From sac at 300baud.de  Fri Feb  1 09:58:45 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 09:58:45 +0100
Subject: [OT] Where can I find some papers to read on mail (and
 envelope) security?
In-Reply-To: <65f4a745-0113-f91c-7c17-c3460c09deaf@schokokeks.org>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <65f4a745-0113-f91c-7c17-c3460c09deaf@schokokeks.org>
Message-ID: <20190201095845.1966a479@300baud.de>

On Wed, 30 Jan 2019 21:36:15 +0100, Michael Kesper wrote:

Hi Michael,

> On 30.01.19 16:33, Stefan Claas wrote:
> > Interesting topic, which i am interested in as well. I started, as German
> > citizen, to use also epost Brief and De-Mail a while ago, when
> > communicating sometimes with friends, because i like those paid
> > services much more than the classical email PGP combo.  
> 
> You know that you use snake oil then?
> These services decrypt your e-mails to "protect you against viruses" [0].

It does not matter to much for me. My threat model is not so high and if i
like to do so i can encrypt my mail and run it through codegroup.

And with De-Mail people can put an OpenPGP pub key in their directory,
so that people can get the pub key from there, regardless of which
De-Mail service provider they use.

P.S. We should get back on topic from the OP, on how to send securely
OpenPGP letters / postcards via regular mail.

If one googles for the string "encrypted postcards" there are many
links shown, from people who did that in the early 20th century. :-)

Best regards
Stefan



From Siemons at CleanFuels.nl  Fri Feb  1 09:03:54 2019
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Fri, 1 Feb 2019 09:03:54 +0100
Subject: GPA errors when creating key pair
In-Reply-To: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
Message-ID: <0e7ae8bc-baeb-8412-1ef8-d24129c9350a@CleanFuels.nl>

Dear List,

I am trying to help somebody to set up GPG4Win. He uses Win10. Trying to
create a new key pair using GPA, GPA returns: "The GPGME library
returned an unexpected
error at gpagenkeyadvop.c:163. The error was: Invalid argument"

How can this be resolved?

Greetz,
-- 

Roland Siemons
Haaksbergerstraat 205
ENSCHEDE

t: O645616734



From Siemons at CleanFuels.nl  Fri Feb  1 10:05:23 2019
From: Siemons at CleanFuels.nl (Roland Siemons (P))
Date: Fri, 1 Feb 2019 10:05:23 +0100
Subject: Fwd: GPA errors when creating key pair
In-Reply-To: <0e7ae8bc-baeb-8412-1ef8-d24129c9350a@CleanFuels.nl>
References: <0e7ae8bc-baeb-8412-1ef8-d24129c9350a@CleanFuels.nl>
Message-ID: <32945592-71b8-8084-d52a-d23e9ef3f2d0@CleanFuels.nl>

An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/0a5f423b/attachment.html>

From chrisbcoutinho at gmail.com  Fri Feb  1 12:26:03 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Fri, 1 Feb 2019 12:26:03 +0100
Subject: gpg-agent forwarding to remote with systemd - status?
In-Reply-To: <CAG+YirS0uy76vDC=sTqq=KqY65Y2WwoG5aUkC5AJ=Efe3rQXYQ@mail.gmail.com>
References: <CAG+YirS0uy76vDC=sTqq=KqY65Y2WwoG5aUkC5AJ=Efe3rQXYQ@mail.gmail.com>
Message-ID: <CAG+YirSoLctnXPoXsQkwOm0GLjZL9aHJKub56s3N-agExeCmTQ@mail.gmail.com>

I should add that the remote is OpenSUSE Leap 15.0 running GnuPG
2.2.5, and my current client is OpenSUSE Leap 15.0 running WSL on
Windows 10, also running GnuPG 2.2.5. The WSL client doesn't have
systemd installed on it, so it uses the old ~/.gnupg directory for
holding sockets.

On client:
$ gpgconf --list-dir socketdir
/home/chris/.gnupg

On remote:
$ gpgconf --list-dir socketdir
/run/user/1001/gnupg

Regards,
Chris

On Fri, 1 Feb 2019 at 11:42, Chris Coutinho <chrisbcoutinho at gmail.com> wrote:
>
> Hi,
>
> I'm trying to forward my local gpg-agent over ssh to a remote that
> controls the gnupg sockets via systemd. This fails because sshd
> attempts to place the socket in a directory that doesn't exist,
> because that is handled on the remote by systemd.
>
> This issue was raised back in 2016:
>
> https://gnupg-users.gnupg.narkive.com/eYVmOa2h/agent-forwarding-failure-when-the-socketdir-was-autodeleted
>
> It was suggested in that thread to place `gpgconf --create-socketdir`
> in '.bashrc' to create the proper directory, but this doesn't work in
> my case because on the remote the directory is created/deleted by
> systemd and shell scripts are sourced after ssh attempts to place the
> socket.
>
> From my limited understanding of the issue, it seems that it wasn't
> clear in what project the solution should be (openssh, systemd,
> gnupg).
>
> Is there an update regarding this issue, or any proposed workarounds
> for systemd-based remotes?
>
> Regards,
> Chris


From chrisbcoutinho at gmail.com  Fri Feb  1 11:42:27 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Fri, 1 Feb 2019 11:42:27 +0100
Subject: gpg-agent forwarding to remote with systemd - status?
Message-ID: <CAG+YirS0uy76vDC=sTqq=KqY65Y2WwoG5aUkC5AJ=Efe3rQXYQ@mail.gmail.com>

Hi,

I'm trying to forward my local gpg-agent over ssh to a remote that
controls the gnupg sockets via systemd. This fails because sshd
attempts to place the socket in a directory that doesn't exist,
because that is handled on the remote by systemd.

This issue was raised back in 2016:

https://gnupg-users.gnupg.narkive.com/eYVmOa2h/agent-forwarding-failure-when-the-socketdir-was-autodeleted

It was suggested in that thread to place `gpgconf --create-socketdir`
in '.bashrc' to create the proper directory, but this doesn't work in
my case because on the remote the directory is created/deleted by
systemd and shell scripts are sourced after ssh attempts to place the
socket.

>From my limited understanding of the issue, it seems that it wasn't
clear in what project the solution should be (openssh, systemd,
gnupg).

Is there an update regarding this issue, or any proposed workarounds
for systemd-based remotes?

Regards,
Chris


From sac at 300baud.de  Fri Feb  1 17:37:51 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 17:37:51 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on
 mail (and envelope) security?)
In-Reply-To: <20190130215006.6f436b0b@300baud.de>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de>
Message-ID: <20190201173751.4a95bcc4@300baud.de>

On Wed, 30 Jan 2019 21:50:06 +0100, Stefan Claas wrote:
> On Wed, 30 Jan 2019 21:23:56 +0100, Peter Lebbing wrote:
> 
> > On 30/01/2019 20:44, Stefan Claas wrote:  
> > > But which one ... ;-) I may check this again with a friend.    
> > 
> > Well there are the classical options:
> > <https://en.wikipedia.org/wiki/OCR-A>
> > <https://en.wikipedia.org/wiki/OCR-B>
> > 
> > Debian provides free fonts like that as packages fonts-ocr-a and
> > fonts-ocr-b, which come from:
> > <http://sourceforge.net/projects/ocr-a-font>
> > and
> > <http://ansuz.sooke.bc.ca/fonts.php>  
> 
> Thanks, i will take a look!

O.k. just did some tests again with old .pdf's containing images
of scanned text and then also used a jpeg image (small resolution)
with the free tesseract.

Tesseract did not do a good job, to many errors.

Then i googled a bit and ... Google can do it.

According to a youtube video you need a gmail account, upload to
Google Drive and then from there open the image or pdf with
Google Docs, which does imho the best job i have seen do far.

I will do more tests, once time permits.

Regards
Stefan


From justina at colmena.biz  Fri Feb  1 05:43:35 2019
From: justina at colmena.biz (justina colmena)
Date: Thu, 31 Jan 2019 19:43:35 -0900
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190130234741.3e8ce8af@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
Message-ID: <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>

On January 30, 2019 1:47:41 PM AKST, Stefan Claas <sac at 300baud.de> wrote:
>On Wed, 30 Jan 2019 12:46:26 -0800, Allen M. Juinio wrote:
>> > Date: Wed, 30 Jan 2019 20:44:07 +0100
>> > From: Stefan Claas <sac at 300baud.de>
>
>> > On the other side i wish PGPfone would have been further developed.
>> > I found it, way back then, pretty cool and super easy to use,
>compared
>> > to PGP or GnuPG.
>
>> Have you tried using Signal from Open Whisper Systems?  They have
>both an Android and Apple version. 
>
>Thanks, i am aware of Signal, but what i mean is to communicate
>directly
>and not via servers and also by not giving away phone numbers.
>
>With PGPfone one needed only the (current) IP address of its
>communication
>partner and then connected directly, without any servers involved.
>
>Regards
>Stefan
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

I don't mean to sound rude or out of place, but there appear to be too many distractions to have a productive discussion on this list, and there are some critical issues, because GnuPG has become an essential part of many important systems throughout the free and open source software community.

The weekly "digest" option for the mailing list should be no-reply. People who wish to participate in a pointed or on-topic discussion really need to receive each email message independently.

I realize it's a German domain, but 300baud.de is just really obnoxious in English. The phrase "300 baud" itself is, of course, completely unobjectionable hacker lore, but baud+de = "bawdy" as in "bawdy house" which is extremely vulgar in English. Only for the gentlemen.

That sort of "humor" is not friendly to women and children, and I know especially a lot of women and girls would otherwise be very interested in cryptography, PGP-encrypted email, etc. Let's lose the vulgarity and focus on Alice's secret message to Bob, something Eve or Mallory has no need to know, basic elements of what needs to be done right with respect to the core functionality of GnuPG.

Not to advertise, but my own domain is the Spanish word "colmena" (hive, colony of bees, beehive in English) with the "biz" tld, slang for "business." Bees are busy, and they make that buzzing noise. Point being, it's entirely possible to avoid a lewd implication or double entendre. I can't let people take me for all honey and no sting with my domain.

With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption. If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other side-channel attacks which often trivially reveal a muffled but clear recording and transcript.

The human voice is in a certain sense "too rich" to hide or conceal, and the Bible tells of a "line" of every signal or sound that extends to be heard to the ends the earth, and of the ungodly that "the sound of his words shall come unto the Lord for the manifestation of his wicked deeds."
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido.

https://www.colmena.biz/~justina/contacto.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190131/19c320de/attachment.sig>

From sac at 300baud.de  Fri Feb  1 19:44:34 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 19:44:34 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on
 mail (and envelope) security?)
In-Reply-To: <BB3E994C-9F90-44A4-AB26-BDE5ADCB1B5D@webweaving.org>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de>
 <20190201173751.4a95bcc4@300baud.de>
 <BB3E994C-9F90-44A4-AB26-BDE5ADCB1B5D@webweaving.org>
Message-ID: <20190201194434.42338084@300baud.de>

On Fri, 1 Feb 2019 17:53:09 +0100, Dirk-Willem van Gulik wrote:

> It is a bit of a hack - and quite setting specific for us - but we?ve been using
> 
> 	https://github.com/dirkx/gpg-offline-batch-key- <https://github.com/dirkx/gpg-offline-batch-key->
> 
> and had to occasionally recover keys (every few years or so).
> 
> Typical output below.

Thanks for the info! I had a quick look at the source code and
as understood it uses QR-Codes, which i have played also in
the past with.

However, i am currently interested in using codegroup armor
so that it can be printed too and then read properly (hopefully)
with OCR solutions.

Maybe a bit old fashioned, but worth a try imho, because
in case OCR fails one could type it in manually, if its are
short encrypted messages.

Regards
Stefan 


From dirkx at webweaving.org  Fri Feb  1 20:01:58 2019
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 1 Feb 2019 20:01:58 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on
 mail (and envelope) security?)
In-Reply-To: <20190201194434.42338084@300baud.de>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
 <BB3E994C-9F90-44A4-AB26-BDE5ADCB1B5D@webweaving.org>
 <20190201194434.42338084@300baud.de>
Message-ID: <57AAA991-E579-49E6-8996-DEA8A065188B@webweaving.org>

On 1 Feb 2019, at 19:44, Stefan Claas <sac at 300baud.de> wrote:
> On Fri, 1 Feb 2019 17:53:09 +0100, Dirk-Willem van Gulik wrote:
> 
>> It is a bit of a hack - and quite setting specific for us - but we?ve been using
>> 
>> 	https://github.com/dirkx/gpg-offline-batch-key- <https://github.com/dirkx/gpg-offline-batch-key->
> 
> However, i am currently interested in using codegroup armor
> so that it can be printed too and then read properly (hopefully)
> with OCR solutions.

Yes - if you look at the next  pages in the example - that is what is being done there.

With specific care taken to minimise what one has to enter.

So one can either OCR the written text, use the QR code or enter it by hand.

Over the years we've come to rely on this a lot - and regularly had to resort to manual entry or OCR ing of the numbers.

Dw.

From sac at 300baud.de  Fri Feb  1 20:05:58 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 20:05:58 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
Message-ID: <20190201200558.34a720eb@300baud.de>

On Thu, 31 Jan 2019 19:43:35 -0900, justina colmena wrote:

> With regards to PGPfone etc., all you need to do is run Asterisk on a server somewhere, enable SIP with encryption.
> If you or your conversation partner don't have a public key, there is a voice verification of endpoints, but do note
> that encrypted real-time voice conversations are extremely difficult to protect from packet-timing and other
> side-channel attacks which often trivially reveal a muffled but clear recording and transcript.

Thanks for the info, but i do not want to install server software, for encrypted communications,
where 3rd parties could have theoretically access to it.

Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
so that it can be used on Linux too or modern macOS. The old Windows version still runs
fine, under Windows 7, for example.

Regards
Stefan

P.S. About my domain name, for the interested women or children, please take
a look here: https://en.wikipedia.org/wiki/Baud


From sheogorath at shivering-isles.com  Fri Feb  1 18:20:22 2019
From: sheogorath at shivering-isles.com (Sheogorath)
Date: Fri, 1 Feb 2019 18:20:22 +0100
Subject: WKD with HTTP redirect possible?
Message-ID: <b5630a98-67a1-f659-9a35-81d2a7967c3f@shivering-isles.com>

Hi,

I have a domain with a catchall setup. So I wonder if I can just setup a
HTTP redirect to my main key so WKD works fine. So far it seems to fail.

The standard basically says that the GET request has to return the
binary key, which is quite unhandy in this case. I mean, not impossible
to build, but feels wrong to me.

Also, and that's not overly important, but given that WKD discovers a
key, downloads it and it's not containing the mail address, is this key
still used for the communication or is it ignored? Does it throw an error?

Even with `-vv` set I couldn't really figure out.

Version used (on Fedora 29):
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4

-- 
Signed
Sheogorath

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/8b2f2dd1/attachment.sig>

From sac at 300baud.de  Fri Feb  1 20:19:35 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 20:19:35 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on
 mail (and envelope) security?)
In-Reply-To: <57AAA991-E579-49E6-8996-DEA8A065188B@webweaving.org>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de>
 <20190201173751.4a95bcc4@300baud.de>
 <BB3E994C-9F90-44A4-AB26-BDE5ADCB1B5D@webweaving.org>
 <20190201194434.42338084@300baud.de>
 <57AAA991-E579-49E6-8996-DEA8A065188B@webweaving.org>
Message-ID: <20190201201935.3b8eb1ee@300baud.de>

On Fri, 1 Feb 2019 20:01:58 +0100, Dirk-Willem van Gulik wrote:
> On 1 Feb 2019, at 19:44, Stefan Claas <sac at 300baud.de> wrote:

> > However, i am currently interested in using codegroup armor
> > so that it can be printed too and then read properly (hopefully)
> > with OCR solutions.  
> 
> Yes - if you look at the next  pages in the example - that is what is being done there.
> 
> With specific care taken to minimise what one has to enter.
> 
> So one can either OCR the written text, use the QR code or enter it by hand.
> 
> Over the years we've come to rely on this a lot - and regularly had to resort to manual entry or OCR ing of the
> numbers.

Oh, sorry, than i have to take a closer look again!

Many thanks for pointing this out!

Regards
Stefan


From peter at digitalbrains.com  Fri Feb  1 20:23:26 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Fri, 1 Feb 2019 20:23:26 +0100
Subject: OpenPGP on paper
In-Reply-To: <20190201173751.4a95bcc4@300baud.de>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
Message-ID: <ae57787c-d7ea-a524-d8ca-98934c7b1c91@digitalbrains.com>

On 01/02/2019 17:37, Stefan Claas wrote:
> Tesseract did not do a good job, to many errors.

Just an idea: OCR'ing a special OCR font like the two classics I
mentioned will go a lot better if the OCR engine *knows* it is looking
at that font. They designed the glyphs to be dissimilar. I don't know if
there are any free software OCR engines that can restrict themselves to
a specific font, I'm just reasoning about it without domain knowledge.

Also, if you choose an encoding that avoids similar glyphs like one and
ell, zero and oh, etcetera, your miss rate should go down.

> Then i googled a bit and ... Google can do it.

That doesn't seem useful for secret letters. And I don't think you'll
get an offline engine which has been trained like theirs from them.

HTH,

Peter.

PS: Could you removed the (was: ...) bit from the subject in replies? I
think I'll stop doing that type of formatting from now on. I saw it
being used quite some time back and when it works it's okay, so I
followed suit. But it's not working that well anymore.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/c46623bd/attachment.sig>

From sac at 300baud.de  Fri Feb  1 21:06:16 2019
From: sac at 300baud.de (Stefan Claas)
Date: Fri, 1 Feb 2019 21:06:16 +0100
Subject: OpenPGP on paper
In-Reply-To: <ae57787c-d7ea-a524-d8ca-98934c7b1c91@digitalbrains.com>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de>
 <20190201173751.4a95bcc4@300baud.de>
 <ae57787c-d7ea-a524-d8ca-98934c7b1c91@digitalbrains.com>
Message-ID: <20190201210616.0a6ef14a@300baud.de>

On Fri, 1 Feb 2019 20:23:26 +0100, Peter Lebbing wrote:
> On 01/02/2019 17:37, Stefan Claas wrote:
> > Tesseract did not do a good job, to many errors.  
> 
> Just an idea: OCR'ing a special OCR font like the two classics I
> mentioned will go a lot better if the OCR engine *knows* it is looking
> at that font. They designed the glyphs to be dissimilar. I don't know if
> there are any free software OCR engines that can restrict themselves to
> a specific font, I'm just reasoning about it without domain knowledge.
> 
> Also, if you choose an encoding that avoids similar glyphs like one and
> ell, zero and oh, etcetera, your miss rate should go down.

Well, i googled a bit and it seems one has to train tesseract to give good
results. As understood Google's engine uses also tesseract, but it must
be trained then pretty good, i assume.

> > Then i googled a bit and ... Google can do it.  
> 
> That doesn't seem useful for secret letters. And I don't think you'll
> get an offline engine which has been trained like theirs from them.

Probably not, but i thought to share my findings.

> PS: Could you removed the (was: ...) bit from the subject in replies? I
> think I'll stop doing that type of formatting from now on. I saw it
> being used quite some time back and when it works it's okay, so I
> followed suit. But it's not working that well anymore.

Sorry, i always overlook this ...

Regards
Stefan


From dirkx at webweaving.org  Fri Feb  1 17:53:09 2019
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 1 Feb 2019 17:53:09 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on
 mail (and envelope) security?)
In-Reply-To: <20190201173751.4a95bcc4@300baud.de>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130163327.3c8a9135@300baud.de>
 <a8fd1f6f-385d-3745-b230-845a1c857e61@digitalbrains.com>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
 <20190130215006.6f436b0b@300baud.de> <20190201173751.4a95bcc4@300baud.de>
Message-ID: <BB3E994C-9F90-44A4-AB26-BDE5ADCB1B5D@webweaving.org>


> On 1 Feb 2019, at 17:37, Stefan Claas <sac at 300baud.de> wrote:
> 
> On Wed, 30 Jan 2019 21:50:06 +0100, Stefan Claas wrote:
>> On Wed, 30 Jan 2019 21:23:56 +0100, Peter Lebbing wrote:
>> 
>>> On 30/01/2019 20:44, Stefan Claas wrote:  
>>>> But which one ... ;-) I may check this again with a friend.    
>>> 
>>> Well there are the classical options:
>>> <https://en.wikipedia.org/wiki/OCR-A>
>>> <https://en.wikipedia.org/wiki/OCR-B>
>>> 
>>> Debian provides free fonts like that as packages fonts-ocr-a and
>>> fonts-ocr-b, which come from:
>>> <http://sourceforge.net/projects/ocr-a-font>
>>> and
>>> <http://ansuz.sooke.bc.ca/fonts.php>  
>> 
>> Thanks, i will take a look!
> 
> O.k. just did some tests again with old .pdf's containing images
> of scanned text and then also used a jpeg image (small resolution)
> with the free tesseract.
> 
> Tesseract did not do a good job, to many errors.
> 
> Then i googled a bit and ... Google can do it.
> 
> According to a youtube video you need a gmail account, upload to
> Google Drive and then from there open the image or pdf with
> Google Docs, which does imho the best job i have seen do far.
> 
> I will do more tests, once time permits.

It is a bit of a hack - and quite setting specific for us - but we?ve been using

	https://github.com/dirkx/gpg-offline-batch-key- <https://github.com/dirkx/gpg-offline-batch-key->

and had to occasionally recover keys (every few years or so).

Typical output below.

Dw.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/3c07650f/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: privkey.pdf.pdf
Type: application/pdf
Size: 211080 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/3c07650f/attachment-0001.pdf>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/3c07650f/attachment-0003.html>

From justina at colmena.biz  Sat Feb  2 04:26:21 2019
From: justina at colmena.biz (justina colmena)
Date: Fri, 01 Feb 2019 18:26:21 -0900
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190201200558.34a720eb@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
Message-ID: <D4346F4E-AB4D-4E80-BA09-51F065245DDB@colmena.biz>

On February 1, 2019 10:05:58 AM AKST, Stefan Claas <sac at 300baud.de> wrote:
>On Thu, 31 Jan 2019 19:43:35 -0900, justina colmena wrote:
>
>> With regards to PGPfone etc., all you need to do is run Asterisk on a
>server somewhere, enable SIP with encryption.
>> If you or your conversation partner don't have a public key, there is
>a voice verification of endpoints, but do note
>> that encrypted real-time voice conversations are extremely difficult
>to protect from packet-timing and other
>> side-channel attacks which often trivially reveal a muffled but clear
>recording and transcript.
>
>Thanks for the info, but i do not want to install server software, for
>encrypted communications,
>where 3rd parties could have theoretically access to it.
>
>Maybe someone, in the future, can pick-up the idea of PGPfone and
>develop it further
>so that it can be used on Linux too or modern macOS. The old Windows
>version still runs
>fine, under Windows 7, for example.
>
>Regards
>Stefan
>
>P.S. About my domain name, for the interested women or children, please
>take
>a look here: https://en.wikipedia.org/wiki/Baud

I am definitely not asking anyone to install anything for my use. I'm just trying to explain AFAIK, what you need to do if you want to experiment with voice encryption.

I don't want to be held responsible for it or arrested for it any more than anyone else, and I'm also trying to explain how some of these things come across to authorities who continually amd repeatedly insist on viewing all such matters in the worst possible light.

Didn't Martin Luther say to place the best construction on all things? But no, we must submit to "parallel construction" and falsely sworn warrants by over-informed and under-educated law enforcement officers. "Thou shalt not bear false witness" and all that, and we just had a holiday, Dr. Martin Luther King Jr. day - and that's right, now that I think about it - not only a doctorate like his German namesake, but his father and grandfather and their wives must have been staunch Lutherans as well, in so far as to name one son after another after him.

There is so much Catholic insistence on communist totalitarianism under a papal dictatorship of the proletariat, and opposition in the name of that religion to every precept of human rights and due process of law, that even the Finnish Protestants preach "oikeutta" & "lain oikeaa k?ytt??" in church, because like us they have not attained to such rights and freedoms in this life on Earth, and so the struggle continues against Catholicism.

The full name of "baud" is "Baudot," a Frenchman, if I recall correctly, a contemporary of Hartley or Shannon, definitely a co-worker on such matters. Living relatives? Is it another family feud? France is practically at war already with a migrant situation, the recent Europol or Interpol shake-up with China or Russia or South Korea, general E.U. upheaval, Brexit sympathies, and so on and so forth.
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido.

https://www.colmena.biz/~justina/contacto.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190201/9f75f821/attachment.sig>

From jhs at berklix.com  Sat Feb  2 14:02:32 2019
From: jhs at berklix.com (Julian H. Stacey)
Date: Sat, 02 Feb 2019 14:02:32 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: Your message "Fri, 01 Feb 2019 18:26:21 -0900."
 <D4346F4E-AB4D-4E80-BA09-51F065245DDB@colmena.biz>
Message-ID: <201902021302.x12D2WEt060862@fire.js.berklix.net>

Message-id: <D4346F4E-AB4D-4E80-BA09-51F065245DDB at colmena.biz>
Date: Fri, 01 Feb 2019 18:26:21 -0900 (Sat 04:26 CET)
>From justina colmena <justina at colmena.biz> 
had nothing relevant to list remit
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Cheers,
Julian
-- 
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent
 http://www.berklix.uk/brexit/#email_an_mp


From vedaal at nym.hush.com  Sun Feb  3 06:12:07 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Sun, 03 Feb 2019 00:12:07 -0500
Subject: pgp-phone  (was Gnupg-users Digest, Vol 184, Issue 22)
In-Reply-To: <20190201200558.34a720eb@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de> 
Message-ID: <20190203051207.61504C06D8@smtp.hushmail.com>



On 2/1/2019 at 2:48 PM, "Stefan Claas"  wrote:Maybe someone, in the
future, can pick-up the idea of PGPfone and develop it further
so that it can be used on Linux too or modern macOS. The old Windows
version still runs
fine, under Windows 7, for example.

=====
Can be done on Ubuntu, or any Linux OS running Oracle Virtual Box with
win 7, (and maybe on VB with old dos 6,2, but have not actually tried
it on dos)
vedaal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190203/541ebc65/attachment.html>

From rjh at sixdemonbag.org  Sun Feb  3 10:14:06 2019
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 3 Feb 2019 04:14:06 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190201200558.34a720eb@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
Message-ID: <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>

> Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
> so that it can be used on Linux too or modern macOS. The old Windows version still runs
> fine, under Windows 7, for example.

Why?

It's a serious question.  What exact feature set was there present in
PGPfone which you believe is not easily available with out-of-the-box
software solutions?


From sac at 300baud.de  Sun Feb  3 12:49:06 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 12:49:06 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
Message-ID: <20190203124906.57ef92c6@300baud.de>

On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:
> > Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
> > so that it can be used on Linux too or modern macOS. The old Windows version still runs
> > fine, under Windows 7, for example.  
> 
> Why?
> 
> It's a serious question.  What exact feature set was there present in
> PGPfone which you believe is not easily available with out-of-the-box
> software solutions?

What i liked about PGPfone was that you could directly connect to your
communications partner, without any servers involved and it was super
easy to use. You simply put in the (current) IP Adress, connect and then
read some displayed letters to each other, to prevent MITM, and then
communicated. There was no learning curve involved.

I think i have to look harder to find a cross-platform FOSS solution
that works the same.

Regards
Stefan
 





From sac at 300baud.de  Sun Feb  3 12:51:10 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 12:51:10 +0100
Subject: pgp-phone  (was Gnupg-users Digest, Vol 184, Issue 22)
In-Reply-To: <20190203051207.61504C06D8@smtp.hushmail.com>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <20190203051207.61504C06D8@smtp.hushmail.com>
Message-ID: <20190203125110.2cdf27c6@300baud.de>

On Sun, 03 Feb 2019 00:12:07 -0500, vedaal via Gnupg-users wrote:
> On 2/1/2019 at 2:48 PM, "Stefan Claas"  wrote:Maybe someone, in the
> future, can pick-up the idea of PGPfone and develop it further
> so that it can be used on Linux too or modern macOS. The old Windows
> version still runs
> fine, under Windows 7, for example.
> 
> =====
> Can be done on Ubuntu, or any Linux OS running Oracle Virtual Box with
> win 7, (and maybe on VB with old dos 6,2, but have not actually tried
> it on dos)
> vedaal

Thanks for the info, much appreciated. What i don't remember is if
the used ciphers in PGPFone are still safe nowadays. Have to look
for that.

Regards
Stefan


From rjh at sixdemonbag.org  Sun Feb  3 17:48:28 2019
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 3 Feb 2019 11:48:28 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203124906.57ef92c6@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
Message-ID: <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>

> What i liked about PGPfone was that you could directly connect to your
> communications partner, without any servers involved and it was super
> easy to use. You simply put in the (current) IP Adress, connect and then
> read some displayed letters to each other, to prevent MITM, and then
> communicated. There was no learning curve involved.

In the era before NAT, this may have made sense.  In today's
NAT-pervasive era, not so much.

Under NAT, your IP address is hidden from the rest of the internet.  The
address my router gives me is not one the outside world can use to route
information to me; and if I go to a website that lists my IP, that's
actually my router's IP, not mine.

I won't go into how NAT works except to say that under NAT, connections
cannot[1] be made from one peer to another.  You need a server that's
not NATted in order to facilitate connections between peers.

So -- I hate to be the one to tell you this, but the architecture of the
internet has changed dramatically since PGPfone was released in ... what
was it, '94?  Today, one of the major purposes of these servers is to
facilitate traversing NATs.


[1] It's technically possible to do peer to peer behind NAT, but beyond
the technical capabilities of the vast majority of users.


From sac at 300baud.de  Sun Feb  3 20:12:19 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 20:12:19 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
Message-ID: <20190203201219.72824c1e@300baud.de>

On Sun, 3 Feb 2019 11:48:28 -0500, Robert J. Hansen wrote:
> > What i liked about PGPfone was that you could directly connect to your
> > communications partner, without any servers involved and it was super
> > easy to use. You simply put in the (current) IP Adress, connect and then
> > read some displayed letters to each other, to prevent MITM, and then
> > communicated. There was no learning curve involved.  
> 
> In the era before NAT, this may have made sense.  In today's
> NAT-pervasive era, not so much.
> 
> Under NAT, your IP address is hidden from the rest of the internet.  The
> address my router gives me is not one the outside world can use to route
> information to me; and if I go to a website that lists my IP, that's
> actually my router's IP, not mine.

Well, i can only say last time i used PGPfone was in 2014, with a friend.
We both used a website that showed us our IP addresses and it worked
fine. We only had to set UDP port 17447 in our routers, for incoming
and outgoing connections.

I currently have no Windows box, otherwise i would try it out again
and let you know.

Regards
Stefan


From sac at 300baud.de  Sun Feb  3 20:52:00 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 20:52:00 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203201219.72824c1e@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
 <20190203201219.72824c1e@300baud.de>
Message-ID: <20190203205200.620c6453@300baud.de>

On Sun, 3 Feb 2019 20:12:19 +0100, Stefan Claas wrote:

> Well, i can only say last time i used PGPfone was in 2014, with a friend.
> We both used a website that showed us our IP addresses and it worked
> fine. We only had to set UDP port 17447 in our routers, for incoming
> and outgoing connections.
> 
> I currently have no Windows box, otherwise i would try it out again
> and let you know.

Maybe, if such a software would see the light again it could be done
via Tor usage, like Onionshare works. People set up a Tor Hidden
Service on their own computer, like Onionshare does and then you
provide the .onion address to the caller ...

Regards
Stefan


From justina at colmena.biz  Sun Feb  3 20:56:54 2019
From: justina at colmena.biz (justina colmena)
Date: Sun, 03 Feb 2019 10:56:54 -0900
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
Message-ID: <F7D7F0A7-DF55-4DC8-B5B3-836BB8AEA835@colmena.biz>

On February 3, 2019 7:48:28 AM AKST, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
>> What i liked about PGPfone was that you could directly connect to
>your
>> communications partner, without any servers involved and it was super
>> easy to use. You simply put in the (current) IP Adress, connect and
>then
>> read some displayed letters to each other, to prevent MITM, and then
>> communicated. There was no learning curve involved.
>
>In the era before NAT, this may have made sense.  In today's
>NAT-pervasive era, not so much.
>
>Under NAT, your IP address is hidden from the rest of the internet. 
>The
>address my router gives me is not one the outside world can use to
>route
>information to me; and if I go to a website that lists my IP, that's
>actually my router's IP, not mine.
>
>I won't go into how NAT works except to say that under NAT, connections
>cannot[1] be made from one peer to another.  You need a server that's
>not NATted in order to facilitate connections between peers.
>
>So -- I hate to be the one to tell you this, but the architecture of
>the
>internet has changed dramatically since PGPfone was released in ...
>what
>was it, '94?  Today, one of the major purposes of these servers is to
>facilitate traversing NATs.
>
>
>[1] It's technically possible to do peer to peer behind NAT, but beyond
>the technical capabilities of the vast majority of users.
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

The official answer to NAT is IPv6. Works quite well, except for a few technology luddites.

Other than that, my place was SWATted about 1:30am last night. The previous night the phone rang at 4:38am, caller ID from Washington, D.C. A strange car had been parked at my place, listening for the phone to ring.

We've got to think outside the box on that one. There's a German pub down the street, the "West Berlin," just across from the local telephone office, GCI, yes, luddites, all NAT, no IPv6. Gotta go AT&T for that.

So think reality: location, location, location. It's S.O.P. for the C.C.C., and no, we're not talking about the Civilian Conservation Corps. Young white male cops on the graveyard shift, amped up on adrenaline and testosterone, brash and eager to make their bones on a big bust. That color-of-law stuff from the feds is starting to get to them.

Talk too much on the phone, and there's bound to be some girl or female operator pressing charges by the minute. "Get off my block, bitch, I'm listening!" she mutters in a sleepy voice. It's the Democratic boiler room Party line. The ladies have a stranglehold on the telephone surveillance business, yes, those ladies, meaning none other than Dianne Feinstein and friends on the Senate Intelligence Committee, Eve and Mallory listening to Alice and Bob.
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido.

https://www.colmena.biz/~justina/contacto.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190203/a48c4e11/attachment.sig>

From jhs at berklix.com  Sun Feb  3 21:39:33 2019
From: jhs at berklix.com (Julian H. Stacey)
Date: Sun, 03 Feb 2019 21:39:33 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: Your message "Sun, 03 Feb 2019 10:56:54 -0900."
 <F7D7F0A7-DF55-4DC8-B5B3-836BB8AEA835@colmena.biz>
Message-ID: <201902032039.x13KdXPD022271@fire.js.berklix.net>

justina at colmena.biz  Emited more politics not to list remit.

http://lists.gnupg.org/mailman/admin/gnupg-users/privacy/sender
has eg reject_these_nonmembers etc 

Cheers,
Julian
-- 
Julian Stacey, Consultant Systems Engineer, BSD Linux Unix, Munich Aachen Kent


From juergen at bruckner.tk  Sun Feb  3 21:43:34 2019
From: juergen at bruckner.tk (Juergen Bruckner)
Date: Sun, 3 Feb 2019 21:43:34 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203124906.57ef92c6@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
Message-ID: <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>

Hello Stefan,

ever had a look at "Jami" (formerly 'ring') [1]


regards
Juergen

[1]https://jami.net/

Am 03.02.19 um 12:49 schrieb Stefan Claas:
> On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:
>>> Maybe someone, in the future, can pick-up the idea of PGPfone and develop it further
>>> so that it can be used on Linux too or modern macOS. The old Windows version still runs
>>> fine, under Windows 7, for example.  
>>
>> Why?
>>
>> It's a serious question.  What exact feature set was there present in
>> PGPfone which you believe is not easily available with out-of-the-box
>> software solutions?
> 
> What i liked about PGPfone was that you could directly connect to your
> communications partner, without any servers involved and it was super
> easy to use. You simply put in the (current) IP Adress, connect and then
> read some displayed letters to each other, to prevent MITM, and then
> communicated. There was no learning curve involved.
> 
> I think i have to look harder to find a cross-platform FOSS solution
> that works the same.
> 
> Regards
> Stefan
>  
> 
> 
> 
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 

-- 
Juergen M. Bruckner
juergen at bruckner.tk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3894 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190203/dd22f565/attachment-0001.bin>

From sac at 300baud.de  Sun Feb  3 21:56:49 2019
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 3 Feb 2019 21:56:49 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>
Message-ID: <20190203215649.36ace68b@300baud.de>

On Sun, 3 Feb 2019 21:43:34 +0100, Juergen Bruckner wrote:

Hi Juergen,

> ever had a look at "Jami" (formerly 'ring') [1]
> 
> 
> regards
> Juergen
> 
> [1]https://jami.net/

Thanks a lot, will look into it.

Regards
Stefan


From juergen at bruckner.tk  Sun Feb  3 22:01:25 2019
From: juergen at bruckner.tk (Juergen Bruckner)
Date: Sun, 3 Feb 2019 22:01:25 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203215649.36ace68b@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <1ad15669-8be5-9db4-16c1-e5542d997894@bruckner.tk>
 <20190203215649.36ace68b@300baud.de>
Message-ID: <f1f71621-ba70-169f-7958-ff2cee34cfe1@bruckner.tk>

Hi Stefan,

youre welcome! :)

I really don't know how far the developement of this software is.
They did introduce their project to a few people at the FOSDEM 2016.
And if I remember right they did get a funding by the p?p Foundation;
but not fully sure about this last point.

regards
Juergen

Am 03.02.19 um 21:56 schrieb Stefan Claas:
> On Sun, 3 Feb 2019 21:43:34 +0100, Juergen Bruckner wrote:
> 
> Hi Juergen,
> 
>> ever had a look at "Jami" (formerly 'ring') [1]
>>
>>
>> regards
>> Juergen
>>
>> [1]https://jami.net/
> 
> Thanks a lot, will look into it.
> 
> Regards
> Stefan
> 

-- 
Juergen M. Bruckner
juergen at bruckner.tk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3894 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190203/1ddd92cb/attachment.bin>

From rjh at sixdemonbag.org  Mon Feb  4 05:38:35 2019
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 3 Feb 2019 23:38:35 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203201219.72824c1e@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
 <20190203201219.72824c1e@300baud.de>
Message-ID: <8b48d702-11f0-8fa7-810b-3d38de602aa3@sixdemonbag.org>

> Well, i can only say last time i used PGPfone was in 2014, with a friend.
> We both used a website that showed us our IP addresses and it worked
> fine. We only had to set UDP port 17447 in our routers, for incoming
> and outgoing connections.

"All you had to do" was:

(a) understand computer networking well enough to understand what you
needed to do,

(b) know your router could be used to do port forwarding,

(c) log into your router, navigate bad UX,

(d) probably switch your DHCP allocation to a static one, so you
wouldn't have to do this again every time you acquired a new DHCP lease,

(e) and on and on and on.

No, PGPfone was not "easier to use".  The skills required to use it were
far in excess of what most users possessed.

I get that you liked PGPfone.  Nothing wrong with that.  But there are
good reasons it failed to get traction in the privacy community, most of
them revolving around user-unfriendliness and inconvenience.


From sac at 300baud.de  Mon Feb  4 16:48:30 2019
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 4 Feb 2019 16:48:30 +0100
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <8b48d702-11f0-8fa7-810b-3d38de602aa3@sixdemonbag.org>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
 <3a9c810c-e1a8-212e-b733-c23db8f874a2@sixdemonbag.org>
 <20190203201219.72824c1e@300baud.de>
 <8b48d702-11f0-8fa7-810b-3d38de602aa3@sixdemonbag.org>
Message-ID: <20190204164830.0a120aa4@300baud.de>

On Sun, 3 Feb 2019 23:38:35 -0500, Robert J. Hansen wrote:
> > Well, i can only say last time i used PGPfone was in 2014, with a friend.
> > We both used a website that showed us our IP addresses and it worked
> > fine. We only had to set UDP port 17447 in our routers, for incoming
> > and outgoing connections.  
> 
> "All you had to do" was:
> 
> (a) understand computer networking well enough to understand what you
> needed to do,
> 
> (b) know your router could be used to do port forwarding,
> 
> (c) log into your router, navigate bad UX,
> 
> (d) probably switch your DHCP allocation to a static one, so you
> wouldn't have to do this again every time you acquired a new DHCP lease,
> 
> (e) and on and on and on.
> 
> No, PGPfone was not "easier to use".  The skills required to use it were
> far in excess of what most users possessed.
> 
> I get that you liked PGPfone.  Nothing wrong with that.  But there are
> good reasons it failed to get traction in the privacy community, most of
> them revolving around user-unfriendliness and inconvenience.

With all due respect,

my friend has no crypto experience at all and also noodles not around with
network settings, but found PGPfone easy to use as well. 

But people with Windows boxes can tryout themselves and ask themselves
why it was not further developed for the (Linux) community ...

And if it is really so hard to use, like you wan't to make people believe, then
one can pick-up the development idea from my previous posting and provide
us with a solution that uses .onion addresses, like Onionshare does. ;-)

Regards
Stefan







From justina at colmena.biz  Tue Feb  5 22:47:10 2019
From: justina at colmena.biz (justina colmena)
Date: Tue, 05 Feb 2019 12:47:10 -0900
Subject: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
In-Reply-To: <k9mail/k-9/issues/2375/460329013@github.com>
References: <k9mail/k-9/issues/2375@github.com>
 <k9mail/k-9/issues/2375/460329013@github.com>
Message-ID: <FAD48E42-B394-4996-BA63-66F358D7E5D9@colmena.biz>

On February 4, 2019 8:07:33 AM AKST, Citizen Kepler <notifications at github.com> wrote:
>I would like to say that I need to have a signature on all of the
>emails that I send to authenticate me as the sender, but not encrypt
>them.  Often these messages are going back into bug tracking systems or
>mailing lists, and manually signing each email is a bad solution.   I
>will need to allow a opt-in sign by default option. 

[[[Date: Tuesday, February 5, 2019, 12:45 PM AKST]]]
PGP signatures do have a couple of rather severe and vicious limitations.

THE DATE PROBLEM. Only the body of the email is signed, not the envelope headers, namely the subject and intended recipients, and probably most importantly, the date. It would be nice to have an option to automatically include some of these headers in the body of the signed message when composing a signed email message.

THE STRIPPING PROBLEM. Currently, each attachment is signed separately and independently by the PGP-MIME standard. It would be preferable to digitally sign SHA hashes of the main message and all attachments in a single additional attachment. This would leave an indication of any attachments that may have been "stripped" from the email message, but without breaking the signatures of remaining attachments in such cases.

Bust that 55+ EFF nightclub and do it right, folks, unless it's the youth wing spouting the exact same old fogies' party line. ....
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido.

https://www.colmena.biz/~justina/contacto.php
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190205/ff5f6c3d/attachment.sig>

From vedaal at nym.hush.com  Tue Feb  5 23:38:07 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 05 Feb 2019 17:38:07 -0500
Subject: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
In-Reply-To: <FAD48E42-B394-4996-BA63-66F358D7E5D9@colmena.biz>
References: <k9mail/k-9/issues/2375@github.com>
 <k9mail/k-9/issues/2375/460329013@github.com>
 <FAD48E42-B394-4996-BA63-66F358D7E5D9@colmena.biz> 
Message-ID: <20190205223807.AB08420132@smtp.hushmail.com>



On 2/5/2019 at 4:50 PM, "justina colmena via Gnupg-users"  wrote:>THE
DATE PROBLEM. Only the body of the email is signed, not the envelope
headers, namely the subject and intended >recipients, and probably
most importantly, the date. It would be nice to have an option to
automatically include some of >these headers in the body of the signed
message when composing a signed email message.

>THE STRIPPING PROBLEM. Currently, each attachment is signed
separately and independently by the PGP-MIME >standard. It would be
preferable to digitally sign SHA hashes of the main message and all
attachments in a single >additional attachment. This would leave an
indication of any attachments that may have been "stripped" from the
email >message, but without breaking the signatures of remaining
attachments in such cases.

=====

In this case, there is a simple workaround :
[1] Put the subject, the intended recipients, and the date, in the
introductory line(s) in the plaintext.

[2] enarmor all the attachments, [ using the GnuPG --enarmor command  
(-a command in PGP) ], and paste the enarmored text into the body of
the message, at the end of the message, right after a line saying;  
here are the following attachments :[3] Sign and encrypt the entire
message composed of parts [1] and [2] and send it off

this has the following 3 advantages:

(a) no one knows what kind of attachments are being sent, or how many.
(b) all the important data is in the Plaintext, where it belongs, and
not vulnerable to MIMT attacks
(c) backward compatibility in maintained, and no new standards have to
be designed
vedaal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190205/1a44a70f/attachment.html>

From oub at mat.ucm.es  Wed Feb  6 10:30:04 2019
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 06 Feb 2019 10:30:04 +0100
Subject: can't encrypt with public key from sectigo (former comodo)
Message-ID: <875ztx1cyr.fsf@mat.ucm.es>



I have used certificates from comodo since almost 10 years, without any problems.


Now they changed their name to sectigo.
I just received a public key from somebody, who obtained 2 days ago a
certificate from them.


With this certificate:
Encrypting and signing still works in thunderbird 

But I tried the following in the command line

gpgsm --encrypt -r 0xCC6EDB92 epg-error.txt

And obtain

gpgsm: Note: non-critical certificate policy not allowed
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: issuer certificate {09C0F2FC0BDA94DB5FFE2BDFA89942CFC9E0AD00} not found using authorityKeyIdentifier
gpgsm: dirmngr cache-only key lookup failed: Not found
gpgsm: issuer certificate not found
gpgsm: issuer certificate: #/CN=Sectigo RSA Client Authentication and Secure Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
gpgsm: can't encrypt to '0xCC6EDB92': Missing issuer certificate

How can I solve that issue?

Thanks

Uwe Brauer 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5025 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190206/02e1a36e/attachment.bin>

From wk at gnupg.org  Wed Feb  6 13:50:23 2019
From: wk at gnupg.org (Werner Koch)
Date: Wed, 06 Feb 2019 13:50:23 +0100
Subject: [k9mail/k-9] Makes PGP sign-only mails very difficult (#2375)
In-Reply-To: <FAD48E42-B394-4996-BA63-66F358D7E5D9@colmena.biz> (justina
 colmena via Gnupg-users's message of "Tue, 05 Feb 2019 12:47:10
 -0900")
References: <k9mail/k-9/issues/2375@github.com>
 <k9mail/k-9/issues/2375/460329013@github.com>
 <FAD48E42-B394-4996-BA63-66F358D7E5D9@colmena.biz>
Message-ID: <87zhr96pyo.fsf@wheatstone.g10code.de>

[Please don't cross-post!]

On Tue,  5 Feb 2019 12:47, gnupg-users at gnupg.org said:

> THE DATE PROBLEM. Only the body of the email is signed, not the
> envelope headers, namely the subject and intended recipients, and

Sure, mail headers are subject to changes.  For example by mailing list
software or simpluy by forwarding mail.  Tehre is a reason that OpenPGP
signatures carry a creation date.

> THE STRIPPING PROBLEM. Currently, each attachment is signed separately
> and independently by the PGP-MIME standard. It would be preferable to

Nope.  Please actually read RFC3156 and check compliant implementation -
All I known get it right.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190206/db199508/attachment-0001.sig>

From kloecker at kde.org  Wed Feb  6 18:03:43 2019
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Wed, 06 Feb 2019 18:03:43 +0100
Subject: can't encrypt with public key from sectigo (former comodo)
In-Reply-To: <875ztx1cyr.fsf@mat.ucm.es>
References: <875ztx1cyr.fsf@mat.ucm.es>
Message-ID: <2256828.CUm3igvvs5@collossus.ingo-kloecker.de>

On Mittwoch, 6. Februar 2019 10:30:04 CET Uwe Brauer wrote:
> With this certificate:
> Encrypting and signing still works in thunderbird

Thunderbird probably uses the certificate bundle provided by your 
distribution.

> But I tried the following in the command line
> 
> gpgsm --encrypt -r 0xCC6EDB92 epg-error.txt
> 
> And obtain
> 
> gpgsm: Note: non-critical certificate policy not allowed
> gpgsm: dirmngr cache-only key lookup failed: Not found
> gpgsm: issuer certificate {09C0F2FC0BDA94DB5FFE2BDFA89942CFC9E0AD00} not
> found using authorityKeyIdentifier gpgsm: dirmngr cache-only key lookup
> failed: Not found
> gpgsm: issuer certificate not found
> gpgsm: issuer certificate: #/CN=Sectigo RSA Client Authentication and Secure
> Email CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB gpgsm:
> can't encrypt to '0xCC6EDB92': Missing issuer certificate
> 
> How can I solve that issue?

Add the CA certifcate of Sectigo to ~/.gnupg/trustlist.txt .

gpgsm explicitly does not use the certificate bundles provided by the 
distributions.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190206/3e787323/attachment.sig>

From oub at mat.ucm.es  Wed Feb  6 19:29:00 2019
From: oub at mat.ucm.es (Uwe Brauer)
Date: Wed, 6 Feb 2019 19:29:00 +0100
Subject: can't encrypt with public key from sectigo (former comodo)
In-Reply-To: <2256828.CUm3igvvs5@collossus.ingo-kloecker.de>
References: <875ztx1cyr.fsf@mat.ucm.es>
 <2256828.CUm3igvvs5@collossus.ingo-kloecker.de>
Message-ID: <1E5C0822-0C63-41C4-97F1-D01C76197C47@mat.ucm.es>



Sent from my iPhone

> On 6. Feb 2019, at 18:03, Ingo Kl?cker <kloecker at kde.org> wrote:
> 
> Add the CA certifcate of Sectigo to ~/.gnupg/trustlist.txt

My problem was I did not know where to find that CA certificate! 
Pointers are welcome. 
Finally I solved it as I described in a different message. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2356 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190206/aaebb4ca/attachment.bin>

From andre at ockers.eu  Sat Feb  9 09:06:43 2019
From: andre at ockers.eu (=?UTF-8?Q?Andr=c3=a9_Ockers?=)
Date: Sat, 9 Feb 2019 09:06:43 +0100
Subject: Keysigning party: after the event challenges
Message-ID: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>

Dear GnuPG users,


I went to the FOSDEM keysigning party [1] and now I'm in trouble.

The situation is:

- GNU/Linux Trisquel + Icedove (= Thunderbird rebranded) + Enigmail here
at home;

- 171 official keysigning party participants, of who 107 showed up to my
awareness;

- 5 participants have a key on the keyserver in a for Enigmail
downloadable state;

- when I want to check [2] a fingerprint of a downloaded Key ID I get an
error message, for example

$ gpg --fingerprint <599C62A291810408>
bash: syntax error near unexpected symbol 'newline'

Please help! Thank you very much,

Best regards,

Andr? Ockers

[1] https://fosdem.org/2019/keysigning/

[2]
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party






From tlikonen at iki.fi  Sat Feb  9 10:23:35 2019
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sat, 09 Feb 2019 11:23:35 +0200
Subject: Keysigning party: after the event challenges
In-Reply-To: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
 (=?iso-8859-1?Q?=22Andr=E9?=
 Ockers"'s message of "Sat, 9 Feb 2019 09:06:43 +0100")
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
Message-ID: <87tvhde2nc.fsf@iki.fi>

Andr? Ockers [2019-02-09 09:06:43+01] wrote:

> $ gpg --fingerprint <599C62A291810408>
> bash: syntax error near unexpected symbol 'newline'

Your Bash shell uses characters "<" and ">" for input and output
redirection. Remove those characters:

    gpg --fingerprint 599C62A291810408

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190209/1c12e108/attachment.sig>

From peter at digitalbrains.com  Sat Feb  9 12:48:55 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 9 Feb 2019 12:48:55 +0100
Subject: Keysigning party: after the event challenges
In-Reply-To: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
Message-ID: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>

Hello Andr?,

On 09/02/2019 09:06, Andr? Ockers wrote:
> - 171 official keysigning party participants, of who 107 showed up to my
> awareness;

This is going to be a pain to do manually. But you don't have to! As the
FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
(last sentence of the page, not counting the footer).

If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
you have checked on your paper list, you can feed this text file with
checkmarks directly to caff and it will import the keys for you *and*
verify their fingerprints! It will only consider entries with checkmarks
for both "Fingerprint OK" and "ID OK", so only when the participant has
acknowledged their fingerprint matches and you have marked that you find
their identification papers match.

The FOSDEM KSP offers a keyring with all the keys from the party. You
can feed that to caff as well and it won't even need to fetch the keys
from a keyserver (which might not have all keys).

My suggestion is to look for "caff" and documentation and try that
before you verify 107 fingerprints manually :-). If you still hit
problems, report back here and we can take a further look.

> - 5 participants have a key on the keyserver in a for Enigmail
> downloadable state;

That sounds odd, there might be something malfunctioning. But if you use
caff, you don't need Enigmail. And if you use the supplied keyring from
the party, you don't need to use a keyserver at all.

HTH,

Peter.

[1] https://fosdem.org/2019/keysigning/

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190209/fd99f6ea/attachment-0001.sig>

From wolfgang.traylor at posteo.de  Sat Feb  9 11:20:39 2019
From: wolfgang.traylor at posteo.de (Wolfgang Traylor)
Date: Sat, 9 Feb 2019 11:20:39 +0100
Subject: Upload key to WKD from command line?
Message-ID: <20190209102039.jbuom4mb34kgrt52@lyta>

Hello GnuPG community,

Is there a way to upload my public key to the Web Key Directory (WKD) of my email provider using command-line tools?

I am looking for a simple solution just like `gpg --send-keys`, but for WKD.

My providers are Posteo, mailbox.org, and Protonmail.

(Enigmail shows the ?Upload to Web Key Directory? only in gray. I don?t know why.)

Best regards,
W. Traylor


From andre at ockers.eu  Sun Feb 10 15:36:05 2019
From: andre at ockers.eu (=?UTF-8?Q?Andr=c3=a9_Ockers?=)
Date: Sun, 10 Feb 2019 15:36:05 +0100
Subject: Keysigning party: after the event challenges
In-Reply-To: <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
 <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
Message-ID: <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>

Hi Peter,

Thank you very much.


Op 09-02-19 om 12:48 schreef Peter Lebbing:
> Hello Andr?,
>
> On 09/02/2019 09:06, Andr? Ockers wrote:
>> - 171 official keysigning party participants, of who 107 showed up to my
>> awareness;
> This is going to be a pain to do manually. But you don't have to! As the
> FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
> (last sentence of the page, not counting the footer).
>
> If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
> you have checked on your paper list, you can feed this text file with
> checkmarks directly to caff and it will import the keys for you *and*
> verify their fingerprints! It will only consider entries with checkmarks
> for both "Fingerprint OK" and "ID OK", so only when the participant has
> acknowledged their fingerprint matches and you have marked that you find
> their identification papers match.

Done.

> The FOSDEM KSP offers a keyring with all the keys from the party. You
> can feed that to caff as well and it won't even need to fetch the keys
> from a keyserver (which might not have all keys).
>
> My suggestion is to look for "caff" and documentation and try that
> before you verify 107 fingerprints manually :-). If you still hit
> problems, report back here and we can take a further look.

Following documentation [1], I checked that I have Postfix installed and
now I'm here [2]

$ sudo postconf -e 'relayhost = smtp.provider.nl'
[sudo] wachtwoord voor andre:
postconf: fatal: open /etc/postfix/main.cf for reading: No such file or
directory

Best regards,

Andr? Ockers

[1] https://wiki.debian.org/caff
[2] https://www.howtoforge.com/postfix_relaying_through_another_mailserver

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190210/846b0b7f/attachment.sig>

From peter at digitalbrains.com  Sun Feb 10 18:07:26 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sun, 10 Feb 2019 18:07:26 +0100
Subject: Configuring Linux system mail submission
In-Reply-To: <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
 <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
 <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>
Message-ID: <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>

Hi Andr?,

On 10/02/2019 15:36, Andr? Ockers wrote:
> Following documentation [1], I checked that I have Postfix installed and
> now I'm here [2]

I had feared it would break down at the mail configuration stage :-). I
have mail servers running with a hand-managed config file with Exim 4,
but I know nothing about Postfix. However, for mail submission, I use
nullmailer myself. It can only do mail submission, but is much easier to
manage than a full mail system (in my opinion).

So I don't know if you installed Postfix for this purpose or actually
use it for a real mail server, but if you can switch to nullmailer that
would allow me to easily help you, probably.

Personally, I run nullmailer on all systems that are not running a
full-fledged mail server, and they connect to my edge mail server for
mail submission. You can just use any SMTP-supporting provider for the
latter.

When installing nullmailer on Debian, it will ask you interactively for
entries for files in /etc and /etc/nullmailer. Mine look like this:

/etc/mailname: hostname.digitalbrains.com (the actual fully qualified
domain name of the local host)

/etc/nullmailer/adminaddr: empty file

/etc/nullmailer/defaultdomain: digitalbrains.com

/etc/nullmailer/remotes: mail.digitalbrains.com smtp --port=587 --starttls --user=peter-nullmailer --pass=[...]

That last one is the really important one. It uses the SMTP submission
port, STARTTLS, and in my case a password that has been chosen to not
require quotes. But you can use quotes to just use your provider account
password.

I believe /etc/mailname is primarily used to build the sender address
and build recipient addresses that specify no host, i.e., something like
<peter>. /etc/nullmailer/defaultdomain is used for not fully qualified
hosts, i.e., if I write <peter at butters> it will qualify the hostname
butters with that domain name. It's not that important for this purpose.

There is one more detail to get right. Because this will actually make
the mail originate from the user <peter at hostname.digitalbrains.com> in
this example and a username of peter. This is probably not what you
want, you want <p.lebbing at provider.nl> if you're me. If this is always
what you want when sending mail through the system mailer, you could
make sure the following environment variables are set for this user:

MAILUSER=p.lebbing
MAILHOST=provider.nl

If you're anxious about changing environment variables that have
influence over programs other than nullmailer, you can use
NULLMAILER_USER and NULLMAILER_HOST instead.

But for me, the <peter at hostname.digitalbrains.com> is actually an e-mail
address that will be accepted on the right side of my firewall, and is
used for system messages from, e.g., cron. It is not the address I want
for caff, though. But caff does the right thing already by specifying
the e-mail address you want in ~/.caffrc:

$CONFIG{'email'} = 'p.lebbing at provider.nl';

This will automatically set both the envelope sender and From: to that
address.

One remark: the hostname from /etc/mailname is used to build 
the Message-Id: header. If you'd like to hide that, you could set:

/etc/nullmailer/idhost: provider.nl

I think that mirrors Thunderbird's behaviour, taking a peek in my "Sent"
folder.

You could also arguably just set /etc/mailname to provider.nl and drop
the MAILHOST env variable in the process, but I'd feel slightly anxious
over accidentally building mail addresses of other customers of my
provider as if they were the sender, so I wouldn't do that. Imagine your
webserver started sending mails from <www-data at provider.nl> accidentally
that way, or <cron at provider.nl>... these might annoy your provider. And
it gets worse with a regular user account, let's call her Anna. She
might not control <anna at provider.nl>.

I think that covers it. You can try stuff from the command line to see
what it becomes without actually sending with:

$ nullmailer-inject -nv <test.eml

The first two lines output are the SMTP envelope sender and recipient,
and the rest is the full mail. But while informative it doesn't tell you
how exactly Perl programs like caff are going to behave. I just
disconnected from the network, did tests with caff (I have generated
test keys) and checked the nullmailer queue for the results. Then I
emptied the queue manually (simply delete files in
/var/spool/nullmailer/queue, nullmailer is very
manual-poking-at-stuff-friendly) and reconnected to the network.

Note that there are multiple different roles concerning a mail sender.
If you want to keep things simple, set both the "SMTP envelope sender"
and the From:-header to your real e-mail address and don't include
a Sender:-header. Any other combinations require you to really
understand the e-mail ecosystem, IMHO.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190210/7dee085d/attachment.sig>

From ben at adversary.org  Sun Feb 10 19:29:19 2019
From: ben at adversary.org (Ben McGinnes)
Date: Mon, 11 Feb 2019 05:29:19 +1100
Subject: Keysigning party: after the event challenges
In-Reply-To: <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
 <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
 <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>
Message-ID: <20190210182919.i42mkfcosgn6hya4@adversary.org>

On Sun, Feb 10, 2019 at 03:36:05PM +0100, Andr? Ockers wrote:
> Hi Peter,
> 
> Thank you very much.
> 
> 
> Op 09-02-19 om 12:48 schreef Peter Lebbing:
> > Hello Andr?,
> >
> > On 09/02/2019 09:06, Andr? Ockers wrote:
> >> - 171 official keysigning party participants, of who 107 showed up to my
> >> awareness;
> > This is going to be a pain to do manually. But you don't have to! As the
> > FOSDEM keysigning party page[1] notes, "You may find caff a helpful tool."
> > (last sentence of the page, not counting the footer).
> >
> > If you open your ksp-fosdem2019.txt file and put "x" in every checkbox
> > you have checked on your paper list, you can feed this text file with
> > checkmarks directly to caff and it will import the keys for you *and*
> > verify their fingerprints! It will only consider entries with checkmarks
> > for both "Fingerprint OK" and "ID OK", so only when the participant has
> > acknowledged their fingerprint matches and you have marked that you find
> > their identification papers match.
> 
> Done.
> 
> > The FOSDEM KSP offers a keyring with all the keys from the party. You
> > can feed that to caff as well and it won't even need to fetch the keys
> > from a keyserver (which might not have all keys).
> >
> > My suggestion is to look for "caff" and documentation and try that
> > before you verify 107 fingerprints manually :-). If you still hit
> > problems, report back here and we can take a further look.
> 
> Following documentation [1], I checked that I have Postfix installed and
> now I'm here [2]
> 
> $ sudo postconf -e 'relayhost = smtp.provider.nl'
> [sudo] wachtwoord voor andre:
> postconf: fatal: open /etc/postfix/main.cf for reading: No such file or
> directory

Make sure that the postconf in your $PATH matches where the Postfix
config directory really is.  Depending on which distro you're actually
using, it might be somewhere like /usr/local/etc/postfix/ or something
similar.

If locate's db is up to date then there's a good chance that running
"locate main.cf" will answer this for you (or confirm you really don't
have a Postfix config file; but if that were true then you'd have much
bigger problems with launching Postfix).

Anyway, assuming postconf is not loading the right file, but the
config file exists, then you can just edit the main.cf file directly
((possibly via sudoedit) to add your relayhost config line.  Then
follow it with:

    $ sudo postfix reload


Regards,
Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190211/0b5b315e/attachment.sig>

From felix.klee at inka.de  Sun Feb 10 23:26:10 2019
From: felix.klee at inka.de (Felix E. Klee)
Date: Sun, 10 Feb 2019 23:26:10 +0100
Subject: 0.332
Message-ID: <CA+m_8J0V4JBuYLbzmuFwNzZGtansBoexxdamE-m5KVmxYaqJkQ@mail.gmail.com>

FYI:

https://github.com/feklee/0.332

This is a mod of the SCM SPR332 v2 smart card reader, making it
smaller and lighter. For quite a while I have regularly been using it
with my phone:

https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19


From vesely at tana.it  Mon Feb 11 13:28:33 2019
From: vesely at tana.it (Alessandro Vesely)
Date: Mon, 11 Feb 2019 13:28:33 +0100
Subject: Upload key to WKD from command line?
In-Reply-To: <20190209102039.jbuom4mb34kgrt52@lyta>
References: <20190209102039.jbuom4mb34kgrt52@lyta>
Message-ID: <779eae10-084b-1dda-19cc-abb6f9fe0cf3@tana.it>

On Sat 09/Feb/2019 11:20:39 +0100 Wolfgang Traylor wrote:
> 
> Is there a way to upload my public key to the Web Key Directory (WKD) of my email provider using command-line tools?

It might be possible, but not straightforward.  The protocol is designed to
work over SMTP.  It makes sense that a provider automates the procedure,
although small providers can do it manually.  For users, it is definitely overkill.

See https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07#section-4
It is a work in progress, so don't mind the SRV RRset in bullet #1.

> 
> (Enigmail shows the ?Upload to Web Key Directory? only in gray. I don?t know why.)

Neither do I.  https://posteo.de/.well-known/openpgpkey/submission-address has
an address of keys at posteo.de.  However, their "policy" entry have:

#Policy for draft-koch-openpgp-webkey-service-04
mailbox-only
auth-submit

(Version -04 didn't provide for a submission address among policy flags, but
maybe Enigmail looks for it just there?)


Best
Ale


From vesely at tana.it  Mon Feb 11 14:04:31 2019
From: vesely at tana.it (Alessandro Vesely)
Date: Mon, 11 Feb 2019 14:04:31 +0100
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
Message-ID: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>

Werner,

I just saw version -07 today.  The advanced method:

WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey

doesn't seem to make much sense to me.  I tried it with posteo.de, and got:

ale at pcale:~/tmp$ dig +short openpgp.posteo.de
89.146.220.134

ale at pcale:~/tmp$ curl --head https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
curl: (51) SSL: no alternative certificate subject name matches target host name 'openpgp.posteo.de'

The subdomain is probably a star (*) DNS record.  However, their certificate's Subject Alt Name doesn't have a star, but a list of subdomains.  Certificates cost, albeit not much, so the need to set up a new subdomain may hamper implementation.

I'm unable to get the "flexibility in setting up the Web Key Directory in environments where more than one mail domain is hosted".  Say I host A.example and B.example.  Then I need to set up both subdomains openpgpkey.A.example and openpgpkey.B.example.  Internally, they can be redirected in a number of ways, but the server should hold the HTTP_HOST anyway.  To repeat tha mail domain between .well-known and openpgpkey doesn't seem to help much.

The openpgpkey folder can be implemented by plain files named after the 32 byte string and containing the key to be served.  The l= parameter would just be discarded in that case.  Otherwise, if the server side script is cute, should it verify whether the value of the parameter interpreted as a local part matches the 32 byte string?  What if they don't match?  To urlencode the local part might have been easier than Z-encoding its SHA1, but what's the point of doing both?


Best
Ale



From gerd.von.egidy at intra2net.com  Mon Feb 11 12:17:09 2019
From: gerd.von.egidy at intra2net.com (Gerd v. Egidy)
Date: Mon, 11 Feb 2019 12:17:09 +0100
Subject: 0.332
In-Reply-To: <CA+m_8J0V4JBuYLbzmuFwNzZGtansBoexxdamE-m5KVmxYaqJkQ@mail.gmail.com>
References: <CA+m_8J0V4JBuYLbzmuFwNzZGtansBoexxdamE-m5KVmxYaqJkQ@mail.gmail.com>
Message-ID: <1626952.OYuuDd0FtQ@thunder.m.i2n>

> https://github.com/feklee/0.332
> 
> This is a mod of the SCM SPR332 v2 smart card reader, making it
> smaller and lighter.

Nice.

How does it compare size-wise to the cyberJack one from Reiner SCT? That is 
the one I use for size-constrained use cases. 

I think having a slot for a regular card is an advantage as you can easily 
take the card out, carry it with you in your wallet and use it on other 
systems too.

Kind regards,

Gerd





From gerd.von.egidy at intra2net.com  Mon Feb 11 12:10:37 2019
From: gerd.von.egidy at intra2net.com (Gerd v. Egidy)
Date: Mon, 11 Feb 2019 12:10:37 +0100
Subject: OpenPGP on paper (was: Where can I find some papers to read on
 mail (and envelope) security?)
In-Reply-To: <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
References: <cda3e31a-3691-d9f6-4e8f-c3fec846e7c7@spth.de>
 <20190130204407.4c195dc7@300baud.de>
 <de8a8ff2-c3b3-87ca-ee9b-bcea3e11e446@digitalbrains.com>
Message-ID: <4672360.boooG8vsat@thunder.m.i2n>

> Well there are the classical options:
> <https://en.wikipedia.org/wiki/OCR-A>
> <https://en.wikipedia.org/wiki/OCR-B>
> 
> Debian provides free fonts like that as packages fonts-ocr-a and
> fonts-ocr-b, which come from:
> <http://sourceforge.net/projects/ocr-a-font>
> and
> <http://ansuz.sooke.bc.ca/fonts.php>

You might also want to take a look at

https://github.com/intra2net/paperbackup

This was specifically developed to store or transfer GPG encrypted text or 
secret keys on paper.

Kind regards,

Gerd





From felix.klee at inka.de  Mon Feb 11 23:24:22 2019
From: felix.klee at inka.de (Felix E. Klee)
Date: Mon, 11 Feb 2019 23:24:22 +0100
Subject: 0.332
In-Reply-To: <1626952.OYuuDd0FtQ@thunder.m.i2n>
References: <CA+m_8J0V4JBuYLbzmuFwNzZGtansBoexxdamE-m5KVmxYaqJkQ@mail.gmail.com>
 <1626952.OYuuDd0FtQ@thunder.m.i2n>
Message-ID: <CA+m_8J14UB3sDfa3Df+80msF_U2GwHpFt08dwevsfaBZ=hZnsw@mail.gmail.com>

On Mon, Feb 11, 2019 at 12:17 PM Gerd v. Egidy
<gerd.von.egidy at intra2net.com> wrote:
> How does it compare size-wise to the cyberJack one from Reiner SCT?

  * cyberJack RFID standard:

    62 x 95 x 13 mm

  * 0.332 enclosure:

    69 ? 111 ? 13 mm

It could be fun to replace the pin pad by a smaller one and create a
custom board. IOW it could be fun to create an open source card reader!

> That is the one I use for size-constrained use cases.

Did that in the past too. However, the ?cyberJack RFID standard? needs
dedicated drivers while the Reiner SCT directly interfaces with
GnuPG. In particular with Termux on my rooted Android phone, I did not
get the cyberJack to work.

> I think having a slot for a regular card is an advantage as you can
> easily take the card out, carry it with you in your wallet and use it
> on other systems too.

I understand, but that?s not my use-case. If someone wants to give it a
go, it should not be too hard to modify the current design. You can
start from the STL files if you don?t have Rhino3D (proprietary).


From wk at gnupg.org  Tue Feb 12 19:36:12 2019
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Feb 2019 19:36:12 +0100
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
In-Reply-To: <763ef00f-82dd-4817-703c-b544859182cd@tana.it> (Alessandro
 Vesely's message of "Mon, 11 Feb 2019 14:04:31 +0100")
References: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
Message-ID: <87ef8c3lcz.fsf@wheatstone.g10code.de>

Hi!

On Mon, 11 Feb 2019 14:04, vesely at tana.it said:

> I just saw version -07 today.  The advanced method:
>
> WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
> doesn't seem to make much sense to me.  I tried it with posteo.de, and got:

The two parts were accidently swapped in the I-D.  It has been corrected
in the repo.  See
https://dev.gnupg.org/rD733acdda1a440ca38df4aa22711459af7c25cd2d

> The subdomain is probably a star (*) DNS record.  However, their

Right, they fixed it a few weeks ago, but they might have broken it
agains.  Actually only posteo.de works at all because they have invalid
certificate for posteo.net for a frew years now (posteo.net is
301-redirected to posteo.de but posteo.net needs to have a cert for
posteo.net).

> I'm unable to get the "flexibility in setting up the Web Key Directory
> in environments where more than one mail domain is hosted".  Say I
> host A.example and B.example.  Then I need to set up both subdomains
> openpgpkey.A.example and openpgpkey.B.example.  Internally, they can

You redirect the host openpgpkey.example.com and openpgpkey.example.org
to, say, webkeys.example.com but keep the path to avoid CSRF.  Then you
can install gpg-wks-server on the webkeys.example.com host using its
default layout with a directory for each domain.  It is really
convenient, because it requires less configuration.

> What if they don't match?  To urlencode the local part might have been
> easier than Z-encoding its SHA1, but what's the point of doing both?

Percent-encoding does not allow to store it as plain text files becuase
'/' does not need to be percent encoded and the entire length of the
filename might get too long without using a hash.

The l= parameter has been added as an alternative way for looking up the
key for those platforms which already employ databases or such and don't
want to store extra data like a hash.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190212/72cf7eb8/attachment.sig>

From wk at gnupg.org  Tue Feb 12 18:54:35 2019
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Feb 2019 18:54:35 +0100
Subject: [Announce] GnuPG 2.2.13 released
Message-ID: <87mun03nac.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.13.  This is a maintenance release; see below for a list
of fixed bugs.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As an universal crypto
engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.13
====================================

  * gpg: Implement key lookup via keygrip (using the & prefix).

  * gpg: Allow generating Ed25519 key from existing key.

  * gpg: Emit an ERROR status line if no key was found with -k.

  * gpg: Stop early when trying to create a primary Elgamal key.  [#4329]

  * gpgsm: Print the card's key algorithms along with their keygrips
    in interactive key generation.

  * agent: Clear bogus pinentry cache in the error case.  [#4348]

  * scd: Support "acknowledge button" feature.

  * scd: Fix for USB INTERRUPT transfer.  [#4308]

  * wks: Do no use compression for the the encrypted challenge and
    response.

  Release-info: https://dev.gnupg.org/T4290


Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or
read on:

GnuPG 2.2.13 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
<https://gnupg.org/download/mirrors.html>.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.13.tar.bz2 (6545k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.13.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.13_20190212.exe (4078k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.13_20190212.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.13.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.13.tar.bz2.sig gnupg-2.2.13.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.13.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.13.tar.bz2

   and check that the output matches the next line:

66ebc053e2d22f743673d3fbe54453774e4fac58  gnupg-2.2.13.tar.bz2
2b76bf7981957ebc8ca74e70cb1776ad6ab656fd  gnupg-w32-2.2.13_20190212.tar.xz
ce2c5e60f851f3d54c85da1be717cc53742c4953  gnupg-w32-2.2.13_20190212.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Japanese,
Norwegian, Russian, and Ukrainian being almost completely translated.


Documentation and Support
=========================

If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in thee manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to
set up the whole thing.  You may also want to search the GnuPG mailing
list archives or ask on the gnupg-users mailing list for advise on how
to solve problems.  Most of the new features are around for several
years and thus enough public experience is available.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T4290 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at <https://bugs.gnupg.org>.  If you need commercial
support check out <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs two full-time developers and one
contractor.  They all work exclusively on GnuPG and closely related
software like Libgcrypt, GPGME and Gpg4win.

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.

Many thanks to our numerous financial supporters, both corporate and
individuals.  Without you it would not be possible to keep GnuPG in a
good shape and to address all the small and larger requests made by our
users.  Thanks.


Happy hacking,

   Your GnuPG hackers



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these four keys:

  rsa2048 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key) <dshaw 'at' jabberwocky.com>

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190212/98a2a1e6/attachment-0001.sig>
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From justina at colmena.biz  Tue Feb 12 21:00:17 2019
From: justina at colmena.biz (justina colmena)
Date: Tue, 12 Feb 2019 11:00:17 -0900
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
In-Reply-To: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
References: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
Message-ID: <A68BDDAB-D82B-458E-896F-981FD2E84D86@colmena.biz>

On February 11, 2019 4:04:31 AM AKST, Alessandro Vesely <vesely at tana.it> wrote:
>Werner,
>
>I just saw version -07 today.  The advanced method:
>
>WELLKNOWN :=
>https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>
>doesn't seem to make much sense to me.  I tried it with posteo.de, and
>got:
>
>ale at pcale:~/tmp$ dig +short openpgp.posteo.de
>89.146.220.134
>
>ale at pcale:~/tmp$ curl --head
>https://openpgp.posteo.de/.well-known/posteo.de/openpgpkey/submission-address
>curl: (51) SSL: no alternative certificate subject name matches target
>host name 'openpgp.posteo.de'
>
>The subdomain is probably a star (*) DNS record.  However, their
>certificate's Subject Alt Name doesn't have a star, but a list of
>subdomains.  Certificates cost, albeit not much, so the need to set up
>a new subdomain may hamper implementation.
>
>I'm unable to get the "flexibility in setting up the Web Key Directory
>in environments where more than one mail domain is hosted".  Say I host
>A.example and B.example.  Then I need to set up both subdomains
>openpgpkey.A.example and openpgpkey.B.example.  Internally, they can be
>redirected in a number of ways, but the server should hold the
>HTTP_HOST anyway.  To repeat tha mail domain between .well-known and
>openpgpkey doesn't seem to help much.
>
>The openpgpkey folder can be implemented by plain files named after the
>32 byte string and containing the key to be served.  The l= parameter
>would just be discarded in that case.  Otherwise, if the server side
>script is cute, should it verify whether the value of the parameter
>interpreted as a local part matches the 32 byte string?  What if they
>don't match?  To urlencode the local part might have been easier than
>Z-encoding its SHA1, but what's the point of doing both?
>
>
>Best
>Ale
>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

Certificates COST, do they?

Should a * star certificate COST so infinitely much, then?

WELLKNOWN := Check the sex offender registry list, grab a guy by short and curlies, dig in with your fingernails, and give a sharp twist to the left, or something like that.

Is that what those Russian ladies from NGINX call a "leftist" programming style?
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido.

https://www.colmena.biz/~justina/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190212/52e253dd/attachment.sig>

From amuza at riseup.net  Wed Feb 13 18:27:00 2019
From: amuza at riseup.net (amuza)
Date: Wed, 13 Feb 2019 17:27:00 +0000
Subject: It's more GNU/Linux than GnuPG
Message-ID: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>

Hi,

I have two GNU/Linux computers syncing their ~/.gnupg directories.
"alice" is my username in one computer, "bob" is my username in the
other one.

I have a CA certificate stored in my home directory of both computers,
and would like to keep it there.

Into the ~/.gnupg/gpg.conf file, I wrote the following line pointing to
that CA cert:

	keyserver-options ca-cert-file=~/keyserverCA.pem

But that line does not seem to work because of "~".

Everything works ok in one computer if I write:

	keyserver-options ca-cert-file=/home/alice/keyserverCA.pem

and in the other computer if I write:

	keyserver-options ca-cert-file=/home/bob/keyserversCA.pem

But then, by specifying names, when syncing, that line won't work in one
of the two computers because of the usernames.

Is there any way to specify "user" without writing their name?

Any other suggestion?

Thank you


From vojtas199 at gmail.com  Wed Feb 13 20:11:31 2019
From: vojtas199 at gmail.com (=?UTF-8?B?Vm9qdMSbY2ggxaBpcsWvxI1law==?=)
Date: Wed, 13 Feb 2019 20:11:31 +0100
Subject: Problem with generating Brainpool P-512
Message-ID: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>

Hello,

I have encountered quite unusual problem.

I had been able to already generate brainpool keys but it is quite a
time ago but when I try to generate them now the gpg fails with

??? gpg: signing failed: Invalid length
??? gpg: make_keysig_packet failed: Invalid length
??? Key generation failed: Invalid length
??? [GNUPG:] ERROR key_generate 67109003
??? [GNUPG:] KEY_NOT_CREATED

and in syslog I have found this

??? gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key
??? gpg-agent[pid]:command 'PKSIGN' failed: Invalid length

Full debug in paste https://ghostbin.com/paste/oeth5

I would appreciate any input

Best regards

V?


From wk at gnupg.org  Thu Feb 14 07:44:42 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 07:44:42 +0100
Subject: Problem with generating Brainpool P-512
In-Reply-To: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>
 (=?utf-8?B?IlZvanTEm2NoCcWgaXLFr8SNZWsiJ3M=?= message of "Wed, 13 Feb 2019
 20:11:31 +0100")
References: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>
Message-ID: <87d0nu27j9.fsf@wheatstone.g10code.de>

On Wed, 13 Feb 2019 20:11, vojtas199 at gmail.com said:

> and in syslog I have found this

gpg-agent writes to syslog - that's new to me (with the exception of
certain diagnositics from Libgcrypt).

> ??? gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key
> ??? gpg-agent[pid]:command 'PKSIGN' failed: Invalid length

Please provide more information:  GnuPG version, OS, and command uses to
create the key.

> Full debug in paste https://ghostbin.com/paste/oeth5

Javascript required for paste - I won't look at it.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/05953af2/attachment.sig>

From wk at gnupg.org  Thu Feb 14 07:51:30 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 07:51:30 +0100
Subject: It's more GNU/Linux than GnuPG
In-Reply-To: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net> (amuza's
 message of "Wed, 13 Feb 2019 17:27:00 +0000")
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>
Message-ID: <878syi277x.fsf@wheatstone.g10code.de>

On Wed, 13 Feb 2019 17:27, amuza at riseup.net said:

> 	keyserver-options ca-cert-file=~/keyserverCA.pem

Didn't you got the warning that this option is obsolete.  Certifciates
are configured in dirmngr.conf.  In case you are using a 2.0 version of
GnuPG, please note that this branch reached EOL 14 months ago.  In case
of the 1.4 version please considre to move to 2.2 - we may eventually
remove the keyserver support from 1.4.

> Is there any way to specify "user" without writing their name?

POSIX systems always have the $HOME envar set.  Thus use

  $HOME/keyserverCA.pem

instead of the "~" abbreviation for $HOME.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/b18b549a/attachment.sig>

From wk at gnupg.org  Thu Feb 14 08:01:53 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 08:01:53 +0100
Subject: Upload key to WKD from command line?
In-Reply-To: <20190209102039.jbuom4mb34kgrt52@lyta> (Wolfgang Traylor's
 message of "Sat, 9 Feb 2019 11:20:39 +0100")
References: <20190209102039.jbuom4mb34kgrt52@lyta>
Message-ID: <874l9626qm.fsf@wheatstone.g10code.de>

On Sat,  9 Feb 2019 11:20, wolfgang.traylor at posteo.de said:

> I am looking for a simple solution just like `gpg --send-keys`, but for WKD.

Locate the gpg-wks-client binary.  On Windows it should be found via
$PATH but on Unix it is installed at one of this locations

  /usr/local/libexec/gpg-wks-client
  /usr/local/lib/gpg-wks-client
  /usr/libexec/gpg-wks-client
  /usr/lib/gpg-wks-client

On Unix you can also invoke it directly using:

  $(gpgconf --list-dirs libexecdir)/gpg-wks-client

To create a publishing request use

  gpg-wks-client --create --send FINGERPRINT USERID

For example with my key

  $(gpgconf --list-dirs libexecdir)/gpg-wks-client \
    --create --send AEA84EDCF01AD86C4701C85C63113AE866587D0A wk at gnupg.org

Which sends the request using the usual sendmail stub.  If you don't
have this installed, don't use --send in which case the command creates
a mail which somehow needs to be send off.

With this in your /etc/mailcap

--8<---------------cut here---------------start------------->8---
application/vnd.gnupg.wks; /usr/local/libexec/gpg-wks-client \
   -v --read --send; needsterminal; description=WKS message
--8<---------------cut here---------------end--------------->8---

you can then easily process the incoming challenge from the server if
you use a MUA which support mailcap (Mutt, Gnus, and probably many
more).


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/aeeec323/attachment.sig>

From wolfgang.traylor at posteo.de  Thu Feb 14 10:53:07 2019
From: wolfgang.traylor at posteo.de (Wolfgang Traylor)
Date: Thu, 14 Feb 2019 09:53:07 +0000
Subject: Upload key to WKD from command line?
In-Reply-To: <874l9626qm.fsf@wheatstone.g10code.de>
References: <20190209102039.jbuom4mb34kgrt52@lyta>
 <874l9626qm.fsf@wheatstone.g10code.de>
Message-ID: <20190214095306.akb4h2uzca4jnfc4@gruenfink>

Thank you very much for pointing to gpg-wks-client.

Werner Koch <wk at gnupg.org> schrieb am 14.02 19 08:01:
> To create a publishing request use
> 
>   gpg-wks-client --create --send FINGERPRINT USERID

I receive the following error (with or without `--send`):

$ /lib/gnupg/gpg-wks-client --create  A8FC7FEC9A68B5E0EFA25E474521F618BBEA93C8 wolfgang.traylor at posteo.de
gpg-wks-client: submitting request to 'keys at posteo.de'
gpg-wks-client: no confirmation required for 'wolfgang.traylor at posteo.de'
gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user id 'wolfgang.traylor at posteo.de'
gpg-wks-client: gpg: key "A8FC7FEC9A68B5E0EFA25E474521F618BBEA93C8" not found: No secret key
gpg-wks-client: error running '/usr/bin/gpg': exit status 2
gpg-wks-client: adding user id failed: General error
gpg-wks-client: creating request failed: General error


I have my secret subkeys on a smartcard (unlocked when issuing the command). Could that be the issue?
Or do I even need my secret primary key?

My GnuPG version: 2.2.13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/b9295c6d/attachment.sig>

From vesely at tana.it  Thu Feb 14 11:57:55 2019
From: vesely at tana.it (Alessandro Vesely)
Date: Thu, 14 Feb 2019 11:57:55 +0100
Subject: The "advanced" URL of openpgp-webkey-service-07, and l=
In-Reply-To: <87ef8c3lcz.fsf@wheatstone.g10code.de>
References: <763ef00f-82dd-4817-703c-b544859182cd@tana.it>
 <87ef8c3lcz.fsf@wheatstone.g10code.de>
Message-ID: <6b6e3285-cf64-768b-8bc7-215599e4efde@tana.it>

On Tue 12/Feb/2019 19:36:12 +0100 Werner Koch wrote:
> On Mon, 11 Feb 2019 14:04, vesely at tana.it said:
> 
>> WELLKNOWN := https://openpgpkey.example.org/.well-known/example.org/openpgpkey
>>
>> doesn't seem to make much sense to me.  I tried it with posteo.de, and got:
> 
> The two parts were accidently swapped in the I-D.  It has been corrected
> in the repo.  See
> https://dev.gnupg.org/rD733acdda1a440ca38df4aa22711459af7c25cd2d


Oh, ok, that makes some more sense.  If example.org is a single domain, it is
probably convenient to alias both /.well-known/openpgpkey/example.org and
/.well-known/openpgpkey/ to the same directory where keys are stored.  That way
it also stays compatible with previous versions of this protocol.


>> I'm unable to get the "flexibility in setting up the Web Key Directory
>> in environments where more than one mail domain is hosted".  Say I
>> host A.example and B.example.  Then I need to set up both subdomains
>> openpgpkey.A.example and openpgpkey.B.example.  Internally, they can
> 
> You redirect the host openpgpkey.example.com and openpgpkey.example.org
> to, say, webkeys.example.com but keep the path to avoid CSRF.  Then you
> can install gpg-wks-server on the webkeys.example.com host using its
> default layout with a directory for each domain.  It is really
> convenient, because it requires less configuration.


I have not installed gpg-wks-server, but it seems to be primarily concerned
with automating key installation, not plain key retrieval.  To simply retrieve
a key is not a transaction, so there should be no worry of CSRF.  If the domain
is missing, as in the "direct" method, an appropriate URL rewriting rule can
easily recover it from the HTTP_HOST server variable.  I'm not clear if that
may be an urlencoded IDN rather than an A-label.

The domain name can also be recovered from the SNI (an A-label, according to
rfc6066).

BTW, the revised reason to suppress SRV records sounds paranoid, given that
(e.g. in the case of DNS poisoning) a subdomain under an attacker control still
has to provide a valid domain certificate.  At any rate, using "wkd" rather
than "openpgpkey" as a subdomain label would have leveraged previous version's
recommendation.


>> What if they don't match?  To urlencode the local part might have been
>> easier than Z-encoding its SHA1, but what's the point of doing both?
> 
> Percent-encoding does not allow to store it as plain text files because
> '/' does not need to be percent encoded and the entire length of the
> filename might get too long without using a hash.


According to rfc5321, the maximum total length of a user name or other
local-part is 64 octets.  However, yes, slashes may entail hairy scripting by
those providers who allow funny characters in their email addresses.


> The l= parameter has been added as an alternative way for looking up the
> key for those platforms which already employ databases or such and don't
> want to store extra data like a hash.


Indeed, those hashes are difficult.  However, after one learns how to do them,
they're quite handy.  Having alternative ways to retrieve (alternative?) keys
sounds strange.


Thank you for your attention

Best
Ale

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/d50b1a70/attachment.sig>

From mlnl at mailbox.org  Thu Feb 14 10:52:14 2019
From: mlnl at mailbox.org (mlnl)
Date: Thu, 14 Feb 2019 10:52:14 +0100
Subject: Problem with generating Brainpool P-512
In-Reply-To: <87d0nu27j9.fsf@wheatstone.g10code.de>
References: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>
 <87d0nu27j9.fsf@wheatstone.g10code.de>
Message-ID: <ef77415b-69bb-f799-6e4d-c30e211d4165@mailbox.org>

Hi Werner,

>> gpg-agent[pid]: a 256 bit hash is not valid for a 512 bit ECC key 
>> gpg-agent[pid]:command 'PKSIGN' failed: Invalid length
> 
> Please provide more information:  GnuPG version, OS, and command uses
> to create the key.

you should add it in the man page, because it's a FAQ:
cert-digest-algo !< SHA512 ing gpg.conf for ECC >= 512-bit

-- 
mlnl


From wk at gnupg.org  Thu Feb 14 21:05:11 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 21:05:11 +0100
Subject: Upload key to WKD from command line?
In-Reply-To: <20190214095306.akb4h2uzca4jnfc4@gruenfink> (Wolfgang Traylor's
 message of "Thu, 14 Feb 2019 09:53:07 +0000")
References: <20190209102039.jbuom4mb34kgrt52@lyta>
 <874l9626qm.fsf@wheatstone.g10code.de>
 <20190214095306.akb4h2uzca4jnfc4@gruenfink>
Message-ID: <87va1myw3s.fsf@wheatstone.g10code.de>


> gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user
> id 'wolfgang.traylor at posteo.de'

> Or do I even need my secret primary key?

Right.  The primary key is required to create a new user id.  gpg tries
to be helpful there but it can't work for high security environments
with an offline primary key.  I would suggest that you create a second
user id with just the mail address on your other box with the primary
key.  Then gpg-wks-client has no need to create it of its own.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/9798c769/attachment-0001.sig>

From wk at gnupg.org  Thu Feb 14 21:10:03 2019
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Feb 2019 21:10:03 +0100
Subject: Problem with generating Brainpool P-512
In-Reply-To: <ef77415b-69bb-f799-6e4d-c30e211d4165@mailbox.org> (mlnl's
 message of "Thu, 14 Feb 2019 10:52:14 +0100")
References: <4d668d68-08aa-43bb-8366-b65c8f0e31ff@gmail.com>
 <87d0nu27j9.fsf@wheatstone.g10code.de>
 <ef77415b-69bb-f799-6e4d-c30e211d4165@mailbox.org>
Message-ID: <87r2cayvvo.fsf@wheatstone.g10code.de>

On Thu, 14 Feb 2019 10:52, mlnl at mailbox.org said:

> you should add it in the man page, because it's a FAQ:
> cert-digest-algo !< SHA512 ing gpg.conf for ECC >= 512-bit

Sorry, I can't parse that.  Please also note that --cert-digest-algo
should not be used because it viloates the OpenPGP preference system


Shalom-Salam,

   Werner



-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/6ea2f0ca/attachment.sig>

From wolfgang.traylor at posteo.de  Thu Feb 14 22:32:05 2019
From: wolfgang.traylor at posteo.de (Wolfgang Traylor)
Date: Thu, 14 Feb 2019 21:32:05 +0000
Subject: Upload key to WKD from command line?
In-Reply-To: <87va1myw3s.fsf@wheatstone.g10code.de>
References: <20190209102039.jbuom4mb34kgrt52@lyta>
 <874l9626qm.fsf@wheatstone.g10code.de>
 <20190214095306.akb4h2uzca4jnfc4@gruenfink>
 <87va1myw3s.fsf@wheatstone.g10code.de>
Message-ID: <20190214213205.gk55sx6dsljlhbxb@gruenfink>

Thank you very much. That answered all my questions.

Werner Koch <wk at gnupg.org> schrieb am 14.02 19 21:05:
> 
> > gpg-wks-client: Warning: policy requires 'mailbox-only' - adding user
> > id 'wolfgang.traylor at posteo.de'
> 
> > Or do I even need my secret primary key?
> 
> Right.  The primary key is required to create a new user id.  gpg tries
> to be helpful there but it can't work for high security environments
> with an offline primary key.  I would suggest that you create a second
> user id with just the mail address on your other box with the primary
> key.  Then gpg-wks-client has no need to create it of its own.
> 
> 
> Salam-Shalom,
> 
>    Werner
> 
> -- 
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190214/5bfc42b2/attachment.sig>

From amuza at riseup.net  Fri Feb 15 11:50:00 2019
From: amuza at riseup.net (amuza)
Date: Fri, 15 Feb 2019 10:50:00 +0000
Subject: How to specify ca-cert-file as a path relative to ~? (was: It's
 more GNU/Linux than GnuPG)
In-Reply-To: <20190213223631.GH15406@kugelfisch.zuhause.test>
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>
 <20190213223631.GH15406@kugelfisch.zuhause.test>
Message-ID: <eb0f2a07-a7c6-6448-3899-7105c1cd3977@riseup.net>



Friedhelm Waitzmann:
>> I have two GNU/Linux computers syncing their ~/.gnupg directories.
>> "alice" is my username in one computer, "bob" is my username in the
>> other one.
> 
>> I have a CA certificate stored in my home directory of both computers,
>> and would like to keep it there.
> 
>> Into the ~/.gnupg/gpg.conf file, I wrote the following line pointing to
>> that CA cert:
> 
>> 	keyserver-options ca-cert-file=~/keyserverCA.pem
> 
>> But that line does not seem to work because of "~".
> 
>> Everything works ok in one computer if I write:
> 
>> 	keyserver-options ca-cert-file=/home/alice/keyserverCA.pem
> 
>> and in the other computer if I write:
> 
>> 	keyserver-options ca-cert-file=/home/bob/keyserversCA.pem
> 
>> But then, by specifying names, when syncing, that line won't work in one
>> of the two computers because of the usernames.
> 
>> Is there any way to specify "user" without writing their name?
> 
>> Any other suggestion?
> 
> Just guessing:  How about specifying the file as a path relative
> to the .gnupg directory?
> 
> (1)
>    keyserver-options ca-cert-file=../keyserversCA.pem
> 
> or
> 
> (2)
>    In the .gnupg directory create a symbolic link pointing to ..:
>    $ ln -s .. ~/.gnupg/homedir
>    Then set ca-cert-file to homedir/keyserversCA.pem:
>    keyserver-options ca-cert-file=homedir/keyserversCA.pem
> 

Hey Friedhelm, thanks a lot!
Suggestion 2 worked!!

Thank you Werner too.

Cheers


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190215/b626ca46/attachment.sig>

From andre at ockers.eu  Sat Feb 16 10:34:43 2019
From: andre at ockers.eu (=?UTF-8?Q?Andr=c3=a9_Ockers?=)
Date: Sat, 16 Feb 2019 10:34:43 +0100
Subject: Configuring Linux system mail submission
In-Reply-To: <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
 <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
 <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>
 <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>
Message-ID: <21387077-216a-1e2c-807e-40363704927b@ockers.eu>

Hi Peter and list,


Op 10-02-19 om 18:07 schreef Peter Lebbing:
> Hi Andr?,
>
> On 10/02/2019 15:36, Andr? Ockers wrote:
>> Following documentation [1], I checked that I have Postfix installed and
>> now I'm here [2]
> I had feared it would break down at the mail configuration stage :-). I
> have mail servers running with a hand-managed config file with Exim 4,
> but I know nothing about Postfix. However, for mail submission, I use
> nullmailer myself. It can only do mail submission, but is much easier to
> manage than a full mail system (in my opinion).

Thank you.

> So I don't know if you installed Postfix for this purpose or actually
> use it for a real mail server, but if you can switch to nullmailer that
> would allow me to easily help you, probably.

Removed Postfix.
Installed Nullmailer.

> Personally, I run nullmailer on all systems that are not running a
> full-fledged mail server, and they connect to my edge mail server for
> mail submission. You can just use any SMTP-supporting provider for the
> latter.
>
> When installing nullmailer on Debian, it will ask you interactively for
> entries for files in /etc and /etc/nullmailer. Mine look like this:
>
> /etc/mailname: hostname.digitalbrains.com (the actual fully qualified
> domain name of the local host)

So what do you do here if you have an emailadress, like
andre at ockers.eu
at an email service provider, let's say
serviceprovider.nl?
Would that be ockers.eu or serviceprovider.nl in /etc/mailname?

> /etc/nullmailer/adminaddr: empty file

Check

> /etc/nullmailer/defaultdomain: digitalbrains.com

Would that be ockers.eu or serviceprovider.nl in
/etc/nullmailer/defaultdomain?

> /etc/nullmailer/remotes: mail.digitalbrains.com smtp --port=587 --starttls --user=peter-nullmailer --pass=[...]
>
> That last one is the really important one. It uses the SMTP submission
> port, STARTTLS, and in my case a password that has been chosen to not
> require quotes. But you can use quotes to just use your provider account
> password.

Would that be
mail.serviceprovider.nl smtp --port=587 --starttls
--user=andre-nullmailer --pass=...
or
mail.ockers.eu smtp --port=587 --starttls --user=andre-nullmailer --pass=...
in /etc/nullmailer/remotes?

Thank you in advance,

Andr? Ockers

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190216/0a8cc54e/attachment.sig>

From peter at digitalbrains.com  Sat Feb 16 12:46:22 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 16 Feb 2019 12:46:22 +0100
Subject: Configuring Linux system mail submission
In-Reply-To: <21387077-216a-1e2c-807e-40363704927b@ockers.eu>
References: <d7ae8ea3-2cf2-af91-e827-2705d61e979b@ockers.eu>
 <30ca231d-3997-acb8-c480-de08aba64901@digitalbrains.com>
 <cb129319-8adc-4ba2-75ac-e4503c1f7952@ockers.eu>
 <4913ec3d-fd5b-4470-84bc-46bcf93b0a35@digitalbrains.com>
 <21387077-216a-1e2c-807e-40363704927b@ockers.eu>
Message-ID: <7535be96-3245-df1a-c1bf-36fb18566aeb@digitalbrains.com>

Hi Andr?,

On 16/02/2019 10:34, Andr? Ockers wrote:
>> /etc/mailname: hostname.digitalbrains.com (the actual fully qualified
>> domain name of the local host)
> 
> So what do you do here if you have an emailadress, like
> andre at ockers.eu
> at an email service provider, let's say
> serviceprovider.nl?
> Would that be ockers.eu or serviceprovider.nl in /etc/mailname?

The more domain names, the merrier!

There is no single right answer. These names are used to build e-mail
addresses when you don't specify a fully valid e-mail address when you
send the mail; both for the sender and the recipient addresses. As I
indicated in the previous mail, I think you should avoid the situation
where nullmailer will build e-mail adresses on a domain you don't
control yourself, to prevent annoying people who happen to have the
address that nullmailer builds.

This all simply does not apply to caff, and caff is our intended goal.
But configuring nullmailer might also cause daemons on your computer to
try and start sending e-mails, and that is where it does apply.

I've gone through several iterations of this e-mail. The thing is,
there is no single right answer. There are multiple wrong answers. And
my system is configured differently than yours, so I can't just say
"this works for me", since I know for a fact it will not work for you.
I'm sorry if I'm confusing you. I'm doing my best, but I'm simply not
sure of the *best* solution in this case.

So I hope that this is the best outcome:

First, let's see what your computer thinks it is called. Invoke this:

$ hostname --fqdn

It will give you the domain name of the computer. Let's say this
happened:

$ hostname --fqdn
mario.itsa.me

Then let's put this in the files:

/etc/mailname: mario.itsa.me
/etc/nullmailer/adminaddr: andre at ockers.eu
/etc/nullmailer/defaultdomain: itsa.me
/etc/nullmailer/idhost: ockers.eu

This will cause any e-mails addressed to some-username at mario,
some-username at mario.itsa.me and some-username at localhost to end up being
delivered to andre at ockers.eu. They might not succeed, though, because
your e-mail provider might very well reject the sender of the mail. You
should probably check every now and then whether there is anything stuck
in /var/spool/nullmailer/queue.  You can delete any files there and it
will stop trying to deliver that e-mail. You do need to be root to
delete them.

Note that Postfix would probably not do better at delivering those
e-mails. It could be configured to do so, but by default it would not.

And the idhost line prevents the name mario.itsa.me from ending up in
the e-mail headers (specifically, the Message-ID line). It mirrors your
current e-mail setup, which I could see in your e-mail headers. Some
people don't like names from their internal network leaking out to the
big bad internet. But it might still happen in other places.

>> /etc/nullmailer/remotes: mail.digitalbrains.com smtp --port=587 --starttls --user=peter-nullmailer --pass=[...]
>>
>> That last one is the really important one. It uses the SMTP submission
>> port, STARTTLS, and in my case a password that has been chosen to not
>> require quotes. But you can use quotes to just use your provider account
>> password.
> 
> Would that be
> mail.serviceprovider.nl smtp --port=587 --starttls
> --user=andre-nullmailer --pass=...
> or
> mail.ockers.eu smtp --port=587 --starttls --user=andre-nullmailer --pass=...
> in /etc/nullmailer/remotes?

This is the same as when configuring your e-mail client. If your e-mail
service provider has given you the following outgoing mail server
settings:

Outgoing mail server: smtp.serviceprovider.nl
User name: some-username at serviceprovider.nl
Password: lalala

Then the line becomes

/etc/nullmailer/remotes: smtp.serviceprovider.nl smtp --port=587 --starttls --user=some-username at serviceprovider.nl --pass=lalala

Some providers will use a full e-mail address as user name, others just
the bit before the @.

You could take a look in your e-mail client software (which clearly
works) and see what it has there for outgoing mail server settings. That
probably will not show you the password right away.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190216/e6e4cebc/attachment-0001.sig>

From mgorny at gentoo.org  Sat Feb 16 19:25:38 2019
From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=)
Date: Sat, 16 Feb 2019 19:25:38 +0100
Subject: An option to generate revocation cert for subkey(s)?
Message-ID: <1550341538.642.7.camel@gentoo.org>

Hello,

I'd like to ask whether it'd be feasible to have an option to generate
revocation certificate that revokes one (or more?) subkeys rather than
the whole key.

Our use case involves signing key kept on a server for the purpose of
automated signatures.  We'd like to keep the secret portion
of the primary key offline and use a dedicated signing subkey
on the server.  At the same time, we'd like to be able to quickly revoke
the subkey if need arises without having to reach for the primary key.

I know that currently with a bit of hacking we can store an export
of the key with subkey revoked, and use that for the purpose.  However,
I think it would be much more convenient if had an option to generate
the revocation signature separately.

-- 
Best regards,
Micha? G?rny
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190216/4e30ba1f/attachment.sig>

From tlikonen at iki.fi  Sun Feb 17 07:23:38 2019
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sun, 17 Feb 2019 08:23:38 +0200
Subject: Two utilities: gpg-tofu and gpg-graph
Message-ID: <87ftsnorv9.fsf@iki.fi>

Hello!

I have made two utilities to help my usage of gpg. I think the
functionality of one of them should be part of gpg.


gpg-tofu
--------

https://github.com/tlikonen/gpg-tofu

This program parses "gpg --batch --no-tty --with-tofu-info --with-colons
--list-keys -- [...]" output and displays human readable TOFU
statistics. An example:


$ gpg-tofu tlikonen at iki.fi

4E1055DC84E9DFF613D78557719D69D324539450
  [ultimate] Teemu Likonen <tlikonen at iki.fi>
    TOFU validity: (4/4) a lot of history for trust, TOFU policy: good
    428 signatures in 1 year 252 days, first: 2017-06-09 11:28:16, last: 2019-02-16 19:36:03
    404 encryptions in 1 year 244 days, first: 2017-06-15 14:41:30, last: 2019-02-14 19:25:41
[...]


In my opinion "gpg --with-tofu-info --list-keys" etc. (without
--with-colons) should display similar human readable TOFU info. Please
make my tool obsolete. :-)


gpg-graph
---------

https://github.com/tlikonen/gpg-graph

This program parses "gpg --batch --no-tty --with-colons
--check-signatures -- [...]" and prints graph data for Graphviz for
drawing nice web of trust graphs.


$ gpg-graph [key1 ...] | dot -Tpng >wot-dot.png
$ gpg-graph [key1 ...] | neato -Tpng >wot-neato.png
$ gpg-graph [key1 ...] | sfdp -Tpng >wot-sfdp.png


I have seen one similar tool before (packaged in Debian) but it was
broken by design because it tries to parse the human readable output of
"gpg --check-signatures". It didn't work with the default --list-options
of gpg 2.1. Obviously it should parse machine readable --with-colons
output which my version does.


-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190217/8921ea79/attachment.sig>

From farhan at farhan.codes  Sun Feb 17 08:20:30 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Sun, 17 Feb 2019 02:20:30 -0500
Subject: Yubikey keytocard: "Bad secret key"
Message-ID: <81ffafa24469e91bc6164ddd431674b1@farhan.codes>

Hi all,

I am trying to import my existing PGP key to my Yubikey and I keep getting:

gpg: KEYTOCARD failed: Bad secret key

Even after I reset the pin or set a custom value. I am following the instructions here (https://support.yubico.com/support/solutions/articles/15000006421-resetting-the-openpgp-applet-on-your-yubikey) to reset the device, but am told the pin is wrong. This happens both when I set a custom pin and not. Am I doing something wrong? Below is an output of what I did to reset the pin, expecting it to be "1234578".

Please advise.

---------------
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006047082720000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

$ gpg-connect-agent --hex
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.              
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.              
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.              
OK
> scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
D[0000]  69 83                                              i.              
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.              
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.              
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 82                                              i.              
OK
> scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
D[0000]  69 83                                              i.              
OK
> scd apdu 00 e6 00 00
D[0000]  90 00                                              ..              
OK
> scd apdu 00 44 00 00
D[0000]  90 00                                              ..              
OK
>
 
---------------
>From here I killed the running gpg-agent process, removed the device, re-entered it, and opened a new terminal. I do not have gpg-connect-agent running.
---------------
$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D2760001240102010006047082720000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: XXXXXXXX
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

$ gpg --list-keys test at test.com
pub   rsa1024 2019-02-16 [SC]
      B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82
uid           [ultimate] test test (Test Comment) <test at test.com>
sub   rsa1024 2019-02-16 [E]

$ gpg --edit-key B8F72ED15BF85867CDFD7C80A08B3F30A45C3E82
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa1024/A08B3F30A45C3E82
     created: 2019-02-16  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa1024/4D997E0AE0CEC20C
     created: 2019-02-16  expires: never       usage: E   
[ultimate] (1). test test (Test Comment) <test at test.com>

gpg> toggle

sec  rsa1024/A08B3F30A45C3E82
     created: 2019-02-16  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa1024/4D997E0AE0CEC20C
     created: 2019-02-16  expires: never       usage: E   
[ultimate] (1). test test (Test Comment) <test at test.com>

gpg> 1

sec  rsa1024/A08B3F30A45C3E82
     created: 2019-02-16  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa1024/4D997E0AE0CEC20C
     created: 2019-02-16  expires: never       usage: E   
[ultimate] (1)* test test (Test Comment) <test at test.com>

gpg> keytocard
Really move the primary key? (y/N) y
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Bad secret key
---------------
I am prompted to enter the PGP password, which seems to work, but when I enter the admin key of "12345678" I get this error. Any ideas where the problem may lay?

Thanks!

---
Farhan Khan


From andrewg at andrewg.com  Sun Feb 17 10:26:03 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 17 Feb 2019 09:26:03 +0000
Subject: Yubikey keytocard: "Bad secret key"
In-Reply-To: <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
References: <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
Message-ID: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com>


> On 17 Feb 2019, at 07:20, Farhan Khan via Gnupg-users <gnupg-users at gnupg.org> wrote:
> 
> Key attributes ...: rsa2048 rsa2048 rsa2048

But you?re trying to load an rsa1024 key onto it. Have you tried loading a 2048 bit key instead?

A


From 2017-r3sgs86x8e-lists-groups at riseup.net  Sun Feb 17 13:25:24 2019
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sun, 17 Feb 2019 12:25:24 +0000
Subject: Two utilities: gpg-tofu and gpg-graph
In-Reply-To: <87ftsnorv9.fsf@iki.fi>
References: <87ftsnorv9.fsf@iki.fi>
Message-ID: <1908274116.20190217122524@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 17 February 2019 at 6:23:38 AM, in
<mid:87ftsnorv9.fsf at iki.fi>, Teemu Likonen wrote:-


> In my opinion "gpg --with-tofu-info --list-keys" etc.
> (without
> --with-colons) should display similar human readable
> TOFU info.

Currently I don't think the option "--with-tofu-info" changes the
output of "gpg --list-keys" at all. It would be interesting to see
this, but I'm not sure the information is useful to me.

- --
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

You can't build a reputation on what you are going to do
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXGlSxl8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+uq4AQCGlSbteRcfDt4kLRazRd/GIIGUzkrrL7+OPA0WPjbgMQD/VdAH4qSVY34I
8NLGK7bvPQ7fAKnyAtnnYVcxWLBSBgyJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXGlSxl8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/6omD/9rdw0aFyU3r+rl+TjmXRgm4sVE
V0zh6ZdKPUb8n7fsyGu/Yu8mt9zBQHI4NusnKJ+cpr2G+KcAvdYxomMU9vOi57rK
ujevvLjt3v19c4jqF2oM5B6fe6dcYe1q+jJfy0JJNG52S4DQ4BjyuImYWjsyj6dC
ec06qHSEbDYatK/ZenRJwv5JC+R7SFBog9DbTNy8nPUzZoyFeuw5Td/9/Tik0Y9o
rC61+KCvii71atIZ/fOp4NIDOjl5OWTboG7n+miFRJ7cvLkHaqxWKMyseFFs6QYV
CTQNAEwT+k9mvf7bbXaXjKZl88GjfRr521KubaEDP0M4oJrS8VaINphSxZspPSKy
kWqg+x/cbBMAi/eYfLxqwdQ+kECildwjNckuwPsr7kZAOyD8DNmDSuVAoIa+iKw1
oUn0GLnTNlxUNuFlgn978Oy+pUz5/U0zlYxbL9iWB57Cs5JXcxKbrtV/Ilh+pxH/
FxX9cdEtkBp5Kg9RoHEK5OjhuXzD7sp5XZThlkHor46D74H7v1JfPED5hRBVuwY/
wFjCVUW74WWM//HKfw1FcUGXZ6u1CuYeB1GeTpvbG8pygmKb4+N/FWTqjWZyGTRK
Ptr97TOqo04RZym6CLEztmQsp3qOhrlpk2Z6R2JF8+pOxT00pz2T+plDMU9g0Xcl
5usBfSrldizpbPietQ==
=4N13
-----END PGP SIGNATURE-----



From jerry at seibercom.net  Sun Feb 17 13:34:29 2019
From: jerry at seibercom.net (Jerry)
Date: Sun, 17 Feb 2019 07:34:29 -0500
Subject: An option to generate revocation cert for subkey(s)?
In-Reply-To: <1550341538.642.7.camel@gentoo.org>
References: <1550341538.642.7.camel@gentoo.org>
Message-ID: <20190217073429.0000365c@seibercom.net>

On Sat, 16 Feb 2019 19:25:38 +0100, Micha? G?rny stated:

>Hello,
>
>I'd like to ask whether it'd be feasible to have an option to generate
>revocation certificate that revokes one (or more?) subkeys rather than
>the whole key.
>
>Our use case involves signing key kept on a server for the purpose of
>automated signatures.  We'd like to keep the secret portion
>of the primary key offline and use a dedicated signing subkey
>on the server.  At the same time, we'd like to be able to quickly
>revoke the subkey if need arises without having to reach for the
>primary key.
>
>I know that currently with a bit of hacking we can store an export
>of the key with subkey revoked, and use that for the purpose.  However,
>I think it would be much more convenient if had an option to generate
>the revocation signature separately.

+1

-- 
Jerry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190217/d62f9346/attachment-0001.sig>

From james at cleverstudentlets.com  Sun Feb 17 13:36:11 2019
From: james at cleverstudentlets.com (james at cleverstudentlets.com)
Date: Sun, 17 Feb 2019 12:36:11 +0000 (GMT)
Subject: =?utf-8?Q?Re:_Re:_An_option_to_generate_revocation_cert_for_subkey=28s=29=3F?=
Message-ID: <20190217123611.BB9C9CF5F2E@cloud328480-1.lcncloud.com>

Thanks for your e-mail. Please note that I am away from the office at the moment. If your enquiry is of an urgent nature please call the office on 01752-500511 or e-mail mark at cleverstudentlets.com.





From aajaxx at gmail.com  Sun Feb 17 21:08:50 2019
From: aajaxx at gmail.com (Ajax)
Date: Sun, 17 Feb 2019 20:08:50 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
Message-ID: <CABNaOw8mwJkAKXnNkYCxfDgYOhy0MHtD32aBV_7eF6WmAemBSA@mail.gmail.com>

This is with Debian Stretch (Debian 9.8) and Linux kernel
4.19.0-0.bpo.2-amd64

Speedo fails as follows:

ajax:~/src/gnupg/gnupg-2.2.13$ LD_LIBRARY_PATH=$(pwd)/PLAY/inst/lib make -f
build-aux/speedo.mk  native
make -f /home/jam/src/gnupg/gnupg-2.2.13/build-aux/speedo.mk UPD_SWDB=1
TARGETOS=native WHAT=release WITH_GUI=0 all
make[1]: Entering directory '/home/jam/src/gnupg/gnupg-2.2.13'
gpgv: Signature made Mon 11 Feb 2019 10:41:15 AM UTC
gpgv:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpgv: Good signature from "Werner Koch (dist sig)"
GnuPG version in swdb.lst is less than this version!
  This version: 2.2.13
  SWDB version: 2.2.12
/home/ajax/src/gnupg/gnupg-2.2.13/build-aux/speedo.mk:279: *** Error
getting GnuPG software version database.  Stop.
make[1]: Leaving directory '/home/ajax/src/gnupg/gnupg-2.2.13'
build-aux/speedo.mk:73: recipe for target 'native' failed
make: *** [native] Error 2

I notice the following:

ajax:~/src/gnupg/gnupg-2.2.13$ gpg --verify swdb.lst.sig swdb.lst
gpg: Signature made Mon 11 Feb 2019 10:41:15 AM UTC
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"

jajax:~/src/gnupg/gnupg-2.2.13$ head -n 1 swdb.lst
gnupg22_ver 2.2.12

Is the above what is to be expected?

FWIW without speedo, I get the following and the build seems to be fine.

ajax:~/src/gnupg/gnupg-2.2.13$ ./configure | tail -n 30
config.status: creating po/Makefile

        GnuPG v2.2.13 has been configured as follows:

        Revision:  7922e2dd1  (31010)
        Platform:  GNU/Linux (x86_64-pc-linux-gnu)

        OpenPGP:   yes
        S/MIME:    yes
        Agent:     yes
        Smartcard: yes (without internal CCID driver)
        G13:       no
        Dirmngr:   yes
        Gpgtar:    yes
        WKS tools: yes

        Protect tool:      (default)
        LDAP wrapper:      (default)
        Default agent:     (default)
        Default pinentry:  (default)
        Default scdaemon:  (default)
        Default dirmngr:   (default)

        Dirmngr auto start:  yes
        Readline support:    yes
        LDAP support:        yes
        TLS support:         ntbtls
        TOFU support:        yes
        Tor support:         yes

What should I do to make a speedo build work?

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190217/dcf2658c/attachment.html>

From farhan at farhan.codes  Mon Feb 18 06:19:03 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 00:19:03 -0500
Subject: Using Yubikey only to encrypt/sign
Message-ID: <20190218051902.GA19367@pc.farhan.codes>

Hi all,

How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to
encrypt, sign, or decrypt? This might be in a scenario where I only have the
keys on my card but not on disk such as while traveling. I can confirm that
'gpg --card-status' lists the keys as present.

I am simulating this scenario by moving ~/.gnupg to another directory, but
running 'gpg --list-keys' does not list the list the key as present.

Please advise.
Thanks!

---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF


From farhan at farhan.codes  Mon Feb 18 06:51:17 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 05:51:17 +0000
Subject: Yubikey keytocard: "Bad secret key"
In-Reply-To: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com>
References: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com>
 <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
Message-ID: <b6b7129edd75f32706dce28a8d2b586a@farhan.codes>

February 17, 2019 4:26 AM, "Andrew Gallagher" <andrewg at andrewg.com> wrote:

>> On 17 Feb 2019, at 07:20, Farhan Khan via Gnupg-users <gnupg-users at gnupg.org> wrote:
>> 
>> Key attributes ...: rsa2048 rsa2048 rsa2048
> 
> But you?re trying to load an rsa1024 key onto it. Have you tried loading a 2048 bit key instead?
> 
> A
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

This was it, loading a 2048-bit key works just fine
Thanks Andrew!

---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF


From andrewg at andrewg.com  Mon Feb 18 08:35:27 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 18 Feb 2019 07:35:27 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <20190218051902.GA19367@pc.farhan.codes>
References: <20190218051902.GA19367@pc.farhan.codes>
Message-ID: <E631BD5F-961A-4D51-816C-41BAF22339BE@andrewg.com>


> On 18 Feb 2019, at 05:19, Farhan Khan via Gnupg-users <gnupg-users at gnupg.org> wrote:
> 
> How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to
> encrypt, sign, or decrypt? This might be in a scenario where I only have the
> keys on my card but not on disk such as while traveling. I can confirm that
> 'gpg --card-status' lists the keys as present.
> 
> I am simulating this scenario by moving ~/.gnupg to another directory, but
> running 'gpg --list-keys' does not list the list the key as present.

You need to download the public key of the secret keys you are about to use, and then run `gpg --card-status` again. After that it Should Just Work.

A


From peter at digitalbrains.com  Mon Feb 18 12:09:36 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 18 Feb 2019 12:09:36 +0100
Subject: Yubikey keytocard: "Bad secret key"
In-Reply-To: <b6b7129edd75f32706dce28a8d2b586a@farhan.codes>
References: <279DEE80-FF7A-47CE-9A11-083C9D5D08A5@andrewg.com>
 <81ffafa24469e91bc6164ddd431674b1@farhan.codes>
 <b6b7129edd75f32706dce28a8d2b586a@farhan.codes>
Message-ID: <5db47951-9500-6fdc-f083-3542bbfbed6e@digitalbrains.com>

On 18/02/2019 06:51, Farhan Khan via Gnupg-users wrote:
> This was it, loading a 2048-bit key works just fine
> Thanks Andrew!

First of all, I think it's a much better idea to generate a 2048-bit key
anyway, so it worked out okay.

But the problem is interesting. Before --card-edit gained its key-attr
command, GnuPG would do the correct key-attr stuff automatically to
switch to the desired key length. Maybe it has stopped doing that now,
and you need to do:

$ gpg --card-edit
[...]
gpg> key-attr

to select the desired key length before keytocard.

At the moment, I don't have a version with key-attr at hand to quickly
test myself.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190218/df3a9e01/attachment.sig>

From konstantin at linuxfoundation.org  Mon Feb 18 14:32:41 2019
From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Date: Mon, 18 Feb 2019 08:32:41 -0500
Subject: Two utilities: gpg-tofu and gpg-graph
In-Reply-To: <87ftsnorv9.fsf@iki.fi>
References: <87ftsnorv9.fsf@iki.fi>
Message-ID: <20190218133241.GB1151@chatter.qube.local>

On Sun, Feb 17, 2019 at 08:23:38AM +0200, Teemu Likonen wrote:
>gpg-graph
>---------
>
>https://github.com/tlikonen/gpg-graph
>
>This program parses "gpg --batch --no-tty --with-colons
>--check-signatures -- [...]" and prints graph data for Graphviz for
>drawing nice web of trust graphs.
>
>
>$ gpg-graph [key1 ...] | dot -Tpng >wot-dot.png
>$ gpg-graph [key1 ...] | neato -Tpng >wot-neato.png
>$ gpg-graph [key1 ...] | sfdp -Tpng >wot-sfdp.png
>
>
>I have seen one similar tool before (packaged in Debian) but it was
>broken by design because it tries to parse the human readable output of
>"gpg --check-signatures". It didn't work with the default --list-options
>of gpg 2.1. Obviously it should parse machine readable --with-colons
>output which my version does.

There's also this graphing tool that I've been using for kernel.org 
needs:
https://github.com/mricon/wotmate

-K
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190218/beb15157/attachment-0001.sig>

From wk at gnupg.org  Mon Feb 18 20:16:25 2019
From: wk at gnupg.org (Werner Koch)
Date: Mon, 18 Feb 2019 20:16:25 +0100
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To: <CABNaOw8mwJkAKXnNkYCxfDgYOhy0MHtD32aBV_7eF6WmAemBSA@mail.gmail.com>
 (Ajax's message of "Sun, 17 Feb 2019 20:08:50 +0000")
References: <CABNaOw8mwJkAKXnNkYCxfDgYOhy0MHtD32aBV_7eF6WmAemBSA@mail.gmail.com>
Message-ID: <87d0nox5yu.fsf@wheatstone.g10code.de>

On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:

> GnuPG version in swdb.lst is less than this version!
>   This version: 2.2.13
>   SWDB version: 2.2.12

Something went wrong uploading the version file.  I just repeated it and
it wortks now (try: "build-aux/getswdb.sh").

Thanks for reporting,

 Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190218/f9a5c5be/attachment.sig>

From aajaxx at gmail.com  Mon Feb 18 21:10:20 2019
From: aajaxx at gmail.com (Ajax)
Date: Mon, 18 Feb 2019 20:10:20 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To: <87d0nox5yu.fsf@wheatstone.g10code.de>
References: <CABNaOw8mwJkAKXnNkYCxfDgYOhy0MHtD32aBV_7eF6WmAemBSA@mail.gmail.com>
 <87d0nox5yu.fsf@wheatstone.g10code.de>
Message-ID: <CABNaOw-aE=F=vR0Okc7TYneToyu5cfityy2A2_kSRvXT+2XE+A@mail.gmail.com>

On Mon, Feb 18, 2019 at 7:20 PM Werner Koch <wk at gnupg.org> wrote:

> On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:
>
> > GnuPG version in swdb.lst is less than this version!
> >   This version: 2.2.13
> >   SWDB version: 2.2.12
>
> Something went wrong uploading the version file.  I just repeated it and
> it wortks now (try: "build-aux/getswdb.sh"
>

Any hints where I might  find build-aux on debian stretch?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190218/a89ccec2/attachment.html>

From farhan at farhan.codes  Mon Feb 18 21:35:30 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 20:35:30 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <E631BD5F-961A-4D51-816C-41BAF22339BE@andrewg.com>
References: <E631BD5F-961A-4D51-816C-41BAF22339BE@andrewg.com>
 <20190218051902.GA19367@pc.farhan.codes>
Message-ID: <e2ab22c9e9d456805b66755111facc6c@farhan.codes>

February 18, 2019 2:35 AM, "Andrew Gallagher" <andrewg at andrewg.com> wrote:

>> On 18 Feb 2019, at 05:19, Farhan Khan via Gnupg-users <gnupg-users at gnupg.org> wrote:
>> 
>> How does one utilize *just* the yubikey (or OpenPGP smartcard in general) to
>> encrypt, sign, or decrypt? This might be in a scenario where I only have the
>> keys on my card but not on disk such as while traveling. I can confirm that
>> 'gpg --card-status' lists the keys as present.
>> 
>> I am simulating this scenario by moving ~/.gnupg to another directory, but
>> running 'gpg --list-keys' does not list the list the key as present.
> 
> You need to download the public key of the secret keys you are about to use, and then run `gpg
> --card-status` again. After that it Should Just Work.
> 
> A
> 

Hey Andrew,
I was given the message "gpg: decryption failed: No secret key". I ran this:

mv .gnupg .gnupg.bak
gpg --card-status
cat encrypted_message | gpg --decrypt

This gave me the warning message:
gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
      "Farhan Khan <farhan at farhan.codes>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

When I run gpg --list-secret-keys, I see the serial number listed for my card.
I suspect this is a gpg-agent issue?

Thanks,

---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF


From andrewg at andrewg.com  Mon Feb 18 21:51:07 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 18 Feb 2019 20:51:07 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <e2ab22c9e9d456805b66755111facc6c@farhan.codes>
References: <E631BD5F-961A-4D51-816C-41BAF22339BE@andrewg.com>
 <20190218051902.GA19367@pc.farhan.codes>
 <e2ab22c9e9d456805b66755111facc6c@farhan.codes>
Message-ID: <67563238-716E-49C5-B379-99072F17060F@andrewg.com>


> On 18 Feb 2019, at 20:35, Farhan Khan <farhan at farhan.codes> wrote:
> Hey Andrew,
> I was given the message "gpg: decryption failed: No secret key". I ran this:
> 
> mv .gnupg .gnupg.bak
> gpg --card-status
> cat encrypted_message | gpg --decrypt
> 
> This gave me the warning message:
> gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
>      "Farhan Khan <farhan at farhan.codes>"
> gpg: public key decryption failed: Invalid ID
> gpg: decryption failed: No secret key
> 
> When I run gpg --list-secret-keys, I see the serial number listed for my card.
> I suspect this is a gpg-agent issue?

Would you mind posting the results of `gpg --list-secret-keys`? With the yubikey plugged in. It shouldn?t contain anything too sensitive. You may have the decryption key in the wrong slot. 

A


From farhan at farhan.codes  Mon Feb 18 22:39:47 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Mon, 18 Feb 2019 21:39:47 +0000
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <67563238-716E-49C5-B379-99072F17060F@andrewg.com>
References: <67563238-716E-49C5-B379-99072F17060F@andrewg.com>
 <E631BD5F-961A-4D51-816C-41BAF22339BE@andrewg.com>
 <20190218051902.GA19367@pc.farhan.codes>
 <e2ab22c9e9d456805b66755111facc6c@farhan.codes>
Message-ID: <17d7b19a31012c16d560882e4b510220@farhan.codes>

February 18, 2019 3:51 PM, "Andrew Gallagher" <andrewg at andrewg.com> wrote:

>> On 18 Feb 2019, at 20:35, Farhan Khan <farhan at farhan.codes> wrote:
>> Hey Andrew,
>> I was given the message "gpg: decryption failed: No secret key". I ran this:
>> 
>> mv .gnupg .gnupg.bak
>> gpg --card-status
>> cat encrypted_message | gpg --decrypt
>> 
>> This gave me the warning message:
>> gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
>> "Farhan Khan <farhan at farhan.codes>"
>> gpg: public key decryption failed: Invalid ID
>> gpg: decryption failed: No secret key
>> 
>> When I run gpg --list-secret-keys, I see the serial number listed for my card.
>> I suspect this is a gpg-agent issue?
> 
> Would you mind posting the results of `gpg --list-secret-keys`? With the yubikey plugged in. It
> shouldn?t contain anything too sensitive. You may have the decryption key in the wrong slot.
> 
> A

Sure!

So, I have two tracks I'm taking at once, and perhaps you can provide some clarity on usage. My intention was to have the key on both my disk for use locally and on card for use while away from my computer.

A. I have a keyring with the secret key. I ran --edit-key, then keytocard. When I list --secret-keys, I get this:

---
$ gpg --list-secret-keys farhan at farhan.codes
sec>  rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
      7BEF02AB89AF9581194D57F1BF0F750DB428FFFF
      Card serial no. = XXXX XXXXXXXX
uid           [ultimate] Farhan Khan <farhan at farhan.codes>
---

Notice the serial card number. At this point, I cannot decrypt files without the key present. Has the secret key been removed from disk? If so, this means I can only have the key in one place at a time and risk losing it. Ideally I would like to have the secret key on my computer, which I trust, but not on other devices.

B. I moved ~/.gnupg and created a new keyring. Then, I imported my public key. This simulates a situation where I can access my public key from the internet, but will not store it on the machine. Here is the output you requested:

---
$ gpg --list-secret-keys farhan at farhan.codes
sec>  rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
      7BEF02AB89AF9581194D57F1BF0F750DB428FFFF
      Card serial no. = 0006 04708272
uid           [ unknown] Farhan Khan <farhan at farhan.codes>
---

I expect to be able to decrypt messages, but cannot:
---
$ echo test | gpg --encrypt -r farhan at farhan.codes | gpg --decrypt
gpg: BF0F750DB428FFFF: There is no assurance this key belongs to the named user
pub  rsa2048/BF0F750DB428FFFF 2019-02-18 Farhan Khan <farhan at farhan.codes>
 Primary key fingerprint: 7BEF 02AB 89AF 9581 194D  57F1 BF0F 750D B428 FFFF

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
      "Farhan Khan <farhan at farhan.codes>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
---

Please advise where my mistakes or incorrect assumptions are.
Thanks,

---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF


From aajaxx at gmail.com  Mon Feb 18 22:54:58 2019
From: aajaxx at gmail.com (Ajax)
Date: Mon, 18 Feb 2019 21:54:58 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To: <CABNaOw-aE=F=vR0Okc7TYneToyu5cfityy2A2_kSRvXT+2XE+A@mail.gmail.com>
References: <CABNaOw8mwJkAKXnNkYCxfDgYOhy0MHtD32aBV_7eF6WmAemBSA@mail.gmail.com>
 <87d0nox5yu.fsf@wheatstone.g10code.de>
 <CABNaOw-aE=F=vR0Okc7TYneToyu5cfityy2A2_kSRvXT+2XE+A@mail.gmail.com>
Message-ID: <CABNaOw-9Jd7PWuTzZE0bTYVwA7w4zJcdNT+LDQUZaW3tYVP8Ww@mail.gmail.com>

On Mon, Feb 18, 2019 at 8:10 PM Ajax <aajaxx at gmail.com> wrote:

>
>
> On Mon, Feb 18, 2019 at 7:20 PM Werner Koch <wk at gnupg.org> wrote:
>
>> On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:
>>
>> > GnuPG version in swdb.lst is less than this version!
>> >   This version: 2.2.13
>> >   SWDB version: 2.2.12
>>
>> Something went wrong uploading the version file.  I just repeated it and
>> it wortks now (try: "build-aux/getswdb.sh"
>>
>
> Any hints where I might  find build-aux on debian stretch?
>

Thank you for your quick abs suscibct response and please excuse me for ny
last silly response.
The speedo build worked fine after using "build-aux/getswdb.sh".

After the speedo build make install gives:

make: *** No rule to make target 'install'.  Stop.

What am I missing now?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190218/af760225/attachment.html>

From peter at digitalbrains.com  Tue Feb 19 11:23:52 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 19 Feb 2019 11:23:52 +0100
Subject: Using Yubikey only to encrypt/sign
In-Reply-To: <17d7b19a31012c16d560882e4b510220@farhan.codes>
References: <67563238-716E-49C5-B379-99072F17060F@andrewg.com>
 <E631BD5F-961A-4D51-816C-41BAF22339BE@andrewg.com>
 <20190218051902.GA19367@pc.farhan.codes>
 <e2ab22c9e9d456805b66755111facc6c@farhan.codes>
 <17d7b19a31012c16d560882e4b510220@farhan.codes>
Message-ID: <2d3a85b6-b812-1752-b3ca-88e6a7c2828e@digitalbrains.com>

On 18/02/2019 22:39, Farhan Khan via Gnupg-users wrote:
> $ gpg --list-secret-keys farhan at farhan.codes
> sec>  rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]

Ah, well, there's your problem.

You should not use your primary key for encryption; they invented
subkeys for that.

And with the smartcard, you come into the uncomfortable situation that
the smartcard will decline to decrypt with what it knows is a signature
key, and likewise decline to sign with what it knows is an encryption
key. But both those usages are this key, and there will only be one stub
in GnuPG, which will refer to either a smartcard signature key or a
smartcard encryption key, but not both.

The most straightforward solution is to create an RSA primary key that
does certification and signatures (usage: SC), and an RSA subkey that
does encryption (usage: E). My --full-gen-key calls this option "RSA and
RSA (default)".

You can then upload those keys to the correct slots in the smartcard (it
will decline to pick the wrong slot). But if you wish to use the on-disk
keys after that, and the smartcard somewhere else, you should "Quit
without save", because as you have experienced, it will *delete* the
on-disk key when you "Save and quit" and only use the smartcard key from
then on.

As an aside, I'll note that you could also create a primary key that can
only certify, and a separate subkey that does signatures. That way, you
can have only subkeys on your smartcard, and compromise of the system
you use the smartcard on will only allow the attacker to issue
signatures on documents, but not edit your key or issue signatures on
other /keys/. But this might not be necessary for you, it depends on
what threat model you envision.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190219/e7d3eb52/attachment-0001.sig>

From mac3iii at gmail.com  Tue Feb 19 15:29:26 2019
From: mac3iii at gmail.com (murphy)
Date: Tue, 19 Feb 2019 09:29:26 -0500
Subject: Speedo build of GnuPG v2.2.13 fails for me
Message-ID: <42a0ec20-e8f8-bf4f-6544-ecd5d0fd68e9@gmail.com>

Hi Ajax - For what it is worth I put up a github bash file that should
build the latest version of gpg using the fabulous speedo method in a
Debian based environment.? I ran this yesterday and it works on Ubuntu
18.04 and the latest Raspbian Stretch (Raspberry Pi OS based on Stretch).

https://github.com/sandyCH/gpg_build

I also noticed that the database had not been updated and chose to wait
until it was found and corrected.? It happens sometimes.? I hope you
find this useful!

murphy


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190219/f5d97d76/attachment.sig>

From abbot at monksofcool.net  Tue Feb 19 18:26:39 2019
From: abbot at monksofcool.net (Ralph Seichter)
Date: Tue, 19 Feb 2019 18:26:39 +0100
Subject: Problems while joining/leaving this mailing list
Message-ID: <87zhqrpu40.fsf@ra.horus-it.com>

I have written to the list owners but did not receive a reply yet, and I
also wonder if anybody else has experienced this:

I tried to subscribe with new at dom.ain and unsubscribe with old at dom.ain
by sending email to gnupg-users-request at gnupg.org from each of this
addresses. Firstly, I find it very irritating that messages to the
mailing list robot are subjected to greylisting delay of at least one
hour. Secondly, I have received two replies with different confirmation
codes for each of my (un)subscription attempts -- four codes total.

It seems to me that the mailing list robot is experiencing hiccups. Can
anybody here confirm this?

-Ralph


From idmsdba at nycap.rr.com  Tue Feb 19 21:28:38 2019
From: idmsdba at nycap.rr.com (Michael A. Yetto)
Date: Tue, 19 Feb 2019 15:28:38 -0500
Subject: Problems while joining/leaving this mailing list
In-Reply-To: <87zhqrpu40.fsf@ra.horus-it.com>
References: <87zhqrpu40.fsf@ra.horus-it.com>
Message-ID: <20190219152838.70bdcee1@braetac.lighthouse.yetnet>

On Tue, 19 Feb 2019 18:26:39 +0100
Ralph Seichter <abbot at monksofcool.net> writes, and having writ moves on:

>I have written to the list owners but did not receive a reply yet, and
>I also wonder if anybody else has experienced this:
>
>I tried to subscribe with new at dom.ain and unsubscribe with old at dom.ain
>by sending email to gnupg-users-request at gnupg.org from each of this
>addresses. Firstly, I find it very irritating that messages to the
>mailing list robot are subjected to greylisting delay of at least one
>hour. Secondly, I have received two replies with different confirmation
>codes for each of my (un)subscription attempts -- four codes total.
>
>It seems to me that the mailing list robot is experiencing hiccups. Can
>anybody here confirm this?
>


When you sent mail to <gnupg-users-request at gnupg.org> what did you use
as the Subject?

Did you try the unsubscribe URL found in the "List-Unsubscribe:" header
of each email sent to the list? 

Mike Yetto
-- 
"The hard but just rule is that if the ideas don't work, you must throw
them away. Don't waste any neurons on what doesn't work.  Devote those
neurons to new ideas that better explain the data.  Valid criticism is
doing you a favor."
 - Carl Sagan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190219/e2e9053f/attachment.sig>

From abbot at monksofcool.net  Wed Feb 20 04:02:00 2019
From: abbot at monksofcool.net (Ralph Seichter)
Date: Wed, 20 Feb 2019 04:02:00 +0100
Subject: Problems while joining/leaving this mailing list
In-Reply-To: <20190219152838.70bdcee1@braetac.lighthouse.yetnet>
References: <87zhqrpu40.fsf@ra.horus-it.com>
 <20190219152838.70bdcee1@braetac.lighthouse.yetnet>
Message-ID: <87o97717tj.fsf@ra.horus-it.com>

* Michael A. Yetto:

> When you sent mail to <gnupg-users-request at gnupg.org> what did you use
> as the Subject?

I used "subscribe" and "unsubscribe" as subjects for my (un)subscription
attempts, as shown in the List-Subscribe and List-Unsubscribe headers.
I also tried to unsubscribe using the URL provided in the headers, in
which case I received one confirmation code per attempt (not two per
attempt like with the mail interface), but these codes were rejected
in the web form.

I've since managed to unsub my old address, but something definitely
feels borked here. I have "rolled" my address for about a dozen mailing
lists over the last two days, and gnupg-users is the only ML which
caused problems.

-Ralph


From wk at gnupg.org  Wed Feb 20 09:03:39 2019
From: wk at gnupg.org (Werner Koch)
Date: Wed, 20 Feb 2019 09:03:39 +0100
Subject: An option to generate revocation cert for subkey(s)?
In-Reply-To: <1550341538.642.7.camel@gentoo.org> (=?utf-8?Q?=22Micha=C5=82?=
 =?utf-8?Q?_G=C3=B3rny=22's?= message of
 "Sat, 16 Feb 2019 19:25:38 +0100")
References: <1550341538.642.7.camel@gentoo.org>
Message-ID: <87sgwihoo4.fsf@wheatstone.g10code.de>

On Sat, 16 Feb 2019 19:25, mgorny at gentoo.org said:

> of the key with subkey revoked, and use that for the purpose.  However,
> I think it would be much more convenient if had an option to generate
> the revocation signature separately.

Can you please enter a feature request at dev.gnupg.org?


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190220/089793bb/attachment.sig>

From amuza at riseup.net  Wed Feb 20 13:15:00 2019
From: amuza at riseup.net (amuza)
Date: Wed, 20 Feb 2019 12:15:00 +0000
Subject: How to specify ca-cert-file as a path relative to ~? (was: It's
 more GNU/Linux than GnuPG)
In-Reply-To: <eb0f2a07-a7c6-6448-3899-7105c1cd3977@riseup.net>
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>
 <20190213223631.GH15406@kugelfisch.zuhause.test>
 <eb0f2a07-a7c6-6448-3899-7105c1cd3977@riseup.net>
Message-ID: <dda4aba2-3206-d1cc-c23b-cca638a2b9ed@riseup.net>



amuza:
> 
> 
> Friedhelm Waitzmann:
>>> I have two GNU/Linux computers syncing their ~/.gnupg directories.
>>> "alice" is my username in one computer, "bob" is my username in the
>>> other one.
>>
>>> I have a CA certificate stored in my home directory of both computers,
>>> and would like to keep it there.
>>
>>> Into the ~/.gnupg/gpg.conf file, I wrote the following line pointing to
>>> that CA cert:
>>
>>> 	keyserver-options ca-cert-file=~/keyserverCA.pem
>>
>>> But that line does not seem to work because of "~".
>>
>>> Everything works ok in one computer if I write:
>>
>>> 	keyserver-options ca-cert-file=/home/alice/keyserverCA.pem
>>
>>> and in the other computer if I write:
>>
>>> 	keyserver-options ca-cert-file=/home/bob/keyserversCA.pem
>>
>>> But then, by specifying names, when syncing, that line won't work in one
>>> of the two computers because of the usernames.
>>
>>> Is there any way to specify "user" without writing their name?
>>
>>> Any other suggestion?
>>
>> Just guessing:  How about specifying the file as a path relative
>> to the .gnupg directory?
>>
>> (1)
>>    keyserver-options ca-cert-file=../keyserversCA.pem
>>
>> or
>>
>> (2)
>>    In the .gnupg directory create a symbolic link pointing to ..:
>>    $ ln -s .. ~/.gnupg/homedir
>>    Then set ca-cert-file to homedir/keyserversCA.pem:
>>    keyserver-options ca-cert-file=homedir/keyserversCA.pem
>>
> 
> Hey Friedhelm, thanks a lot!
> Suggestion 2 worked!!
> 
> Thank you Werner too.
> 
Hi again,

I was wrong, suggestion 2 does not work either.

I have tried with

(1)
keyserver-options ca-cert-file=../keyserversCA.pem

(2)
keyserver-options ca-cert-file=symlink_to_home/keyserversCA.pem

(3)
keyserver-options ca-cert-file=$HOME/keyserverCA.pem


I also tried moving the certificate into ~/.gnupg/ and did:

(4)
keyserver-options ca-cert-file=keyserverCA.pem

(5)
keyserver-options ca-cert-file=./keyserverCA.pem


None of them works. Any other suggestion without writing the full path?

I would like it to work for both Alice and Bob, but would like to keep
the certificate into the home directory.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190220/c081ca53/attachment.sig>

From wk at gnupg.org  Wed Feb 20 14:54:48 2019
From: wk at gnupg.org (Werner Koch)
Date: Wed, 20 Feb 2019 14:54:48 +0100
Subject: How to specify ca-cert-file as a path relative to ~?
In-Reply-To: <dda4aba2-3206-d1cc-c23b-cca638a2b9ed@riseup.net> (amuza's
 message of "Wed, 20 Feb 2019 12:15:00 +0000")
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>
 <20190213223631.GH15406@kugelfisch.zuhause.test>
 <eb0f2a07-a7c6-6448-3899-7105c1cd3977@riseup.net>
 <dda4aba2-3206-d1cc-c23b-cca638a2b9ed@riseup.net>
Message-ID: <87k1huh8ev.fsf@wheatstone.g10code.de>

On Wed, 20 Feb 2019 12:15, amuza at riseup.net said:

> (1)
> keyserver-options ca-cert-file=../keyserversCA.pem

I recently asked whether you got a warning regarding this option.  Would
you mind to look again at the output and, more important, tell us what
version of gpg you are using (gpg --version).

Note: Since gnupg 2.1 the above option is obsolete and has no effect.
You need to configure non-standard CA certificates in dirmngr.conf
instead.

Just in case you are still using gpg 1.4.x: You may very weel run
into problems with that if you try to access keyservers.


Shalom-Salam,

   Werner


p.s.  Please do not use full quotes.  Quotes are used to give context to
the reader and thus a few lines are in almost all cases enough.

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190220/69ffa55e/attachment-0001.sig>

From mgorny at gentoo.org  Wed Feb 20 16:37:50 2019
From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=)
Date: Wed, 20 Feb 2019 16:37:50 +0100
Subject: An option to generate revocation cert for subkey(s)?
In-Reply-To: <87sgwihoo4.fsf@wheatstone.g10code.de>
References: <1550341538.642.7.camel@gentoo.org>
 <87sgwihoo4.fsf@wheatstone.g10code.de>
Message-ID: <1550677070.732.0.camel@gentoo.org>

On Wed, 2019-02-20 at 09:03 +0100, Werner Koch wrote:
> On Sat, 16 Feb 2019 19:25, mgorny at gentoo.org said:
> 
> > of the key with subkey revoked, and use that for the purpose.  However,
> > I think it would be much more convenient if had an option to generate
> > the revocation signature separately.
> 
> Can you please enter a feature request at dev.gnupg.org?
> 

https://dev.gnupg.org/T4370

Thanks.

-- 
Best regards,
Micha? G?rny
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190220/e2f6d2df/attachment.sig>

From amuza at riseup.net  Wed Feb 20 17:33:00 2019
From: amuza at riseup.net (amuza)
Date: Wed, 20 Feb 2019 16:33:00 +0000
Subject: How to specify ca-cert-file as a path relative to ~?
In-Reply-To: <87k1huh8ev.fsf@wheatstone.g10code.de>
References: <2e1d8b74-68db-26a5-e131-85644b0ce02f@riseup.net>
 <20190213223631.GH15406@kugelfisch.zuhause.test>
 <eb0f2a07-a7c6-6448-3899-7105c1cd3977@riseup.net>
 <dda4aba2-3206-d1cc-c23b-cca638a2b9ed@riseup.net>
 <87k1huh8ev.fsf@wheatstone.g10code.de>
Message-ID: <4143b745-3abb-21d1-4ee8-8fd6f3951462@riseup.net>


> I recently asked whether you got a warning regarding this option.


Everything works fine if I set the full path. If I use relative paths
and try, for instance, gpg --search-keys user at domain.tld, I get the
following:

gpg: searching for "user at domain.tld" from hkps server hkps.foo.tld
gpgkeys: HTTP search error 77:
gpg: key "user at domain.tld" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error


> tell us what
> version of gpg you are using (gpg --version).


1.4.20

I can also see I have 2.1.11 installed. However, I always use the gpg
command, I have never used the gpg2 command.

I have just tried now:

$ gpg2 --search-keys user at domain.tld
gpg: keyserver option 'ca-cert-file' is obsolete; please use
'hkp-cacert' in dirmngr.conf
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or
directory
gpg: connecting dirmngr at '/home/Alice/.gnupg/S.dirmngr' failed: No
such file or directory
gpg: error searching keyserver: No dirmngr
gpg: keyserver search failed: No dirmngr

So it seems I have version 2 installed, but not that dirmngr thing.

> 
> Note: Since gnupg 2.1 the above option is obsolete and has no effect.
> You need to configure non-standard CA certificates in dirmngr.conf
> instead.
> Just in case you are still using gpg 1.4.x: You may very weel run
> into problems with that if you try to access keyservers.


What kind of problems? I never had a problem when the full path was set.
Will relative paths work if I use version 2?

In that case, what should I do for the upgrade?

Any explanation or link is welcome, I don't know anything about version
2 and that dirmngr file.

Thanks.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190220/fcb629c2/attachment.sig>

From brian at minton.name  Thu Feb 21 19:59:47 2019
From: brian at minton.name (Brian Minton)
Date: Thu, 21 Feb 2019 13:59:47 -0500
Subject: Gnupg-users Digest, Vol 184, Issue 22
In-Reply-To: <20190203124906.57ef92c6@300baud.de>
References: <mailman.11365.1548879854.30381.gnupg-users@gnupg.org>
 <625DD656-7563-4FAD-A51E-7A61486C9A92@Juinio.net>
 <20190130234741.3e8ce8af@300baud.de>
 <CA7CAF77-E615-4D8E-A868-AF56C5E5C9AD@colmena.biz>
 <20190201200558.34a720eb@300baud.de>
 <89b0e539-9431-6335-ce85-7355b73cd98d@sixdemonbag.org>
 <20190203124906.57ef92c6@300baud.de>
Message-ID: <20190221185946.GC8995@brian.minton.name>

On Sun, Feb 03, 2019 at 12:49:06PM +0100, Stefan Claas wrote:
> On Sun, 3 Feb 2019 04:14:06 -0500, Robert J. Hansen wrote:
> 
> I think i have to look harder to find a cross-platform FOSS solution
> that works the same.

Signal seems to work that way.  Well, it relies on a server, but you can host
your own server.  See for instance
https://www.reddit.com/r/signal/wiki/faq#wiki_can_i_host_my_own_server.3F ).
So in that sense, you could directly connect to the person you want to talk
to, if one of you cares to run your own server.

-- 
Brian Minton
brian at minton dot name https://brian.minton.name
Live long, and prosper longer!
OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20  2206 0424 DC19 B678 A1A9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 390 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190221/db6cba37/attachment.sig>

From brian at minton.name  Thu Feb 21 22:55:50 2019
From: brian at minton.name (Brian Minton)
Date: Thu, 21 Feb 2019 16:55:50 -0500
Subject: NIST 800-57 compatible unattended encryption?
In-Reply-To: <20190221213551.olhcmmfkiyfxejmj@raf.org>
References: <20190102050203.7psom2s5hqvphxgp@raf.org>
 <20190102094747.e5lhhj4rndllufos@aurora.local.incenp.org>
 <5504353a-3347-502c-590f-31daf9bd0d7f@metacode.biz>
 <20190108031541.6f4ziukdpccmcejg@raf.org>
 <20190221184118.GB8995@brian.minton.name>
 <20190221213551.olhcmmfkiyfxejmj@raf.org>
Message-ID: <20190221215550.GD8995@brian.minton.name>

On Fri, Feb 22, 2019 at 08:35:51AM +1100, gnupg at raf.org wrote:
> 
> All of it. If you look at Part 1, Section 5, pp 29-31,
> you'll see the complete list of the different types of
> cryptographic key that are considered to be part of the
> standard and hence approved:

Based on my quick skimming of the document, this is what openpgp uses
asymmetric crypto for:

>   10 Private key-transport key
>   11 Public key-transport key

From that document, the definition of key-transport key is as follows:

10. Private key-transport key: Private key-transport keys are the private keys
of asymmetric (public) key pairs that are used to decrypt keys that have been
encrypted with the corresponding public key using a public-key algorithm.
Key-transport keys are usually used to establish keys (e.g., key-wrapping
keys, data-encryption keys or MAC keys) and, optionally, other keying material
(e.g., Initialization Vectors). 

That usage (data-encryption keys) is exactly what gnupg uses to encrypt a
file.   You can go through the document and see the rest of the policies,
whether or not they apply to gnupg as implemented, but at first glance, that
is the case.

-- 
Brian Minton
brian at minton dot name https://brian.minton.name
Live long, and prosper longer!
OpenPGP fingerprint = 8213 71DD 4665 CF4F AE20  2206 0424 DC19 B678 A1A9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 390 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190221/d8e0d299/attachment.sig>

From swedebugia at riseup.net  Fri Feb 22 11:36:02 2019
From: swedebugia at riseup.net (swedebugia)
Date: Fri, 22 Feb 2019 11:36:02 +0100
Subject: Help with SSH and GPG subkey for authentication
Message-ID: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>

Hi

I'm quite a beginner to gnupg.

I would like to have a master key used for both encrypting documents and 
mail and a subkey of that used for SSH.

Following this 
https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html

I first set up the keys:

sec? ed25519/CFCD435B280B6CD2
 ???? created: 2019-02-22? expires: 2021-02-21? usage: SC
 ???? trust: ultimate????? validity: ultimate
ssb? cv25519/4FD4A5C38C7715BB
 ???? created: 2019-02-22? expires: 2021-02-21? usage: E
ssb? ed25519/B84BE844E27BFE21
 ???? created: 2019-02-22? expires: 2021-02-21? usage: A
[ultimate] (1). swedebugia <swedebugia at riseup.net>

(followed these two guides: 
https://www.gniibe.org/memo/software/gpg/keygen-25519.html and 
https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/)

I get this after restarting my gpg-agent:

$ gpg-agent --server
OK Pleased to meet you

and in another terminal:

$ ssh-add -l
The agent has no identities.

My environment is this:

$ env|grep SSH
SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
SSH_AGENT_PID=538
$ gpgconf --list-dirs agent-ssh-socket
/run/user/1000/gnupg/S.gpg-agent.ssh

My configs are attached.

Thanks in advance!

Cheers

swedebugia

-------------- next part --------------
enable-ssh-support
-------------- next part --------------
7338C1836152D95BBCEFF33F45C49516CC810826

From aajaxx at gmail.com  Fri Feb 22 19:23:15 2019
From: aajaxx at gmail.com (Ajax)
Date: Fri, 22 Feb 2019 18:23:15 +0000
Subject: Speedo build of GnuPG v2.2.13 fails for me
In-Reply-To: <CABNaOw-9Jd7PWuTzZE0bTYVwA7w4zJcdNT+LDQUZaW3tYVP8Ww@mail.gmail.com>
References: <CABNaOw8mwJkAKXnNkYCxfDgYOhy0MHtD32aBV_7eF6WmAemBSA@mail.gmail.com>
 <87d0nox5yu.fsf@wheatstone.g10code.de>
 <CABNaOw-aE=F=vR0Okc7TYneToyu5cfityy2A2_kSRvXT+2XE+A@mail.gmail.com>
 <CABNaOw-9Jd7PWuTzZE0bTYVwA7w4zJcdNT+LDQUZaW3tYVP8Ww@mail.gmail.com>
Message-ID: <CABNaOw-qnhJt4TsY65GLiPCiB0C-XuK8nupDiug_pR=OQsaNVw@mail.gmail.com>

On Mon, Feb 18, 2019 at 9:54 PM Ajax <aajaxx at gmail.com> wrote:

>
>
> On Mon, Feb 18, 2019 at 8:10 PM Ajax <aajaxx at gmail.com> wrote:
>
>>
>>
>> On Mon, Feb 18, 2019 at 7:20 PM Werner Koch <wk at gnupg.org> wrote:
>>
>>> On Sun, 17 Feb 2019 20:08, aajaxx at gmail.com said:
>>>
>>> > GnuPG version in swdb.lst is less than this version!
>>> >   This version: 2.2.13
>>> >   SWDB version: 2.2.12
>>>
>>> Something went wrong uploading the version file.  I just repeated it and
>>> it wortks now (try: "build-aux/getswdb.sh"
>>>
>>
>> Any hints where I might  find build-aux on debian stretch?
>>
>
> Thank you for your quick abs suscibct response and please excuse me for ny
> last silly response.
> The speedo build worked fine after using "build-aux/getswdb.sh".
>
> After the speedo build make install gives:
>
> make: *** No rule to make target 'install'.  Stop.
>
> What am I missing now?
>

Missing was  INSTALL_PREFIX=/usr/local

Thanks, all is well now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190222/67c22034/attachment-0001.html>

From johndoe65534 at mail.com  Sat Feb 23 08:06:20 2019
From: johndoe65534 at mail.com (john doe)
Date: Sat, 23 Feb 2019 08:06:20 +0100
Subject: user id question
Message-ID: <cbc92596-b276-8d99-245f-5ae384ba1ae5@mail.com>

Hi,

I'm in the process of creating a gpg key, I have one question though:
Some time I use the name x and sometime I use a shorter form of that
name but the e-mail address is the same.

EG:

first-name last-name <first-name.last-name at example.com>
short-name <first-name.last-name at example.com>

Is it acceptable to have multiple 'user ID's with the same address e-mail?

--
John Doe


From chrisbcoutinho at gmail.com  Sat Feb 23 12:43:10 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Sat, 23 Feb 2019 12:43:10 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
Message-ID: <20190223114310.zd24325lwkd4lafx@tumbleweed>

On Feb-22-19, swedebugia wrote:
>Hi
>
>I'm quite a beginner to gnupg.
>
>I would like to have a master key used for both encrypting documents 
>and mail and a subkey of that used for SSH.
>
>Following this 
>https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
>
>I first set up the keys:
>
>sec? ed25519/CFCD435B280B6CD2
>???? created: 2019-02-22? expires: 2021-02-21? usage: SC
>???? trust: ultimate????? validity: ultimate
>ssb? cv25519/4FD4A5C38C7715BB
>???? created: 2019-02-22? expires: 2021-02-21? usage: E
>ssb? ed25519/B84BE844E27BFE21
>???? created: 2019-02-22? expires: 2021-02-21? usage: A
>[ultimate] (1). swedebugia <swedebugia at riseup.net>
>
>(followed these two guides: 
>https://www.gniibe.org/memo/software/gpg/keygen-25519.html and 
>https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/)
>
>I get this after restarting my gpg-agent:
>
>$ gpg-agent --server
>OK Pleased to meet you
>
>and in another terminal:
>
>$ ssh-add -l
>The agent has no identities.
>
>My environment is this:
>
>$ env|grep SSH
>SSH_AUTH_SOCK=/run/user/1000/gnupg/S.gpg-agent.ssh
>SSH_AGENT_PID=538
>$ gpgconf --list-dirs agent-ssh-socket
>/run/user/1000/gnupg/S.gpg-agent.ssh
>
>My configs are attached.
>
>Thanks in advance!
>
>Cheers
>
>swedebugia
>

>enable-ssh-support

>7338C1836152D95BBCEFF33F45C49516CC810826

>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

What is the key that you in include in the .gnupg/sshcontrol file? On my 
system, it's the authentication subkey's 'keygrip'. I'm not exactly sure 
what the difference is between that and a fingerprint, but you can 
determine what it is using:

$ gpg --list-secret-keys --with-keygrip

Then make sure the keygrip in 'sshcontrol' matches the keygrip of your 
authentication subkey.

Cheers,
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190223/533f1446/attachment.sig>

From peter at digitalbrains.com  Sat Feb 23 14:10:49 2019
From: peter at digitalbrains.com (Peter Lebbing)
Date: Sat, 23 Feb 2019 14:10:49 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <20190223114310.zd24325lwkd4lafx@tumbleweed>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
 <20190223114310.zd24325lwkd4lafx@tumbleweed>
Message-ID: <ad3fff07-4a11-80f8-dcd4-55321c60a79d@digitalbrains.com>

On 23/02/2019 12:43, Chris Coutinho wrote:
> I'm not exactly sure what the difference is between that and a fingerprint

A key's fingerprint is something specific to OpenPGP. It includes
OpenPGP-specific information and formats. As such, it is undefined for
an OpenSSH key or a CMS (X.509) key; it simply doesn't exist.

A keygrip is a short representation of an asymmetric keypair's actual
public key material. For example, it is the same for an RSA key whether
that key is used for an OpenPGP key, an OpenSSH key or a CMS key.
gpg-agent works with keygrips because it provides services to all of
OpenPGP, SSH and CMS. And it allows you to use the same material in
multiple formats that way, such as with the Authentication subkey.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190223/24f526ae/attachment.sig>

From swedebugia at riseup.net  Sat Feb 23 09:14:10 2019
From: swedebugia at riseup.net (swedebugia)
Date: Sat, 23 Feb 2019 09:14:10 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <20190223114310.zd24325lwkd4lafx@tumbleweed>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
 <20190223114310.zd24325lwkd4lafx@tumbleweed>
Message-ID: <d97de61e-0ed6-2b4a-c827-31f53315b022@riseup.net>

On 2019-02-23 12:43, Chris Coutinho wrote:
> On Feb-22-19, swedebugia wrote:
snip

>>
> 
>> enable-ssh-support
> 
>> 7338C1836152D95BBCEFF33F45C49516CC810826
> 
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 
> What is the key that you in include in the .gnupg/sshcontrol file? On my
> system, it's the authentication subkey's 'keygrip'. I'm not exactly sure
> what the difference is between that and a fingerprint, but you can
> determine what it is using:
> 
> $ gpg --list-secret-keys --with-keygrip
> 
> Then make sure the keygrip in 'sshcontrol' matches the keygrip of your
> authentication subkey.
> 
> Cheers,
> Chris

I think I did it correctly. Here is the output of the grip:
$ gpg2 --with-keygrip -k swedebugia
pub   ed25519 2019-02-22 [SC] [expires: 2021-02-21]
      7A2163653A22E7F610FA6B55CFCD435B280B6CD2
      Keygrip = E1A8AB878329A205F4F3A5BD899EAD95996DD344
uid           [ultimate] swedebugia <swedebugia at riseup.net>
sub   cv25519 2019-02-22 [E] [expires: 2021-02-21]
      Keygrip = B0CA7175D7173FC906264F1A55DDE766A572ECFB
sub   ed25519 2019-02-22 [A] [expires: 2021-02-21]
      Keygrip = 7338C1836152D95BBCEFF33F45C49516CC810826

My problem is that neither gpg-agent nor ssh-add gives me debug output
so I can pinpoint the error.

I resorted to creating a separate ssh-key with ssh-keygen instead as it
seems to be a hassle to keep it in gpg and use it from there.

-- 
Cheers Swedebugia

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190223/8700a488/attachment.sig>

From chrisbcoutinho at gmail.com  Sat Feb 23 14:42:00 2019
From: chrisbcoutinho at gmail.com (Chris Coutinho)
Date: Sat, 23 Feb 2019 14:42:00 +0100
Subject: Help with SSH and GPG subkey for authentication
In-Reply-To: <ad3fff07-4a11-80f8-dcd4-55321c60a79d@digitalbrains.com>
References: <553ddad7-8113-6524-6096-14da33fe10b4@riseup.net>
 <20190223114310.zd24325lwkd4lafx@tumbleweed>
 <ad3fff07-4a11-80f8-dcd4-55321c60a79d@digitalbrains.com>
Message-ID: <20190223134200.6fnth23ydciw6eo5@tumbleweed>

On Feb-23-19, Peter Lebbing wrote:
>On 23/02/2019 12:43, Chris Coutinho wrote:
>> I'm not exactly sure what the difference is between that and a fingerprint
>
>A key's fingerprint is something specific to OpenPGP. It includes
>OpenPGP-specific information and formats. As such, it is undefined for
>an OpenSSH key or a CMS (X.509) key; it simply doesn't exist.
>
>A keygrip is a short representation of an asymmetric keypair's actual
>public key material. For example, it is the same for an RSA key whether
>that key is used for an OpenPGP key, an OpenSSH key or a CMS key.
>gpg-agent works with keygrips because it provides services to all of
>OpenPGP, SSH and CMS. And it allows you to use the same material in
>multiple formats that way, such as with the Authentication subkey.
>
>HTH,
>
>Peter.
>
>-- 
>I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
>You can send me encrypted mail if you want some privacy.
>My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>

Thanks for the succinct explanation Peter.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190223/06a77a82/attachment-0001.sig>

From rjh at sixdemonbag.org  Sat Feb 23 14:55:02 2019
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 23 Feb 2019 08:55:02 -0500
Subject: user id question
In-Reply-To: <cbc92596-b276-8d99-245f-5ae384ba1ae5@mail.com>
References: <cbc92596-b276-8d99-245f-5ae384ba1ae5@mail.com>
Message-ID: <70daef56-bd2d-a64e-73a8-12f6a71eb922@sixdemonbag.org>

> Is it acceptable to have multiple 'user ID's with the same address e-mail?

There's nothing forbidding it.  Whether it's a good idea depends on your
own particular use case.

I'd recommend thinking long and hard before doing this, as it's possible
you'll confuse some badly-written workflows somewhere.  But if after
thinking long and hard you decide to go for it, knock yourself out: it's
allowed.  :)



From 2017-r3sgs86x8e-lists-groups at riseup.net  Sat Feb 23 16:34:57 2019
From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA)
Date: Sat, 23 Feb 2019 15:34:57 +0000
Subject: user id question
In-Reply-To: <cbc92596-b276-8d99-245f-5ae384ba1ae5@mail.com>
References: <cbc92596-b276-8d99-245f-5ae384ba1ae5@mail.com>
Message-ID: <997697746.20190223153457@my_localhost_LG>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Saturday 23 February 2019 at 7:06:20 AM, in
<mid:cbc92596-b276-8d99-245f-5ae384ba1ae5 at mail.com>, john doe wrote:-


> Is it acceptable to have multiple 'user ID's with the
> same address e-mail?

Yes. It might be simpler to have a single UID containing only the
email address and with neither form of your name.

- --
Best regards

MFPA                  <mailto:2017-r3sgs86x8e-lists-groups at riseup.net>

The truth is rarely pure and never simple
-----BEGIN PGP SIGNATURE-----

iNUEARYKAH0WIQSWDIYo1ZL/jN6LsL/g4t7h1sju+gUCXHFoIV8UgAAAAAAuAChp
c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0OTYw
Qzg2MjhENTkyRkY4Q0RFOEJCMEJGRTBFMkRFRTFENkM4RUVGQQAKCRDg4t7h1sju
+koDAQDBAEye7byh7617Tv4okXTAwwwimt61xoJiPrZQIe6GkQD/diXY6TJqOind
FdHZRY8C+SFQ/feN79R8i6DY29Ue+QuJApMEAQEKAH0WIQRSX6konxd5jbM7JygT
DfUWES/A/wUCXHFoIV8UgAAAAAAuAChpc3N1ZXItZnByQG5vdGF0aW9ucy5vcGVu
cGdwLmZpZnRoaG9yc2VtYW4ubmV0NTI1RkE5Mjg5RjE3Nzk4REIzM0IyNzI4MTMw
REY1MTYxMTJGQzBGRgAKCRATDfUWES/A/xbTD/0YDxIAVnIl0PiRvfzUQ9I7hmau
6qKsn+BadR+DeAOt1zxoRvCDxH2unzwONde928ak3XGGWFkytmnPpw7Z6Yby7323
ULd+/QGSJqIdjG42b/voYpQI0n/VcGsbXiZgfo+umZzP9i0Ro/UOalBJfOG3TNg4
KWeLrozmbxB3p/FQH2pZ7+VQO2QqOY9UJwEZuw61YlXStyfyd2nHngkIYX06NVXy
zhmJoicMyOQ84nPfapwBE7pA7ooWe6CXpBkz+zvLV2iu+uFPD5GOYhzqTYFsTZaW
GC7hc/WFeNBrH8teEwmmMgHQob/ZMeGVTi5uPGQidz1v1MWsV2bxe8UJEBf0PHld
AYn7v3yfnLmvKB3226yaZSfPNOSe6DtYEO2wOnOyyc4jS4h4xjzMngG4os/tvhm7
epjr7pBWIYeLfufJ3BPRAlIMtdVcmDMeHuhSlB7iPfxfAmd2qMS/HAYDyXNNzdRT
09ywMFz9fVbjA+CQp/fvpZpIOScbIdgSWGOXkKZCy/Di2ImgS4j55nUpx8ZwrpVd
4ZBq3M/PFuOz6E2MymqGSDTeTSQ2Aaw2JtARuuWwH97LiozEOGx8cjqmzcQriH/Z
ZMmyFTjFgLl5Pw3TM7nYmeRSrwdtODubEFRsHr8z/8v3k+jfuEgOV6eEQaVpIalD
aa4BIK8A4bb1hRcF/A==
=/+F+
-----END PGP SIGNATURE-----



From roshii at riseup.net  Sat Feb 23 15:49:03 2019
From: roshii at riseup.net (roshii)
Date: Sat, 23 Feb 2019 15:49:03 +0100
Subject: Serialize a message and parse its ECDSA signature
Message-ID: <28446efb-73ae-f13f-bebe-ddbd267bd4bf@riseup.net>

Hi,

I am playing around with GPG which I'd like to use to sign message and
use the resulting signature binary in another piece of code.

So far I have created a simple PGP packet parser in JuliaLang with which
I think I can successfully extract the elliptic curve point representing
the public key as follows. See GitLab
<https://gitlab.com/braneproject/PGParser.jl> for source code.

```
$ gpg --output pubkey.bin --export 8FAB2B40D753C0F6
```

```

julia> packets = bin2packet("pubkey.bin")
3-element Array{PGPPacket,1}:
?Public-Key Packet
?Length : 79, Partial : false
PublicKey(0x04, 1550079457, scep256k1 Point(?,?):
f05314566c9bfc8d8cf463a7a01e7735245d588a60dd874f09a9636620abb314,
6bda245d43cbbe019ab1ad74316d675dd858cdd776820969bcc21bbccbd3a661)
```

I am then generating a message within Julia, an integer, which needs to
be signed and which I just save to file made of 32 bytes representing
the 256 bits number in big-endian.

But I wonder if this should be serialized in some way? Should their be a
package header indicating to GPG what it is signing for, what length is
has or anything else? Should I maybe follow X.690 for integer encoding?


Next, comes signature parsing which I haven't been able to interpret so
far, finding no hints in RFC4880 or 5480. Nevertheless, I assume the
last 68 bytes must be signature representation with two integer,
preceded by some bytes which looks to be 00ff in the below message.

How should EC signature be parsed exactly? Where would this be documented?
Last but not least, is the signature hashed? And if yes, is there a way
to get it unhashed?


```

julia> z =
99621552382283238930643867389539606415724582999531180113553721867524305282175;
julia> f = open("z.bin","w");
julia> write(f,int2bytes(z))
32

```

```

$ gpg -b -u D753C0F6 z.bin

```

```
julia> packet = bin2packet("z.bin.sig")
1-element Array{PGPPacket,1}:
?Signature Packet
?Length : 117, Partial : false
?Version : 4
?Type : SHA256
SignatureSubPacket[
??? Issuer Fingerprint
??? 041f6132045b4b6c393c48846e8fab2b40d753c0f6,
??? Signature Creation Time
??? 5c70346a]
SignatureSubPacket[
??? Issuer
??? 8fab2b40d753c0f6]
?Hash left : 3462
?scep256k1 signature(?, ?):
"00ff6ae576da68ddbd1a2aff20d450186fdd1a13bbbddc1b9837a19080364f3cd83700ff4727b504b86d667b048147c939b4eafae21203e1235ae6e68aa71477292ea173"

```

All my attempt to verify signature of message provided pub key have so
far failed and so there is clearly something I do not get. I am looking
forward at receiving any tips :)


Thanks upfront

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190223/0e10948a/attachment.html>

From johndoe65534 at mail.com  Sun Feb 24 10:09:52 2019
From: johndoe65534 at mail.com (john doe)
Date: Sun, 24 Feb 2019 10:09:52 +0100
Subject: user id question
In-Reply-To: <997697746.20190223153457@my_localhost_LG>
References: <cbc92596-b276-8d99-245f-5ae384ba1ae5@mail.com>
 <997697746.20190223153457@my_localhost_LG>
Message-ID: <1b3e599f-22f1-dd18-3349-949c2afb5ff0@mail.com>

On 2/23/2019 4:34 PM, MFPA wrote:
> Hi
>
>
> On Saturday 23 February 2019 at 7:06:20 AM, in
> <mid:cbc92596-b276-8d99-245f-5ae384ba1ae5 at mail.com>, john doe wrote:-
>
>
>> Is it acceptable to have multiple 'user ID's with the
>> same address e-mail?
>
> Yes. It might be simpler to have a single UID containing only the
> email address and with neither form of your name.
>
>

Thank you everyone for your answers.

What I understand is that there is no clear convention.

Lets say that my first name 'abcdefgh' is and my short name is 'abcd',
based on this thread I'll use something like:

abcdefgh abcd LAST-NAME <E-MAIL>

Should I put the short name between '()' or quoates or is the above
example the best way forward?

Thanks again for the help/input.

--
John Doe


From farhan at farhan.codes  Sun Feb 24 20:34:02 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Sun, 24 Feb 2019 19:34:02 +0000
Subject: Why Signing key part of Master key
Message-ID: <022355adc2488d5b86c07fc52bf78001@farhan.codes>

Hi all,

I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
question, why is the signing key part of the master key? Why not have it be a subkey? Almost
everywhere I looked, the two were a single key except this site
(http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
functionality worked the same when they the signing key was a subkey versus a part of the master.

Are there any advantages of disadvantages either way?

Thank you,

---
Farhan Khan


From mgorny at gentoo.org  Sun Feb 24 20:51:14 2019
From: mgorny at gentoo.org (=?UTF-8?Q?Micha=C5=82_G=C3=B3rny?=)
Date: Sun, 24 Feb 2019 20:51:14 +0100
Subject: Why Signing key part of Master key
In-Reply-To: <022355adc2488d5b86c07fc52bf78001@farhan.codes>
References: <022355adc2488d5b86c07fc52bf78001@farhan.codes>
Message-ID: <1551037874.21411.6.camel@gentoo.org>

On Sun, 2019-02-24 at 19:34 +0000, Farhan Khan via Gnupg-users wrote:
> Hi all,
> 
> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
> question, why is the signing key part of the master key? Why not have it be a subkey? Almost
> everywhere I looked, the two were a single key except this site
> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
> functionality worked the same when they the signing key was a subkey versus a part of the master.
> 
> Are there any advantages of disadvantages either way?
> 

Gentoo policy [1] requires split signing subkey.  The main advantage is
that you can then store primary key offline, and not have it exposed
the same way subkeys are.

[1]:https://www.gentoo.org/glep/glep-0063.html

-- 
Best regards,
Micha? G?rny
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190224/4e2f2320/attachment-0001.sig>

From farhan at farhan.codes  Sun Feb 24 20:53:53 2019
From: farhan at farhan.codes (Farhan Khan)
Date: Sun, 24 Feb 2019 19:53:53 +0000
Subject: Why Signing key part of Master key
In-Reply-To: <b151b79a-132a-adf7-4c5f-4cd53ffff7cf@sumptuouscapital.com>
References: <b151b79a-132a-adf7-4c5f-4cd53ffff7cf@sumptuouscapital.com>
 <022355adc2488d5b86c07fc52bf78001@farhan.codes>
Message-ID: <379c8fa8d0409e387c49c5cbe9c0a400@farhan.codes>

February 24, 2019 2:39 PM, "Kristian Fiskerstrand" <kristian.fiskerstrand at sumptuouscapital.com>
wrote:

> On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote:
> 
>> Hi all,
>> 
>> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
>> question, why is the signing key part of the master key? Why not have it be a subkey? Almost
>> everywhere I looked, the two were a single key except this site
>> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
>> functionality worked the same when they the signing key was a subkey versus a part of the master.
>> 
>> Are there any advantages of disadvantages either way?
>> 
>> Thank you,
> 
> its mostly a sensible default as people tend to keep key material on
> disk on online computers to begin with.. the benefits of a separate
> primary normally comes out in scenarios with stronger security
> requirement, at which point the manual interaction required to set it
> up isn't the biggest hurdle anyways, but actually keeping up with
> operational security is.
> 
> (note, its not the SC capable primary that is the issue to begin with,
> but actually keeping it isolated, the primary will always be able to
> become signing-capable anyways by updating the flags on its self-signature)
> 
> --
> ----------------------------
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com
> Twitter: @krifisk
> ----------------------------
> Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> ----------------------------
> Corruptissima re publica plurim? leges
> The greater the degeneration of the republic, the more of its laws

I was under the impression that best practice was to keep the master key offline in cold storage.
If so, wouldn't that make having the signing key impossible to use?

And if so, is it possible to remove the Signing functionality from my Certificate key that I already generated?

---
Farhan Khan


From kristian.fiskerstrand at sumptuouscapital.com  Sun Feb 24 20:39:39 2019
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Sun, 24 Feb 2019 20:39:39 +0100
Subject: Why Signing key part of Master key
In-Reply-To: <022355adc2488d5b86c07fc52bf78001@farhan.codes>
References: <022355adc2488d5b86c07fc52bf78001@farhan.codes>
Message-ID: <b151b79a-132a-adf7-4c5f-4cd53ffff7cf@sumptuouscapital.com>

On 2/24/19 8:34 PM, Farhan Khan via Gnupg-users wrote:
> Hi all,
> 
> I am still working on setting up the "perfect" setup. When I created the master, it was [SC]. I
> question, why is the signing key part of the master key? Why not have it be a subkey? Almost
> everywhere I looked, the two were a single key except this site
> (http://openpgpblog.tumblr.com/post/219954494/photos-on-pgp-keys). In my own tests the signing
> functionality worked the same when they the signing key was a subkey versus a part of the master.
> 
> Are there any advantages of disadvantages either way?
> 
> Thank you,

its mostly a sensible default as people tend to keep key material on
disk on online computers to begin with.. the benefits of a separate
primary normally comes out in scenarios with stronger security
requirement, at which point the manual interaction required  to set it
up isn't the biggest hurdle anyways, but actually keeping up with
operational security is.

(note, its not the SC capable primary that is the issue to begin with,
but actually keeping it isolated, the primary will always be able to
become signing-capable anyways by updating the flags on its self-signature)

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurim? leges
The greater the degeneration of the republic, the more of its laws

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190224/125ebb41/attachment.sig>

From oliver at schinagl.nl  Mon Feb 25 07:54:33 2019
From: oliver at schinagl.nl (Olliver Schinagl)
Date: Mon, 25 Feb 2019 07:54:33 +0100
Subject: gpg vs gpgv and trustedkeys
Message-ID: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>

While working on a little project, I found that there seems to be some 
discrepancy on how gpg and gpgv are to be used.

What I am trying to accomplish, is to generate an OS image, which 
contains a public gpg key. The public is added using gpg --import and 
kets added to the newly created pubkey.gpg.

However, the OS image has no need for the full blown gpg and happily 
uses gpgv. However gpgv fails with the (now) well known error that it 
cannot find the trustedkeys.gpg/kbx keyring/box.

The internet has some suggestions that it is needed for gpg to generate 
a special keyring and import the keys into there. However the options 
(no-default-keyring and/or --keyring) are not existant with the gpg 
tools (on alpine and debian) (anymore, I believe gpg1 did have them in 
the past?).

While gpgv still has the options, I don't think the intention was to 
always having to supply a custom keyring to gpgv.

And so it appears that the default used keyring between the generator 
and the validator are miss-matching.

Is this intended? If so, why? And what would be the reason for having 
the two separate keyrings anyway.

For now, I have simply added a hack in that the two files are symlinked, 
this atleast makes gpgv to work as a user would intend. I suppose the
alternative would be to rename the key after installation, but if that 
was the intention, I don't seem to see why the option to use a different 
keyring was removed from gpg to begin with.

Both my Alpine based gpg and gpgv are the same version, gpg (GnuPG) 2.1.18


P.S. Please keep me CC-ed as I am not subsribed.


From michaelholly at discover.com  Mon Feb 25 15:13:32 2019
From: michaelholly at discover.com (Michael Holly)
Date: Mon, 25 Feb 2019 14:13:32 +0000
Subject: Ok this is a stupid questions
Message-ID: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>

So I completely preface this question is not a valid use case for gpg.  I know, I get it.

I have a potential issue that I'm trying to diagnose.  I'm trying to understand how gpg will react to the input file size changing during the encrypt or decrypt step.

Right now it appears that the gpg process goes a bit crazy and the 200 MB file I am decrypting becomes 1.2 TB or greater.

Here is the order of the events


1.       File lands on my system.

2.       PGP decrypt is invoked on the file.

3.       Since the file is not truly done being sent to me, the file grows in size.

4.       GPG seems to expand the decrypted file many times over.

What I suspect is that instead of erroring out, GPG starts the decrypt process over and appends the new output to the previous cycle..   I have not tested this, but will soon.

I just wanted to see if anyone else has seen this happen.

Thanks

Michael






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/2f2d0962/attachment-0001.html>

From justina at colmena.biz  Mon Feb 25 20:27:18 2019
From: justina at colmena.biz (justina colmena)
Date: Mon, 25 Feb 2019 10:27:18 -0900
Subject: Ok this is a stupid questions
In-Reply-To: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
Message-ID: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>

On February 25, 2019 5:13:32 AM AKST, Michael Holly <michaelholly at discover.com> wrote:
> So I completely preface this question is not a valid use case for gpg.
>  I know, I get it.
> 
> I have a potential issue that I'm trying to diagnose.  I'm trying to
> understand how gpg will react to the input file size changing during
> the encrypt or decrypt step.
> 
> Right now it appears that the gpg process goes a bit crazy and the 200
> MB file I am decrypting becomes 1.2 TB or greater.
> 
> Here is the order of the events
> 
> 
> 1.       File lands on my system.
> 
> 2.       PGP decrypt is invoked on the file.
> 
> 3.       Since the file is not truly done being sent to me, the file
> grows in size.
> 
> 4.       GPG seems to expand the decrypted file many times over.
> 
> What I suspect is that instead of erroring out, GPG starts the decrypt
> process over and appends the new output to the previous cycle..   I
> have not tested this, but will soon.
> 
> I just wanted to see if anyone else has seen this happen.
> 
> Thanks
> 
> Michael

News media questions?

Many times it is the case that large files are compresssed before being encrypted, and there are certain information-theoretical reasons to do so.

Aside from efficiency and possibly a slightly better security, it is absolutely impossible to compress files after they are encrypted because the repetitive or redundant patterns, on which the compression is based, are precisely what is obfuscated and concealed by the encryption.

In any case, if the file was compressed before encryption, then it will have to be expanded back to its original size after decryption.

Then there is the base64 ASCII armor, which causes a ciphertext expansion to the tune of some 35% by using only 6 of the 8 bits of each byte plus extra formatting for new lines and such.

So how did the Firstlook Media reporters from The Intercept come to give up their GPG keys and go so mainstream corporate? They never got along all that well with the military, and they're not even remotely "alternative" anymore if they ever were. It's all establishment Democrat party line mainstream media, and "Don't you dare try to get smart and buck the labor union!" Holed up in Brazil somewhere pushing that atrocious "7me" spyware app on my Android phone as if that gay male reporter is suddenly a good Christian sitting on the church pew keeping the Sabbath so obediently on the Seventh Day and circumcising his kids under the law of Moses.

That's why I have to call foul play on proprietary operating systems. Encryption is theoretical only: in practice useless, moot, crippled, broken, and terminally back-doored with all the malware, adware, spyware, worms, viruses, trojans, keyloggers, and screenscrapers inherent to such systems as Google Android, Microsoft Windows, and Apple OS. The Democrats will stop at nothing to keep it that way at all costs, and the Republicans just don't care.
-- 
Una Milicia bien regulada, estando necesaria a la seguridad de un Estado libre, el derecho del pueblo de tener y de portar Armas, no ser? infringido.

https://www.colmena.biz/~justina/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/3dc8b24f/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 683 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/3dc8b24f/attachment.sig>

From vedaal at nym.hush.com  Mon Feb 25 22:02:50 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Mon, 25 Feb 2019 16:02:50 -0500
Subject: Ok this is a stupid questions
In-Reply-To: <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
 <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz> 
Message-ID: <20190225210252.775A8C017A@smtp.hushmail.com>



On 2/25/2019 at 2:29 PM, "justina colmena via Gnupg-users"  wrote:   
That's why I have to call foul play on proprietary operating systems.
Encryption is theoretical only: in practice useless, moot, crippled,
broken, and terminally back-doored with all the malware, adware,
spyware, worms, viruses, trojans, keyloggers, and screenscrapers
inherent to such systems as Google Android, Microsoft Windows, and
Apple OS. The Democrats will stop at nothing to keep it that way at
all costs, and the Republicans just don't care.

=====
Maybe *proprietary* encryption is theoretical only.What problems do
you have with GnuPG as a FOSS program ?
Ordinarily, I'm on the cautious, [maybe even borderline paranoid ;-) 
] side of things, and I don't just trust things lightly.
But I *DO* trust GnuPG, WK, and the host of other people who have put
the time and effort into GnuPG, releasing the source code routinely so
that it can be compiled by the end user on FOSS platforms (Linux,
Ubuntu. etc.)
You sound capable enough to review source-code, and use a Linux
variant.
Why do you think GnuPG is useless if you check the source-code, run it
on hardware you trust, and a Linux variant you trust, with a
Chromium/Iron browser, and avoid anything google or microsoft or apple
or any non-FOSS product? 
If I misunderstand you, and your beef is not with GnuPG, only with
Google, Android, MS, apple etc.then I apologize.
That said, can i ask you to trim your posts from the political rants,
much as they may be deserved.
There are other forums ideally suited to that.
Thanks.
vedaal

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/cffd651c/attachment.html>

From marcel.waldvogel at uni-konstanz.de  Mon Feb 25 18:01:22 2019
From: marcel.waldvogel at uni-konstanz.de (Marcel Waldvogel)
Date: Mon, 25 Feb 2019 18:01:22 +0100
Subject: git.gnupg.org: Certificate expired
Message-ID: <bb911fb4a202ef53806fe73c68fa6dbce67a28cb.camel@uni-konstanz.de>

Hi,

this is probably not the right place to post, but I did not find
anything more appropriate:

The certificate for git.gnupg.org expired yesterday. Could someone with
the appropriate privileges please fix this?

Thanks,
-Marcel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/604ebef3/attachment-0001.sig>

From andrei at bislog.se  Mon Feb 25 19:53:17 2019
From: andrei at bislog.se (Andrei Fokau)
Date: Mon, 25 Feb 2019 19:53:17 +0100
Subject: Weird locale at passphrase step
Message-ID: <CAOoN8huLczbxY8iQSAPLmmCMNLckXrSMu3O+qNcgPCzQH2yz=Q@mail.gmail.com>

Hello,

I have just installed GnuPG on macOS Mojave using Homebrew. When I try to
generate a new key I can go through almost all steps seeing messages and
dialogs in English, but when it asks my passphrase, I see:

[image: image.png]

My GnuPG version and locale:

$ gpg --version
gpg (GnuPG) 2.2.13
libgcrypt 1.8.4

$ echo $LANGUAGE
en_US.UTF-8

$ locale
LANG="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_ALL="en_US.UTF-8"

How do I fix this?

Thanks,
Andrei
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/988f152e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 31993 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/988f152e/attachment-0001.png>

From angel at pgp.16bits.net  Mon Feb 25 23:32:06 2019
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Mon, 25 Feb 2019 23:32:06 +0100
Subject: Ok this is a stupid questions
In-Reply-To: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
Message-ID: <1551133926.1070.10.camel@16bits.net>

On 2019-02-25 at 14:13 +0000, Michael Holly wrote:
> What I suspect is that instead of erroring out, GPG starts the decrypt
> process over and appends the new output to the previous cycle..   I
> have not tested this, but will soon. 
>
> I just wanted to see if anyone else has seen this happen.
> 
Not that it couldn't happen, but I find strange gpg would do that.
Erroring out would make more sense. Note that GnuPG can work in filter
mode, so you can do
 cat incomplete_file | gpg -d > output_file   (*)

in which case it really can't start over.

I don't think it would process things differently, but worth trying. How
are you invoking gpg? Which version are you running?


(*) Yes, this is an useless use of cat? In fact, it's quite likely cat
will be faster than whatever is transferring the file, piping eg. 
wget -O - would make more sense.
(**) Remember that even though you are getting an incomplete output,
unless the gpg terminates with no error after verifying the data,
**there's no guarantee about the contents** Don't pipe that output to
bash or otherwise treat as trusted data! Wait to the next command for
that (after verifying that gpg is ok with what was provided).


Cheers

?ngel




From dkg at fifthhorseman.net  Tue Feb 26 00:03:52 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 25 Feb 2019 18:03:52 -0500
Subject: git.gnupg.org: Certificate expired
In-Reply-To: <bb911fb4a202ef53806fe73c68fa6dbce67a28cb.camel@uni-konstanz.de>
References: <bb911fb4a202ef53806fe73c68fa6dbce67a28cb.camel@uni-konstanz.de>
Message-ID: <87d0nfpj1j.fsf@fifthhorseman.net>

On Mon 2019-02-25 18:01:22 +0100, Marcel Waldvogel wrote:
> this is probably not the right place to post, but I did not find
> anything more appropriate:
>
> The certificate for git.gnupg.org expired yesterday. Could someone with
> the appropriate privileges please fix this?

It's probably a fine place.  The last time this happened was on November
24 (3 months ago!) and it was reported on gnupg-devel:

   Message-Id: <SUSPXOTL.BLSDAVSX.BAE6GEH5 at SCUKSX4A.M4UW445T.L6OC2ZQ6>

Perhaps the certificate update mechanism (it appears to be Let's
Encrypt) needs to be automated into refreshing the webserver when a new
certificate is issued.

Thanks for the report.

            --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/701b7103/attachment.sig>

From dkg at fifthhorseman.net  Tue Feb 26 00:47:08 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 25 Feb 2019 18:47:08 -0500
Subject: Weird locale at passphrase step
In-Reply-To: <CAOoN8huLczbxY8iQSAPLmmCMNLckXrSMu3O+qNcgPCzQH2yz=Q@mail.gmail.com>
References: <CAOoN8huLczbxY8iQSAPLmmCMNLckXrSMu3O+qNcgPCzQH2yz=Q@mail.gmail.com>
Message-ID: <875zt7ph1f.fsf@fifthhorseman.net>

On Mon 2019-02-25 19:53:17 +0100, Andrei Fokau wrote:

> I have just installed GnuPG on macOS Mojave using Homebrew. When I try to
> generate a new key I can go through almost all steps seeing messages and
> dialogs in English, but when it asks my passphrase, I see

 [ image of cyrillic glyphs and U+FFFD REPLACEMENT CHARACTER symbols ]

It sounds to me like the gpg-agent process that is running on your
system has a different locale.

GnuPG asks the agent for a new passphrase, which in turn displays the
prompt.

> How do I fix this?

unfortunately, it depends on how your gpg-agent is initialized, which we
don't have enough information on here.  perhaps it was launched before
your locale was set to en_US.UTF-8?

One thing you can try as a workaround is to kill off the gpg-agent and
it should get manually restarted on subsequent use:

   gpgconf --kill gpg-agent

maybe someone with more info about how MacOS and Homebrew manage
per-user services can weigh in on better workarounds, or suggest a more
principled fix for that platform.

       --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190225/7e08b058/attachment.sig>

From dkg at fifthhorseman.net  Tue Feb 26 07:45:51 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 26 Feb 2019 01:45:51 -0500
Subject: gpg vs gpgv and trustedkeys
In-Reply-To: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>
References: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>
Message-ID: <87ftsbnj34.fsf@fifthhorseman.net>

On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:
> What I am trying to accomplish, is to generate an OS image, which 
> contains a public gpg key. The public is added using gpg --import and 
> kets added to the newly created pubkey.gpg.

I think your description here is missing some background: why do you
need the public OpenPGP key in your OS image?

If the goal is just to use it with gpgv (e.g. to verify software updates
or some other post-build artifact that you'll fetch over the network)
then i recommend just explicitly pointing gpgv at the curated keyring
using --keyring, and not bothering with public.gpg or anything else.

This is the best approach because it lets you precisely control what is
being checked against, and you don't have to worry that other uses of
~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check
you're hoping to make strong.

if you want an analogous example, check out the best-pratice guidance in
https://wiki.debian.org/DebianRepository/UseThirdParty about using
isolated keys per repository (with apt's Signed-By: options).

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/0ca025de/attachment.sig>

From dkg at fifthhorseman.net  Tue Feb 26 08:35:25 2019
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 26 Feb 2019 02:35:25 -0500
Subject: Why Signing key part of Master key
In-Reply-To: <379c8fa8d0409e387c49c5cbe9c0a400@farhan.codes>
References: <b151b79a-132a-adf7-4c5f-4cd53ffff7cf@sumptuouscapital.com>
 <022355adc2488d5b86c07fc52bf78001@farhan.codes>
 <379c8fa8d0409e387c49c5cbe9c0a400@farhan.codes>
Message-ID: <874l8rngsi.fsf@fifthhorseman.net>

On Sun 2019-02-24 19:53:53 +0000, Farhan Khan via Gnupg-users wrote:
> I was under the impression that best practice was to keep the master
> key offline in cold storage.

"best practice" for some is "unusable complexity" for others :) If it
works for you, it's probably not unreasonable to keep the primary key
offline in cold storage.  But remember that what that does is to protect
the primary key itself -- if you've got subkeys that are capable of
acting as you (with the exception of making OpenPGP certifications),
those subkeys are not protected by keeping the primary key offline.

> If so, wouldn't that make having the signing key impossible to use?

sure, but there's nothing stopping an "SC-capable" primary key from
*also* certifying another S-capable subkey, and using that one, if the
primary key is kept offline.

> And if so, is it possible to remove the Signing functionality from my
> Certificate key that I already generated?

the "change-usage" subcommand to "gpg --edit-key" might be what you're
looking for.  it's documented in more recent versions of the gpg(1) man
page.

            change-usage
                     Change the usage flags (capabilities) of the primary  key
                     or  of  subkeys.   These usage flags (e.g. Certify, Sign,
                     Authenticate,  Encrypt)  are  set  during  key  creation.
                     Sometimes  it is useful to have the opportunity to change
                     them (for example to add Authenticate)  after  they  have
                     been  created.  Please take care when doing this; the al?
                     lowed usage flags depend on the key algorithm.

Note that if you do this after having sent messages signed by the
primary key, it's not clear what the behavior will be for someone who
reads those signed messages after fetching your updated OpenPGP
certificate.  Should the message signature be invalid because the
primary key is no longer signing-capable?

Also note that OpenPGP certificates are built and updated by
aggregation.  So if you change your primary key's usage flags, that'll
simply be a new set of self-signatures that makes this change.

Anyone who wants to build a composite OpenPGP certificate from your key
material by filtering out this change can easily do so, producing a
certificate that is appears to still be SC-capable.  Reasonable OpenPGP
clients that see this certificate *and* your updated one will merge them
and respect the most recent usage flags. But does everyone you
correspond with use a reasonable OpenPGP client and have access to your
update certificate?  (exercise left to the reader?)

           --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/1ea9552e/attachment.sig>

From ciprian.craciun at gmail.com  Tue Feb 26 10:02:59 2019
From: ciprian.craciun at gmail.com (Ciprian Dorin Craciun)
Date: Tue, 26 Feb 2019 11:02:59 +0200
Subject: Question about the security of the GnuPG Agent with regard to
 cryptographic material scrubbing
Message-ID: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>

Hello all!

Given the recent survey in password managers security [1], which
concluded with their failure to properly sanitize / scrub the
sensitive data (i.e. "master key") in "running locked state", I was
wondering how does GnuPG Agent fare in this regard?

More specifically:
* let's assume that one uses GnuPG Agent;  (only for PGP;)
* the user enters the password for a particular private key;
* (one assumes that the password was used to get the private key
cryptographic material, and then scrubbed;)
* then `--max-cache-ttl` seconds passes;
* one assumes that the private key cryptographic material is now scrubbed;

Is this expectation correct?


Is there some external analysis about the security of the agent with
regard to the scrubbing of both passwords and cryptographic material?

Thanks,
Ciprian.


[1] https://www.securityevaluators.com/casestudies/password-manager-hacking/




P.S.:  My interest in this subject is because I have a "custom"
password-manager implemented on-top of GnuPG, which I'm sure leaks
passwords all over the place (because it's written in Bash, and uses
various X tools, none made for security).  However I am curios how
"safe" the actual GnuPG agent really is.


From ciprian.craciun at gmail.com  Tue Feb 26 12:54:01 2019
From: ciprian.craciun at gmail.com (Ciprian Dorin Craciun)
Date: Tue, 26 Feb 2019 13:54:01 +0200
Subject: Question about the security of the GnuPG Agent with regard to
 cryptographic material scrubbing
In-Reply-To: <CAEHSPzpRvsCh=EPp=bQKMVxS6tvTpzxZrKA15O4io-iWH8AopA@mail.gmail.com>
References: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
 <CAEHSPzpRvsCh=EPp=bQKMVxS6tvTpzxZrKA15O4io-iWH8AopA@mail.gmail.com>
Message-ID: <CA+Tk8fy9DbnkAvYC4m70K=rsJW-wuMdPs_qtbqBAgaEzOMoJBg@mail.gmail.com>

On Tue, Feb 26, 2019 at 12:58 PM Sarun Intaralawan
<sarunint at sarunint.com> wrote:
> I'm not able to answer your main question, but I believe it is you explained. However, regarding the matter in P.S., I'm glad to inform you that such a tool exists. It is called pass [1] and it is fully integrated with GnuPG and Git. So you can backup your password like a Git repository.


I know about that tool, however it is unfortunately written also in
Bash, which as my own implementation has countless ways to
(permanently) leak the password.

For example take the following commit:
    https://git.zx2c4.com/password-store/commit/src/password-store.sh?id=367efa5846492e1b0898aad8a2c26ce94163ba24

Which has the following change:
~~~~
- $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}"
<<<"$password" || die "Password encryption aborted."
+ echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
"${GPG_OPTS[@]}" || die "Password encryption aborted."
~~~~

In was committed in 2018, but the tool is from 2015, thus in the
interim all the passwords were leaked into `$TMPDIR` and thus on the
disk, which in most cases is actually the `rootfs`.  Thus without much
effort, one can take out the HDD, and just run a file-system recovery
tool to recover deleted files, or dump ASCII tokens, and thus get
access to the used passwords.


I'm not criticizing the `pass` tool, as I know myself how hard it is
to write a tool that doesn't leak data, however any such tool should
come with a big warning to its users.

Unfortunately on the project page there is no mention of its security
weaknesses or any hint to the users about possible data leaks.

Ciprian.


From sarunint at sarunint.com  Tue Feb 26 11:58:22 2019
From: sarunint at sarunint.com (Sarun Intaralawan)
Date: Tue, 26 Feb 2019 17:58:22 +0700
Subject: Question about the security of the GnuPG Agent with regard to
 cryptographic material scrubbing
In-Reply-To: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
References: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
Message-ID: <CAEHSPzpRvsCh=EPp=bQKMVxS6tvTpzxZrKA15O4io-iWH8AopA@mail.gmail.com>

Hi Caprian,

I'm not able to answer your main question, but I believe it is you
explained. However, regarding the matter in P.S., I'm glad to inform you
that such a tool exists. It is called pass [1] and it is fully integrated
with GnuPG and Git. So you can backup your password like a Git repository.

There's also Android and iOS implementation of pass.

Hope this helps.

Regards,
Sarun

[1]: https://www.passwordstore.org

On Tue, 26 Feb 2019, 17:47 Ciprian Dorin Craciun, <ciprian.craciun at gmail.com>
wrote:

> Hello all!
>
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
>
> More specifically:
> * let's assume that one uses GnuPG Agent;  (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds passes;
> * one assumes that the private key cryptographic material is now scrubbed;
>
> Is this expectation correct?
>
>
> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?
>
> Thanks,
> Ciprian.
>
>
> [1]
> https://www.securityevaluators.com/casestudies/password-manager-hacking/
>
>
>
>
> P.S.:  My interest in this subject is because I have a "custom"
> password-manager implemented on-top of GnuPG, which I'm sure leaks
> passwords all over the place (because it's written in Bash, and uses
> various X tools, none made for security).  However I am curios how
> "safe" the actual GnuPG agent really is.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/163cb7b7/attachment.html>

From michaelholly at discover.com  Tue Feb 26 14:10:35 2019
From: michaelholly at discover.com (Michael Holly)
Date: Tue, 26 Feb 2019 13:10:35 +0000
Subject: Ok this is a stupid questions
In-Reply-To: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
Message-ID: <DM5PR19MB14203F49F563E0FB2750E3FBBF7B0@DM5PR19MB1420.namprd19.prod.outlook.com>

Hello

As a follow up to my previous post,  let me emphasize the size expansion is not related to the compression that is applied during encryption.  My issue is that I have files that are being transferred to me, and for a cause that I am trying to track down, gpg begins to decrypt before the file has fully arrived.  From my perspective it appears to send gpg into a tailspin.  The process seems to be able to continue for a week or more and does not seem to complete.

>From a design perspective, I expect the usual replies of "if that is not what you want to do then don't do it".   Yes I know. What I am looking to do is to be able to understand why it goes into this race condition instead of erroring out.
My ask of the gpg listers, is has anyone ever seen this behavior?


From: Michael Holly
Sent: Monday, February 25, 2019 8:14 AM
To: gnupg-users at gnupg.org
Subject: Ok this is a stupid questions

So I completely preface this question is not a valid use case for gpg.  I know, I get it.

I have a potential issue that I'm trying to diagnose.  I'm trying to understand how gpg will react to the input file size changing during the encrypt or decrypt step.

Right now it appears that the gpg process goes a bit crazy and the 200 MB file I am decrypting becomes 1.2 TB or greater.

Here is the order of the events


1.       File lands on my system.

2.       PGP decrypt is invoked on the file.

3.       Since the file is not truly done being sent to me, the file grows in size.

4.       GPG seems to expand the decrypted file many times over.

What I suspect is that instead of erroring out, GPG starts the decrypt process over and appends the new output to the previous cycle..   I have not tested this, but will soon.

I just wanted to see if anyone else has seen this happen.

Thanks

Michael






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/3720ae7b/attachment-0001.html>

From andrewg at andrewg.com  Tue Feb 26 15:03:21 2019
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 26 Feb 2019 14:03:21 +0000
Subject: Question about the security of the GnuPG Agent with regard to
 cryptographic material scrubbing
In-Reply-To: <CA+Tk8fy9DbnkAvYC4m70K=rsJW-wuMdPs_qtbqBAgaEzOMoJBg@mail.gmail.com>
References: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
 <CAEHSPzpRvsCh=EPp=bQKMVxS6tvTpzxZrKA15O4io-iWH8AopA@mail.gmail.com>
 <CA+Tk8fy9DbnkAvYC4m70K=rsJW-wuMdPs_qtbqBAgaEzOMoJBg@mail.gmail.com>
Message-ID: <93c45378-a0b9-dbe6-207f-520d0f7e21d9@andrewg.com>

On 26/02/2019 11:54, Ciprian Dorin Craciun wrote:
> Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

Indeed, but if you use one of the standard web browsers your session
tokens are also stored on disk, by default unencrypted, and in many
cases these are equivalent to passwords (depending on the website).

Password managers address the issue of a network attacker. They don't
directly solve the problem of an attacker who has physical access to
your device. An encrypted drive is a better way to prevent an attacker
getting access to sensitive material on disk (not only passwords).

So while the problem you identify is bad, it's not fatal.

-- 
Andrew Gallagher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/9f5de97e/attachment.sig>

From sac at 300baud.de  Tue Feb 26 16:26:04 2019
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 26 Feb 2019 16:26:04 +0100
Subject: AW: Ok this is a stupid questions
In-Reply-To: <20190225210252.775A8C017A@smtp.hushmail.com>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
 <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>
 <20190225210252.775A8C017A@smtp.hushmail.com>
Message-ID: <mailman.16.1551194773.30378.gnupg-users@gnupg.org>


Von: vedaal via Gnupg-users
Gesendet: Montag, 25. Februar 2019 22:09
An: justina colmena; gnupg-users at gnupg.org
Betreff: Re: Ok this is a stupid questions

Why do you think GnuPG is useless if you check the source-code, run it on hardware you trust, and a Linux variant you trust, with a Chromium/Iron browser, and avoid anything google or microsoft or apple or any non-FOSS product??

Why do you think FOSS is more secure? Do you think that people
always check the source code, with every release of their OS updates or the GnuPG updates? I doubt that. And how about FOSS developers? Do they regularly check their sites if the code was exchanged and if their keys are already compromised? The detached signatures or hashes of FOSS software are not time stamped. Is / was FOSS, like GnuPG, ever audited by major and trustworthy institutions, were users could read reports about their findings? Can you always trust developers, because they have many sigs on their keys but not sign back the signers keys?
I have learned in the past trust nobody. Therefore I would not rely
on  people from the GnuPG ecosystem and what they say.

Last but not least don?t forget rule 41, for example, which allows the FBI to hack computers worldwide. And if they can hack and access computers then others can do so too. You also never read here best practice tips like use a second computer, not connected to the Internet, and GnuPG in command line mode. ?
Regards
Stefan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/2bf4a15d/attachment.html>

From vedaal at nym.hush.com  Tue Feb 26 19:57:01 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 26 Feb 2019 13:57:01 -0500
Subject: AW: Ok this is a stupid questions
In-Reply-To: <20190226152942.7E012A0AD8@smtp2.hushmail.com>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
 <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>
 <20190225210252.775A8C017A@smtp.hushmail.com>
 <20190226152942.7E012A0AD8@smtp2.hushmail.com> 
Message-ID: <20190226185702.9EA37C015E@smtp.hushmail.com>



On 2/26/2019 at 10:29 AM, "Stefan Claas"  wrote:
	Von: vedaal via Gnupg-users
Gesendet: Montag, 25. Februar 2019 22:09
An: justina colmena; gnupg-users at gnupg.org
Betreff: Re: Ok this is a stupid questions
	Why do you think GnuPG is useless if you check the source-code, run
it on hardware you trust, and a Linux variant you trust, with a
Chromium/Iron browser, and avoid anything google or microsoft or apple
or any non-FOSS product? 
	I have learned in the past trust nobody. Therefore I would not rely

	on  people from the GnuPG ecosystem and what they say.

	 =====

	It depends on how realistic your threat model is.

	For someone in a politically repressive regime who is being targeted,
yes, trust should be very limited, and clearly earned.

	For those  whose threat model is criminal hacking by individual
opportunists,  there is a certain leeway.

	When i first started out, I knew people who read every single line of
PGP 2.x sourcecode, and even today, refuse to migrate to gnupg because
they haven't the time to read all the code.

	(Although some have considered that if there would be a minimalist
version, with a small enough code to read, they would definitely use
it.)

	These people routinely 'airgap' their encrypting functions.

	I respect it, 

	but there is literally no end to how paranoid one can be ...

	For example, has anyone you know, ever checked how the compilers
work?  (Reviewed gcc's source code, and the hardware necessary to make
it run, to ensure that nothing is 'added/subtracted/altered' when it
gets to machine language? Even more difficult when it is a proprietary
compiler.)

	GnuPG is offering a FOSS privacy tool.

	One can scrutinize it, appreciate it, and say thank you,

	or be paranoid enough to never use it,

	or some other in-between balance, that's comfortable for the
individual's threat model.
	The gnupg-users list can help with clearing up technical questions
and let the users decide for themselves.
	vedaal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/47f03571/attachment-0001.html>

From sac at 300baud.de  Tue Feb 26 21:28:12 2019
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 26 Feb 2019 21:28:12 +0100
Subject: Ok this is a stupid questions
In-Reply-To: <20190226185702.9EA37C015E@smtp.hushmail.com>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
 <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>
 <20190225210252.775A8C017A@smtp.hushmail.com>
 <20190226152942.7E012A0AD8@smtp2.hushmail.com>
 <20190226185702.9EA37C015E@smtp.hushmail.com>
Message-ID: <20190226212812.5559ac4a@iria.my-fqdn.de>

Am Tue, 26 Feb 2019 13:57:01 -0500
schrieb vedaal at nym.hush.com:

> On 2/26/2019 at 10:29 AM, "Stefan Claas"  wrote:

>> I have learned in the past trust nobody. Therefore I would
>> not rely on  people from the GnuPG ecosystem and what they say.

> It depends on how realistic your threat model is.

Well, mine is actually very low, otherwise I would only read the
list via Tor, for tips and tricks and don't publish keys on key
servers, nor use smtp to submit encrypted messages. ;-)

> For example, has anyone you know, ever checked how the
> compilers work?  (Reviewed gcc's source code, and the hardware
> necessary to make it run, to ensure that nothing is
> 'added/subtracted/altered' when it gets to machine language? Even
> more difficult when it is a proprietary compiler.)

You bring up an interesting question, imho ... Let's assume the
tool chain is in good condition, but do you / we know if FOSS
coders use online computers to code and do we know if their computers
are hacked too?

And if so, do coders have always checksums handy (on paper) for
comparison or are superior Linux tools availabe which would
detect changes immediately?

And maybe another FOSS point? How about issuing Warrant Canaries?

I have seen that VeraCrypt does this.

Regards
Stefan


From andrei at bislog.se  Tue Feb 26 19:31:42 2019
From: andrei at bislog.se (Andrei Fokau)
Date: Tue, 26 Feb 2019 19:31:42 +0100
Subject: Weird locale at passphrase step
In-Reply-To: <875zt7ph1f.fsf@fifthhorseman.net>
References: <CAOoN8huLczbxY8iQSAPLmmCMNLckXrSMu3O+qNcgPCzQH2yz=Q@mail.gmail.com>
 <875zt7ph1f.fsf@fifthhorseman.net>
Message-ID: <CAOoN8hsx09b5qhzwcG=61_AXPXAOV2z3jNwdRScnJ=Nz7jEb4w@mail.gmail.com>

That command fixed it! Thanks a lot!

Still curious how it picked up the other locale... I do have russian layout
as one of the input sources but have never set locale to ru and the system
was always in English.
In some cases the agent shows another dialog that is half-english and
half-broken-cyrillic. Very weird.

Thanks,
Andrei


On Tue, Feb 26, 2019 at 12:52 AM Daniel Kahn Gillmor <dkg at fifthhorseman.net>
wrote:

> On Mon 2019-02-25 19:53:17 +0100, Andrei Fokau wrote:
>
> > I have just installed GnuPG on macOS Mojave using Homebrew. When I try to
> > generate a new key I can go through almost all steps seeing messages and
> > dialogs in English, but when it asks my passphrase, I see
>
>  [ image of cyrillic glyphs and U+FFFD REPLACEMENT CHARACTER symbols ]
>
> It sounds to me like the gpg-agent process that is running on your
> system has a different locale.
>
> GnuPG asks the agent for a new passphrase, which in turn displays the
> prompt.
>
> > How do I fix this?
>
> unfortunately, it depends on how your gpg-agent is initialized, which we
> don't have enough information on here.  perhaps it was launched before
> your locale was set to en_US.UTF-8?
>
> One thing you can try as a workaround is to kill off the gpg-agent and
> it should get manually restarted on subsequent use:
>
>    gpgconf --kill gpg-agent
>
> maybe someone with more info about how MacOS and Homebrew manage
> per-user services can weigh in on better workarounds, or suggest a more
> principled fix for that platform.
>
>        --dkg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190226/b6f6933c/attachment.html>

From kara_da at xiala.net  Tue Feb 26 21:37:17 2019
From: kara_da at xiala.net (Daniel)
Date: Tue, 26 Feb 2019 21:37:17 +0100
Subject: Newbie: Installing Build Dependencies to gnupg-2.2.13 update from
 gnupg 2.0.22 on Ubuntu 14.04 LTS failed
Message-ID: <1141de1a-14fd-4f6b-3786-a531908cc762@xiala.net>

dear members of gnupg-users,

prolog:

hello my name is daniel. if i may introduce myself, i'm not an entirely 
sophisticated or seasoned unix/linux user and usually dependend on 
whatever snippets of information i can find in forums and on the web 
that give me usually a ballpark idea of what i can or cannot do via the 
command line. i understand that this approach doesn't always make sense 
or seems abit farfetched to the more experienced programmer. that said, 
i recently learned when trying to update my outmoded gnupg 2.0.22 on my 
Ubuntu 14.04 LTS distro, that i ran into some major issues for which i'm 
currently looking for advice on how to resolve them and get my update to 
work. so, if there's anyone who has the patience and the time necessary 
to give this problem a fair introspection, your help would be greatly 
appreciated. thanks.

the deal:

trying to install gnupg-2.2.13 on Ubuntu 14.04 LTS, including build 
dependencies libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3, 
libksba-1.3.5, npth-1.6, pinentry-1.1.0 & gpg-agent

history/approach:

largely dependend on the information i deployed from a website called 
https://gist.github.com/vt0r/a2f8c0bcb1400131ff51

i tried and followed the instructions there blindly, save for a few 
alterations. 1. for instance i wrote (copy/paste) each line of code 
separately for each building routine, instead of using &&. 2. I also did 
a detailed log of each command (copy/paste) that I ran on the shell in 
gedit, for each building block, including error messages that I got in 
return. 3. instead of https://www.gnupg.org/ftp/gcrypt/ as the 
mainsource from which to recover the tarball, I used for instance
$ sudo wget -c ftp://ftp.gnupg.org/gcrypt/pinentry/pinentry-1.1.0.tar.bz2

as the protocol on the website suggest, i first cleaned up the older 
GNuPG 2.0.22 build, by sudo apt-get --purge remove gnupg2
mistakenly, I also removed gnupg-agent at first, because I thought it 
also took an updated version. however re-installed gnupg-agent at a 
later point in the process, when my enigmail add-on to thunderbird, 
seemed to have trouble making the connection.

the next step I created directory /var/src/gnupg22 with mkdir.

the contents of var/src/gnupg22 currently look like this:

daniel at daniel-ThinkPad-X240:/var/src/gnupg22$ ls
gnupg-2.2.10.tar.bz2         libgcrypt-1.8.4.tar.gz.sig
gnupg-2.2.10.tar.bz2.sig     libgpg-error-1.32.tar.gz
gnupg-2.2.13                 libgpg-error-1.32.tar.gz.sig
gnupg-2.2.13.tar.bz2         libgpg-error-1.35
gnupg-2.2.13.tar.bz2.sig     libgpg-error-1.35.tar.gz
index.html                   libgpg-error-1.35.tar.gz.sig
libassuan-2.5.1.tar.bz2      libksba-1.3.5
libassuan-2.5.1.tar.bz2.sig  libksba-1.3.5.tar.bz2
libassuan-2.5.3              libksba-1.3.5.tar.bz2.sig
libassuan-2.5.3.tar.bz2      npth-1.6
libassuan-2.5.3.tar.bz2.sig  npth-1.6.tar.bz2
libgcrypt-1.8.3.tar.gz       npth-1.6.tar.bz2.sig
libgcrypt-1.8.3.tar.gz.sig   pinentry-1.1.0
libgcrypt-1.8.4              pinentry-1.1.0.tar.bz2
libgcrypt-1.8.4.tar.gz       pinentry-1.1.0.tar.bz2.sig

I did check and verify each signature of the respective tarball file!

installation procedure:

then I ran in the same order as on the website the complete /.configure 
cycle, including

$ ./configure --prefix=/usr
$ make
$ make check
$ sudo make install

for the configuration of pinentry for instance, the return i got was:

	Pinentry v1.1.0 has been configured as follows:

	Revision:  02df3d2  (735)
	Platform:  x86_64-pc-linux-gnu

	Curses Pinentry ..: no
	TTY Pinentry .....: yes
	Emacs Pinentry ...: no
	GTK+-2 Pinentry ..: yes
	GNOME 3 Pinentry .: no
	Qt Pinentry ......: no
	TQt Pinentry .....: no
	W32 Pinentry .....: no
	FLTK Pinentry ....: no

	Fallback to Curses: no
	Emacs integration : yes

	libsecret ........: no

	Default Pinentry .: pinentry-gtk-2

now for instance if i run: $ aptitude search pinentry-gtk-2

i get no search results in return! same is true for all other build 
dependencies (libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3, 
libksba-1.3.5, npth-1.6, pinentry-1.1.0),  including gnupg-2.2.13.

one of the main problems of the build, seemed that libraries like 
libgcrypt-1.8.4 couldn't detect it's build dependencies like 
libgpg-error-1.35.. so the

$ make check of libgcrypt-1.8.4
 >>>>>>>>>>returned 27 Test failed!!<<<<<<<<<<<<<<<<<<<<<<<<<<<<

the $ make check of libgpg-error-1.35 returned PASS: 
gpg-error-config-test.sh
=============
1 test passed;

and
==================
All 9 tests passed


and after $ sudo make install: the contents of usr/local/lib currently 
looks like this:

daniel at daniel-ThinkPad-X240:/usr/local/lib$ ls
libgcrypt.la         libgpg-error.la         node_modules  site_ruby
libgcrypt.so         libgpg-error.so         pkgconfig
libgcrypt.so.20      libgpg-error.so.0       python2.7
libgcrypt.so.20.2.4  libgpg-error.so.0.26.1  python3.4

hypothesis:

On a website called: https://dev.gnupg.org/T4068, someone mentioned, 
that I probably did this mistake: "You configure your environment for 
your compiling and installation, but not for running. Thus, old original 
libgpg-error in system was used, and failed."

My folder/directory libgpg-error-1.35 looks like this and so do all the 
other dependencies, including gnupg-2.2.13:

daniel at daniel-ThinkPad-X240:/var/src/gnupg22/libgpg-error-1.35$ ls
ABOUT-NLS       config.h       COPYING.LIB           Makefile       src
aclocal.m4      config.h.in    doc                   Makefile.am    stamp-h1
AUTHORS         config.log     INSTALL               Makefile.in    tests
autogen.rc      config.status  lang                  mkinstalldirs  THANKS
autogen.sh      configure      libgpg-error.spec     NEWS           VERSION
build-aux       configure.ac   libgpg-error.spec.in  po
ChangeLog       contrib        libtool               potomo
ChangeLog-2011  COPYING        m4                    README

furthermore:

 >>>>>my usr/bin directory for instance, contains a file called 
libgcrypt-config, when I open it in gedit, I get the following header:

# File: src/libgcrypt-config.  Generated from 			libgcrypt-config.in by 
configure.

# General.
prefix="/usr"
exec_prefix="${prefix}"
version="1.8.4"
includedir="${prefix}/include"
libdir="${exec_prefix}/lib"
gpg_error_libs="-L/usr/local/lib -lgpg-error"
gpg_error_cflags="-I/usr/local/include"


 >>>>>>>>>> or usr/bin/libassuan-config for instance returns:


# Configure libgpg-error.
gpg_error_cflags=""
gpg_error_libs="-lgpg-error"

PGM=libassuan-config
lib="-lassuan"
extralibs="$gpg_error_libs"
cflags=" $gpg_error_cflags"
api_version="2"
my_host="x86_64-pc-linux-gnu"
prefix=/usr
exec_prefix=${prefix}
includes=""
libdirs=""
exec_prefix_set=no
echo_libs=no
echo_cflags=no
echo_prefix=no
echo_exec_prefix=no
echo_host=no

-------------------------------------------------
epilog:

on the website https://gist.github.com/vt0r/a2f8c0bcb1400131ff51, 
finishing the build via command line goes:

echo "/usr/local/lib" > /etc/ld.so.conf.d/gpg2.conf && ldconfig -v

however, i don't exactly know what that is supposed to do?!! the return 
i get is:

bash: /etc/ld.so.conf.d/gpg2.conf: Permission denied


 >>>>>>but instead in directory usr/lib for instance i find:

libassuan.la
libassuan.so
libassuan.so.0
libassuan.so.0.8.3
.
.
libgcrypt.la
libgcrypt.so
libgcrypt.so.20
libgcrypt.so.20.2.4
.
.
libksba.la
libksba.so
libksba.so.8
libksba.so.8.11.6

 >>>>>>>>>in /usr/local/bin$ i find:
gpg-error-config   libgcrypt-config
gpg-error  gpgrt-config

 >>>>>>>>>>and in /usr/local/share$ i find:

libgpg-error


the directories usr/local/sbin; usr/local/etc; and usr/local/src

are empty!

So this is about the gist of my troubleshooting. perhaps if you find the 
information helpful that i supplied, it would be great if you could give 
me a hint, where and how to fix my build. if you need any further 
information on my initial configuration and install process i be happy 
to comply with more detailed analysis as far as i can supply the 
resulting outputs i stored safely of each step. again, your input would 
be greatly appreciated.

thank you for your consideration,

kindly yours,

daniel






-- 
pgp fingerprint: 02EF 1CA4 A4FB 0F12 76CA BC08 B678 C658 9B03 AB5E


From angel at pgp.16bits.net  Wed Feb 27 00:14:34 2019
From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=)
Date: Wed, 27 Feb 2019 00:14:34 +0100
Subject: Question about the security of the GnuPG Agent with regard to
 cryptographic material scrubbing
In-Reply-To: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
References: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
Message-ID: <1551222874.1053.22.camel@16bits.net>

On 2019-02-26 at 11:02 +0200, Ciprian Dorin Craciun wrote:
> Hello all!
> 
> Given the recent survey in password managers security [1], which
> concluded with their failure to properly sanitize / scrub the
> sensitive data (i.e. "master key") in "running locked state", I was
> wondering how does GnuPG Agent fare in this regard?
> 
> More specifically:
> * let's assume that one uses GnuPG Agent;  (only for PGP;)
> * the user enters the password for a particular private key;
> * (one assumes that the password was used to get the private key
> cryptographic material, and then scrubbed;)
> * then `--max-cache-ttl` seconds passes;
> * one assumes that the private key cryptographic material is now scrubbed;
> 
> Is this expectation correct?

I would say this is the right expectation.

However note that even with a perfect agent implementation, you might
find eg. that the kernel swapped to disk the page where the password was
read (before providing it to the program, which would hopefully be using
mlock(2) to avoid being swapped itself).



> Is there some external analysis about the security of the agent with
> regard to the scrubbing of both passwords and cryptographic material?

Intrigued by this I did a quick glance at the relevant code:

The cache purging seems to be done at housekeeping() [1], which simply calls release_data over the entry to free.
In turn, release_data() [2] is just a xfree() call, which would be
converted to gcry_free(), which is a libgcrypt function that will call
_gcry_private_free() [3].

_gcry_private_free() checks[4] whether this allocation was from a secure
pool (ie. allocated with gcry_xmalloc_secure), in which case it will
call _gcry_secmem_free[5], which does attempt to wipe the memory by
overwriting it with 0xff, 0xaa, 0x55 and 0x00 [6] using the macro
wipememory2,[7] which may do so inline (using volatile to avoid compiler
optimization) or end up calling _gcry_fast_wipememory, which would end
up calling the normal memset() through a function pointer.[8]
(I would expect either an attempt to use memset_s if available, similar
to the  check for explicit_bzero, or a note that like SecureZeroMemory
it provides no benefit, instead of a plain memset, though)

Best regards

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/cache.c;h=799d595abdb007422090622a959aa03741139c54;hb=HEAD#l198
[2] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/cache.c;h=799d595abdb007422090622a959aa03741139c54;hb=HEAD#l141
[3] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/global.c;h=d82c680a5d2a2981129d0531ff43b337ffebb085;hb=refs/heads/master#l1019
[4] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/stdmem.c;h=04ce64fba14b2fd5d58be5050b80d6a159dffed5;hb=refs/heads/master#l220
[5] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/secmem.c;h=b36c44f6de188ff005ca10800a4ba9fdf5a352d2;hb=refs/heads/master#l787
[6] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/secmem.c;h=b36c44f6de188ff005ca10800a4ba9fdf5a352d2;hb=refs/heads/master#l768
[7] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/g10lib.h;h=694c2d83e2682103d83be03070c737a1bb6a3ae4;hb=refs/heads/master#l337
[8] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=src/misc.c;h=bb39e1c2fe1c94affe1f024a87621f79e77ba1aa;hb=refs/heads/master#l504




From vedaal at nym.hush.com  Wed Feb 27 00:15:29 2019
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Tue, 26 Feb 2019 18:15:29 -0500
Subject: Ok this is a stupid questions
In-Reply-To: <20190226212812.5559ac4a@iria.my-fqdn.de>
References: <DM5PR19MB1420A0C4BA78E3692B103C09BF7A0@DM5PR19MB1420.namprd19.prod.outlook.com>
 <89704283-110D-4D01-BD55-D92218E32AF0@colmena.biz>
 <20190225210252.775A8C017A@smtp.hushmail.com>
 <20190226152942.7E012A0AD8@smtp2.hushmail.com>
 <20190226185702.9EA37C015E@smtp.hushmail.com>
 <20190226212812.5559ac4a@iria.my-fqdn.de> 
Message-ID: <20190226231529.6FEAAC015F@smtp.hushmail.com>


On 2/26/2019 at 3:28 PM, "Stefan Claas" <sac at 300baud.de> wrote:And maybe another FOSS point? How about issuing Warrant Canaries?

I have seen that VeraCrypt does this.

=====

Yes.
The latest one is here:
https://www.idrix.fr/VeraCrypt/canary.txt

Interesting, but it still boils down to *trust*.

I would trust WK and the GnuPG team even if they didn't *sign* a Warrant Canary
(i / we all, sort-of trust the verification of the new GnuPG releases, with his sig), 

And if we *don't trust*, then signing a Warrant Canary with the same signing key as the GnuPG release,
wouldn't help ;-)


vedaal




From gnupg at raf.org  Wed Feb 27 02:16:54 2019
From: gnupg at raf.org (gnupg at raf.org)
Date: Wed, 27 Feb 2019 12:16:54 +1100
Subject: Question about the security of the GnuPG Agent with regard to
 cryptographic material scrubbing
In-Reply-To: <CA+Tk8fy9DbnkAvYC4m70K=rsJW-wuMdPs_qtbqBAgaEzOMoJBg@mail.gmail.com>
References: <CA+Tk8fx+Jt-betfSixO-t5cY2P4jYc5fNGxFsmekkxtkP7FBXw@mail.gmail.com>
 <CAEHSPzpRvsCh=EPp=bQKMVxS6tvTpzxZrKA15O4io-iWH8AopA@mail.gmail.com>
 <CA+Tk8fy9DbnkAvYC4m70K=rsJW-wuMdPs_qtbqBAgaEzOMoJBg@mail.gmail.com>
Message-ID: <20190227011654.4bwu7dmlkmly2fvg@raf.org>

Ciprian Dorin Craciun wrote:

> On Tue, Feb 26, 2019 at 12:58 PM Sarun Intaralawan
> <sarunint at sarunint.com> wrote:
> > I'm not able to answer your main question, but I believe it is you
> > explained. However, regarding the matter in P.S., I'm glad to inform
> > you that such a tool exists. It is called pass [1] and it is fully
> > integrated with GnuPG and Git. So you can backup your password like
> > a Git repository.
> 
> I know about that tool, however it is unfortunately written also in
> Bash, which as my own implementation has countless ways to
> (permanently) leak the password.
> 
> For example take the following commit:
>     https://git.zx2c4.com/password-store/commit/src/password-store.sh?id=367efa5846492e1b0898aad8a2c26ce94163ba24
> 
> Which has the following change:
> ~~~~
> - $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}"
> <<<"$password" || die "Password encryption aborted."
> + echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile"
> "${GPG_OPTS[@]}" || die "Password encryption aborted."
> ~~~~
> 
> In was committed in 2018, but the tool is from 2015, thus in the
> interim all the passwords were leaked into `$TMPDIR` and thus on the
> disk, which in most cases is actually the `rootfs`.  Thus without much
> effort, one can take out the HDD, and just run a file-system recovery
> tool to recover deleted files, or dump ASCII tokens, and thus get
> access to the used passwords.

The new version still leaks, just not as badly
(permanently). On Linux, for example, unless system
call tracing and arbitrary RAM reading has been
completely disabled, even for root, with "sysctl
kernel.yama.ptrace_scope=3", the password will appear
in ptrace/strace/ltrace output when $GPG reads stdin.

Admittedly, there needs to be an adversary with root
privileges (or the user's privileges) active on the
host at the time but it's still a potential leak. And
it might make its way to swap which might not be
encrypted.

Even with kernel.yama.ptrace_scope=3, systemtap or
dtrace (on hosts that have it) can probably see the
password.

It's probably impossible to completely avoid
(transient) leaks without hardware cryptographic
modules. But of course, that's no reason not to do
whatever you can to make it as difficult as possible
for an adversary.

> I'm not criticizing the `pass` tool, as I know myself how hard it is
> to write a tool that doesn't leak data, however any such tool should
> come with a big warning to its users.
> 
> Unfortunately on the project page there is no mention of its security
> weaknesses or any hint to the users about possible data leaks.
> 
> Ciprian.

[The rest is even more off-topic for this list]
 
To be fair, all software probably has unknown security
bugs. Warning users about the possibility before you
know that there's a problem might seem alarmist. But if
a security bug has been identified and fixed, users
should be notified if there's anything that they need
to do. Changelogs at least should highlight security
bug fixes.

In that commit, the author said that "Do not put
passwords in herestrings: Bash sometimes writes these
into temporary files, which isn't okay". If it is only
sometimes, maybe bash only uses temporary files for
here strings when they are large. If that's the case,
the passwords might never have been written to disk.
So it might be OK. However, it's not sometimes.
It's always:

  $ bash -c 'lsof -a -p $$ -d0' <<< Password1
  COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
  lsof    24183  raf    0r   REG  253,1       10 7864877 /tmp/zshz9mNt3 (deleted)

So the commit message wasn't alarmist enough. And there
doesn't seem to be a Changelog file for pass or a
news or security notices section on its website.

Maybe you could submit a bug report for the
passwordstore.org website about its lack of a news or
security notices section for notifying users about
security issues.

I suppose the remedy is to cryptographically shred free
space if users didn't already have full disk encryption
(and hope they don't have SSDs). It would be good if
pass users were notified of that.

cheers,
raf



From oscar at spindel.tax  Wed Feb 27 11:43:26 2019
From: oscar at spindel.tax (Oscar Carlsson)
Date: Wed, 27 Feb 2019 11:43:26 +0100
Subject: Newbie: Installing Build Dependencies to gnupg-2.2.13 update from
 gnupg 2.0.22 on Ubuntu 14.04 LTS failed
In-Reply-To: <1141de1a-14fd-4f6b-3786-a531908cc762@xiala.net>
References: <1141de1a-14fd-4f6b-3786-a531908cc762@xiala.net>
Message-ID: <7b714f10ef400a5959c47d2dcb760372@spindel.tax>

2019-02-26 21:37 skrev Daniel:
> dear members of gnupg-users,
> 
> prolog:
> 
> hello my name is daniel. if i may introduce myself, i'm not an
> entirely sophisticated or seasoned unix/linux user and usually
> dependend on whatever snippets of information i can find in forums and
> on the web that give me usually a ballpark idea of what i can or
> cannot do via the command line. i understand that this approach
> doesn't always make sense or seems abit farfetched to the more
> experienced programmer. that said, i recently learned when trying to
> update my outmoded gnupg 2.0.22 on my Ubuntu 14.04 LTS distro, that i
> ran into some major issues for which i'm currently looking for advice
> on how to resolve them and get my update to work. so, if there's
> anyone who has the patience and the time necessary to give this
> problem a fair introspection, your help would be greatly appreciated.
> thanks.
> 
> the deal:
> 
> trying to install gnupg-2.2.13 on Ubuntu 14.04 LTS, including build
> dependencies libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3,
> libksba-1.3.5, npth-1.6, pinentry-1.1.0 & gpg-agent
> 
> history/approach:
> 
> largely dependend on the information i deployed from a website called
> https://gist.github.com/vt0r/a2f8c0bcb1400131ff51
> 
> i tried and followed the instructions there blindly, save for a few
> alterations. 1. for instance i wrote (copy/paste) each line of code
> separately for each building routine, instead of using &&. 2. I also
> did a detailed log of each command (copy/paste) that I ran on the
> shell in gedit, for each building block, including error messages that
> I got in return. 3. instead of https://www.gnupg.org/ftp/gcrypt/ as
> the mainsource from which to recover the tarball, I used for instance
> $ sudo wget -c 
> ftp://ftp.gnupg.org/gcrypt/pinentry/pinentry-1.1.0.tar.bz2
> 
> as the protocol on the website suggest, i first cleaned up the older
> GNuPG 2.0.22 build, by sudo apt-get --purge remove gnupg2
> mistakenly, I also removed gnupg-agent at first, because I thought it
> also took an updated version. however re-installed gnupg-agent at a
> later point in the process, when my enigmail add-on to thunderbird,
> seemed to have trouble making the connection.
> 
> the next step I created directory /var/src/gnupg22 with mkdir.
> 
> the contents of var/src/gnupg22 currently look like this:
> 
> daniel at daniel-ThinkPad-X240:/var/src/gnupg22$ ls
> gnupg-2.2.10.tar.bz2         libgcrypt-1.8.4.tar.gz.sig
> gnupg-2.2.10.tar.bz2.sig     libgpg-error-1.32.tar.gz
> gnupg-2.2.13                 libgpg-error-1.32.tar.gz.sig
> gnupg-2.2.13.tar.bz2         libgpg-error-1.35
> gnupg-2.2.13.tar.bz2.sig     libgpg-error-1.35.tar.gz
> index.html                   libgpg-error-1.35.tar.gz.sig
> libassuan-2.5.1.tar.bz2      libksba-1.3.5
> libassuan-2.5.1.tar.bz2.sig  libksba-1.3.5.tar.bz2
> libassuan-2.5.3              libksba-1.3.5.tar.bz2.sig
> libassuan-2.5.3.tar.bz2      npth-1.6
> libassuan-2.5.3.tar.bz2.sig  npth-1.6.tar.bz2
> libgcrypt-1.8.3.tar.gz       npth-1.6.tar.bz2.sig
> libgcrypt-1.8.3.tar.gz.sig   pinentry-1.1.0
> libgcrypt-1.8.4              pinentry-1.1.0.tar.bz2
> libgcrypt-1.8.4.tar.gz       pinentry-1.1.0.tar.bz2.sig
> 
> I did check and verify each signature of the respective tarball file!
> 
> installation procedure:
> 
> then I ran in the same order as on the website the complete
> /.configure cycle, including
> 
> $ ./configure --prefix=/usr
> $ make
> $ make check
> $ sudo make install
> 
> for the configuration of pinentry for instance, the return i got was:
> 
> 	Pinentry v1.1.0 has been configured as follows:
> 
> 	Revision:  02df3d2  (735)
> 	Platform:  x86_64-pc-linux-gnu
> 
> 	Curses Pinentry ..: no
> 	TTY Pinentry .....: yes
> 	Emacs Pinentry ...: no
> 	GTK+-2 Pinentry ..: yes
> 	GNOME 3 Pinentry .: no
> 	Qt Pinentry ......: no
> 	TQt Pinentry .....: no
> 	W32 Pinentry .....: no
> 	FLTK Pinentry ....: no
> 
> 	Fallback to Curses: no
> 	Emacs integration : yes
> 
> 	libsecret ........: no
> 
> 	Default Pinentry .: pinentry-gtk-2
> 
> now for instance if i run: $ aptitude search pinentry-gtk-2
> 
> i get no search results in return! same is true for all other build
> dependencies (libgpg-error-1.35, libgcrypt-1.8.4, libassuan-2.5.3,
> libksba-1.3.5, npth-1.6, pinentry-1.1.0),  including gnupg-2.2.13.
> 
> one of the main problems of the build, seemed that libraries like
> libgcrypt-1.8.4 couldn't detect it's build dependencies like
> libgpg-error-1.35.. so the
> 
> $ make check of libgcrypt-1.8.4
>>>>>>>>>>> returned 27 Test failed!!<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> 
> the $ make check of libgpg-error-1.35 returned PASS: 
> gpg-error-config-test.sh
> =============
> 1 test passed;
> 
> and
> ==================
> All 9 tests passed
> 
> 
> and after $ sudo make install: the contents of usr/local/lib currently
> looks like this:
> 
> daniel at daniel-ThinkPad-X240:/usr/local/lib$ ls
> libgcrypt.la         libgpg-error.la         node_modules  site_ruby
> libgcrypt.so         libgpg-error.so         pkgconfig
> libgcrypt.so.20      libgpg-error.so.0       python2.7
> libgcrypt.so.20.2.4  libgpg-error.so.0.26.1  python3.4
> 
> hypothesis:
> 
> On a website called: https://dev.gnupg.org/T4068, someone mentioned,
> that I probably did this mistake: "You configure your environment for
> your compiling and installation, but not for running. Thus, old
> original libgpg-error in system was used, and failed."
> 
> My folder/directory libgpg-error-1.35 looks like this and so do all
> the other dependencies, including gnupg-2.2.13:
> 
> daniel at daniel-ThinkPad-X240:/var/src/gnupg22/libgpg-error-1.35$ ls
> ABOUT-NLS       config.h       COPYING.LIB           Makefile       src
> aclocal.m4      config.h.in    doc                   Makefile.am    
> stamp-h1
> AUTHORS         config.log     INSTALL               Makefile.in    
> tests
> autogen.rc      config.status  lang                  mkinstalldirs  
> THANKS
> autogen.sh      configure      libgpg-error.spec     NEWS           
> VERSION
> build-aux       configure.ac   libgpg-error.spec.in  po
> ChangeLog       contrib        libtool               potomo
> ChangeLog-2011  COPYING        m4                    README
> 
> furthermore:
> 
>>>>>> my usr/bin directory for instance, contains a file called 
>>>>>> libgcrypt-config, when I open it in gedit, I get the following 
>>>>>> header:
> 
> # File: src/libgcrypt-config.  Generated from 			libgcrypt-config.in
> by configure.
> 
> # General.
> prefix="/usr"
> exec_prefix="${prefix}"
> version="1.8.4"
> includedir="${prefix}/include"
> libdir="${exec_prefix}/lib"
> gpg_error_libs="-L/usr/local/lib -lgpg-error"
> gpg_error_cflags="-I/usr/local/include"
> 
> 
>>>>>>>>>>> or usr/bin/libassuan-config for instance returns:
> 
> 
> # Configure libgpg-error.
> gpg_error_cflags=""
> gpg_error_libs="-lgpg-error"
> 
> PGM=libassuan-config
> lib="-lassuan"
> extralibs="$gpg_error_libs"
> cflags=" $gpg_error_cflags"
> api_version="2"
> my_host="x86_64-pc-linux-gnu"
> prefix=/usr
> exec_prefix=${prefix}
> includes=""
> libdirs=""
> exec_prefix_set=no
> echo_libs=no
> echo_cflags=no
> echo_prefix=no
> echo_exec_prefix=no
> echo_host=no
> 
> -------------------------------------------------
> epilog:
> 
> on the website https://gist.github.com/vt0r/a2f8c0bcb1400131ff51,
> finishing the build via command line goes:
> 
> echo "/usr/local/lib" > /etc/ld.so.conf.d/gpg2.conf && ldconfig -v
> 
> however, i don't exactly know what that is supposed to do?!! the
> return i get is:
> 
> bash: /etc/ld.so.conf.d/gpg2.conf: Permission denied
> 
> 
>>>>>>> but instead in directory usr/lib for instance i find:
> 
> libassuan.la
> libassuan.so
> libassuan.so.0
> libassuan.so.0.8.3
> .
> .
> libgcrypt.la
> libgcrypt.so
> libgcrypt.so.20
> libgcrypt.so.20.2.4
> .
> .
> libksba.la
> libksba.so
> libksba.so.8
> libksba.so.8.11.6
> 
>>>>>>>>>> in /usr/local/bin$ i find:
> gpg-error-config   libgcrypt-config
> gpg-error  gpgrt-config
> 
>>>>>>>>>>> and in /usr/local/share$ i find:
> 
> libgpg-error
> 
> 
> the directories usr/local/sbin; usr/local/etc; and usr/local/src
> 
> are empty!
> 
> So this is about the gist of my troubleshooting. perhaps if you find
> the information helpful that i supplied, it would be great if you
> could give me a hint, where and how to fix my build. if you need any
> further information on my initial configuration and install process i
> be happy to comply with more detailed analysis as far as i can supply
> the resulting outputs i stored safely of each step. again, your input
> would be greatly appreciated.
> 
> thank you for your consideration,
> 
> kindly yours,
> 
> daniel

Hi,

Ubuntu 14.04 will reach it's end-of-life in 1 month. Please upgrade if 
possible. There's little to no point in trying to fix the issues above 
when we are running very old software to begin with.

And in future emails, try to be more concise, and/or use pastebin like 
services and/or attach logs instead of adding them inline like this.


-- 
Oscar


From gpirlot at manymore.fr  Wed Feb 27 17:19:08 2019
From: gpirlot at manymore.fr (gpirlot at manymore.fr)
Date: Wed, 27 Feb 2019 17:19:08 +0100
Subject: Using gpg in an automated environememt
Message-ID: <143801d4ceb8$2b0c2eb0$81248c10$@manymore.fr>

Hi all,

 

I've been unsuccessfully trying for a while now to have gpg working in an
automated environment.  I've been following the point 8.20 int the gnupg faq
and I get an error at the gpg -homedir command (see screenshot below)

 



 

I'm rather new with gpg in particular and pki in general, and would greatly
appreciate any help that can be sent my way.

 

Looking forward to hearing from you,

 

Regards,

 

Geoffrey.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190227/0f56be96/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 65596 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20190227/0f56be96/attachment-0001.png>

From oliver at schinagl.nl  Wed Feb 27 21:10:36 2019
From: oliver at schinagl.nl (Olliver Schinagl)
Date: Wed, 27 Feb 2019 21:10:36 +0100
Subject: gpg vs gpgv and trustedkeys
In-Reply-To: <87ftsbnj34.fsf@fifthhorseman.net>
References: <1a28ff3c-5934-106b-31ad-8aeb9c57a725@schinagl.nl>
 <87ftsbnj34.fsf@fifthhorseman.net>
Message-ID: <a6f720eb-823c-18a2-24b0-934c700b7f47@schinagl.nl>

Hey Daniel,

On 26-02-2019 07:45, Daniel Kahn Gillmor wrote:
> On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:
>> What I am trying to accomplish, is to generate an OS image, which 
>> contains a public gpg key. The public is added using gpg --import and 
>> kets added to the newly created pubkey.gpg.
> I think your description here is missing some background: why do you
> need the public OpenPGP key in your OS image?
Well it is an embedded system, so the OS image is for the embedded
system. During development, engineers also login to the system and may
need to use the gpgv tool to check things. Having to point to the exact
file is just common cause of imstakes 'where was that file again' or 'oh
forgot'. But sure it is manageable, but.
>
> If the goal is just to use it with gpgv (e.g. to verify software updates
> or some other post-build artifact that you'll fetch over the network)
> then i recommend just explicitly pointing gpgv at the curated keyring
> using --keyring, and not bothering with public.gpg or anything else.
Passing it via the argument is 'ok' wouldn't it be for that fact that
option was removed a while ago from gpg. So we where reluctant to use it
with gpgv as it too, could just dissapear.
>
> This is the best approach because it lets you precisely control what is
> being checked against, and you don't have to worry that other uses of
> ~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check
> you're hoping to make strong.

Sure, but sometimes you don't care about the precise control; just that
it works as expected, which was my question was about. So I do thank you
a lot for taking the time to answer.


However, now that I have the solution (which I kinda guessed) it still
does not explain the discrepancy (and especially any text about it).

Simple example; I have my keys in my keychain generated/created via gpg.
Now I want to use gpgv to validate something, with my key, but now i
explicitly have to point it to the pubkey, because the default of gpgv
is trustedkey. So why the differences? Why are these not in sync, what
is the purpose? If the reason is to force the user to use the parameter,
why set a default, why set a default that does not match the generator.


Thanks :)

Olliver


>
> if you want an analogous example, check out the best-pratice guidance in
> https://wiki.debian.org/DebianRepository/UseThirdParty about using
> isolated keys per repository (with apt's Signed-By: options).
>
> Regards,
>
>         --dkg




From gpg at trodman.com  Thu Feb 28 14:40:56 2019
From: gpg at trodman.com (gpg at trodman.com)
Date: Thu, 28 Feb 2019 07:40:56 -0600
Subject: Howto override "encrypt-to KEYHERE" in gpg.conf?
Message-ID: <201902281340.x1SDeuFR024834@epjdn.zq3q.org>

I have imported  a new / additional primary key (0x2A5D250B1C9BE7D1) to my keyring.

But my default-key in gpg.conf is not changed:
    $ egrep '^(default-key|encrypt-to) ' ~/.gnupg/gpg.conf
    default-key 040B8410C3F36C1E
    encrypt-to 040B8410C3F36C1E

My goal is to run gpg commands that entirely ignore my default-key and encrypt-to key
in ~/.gnupg/gpg.conf.

Consider:

    $ echo hello |gpg2 --encrypt  -v  --default-key gnupg at baz.com  --recipient gnupg at baz.com > /dev/null
    gpg: using subkey 0xAC725930854EA1D6 instead of primary key 0x040B8410C3F36C1E
    gpg: using pgp trust model
    gpg: using subkey 0x6EADCB57CF0962B3 instead of primary key 0x2A5D250B1C9BE7D1
    gpg: automatically retrieved 'gnupg at baz.com' via Local
    gpg: This key belongs to us
    gpg: reading from '[stdin]'
    gpg: writing to stdout
    gpg: RSA/AES256 encrypted for: "0x6EADCB57CF0962B3 Bob S Lorem <gnupg at baz.com>"
    gpg: RSA/AES256 encrypted for: "0xAC725930854EA1D6 Robert S Lorem <WoT at baz.com>"
    $

    [...] Now comment out this line: "encrypt-to 040B8410C3F36C1E" in gpg.conf:
    $ echo hi    |gpg2 --encrypt  -v  --default-key gnupg at baz.com  --recipient gnupg at baz.com > /dev/null
    gpg: using pgp trust model
    gpg: using subkey 0x6EADCB57CF0962B3 instead of primary key 0x2A5D250B1C9BE7D1
    gpg: automatically retrieved 'gnupg at baz.com' via Local
    gpg: This key belongs to us
    gpg: reading from '[stdin]'
    gpg: writing to stdout
    gpg: RSA/AES256 encrypted for: "0x6EADCB57CF0962B3 Bob S Lorem <gnupg at baz.com>"
    $

How can I change the "echo hi ..." pipeline above and get the same results
without editing ~/.gnupg/gpg.conf?

--
thanks,
Tom
--
The primary private (secret) keys are saved offline, and not present in ~/.gnupg.