From guru at unixarea.de Wed Apr 1 17:30:29 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 1 Apr 2020 17:30:29 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
Message-ID: <20200401153029.GA11439@sh4-5.1blu.de>

Hello,

I encounter in my server the following situation: I can decrypt files
but cannot encrypt any file:

$ gpg2 --version
gpg (GnuPG) 2.1.19
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/guru/.gnupg-v2.1.19
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg -d sybase.gpg
gpg: encrypted with 2048-bit RSA key, ID 2802AB9D46B97090, created 2018-03-11
      "guru at unixarea.de"
... (clear text deleted) ....

$ gpg2 -r guru at unixarea.de -ea test
gpg: guru at unixarea.de: skipped: No public key
gpg: test: encryption failed: No public key

It seems that the file pubring.gpg is missing:

$ ls -ltr /home/guru/.gnupg-v2.1.19
total 36
-rw------- 1 guru wheel   32 11 mar.  2018 pubring.kbx~
-rw-r--r-- 1 guru wheel 1396 11 mar.  2018 pubring.kbx
drwx------ 2 guru wheel  512 11 mar.  2018 private-keys-v1.d
drwx------ 2 guru wheel  512 11 mar.  2018 openpgp-revocs.d
-rw-r----- 1 guru wheel  676 28 mar.  2018 sshcontrol
srwx------ 1 guru wheel    0 11 abr.  2018 S.scdaemon
-rw-r--r-- 1 guru wheel    7 11 abr.  2018 reader_0.status
-rw-r--r-- 1 guru wheel   37  1 ene.  2019 gpg-agent.conf
-rw------- 1 guru wheel  600  6 sept. 2019 random_seed
srwx------ 1 guru wheel    0  1 abr. 15:40 S.gpg-agent
srwx------ 1 guru wheel    0  1 abr. 15:40 S.gpg-agent.extra
srwx------ 1 guru wheel    0  1 abr. 15:40 S.gpg-agent.browser
srwx------ 1 guru wheel    0  1 abr. 15:40 S.gpg-agent.ssh
-rw------- 1 guru wheel 1280  1 abr. 16:17 trustdb.gpg

Can I re-create the missing information/file somehow?

Thanks

	matthias

-- 
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

From kloecker at kde.org Wed Apr 1 18:59:17 2020
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 01 Apr 2020 18:59:17 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <20200401153029.GA11439@sh4-5.1blu.de>
References: <20200401153029.GA11439@sh4-5.1blu.de>
Message-ID: <1631052.SAoqzhc8gI@thufir>

On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> I encounter in my server the following situation: I can decrypt files
> but cannot encrypt any file:
> 
> $ gpg2 --version

Here you are using gpg2.

> $ gpg -d sybase.gpg

Now you are using gpg.

> $ gpg2 -r guru at unixarea.de -ea test

Here you are using gpg2 again.

My guess is that the second call uses gpg 1.x and a different home
(including a different key ring).

> It seems that the file pubring.gpg is missing:

Of course, because pubring.gpg is the public key container of gpg <2.

> $ ls -ltr /home/guru/.gnupg-v2.1.19
> total 36
> -rw------- 1 guru wheel   32 11 mar.  2018 pubring.kbx~
> -rw-r--r-- 1 guru wheel 1396 11 mar.  2018 pubring.kbx

pubring.kbx holds the public keys of gpg2.

Regards,
Ingo

From guru at unixarea.de Wed Apr 1 19:39:24 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 1 Apr 2020 19:39:24 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <1631052.SAoqzhc8gI@thufir>
References: <20200401153029.GA11439@sh4-5.1blu.de> <1631052.SAoqzhc8gI@thufir>
Message-ID: <20200401173924.GA31572@sh4-5.1blu.de>

On Wednesday, April 01, 2020 at 06:59:17 +0200, Ingo Klöcker wrote:
> On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> > I encounter in my server the following situation: I can decrypt files
> > but cannot encrypt any file:
> > 
> > $ gpg2 --version
> 
> Here you are using gpg2.
> 
> > $ gpg -d sybase.gpg
> 
> Now you are using gpg.

Sorry for this confusion. gpg is just a symlink to gpg2:

$ which gpg
/usr/local/bin/gpg
$ which gpg2
/usr/local/bin/gpg2
$ ls -l /usr/local/bin/gpg /usr/local/bin/gpg2
lrwxr-xr-x 1 root wheel      4 27 mar.  2017 /usr/local/bin/gpg -> gpg2
-r-xr-xr-x 1 root wheel 903648  5 mar.  2017 /usr/local/bin/gpg2

> > $ gpg2 -r guru at unixarea.de -ea test
> 
> Here you are using gpg2 again. My guess is that the second call uses gpg 1.x
> and a different home (including a different key ring).
> 
> > It seems that the file pubring.gpg is missing:
> 
> Of course, because pubring.gpg is the public key container of gpg <2.

Ok, this explains its absence.

> > $ ls -ltr /home/guru/.gnupg-v2.1.19
> > total 36
> > -rw------- 1 guru wheel   32 11 mar.  2018 pubring.kbx~
> > -rw-r--r-- 1 guru wheel 1396 11 mar.  2018 pubring.kbx
> 
> pubring.kbx holds the public keys of gpg2.

Ok, but why does encryption not work? As you see, the file pubring.kbx has
not changed since it was created.

	matthias

From kloecker at kde.org Wed Apr 1 20:06:01 2020
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 01 Apr 2020 20:06:01 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <20200401173924.GA31572@sh4-5.1blu.de>
References: <20200401153029.GA11439@sh4-5.1blu.de> <1631052.SAoqzhc8gI@thufir> <20200401173924.GA31572@sh4-5.1blu.de>
Message-ID: <2747238.vbSC7m8iUP@thufir>

On Wednesday, 1 April 2020 19:39:24 CEST Matthias Apitz wrote:
> On Wednesday, April 01, 2020 at 06:59:17 +0200, Ingo Klöcker wrote:
> > On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> > > I encounter in my server the following situation: I can decrypt files
> > > but cannot encrypt any file:

Maybe the key is expired or not usable for encryption for some other reason.
gpg will happily use an expired key for decryption (of old encrypted data),
but it won't use an expired key for encryption.

What does
  gpg --list-public-keys --with-colons guru at unixarea.de
say?

Regards,
Ingo

From guru at unixarea.de Wed Apr 1 20:16:30 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 1 Apr 2020 20:16:30 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <2747238.vbSC7m8iUP@thufir>
References: <20200401153029.GA11439@sh4-5.1blu.de> <1631052.SAoqzhc8gI@thufir> <20200401173924.GA31572@sh4-5.1blu.de> <2747238.vbSC7m8iUP@thufir>
Message-ID: <20200401181630.GB31572@sh4-5.1blu.de>

On Wednesday, April 01, 2020 at 08:06:01 +0200, Ingo Klöcker wrote:
> On Wednesday, 1 April 2020 19:39:24 CEST Matthias Apitz wrote:
> > On Wednesday, April 01, 2020 at 06:59:17 +0200, Ingo Klöcker wrote:
> > > On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> > > > I encounter in my server the following situation: I can decrypt files
> > > > but cannot encrypt any file:
> 
> Maybe the key is expired or not usable for encryption for some other reason.
> gpg will happily use an expired key for decryption (of old encrypted data),
> but it won't use an expired key for encryption.
> 
> What does
>   gpg --list-public-keys --with-colons guru at unixarea.de
> say?

$ gpg --list-public-keys --with-colons guru at unixarea.de
tru::1:1585750650:0:3:1:5
pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::::::
fpr:::::::::8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
uid:e::::1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru at unixarea.de:
sub:e:2048:1:2802AB9D46B97090:1520759851::::::e::::::
fpr:::::::::8D06C9C9460222C8A26181142802AB9D46B97090:
sub:e:2048:1:4FAD759204AFE5CB:1585762137::::::e::::::
fpr:::::::::D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:

Thanks

	matthias

From kloecker at kde.org Wed Apr 1 21:42:48 2020
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 01 Apr 2020 21:42:48 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <20200401181630.GB31572@sh4-5.1blu.de>
References: <20200401153029.GA11439@sh4-5.1blu.de> <2747238.vbSC7m8iUP@thufir> <20200401181630.GB31572@sh4-5.1blu.de>
Message-ID: <2875111.pfFNoYHdPX@thufir>

On Wednesday, 1 April 2020 20:16:30 CEST Matthias Apitz wrote:
> On Wednesday, April 01, 2020 at 08:06:01 +0200, Ingo Klöcker wrote:
> > On Wednesday, 1 April 2020 19:39:24 CEST Matthias Apitz wrote:
> > > On Wednesday, April 01, 2020 at 06:59:17 +0200, Ingo Klöcker wrote:
> > > > On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> > > > > I encounter in my server the following situation: I can decrypt
> > > > > files but cannot encrypt any file:
> > 
> > Maybe the key is expired or not usable for encryption for some other
> > reason. gpg will happily use an expired key for decryption (of old
> > encrypted data), but it won't use an expired key for encryption.
> > 
> > What does
> >   gpg --list-public-keys --with-colons guru at unixarea.de
> > say?
> 
> $ gpg --list-public-keys --with-colons guru at unixarea.de
> tru::1:1585750650:0:3:1:5
> pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::::::
> fpr:::::::::8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
> uid:e::::1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru at unixarea.de:
> sub:e:2048:1:2802AB9D46B97090:1520759851::::::e::::::
> fpr:::::::::8D06C9C9460222C8A26181142802AB9D46B97090:
> sub:e:2048:1:4FAD759204AFE5CB:1585762137::::::e::::::
> fpr:::::::::D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:

As I assumed, the keys are expired, as can be seen by the :e: after
pub/uid/sub.

If you do
  gpg --list-public-keys guru at unixarea.de
you should see when the keys expired. (It's also listed above, but the unix
timestamp 1583831851 isn't easy to read for humans.)

Regards,
Ingo

From guru at unixarea.de Wed Apr 1 22:10:44 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 1 Apr 2020 22:10:44 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <2875111.pfFNoYHdPX@thufir>
References: <20200401153029.GA11439@sh4-5.1blu.de> <2747238.vbSC7m8iUP@thufir> <20200401181630.GB31572@sh4-5.1blu.de> <2875111.pfFNoYHdPX@thufir>
Message-ID: <20200401201044.GA29787@sh4-5.1blu.de>

On Wednesday, April 01, 2020 at 09:42:48 +0200, Ingo Klöcker wrote:
> > $ gpg --list-public-keys --with-colons guru at unixarea.de
> > tru::1:1585750650:0:3:1:5
> > pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::::::
> > fpr:::::::::8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
> > uid:e::::1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru at unixarea.de:
> > sub:e:2048:1:2802AB9D46B97090:1520759851::::::e::::::
> > fpr:::::::::8D06C9C9460222C8A26181142802AB9D46B97090:
> > sub:e:2048:1:4FAD759204AFE5CB:1585762137::::::e::::::
> > fpr:::::::::D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:
> 
> As I assumed, the keys are expired, as can be seen by the :e: after
> pub/uid/sub.
> 
> If you do
>   gpg --list-public-keys guru at unixarea.de
> you should see when the keys expired. (It's also listed above, but the unix
> timestamp 1583831851 isn't easy to read for humans.)

Yes, the key expired some days ago:

$ gpg --list-public-keys guru at unixarea.de
pub   rsa2048 2018-03-11 [SC] [expired: 2020-03-10]
      8BCE0232807D4CCB4F8800D17BA6AC955EAA2665
uid           [ expired] guru at unixarea.de

I don't know how this happened when I generated the keys.

I assume that there's no way to shift the expiration date?

If not, I will decrypt all files, generate new keys and encrypt the files
again.

Thanks

	matthias

-- 
May 9: Thank you very much, Russian liberators!

From sac at 300baud.de Wed Apr 1 22:21:25 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 1 Apr 2020 22:21:25 +0200
Subject: Who is the GnuPG Mailing List administrator?
Message-ID: <20200401222125.000078c6.sac@300baud.de>

Hi Werner,

I would like to contact the admin of the GnuPG Mailing List, for a
proposal, but could not find the contact email address.

Regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

From guru at unixarea.de Wed Apr 1 22:38:33 2020
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 1 Apr 2020 22:38:33 +0200
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To:
References: <20200401153029.GA11439@sh4-5.1blu.de> <2747238.vbSC7m8iUP@thufir> <20200401181630.GB31572@sh4-5.1blu.de> <2875111.pfFNoYHdPX@thufir> <20200401201044.GA29787@sh4-5.1blu.de>
Message-ID: <20200401203833.GB29787@sh4-5.1blu.de>

On Wednesday, April 01, 2020 at 10:19:09 +0200, Erich Eckner wrote:
> > I assume that there's no way to shift the expiration date?
> 
> I assumed so, too, for a long time. But I was wrong:
> 
> gpg --edit-key 8BCE0232807D4CCB4F8800D17BA6AC955EAA2665
> expire
> ...
> 

Hello Ingo and Erich,

You both saved my day. Thank you!

Stay healthy!

	matthias

From andrewg at andrewg.com Wed Apr 1 22:47:29 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Wed, 1 Apr 2020 21:47:29 +0100
Subject: can not encrypt (but decrypt) due to missing pub key
Message-ID: <01A4B0A3-5704-4DE1-BDD4-7ADDC6463C5F@andrewg.com>

> On 1 Apr 2020, at 21:11, Matthias Apitz wrote:
> 
> I assume that there's no way to shift the expiration date?

`gpg --quick-set-expire $FINGERPRINT 2y`

A

From abbot at monksofcool.net Wed Apr 1 22:56:02 2020
From: abbot at monksofcool.net (Ralph Seichter)
Date: Wed, 01 Apr 2020 22:56:02 +0200
Subject: Who is the GnuPG Mailing List administrator?
In-Reply-To: <20200401222125.000078c6.sac@300baud.de>
References: <20200401222125.000078c6.sac@300baud.de>
Message-ID: <87zhbv6i3h.fsf@wedjat.horus-it.com>

* Stefan Claas via Gnupg-users:

> I would like to contact the admin of the GnuPG Mailing List,
> for a proposal, but could not find the contact email address.

Mailman 2.1, which is the software managing this mailing list, adds a
footer to every message. The link in that footer should get you started,
as should a search for "mailman list owner address".

-Ralph

From sac at 300baud.de Wed Apr 1 23:04:46 2020
From: sac at 300baud.de (Stefan Claas)
Date: Wed, 1 Apr 2020 23:04:46 +0200
Subject: Who is the GnuPG Mailing List administrator?
In-Reply-To: <87zhbv6i3h.fsf@wedjat.horus-it.com>
References: <20200401222125.000078c6.sac@300baud.de> <87zhbv6i3h.fsf@wedjat.horus-it.com>
Message-ID: <20200401230446.00003763.sac@300baud.de>

Ralph Seichter via Gnupg-users wrote:

> * Stefan Claas via Gnupg-users:
> 
> > I would like to contact the admin of the GnuPG Mailing List,
> > for a proposal, but could not find the contact email address.
> 
> Mailman 2.1, which is the software managing this mailing list, adds a
> footer to every message. The link in that footer should get you started,
> as should a search for "mailman list owner address".
> 
> -Ralph

Stupid me ... Thanks a lot!

Regards
Stefan

From gnupg at eckner.net Wed Apr 1 22:19:09 2020
From: gnupg at eckner.net (Erich Eckner)
Date: Wed, 1 Apr 2020 22:19:09 +0200 (CEST)
Subject: can not encrypt (but decrypt) due to missing pub key
In-Reply-To: <20200401201044.GA29787@sh4-5.1blu.de>
References: <20200401153029.GA11439@sh4-5.1blu.de> <2747238.vbSC7m8iUP@thufir> <20200401181630.GB31572@sh4-5.1blu.de> <2875111.pfFNoYHdPX@thufir> <20200401201044.GA29787@sh4-5.1blu.de>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Matthias,

On Wed, 1 Apr 2020, Matthias Apitz wrote:

> On Wednesday, April 01, 2020 at 09:42:48 +0200, Ingo Klöcker wrote:
> 
>>> $ gpg --list-public-keys --with-colons guru at unixarea.de
>>> tru::1:1585750650:0:3:1:5
>>> pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::::::
>>> fpr:::::::::8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
>>> uid:e::::1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru at unixarea.de:
>>> sub:e:2048:1:2802AB9D46B97090:1520759851::::::e::::::
>>> fpr:::::::::8D06C9C9460222C8A26181142802AB9D46B97090:
>>> sub:e:2048:1:4FAD759204AFE5CB:1585762137::::::e::::::
>>> fpr:::::::::D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:
>>
>> As I assumed, the keys are expired, as can be seen by the :e: after
>> pub/uid/sub.
>>
>> If you do
>>   gpg --list-public-keys guru at unixarea.de
>> you should see when the keys expired. (It's also listed above, but the unix
>> timestamp 1583831851 isn't easy to read for humans.)
> 
> Yes, the key expired some days ago:
> 
> $ gpg --list-public-keys guru at unixarea.de
> pub   rsa2048 2018-03-11 [SC] [expired: 2020-03-10]
>       8BCE0232807D4CCB4F8800D17BA6AC955EAA2665
> uid           [ expired] guru at unixarea.de
> 
> I don't know how this happened when I generated the keys.
> 
> I assume that there's no way to shift the expiration date?

I assumed so, too, for a long time. But I was wrong:

gpg --edit-key 8BCE0232807D4CCB4F8800D17BA6AC955EAA2665
expire
...

> 
> If not, I will decrypt all files, generate new keys and encrypt the files
> again.
> 
> Thanks
> 
> matthias

regards,
Erich
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAl6E9z4ACgkQCu7JB1Xa
e1rcfw//Yn0KpgdbtQKq7JmmSZ84sjqbjWPHKpNJfs3O3kmn3H7pYB4Zzt186sdI
d56TlB8aHfxYngiQ8yJtnxoxSWiRVFFHh3ciNyI5TZktQlQsaCiMQl0Ne6k/1Lue
C9euh3QbopASSHMbzNuFRhfF4g2hgI9g5vjCr6XutqMKodVQM7WUUPpb9Ew5TAmL
8tmCtmoYnvnVjjv0OospqlKJmHqSXG7UdSsZNEQwP+eiBeqY5q/e7fuNlAsy2J69
z9a33GQbQojEysqfgaJaNwHoP6HJJS7kQ0wYGKn/G3XhlrUUovYuzpcc8r6xDyp3
ms/IA34XNGUnWAMHPBgt2iESmP3k4LV251jvjNRqypuUmkzLPdgNR25xdI1xRbx0
6VyrWBcXzcq9JppcqswwFMI2QziOnwfAKylkbTZ+bmiBPrpc1Cvw7zLzjxyO8nTl
C0UjG8J/NdPy+yoTJP7I7O18iDCTyS8LaDjtIffWEgTtM6iKrR1694DYgiYLZ92J
tJOTXY5tWVZHwz53RWNdhP/UAXE47cbS5F97zLLfsaVelSxd+qMAkc/84jgqPPJ5
jp9IIm+2Kua5MK710vA7j+Q2xw1VjhotQ7NArV32YimTr17T19kWYoQ/gNGdzriL
HSUUiu1VHVcrO/85nOfzskgqEhaOjBhmTqdcLO/MJAK/WCliCho=
=NVCc
-----END PGP SIGNATURE-----

From bjmgeek at gmail.com Tue Apr 7 14:31:52 2020
From: bjmgeek at gmail.com (Brian Minton)
Date: Tue, 7 Apr 2020 08:31:52 -0400
Subject: WKS server problems
In-Reply-To: <961ba305-8e5c-753a-beaf-64faae715761@mail.com>
References: <5a68f3c8-d5b0-7ab9-6e1a-4cb4afa84bce@andrewg.com> <4d58e96f-d792-3101-4aaf-bbe40b941296@mail.com> <319095a7-7c17-2bc0-d383-565617e8d7f0@andrewg.com> <87r1xk6u6s.fsf@wheatstone.g10code.de> <83465a10-bc28-90cc-a1bb-1a7c539e4976@mail.com> <87d093700e.fsf@wheatstone.g10code.de> <3805099b-026a-3009-b92c-573b78a81924@mail.com> <722693a8-36a2-0ec2-3efc-99a36172c65d@andrewg.com> <961ba305-8e5c-753a-beaf-64faae715761@mail.com>
Message-ID: <43818efe-9f01-8f8e-5ee8-6d0b5d348222@gmail.com>

On 3/23/20 12:52 PM, john doe wrote:
> I'll go back to using havege then as I need to generate a gpg key for
> testing purposes on this VM.

I apologize if I missed it earlier, but where is the VM running? A lot of
hypervisors provide an emulated or pass-through rdrand instruction, or
virtio-rng. In either case, rng-tools may be useful. However, check if the
emulated cpu provides RDRAND.

From pullanreddy41 at gmail.com Thu Apr 9 07:08:55 2020
From: pullanreddy41 at gmail.com (nithin reddy)
Date: Thu, 9 Apr 2020 10:38:55 +0530
Subject: File permissions issue while doing GPG encrypt and decrypt
Message-ID:

Hi All,

We are using GnuPG 2.0.14 in CentOS linux servers. We are able to encrypt
and decrypt the files as the root user. Now we are facing issues with the
normal users who are trying to encrypt a file.

Example: The root user and the user "nithin" are using the same KEY ID for
encryption and decryption. User "nithin" is trying to encrypt a file
"file1.txt"; file1.txt is owned by nithin. When he encrypts file1.txt, the
permissions of the encrypted file "file1.txt.gpg" get changed to root, not
nithin, and when "nithin" tries to decrypt a file which has nithin as owner
and group, the decrypted file's permissions also get changed to root and
root.

Need your help and suggestions here.

Regards
Pulla Nithin

From angel at pgp.16bits.net Thu Apr 16 03:45:38 2020
From: angel at pgp.16bits.net (Ángel)
Date: Thu, 16 Apr 2020 03:45:38 +0200
Subject: File permissions issue while doing GPG encrypt and decrypt
In-Reply-To:
References:
Message-ID: <1587001538.1070.24.camel@16bits.net>

On 2020-04-09 at 10:38 +0530, nithin reddy via Gnupg-users wrote:
> Hi All,
> 
> We are using GnuPG 2.0.14 in CentOS linux servers. We are able to encrypt
> and decrypt the files as the root user. Now we are facing issues with the
> normal users who are trying to encrypt a file.
> 
> Example: The root user and the user "nithin" are using the same KEY ID for
> encryption and decryption. User "nithin" is trying to encrypt a file
> "file1.txt"; file1.txt is owned by nithin. When he encrypts file1.txt, the
> permissions of the encrypted file "file1.txt.gpg" get changed to root, not
> nithin, and when "nithin" tries to decrypt a file which has nithin as owner
> and group, the decrypted file's permissions also get changed to root and
> root.
> 
> Need your help and suggestions here.

Did you somehow end up with the gpg program being setuid? (as a 'solution'
to gpg keyring files owned by root if he was directly accessing nithin's
keyring, perhaps, whereas you should have changed the owner there to nithin)

From grunweg at web.de Mon Apr 20 22:18:14 2020
From: grunweg at web.de (Mike Grunweg)
Date: Mon, 20 Apr 2020 22:18:14 +0200
Subject: Restoring keyring from backup fails
Message-ID: <0fcbcc06-7ab4-ea69-6459-b5ce8764284c@web.de>

Dear list,

I'm trying to restore my full gpg keyring from a backup of my .gnupg
folder, but no method I have tried seems to work.

What I tried:
Create a backup of the entire .gnupg folder on the old system.
On the new system, gpg was already installed. Replace the content of the
.gnupg folder with my backup.
(Both the backed-up and the new system have the same operating system, with
the same username, so the path layout should be identical.)

Expected result: gpg recognises these files as my keyring, and I can use
these keys just fine.
Actual result: Typing `gpg --list-keys` or similar lists nothing.
Applications using the keyring list no keys.

After that, I deleted the whole content of the .gnupg folder, and copied
only the files pubring.gpg, secring.gpg, and trustdb.gpg. The result didn't
change.

Any ideas what might be the cause, or how I can find out what's wrong?
One idea I had is that the new system has an encrypted hard disc (using
LUKS), but I feel that shouldn't matter.

Thanks for the help.

Best,
Mike

System information: Debian GNU/Linux buster; the output of `gpg --version`
begins with
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4.

From rjh at sixdemonbag.org Tue Apr 21 05:15:24 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 20 Apr 2020 23:15:24 -0400
Subject: Restoring keyring from backup fails
In-Reply-To: <0fcbcc06-7ab4-ea69-6459-b5ce8764284c@web.de>
References: <0fcbcc06-7ab4-ea69-6459-b5ce8764284c@web.de>
Message-ID: <0db0cc1f-8afb-ea14-7db0-02ca8ea1b372@sixdemonbag.org>

> Any ideas what might be the cause, or how I can find out what's wrong?

GnuPG 2.2 changed the way it stores public and private keys. If your old
installation was GnuPG 2.0 and the new one is 2.2, that might explain
things. The fix is pretty easy, though. Check your versions and let us
know what's up. :)

From romain.lebrun-thauront at protonmail.com Tue Apr 21 12:40:49 2020
From: romain.lebrun-thauront at protonmail.com (Romain Lebrun Thauront)
Date: Tue, 21 Apr 2020 10:40:49 +0000
Subject: Making a subkey a standalone Master key
Message-ID:

Hi folks,

[Problem] :

I'm generating myself a brand new pgp master key and I'd like it to have
this structure:

A first .gnupg folder with:

sec   ed25519 1876-02-10 [SC]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Romain Lebrun Thauront
ssb   ed25519 2020-04-21 [S] [expires: 2021-01-01]
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ssb   cv25519 2020-04-21 [E] [expires: 2021-01-01]
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

A second .gnupg folder (let's say .gnupg_copy) with:

sec   ed25519 2020-04-21 [SC] [expires: 2021-01-01]
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
uid           [ultimate] Romain Lebrun Thauront
ssb   cv25519 2020-04-21 [E] [expires: 2021-01-01]
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Where the BBBB and CCCC keys are the same in the two folders, but BBBB is
in one case a signing subkey and in the other a standalone Master key.

I do not find how to achieve that by myself, does anyone have an idea? I
don't care if the problem is solved one way or the other. (generating the
first config and transforming a subkey into a master key OR generating the
second config and transforming a master key into a signing subkey of
another master key)

[\Problem]

[Context] :

Reading that isn't necessary for giving a purely technical answer, but if
you are curious then go on.

I'm using a web mailer called ProtonMail which offers in-browser
cryptography. For that I have to upload some encrypted secret key with
signing and encrypting capabilities to their servers. But their software
won't accept that I upload only the "secret subkeys" keys, without the
"secret master key" key. I mean, something like that is refused:

sec#  ed25519 1876-02-10 [SC]  (The difference is the # here, meaning I do not upload the secret master key)
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Romain Lebrun Thauront
ssb   ed25519 2020-04-21 [S] [expires: 2021-01-01]
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ssb   cv25519 2020-04-21 [E] [expires: 2021-01-01]
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

As I want to keep my secret master key offline, off my computer, on an
encrypted usb, in a chest, in the deep Caribbean sea, kept by three
infamous sharks, the setup described in the above section would be a great
workaround: I'll use config one (my rolling subkeys as subkeys) on my
other mailer and I will advertise them like that to my contacts and
keyservers. I'll upload the second config (my rolling subkeys as a Master
key) to ProtonMail servers each time I roll keys.

[\Context]

As an ed25519 keypair is an ed25519 keypair, whether it is used as master
key or subkey, I think that should be theoretically possible, at least by
modifying the binaries of the key files. But there should be an easier
solution, right?

Best,
RLT

P.S.: sorry for grammatical incorrectness, not my native language

From andrewg at andrewg.com Tue Apr 21 16:15:37 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Tue, 21 Apr 2020 15:15:37 +0100
Subject: Making a subkey a standalone Master key
In-Reply-To:
References:
Message-ID: <6ff4446d-6bb4-a037-eb40-878d7299d431@andrewg.com>

On 21/04/2020 11:40, Romain Lebrun Thauront via Gnupg-users wrote:
> I'm using a web mailer called ProtonMail which offers in-browser
> cryptography. For that I have to upload some encrypted secret key with
> signing and encrypting capabilities to their servers. But their software
> won't accept that I upload only the "secret subkeys" keys, without the
> "secret master key" key.

This is a potentially interesting hack. I don't see any reason in
principle why you can't construct such a key, since the mathematics of
keys and subkeys is identical.

But there is a big wrinkle coming, and that is how such a mangled key
would be understood in practice. If someone were to send you a mail
encrypted to your "real" key, would Protonmail understand that it has
the correct key material available to decrypt it? After all, the "fake"
key that Protonmail knows would have a different (primary) fingerprint
from the one your correspondent used to encrypt. It might be possible
IFF protonmail tests only the fingerprint of the encryption subkey and
ignores that of the primary, but that would be an implementation detail.

If you do get it to work though, I would be very interested in your
method. :-)

-- 
Andrew Gallagher
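The following script is an added example, not code from the thread and not GnuPG's own. It parses `gpg --list-keys --with-colons` listings like the one Matthias posted and checks the two things these threads turn on: why gpg refuses a certificate as an encryption recipient while still decrypting with it (Ingo's point about the `:e:` validity flag), and whether a keyring holds the encryption subkey a ciphertext names at all, independent of the primary fingerprint (Andrew's point about ProtonMail matching on the subkey). The first listing is copied from the thread as the archive shows it (with `@` rewritten as ` at `); the second pair of listings is constructed to mirror Romain's two layouts and uses placeholder fingerprints, a placeholder user ID and constructed timestamps. Field positions follow GnuPG's doc/DETAILS.

```python
"""Parse `gpg --list-keys --with-colons` records and reason about key usability.

Added example, not part of the gnupg-users thread and not GnuPG code.
Field positions per doc/DETAILS: 1 record type, 2 validity, 5 key ID,
6 creation, 7 expiry, 10 user ID or fingerprint, 12 capabilities.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Validity flags under which gpg will not encrypt to a key. It still decrypts
# with an expired key, which is the asymmetry seen in the thread.
UNUSABLE = {"e": "expired", "r": "revoked", "i": "invalid", "d": "disabled"}


@dataclass
class Key:
    kind: str               # "pub" (primary) or "sub" (subkey)
    validity: str           # field 2: 'e' expired, 'u' ultimate, '-' unknown ...
    keyid: str              # field 5: long key ID (16 hex digits)
    created: int            # field 6: unix timestamp
    expires: Optional[int]  # field 7: unix timestamp, None = never
    caps: str               # field 12: lowercase = this key's own capabilities
    fpr: str = ""           # taken from the 'fpr' record that follows pub/sub


@dataclass
class Cert:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)


def parse_colons(text: str) -> List[Cert]:
    """Group pub/fpr/sub records into certificates; an 'fpr' record always
    describes the pub or sub record immediately before it."""
    certs: List[Cert] = []
    last_key: Optional[Key] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            key = Key(kind=f[0], validity=f[1], keyid=f[4], created=int(f[5]),
                      expires=int(f[6]) if f[6] else None,
                      caps=f[11] if len(f) > 11 else "")
            if f[0] == "pub":
                certs.append(Cert(primary=key))
            else:
                certs[-1].subkeys.append(key)
            last_key = key
        elif f[0] == "fpr" and last_key is not None:
            last_key.fpr = f[9]
    return certs


def own_caps(key: Key) -> str:
    """Lowercase letters are the key's own capabilities; uppercase letters on a
    'pub' record summarise the whole certificate and are ignored here."""
    return "".join(ch for ch in key.caps if ch.islower())


def utc_date(ts: Optional[int]) -> str:
    return "never" if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()


def why_cannot_encrypt(cert: Cert) -> Optional[str]:
    """None if gpg would accept the certificate as a recipient, else a reason.
    An expired primary expires every subkey with it, which is why all records
    in the thread carry ':e:' although only the primary has an expiry stamp."""
    p = cert.primary
    if p.validity in UNUSABLE:
        return f"primary key {p.keyid} is {UNUSABLE[p.validity]} (expiry {utc_date(p.expires)})"
    enc = [k for k in [p] + cert.subkeys if "e" in own_caps(k)]
    if not enc:
        return "no encryption-capable key"
    if any(k.validity not in UNUSABLE for k in enc):
        return None
    return "; ".join(f"key {k.keyid} is {UNUSABLE[k.validity]}" for k in enc)


def find_decryption_key(certs: List[Cert], keyid: str) -> List[Tuple[str, Key]]:
    """Certificates holding the encryption subkey a ciphertext names (the
    'encrypted with ... key, ID X' line). The match is on the subkey's own ID,
    so the primary fingerprint plays no role and two certificates that share
    one encryption subkey both qualify."""
    kid = keyid.upper()
    return [(c.primary.fpr, s) for c in certs for s in c.subkeys
            if "e" in own_caps(s) and (s.keyid == kid or s.fpr.endswith(kid))]


# Listing copied from the thread (the archive shows '@' as ' at ').
THREAD_LISTING = """\
tru::1:1585750650:0:3:1:5
pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::::::
fpr:::::::::8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
uid:e::::1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru at unixarea.de:
sub:e:2048:1:2802AB9D46B97090:1520759851::::::e::::::
fpr:::::::::8D06C9C9460222C8A26181142802AB9D46B97090:
sub:e:2048:1:4FAD759204AFE5CB:1585762137::::::e::::::
fpr:::::::::D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:
"""

# Constructed listings mirroring Romain's two layouts (placeholder fingerprints,
# user ID and timestamps): encryption subkey CCCC... hangs once under primary
# AAAA... and once under BBBB..., which is itself a signing subkey of AAAA...
REAL_LAYOUT = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1587463249::::::scESCA::::::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1587463249::0000000000000000000000000000000000000000::Romain (constructed) <romain@example.org>:
sub:u:255:22:BBBBBBBBBBBBBBBB:1587463249:1609459200:::::s::::::
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:u:255:18:CCCCCCCCCCCCCCCC:1587463249:1609459200:::::e::::::
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
"""
PROTON_LAYOUT = """\
pub:u:255:22:BBBBBBBBBBBBBBBB:1587463249:1609459200::u:::scESC::::::
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:u::::1587463249::0000000000000000000000000000000000000000::Romain (constructed) <romain@example.org>:
sub:u:255:18:CCCCCCCCCCCCCCCC:1587463249:1609459200:::::e::::::
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
"""

if __name__ == "__main__":
    thread = parse_colons(THREAD_LISTING)
    print("thread key:", why_cannot_encrypt(thread[0]))
    print("holders of 2802AB9D46B97090:", [f for f, _ in find_decryption_key(thread, "2802AB9D46B97090")])
    both = parse_colons(REAL_LAYOUT + PROTON_LAYOUT)
    print("constructed keys:", [why_cannot_encrypt(c) for c in both])
    print("holders of CCCCCCCCCCCCCCCC:", [f for f, _ in find_decryption_key(both, "CCCCCCCCCCCCCCCC")])
```

Run against the thread's listing it reports that the primary key 7BA6AC955EAA2665 expired on 2020-03-10, the same date `gpg --list-public-keys` later printed, while `find_decryption_key` still locates subkey 2802AB9D46B97090 (the ID in Matthias's `gpg -d` output), which is why decryption kept working. Against the two constructed layouts, the lookup for CCCC... returns both primaries, AAAA... and BBBB..., illustrating that a client which matches on the encryption subkey alone would treat either certificate as a valid holder of that key material.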
From sac at 300baud.de Tue Apr 21 19:32:11 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 21 Apr 2020 19:32:11 +0200
Subject: Making a subkey a standalone Master key
In-Reply-To: <6ff4446d-6bb4-a037-eb40-878d7299d431@andrewg.com>
References: <6ff4446d-6bb4-a037-eb40-878d7299d431@andrewg.com>
Message-ID: <20200421193211.00005483@300baud.de>

Andrew Gallagher wrote:

> On 21/04/2020 11:40, Romain Lebrun Thauront via Gnupg-users wrote:
> > I'm using a web mailer called ProtonMail which offers in-browser
> > cryptography. For that I have to upload some encrypted secret key with
> > signing and encrypting capabilities to their servers. But their software
> > won't accept that I upload only the "secret subkeys" keys, without the
> > "secret master key" key.
>
> This is a potentially interesting hack. I don't see any reason in
> principle why you can't construct such a key, since the mathematics of
> keys and subkeys is identical.
>
> But there is a big wrinkle coming, and that is how such a mangled key
> would be understood in practice. If someone were to send you a mail
> encrypted to your "real" key, would Protonmail understand that it has
> the correct key material available to decrypt it? After all, the "fake"
> key that Protonmail knows would have a different (primary) fingerprint
> from the one your correspondent used to encrypt. It might be possible
> IFF protonmail tests only the fingerprint of the encryption subkey and
> ignores that of the primary, but that would be an implementation detail.
>
> If you do get it to work though, I would be very interested in your
> method. :-)

I have just checked my pub key, which I created there a month ago, for testing purposes, for this account.

What would happen if one creates a master key with only signing capabilities and no certification capabilities? And then creates a second key pair with the proper master key and tries to combine those with what skeeto once mentioned with his pgp key-poisoner, i.e. that it is possible to bind subkeys to someone else's pub key?

Because ProtonMail only uses the encryption subkey, with a different fingerprint it should not matter, right? I see there no problem if the submitted Master key there has a different fingerprint and only signing capabilities.

Maybe worth a try.

Regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

From peter at digitalbrains.com Tue Apr 21 18:30:19 2020
From: peter at digitalbrains.com (Peter Lebbing)
Date: Tue, 21 Apr 2020 18:30:19 +0200
Subject: Making a subkey a standalone Master key
In-Reply-To: <6ff4446d-6bb4-a037-eb40-878d7299d431@andrewg.com>
References: <6ff4446d-6bb4-a037-eb40-878d7299d431@andrewg.com>
Message-ID:

Another idea would be to deliberately destroy the encrypted primary key material you upload to ProtonMail. I'd suggest setting the capabilities of the primary key to just Certify, not Sign. It could very well be that ProtonMail never tries to decrypt the encrypted primary private key then, because it is never asked to do a certification. And since you can only tell that the encrypted material has been destroyed once you actually try to decrypt it, it would never notice and chug on happily, oblivious that it has been lied to.

Oh, to answer the original question, you're looking for

$ gpg --expert --full-gen-key

and then option (13) Existing key.

HTH,
Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From angel at pgp.16bits.net Fri Apr 24 03:57:40 2020
From: angel at pgp.16bits.net (Ángel)
Date: Fri, 24 Apr 2020 03:57:40 +0200
Subject: Restoring keyring from backup fails
In-Reply-To: <0db0cc1f-8afb-ea14-7db0-02ca8ea1b372@sixdemonbag.org>
References: <0fcbcc06-7ab4-ea69-6459-b5ce8764284c@web.de> <0db0cc1f-8afb-ea14-7db0-02ca8ea1b372@sixdemonbag.org>
Message-ID: <1587693460.1899.14.camel@16bits.net>

On 2020-04-20 at 23:15 -0400, Robert J. Hansen wrote:
> > Any ideas what might be the cause, or how I can find out what's wrong?
>
> GnuPG 2.2 changed the way it stores public and private keys. If your
> old installation was GnuPG 2.0 and the new one is 2.2, that might
> explain things. The fix is pretty easy, though. Check your versions
> and let us know what's up. :)

GnuPG 2.2 is able to work with an old keyring. I think the problem is that the step

> Replace the content of the .gnupg folder with my backup.

meant keeping everything in .gnupg, overwriting files that were present in the system. Thus, I presume:

* Before moving over the keys he ran gpg on the new system. This will have created a ~/.gnupg/pubring.kbx file.
* He added (overwriting) to ~/.gnupg the contents of the old ~/.gnupg
* There was no pubring.kbx in the old system, so it happily used pubring.gpg
* The new system sees that there is a pubring.kbx, and uses it, not pubring.gpg, as their contents would have been migrated.

Thus, he has two completely different behaviors with the same gnupg version and (apparently) the same keyring.

It would be possible to import the old keys into the new format, but as we don't need to merge different keyrings, I recommend just removing (moving somewhere else) the ~/.gnupg folder in the new system and extracting there the contents of the old one.

Additionally, there may be a gpg-agent instance running. Kill that to ensure that a new one is spawned.
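A shell helper, added here as an illustration and not part of anyone's message in this thread, that checks a GnuPG home directory for the pubring.kbx/pubring.gpg shadowing described above and performs the restore the way the thread recommends (stop the agent, move the existing home aside, copy the backup in whole, private-keys-v1.d included). The directory paths are assumed arguments; the `gpgconf --kill gpg-agent` call is GnuPG's own way to stop an agent and is skipped when gpgconf is not installed.

```shell
#!/bin/sh
# Added example, not code from the gnupg-users thread. It encodes the
# diagnosis above: gpg 2.x opens pubring.kbx when it exists and only falls
# back to the old pubring.gpg when it does not, so a backup copied over a
# freshly initialised ~/.gnupg is silently shadowed. The restore function
# follows the steps later confirmed in the thread (stop the agent, move the
# home directory aside, copy the whole backup in). Paths are parameters;
# nothing here is a real user's data.

# Name the public key store gpg 2.x will use in the home directory $1.
gnupg_keyring_in_use() {
    if [ -f "$1/pubring.kbx" ]; then
        printf 'pubring.kbx\n'
    elif [ -f "$1/pubring.gpg" ]; then
        printf 'pubring.gpg\n'
    else
        printf 'none\n'
    fi
}

# Name where private keys live in $1: private-keys-v1.d (gpg >= 2.1) or the
# legacy secring.gpg, which gpg 2.1+ no longer reads directly.
gnupg_private_store() {
    if [ -d "$1/private-keys-v1.d" ]; then
        printf 'private-keys-v1.d\n'
    elif [ -f "$1/secring.gpg" ]; then
        printf 'secring.gpg (legacy, needs migration)\n'
    else
        printf 'none\n'
    fi
}

# Exit status 0 when copying backup $2 over the existing home $1 would leave
# the backup's pubring.gpg shadowed by an already-present pubring.kbx.
gnupg_restore_would_shadow() {
    [ -f "$1/pubring.kbx" ] && [ ! -f "$2/pubring.kbx" ] && [ -f "$2/pubring.gpg" ]
}

# Restore backup $2 into home $1 without the shadowing problem.
gnupg_restore_home() {
    cur="$1"; backup="$2"
    aside="$cur.moved.$(date +%Y%m%d%H%M%S)"
    # 1. Stop any agent bound to this home, so it cannot recreate the
    #    directory (with a fresh pubring.kbx) while we move it.
    if command -v gpgconf >/dev/null 2>&1; then
        GNUPGHOME="$cur" gpgconf --kill gpg-agent 2>/dev/null || true
    fi
    # 2. Move the existing home aside rather than merging into it.
    if [ -d "$cur" ]; then
        mv "$cur" "$aside" || return 1
    fi
    # 3. Copy the backup in whole, dot files and private-keys-v1.d included,
    #    and restore the permissions gpg expects on its home directory.
    mkdir -p "$cur" || return 1
    cp -R "$backup"/. "$cur"/ || return 1
    chmod 700 "$cur"
    printf 'restored %s into %s (previous contents in %s)\n' "$backup" "$cur" "$aside"
}
```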
Kind regards

From angel at pgp.16bits.net Sat Apr 25 23:53:16 2020
From: angel at pgp.16bits.net (Ángel)
Date: Sat, 25 Apr 2020 23:53:16 +0200
Subject: Restoring keyring from backup fails
In-Reply-To: <151e0698-745c-85fe-d694-71f326992360@web.de>
References: <0fcbcc06-7ab4-ea69-6459-b5ce8764284c@web.de> <0db0cc1f-8afb-ea14-7db0-02ca8ea1b372@sixdemonbag.org> <1587693460.1899.14.camel@16bits.net> <151e0698-745c-85fe-d694-71f326992360@web.de>
Message-ID: <1587851596.1138.3.camel@16bits.net>

On 2020-04-25 at 00:20 +0200, Mike Grunweg wrote:
> On 24.04.20 at 03:57, Ángel wrote:
> > On 2020-04-20 at 23:15 -0400, Robert J. Hansen wrote:
> >>> Any ideas what might be the cause, or how I can find out what's wrong?
> >> GnuPG 2.2 changed the way it stores public and private keys. If your
> >> old installation was GnuPG 2.0 and the new one is 2.2, that might
> >> explain things. The fix is pretty easy, though. Check your versions
> >> and let us know what's up. :)
> > GnuPG 2.2 is able to work with an old keyring. I think the problem is
> > that the step
> >> Replace the content of the .gnupg folder with my backup.
> > meant keeping everything in .gnupg, overwriting files that were present
> > in the system. Thus, I presume:
> > * Before moving over the keys he ran gpg on the new system. This will
> > have created a ~/.gnupg/pubring.kbx file.
> > * He added (overwriting) to ~/.gnupg the contents of the old ~/.gnupg
> > * There was no pubring.kbx in the old system, so it happily used
> > pubring.gpg
> > * The new system sees that there is a pubring.kbx, and uses it, not
> > pubring.gpg as their contents would have been migrated,
> >
> > Thus, he has two completely different behaviors with the same gnupg
> > version and (apparently) the same keyring.
> >
> > It would be possible to import the old keys into the new format, but as
> > we don't need to merge different keyrings, I recommend to just remove
> > (move somewhere else) the ~/.gnupg folder in the new system and extract
> > there the contents of the old one.
> >
> > Additionally, there may be a gpg-agent instance running. Kill that to
> > ensure that a new one is spawned.
> >
> >
> > Kind regards
>
> Thanks so much, this suggestion worked like a charm!
>
> From what I can tell, Ángel's diagnosis was pretty much spot on..
> - Indeed, the old ~/.gnupg didn't have a pubring.kbx file.
> - The new system did have a ~/.gnupg/pubring.kbx file.
> I presumably ran gnupg before (via an external program which started it).
>
>
> Thus, for the record, I did the following to finally have my keys
> properly recognised.
> 1. Kill any gpg-agent instance running.
> 2. Removed my ~/.gnupg folder (move it to a new folder).
> Omitting step 1 is not advisable: without terminating any running
> gpg-agent instances, moving the folder resulted in the creation of a new
> ~/.gnupg folder, containing a pubring.kbx file, which defeated the
> entire point of moving these files.
> 3. Move the key parts of the old folder to the new .gnupg folder.
> At first I moved just the files pubring.gpg, secring.gpg, and
> trustdb.gpg. This was NOT quite what I wanted:
> at least in gnupg 2.2, private keys are not stored in the file
> secring.gpg any more, but in the private-keys-v1.d subdirectory.
> Synchronising that directory was the thing to do, and worked
> perfectly then.
>
> Best,
> Mike

Adding back the list.

Glad it worked, Mike!

From scott092707 at aol.com Sun Apr 26 04:23:22 2020
From: scott092707 at aol.com (scott092707 at aol.com)
Date: Sun, 26 Apr 2020 02:23:22 +0000 (UTC)
Subject: Passphrase window freezes my DE's panel - is this a bug?
References: <582039586.356300.1587867802128.ref@mail.yahoo.com>
Message-ID: <582039586.356300.1587867802128@mail.yahoo.com>

When I installed QtPass and started using it, I had to select a GPG passphrase, which I then stored in a file.

The first time I use QtPass after booting my computer, it asks for my GPG passphrase. It then asks for it again, either after a certain number of minutes, or after a certain number of password uses in QtPass.

I got tired of always having to bring up my file manager, and then opening the file containing the passphrase, and copying and pasting it into the passphrase field, each time GPG wanted the passphrase. I created a .desktop file that contained an exe field containing a terminal command to copy the passphrase string onto the clipboard, and dragged it into my panel's QuickLaunch. Now, when GPG wants the passphrase, I just click on the .desktop icon in the QuickLaunch, and ctrl-v into the passphrase window text field.

All was good. Until...

Since the installation of the 2.2.20 GnuPG packages on my LXQt Debian Testing system, I am no longer able to do this. I try to click on the .desktop file icon in the QuickLaunch, and nothing happens. In fact, nothing in the panel is clickable - no other icons, not the menu - nothing. Probably nothing else on the desktop/workspace is usable - it appears the passphrase window steals all possible input.

I just (4/9) did an apt-get upgrade, and I note that several GPG packages were in the list of installed upgrades, being raised to 2.2.20 ("(2.2.20-1) over (2.2.19-1)").

I can get around this by cancelling the passphrase window, clicking on my icon, re-selecting the QtPass line that is supposed to bring up the password and related info, and finally pasting the clipboard into the re-appearing passphrase window. It is annoying to have to do this, though...

Is this a bug, or a (security?) feature?

I don't know which of the many GPG packages throws up the passphrase window, to know to which package a bug report should be directed (if it is a bug). I might have thought pinentry[*], but it is NOT one of the upgraded packages. (I have pinentry-curses and pinentry-gnome3 (curiously, not pinentry-qt...), at versions 1.1.0-3+b1)

My QtPass is at version 1.3.2-1, and pass is at 1.7.3-2. (My assumption is that QtPass is calling a GPG function that sometimes asks for the passphrase, or that QtPass calls a pass function that is calling a GPG function that sometimes asks for the passphrase.)

I thought I had a way to make use of the passphrase easier, and now that way is removed - or at least made lots more convoluted.

Any ideas?

-Scott

From andrewg at andrewg.com Sun Apr 26 15:32:37 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Sun, 26 Apr 2020 14:32:37 +0100
Subject: Passphrase window freezes my DE's panel - is this a bug?
In-Reply-To: <582039586.356300.1587867802128@mail.yahoo.com>
References: <582039586.356300.1587867802128@mail.yahoo.com>
Message-ID: <598ADC92-E7C1-4E3A-B0DC-DE3436283FEB@andrewg.com>

> On 26 Apr 2020, at 05:04, Scott C Jacobs via Gnupg-users wrote:
>
> I don't know which of the many GPG packages throws up the passphrase window, to know to which package a bug
> report should be directed (if it is a bug). I might have thought pinentry[*], but it is NOT one of the upgraded packages.
> (I have pinentry-curses and pinentry-gnome3 (curiously, not pinentry-qt...), at versions 1.1.0-3+b1)

To find out what process is controlling a window, you could use xwininfo and xprop as described in this SO answer: https://unix.stackexchange.com/a/84981

A

From scott092707 at aol.com Mon Apr 27 01:53:24 2020
From: scott092707 at aol.com (scott092707 at aol.com)
Date: Sun, 26 Apr 2020 23:53:24 +0000 (UTC)
Subject: Passphrase window freezes my DE's panel - is this a bug?
References: <990432816.657067.1587945204952.ref@mail.yahoo.com>
Message-ID: <990432816.657067.1587945204952@mail.yahoo.com>

> To find out what process is controlling a window, you could use xwininfo and xprop as described in this SO answer:
> https://unix.stackexchange.com/a/84981

The problem is, that even if I have a terminal window open into which I wanted to type xwininfo and xprop, once the passphrase window appears, I cannot use the terminal or anything else - the passphrase window allows nothing to happen until I enter the passphrase and click OK or click on cancel. Then I could use the terminal and type those commands, but the passphrase window I wished to query is gone after OK or cancel...

From scott092707 at aol.com Mon Apr 27 03:16:14 2020
From: scott092707 at aol.com (scott092707 at aol.com)
Date: Mon, 27 Apr 2020 01:16:14 +0000 (UTC)
Subject: Passphrase window freezes my DE's panel - is this a bug?
References: <65227562.676614.1587950174973.ref@mail.yahoo.com>
Message-ID: <65227562.676614.1587950174973@mail.yahoo.com>

On 4/26/20 1:53 PM, Scott C Jacobs via Gnupg-users wrote:

The problem is, that even if I have a terminal window open into which I wanted to type xwininfo and xprop, once the passphrase window appears, I cannot use the terminal or anything else - the passphrase window allows nothing to happen until I enter the passphrase and click OK or click on cancel. Then I could use the terminal and type those commands, but the passphrase window I wished to query is gone after OK or cancel...

> This is by design I think. I'm pretty sure that it's been true since PGP if I recall correctly. The idea is to not allow other software to run that could peek at what you are typing. You might want to write your passphrase on a card to help you remember it. But you can't run anything else while it is being entered.

First of all, this did not happen until the other day - I have been using my "click on the launcher icon to copy the passphrase to the clipboard" system for months now, and it worked fine.

Secondly, I could write the passphrase down... I could write ALL my passwords down, and then I would not need a password manager! Not very practical.

Thirdly, the password manager itself copies passwords to the clipboard, to be pasted into input fields. If using the clipboard is unsafe, then GPG would disallow its use in password managers as well, would it not? If one is supposed to have long, complicated, difficult-to-remember-and-type passwords (which one cannot even see when they are being entered!), then one HAS to use a clipboard to get them from where they are stored into where they are needed, and the passphrase is supposed to be even longer (since it unlocks access to all the others). There has to be a way to access the passphrase when the passphrase-entry window magically appears (which, naturally, is when one is short of time!)

Again - this disallowing of any input but that of the passphrase window is NEW. It did not happen until recently.

From hwj at BridgeportContractor.com Mon Apr 27 01:50:18 2020
From: hwj at BridgeportContractor.com (Howard Johnson)
Date: Sun, 26 Apr 2020 13:50:18 -1000
Subject: GnuPG Shell
Message-ID: <406271f9-cb1e-dba3-7d00-c4c11f3e2d53@BridgeportContractor.com>

Hi,

Not sure how to send this to the right person, so please forward if you will.

I noticed that `GnuPG Shell` appears to be old. Debian doesn't have it in its repository, or at least I can't find it. Best package I can find is v 1.0.0

https://unix.stackexchange.com/questions/582699/whats-the-debian-package-name-for-gnupg-shell?noredirect=1#comment1085001_582699

I recommend taking it off the list of gpg front-ends. For Linux KGpg, gpa, and seahorse still work.

-h
From felix at crowfix.com Mon Apr 27 03:44:06 2020
From: felix at crowfix.com (Felix Finch)
Date: Sun, 26 Apr 2020 18:44:06 -0700
Subject: Passphrase window freezes my DE's panel - is this a bug?
In-Reply-To: <990432816.657067.1587945204952@mail.yahoo.com>
References: <990432816.657067.1587945204952.ref@mail.yahoo.com> <990432816.657067.1587945204952@mail.yahoo.com>
Message-ID: <20200427014406.GB2880@crowfix.com>

On 20200426, Scott C Jacobs via Gnupg-users wrote:
> The problem is, that even if I have a terminal window open into which I wanted to type xwininfo and xprop,
> once the passphrase window appears, I cannot use the terminal or anything else - the passphrase window allows
> nothing to happen until I enter the passphrase and click OK or click on cancel. Then I could use the terminal and
> type those commands, but the passphrase window I wished to query is gone after OK or cancel...

FWIW, when I plug in a USB encrypted backup drive, it has a popup passphrase window which also locks out all other windows. I show my passphrase and use CTRL-SHIFT-C to copy it before plugging in the drive, then use CTRL-SHIFT-V to paste it into the popup window. I suppose this is not as secure as it should be, but it's good enough for me.

-- 
... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
Felix Finch: scarecrow repairman & wood chipper / felix at crowfix.com
GPG = E987 4493 C860 246C 3B1E 6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

From rjh at sixdemonbag.org Mon Apr 27 06:48:43 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 27 Apr 2020 00:48:43 -0400
Subject: Passphrase window freezes my DE's panel - is this a bug?
In-Reply-To: <65227562.676614.1587950174973@mail.yahoo.com>
References: <65227562.676614.1587950174973.ref@mail.yahoo.com> <65227562.676614.1587950174973@mail.yahoo.com>
Message-ID:

> If using the clipboard is unsafe, then GPG would disallow its use in
> password managers as well, would it not?

How would it do so?

> If one is supposed to have long, complicated,
> difficult-to-remember-and-type passwords (which one cannot even see
> when they are being entered!), then one HAS to use a clipboard to get
> them from where they are stored into where they are needed,

Nonsense. A prior job literally *required* that I not only use completely random passwords, but 128 bits of them, and completely change them every six months, for four different networks. It was incredibly annoying but possible. If I can remember "ZECY17pJQo9PoeVqJ4S/lA==" and three others like it, and change them twice a year, then it's simply untrue that "one HAS to use a clipboard to get them from where they are stored into where they are needed". Convenient, absolutely. Good UI design, also. But not *required*.

Further, I don't know who told you that your passphrase must be long, complicated, difficult to remember and difficult to type. The passphrase exists as a defense in the event someone's able to steal your private key: but if you think you've already defended against theft adequately, use a short passphrase or none at all. Like so many things, it all depends on your own risk model.

> Again - this disallowing of any input but that of the passphrase
> window is NEW. It did not happen until recently.

Perhaps I missed something, but did the GnuPG team write your pinentry? If not, they're really not in a good position to offer help.

From andrewg at andrewg.com Mon Apr 27 08:58:37 2020
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 27 Apr 2020 07:58:37 +0100
Subject: Passphrase window freezes my DE's panel - is this a bug?
In-Reply-To: <990432816.657067.1587945204952@mail.yahoo.com>
References: <990432816.657067.1587945204952@mail.yahoo.com>
Message-ID: <22FEA65C-E6F9-4737-A689-E9655FE7EC81@andrewg.com>

> On 27 Apr 2020, at 01:15, Scott C Jacobs via Gnupg-users wrote:
>
> the passphrase window allows
> nothing to happen until I enter the passphrase and click OK or click on cancel.

This is definitely not pinentry then. It's most likely a unified desktop passphrase manager such as gnome-keyring.

A

From sac at 300baud.de Mon Apr 27 15:15:29 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 27 Apr 2020 15:15:29 +0200
Subject: GnuPG 2.2.20 under Termux (Android) ...
Message-ID: <20200427151529.00005cc7@300baud.de>

Hi all,

maybe interesting for some of you.

I just noticed that, after installing Golang under Termux, Termux also has GnuPG already installed.

https://ibb.co/hyG8q4Y

Would people recommend using pure GnuPG on a smartphone, compared to a (compromised?) PC?

I ask, because I have not read yet what attacks (remotely) are possible with smartphones, to obtain the secret keys.

Any pointers to articles would be very welcome!

Regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

From szczepan at nitrokey.com Mon Apr 27 15:55:09 2020
From: szczepan at nitrokey.com (Szczepan Zalega | Nitrokey)
Date: Mon, 27 Apr 2020 15:55:09 +0200
Subject: GnuPG 2.2.20 under Termux (Android) ...
In-Reply-To: <20200427151529.00005cc7@300baud.de>
References: <20200427151529.00005cc7@300baud.de>
Message-ID: <31c649f5-9d6e-9ad7-23f7-6a45695a58c8@nitrokey.com>

On 4/27/20 3:15 PM, Stefan Claas wrote:
> maybe interesting for some of you.
>
> I just noticed that, after installing Golang under Termux,
> Termux also has GnuPG already installed.
>
> https://ibb.co/hyG8q4Y
>
> Would people recommend using pure GnuPG on a smartphone,
> compared to a (compromised?) PC?
>
> I ask, because I have not read yet what attacks (remotely)
> are possible with smartphones, to obtain the secret keys.
>
> Any pointers to articles would be very welcome!
>

Hi!

I would not keep the secrets on the mobile, but rather offload the computation to a simple device and communicate via USB/NFC. The reason is that this is a complicated communication device, which has a big attack surface.

Here is a fresh remote code exploitation done over Bluetooth for Android 8/9 [1]. The fix was released in February 2020 as far as I see. In the past there were some issues with the WiFi as well AFAIR.

[1] https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/

-- 
Best regards,
Szczepan

From sac at 300baud.de Mon Apr 27 18:50:37 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 27 Apr 2020 18:50:37 +0200
Subject: GnuPG 2.2.20 under Termux (Android) ...
In-Reply-To: <31c649f5-9d6e-9ad7-23f7-6a45695a58c8@nitrokey.com>
References: <20200427151529.00005cc7@300baud.de> <31c649f5-9d6e-9ad7-23f7-6a45695a58c8@nitrokey.com>
Message-ID: <20200427185037.00001181@300baud.de>

Szczepan Zalega | Nitrokey via Gnupg-users wrote:

> On 4/27/20 3:15 PM, Stefan Claas wrote:
> > maybe interesting for some of you.
> >
> > I just noticed that, after installing Golang under Termux,
> > Termux also has GnuPG already installed.
> >
> > https://ibb.co/hyG8q4Y
> >
> > Would people recommend using pure GnuPG on a smartphone,
> > compared to a (compromised?) PC?
> >
> > I ask, because I have not read yet what attacks (remotely)
> > are possible with smartphones, to obtain the secret keys.
> >
> > Any pointers to articles would be very welcome!
> >
>
> Hi!
>
> I would not keep the secrets on the mobile, but rather offload the
> computation to a simple device and communicate via USB/NFC. The reason is
> that this is a complicated communication device, which has a big attack
> surface.
> Here is a fresh remote code exploitation done over Bluetooth for Android
> 8/9 [1]. The fix was released in February 2020 as far as I see.
> In the past there were some issues with the WiFi as well AFAIR.
>
>
> [1]
> https://insinuator.net/2020/04/cve-2020-0022-an-android-8-0-9-0-bluetooth-zero-click-rce-bluefrag/

Thanks for the info, much appreciated!

I see in your address 'Nitrokey' and I was wondering (I have USB on my Samsung A40) whether a Nitrokey USB device would work properly with my Termux set-up, i.e. Nitrokey drivers which must be detected via Termux, so that it would work? Are you aware of whether this has ever been tested?

Regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas

From angel at pgp.16bits.net Tue Apr 28 03:31:07 2020
From: angel at pgp.16bits.net (Ángel)
Date: Tue, 28 Apr 2020 03:31:07 +0200
Subject: Passphrase window freezes my DE's panel - is this a bug?
In-Reply-To: <582039586.356300.1587867802128@mail.yahoo.com>
References: <582039586.356300.1587867802128.ref@mail.yahoo.com> <582039586.356300.1587867802128@mail.yahoo.com>
Message-ID: <1588037467.1316.68.camel@16bits.net>

First of all, you have created three threads about it. When you reply to an email, you need to actually reply to that mail. Just using the same subject does not make the email get into the thread (could you imagine the threads for emails titled "Bug"?). I am replying to the original thread, and glossing over points mentioned over several threads.

> I don't know which of the many GPG packages throws up the passphrase window, to know to which package a bug
> report should be directed (if it is a bug). I might have thought pinentry[*], but it is NOT one of the upgraded packages.
> (I have pinentry-curses and pinentry-gnome3 (curiously, not pinentry-qt...), at versions 1.1.0-3+b1)
>
> My QtPass is at version 1.3.2-1, and pass is at 1.7.3-2.
> (My assumption is that QtPass is calling a GPG function that sometimes asks for the passphrase, or that QtPass calls
> a pass function that is calling a GPG function that sometimes asks for the passphrase.)

QtPass is a frontend for pass, which itself is a password manager based on gpg. So it's normal that a prompt for the underlying gpg key ends up appearing.

> It then asks for it again, either after a certain number of minutes,
> or after a certain number of password uses in QtPass.
>

You may play with the agent ttl options on ~/.gnupg/gpg.conf so that it doesn't request it so often
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options

> Is this a bug, or a (security?) feature?

It is a (somewhat annoying) feature.

  By grabbing the keyboard:
  a) it ensures that i don't accidentally type into another window when i think i'm typing in the prompter
  b) it keeps other X11 clients from sniffing the keyboard input
  -- dkg on Debian bug 930062

> I got tired of always having to bring up my file manager, and then opening the file containing the passphrase,
> and copy and pasting it into the passphrase field, each time GPG wanted the passphrase.

You shouldn't have the password for the password manager in a file alongside it.

> Secondly, I could write the passphrase down... I could write ALL my
> passwords down, and then I would not need a password manager!
> Not very practical.

There is ONE passphrase you cannot keep stored in the password manager. That's the one that gives you access to the password manager itself.¹ You are having issues with that one passphrase. Writing down all your passwords as you propose would be equivalent to using your password manager with no password manager password (it may not be a good idea, but you *could* do that).

> Thirdly, the password manager itself copies passwords to the
> clipboard, to be pasted into input fields.
> If using the clipboard is unsafe, then GPG would disallow its use in
> password managers as well, would it not?

It's not that the clipboard is unsafe.² The problem with your flow is that you are copying the master password from an unsafe place. The reason for the master password is that, should anyone steal your files (either physically or remotely), they would not be able to get to the secrets stored on your password manager. Passwords should be either directly typed or copied from a password manager. If you copy that password from another file, the file from which you are copying it is the insecure part, not that you move it from that file through the clipboard. It would be the same issue if you had the text file open in the background and you typed it from there.

Be careful what you wish for, btw. Some pinentries *do* block pasting from the clipboard. I had to type a gpg password that I had available on the password manager, when the system launched the wrong pinentry.

> If one is supposed to have long, complicated,
> difficult-to-remember-and-type passwords (which one cannot even
> see when they are being entered!), then one HAS to use a clipboard to
> get them from where they are stored into where they are needed,
> and the passphrase is supposed to be even longer (since it unlocks
> access to all the others).
>

Above you were arguing for writing down all your passwords in plain text; now you say they need to be very difficult-to-remember-and-type passwords.

Also, you have a few misconceptions:

> long, complicated, difficult-to-remember-and-type passwords

Passwords don't need to be 'complicated to type'. The classic example would be 'Tr0ub4dor&3' vs 'correct horse battery staple' from https://xkcd.com/936/

The goal isn't that they are difficult to remember either. If I needed to set one, I would state it as 'use a unique, random password for each realm'. Here 'random' just means 'unpredictable'. You could take your passwords from the telephone book. What you shall not use is the phone number of your Granny, since it'd be predictable that you used a number you already knew, such as the one of a family member. Learning by heart a telephone number of a stranger you got by randomly opening it would work. And memorizing it shouldn't be harder than memorizing any other phone number (smartphones made people lazy, but it was common to know lots of numbers by heart).

Remembering *lots* of passwords is what starts making it hard, but remembering a few good passwords is not that difficult (and the password for your password manager is one key to remember).

As for the password manager passphrase needing to be longer, that could be argued both ways. The protection provided by the password manager should not be weaker than that of any secret it guards. It doesn't mean that its strength should be the sum of that of everything it contains. On the other hand, what we need to amount is the protection it provides, which doesn't rest solely on the master password. You could take into account also the protection added by the password manager format itself, and the system it rests on, and so a 'weak' password could be considered enough. As usual, you should make your own risk analysis.

² Well, kind of. There are clipboard snooping attacks, where an application (or even a web page) retrieves clipboard contents that were not intended for them. Also, you will find that password managers like to clear the password from the clipboard after some seconds.

¹ No need to remember the password website:
Don't worry, I only need to (remember and provide) the password manager password, but before...
I only need to (remember and provide) the system account password, but before...
I only need to (remember and provide) the disk encryption password, but before...
I only need to (remember and provide) the BIOS boot password, but before...
I only need to (remember and provide) the system account password, but before...
I only need to (remember and provide) the PIN on the door, but before...
I only need to (remember and provide) the right word to the Cerberus relative that is guarding the garden, but before...
I only need to (remember and provide) the right answer to the sphinx that is at the entrance of the city.
It is very easy, you see, to provide the password at the website. No need to its password struggle to learn. It's now so simple to enter there. Wait!, it is asking me for a 2FA code to provide?