
>
> Shalom-Salam,
>
>    Werner
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

-- 
https://metacode.biz/@wiktor

From Siemons at CleanFuels.nl Wed Oct 10 20:28:42 2018
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Wed, 10 Oct 2018 20:28:42 +0200
Subject: Decryption troubles
In-Reply-To: <87d0shss0c.fsf@wheatstone.g10code.de>
References: <87d0shss0c.fsf@wheatstone.g10code.de>
Message-ID:

An HTML attachment was scrubbed...

From Siemons at CleanFuels.nl Fri Oct 12 10:37:38 2018
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Fri, 12 Oct 2018 10:37:38 +0200
Subject: gpg troubles
In-Reply-To: <87tvlsrgzk.fsf@wheatstone.g10code.de>
References: <87d0shss0c.fsf@wheatstone.g10code.de> <7b3fa55b-4a8e-9898-52ca-a675f021f14a@cleanfuels.nl> <87tvlsrgzk.fsf@wheatstone.g10code.de>
Message-ID: <222556d1-c570-b9e6-a6f3-a5967cf13edb@CleanFuels.nl>

Dear GnuPG experts,

1/ Thanks and compliments to those who make GnuPG possible!

2/ I am a very ordinary end-user who unfortunately cannot fall back to computer experts easily in his vicinity. One of those for whom forum assistance and manuals are very important.

3/ Assisted remotely by some of you, I was able to sort out a very strange problem with decryption. The solution was found by manipulating my key from inside the gpg shell using the command line. I am not very experienced with the command line. A major difficulty for those for whom this is not daily bread and butter is that mistakes are easily made. Hence the great value of GUIs.

4/ I observed some unclarities in the GnuPG manual (www.gnupg.org/gph/en/manual.html), here below under A.
And perhaps also some bugs in gpg, here below under B (please consider).

Here is my experience:

A/ I tried to revoke some subkeys, following the said manual (heading "Revoking key components"). gpg pretended to do the job. Everything looked fine. But it didn't! After several hours of analysis (up to checking if GnuPG was installed consistently on my system), I found the issue: After the revkey procedure it is necessary to command "quit". Instead of quitting, gpg then asks "do you want to save yr changes" (or something like that). And only then the subkeys were revoked. The said manual does mention the command "quit" only once, and not even in a general place explaining the operations of gpg, and in fact without any explanation as to the impact of that command. Of course I am happy to have found out, but let's hope that I remember when after perhaps 2 years time I have to use gpg shell again....

B/ It is not at all clear to me how to start the gpg shell. For example:
1/ if (under the CMD terminal) I command "gpg -K", the lists of private keys is returned, but I am also returned to CMD, that is, kicked out of the gpg shell.
2/ if (CMD) I command "gpg --edit-key X" (where X is key identifier), I do indeed enter the gpg shell, the screen showing "gpg>".
That all may be all right, HOWEVER:
3/ if (CMD) I command "gpg", the return is:
"gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: Go ahead and type your message .
Then if I type a gpg command, everything stalls. No results whatsoever. Even the command "quit" gives no results. So I force quit by Ctrl-C.
So, in general, how to start the gpg shell?
(FYI: the Windows Powershell ISE shows more weird behaviour than the CMD terminal)

This is my system:
Win7
gpg --version
gpg (GnuPG) 2.2.10
libgcrypt 1.8.2

I hope that the above could be of some use to the developers.
Best regards
Roland

From alexander.hermes at grasshopperasia.com Fri Oct 12 04:17:18 2018
From: alexander.hermes at grasshopperasia.com (Alexander Hermes)
Date: Fri, 12 Oct 2018 10:17:18 +0800
Subject: Gpg-agent requires kill&relaunch after restart to enable SSH support
Message-ID:

Hi,

I am trying to use gpg-agent as a drop-in replacement for ssh-agent and I have an issue where I consistently have to kill & manually relaunch the agent upon every reboot because the agent initially refuses SSH support

I have included more information on my environment & GPG versions below, but in brief it's Fedora 28 and GPG 2.2.8.

Here is my issue:

* I have enabled `enable-ssh-support` in .gnupg/gpg-agent.conf and added lines to my .bashrc to set GPG_TTY and start gpg agent upon login
* When I initially boot my system and log in to Gnome (Gnome3 with wayland) a gpg-agent process is started (I can see it in the process list - see initial ps output below)
* If I try to use the SSH function of the agent by SSHing into a machine then SSH reports "agent refused operation"
* If I kill and relaunch the agent through `gpgconf --kill gpg-agent && gpgconf --launch gpg-agent` then it starts working

Please can you help me troubleshoot / debug this issue:

0) Can you think of how this can happen?
1) How can I figure out what the configuration of the _running_ agent is to check if it's picked up the options?
2) How can I get the agent to log to a file (I tried setting debug / log file options in gpg-agent.conf but that seems to have no effect)

Please CC me in any responses.

Thanks a lot,
Alexander

*## Initial ps output*

alexander.hermes at dev28-wslpt ~ $ ps auxf | grep gpg-agent
alexand+ 2455 0.0 0.0 370644 644 ? Ss 08:48 0:00 gpg-agent --homedir /home/alexander.hermes/.gnupg --use-standard-socket --daemon

*## .gnupg/gpg-agent.conf*

###+++--- GPGConf ---+++###
enable-ssh-support
###+++--- GPGConf ---+++### Mon 01 Oct 2018 10:11:45 AM +08
# GPGConf edited this configuration file.
# It will disable options before this marked block, but it will
# never change anything below these lines.
debug-level expert
debug-all
verbose
log-file /var/log/gpg-agent

*## .bashrc gpg lines*

# Setup for GPG-agent
export GPG_TTY="$(tty)"
# Cf. https://wiki.archlinux.org/index.php/GnuPG#SSH_agent
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

(... other stuff ...)

# Start gpg agent
gpgconf --launch gpg-agent

*## GPG2 info*

alexander.hermes at dev28-wslpt .gnupg $ gpg2 --version
gpg (GnuPG) 2.2.8
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later < https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/alexander.hermes/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP

*## GPG-Agent info*

alexander.hermes at dev28-wslpt .gnupg $ gpg-agent --version
gpg-agent (GnuPG) 2.2.8
libgcrypt 1.8.3
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later < https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

*## Kernel info + OS*

Linux dev28-wslpt.grass.corp 4.17.14-202.fc28.x86_64 #1 SMP Wed Aug 15 12:29:25 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Fedora release 28 (Twenty Eight)
From wiktor at metacode.biz Mon Oct 15 15:21:26 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Mon, 15 Oct 2018 15:21:26 +0200
Subject: Question about specifics of --locate-key option
Message-ID:

Hello,

I have a question about specifics of --locate-key option, that is how does it decide which lookup mechanism will additionally be called if a local key is not present.

A little bit of context - I was checking how Evolution works with GnuPG and whether it would locate key through WKD if it's missing locally. I found out that even though it passes the e-mail address to -r option (encrypt/recipient) WKD doesn't work. A more careful look revealed that they pass e-mail address wrapped in "<" and ">".

Sample call:

gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch --yes --status-fd=61 --encrypt --armor --always-trust -u user at example.com -r --output -

This, as it turns out, does not trigger WKD. Removing "<" and ">" sure enough does the trick and the key is found.

My question is: is there a documented behavior of how --locate-key algorithm will process its input? Or is it implementation-defined? (currently I see it must be an exact e-mail address with no leading, trailing characters). The man page description seems to leave it as unspecified.

Thank you for your time!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

From wiktor at metacode.biz Mon Oct 15 15:28:05 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Mon, 15 Oct 2018 15:28:05 +0200
Subject: Question about specifics of --locate-key option
In-Reply-To:
References:
Message-ID: <2e19c54f-ae79-90cb-1fda-84df6e560a49@metacode.biz>

Oh, I forgot to mention that this is the commit adding "<" and ">" to Evolution:

https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5d8b92c622f6927b253762ff9310479dd3ac627d

And the commit message:

> Enclose email addresses in brackets to ensure an exact
> match, as per the gpg man page:
>
> HOW TO SPECIFY A USER ID
>
> ...
>
> By exact match on an email address.
> This is indicated by enclosing the email address in the
> usual way with left and right angles.

This references the following guide:

https://www.gnupg.org/documentation/manuals/gnupg/Specify-a-User-ID.html

It seems as if the guide suggested wrapping e-mail addresses with "<" and ">".

Kind regards,
Wiktor

On 15.10.2018 15:21, Wiktor Kwapisiewicz wrote:
> Hello,
>
> I have a question about specifics of --locate-key option, that is how
> does it decide which lookup mechanism will additionally be called if a
> local key is not present.
>
> A little bit of context - I was checking how Evolution works with GnuPG
> and whether it would locate key through WKD if it's missing locally. I
> found out that even though it passes the e-mail address to -r option
> (encrypt/recipient) WKD doesn't work. A more careful look revealed that
> they pass e-mail address wrapped in "<" and ">".
>
> Sample call:
>
> gpg2 --verbose --no-secmem-warning --no-greeting --no-tty --batch
> --yes --status-fd=61 --encrypt --armor --always-trust -u
> user at example.com -r --output -
>
> This, as it turns out, does not trigger WKD. Removing "<" and ">" sure
> enough does the trick and the key is found.
>
> My question is: is there a documented behavior of how --locate-key
> algorithm will process its input? Or is it implementation-defined?
> (currently I see it must be an exact e-mail address with no leading,
> trailing characters). The man page description seems to leave it as
> unspecified.
>
> Thank you for your time!
>
> Kind regards,
> Wiktor
>

-- 
https://metacode.biz/@wiktor

From wk at gnupg.org Mon Oct 15 19:38:44 2018
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Oct 2018 19:38:44 +0200
Subject: Question about specifics of --locate-key option
In-Reply-To: (Wiktor Kwapisiewicz via Gnupg-users's message of "Mon, 15 Oct 2018 15:21:26 +0200")
References:
Message-ID: <87r2grkt3v.fsf@wheatstone.g10code.de>

On Mon, 15 Oct 2018 15:21, gnupg-users at gnupg.org said:

> This, as it turns out, does not trigger WKD. Removing "<" and ">" sure
> enough does the trick and the key is found.

The gnupg internal function to extract the addrspec is mailbox_from_userid and its test program t-mbox-utils.c has these vectors:

  /* input */ /* Output, NULL = invalid */
  { "Werner Koch ", "wk at gnupg.org" },
  { "", "wk at gnupg.org" },
  { "wk at gnupg.org", "wk at gnupg.org" },
  { "wk at gnupg.org ", NULL },
  ...

This indicates that it should work. By adding a "--debug lookup" to the gpg invocation you might be able to see more.


Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From wiktor at metacode.biz Mon Oct 15 20:33:34 2018
From: wiktor at metacode.biz (Wiktor Kwapisiewicz)
Date: Mon, 15 Oct 2018 20:33:34 +0200
Subject: Question about specifics of --locate-key option
In-Reply-To: <87r2grkt3v.fsf@wheatstone.g10code.de>
References: <87r2grkt3v.fsf@wheatstone.g10code.de>
Message-ID:

Thank you Werner, "--debug lookup" output is a lot more verbose.
The output is a lot different in both cases, in this case it detects MAIL:

$ gpg --debug lookup --locate-key ""
gpg: enabled debug flags: lookup
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: MAIL: ''
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: secmem usage: 0/32768 bytes in 0 blocks

Direct e-mail prints SUBSTR:

$ gpg --debug lookup --locate-key "test-wkd at metacode.biz"
gpg: enabled debug flags: lookup
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: 'test-wkd at metacode.biz'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: FPR: '74EC 8D3D A82A 79DA A25D F10C 6BA5 5ED8 3ABA E1BB'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: FPR20: '74EC 8D3D A82A 79DA A25D F10C 6BA5 5ED8 3ABA E1BB'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: finish_lookup: checking key 3ABAE1BB (one)(req_usage=0)
gpg: DBG: using key 3ABAE1BB
gpg: key 6BA55ED83ABAE1BB: public key "Test WKD Key " imported
...

Using a broken input (in this case a space after e-mail) also triggers SUBSTR:

$ gpg --debug lookup --locate-key "test-wkd at metacode.biz "
gpg: enabled debug flags: lookup
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: SUBSTR: ''
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: secmem usage: 0/32768 bytes in 0 blocks

(if the key was previously in keyring it would display it, it won't use WKD in that case - correctly).
I've tested this on both GnuPG 2.2.8 and 2.2.10, on a clean keyring (inside a docker Alpine container).

Is it possible that only SUBSTR lookups that look like an e-mail trigger WKD unlike MAIL matches?

Thank you for your time!

Kind regards,
Wiktor

On 15.10.2018 19:38, Werner Koch wrote:
> On Mon, 15 Oct 2018 15:21, gnupg-users at gnupg.org said:
>> This, as it turns out, does not trigger WKD. Removing "<" and ">" sure
>> enough does the trick and the key is found.
>
> The gnupg internal function to extract the addrspec is
> mailbox_from_userid and its test program t-mbox-utils.c has these
> vectors:
>   /* input */ /* Output, NULL = invalid */
>   { "Werner Koch ", "wk at gnupg.org" },
>   { "", "wk at gnupg.org" },
>   { "wk at gnupg.org", "wk at gnupg.org" },
>   { "wk at gnupg.org ", NULL },
>   ...
>
> This indicates that it should work. By adding a "--debug lookup" to the
> gpg invocation you might be able to see more.
>
>
> Salam-Shalom,
>
>    Werner
>

-- 
https://metacode.biz/@wiktor

From seoul3 at hotmail.com Tue Oct 16 05:41:42 2018
From: seoul3 at hotmail.com (fel)
Date: Mon, 15 Oct 2018 20:41:42 -0700 (MST)
Subject: Decrypting file - Private key issue
Message-ID: <1539661302676-0.post@n7.nabble.com>

I'm trying to decrypt a file that I encrypted for myself. However gpg doesn't seem to recognize the correct private key.

Here is the output of gpg --list-secret-keys

sec 2048R/69258CF8 2015-09-17
uid user
ssb 2048R/EA31820A 2015-09-17

Here is the output of gpg -vd -o OUTPUTFILE ENCRYPTED_FILE

gpg: public key is 4A83B612
gpg: using subkey 4A83B612 instead of primary key 0BBBBDB3
gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19
"user "
gpg: decryption failed: secret key not available

Any help would be greatly appreciated. Thank you!
-- 
Sent from: http://gnupg.10057.n7.nabble.com/GnuPG-User-f3.html

From seoul3 at hotmail.com Tue Oct 16 05:31:50 2018
From: seoul3 at hotmail.com (fel)
Date: Mon, 15 Oct 2018 20:31:50 -0700 (MST)
Subject: Decryption problem - private key
Message-ID: <1539660710729-0.post@n7.nabble.com>

I'm trying to decrypt a file that I encrypted for myself. I managed to have an output of gpg --list-secret-keys but I still can't decrypt the file.

Here is the output of gpg --output doc --decrypt doc.gpg:

gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19
"user "
gpg: decryption failed: secret key not available

-- 
Sent from: http://gnupg.10057.n7.nabble.com/GnuPG-User-f3.html

From wk at gnupg.org Wed Oct 17 07:17:09 2018
From: wk at gnupg.org (Werner Koch)
Date: Wed, 17 Oct 2018 07:17:09 +0200
Subject: [Announce] GPA 0.10.0 released
Message-ID: <87r2gpjgoa.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce GPA version 0.10.0.

GPA is a graphical frontend for the GNU Privacy Guard (GnuPG). GPA can be used for most operations supported by GnuPG using either the OpenPGP or the S/MIME protocol. A smartcard manager and a generic user interface server are included as well. Find its homepage at https://gnupg.org/software/gpa .

GPA is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Noteworthy changes in version 0.10.0 (2018-10-16)
================================================

 * Added key manager context menu items to copy the key fingerprint and the secret key to the clipboard.

 * Added "Details" buttons to many error popups to show raw diagnostic output from gpg.

 * Changed the "Retrieve Key" dialog to first try the Web Key Directory if a mail address is given. Only if this lookup fails the keyservers are searched.

 * Added a user-ID notebook page to show per user-ID info.

 * Made location of locale dir under Windows more flexible.
 * Fixed crash on filename conversion error. [#2185]

 * Fixed listing of key algos in the subkey windows. [#3405]

 * Removed lazy loading of the secret keyring. [#3748]

 Release-info: https://dev.gnupg.org/T4186

Download
========

You can find the source code here:

  https://gnupg.org/ftp/gcrypt/gpa/gpa-0.10.0.tar.bz2 (745k)
  https://gnupg.org/ftp/gcrypt/gpa/gpa-0.10.0.tar.bz2.sig

and soon on all ftp.gnupg.org mirrors. A binary version for Windows will be part of the next Gpg4win release.

The SHA1 checksum for this release is:

  61475989acd12de8b7daacd906200e8b4f519c5a gpa-0.10.0.tar.bz2

Support
=======

Please consult the archive of the gnupg-users mailing list and the release info given above before reporting a bug. We suggest to send bug reports for a fresh release to that list in favor of filing a bug at . If you are a developer and you may need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs one full-time developer and two contractors. They work exclusively on GnuPG and closely related software like Libgcrypt and GPGME.

We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and address all the small and larger requests made by our users. Thanks.

Happy hacking,

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users 'at' gnupg.org mailing list.
p.p.s List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa3072 2017-03-17 [expires: 2027-03-15] Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. -- Thoughts are free. Exceptions are regulated by a federal law. From bernhard at intevation.de Wed Oct 17 09:34:05 2018 From: bernhard at intevation.de (Bernhard Reiter) Date: Wed, 17 Oct 2018 09:34:05 +0200 Subject: [Announce] GPA 0.10.0 released In-Reply-To: <87r2gpjgoa.fsf@wheatstone.g10code.de> References: <87r2gpjgoa.fsf@wheatstone.g10code.de> Message-ID: <201810170934.06092.bernhard@intevation.de> Hello, On Wednesday, 17 October 2018 07:17:09, Werner Koch wrote: > We are pleased to announce GPA version 0.10.0. congratulations on the new GPA release!
(The last one was 0.9.10 from November 2016.) Given that GPA is stable and satisfies needs for some users for quite a while, I think you should give it a version number like 1.0. (I'll follow Paul Graham on the notion that version numbers are mainly used for communication to third parties.) > Find its homepage at https://gnupg.org/software/gpa . This still has the old 0.9.10 changelog. > Release-info: https://dev.gnupg.org/T4186 There is not much there, by intention? Best Regards, Bernhard -- www.intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From mail at sandroknauss.de Wed Oct 17 14:26:24 2018 From: mail at sandroknauss.de (Sandro Knauß) Date: Wed, 17 Oct 2018 14:26:24 +0200 Subject: [openpgp-email] 4th OpenPGP Email Summit - Update In-Reply-To: <1A74370D-DC92-41D2-A4B3-9A06430BBD4C@enigmail.net> References: <1d5b7612-cf0e-d482-eeb8-5f4307aed91d@enigmail.net> <1A74370D-DC92-41D2-A4B3-9A06430BBD4C@enigmail.net> Message-ID: <1663160.yiPKYvHvCf@tuxin> Hey, > - Friday evening: we will meet at the Winery (Trois Tilleuls Street 1, 1170 > Brussels, www.winery.be ). People from Mailfence will be there from > 19:30, I will arrive a little later. I'll arrive at 4pm in Bruxelles and after getting rid of my luggage, I'll plan to come to Winery at 19:30 - Maybe I'll stay a little bit longer at a friend's place and come later. I haven't checked the local transport system... > - we will start on Saturday at 09:30. If you have any issues such as finding > the location or with local logistics, here is my phone number: +41 78 631 > 6622 Excited to meet you all!
sandro -- I've switched my GnuPG key: http://sandroknauss.de/files/transition2015.asc My (new) public key: E68031D299A6527C Fingerprint: D256 4951 1272 8840 BB5E 99F2 E680 31D2 99A6 527C Get it e.g. here: pool.sks-keyservers.net, ... From kristian.fiskerstrand at sumptuouscapital.com Fri Oct 19 19:48:17 2018 From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand) Date: Fri, 19 Oct 2018 19:48:17 +0200 Subject: [openpgp-email] 4th OpenPGP Email Summit - Update In-Reply-To: <1663160.yiPKYvHvCf@tuxin> References: <1d5b7612-cf0e-d482-eeb8-5f4307aed91d@enigmail.net> <1A74370D-DC92-41D2-A4B3-9A06430BBD4C@enigmail.net> <1663160.yiPKYvHvCf@tuxin> Message-ID: <2744CDCA-617F-4175-8F60-3697D5669420@sumptuouscapital.com> > On 17 Oct 2018, at 14:26, Sandro Knauß wrote: > > Hey, > >> - Friday evening: we will meet at the Winery (Trois Tilleuls Street 1, 1170 >> Brussels, www.winery.be ). People from Mailfence will be there from >> 19:30, I will arrive a little later. I've arrived in Brussels and checked into hotel so will leave soon to come and join as well.. will probably be there in 20-30 minutes. KF From angel at pgp.16bits.net Sat Oct 20 00:26:41 2018 From: angel at pgp.16bits.net (Ángel) Date: Sat, 20 Oct 2018 00:26:41 +0200 Subject: Decrypting file - Private key issue In-Reply-To: <1539661302676-0.post@n7.nabble.com> References: <1539661302676-0.post@n7.nabble.com> Message-ID: <1539988001.960.32.camel@16bits.net> On 2018-10-15 at 20:41 -0700, fel wrote: > I'm trying to decrypt a file that I encrypted for myself. However gpg doesn't > seem to recognize the correct private key.
> > Here is the output of gpg --list-secret-keys > > sec 2048R/69258CF8 2015-09-17 > uid user > ssb 2048R/EA31820A 2015-09-17 > > > Here is the output of gpg -vd -o OUTPUTFILE ENCRYPTED_FILE > > gpg: public key is 4A83B612 > gpg: using subkey 4A83B612 instead of primary key 0BBBBDB3 > gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19 > "user " > gpg: decryption failed: secret key not available > > Any help would be greatly appreciated. Thank you! The file was encrypted to the key 4A83B612, but you don't have the corresponding secret key. You only have the secret key for 69258CF8/EA31820A. Is it possible that there are two different key pairs for that user? (it was encrypted to one of them, but you only hold the private key for the other) Best regards From sattiwari18 at gmail.com Mon Oct 22 07:39:56 2018 From: sattiwari18 at gmail.com (Satendra Tiwari) Date: Mon, 22 Oct 2018 12:39:56 +0700 Subject: Encrypting 27 TB RMAN Backup with GPG Message-ID: Dear users, We want to ship our on-premise Oracle backup to AWS to be uploaded to AWS S3. Since AWS Snowball is not available in our country and our internet link is a shared connection, we are limited to send this data in physical drive to AWS DC. Also, we don't have Oracle's ASO license to encrypt the backup. In this case, we want to use GPG to encrypt Oracle backup. We have two databases of 17 TB and 7 TB they compress to 2.6 TB and 1.3 TB respectively. What would be the best way to encrypt our backup and how long would it take? From stefan at rumpelsepp.org Mon Oct 22 12:08:55 2018 From: stefan at rumpelsepp.org (Stefan Tatschner) Date: Mon, 22 Oct 2018 12:08:55 +0200 Subject: --refresh-keys for WKD Message-ID: <871s8i8f9k.fsf@rumpelsepp.org> Hi! I recently experimented with key distribution via WKD. Is there an equivalent to `--refresh-keys` for key servers? How do I fetch key updates (signatures, revocations, ...)
via WKD? Stefan From wiktor at metacode.biz Mon Oct 22 14:22:08 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Mon, 22 Oct 2018 14:22:08 +0200 Subject: --refresh-keys for WKD In-Reply-To: <871s8i8f9k.fsf@rumpelsepp.org> References: <871s8i8f9k.fsf@rumpelsepp.org> Message-ID: Hello, > I recently experimented with key distribution via WKD. Is there an > equivalent to `--refresh-keys` for key servers? How do I fetch key > updates (signatures, revocations, ...) via WKD? If the key was fetched via WKD and it is expired it will be refreshed using WKD too (see: https://dev.gnupg.org/T2917 ). You can "force" it via: gpg --auto-key-locate clear,nodefault,wkd --locate-key user@example.com The entire thread here talks about this issue and I think you may find it interesting: https://lists.gnupg.org/pipermail/gnupg-devel/2018-June/033812.html Kind regards, Wiktor -- https://metacode.biz/@wiktor From wk at gnupg.org Mon Oct 22 17:40:40 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 22 Oct 2018 17:40:40 +0200 Subject: --refresh-keys for WKD In-Reply-To: (Wiktor Kwapisiewicz via Gnupg-users's message of "Mon, 22 Oct 2018 14:22:08 +0200") References: <871s8i8f9k.fsf@rumpelsepp.org> Message-ID: <87bm7mugzr.fsf@wheatstone.g10code.de> On Mon, 22 Oct 2018 14:22, gnupg-users at gnupg.org said: > gpg --auto-key-locate clear,nodefault,wkd --locate-key user@example.com Here is why these auto-key-locate (AKL) parameters are required: clear := Remove all existing AKL setting from a config file. nodefault := Do not use the default AKL. The default contains "local" which has obviously a higher precedence than wkd. wkd := Use the web key directory. BTW, the recent GPA release uses the above command line when you give a mail address in the Server->Retrieve_key dialog. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law.
From wiktor at metacode.biz Mon Oct 22 17:52:45 2018 From: wiktor at metacode.biz (Wiktor Kwapisiewicz) Date: Mon, 22 Oct 2018 17:52:45 +0200 Subject: --refresh-keys for WKD In-Reply-To: <87bm7mugzr.fsf@wheatstone.g10code.de> References: <871s8i8f9k.fsf@rumpelsepp.org> <87bm7mugzr.fsf@wheatstone.g10code.de> Message-ID: <49a0737e-ec19-2575-8481-65e1ff84186e@metacode.biz> On 22.10.2018 17:40, Werner Koch wrote: > BTW, the recent GPA release uses the above command line when you give a > mail address in the Server->Retrieve_key dialog. Is there a small bug in recent GPA (0.10.0)? I looked up: "test-wkd at metacode.biz" and got "No keys were found" but when I clicked "details" I got the correct "key imported" GnuPG log details. Sure enough the key is imported. (the key is available only through WKD). Kind regards, Wiktor -- https://metacode.biz/@wiktor From wk at gnupg.org Mon Oct 22 19:36:14 2018 From: wk at gnupg.org (Werner Koch) Date: Mon, 22 Oct 2018 19:36:14 +0200 Subject: --refresh-keys for WKD In-Reply-To: <49a0737e-ec19-2575-8481-65e1ff84186e@metacode.biz> (Wiktor Kwapisiewicz's message of "Mon, 22 Oct 2018 17:52:45 +0200") References: <871s8i8f9k.fsf@rumpelsepp.org> <87bm7mugzr.fsf@wheatstone.g10code.de> <49a0737e-ec19-2575-8481-65e1ff84186e@metacode.biz> Message-ID: <87sh0xubn5.fsf@wheatstone.g10code.de> On Mon, 22 Oct 2018 17:52, wiktor at metacode.biz said: > Is there a small bug in recent GPA (0.10.0)? I looked up: > "test-wkd at metacode.biz" and got "No keys were found" but when I clicked > "details" I got the correct "key imported" GnuPG log details. Sure I noticed this as well but thought it is a minor thing. That part of the code needs a bit of rework anyway because it does not show the progress bar and blocks everything. Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law.
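The thread above asks for a `--refresh-keys` equivalent over WKD. One way to script it, as an added example that is not part of any of the posts: run the command quoted in the thread once for every mail address in the local keyring. The function names and the sample listing are constructed for illustration; each lookup contacts the web server of the address's own domain.

```shell
#!/bin/sh
# Added example: refresh keys over WKD by running the thread's
#   gpg --auto-key-locate clear,nodefault,wkd --locate-key ADDRESS
# for each mail address found in the local public keyring.
# Function names are illustrative, not part of GnuPG.

# Read `gpg --with-colons --list-keys` output on stdin and print each
# mail address once. In "uid" records field 2 is the validity and
# field 10 the user ID; revoked user IDs (validity "r") are skipped,
# expired ones are kept because they are the ones that need a refresh.
wkd_addresses() {
    awk -F: '
        $1 == "uid" && $2 != "r" && match($10, /<[^<>@ ]+@[^<>@ ]+>/) {
            addr = tolower(substr($10, RSTART + 1, RLENGTH - 2))
            if (!(addr in seen)) { seen[addr] = 1; print addr }
        }'
}

# Look up every address via WKD only. "clear,nodefault" removes the
# configured and built-in lookup methods, so "local" cannot win and
# the request really goes to the web key directory.
# Each lookup tells the domain's web server that you hold a key for
# one of its users, so run this only where that is acceptable.
wkd_refresh() {
    gpg --batch --with-colons --list-keys 2>/dev/null | wkd_addresses |
    while read -r addr; do
        if gpg --batch --auto-key-locate clear,nodefault,wkd \
               --locate-key "$addr" </dev/null >/dev/null 2>&1; then
            printf 'refreshed  %s\n' "$addr"
        else
            printf 'no answer  %s\n' "$addr"
        fi
    done
}

# Constructed sample listing (not real keys) used to exercise the parser.
sample_listing() {
    cat <<'EOF'
pub:u:3072:1:AAAAAAAAAAAAAAAA:1514764800:::u:::scESC:
uid:u::::1514764800::0000::Alice Example <alice@example.org>:
uid:r::::1514764800::0000::Alice Old <alice@old.example>:
pub:e:2048:1:BBBBBBBBBBBBBBBB:1420070400:1483228800::-:::sc:
uid:e::::1420070400::0000::Bob <Bob@Example.net>:
uid:e::::1420070400::0000::Bob (work) <bob@example.net>:
uid:e::::1420070400::0000::no address in this user ID:
EOF
}

# Only touch the keyring and the network when asked to.
if [ "${1:-}" = "--run" ]; then
    wkd_refresh
fi
```

Addresses whose domain publishes no web key directory are reported as "no answer" and the local copy of the key is left as it is.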
From Vijay.Akunuri at kiewit.com Mon Oct 22 20:03:46 2018 From: Vijay.Akunuri at kiewit.com (Vijay.Akunuri) Date: Mon, 22 Oct 2018 18:03:46 +0000 Subject: GnuPG 2.2.8 -- Trouble Decrypting using PowerShell script Message-ID: Hi Team, We are lately running into some issues with the decrypting file using PGP. In command prompt we are using "& gpg -d --batch --passphrase comment C:\projects\successfactors\SuccessionTalentPool\incoming_files\Succession_Talent_Pool_Tableau_Report.csv.pgp " We are passing the passphrase but when we run the script a window pops up to enter the passphrase manually like this below. On local if enter the passphrase in above prompted window then it is able to decrypt the file. But on servers we can do that manually and that is the reason we are passing it to command prompt. Kindly help us in resolving this issue. Let me know if you need more information. Venkata Vijaya Mohan Akunuri TG Sr. Database Developer- BI Data Integration Kiewit Technology Group 12720 I St, Omaha, NE 68137 402-938-4358 763-227-3224 cell
From aheinecke at intevation.de Wed Oct 24 11:02:14 2018 From: aheinecke at intevation.de (Andre Heinecke) Date: Wed, 24 Oct 2018 11:02:14 +0200 Subject: GnuPG 2.2.8 -- Trouble Decrypting using PowerShell script In-Reply-To: References: Message-ID: <4126579.nqPBGIqcMj@esus> Hi, just as a bit of advertising. There is professional support available under gpg4win-professional at gpg4win.org I'm answering your problem inline below: On Monday, October 22, 2018 6:03:46 PM CEST Vijay.Akunuri wrote: > In command prompt we are using "& gpg -d --batch --passphrase comment C:\projects\successfactors\SuccessionTalentPool\incoming_files\Succession_Talent_Pool_Tableau_Report.csv.pgp " > > We are passing the passphrase but when we run the script a window pops up to enter the passphrase manually like this below. Your command is missing "--pinentry-mode loopback" See: https://wiki.gnupg.org/TroubleShooting#Passphrase_on_the_command_line E.g.: "gpg --pinentry-mode loopback -d --batch --passphrase comment C:\projects\successfactors\SuccessionTalentPool\incoming_files\Succession_Talent_Pool_Tableau_Report.csv.pgp " > On local if enter the passphrase in above prompted window then it is able to > decrypt the file. But on servers we can do that manually and that is the > reason we are passing it to command prompt. As a scheduled job on a server you might also want to set an explicit homedir in your command. See: https://wiki.gnupg.org/TroubleShooting#Windows_.3E_8_and_Server_2012_Task_Scheduler_Problems > Kindly help us in resolving this issue. Let me know if you need more > information. I'm working professionally for Gpg4win. So please consider a voluntary payment to Gpg4win or donation to GnuPG if this helped to solve your problem.
:-) Best Regards, Andre Heinecke -- Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/ Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998 Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner From alvaro.gmj at gmail.com Thu Oct 25 22:29:35 2018 From: alvaro.gmj at gmail.com (Alvaro Martínez) Date: Thu, 25 Oct 2018 17:29:35 -0300 Subject: File name seen by gpg Message-ID: Hello, I just joined the list, hoping to find some guidance regarding my use of gpg as part of a backup scheme. Background: I uploaded files to Amazon S3, after encrypting them locally. I kept a log containing the hash of the encrypted file, the hash of the plain file, and the file name. The idea is that I would regularly hash the files on my computer and check the hashes against the copies in S3. I used symmetric encryption because I read that public key encryption done by GPG includes some random content and therefore does not always produce the same output. Issue: I didn't know when I encrypted the files that the file name is part of the encrypted data, and therefore a change in the file name changes the resulting hash. I have files with accented characters on their names, those names were encoded in UTF-8 by a Linux system. I am now using a Mac, which encodes the same characters in a different way ("fully decomposed" vs the original "precomposed" UTF-8), so the hashes of the encrypted files do not match. Question: I want to use a scheme which allows me to somehow future-proof my backups. I can still do the checks and backups in a Linux box, but this issue made me realize subtle system changes can break my backup strategy easily.
I read elsewhere that GPG can be told to not store any name, but if I do that I'll have to re-upload my files, and although I'm willing to do that for an improvement in the backup scheme, it would be quite painful on my 512Kbps line. Is there any way to tell GPG which name it should use for the input file in the encrypted data? something like the "iconv" option for rsync would be ideal, but my searches on the web don't return any results. Thanks for reading :) Regards From wk at gnupg.org Fri Oct 26 20:16:21 2018 From: wk at gnupg.org (Werner Koch) Date: Fri, 26 Oct 2018 20:16:21 +0200 Subject: [Announce] Libgcrypt 1.8.4 released Message-ID: <87r2gclgju.fsf@wheatstone.g10code.de> Hi! The GnuPG Project is pleased to announce the availability of Libgcrypt versions 1.8.4. This is a maintenance release to fix a few minor bugs. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.8.4 =================================== * Bug fixes: - Fix infinite loop due to applications using fork the wrong way. [#3491] - Fix possible leak of a few bits of secret primes to pageable memory. [#3848] - Fix possible hang in the RNG (1.8.3 only). [#4034] - Several minor fixes. [#4102,#4208,#4209,#4210,#4211,#4212] * Performance: - On Linux always make use of getrandom if possible and then use its /dev/urandom behaviour. [#3894] Download ======== Source code is hosted at the GnuPG FTP server and its mirrors as listed at .
On the primary server the source tarball and its digital signature are: https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2 https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.bz2.sig or gzip compressed: https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.8.4.tar.gz.sig In order to check that the version of Libgcrypt you downloaded is an original and unmodified file please follow the instructions found at . In short, you may use one of the following methods: - Check the supplied OpenPGP signature. For example to check the signature of the file libgcrypt-1.8.4.tar.bz2 you would use this command: gpg --verify libgcrypt-1.8.4.tar.bz2.sig libgcrypt-1.8.4.tar.bz2 This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys. - If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum". Assuming you downloaded the file libgcrypt-1.8.4.tar.bz2, you run the command like this: sha1sum libgcrypt-1.8.4.tar.bz2 and check that the output matches the first line from this list: 4a8ef9db6922f3a31992aca5640b4198a69b58fc libgcrypt-1.8.4.tar.bz2 211855f39f3bc3c4a4f444d4c09d743dfc5cb427 libgcrypt-1.8.4.tar.gz You should also verify that the checksums above are authentic by matching them with copies of this announcement. Those copies can be found at other mailing lists, web sites, and search engines. Copying ======= Libgcrypt is distributed under the terms of the GNU Lesser General Public License (LGPLv2.1+).
The helper programs as well as the documentation are distributed under the terms of the GNU General Public License (GPLv2+). The file LICENSES has notices about contributions that require that these additional notices are distributed. Support ======= In case of build problems specific to this release please first check https://dev.gnupg.org/T4234 for updated information. For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. A listing with commercial support offers for Libgcrypt and related software is available at the GnuPG web site [2]. If you are a developer and you may need a certain feature for your project, please do not hesitate to bring it to the gcrypt-devel mailing list for discussion. Thanks ====== Maintenance and development of GnuPG is mostly financed by donations. The GnuPG project currently employs one full-time developer and two contractors. They all work exclusively on GnuPG and closely related software like Libgcrypt, GPGME, and GPA. We have to thank all the people who helped the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. Thanks to Tomas Mraz for pointing out several smaller flaws. Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good shape and address all the small and larger requests made by our users. Thanks. Happy hacking, Your GnuPG hackers p.s. This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list. p.p.s List of Release Signing Keys: To guarantee that a downloaded GnuPG version has not been tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. 
Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa3072 2017-03-17 [expires: 2027-03-15] Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28 Andre Heinecke (Release Signing Key) The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key. -- Thoughts are free. Exceptions are regulated by a federal law. From zerbey at gmail.com Sat Oct 27 06:03:36 2018 From: zerbey at gmail.com (Chris Horry) Date: Sat, 27 Oct 2018 00:03:36 -0400 Subject: PGP Authentication with gpg4win+ssh Message-ID: Hello All, I'm trying to get this to work with gpg4win. I have a Yubikey with a PGP key stored and it works just fine. I connect with PuTTY, it connects to the GPG agent and it pops up asking for my Yubikey PIN and away I go. My config looks like this: Linux side: authorized_keys file has the converted PGP key as RSA keys added. Windows side: PGP key is in the Kleopatra keyring. gpg-agent.conf has enable-putty-support, gpg-connect-agent is running.
I also created an Authentication subkey for my other PGP Key, the only difference being it's not on my Yubikey but in my regular keyring with Kleopatra. This same key works just fine on my Linux boxes when I use it for authentication between them but not in Windows. PuTTY shows no keys available in the agent and thus my login is rejected. Is there some setting I'm missing or does gpg4win only support PGP authentication with SSH via a smart card? Chris -- Chris Horry Ham Radio - KG4TSM zerbey at gmail.com https://twitter.com/zerbey From 2017-r3sgs86x8e-lists-groups at riseup.net Sun Oct 28 15:05:49 2018 From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA) Date: Sun, 28 Oct 2018 14:05:49 +0000 Subject: File name seen by gpg In-Reply-To: References: Message-ID: <1186477281.20181028140549@my_localhost_LG> Hi On Thursday 25 October 2018 at 9:29:35 PM, in , Alvaro Martínez wrote:- > Is there any way to tell GPG which name it should use > for the input > file in the encrypted data? Maybe it's https://gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#index-set_002dfilename --set-filename string Use string as the filename which is stored inside messages. This overrides the default, which is to use the actual filename of the file being encrypted. Using the empty string for string effectively removes the filename from the output.
-- Best regards MFPA There is no snooze button for a cat that wants breakfast From gnupgmlusers.fwnsp at xoxy.net Mon Oct 29 04:18:31 2018 From: gnupgmlusers.fwnsp at xoxy.net (Friedhelm Waitzmann) Date: Mon, 29 Oct 2018 04:18:31 +0100 Subject: gpg troubles In-Reply-To: <222556d1-c570-b9e6-a6f3-a5967cf13edb@CleanFuels.nl> References: <87d0shss0c.fsf@wheatstone.g10code.de> <7b3fa55b-4a8e-9898-52ca-a675f021f14a@cleanfuels.nl> <87tvlsrgzk.fsf@wheatstone.g10code.de> <222556d1-c570-b9e6-a6f3-a5967cf13edb@CleanFuels.nl> Message-ID: <20181029031830.GA24386@kugelfisch.zuhause.test> Roland Siemons (P) at Fri., 2018-10-12: >3/ Assisted remotely by some of you, I was able to sort out a very >strange problem with decryption.
The solution was found by manipulating >my key from inside the gpg shell using the command line. I am not very >experienced with the command line. A major difficulty for those for whom >this is not daily bread and butter is that mistakes are easily made. >Hence the great value of GUIs. >4/ I observed some unclarities in the GnuPG manual >(www.gnupg.org/gph/en/manual.html), here below under A. This is the GnuPG privacy handbook rather than the GnuPG manual. I suggest that you read the GnuPG manual () also, as it is the definitive instruction how to use GnuPG. >And perhaps also >some bugs in gpg, here below under B (please consider). Here is my >experience: >A/ I tried to revoke some subkeys, following the said manual (heading >"Revoking key components"). gpg pretended to do the job. Everything >looked fine. But it didn't! After several hours of analysis (up to >checking if GnuPG was installed consistently on my system), I found the >issue: After the revkey procedure it is necessary to command "quit". A better way of committing the changes is typing in "save". Please see the GnuPG manual (). For the "--edit-key" main command (given at the command line) it lists the sub commands (to be typed into the edit key command shell): save Save all changes to the keyrings and quit. quit Quit the program without updating the keyrings. >Instead of quitting, gpg then asks "do you want to save yr changes" (or >something like that). This is to remind you that you are about to discard your changes. >And only then the subkeys were revoked. The said >manual does mention the command "quit" only once, and not even in a >general place explaining the operations of gpg, and in fact without any >explanation as to the impact of that command. The GnuPG manual (not the privacy handbook) mentions both of "save" and "quit" and explains the difference. >Of course I am happy to >have found out, but let's hope that I remember when after perhaps 2 >years time I have to use gpg shell again....
Just remember to read the GnuPG manual also. >B/ It is not at all clear to me how to start the gpg shell. This isn't a general ("the") GnuPG shell for all GnuPG commands, it is a shell for the limited set of "--edit-key" sub commands. That is, the "--edit-key" specified at the GnuPG invocation command line lets GnuPG run an interactive interpreter for the "--edit-key" subcommands that have to be typed in. >For example: >1/ if (under the CMD terminal) I command "gpg -K", the lists of private >keys is returned, Generating this list doesn't need to ask the user to type any sub commands, so there is no "--list-secret-keys" shell. >but I am also returned to CMD, that is, kicked out of >the gpg shell. If GnuPG has written this list into its standard output channel, the job is done, thus GnuPG terminates, nobody is "kicked out". >2/ if (CMD) I command "gpg --edit-key X" (where X is key identifier), I >do indeed enter the gpg shell, the screen showing "gpg>". You enter the shell that recognizes the limited set of the "--edit-key" sub commands. >That all may be all right, HOWEVER: >3/ if (CMD) I command "gpg", the return is: "gpg: WARNING: no command >supplied. Trying to guess what you mean ... gpg: Go ahead and >type your message . Please read the GnuPG manual (): "gpg may be run with no commands. In this case it will perform a reasonable action depending on the type of file it is given as input (an encrypted message is decrypted, a signature is verified, a file containing keys is listed, etc.)." So GnuPG expects that you type in an encrypted message, a detached signature, a clear-signed message, a public key block, etc. >Then if I type a gpg command, everything stalls. Here you cannot type a GnuPG command, because GnuPG wants input, i.e. data. As you haven't specified any input file on the command line, GnuPG wants this data through its standard input channel, that is, typed in from the keyboard. >No results whatsoever.
Unless the end of data is signalled (by typing the end-of-file character, with UNIX usually control d, with MS Windows perhaps control z), GnuPG repeats reading input lines.

>Even the command "quit" gives no results.

This "quit" is counted as an input line of data, too.

>So I force quit by Ctrl-C.
>So, in general, how to start the gpg shell?

You don't in general start the GnuPG shell. You put a command on the invocation command line. This command may or may not be an interactive command.

If it is (as with "--edit-key"), GnuPG starts a sub command shell (as with "--edit-key") to read and execute further sub commands.

If it is not (as with "--list-keys", "--sign", "--encrypt", etc.), GnuPG may (as with "--sign", "--encrypt", "--decrypt", etc.) expect input to process, or may not (as with "--list-keys", etc.) expect any input.

Please remember: GnuPG is not a program that does what you mean. It is a program that does exactly what you command it to do. Thus you must know how to command GnuPG to do what you want it to do for you.

Regards
Friedhelm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL:

From joerg at schmitz-linneweber.de Mon Oct 29 14:25:57 2018
From: joerg at schmitz-linneweber.de (Jörg Schmitz-Linneweber)
Date: Mon, 29 Oct 2018 14:25:57 +0100
Subject: PGP Authentication with gpg4win+ssh
Message-ID: <5BD70A65.7030601@schmitz-linneweber.de>

Hi Chris!

On 2018-10-27 06:03, Chris Horry wrote:
> I'm trying to get this to work with gpg4win. I have a Yubikey with a PGP key stored and it works just fine. I connect with PuTTY, it connects to the GPG agent and it pops up asking for my Yubikey PIN and away I go.
>
> My config looks like this:
>
> Linux side: authorized_keys file has the converted PGP key as RSA keys added.
> Windows side: PGP key is in the Kleopatra keyring.
gpg-agent.conf has enable-putty-support, gpg-connect-agent is running.
>
> I also created an Authentication subkey for my other PGP Key, the only difference being it's not on my Yubikey but in my regular keyring with Kleopatra. This same key works just fine on my Linux boxes when I use it for authentication between them but not in Windows. PuTTY shows no keys available in the agent and thus my login is rejected.
>
> Is there some setting I'm missing or does gpg4win only support PGP authentication with SSH via a smart card?

I don't know exactly about getting the original gpg-agent to run on Windows. But I know for sure that it works with a GnuPG card under Windows if you use the SmartCard-Auth [ http://smartcard-auth.de/ssh-de.html ]

But beware that you need to register (and pay a small amount) with the /actual version/ of this software...

Salut, Joerg
--
gpg/pgp key # 0x7e522d2f552a5cd0
fingerprint b0f7 4c1a d4af e48c c0a8 c656 7e52 2d2f 552a 5cd0

From gniibe at fsij.org Tue Oct 30 05:08:40 2018
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Tue, 30 Oct 2018 13:08:40 +0900
Subject: PGP Authentication with gpg4win+ssh
In-Reply-To:
References:
Message-ID: <87r2g8vzxz.fsf@fsij.org>

Chris Horry wrote:
> I also created an Authentication subkey for my other PGP Key, the only
> difference being it's not on my Yubikey but in my regular keyring with
> Kleopatra. This same key works just fine on my Linux boxes when I use it
> for authentication between them but not in Windows. PuTTY shows no keys
> available in the agent and thus my login is rejected.
>
> Is there some setting I'm missing or does gpg4win only support PGP
> authentication with SSH via a smart card?

Your authentication subkey should be listed in .gnupg/sshcontrol, while it is automatically supported for Gnuk Token and OpenPGP card.
For detail, I found this post:
https://ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth#adding-keys
--

From zerbey at gmail.com Tue Oct 30 15:13:38 2018
From: zerbey at gmail.com (Chris Horry)
Date: Tue, 30 Oct 2018 10:13:38 -0400
Subject: PGP Authentication with gpg4win+ssh
In-Reply-To: <87r2g8vzxz.fsf@fsij.org>
References: <87r2g8vzxz.fsf@fsij.org>
Message-ID:

Yep did all of that, my auth key is in sshcontrol. Pageant simply doesn't see it, and ssh-add -l is blank. If I connect my PGP smartcard it works just fine.

If I do a gpg --list-keys my keys all show up just fine. 'Tis a mystery.

Chris

On Tue, Oct 30, 2018 at 12:08 AM NIIBE Yutaka wrote:

> Chris Horry wrote:
> > I also created an Authentication subkey for my other PGP Key, the only
> > difference being it's not on my Yubikey but in my regular keyring with
> > Kleopatra. This same key works just fine on my Linux boxes when I use it
> > for authentication between them but not in Windows. PuTTY shows no keys
> > available in the agent and thus my login is rejected.
> >
> > Is there some setting I'm missing or does gpg4win only support PGP
> > authentication with SSH via a smart card?
>
> Your authentication subkey should be listed in .gnupg/sshcontrol, while
> it is automatically supported for Gnuk Token and OpenPGP card.
>
> For detail, I found this post:
> https://ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth#adding-keys
> --
>

--
Chris Horry
Ham Radio - KG4TSM
zerbey at gmail.com
https://twitter.com/zerbey
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From wk at gnupg.org Tue Oct 30 15:38:17 2018
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Oct 2018 15:38:17 +0100
Subject: PGP Authentication with gpg4win+ssh
In-Reply-To: (Chris Horry's message of "Tue, 30 Oct 2018 10:13:38 -0400")
References: <87r2g8vzxz.fsf@fsij.org>
Message-ID: <87in1jebza.fsf@wheatstone.g10code.de>

On Tue, 30 Oct 2018 15:13, zerbey at gmail.com said:

> If I do a gpg --list-keys my keys all show up just fine.

Run

  gpg-connect-agent 'keyinfo --ssh-list' /bye

to see the keys gpg-agent is aware of. See also

  gpg-connect-agent 'help keyinfo' /bye

and as Gniibe wrote, you need to put a key into sshcontrol.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From alvaro.gmj at gmail.com Wed Oct 31 01:33:26 2018
From: alvaro.gmj at gmail.com (Alvaro Martínez)
Date: Tue, 30 Oct 2018 21:33:26 -0300
Subject: File name seen by gpg
In-Reply-To: <1186477281.20181028140549@my_localhost_LG>
References: <1186477281.20181028140549@my_localhost_LG>
Message-ID: <000001d470b1$596153e0$0c23fba0$@gmail.com>

It seems I was not looking at the right keywords when I searched, because I couldn't find that option before. Thanks for your reply.

I ended up discarding the possibility of re-generating these files, because I kept reading and found that GPG by default adds a salt to the passphrase, meaning there is no way for me to generate the same cypher text again.
I'm not even sure I should rely on that, by the way, so I'll have to design a more robust system for my long-term backups :)

-----Original Message-----
From: MFPA [mailto:2017-r3sgs86x8e-lists-groups at riseup.net]
Sent: Sunday, October 28, 2018 11:06 AM
To: Alvaro Martínez on GnuPG-Users
Cc: Alvaro Martínez
Subject: Re: File name seen by gpg

Hi

On Thursday 25 October 2018 at 9:29:35 PM, in , Alvaro Martínez wrote:-

> Is there any way to tell GPG which name it should use
> for the input
> file in the encrypted data?

Maybe it's https://gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#index-set_002dfilename

--set-filename string
    Use string as the filename which is stored inside messages. This overrides the default, which is to use the actual filename of the file being encrypted. Using the empty string for string effectively removes the filename from the output.

--
Best regards

MFPA

There is no snooze button for a cat that wants breakfast

From Siemons at CleanFuels.nl Wed Oct 31 10:21:11 2018
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Wed, 31 Oct 2018 10:21:11 +0100
Subject: gpg troubles
In-Reply-To:
References:
Message-ID: <9a33aad3-f3e1-8a04-44a3-ee4ad92a47ca@CleanFuels.nl>

Thanks Friedhelm,

That is a lot to think about. I'll study ..

Best regards, Roland

On 31/10/2018 01:33, gnupg-users-request at gnupg.org wrote:
> Date: Mon, 29 Oct 2018 04:18:31 +0100
> From: Friedhelm Waitzmann
> To: gnupg-users at gnupg.org
> Subject: Re: gpg troubles
> Message-ID: <20181029031830.GA24386 at kugelfisch.zuhause.test>
>
> Roland Siemons (P) at Fri., 2018-10-12:
>
>> 3/ Assisted remotely by some of you, I was able to sort out a very
>> strange problem with decryption. The solution was found by manipulating
>> my key from inside the gpg shell using the command line. I am not very
>> experienced with the command line. A major difficulty for those for whom
>> this is not daily bread and butter is that mistakes are easily made.
>> Hence the great value of GUIs.
>> 4/ I observed some unclarities in the GnuPG manual
>> (www.gnupg.org/gph/en/manual.html), here below under A.
> This is the GnuPG privacy handbook rather than the GnuPG manual.
> I suggest that you read the GnuPG manual
> () also, as
> it is the definitive instruction how to use GnuPG.
>
>> And perhaps also
>> some bugs in gpg, here below under B (please consider). Here is my
>> experience:
>> A/ I tried to revoke some subkeys, following the said manual (heading
>> "Revoking key components"). gpg pretended to do the job. Everything
>> looked fine. But it didn't!
After several hours of analysis (up to
>> checking if GnuPG was installed consistently on my system), I found the
>> issue: After the revkey procedure it is necessary to command "quit".
> A better way of committing the changes is typing in "save".
>
> Please see the GnuPG manual
> ().
>
> For the "--edit-key" main command (given at the command line) it
> lists the sub commands (to be typed into the edit key command
> shell):
>
>   save
>
>     Save all changes to the keyrings and quit.
>
>   quit
>
>     Quit the program without updating the keyrings.
>
>> Instead of quitting, gpg then asks "do you want to save yr changes" (or
>> something like that).
> This is to remind you that you are about to discard your changes.
>
>> And only then the subkeys were revoked. The said
>> manual does mention the command "quit" only once, and not even in a
>> general place explaining the operations of gpg, and in fact without any
>> explanation as to the impact of that command.
> The GnuPG manual (not the privacy handbook) mentions both of
> "save" and "quit" and explains the difference.
>
>> Of course I am happy to
>> have found out, but let's hope that I remember when after perhaps 2
>> years time I have to use gpg shell again....
> Just remember to read the GnuPG manual also.
>
>> B/ It is not at all clear to me how to start the gpg shell.
> This isn't a general ("the") GnuPG shell for all GnuPG commands,
> it is a shell for the limited set of "--edit-key" sub commands.
> That is, the "--edit-key" specified at the GnuPG invocation
> command line lets GnuPG run an interactive interpreter for the
> "--edit-key" subcommands that have to be typed in.
>
>> For example:
>> 1/ if (under the CMD terminal) I command "gpg -K", the lists of private
>> keys is returned,
> Generating this list doesn't need to ask the user to type any sub
> commands, so there is no "--list-secret-keys" shell.
>
>> but I am also returned to CMD, that is, kicked out of
>> the gpg shell.
> If GnuPG has written this list into its standard output channel,
> the job is done, thus GnuPG terminates, nobody is "kicked out".
>
>> 2/ if (CMD) I command "gpg --edit-key X" (where X is key identifier), I
>> do indeed enter the gpg shell, the screen showing "gpg>".
> You enter the shell that recognizes the limited set of the
> "--edit-key" sub commands.
>
>> That all may be all right, HOWEVER:
>> 3/ if (CMD) I command "gpg", the return is: "gpg: WARNING: no command
>> supplied. Trying to guess what you mean ... gpg: Go ahead and
>> type your message .
> Please read the GnuPG manual
> ():
>
>   "gpg may be run with no commands. In this case it will perform
>   a reasonable action depending on the type of file it is given
>   as input (an encrypted message is decrypted, a signature is
>   verified, a file containing keys is listed, etc.)."
>
> So GnuPG expects that you type in an encrypted message, a
> detached signature, a clear-signed message, a public key block, etc.
>
>> Then if I type a gpg command, everything stalls.
> Here you cannot type a GnuPG command, because GnuPG wants input,
> i.e. data. As you haven't specified any input file on the
> command line, GnuPG wants this data through its standard input
> channel, that is, typed in from the keyboard.
>
>> No results whatsoever.
> Unless the end of data is signalled (by typing the end-of-file
> character, with UNIX usually control d, with MS Windows perhaps
> control z), GnuPG repeats reading input lines.
>
>> Even the command "quit" gives no results.
> This "quit" is counted as an input line of data, too.
>
>> So I force quit by Ctrl-C.
>> So, in general, how to start the gpg shell?
> You don't in general start the GnuPG shell. You put a command on
> the invocation command line. This command may or may not be an
> interactive command.
>
> If it is (as with "--edit-key"), GnuPG starts a sub command shell
> (as with "--edit-key") to read and execute further sub commands.
>
> If it is not (as with "--list-keys", "--sign", "--encrypt",
> etc.), GnuPG may (as with "--sign", "--encrypt", "--decrypt",
> etc.) expect input to process, or may not (as with "--list-keys",
> etc.) expect any input.
>
> Please remember: GnuPG is not a program that does what you
> mean. It is a program that does exactly what you command it to
> do. Thus you must know how to command GnuPG to do what you want
> it to do for you.
>
>
> Regards
> Friedhelm
>

--
Roland Siemons
Haaksbergerstraat 205
ENSCHEDE
t: O645616734
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0xAEEC5E2ED87628F5.asc
Type: application/pgp-keys
Size: 7632 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:

From wk at gnupg.org Wed Oct 31 19:34:45 2018
From: wk at gnupg.org (Werner Koch)
Date: Wed, 31 Oct 2018 19:34:45 +0100
Subject: File name seen by gpg
In-Reply-To: <000001d470b1$596153e0$0c23fba0$@gmail.com> ("Alvaro Martínez"'s message of "Tue, 30 Oct 2018 21:33:26 -0300")
References: <1186477281.20181028140549@my_localhost_LG> <000001d470b1$596153e0$0c23fba0$@gmail.com>
Message-ID: <87r2g6c6d6.fsf@wheatstone.g10code.de>

On Wed, 31 Oct 2018 01:33, alvaro.gmj at gmail.com said:

> It seems I was not looking at the right keywords when I searched, because I couldn't find that option before.

Note that the filename stored with the encrypted or signed data is not even covered by the signature. Thus it is possible for anyone to change the filename in a signed file and trick the recipient into creating a file of that name. This is why gpg does not use that name for the output file.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From stefan.claas at posteo.de Wed Oct 31 18:59:07 2018
From: stefan.claas at posteo.de (Stefan Claas)
Date: Wed, 31 Oct 2018 18:59:07 +0100
Subject: Slightly OT - i need the proper wording for a signed document
In-Reply-To: <20181031185333.2a6a1230@iria.my-fqdn.de>
References: <20181031185333.2a6a1230@iria.my-fqdn.de>
Message-ID: <20181031185907.2fae3e54@iria.my-fqdn.de>

On Wed, 31 Oct 2018 18:53:33 +0100, Stefan Claas wrote:

> Hi all,
>
> i hope this is not too much off-topic...
>
> I recently signed up for the new Service of Germany's
> Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
> which is complaint with the EU's eIDAS regulation.

Oh... sorry i mean *compliant* of course!

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: Digitale Signatur von OpenPGP
URL:

From stefan.claas at posteo.de Wed Oct 31 18:53:33 2018
From: stefan.claas at posteo.de (Stefan Claas)
Date: Wed, 31 Oct 2018 18:53:33 +0100
Subject: Slightly OT - i need the proper wording for a signed document
Message-ID: <20181031185333.2a6a1230@iria.my-fqdn.de>

Hi all,

i hope this is not too much off-topic...

I recently signed up for the new Service of Germany's Bundesdruckerei*, to obtain a *qualified* X.509 Certificate, which is complaint with the EU's eIDAS regulation.

Because PGP signatures are not qualified, nor the pub keys, i thought to create a little .pdf document containing my name and my pub key data and give this a qualified signature and publish it on keybase. The signed document will then also be detached signed with my current GnuPG key.

The idea behind this is that people who find my pub key on keybase can be assured that i am the owner of the key.
My pub key bears also a sig3 from Governikus, but i can't expect that people living outside of Germany understand what Governikus is and how the Governikus signing procedure works.

So far so good.., since i am no native English speaker i would like to know what the proper wording would be to put such statement in the .pdf document and what name should i use for this document.

Any help would be greatly appreciated!

* https://cloud.sign-me.de/signature/start

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: Digitale Signatur von OpenPGP
URL:
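
For the "PGP Authentication with gpg4win+ssh" thread above, where a keyring-based authentication subkey has to be listed in sshcontrol before gpg-agent offers it: an added diagnostic sketch, not code from the list or from GnuPG. It cross-checks `gpg --with-colons --with-keygrip -K` output against the contents of sshcontrol; the function names, key IDs and keygrips are constructed placeholders.

```python
import re

# Constructed keygrips (40 hex digits each); real ones come from
# `gpg --with-colons --with-keygrip -K`.
GRIP_PRIMARY, GRIP_ENC, GRIP_AUTH = "1" * 40, "2" * 40, "3" * 40

# Constructed colon listing: field 12 holds the capabilities, and the
# "grp" record that follows a key carries its keygrip in field 10.
SAMPLE_COLONS = f"""\
sec:u:2048:1:AAAAAAAAAAAAAAA1:1538000000::::::scESC:
grp:::::::::{GRIP_PRIMARY}:
ssb:u:2048:1:AAAAAAAAAAAAAAA2:1538000000::::::e:
grp:::::::::{GRIP_ENC}:
ssb:u:2048:1:AAAAAAAAAAAAAAA3:1538000000::::::a:
grp:::::::::{GRIP_AUTH}:
"""

# Constructed sshcontrol content: keygrip, optional TTL, optional flags.
# A leading "!" disables the entry; "#" starts a comment line.
SAMPLE_SSHCONTROL = f"""\
# List of allowed ssh keys.
!{GRIP_AUTH} 0
"""

ENTRY = re.compile(r"^(!?)([0-9A-Fa-f]{40})\b")


def auth_keygrips(colons):
    """Keygrips of secret (sub)keys whose own capabilities include 'a'."""
    grips, wanted = [], False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            wanted = len(f) > 11 and "a" in f[11]
        elif f[0] == "grp" and wanted and len(f) > 9:
            grips.append(f[9].upper())
            wanted = False
    return grips


def parse_sshcontrol(text):
    """Map keygrip -> 'enabled' or 'disabled' for every entry line."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m:
            state[m.group(2).upper()] = "disabled" if m.group(1) else "enabled"
    return state


def check(colons, sshcontrol):
    """Status of each authentication key: enabled, disabled or missing."""
    state = parse_sshcontrol(sshcontrol)
    return {g: state.get(g, "missing") for g in auth_keygrips(colons)}


if __name__ == "__main__":
    for grip, status in check(SAMPLE_COLONS, SAMPLE_SSHCONTROL).items():
        print(grip, status)
```

A key reported as "missing" or "disabled" is one the agent will not hand to an SSH client, regardless of what `gpg --list-keys` shows.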
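
Werner Koch's note in the "File name seen by gpg" thread above, that the stored filename is not covered by the signature, shown as an added Python sketch (not code from the list or from GnuPG). The packet layout and hash input follow RFC 4880 sections 5.9 and 5.2.4; the function names, sample filenames and the hashed signature part are constructed for illustration.

```python
import hashlib
import struct

# Constructed hashed part of a v4 signature: version 4, type 0x00 (binary
# document), RSA (1), SHA-256 (8), zero-length hashed subpacket area.
HASHED_SIG_PART = bytes([4, 0x00, 1, 8, 0, 0])


def build_literal(filename: bytes, data: bytes, date: int = 0) -> bytes:
    """Body of a Literal Data packet: format, name length, name, date, data."""
    if len(filename) > 255:
        raise ValueError("filename length is a single octet")
    return b"b" + bytes([len(filename)]) + filename + struct.pack(">I", date) + data


def parse_literal(body: bytes):
    """Split a literal packet body into (format, filename, date, data)."""
    if len(body) < 6:
        raise ValueError("truncated literal data packet")
    n = body[1]
    if len(body) < 6 + n:
        raise ValueError("filename length runs past the packet")
    (date,) = struct.unpack(">I", body[2 + n:6 + n])
    return body[0:1], body[2:2 + n], date, body[6 + n:]


def v4_document_digest(body: bytes, hashed_sig_part: bytes) -> str:
    """Digest a v4 binary document signature is computed over.

    Input is the document data, the signature's hashed part and a 6-octet
    trailer. Format octet, filename and date never reach the hash.
    """
    _, _, _, data = parse_literal(body)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed_sig_part))
    return hashlib.sha256(data + hashed_sig_part + trailer).hexdigest()


def display_name(raw: bytes) -> str:
    """Treat the embedded name as an untrusted hint before showing or using it."""
    name = raw.decode("utf-8", "replace")
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base != name or base in ("", ".", "..") or any(ord(c) < 32 for c in base):
        return "<untrusted name rejected>"
    return base


if __name__ == "__main__":
    original = build_literal(b"report.txt", b"hello\n")
    renamed = build_literal(b"../other-dir/notes.txt", b"hello\n")
    # Same digest, so a signature made over one verifies over the other.
    print(v4_document_digest(original, HASHED_SIG_PART)
          == v4_document_digest(renamed, HASHED_SIG_PART))
    print(display_name(parse_literal(renamed)[1]))
```

Only a change to the data alters the digest, which is why the embedded name should be handled as attacker-controlled metadata even when the signature verifies.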