From wk at gnupg.org Tue Sep 1 10:10:39 2020
From: wk at gnupg.org (Werner Koch)
Date: Tue, 01 Sep 2020 10:10:39 +0200
Subject: gnupg --fetch-key problems
In-Reply-To: <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net> ("Ángel"'s message of "Mon, 31 Aug 2020 02:48:54 +0200")
References: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net>
Message-ID: <87d0353ojk.fsf@wheatstone.g10code.de>

On Mon, 31 Aug 2020 02:48, Ángel said:

> HTTP/1.1 would require support for things that currently may not be
> present, such as chunked transfer encodings, whereas HTTP/1.0 is

That is for the server side but not for the client. IIRC, the only
mandatory request header a client has is "Host:". This is optional in
1.0 but we have always sent this. I see no benefit in requiring 1.1
and also no reason why a site should block 1.0 - that would be a pretty
lame DoS mitigation because bots could also send 1.1 without any
problems but don't do so because it is not needed.

> I agree it should provide a User-Agent, though.

There is no User-Agent header to minimize the amount of identifiable
information. You want a User-Agent header to make debugging requests
easier?

Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From bjacke at samba.org Tue Sep 1 14:27:35 2020
From: bjacke at samba.org (Björn Jacke)
Date: Tue, 1 Sep 2020 14:27:35 +0200
Subject: gnupg --fetch-key problems
In-Reply-To: <87d0353ojk.fsf@wheatstone.g10code.de>
References: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net> <87d0353ojk.fsf@wheatstone.g10code.de>

Hello Werner,

On 01.09.20 10:10, Werner Koch via Gnupg-users wrote:
>> HTTP/1.1 would require support for things that currently may not be
>> present, such as chunked transfer encodings, whereas HTTP/1.0 is
>
> That is for the server side but not for the client. IIRC, the only
> mandatory request header a client has is "Host:". This is optional
> in 1.0 but we have always sent this. I see no benefit in requiring 1.1
> and also no reason why a site should block 1.0 - that would be a pretty
> lame DoS mitigation because bots could also send 1.1 without any
> problems but don't do so because it is not needed.

You may find it lame or not, but disabling http 1.0 is recommended in a
number of places, a number of servers out there already have it
disabled, and it will probably be more and not fewer sites doing that in
the future; that's nothing that we can change. Ignoring all those sites
and letting the gpg users suffer by not being able to connect would not
be nice.

I talked with Wiktor about the http 1.0 issue in gpg and he also
mentioned that a number of weird problems that people have reported with
WKD in the past might be related to gpg talking http 1.0 only.

You didn't mention the suggested libcurl yet - if you would use that you
would not have to worry about the details of how to implement more
modern http protocols in gpg.

>> I agree it should provide a User-Agent, though.
>
> There is no User-Agent header to minimize the amount of identifiable
> information. You want a User-Agent header to make debugging requests
> easier?

Yes, I found out that the trouble-making http clients are gpg clients
only because Wiktor found that out by chance.

Best regards
Björn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL:

From wk at gnupg.org Tue Sep 1 21:17:24 2020
From: wk at gnupg.org (Werner Koch)
Date: Tue, 01 Sep 2020 21:17:24 +0200
Subject: gnupg --fetch-key problems
In-Reply-To: ("Björn Jacke via Gnupg-users"'s message of "Tue, 1 Sep 2020 14:27:35 +0200")
References: <100ecfd4-1f3f-8a1f-59fb-9e680e0d9942@samba.org> <7abd513abf1baeea6c934592f8d43786e27bb62c.camel@16bits.net> <87d0353ojk.fsf@wheatstone.g10code.de>
Message-ID: <87v9gx1f3v.fsf@wheatstone.g10code.de>

On Tue, 1 Sep 2020 14:27, Björn Jacke said:

> I talked with Wiktor about the http 1.0 issue in gpg and he also
> mentioned that a number of weird problems that people have reported with
> WKD in the past might be related to gpg talking http 1.0 only.

And what about those servers which don't support 1.1? Will that be more
than those 1.1 servers disabling 1.0 without any valid reasons? There is
more HTTP infrastructure out there than the standard servers. RFC-7230
explicitly describes the versioning scheme and how it shall be used.
Dirmngr does not feature the required 1.1 parts and thus it is not okay
to enable 1.1.

> You didn't mention the suggested libcurl yet - if you would use that you

We are glad that we could remove most of the duplicated code and library
duplication from the GnuPG code base. Adding libcurl would pull in for
example OpenSSL, GnuTLS, GMP, Hogweed/Nettle, Kerberos, P11 Kit, and
libgcrypt. The latter might even be a different version than what GnuPG
uses, which is a very brittle thing and should be avoided.
Granted, the standard Dirmngr on Linux also pulls in libldap and a
respective crypto lib, which is not good either. Any hints on hooks in
libldap to avoid this would be very appreciated. Maybe we need to get
back to a helper process for ldap.

> would not have to worry about the details of how to implement more
> modern http protocols in gpg.

We use only very basic HTTP features and won't follow any fashionable
new things - there is just no need for it and it will only break things.
Well, if people voluntarily break their HTTP infrastructure I would like
to learn what reasons are given for that.

Complexity is the worst enemy of security.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL:

From avemilia at protonmail.com Wed Sep 2 13:53:08 2020
From: avemilia at protonmail.com (Ave Milia)
Date: Wed, 02 Sep 2020 11:53:08 +0000
Subject: Windows GPG 2.22.2: ERR 100663354 No data

I have just noticed that I accidentally misread the versions and thought
I was using 2.22.2, while it is 2.2.22. In this regard the 2.3 milestone
for Sep 30, 2020 in [0] makes sense. I will try to build gpg from source
and test it. Sorry for the confusion.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, August 31, 2020 11:03 PM, Ave Milia via Gnupg-users wrote:

> Windows, GPG 2.22.2 from chocolatey (choco install gnupg)
>
> While trying to set up gpg-agent to work with an SSH key on a Yubikey
> on Windows I have noticed a (perhaps unrelated) issue:
>
> PS C:\Users\avemilia> gpgconf.exe --kill all
> PS C:\Users\avemilia> gpgconf.exe --launch all
> PS C:\Users\avemilia> echo "scd getinfo reader_list" | gpg-connect-agent.exe --decode
> ERR 100663354 No data
> PS C:\Users\avemilia> gpgconf.exe --kill all
>
> On Linux this gives:
> $ echo "scd getinfo reader_list" | gpg-connect-agent --decode
> D 1050:0407:X:0
> OK
>
> I found two mentions of this issue [0][1]. It seems like this issue
> was addressed in 2.3.0?
>
> Why do I care? I am configuring gpg and ssh on Windows and was reading
> [2], which mentions this command to determine the reader-port value in
> order to operate only on one smartcard. I am struggling to understand
> what this error means -- gpg cannot determine the smartcard to use? If
> so, why does gpg --card-status work? If not, what does the error imply?
> Can it be one of the reasons why agent forwarding over ssh fails (this
> is what I was debugging before I met this error)?
>
> gpg-agent.conf:
> enable-ssh-support
> enable-putty-support
> default-cache-ttl 60
> max-cache-ttl 120
> verbose
> debug-level advanced
> log-file C:\Users\avemilia\AppData\Roaming\gnupg\gpg-agent.log
>
> scdaemon.conf:
> #reader-port Yubico Yubikey 4 OTP+U2F+CCID 0
> card-timeout 5
> verbose
> debug-level advanced
> log-file C:\Users\avemilia\AppData\Roaming\gnupg\scdaemon.log
>
> Notice that reader-port is commented out, but the error is the same
> when it is set as well. I have looked up this value from Device Manager
> according to some guide on the internet that recommended setting
> reader-port so that scdaemon doesn't choke on virtual smartcards
> generated by 365 Office, or something.
>
> Below are the logs of gpg-agent and scdaemon based on (only) the 4
> commands provided at the beginning of this email.
>
> agent:
> 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent'
> 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra'
> 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.browser'
> 2020-08-31 22:59:54 gpg-agent[7220] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh'
> 2020-08-31 22:59:54 gpg-agent[7220] gpg-agent (GnuPG) 2.2.22 started
> 2020-08-31 22:59:54 gpg-agent[7220] putty message loop thread started
> 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 -> OK Pleased to meet you
> 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 <- RESET
> 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 -> OK
> 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 <- NOP
> 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 -> OK
> 2020-08-31 22:59:54 gpg-agent[7220] DBG: chan_0x000002a8 <- [eof]
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 -> OK Pleased to meet you
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 <- RESET
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 -> OK
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 <- scd getinfo reader_list
> 2020-08-31 23:00:06 gpg-agent[7220] no running SCdaemon - starting it
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK GNU Privacy Guard's Smartcard server ready
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: first connection to SCdaemon established
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> GETINFO socket_name
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: additional connections at 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> OPTION event-signal=0x000002a4
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> getinfo reader_list
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- ERR 100663354 No data
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 -> ERR 100663354 No data
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002b8 <- [eof]
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc -> RESTART
> 2020-08-31 23:00:06 gpg-agent[7220] DBG: chan_0x000002cc <- OK
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK Pleased to meet you
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- RESET
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- GETINFO scd_running
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- scd killscd
> 2020-08-31 23:00:09 gpg-agent[7220] new connection to SCdaemon established (reusing)
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc -> killscd
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc <- OK closing connection
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 -> OK
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000000b0 <- [eof]
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc -> RESTART
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002cc <- [eof]
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 -> OK Pleased to meet you
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 <- RESET
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 -> OK
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 <- KILLAGENT
> 2020-08-31 23:00:09 gpg-agent[7220] DBG: chan_0x000002d4 -> OK closing connection
> 2020-08-31 23:00:09 gpg-agent[7220] secmem usage: 0/32768 bytes in 0 blocks
>
> scd:
> 2020-08-31 23:00:06 scdaemon[12216] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
> 2020-08-31 23:00:06 scdaemon[12216] handler for fd -1 started
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK GNU Privacy Guard's Smartcard server ready
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- GETINFO socket_name
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- OPTION event-signal=0x000002a4
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- getinfo reader_list
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> ERR 100663354 No data
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 <- RESTART
> 2020-08-31 23:00:06 scdaemon[12216] DBG: chan_0x00000100 -> OK
> 2020-08-31 23:00:09 scdaemon[12216] DBG: chan_0x00000100 <- killscd
> 2020-08-31 23:00:09 scdaemon[12216] DBG: chan_0x00000100 -> OK closing connection
>
> Thank you in advance for the reply (and replies on my previous thread,
> on which I replied with my own solution).
>
> [0] https://dev.gnupg.org/T4620
> [1] https://dev.gnupg.org/T1081
> [2] https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Options.html
>
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From avemilia at protonmail.com Thu Sep 3 02:13:48 2020
From: avemilia at protonmail.com (Ave Milia)
Date: Thu, 03 Sep 2020 00:13:48 +0000
Subject: Unable to RemoteForward Yubikey: gpg: error getting version from 'scdaemon': Forbidden

I am trying to forward gpg-agent from Windows (local) to Linux (remote)
in order to use the Yubikey to its full capacity on the remote.
That means I am able to encrypt, decrypt and sign with the gpg key
stored on the token, and use the ssh key stored on the token for
authentication in the remote's environment.

On Windows I am using win32-openssh 8.0 and gpg 2.2.22, with two
additional tools (described below). On Linux I am using openssh 8.3p1
and gpg 2.2.21.

[0] allows key-based SSH authentication to be used (it connects
gpg-agent and pageant) when the SSH key is stored on the Yubikey. It
makes pinentry ask for the Yubikey PIN. SSH_AUTH_SOCK is set to
"\\.\pipe\ssh-pageant" before launching the program. It is launched
like so:

PS C:\Users\avemilia> wsl-ssh-pageant-amd64.exe --winssh ssh-pageant
2020/09/03 00:06:39 Listening on named pipe: \\.\pipe\ssh-pageant

and produces no errors. See [1][2] as tracking issues for this feature
in gpg and win32-openssh.

[3] is a bridge between Unix sockets and TCP sockets, used as a
workaround for both win32-openssh and gpg. Win32-openssh is unable to
parse Windows paths in config and gpg is unable to communicate with
Unix sockets. See [4] as the tracking issue for this feature in
win32-openssh, and perhaps [1] for gpg. Two instances are launched like
so:

PS C:\Users\avemilia> gpg-bridge.exe 127.0.0.1: C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra
PS C:\Users\avemilia> gpg-bridge.exe 127.0.0.1: C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh

and produce no errors. Both ports are in high numbers, working as
intended.

This is the session I attempt, following instructions from [5]:

PS C:\Users\avemilia> ssh pc
Last login: Thu Sep 3 00:01:38 2020 from
gpg-connect-agent: connection to agent is in restricted mode
$ gpg --card-status
gpg: error getting version from 'scdaemon': Forbidden
gpg: selecting card failed: Forbidden
gpg: OpenPGP card not available: Forbidden
$
Connection to closed.

/etc/ssh/sshd_config on remote:

AllowUsers
Port
ListenAddress
AddressFamily inet
Compression yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
LogLevel VERBOSE
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
UsePAM yes
AuthorizedKeysFile .ssh/authorized_keys
PrintMotd no # pam does that
Banner /etc/issue
StreamLocalBindUnlink yes

.ssh/config on local:

User
Host pc
Hostname
Port
RemoteForward /run/user/1000/gnupg/S.gpg-agent 127.0.0.1:
RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh 127.0.0.1:

[5] does not mention ssh-agent forwarding, but googling about the
"forbidden" problem yielded [6], which says: "If only forwarding the
“extra” socket, you’ll receive these errors", which are the errors I
receive. Thus I added the ssh socket, but it didn't work out.

This is the current state of the problem and I am stuck :(

This is how I [re]start gpg on remote before the SSH session and stop
it afterwards to collect logs:

$ systemctl --user stop gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
$ systemctl --user start gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service
$ systemctl --user stop gpg-agent-browser.socket gpg-agent-extra.socket gpg-agent-ssh.socket gpg-agent.socket gpg-agent.service dirmngr.socket dirmngr.service

This is how I [re]start gpg on local before the SSH session and stop it
afterwards to collect logs:

PS C:\Users\avemilia> gpgconf --kill all
PS C:\Users\avemilia> gpgconf --launch all
PS C:\Users\avemilia> gpgconf --kill all

Below are logs and configs of gpg on local and remote with respect to
these manipulations.

gpg-agent.log on remote:

2020-09-03 00:08:34 gpg-agent[785552] gpg-agent (GnuPG) 2.2.21 starting in supervised mode.
2020-09-03 00:08:34 gpg-agent[785552] using fd 3 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
2020-09-03 00:08:34 gpg-agent[785552] using fd 4 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
2020-09-03 00:08:34 gpg-agent[785552] using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
2020-09-03 00:08:34 gpg-agent[785552] using fd 6 for std socket (/run/user/1000/gnupg/S.gpg-agent)
2020-09-03 00:08:34 gpg-agent[785552] listening on: std=6 extra=4 browser=3 ssh=5
2020-09-03 00:09:08 gpg-agent[785552] socket file has been removed - shutting down
2020-09-03 00:09:08 gpg-agent[785552] gpg-agent (GnuPG) 2.2.21 stopped
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.extra'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.browser'
2020-09-03 00:15:58 gpg-agent[786612] listening on socket '/run/user/1000/gnupg/S.gpg-agent.ssh'
2020-09-03 00:15:58 gpg-agent[786613] gpg-agent (GnuPG) 2.2.21 started
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK Pleased to meet you, process 786610
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- RESET
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION ttytype=xterm-kitty
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION display=:0
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- updatestartuptty
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:15:58 gpg-agent[786613] DBG: chan_10 <- [eof]
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK Pleased to meet you, process 786711
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- RESET
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION ttytype=xterm-kitty
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION display=:0
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION xauthority=/home/ave/.Xauthority
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION lc-ctype=en_US.UTF-8
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- OPTION lc-messages=en_US.UTF-8
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- updatestartuptty
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 -> OK
2020-09-03 00:16:00 gpg-agent[786613] DBG: chan_10 <- [eof]

(I have accidentally opened a new shell, so you will see [an irrelevant]
updatestartuptty at the end)

gpg-agent.conf on remote:

enable-ssh-support
default-cache-ttl 60
max-cache-ttl 120
verbose
debug-level advanced
log-file /home/ave/.gnupg/gpg-agent.log

scdaemon.log on remote: absent

scdaemon.conf on remote:

pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid
verbose
debug-level advanced
log-file /home/ave/.gnupg/scdaemon.log

gpg.conf on remote:

personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
fixed-list-mode
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
use-agent
throw-keyids

.zshrc on remote:

export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
export GPG_TTY=$(tty)
gpgconf --create-socketdir
gpg-connect-agent updatestartuptty /bye >/dev/null

gpg-agent.log on local:

2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.extra'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.browser'
2020-09-03 00:05:30 gpg-agent[12992] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.gpg-agent.ssh'
2020-09-03 00:05:30 gpg-agent[12992] gpg-agent (GnuPG) 2.2.22 started
2020-09-03 00:05:30 gpg-agent[12992] putty message loop thread started
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:05:30 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:05:35 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK Pleased to meet you
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 <- GETINFO pid
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> D 12992
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 <- BYE
2020-09-03 00:06:34 gpg-agent[12992] DBG: chan_0x000002b4 -> OK closing connection
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 -> OK Pleased to meet you
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 <- RESET
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:07:01 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 -> OK Pleased to meet you
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 <- RESET
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 -> OK
2020-09-03 00:07:09 gpg-agent[12992] DBG: chan_0x00000298 <- [eof]
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK Pleased to meet you
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 <- GETINFO pid
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> D 12992
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 <- BYE
2020-09-03 00:07:34 gpg-agent[12992] DBG: chan_0x000002c4 -> OK closing connection
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK Pleased to meet you
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c <- GETINFO pid
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> D 12992
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c <- BYE
2020-09-03 00:08:35 gpg-agent[12992] DBG: chan_0x0000029c -> OK closing connection
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK Pleased to meet you
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- RESET
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- NOP
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 -> OK
2020-09-03 00:08:42 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file 'WSLPageantRequest'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map handle 0x00000274
2020-09-03 00:08:56 gpg-agent[12992] DBG: my sid: ''
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file sid: ''
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh IPC buffer at 0x00670000
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for request_identities (11) started
2020-09-03 00:08:56 gpg-agent[12992] no running SCdaemon - starting it
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK GNU Privacy Guard's Smartcard server ready
2020-09-03 00:08:56 gpg-agent[12992] DBG: first connection to SCdaemon established
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETINFO socket_name
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: additional connections at 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> OPTION event-signal=0x00000290
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] SIGUSR2 received - updating card event counter
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETINFO card_list
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO --demand=
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR $AUTHKEYID
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S $AUTHKEYID OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> READKEY OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_000002B8 <- [ 44 20 28 ...( byte(s) skipped) ]
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> GETATTR $DISPSERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S $DISPSERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for request_identities (11) ready
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file 'WSLPageantRequest'
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map handle 0x00000274
2020-09-03 00:08:56 gpg-agent[12992] DBG: my sid: ''
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh map file sid: ''
2020-09-03 00:08:56 gpg-agent[12992] DBG: ssh IPC buffer at 0x00670000
2020-09-03 00:08:56 gpg-agent[12992] ssh request handler for sign_request (13) started
2020-09-03 00:08:56 gpg-agent[12992] new connection to SCdaemon established (reusing)
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SERIALNO --demand=
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- S SERIALNO
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: detected card with S/N
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> SETDATA
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_0x000002b8 -> PKAUTH OPENPGP.3
2020-09-03 00:08:56 gpg-agent[12992] DBG: chan_000002B8 <- [ 49 4e 51 ...( byte(s) skipped) ]
2020-09-03 00:08:56 gpg-agent[12992] starting a new PIN Entry
2020-09-03 00:08:56 gpg-agent[12992] DBG: connection to PIN entry established
2020-09-03 00:09:05 gpg-agent[12992] DBG: chan_000002B8 -> [ 44 20 7e ...( byte(s) skipped) ]
2020-09-03 00:09:05 gpg-agent[12992] DBG: chan_0x000002b8 -> END
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_000002B8 <- [ 44 20 39 ...( byte(s) skipped) ]
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:09:08 gpg-agent[12992] ssh request handler for sign_request (13) ready
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x000002b8 <- OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK Pleased to meet you
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- RESET
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- GETINFO restricted
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> OK
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- updatestartuptty
2020-09-03 00:09:08 gpg-agent[12992] command 'UPDATESTARTUPTTY' failed: Forbidden
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 -> ERR 67109115 Forbidden
2020-09-03 00:09:08 gpg-agent[12992] DBG: chan_0x00000294 <- [eof]
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK Pleased to meet you
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- RESET
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION ttyname=/dev/pts/13
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO restricted
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> D 2.2.22
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION allow-pinentry-notify
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- OPTION agent-awareness=2.1.0
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> OK
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- SCD GETINFO version
2020-09-03 00:09:20 gpg-agent[12992] command 'SCD' failed: Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc -> ERR 67109115 Forbidden
2020-09-03 00:09:20 gpg-agent[12992] DBG: chan_0x000002fc <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- GETINFO scd_running
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- scd killscd
2020-09-03 00:09:32 gpg-agent[12992] new connection to SCdaemon established (reusing)
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> killscd
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000274 <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 -> RESTART
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x000002b8 <- [eof]
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK Pleased to meet you
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 <- RESET
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 <- KILLAGENT
2020-09-03 00:09:32 gpg-agent[12992] DBG: chan_0x00000328 -> OK closing connection
2020-09-03 00:09:32 gpg-agent[12992] secmem usage: 0/32768 bytes in 0 blocks

gpg-agent.conf on local:

enable-ssh-support
enable-putty-support
default-cache-ttl 60
max-cache-ttl 120
verbose
debug-level advanced
log-file C:\Users\avemilia\AppData\Roaming\gnupg\gpg-agent.log

scdaemon.log on local:

2020-09-03 00:08:56 scdaemon[5332] listening on socket 'C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon'
2020-09-03 00:08:56 scdaemon[5332] handler for fd -1 started 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK GNU Privacy Guard's Smartcard server ready 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETINFO socket_name 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> D C:\Users\avemilia\AppData\Roaming\gnupg\S.scdaemon 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- OPTION event-signal=0x00000290 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO 2020-09-03 00:08:56 scdaemon[5332] detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 0' 2020-09-03 00:08:56 scdaemon[5332] reader slot 0: not connected 2020-09-03 00:08:56 scdaemon[5332] reader slot 0: active protocol: T1 2020-09-03 00:08:56 scdaemon[5332] slot 0: ATR=[...] 2020-09-03 00:08:56 scdaemon[5332] AID: [...] 2020-09-03 00:08:56 scdaemon[5332] Historical Bytes: [...] 
2020-09-03 00:08:56 scdaemon[5332] Version-2+ .....: yes 2020-09-03 00:08:56 scdaemon[5332] Extcap-v3 ......: no 2020-09-03 00:08:56 scdaemon[5332] Button .........: yes 2020-09-03 00:08:56 scdaemon[5332] SM-Support .....: no 2020-09-03 00:08:56 scdaemon[5332] Get-Challenge ..: no 2020-09-03 00:08:56 scdaemon[5332] Key-Import .....: yes 2020-09-03 00:08:56 scdaemon[5332] Change-Force-PW1: yes 2020-09-03 00:08:56 scdaemon[5332] Private-DOs ....: yes 2020-09-03 00:08:56 scdaemon[5332] Algo-Attr-Change: yes 2020-09-03 00:08:56 scdaemon[5332] Symmetric Crypto: no 2020-09-03 00:08:56 scdaemon[5332] KDF-Support ....: no 2020-09-03 00:08:56 scdaemon[5332] Max-Cert3-Len ..: 1216 2020-09-03 00:08:56 scdaemon[5332] Cmd-Chaining ...: yes 2020-09-03 00:08:56 scdaemon[5332] Ext-Lc-Le ......: no 2020-09-03 00:08:56 scdaemon[5332] Status-Indicator: 05 2020-09-03 00:08:56 scdaemon[5332] GnuPG-No-Sync ..: no 2020-09-03 00:08:56 scdaemon[5332] GnuPG-Def-PW2 ..: no 2020-09-03 00:08:56 scdaemon[5332] Key-Attr-sign ..: RSA, n=4096, e=17, fmt=std 2020-09-03 00:08:56 scdaemon[5332] Key-Attr-encr ..: RSA, n=4096, e=17, fmt=std 2020-09-03 00:08:56 scdaemon[5332] Key-Attr-auth ..: RSA, n=4096, e=17, fmt=std 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO 2020-09-03 00:08:56 scdaemon[5332] triggering event 0x00000290 (0x00000290) for client -1 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETINFO card_list 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO --demand= 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR $AUTHKEYID 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S $AUTHKEYID 
OPENPGP.3 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR SERIALNO 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- READKEY OPENPGP.3 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_00000150 -> [ 44 20 28 ...( byte(s) skipped) ] 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- GETATTR $DISPSERIALNO 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S $DISPSERIALNO 000606330752 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- RESTART 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SERIALNO --demand= 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> S SERIALNO 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- SETDATA XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_0x00000150 <- PKAUTH OPENPGP.3 2020-09-03 00:08:56 scdaemon[5332] DBG: asking for PIN '||Please unlock the card%0A%0A Number: XXXX XXXXXXXX%0AHolder: Ave Milia' 2020-09-03 00:08:56 scdaemon[5332] DBG: chan_00000150 -> [ 49 4e 51 ...( byte(s) skipped) ] 2020-09-03 00:09:05 scdaemon[5332] DBG: chan_00000150 <- [ 44 20 7e ...( byte(s) skipped) ] 2020-09-03 00:09:05 scdaemon[5332] DBG: chan_0x00000150 <- END 2020-09-03 00:09:08 scdaemon[5332] operation auth result: Success 2020-09-03 00:09:08 scdaemon[5332] DBG: chan_00000150 -> [ 44 20 39 ...( byte(s) skipped) ] 2020-09-03 
00:09:08 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 <- RESTART 2020-09-03 00:09:08 scdaemon[5332] DBG: chan_0x00000150 -> OK 2020-09-03 00:09:32 scdaemon[5332] DBG: chan_0x00000150 <- killscd 2020-09-03 00:09:32 scdaemon[5332] DBG: chan_0x00000150 -> OK closing connection scdaemon.conf on local: card-timeout 5 verbose debug-level advanced log-file C:\Users\avemilia\AppData\Roaming\gnupg\scdaemon.log gpg.conf on local: identical to remote If you need any additional logs, e.g. ssh -v, or certain lines unredacted, I can provide them as well. To summarize the problem: I want to forward gpg-agent, got "forbidden" errors, tried additionally forwarding gpg-ssh-agent and the errors are still present. No more ideas how to fix it. [0] [1] [2] [3] [4] [5] [6] From sac at 300baud.de Thu Sep 3 16:54:15 2020 From: sac at 300baud.de (Stefan Claas) Date: Thu, 3 Sep 2020 16:54:15 +0200 Subject: croc .onion relay for GnuPG encrypted documents or files. Message-ID: <20200903165415.00005fc0@300baud.de> Hi all, email might sometimes not be ideal for GnuPG encrypted data transfer, due to attachment file size limits or that users do not like to show to third parties the communication paths used, revealing the sender and receiver. Some of you may know Micah's OnionShare or Magic Wormhole etc. The disadvantage of OnionShare is IMHO that you always must tell your communications partner the .onion URL in advance and that it can not be used with an Android smart phone, AFAIR. Magic Wormhole I found to difficult to install under Windows, for the average user, if he does not know how to fix erros, which may occur when installing. So I looked a while ago a bit around and found croc, https://github.com/schollz/croc which is easy to use and written in Golang (yay :-)), thus allowing one also to use it under Android, with Termux, for example. 
While there is no information available to use it with socat (which is also available as Windows .exe) via Tor, I noodled a bit around and found a solution to use croc via a Tor Hidden Service Onion Relay.

The good thing is that setting up an .onion relay only requires a cheap VPS server, without registering an own domain. croc does not store files nor does it keep logs and only 'glues' together both endpoints, in order to perform the transfer. A croc operator can set a pass phrase for his relay and users can also use pre-defined codes, which they share in advance.

OK, here is the set-up I used:

1. Open ports 9009, 9010, 9011, 9012 and 9013 in your firewall, on your VPS server.

Once you have set up your Tor Hidden Service add the following lines to your torrc:

  HiddenServicePort 9009 127.0.0.1:9009
  HiddenServicePort 9010 127.0.0.1:9010
  HiddenServicePort 9011 127.0.0.1:9011
  HiddenServicePort 9012 127.0.0.1:9012
  HiddenServicePort 9013 127.0.0.1:9013

Restart Tor.

Follow the instructions on GitHub on how to use croc. As relay operator you can start your relay like this:

  $ croc relay --pass="yourrelaypassphrase"

In order that you can send GnuPG encrypted documents, files or folders via the Tor relay, you and your communication partner of course need Tor and socat installed and the following socat one-liner:

  echo -n 9009 9010 9011 9012 9013 | xargs -d ' ' -I% bash -c 'socat tcp4-listen:5870,fork socks4a:127.0.0.1:youronionaddresss.onion:%,socksport=9050'

What I have not figured out yet is to run this one-liner properly under cmd.exe, due to the xargs command. If you have a Windows solution for this please post it here.

Hope you find this info useful. And if you know a better and easier way to transfer GnuPG encrypted documents or files (cross-platform and mobile), please let me/us know.
Regards
Stefan

From wk at gnupg.org Thu Sep 3 18:44:35 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 03 Sep 2020 18:44:35 +0200
Subject: [Announce] [security fix] GnuPG 2.2.23 released
Message-ID: <87h7seyfm4.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release: version 2.2.23. This version fixes a *critical security bug* in versions 2.2.21 and 2.2.22.

Impact
======

These versions are affected:

- GnuPG 2.2.21 (released 2020-07-09)
- GnuPG 2.2.22 (released 2020-08-27)
- Gpg4win 3.1.12 (released 2020-07-24)

All other versions are not affected.

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus trigger this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control, with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug because such a system uses a curated list of keys.

A CVE-id has not yet been assigned. We track this bug at https://dev.gnupg.org/T5050

Solution
========

If GnuPG version 2.2.21 or 2.2.22 is in use please update ASAP to version 2.2.23. If you are using an older version or a beta of version 2.3 no immediate action is required.

If you are using Gpg4win 3.1.12 or GnuPG VS-Desktop 3.1.12 you may either wait for a fixed release which we will provide very soon or install GnuPG version 2.2.23 on top.

If installation of a new version is not possible, applying the patch https://dev.gnupg.org/rGaeb8272ca8aad403a4baac33b8d5673719cfd8f0 is also sufficient.

About GnuPG
===========

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation of the OpenPGP and S/MIME standards.
GnuPG allows you to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. The separate library GPGME provides a uniform API to use the GnuPG engine by software written in common programming languages. A wealth of frontend applications and libraries making use of GnuPG are available. As a universal crypto engine GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Noteworthy changes in version 2.2.23
====================================

* gpg: Fix AEAD preference list overflow. [#5050]

* gpg: Fix a possible segv in the key cleaning code.

* gpgsm: Fix a minor RFC2253 parser bug. [#5037]

* scdaemon: Fix a PIN verify failure on certain OpenPGP card implementations. Regression in 2.2.22. [#5039]

* po: Fix bug in the Hungarian translation. Updates for the Czech, Polish, and Ukrainian translations.

Release-info: https://dev.gnupg.org/T5045

Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG 2.2.23 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at . Note that GnuPG is not available at ftp.gnu.org.
The GnuPG source code compressed using BZIP2 and its OpenPGP signature are available here:

  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.23.tar.bz2 (6933k)
  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.23.tar.bz2.sig

An installer for Windows without any graphical frontend except for a very minimal Pinentry tool is available here:

  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.23_20200903.exe (4187k)
  https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.23_20200903.exe.sig

The source used to build the Windows installer can be found in the same directory with a ".tar.xz" suffix.

A new version of the GnuPG Desktop for Windows (aka Gpg4win) featuring this version of GnuPG will be released shortly.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.2.23.tar.bz2 you would use this command:

    gpg --verify gnupg-2.2.23.tar.bz2.sig gnupg-2.2.23.tar.bz2

  This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See the end of this mail for information on the signing keys.

* If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum".
  Assuming you downloaded the file gnupg-2.2.23.tar.bz2, you run the command like this:

    sha1sum gnupg-2.2.23.tar.bz2

  and check that the output matches the next line:

    bd949b4af7426e4afc13667d678503063c6aa4b5  gnupg-2.2.23.tar.bz2
    c4435707bef33a612d54114f53837b19fcea38f5  gnupg-w32-2.2.23_20200903.tar.xz
    489bc6de0a078248086f3214ca298dd6145ec497  gnupg-w32-2.2.23_20200903.exe

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese (traditional and simplified), Czech, French, German, Japanese, Norwegian, Polish, Russian, and Ukrainian being almost completely translated.

Documentation and Support
=========================

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system. Separate man pages are included as well but they miss some of the details available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing list for advice on how to solve problems. Most of the new features are around for several years and thus enough public experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and related software.

In case of build problems specific to this release please first check https://dev.gnupg.org/T5045 for updated information.

Please consult the archive of the gnupg-users mailing list before reporting a bug: . We suggest sending bug reports for a new release to this list in favor of filing a bug at . If you need commercial support go to or .
If you are a developer and you need a certain feature for your project, please do not hesitate to bring it to the gnupg-devel mailing list for discussion.

Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH and currently mostly financed by donations. Two full-time employed developers as well as two contractors exclusively work on GnuPG and closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, or answering questions on the mailing lists.

Many thanks to our numerous financial supporters, both corporate and individuals. Without you it would not be possible to keep GnuPG in a good and secure shape and to address all the small and larger requests made by our users. Thanks.

Special thanks to Andreas Stieger for reporting a bug and providing detailed information for us to track this down.

Happy hacking,

  Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners.
Current releases are signed by one or more of these four keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

The keys are available at and in any recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed by a different key.

--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From konstantin at linuxfoundation.org Fri Sep 4 16:25:51 2020
From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Date: Fri, 4 Sep 2020 10:25:51 -0400
Subject: [Announce] [security fix] GnuPG 2.2.23 released
In-Reply-To: <87h7seyfm4.fsf@wheatstone.g10code.de>
References: <87h7seyfm4.fsf@wheatstone.g10code.de>
Message-ID: <20200904142551.gffbjdk4twlrsaf4@chatter.i7.local>

On Thu, Sep 03, 2020 at 06:44:35PM +0200, Werner Koch via Gnupg-users wrote:
> Hello!
>
> We are pleased to announce the availability of a new GnuPG release:
> version 2.2.23. This version fixes a *critical security bug* in
> versions 2.2.21 and 2.2.22.
For those using gnupg22-static on el7 via the icon/lfit COPR, updates are now available and can be applied by running:

    yum update gnupg22-static

https://copr.fedorainfracloud.org/coprs/icon/lfit/

-K

From olav at seyfarth.de Sun Sep 6 01:24:52 2020
From: olav at seyfarth.de (Olav Seyfarth)
Date: Sun, 6 Sep 2020 01:24:52 +0200
Subject: How to migrate my key from card to file?
Message-ID: <4bd6dd39-2a51-e6ff-2231-ec71eb8ba4e4@seyfarth.de>

Hi list,

I did search but did not find a useful answer to my question. In 2017 someone else asked:

> During generating the keys on the GnuPG card, one can (and should)
> create some backup of the secret key into a file. It is totally
> unclear to me how to make something useful out of this file, for
> example import it into a "normal" secret keyring to use it in case of
> the GnuPG card gets lost.

The discussion that followed explained how to create another CARD based key from the backup. That is NOT my concern, I know how to do this. Thus, I'd like to put this more specifically:

I want to no longer use a card (e.g. in order to be able to read old messages on a mobile device, or in Thunderbird 78.2.1 WITHOUT the use of GnuPG) but want to use the OLD CARD KEY. I did create the key "on card"* (with --card-edit/admin/generate, NOT as plain file and then with --keytocard). I do have a private_stub.gpg, pubkey.gpg and sk_xxx.gpg.

*As I read in the above thread, the code actually generates the key as a file, writes out a backup file and transfers it to the card. So maybe I'd rather have used file based creation+backup-my-key+keytocard in the first place, but I did not.

My question: Now that I have the above three files (and a working card with the secret key on it), how can I use these to create a plain file based private+public keypair from it?
Regards
Olav

From sac at 300baud.de Sun Sep 6 11:16:48 2020
From: sac at 300baud.de (Stefan Claas)
Date: Sun, 6 Sep 2020 11:16:48 +0200
Subject: In case you use OpenPGP on a smartphone ...
In-Reply-To: <20200813101535.000020d3@300baud.de>
References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200813101535.000020d3@300baud.de>
Message-ID: <20200906111648.00006003@300baud.de>

Stefan Claas wrote:

> vedaal at nym.hush.com wrote:
>
> > On 8/11/2020 at 3:00 PM, "Stefan Claas" wrote:
> >
> > ...
> >
> > >As understood a Pegasus operator can do what ever
> > >he likes to do remotely, anonymously with our (Android/iOS)
> > >smartphone, without that we know that this happens.
> >
> > ...
> >
> > >in form of a best practice FAQ (cross-platform), to no longer use
> > >encryption software on online devices and work out
> > >strategies to use offline devices and how to handle this data
> > >securely over to an online device, until proper and affordable
> > >hardware encryption devices for online usage are available?
> >
> > =====
> >
> > There is already a simple existing solution.
> >
> > [1] Encrypt and decrypt on a computer that has internet hardware disabled.
>
> I am thinking about this mobile one, once it hits the market.
>
> https://pocket.popcorncomputer.com/#products
>
> > [2] Use an Orbic Journey V phone that gets and sends *only text*
>
> Seems not to be available in Germany, so I must look for a similar one.

Thinking about another option smart phone users can try (I currently have no second smart phone). Since I am new to smart phone usage, I figured out that one can use a second smart phone without a SIM-Card and with WiFi disabled. :-)

This means to me, regardless if people would use Android with Termux and GnuPG or a Linux smart phone, that they simply create the messages on the IMHO not (so easy?!)
compromisable second offline smart phone and then transfer securely the encrypted messages to the compromised online usage smart phone.

Regards
Stefan

From includestdioh at secmail.pro Sun Sep 6 20:58:42 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Sun, 6 Sep 2020 11:58:42 -0700
Subject: On Becky! Internet Mail's GnuPG Plugin
Message-ID:

As advised by Mr.Koch, my original plea on the subject: https://dev.gnupg.org/T5032

Cheers :)

From sac at 300baud.de Mon Sep 7 00:01:02 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 7 Sep 2020 00:01:02 +0200
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To:
References:
Message-ID: <20200907000102.00001b28@300baud.de>

Dieter Frye wrote:

> As advised by Mr.Koch, my original plea on the subject:
> https://dev.gnupg.org/T5032
>
> Cheers :)

Hi,

curious as I am, if I understand it right, you use Windows XP with Becky as MUA for GnuPG or would like to use it with the latest version of GnuPG?

Your posting is done via secmail.pro, a Tor email provider, which requires AFAIK Tor Browser Bundle to access the service.

My question, if you don't mind, does the latest Tor Browser Bundle still support Windows XP and how do you use Becky with secmail.pro?

Regards
Stefan

From wk at gnupg.org Mon Sep 7 09:02:02 2020
From: wk at gnupg.org (Werner Koch)
Date: Mon, 07 Sep 2020 09:02:02 +0200
Subject: How to migrate my key from card to file?
In-Reply-To: <4bd6dd39-2a51-e6ff-2231-ec71eb8ba4e4@seyfarth.de> (Olav Seyfarth's message of "Sun, 6 Sep 2020 01:24:52 +0200")
References: <4bd6dd39-2a51-e6ff-2231-ec71eb8ba4e4@seyfarth.de>
Message-ID: <87a6y22hp1.fsf@wheatstone.g10code.de>

On Sun, 6 Sep 2020 01:24, Olav Seyfarth said:

> private_stub.gpg, pubkey.gpg and sk_xxx.gpg.

The pubkey and the sk_KEYID.gpg are all you need but unfortunately there is no tool support to create a file from it. It would require a little bit of hacking to do this with the current code base.
The feature I would propose here is a way to create a private-keys-v1.d/xxx.key file from a sk_KEYID.gpg file. It should not be too much work and I can imagine that this will go into 2.3. Can you please do me a favor and open a feature request at dev.gnupg.org ?

Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From includestdioh at secmail.pro Mon Sep 7 13:58:21 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Mon, 7 Sep 2020 04:58:21 -0700
Subject: On Becky! Internet Mail's GnuPG Plugin
Message-ID:

> Hi,
>
> curious as I am, if I understand it right, you use Windows XP
> with Becky as MUA for GnuPG or would like to use it with the
> latest version of GnuPG?

Howdy.

So yes, I'm using Becky! as a MUA + an outdated GnuPG plugin on Windows XP, but functionality is somewhat crippled for anything other than GnuPG v1.4.

> Your posting is done via secmail.pro, a Tor email provider,
> which requires AFAIK Tor Browser Bundle to access the service.
>
> My question, if you don't mind, does the latest Tor Browser
> Bundle still support Windows XP and how do you use Becky
> with secmail.pro?

Nope, they dropped support for XP (specifically the browser part) a while ago, which thing never really affected me since I use a third party browser which I interface with the "expert bundle" exe that they continue to distribute. Of course, that's a gross oversimplification of what's actually going on this computer, but you catch my drift.

As far as secmail.pro is concerned, it's not possible to use it with Becky! because there's no server-side support for SMTP, POP3 or IMAP, so I'm writing directly from secmail's web interface.
Unfortunately since practically every single internet service in existence (be it mail, fora or otherwise) has been in bed with the worldwide private data collection operation going on right now (look up PRISM and the ShadowGate documentary) it's no longer possible (and so it's been for nearly a decade now) to anonymously register any type of account anywhere, meaning I'm technically shunned from the Internet and it's nothing short of a miracle that I'm able to post here at all. I'm actually shocked this place hasn't been hijacked by vpn-hating cloudflare and the google captcha nazis because that's true everywhere else.

Currently I use another free, anonymous e-mail service called TorBox which does have SMTP/POP3 support for everyday communications, though that's only viable for people operating within the TOR network as it's got no clearweb support unlike secmail itself, which at the end of the day is kind of a useless thing anyways given its blacklisted status (and that completely without justification) among most every big and small e-mail provider out there.

From sac at 300baud.de Mon Sep 7 16:37:22 2020
From: sac at 300baud.de (Stefan Claas)
Date: Mon, 7 Sep 2020 16:37:22 +0200
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To:
References:
Message-ID: <20200907163722.0000048d@300baud.de>

Dieter Frye wrote:

> > Hi,
> >
> > curious as I am, if I understand it right, you use Windows XP
> > with Becky as MUA for GnuPG or would like to use it with the
> > latest version of GnuPG?
>
> Howdy.
>
> So yes, I'm using Becky! as a MUA + an outdated GnuPG plugin on Windows
> XP, but functionality is somewhat crippled for anything other than GnuPG
> v1.4.
>
> > Your posting is done via secmail.pro, a Tor email provider,
> > which requires AFAIK Tor Browser Bundle to access the service.
> >
> > My question, if you don't mind, does the latest Tor Browser
> > Bundle still support Windows XP and how do you use Becky
> > with secmail.pro?
>
> Nope, they dropped support for XP (specifically the browser part) a while
> ago, which never really affected me since I use a third party
> browser which I interface with the "expert bundle" exe that they continue
> to distribute. Of course, that's a gross oversimplification of what's
> actually going on with this computer, but you catch my drift.
>
> As far as secmail.pro is concerned, it's not possible to use it with
> Becky! because there's no server-side support for SMTP, POP3 or IMAP, so
> I'm writing directly from secmail's web interface.

Ah, ok, thanks for the information!

> Unfortunately, since practically every single internet service in existence (be it mail, fora or otherwise) has been in bed with the worldwide private data collection operation going on right now (look up PRISM and the ShadowGate documentary), it's no longer possible (and so it's been for nearly a decade now) to anonymously register any type of account anywhere, meaning I'm technically shunned from the Internet and it's nothing short of a miracle that I'm able to post here at all. I'm actually shocked this place hasn't been hijacked by vpn-hating cloudflare and the google captcha nazis because that's true everywhere else.

Yes, it is not easy nowadays. Besides cryptography, anonymous communication is also a hobby of mine, since the early cypherpunk days, and I always look for new ways to achieve that. I recently did some experiments with some well known wannabe anonymous email services and how to register with them anonymously, so that their security checks can be bypassed. Currently I focus on anonymous communications in combination with offline devices, to protect better against Pegasus, FinFisher and other crap.
> Currently I use another free, anonymous e-mail service called TorBox which does have SMTP/POP3 support for everyday communications, though that's only viable for people operating within the TOR network as it's got no clearweb support, unlike secmail itself, which at the end of the day is kind of a useless thing anyways given its blacklisted status (and that completely without justification) among most every big and small e-mail provider out there.

Yes, blacklisting small providers is not nice, but at least users can purchase a cheap VPS server and run their own mail server, which adds decentralization to the email world.

Regards
Stefan

From ryan at digicana.com Tue Sep 8 18:14:13 2020
From: ryan at digicana.com (ryan at digicana.com)
Date: Tue, 08 Sep 2020 16:14:13 +0000
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To:
References:
Message-ID: <005701d685fb$16b9d010$442d7030$@digicana.com>

A. Yes, you can still anonymously register for almost anything. It's not straightforward and requires a bit of forethought and jumping through hoops. No, it probably won't defeat the NSA, but if they're your adversary what in blue blazes are you doing using any kind of electronic device let alone posting here.

B. The Shadowgate documentary isn't. This is Coo-Coo for CocoaPuffs territory. If you want to believe that stuff that's cool, just thought I'd make sure to stick the tinfoil tag on this one since you speak of it like it's a legit thing.
https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/

C. Replying to the person you were replying to -- how pants on head stupid does one have to be to use Tor browser (or any type of security critical software) on XP? If you think that's a good idea then you shouldn't be using Tor.
Either you don't need Tor and using Tor is silly for you, or you do need Tor and you're going to hurt yourself bad by having not the slightest clue how to use Tor safely.

D: If you really need secure anonymous email, fire up TAILS on a bootable DVD, sign up for a free Protonmail account over Tor, use a burner prepaid phone number to authenticate to Protonmail (Protonmail correctly gets worried about Tor signups), access Protonmail only over Tor (they have a hidden service). If that's not good enough to circumvent your adversaries, again, you should probably just move up into the remote Alaskan wilderness and live off wild animals and shrubbery for the rest of your life and hope the bad men never find you.

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From rjh at sixdemonbag.org Tue Sep 8 18:47:30 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 8 Sep 2020 12:47:30 -0400
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <005701d685fb$16b9d010$442d7030$@digicana.com>
References: <005701d685fb$16b9d010$442d7030$@digicana.com>
Message-ID: <77170606-50d9-a6b1-a1b6-dd3dfb4ad1cd@sixdemonbag.org>

> A. Yes, you can still anonymously register for almost anything.
> It's not straightforward and requires a bit of forethought and
> jumping through hoops. No, it probably won't defeat the NSA, but if
> they're your adversary what in blue blazes are you doing using any
> kind of electronic device let alone posting here.

As I have told several people, the moment your threat model is "I am of interest to a major nation-state intelligence agency" your response needs to be either "call my lawyer and sit down for a long talk with them" or else "withdraw all my savings as cash and go on the run refusing to use any technology more complicated than a frying pan".

There are no realistic in-betweens.

Bin Laden went for option #2, and was able to survive for almost ten years while being of interest to every world intelligence agency. It's good advice, it seriously is. But I'm not kidding about refusing to use any technology more complicated than a frying pan.

> B. The Shadowgate documentary isn't. This is Coo-Coo for CocoaPuffs
> territory.

Yep.

> If that's not good enough to circumvent your adversaries, again, you
> should probably just move up into the remote Alaskan wilderness and
> live off wild animals and shrubbery for the rest of your life and
> hope the bad men never find you.

A frying pan might be useful should one elect to go this route!

From sac at 300baud.de Tue Sep 8 19:03:21 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 8 Sep 2020 19:03:21 +0200
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <005701d685fb$16b9d010$442d7030$@digicana.com>
References: <005701d685fb$16b9d010$442d7030$@digicana.com>
Message-ID: <20200908190256.0000144f@300baud.de>

Ryan McGinnis via Gnupg-users wrote:

> B. The Shadowgate documentary isn't. This is Coo-Coo for CocoaPuffs territory.
> If you want to believe that stuff that's cool, just thought I'd make sure to stick the tinfoil tag on this one since you speak of it like it's a legit thing.
> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/

Well, to be fair, people in Germany, for example, who have seen the German Edition of Shadow Gate may not know that private contractors exist and what their role is. At least it is now known that they exist.

https://www.seattletimes.com/nation-world/private-contractors-play-key-role-in-us-intelligence-work/

The other question which might come up: what is all this IIA and PsyOps stuff people are talking about?

https://theintercept.com/2015/08/07/psychologists-work-gchq-deception-unit-inflames-debate-among-peers/

Maybe people have also heard of the term Cyber Warfare and wonder if it really exists and what it does, knowing that the below mentioned brigade has a software running called Shadownet.

https://www.army.mil/article/194646/91st_cyber_brigade_activated_as_army_national_guards_first_cyber_brigade

So all in all, whether people think Shadow Gate is a hoax etc., at least it is quite interesting to watch, because it is well made and should animate people to think more about what the future will bring with this whole commercial Internet crap of today. Thanks to Bill Clinton and Al Gore for 'inventing' the Internet. Before that 'invention' the Internet was a nice place.

> D: If you really need secure anonymous email, fire up TAILS on a bootable DVD, sign up for a free Protonmail account over
> Tor, use a burner prepaid phone number to authenticate to Protonmail (Protonmail correctly gets worried about Tor signups),
> access Protonmail only over Tor (they have a hidden service).
> If that's not good enough to circumvent your adversaries,
> again, you should probably just move up into the remote Alaskan wilderness and live off wild animals and shrubbery for the
> rest of your life and hope the bad men never find you.

People who try to sign up anonymously with Tor Browser will face the problem that all (random) user ids are already 'taken', thus making it impossible to sign up via Tor. Maybe you or others had luck in the past.

Regards
Stefan

From rjh at sixdemonbag.org Tue Sep 8 19:13:04 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 8 Sep 2020 13:13:04 -0400
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To:
References: <005701d685fb$16b9d010$442d7030$@digicana.com> <77170606-50d9-a6b1-a1b6-dd3dfb4ad1cd@sixdemonbag.org>
Message-ID: <3e2b2c9f-3eae-0139-90c1-19a58217603d@sixdemonbag.org>

On 9/8/20 12:59 PM, Avi wrote:
> Go cast iron. You can use it over an open fire in the tundra and it
> makes a decent self-defense weapon against rampaging moose. :)

A møøse once bit my sister.

From rjh at sixdemonbag.org Tue Sep 8 19:55:30 2020
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 8 Sep 2020 13:55:30 -0400
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <20200908190256.0000144f@300baud.de>
References: <005701d685fb$16b9d010$442d7030$@digicana.com> <20200908190256.0000144f@300baud.de>
Message-ID: <5341d70d-11b1-7f34-471f-a948f53ca80c@sixdemonbag.org>

> Well, to be fair, people in Germany, for example, who have seen the
> German Edition of Shadow Gate may not know that private contractors
> exist and what their role is. At least it is now known that they
> exist.

I have already begged you once, Stefan, to stop hyping this disinformation.

From sac at 300baud.de Tue Sep 8 20:06:54 2020
From: sac at 300baud.de (Stefan Claas)
Date: Tue, 8 Sep 2020 20:06:54 +0200
Subject: On Becky!
 Internet Mail's GnuPG Plugin
In-Reply-To: <5341d70d-11b1-7f34-471f-a948f53ca80c@sixdemonbag.org>
References: <005701d685fb$16b9d010$442d7030$@digicana.com> <20200908190256.0000144f@300baud.de> <5341d70d-11b1-7f34-471f-a948f53ca80c@sixdemonbag.org>
Message-ID: <20200908200654.000069d5@300baud.de>

Robert J. Hansen wrote:

> > Well, to be fair, people in Germany, for example, who have seen the
> > German Edition of Shadow Gate may not know that private contractors
> > exist and what their role is. At least it is now known that they
> > exist.
>
> I have already begged you once, Stefan, to stop hyping this disinformation.

Robert,

If you remember the other thread, I said I will do so, in *that* thread. You should also see my reply in context with the provided URLs, which you have not quoted.

Regards
Stefan

From avi.wiki at gmail.com Tue Sep 8 18:59:27 2020
From: avi.wiki at gmail.com (Avi)
Date: Tue, 8 Sep 2020 12:59:27 -0400
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <77170606-50d9-a6b1-a1b6-dd3dfb4ad1cd@sixdemonbag.org>
References: <005701d685fb$16b9d010$442d7030$@digicana.com> <77170606-50d9-a6b1-a1b6-dd3dfb4ad1cd@sixdemonbag.org>
Message-ID:

Go cast iron. You can use it over an open fire in the tundra and it makes a decent self-defense weapon against rampaging moose. :)

Avi

--
Sent from Gmail Mobile

From includestdioh at secmail.pro Tue Sep 8 22:31:05 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Tue, 8 Sep 2020 13:31:05 -0700
Subject: On Becky! Internet Mail's GnuPG Plugin
Message-ID: <93a7b90e10bb8632d305719fa4843277.squirrel@giyzk7o6dcunb2ry.onion>

> Dieter Frye wrote:
>
>> > Hi,
>>
>> > curious as I am, If I understand it right, you use Windows XP
>> > with Becky as MUA for GnuPG or would like to use it with the
>> > latest version of GnuPG?
>>
>> Howdy.
>>
>> So yes, I'm using Becky!
>> as a MUA + an outdated GnuPG plugin on Windows
>> XP, but functionality is somewhat crippled for anything other than GnuPG
>> v1.4.
>>
>> > Your posting is done via secmail.pro, a Tor email provider,
>> > which requires AFAIK Tor Browser Bundle to access the service.
>>
>> > My question, if you don't mind, does the latest Tor Browser
>> > Bundle still support Windows XP and how do you use Becky
>> > with secmail.pro?
>>
>> Nope, they dropped support for XP (specifically the browser part) a
>> while ago, which never really affected me since I use a third party
>> browser which I interface with the "expert bundle" exe that they
>> continue to distribute. Of course, that's a gross oversimplification
>> of what's actually going on with this computer, but you catch my drift.
>>
>> As far as secmail.pro is concerned, it's not possible to use it with
>> Becky! because there's no server-side support for SMTP, POP3 or IMAP, so
>> I'm writing directly from secmail's web interface.
>
> Ah, ok, thanks for the information!
>

You're welcome.

>> Unfortunately, since practically every single internet service in
>> existence (be it mail, fora or otherwise) has been in bed with the
>> worldwide private data collection operation going on right now (look up
>> PRISM and the ShadowGate documentary), it's no longer possible (and so
>> it's been for nearly a decade now) to anonymously register any type of
>> account anywhere, meaning I'm technically shunned from the Internet and
>> it's nothing short of a miracle that I'm able to post here at all. I'm
>> actually shocked this place hasn't been hijacked by vpn-hating
>> cloudflare and the google captcha nazis because that's true everywhere
>> else.
>
> Yes, it is not easy nowadays. Besides cryptography, anonymous communication
> is also a hobby of mine, since the early cypherpunk days, and I always look
> for new ways to achieve that.
> I recently did some experiments with some well
> known wannabe anonymous email services and how to register with them
> anonymously, so that their security checks can be bypassed. Currently I
> focus on anonymous communications in combination with offline devices,
> to protect better against Pegasus, FinFisher and other crap.
>

Neat. I was still able to use one of my old "nym.aliased" gmx with Quicksilvermail like 8 years ago or whatever it was. Eventually most if not all public remailers went belly up, and gmx, just like every other internet service I had been using for years at that point, stone cold cancelled my account as I refused to comply with their new "privacy policies" where I'd have been required to hand over my personal information for no legitimate reason at all. What a bunch of creeps.

Now touching on private communications in general, there's this one place left most people never heard of called Freenet, specifically the FMS fora (usenet-style, compatible with NNTP clients and all) operating within, which's completely free, decentralized, anonymous and fully censorship/DOS resistant. Definitely worth checking out and telling others about. BitMessage appears to be a somewhat solid alternative to FMS if you can't really be online regularly, but it's got nowhere near the level of utility.

>> Currently I use another free, anonymous e-mail service called TorBox
>> which does have SMTP/POP3 support for everyday communications, though
>> that's only viable for people operating within the TOR network as it's
>> got no clearweb support, unlike secmail itself, which at the end of the
>> day is kind of a useless thing anyways given its blacklisted status (and
>> that completely without justification) among most every big and small
>> e-mail provider out there.
>
> Yes, blacklisting small providers is not nice, but at least users can
> purchase a cheap VPS server and run their own mail server, which adds
> decentralization to the email world.
>
> Regards
> Stefan
>

Unfortunately the main issue for me is being able to communicate with the outside world, and most of this problem can be traced back to society in general having an obstinate pathological aversion towards privacy that cannot be explained away without looking into the recent history of soviet-style psyops unleashed in the western world.

From includestdioh at secmail.pro Tue Sep 8 22:32:41 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Tue, 8 Sep 2020 13:32:41 -0700
Subject: On Becky! Internet Mail's GnuPG Plugin
Message-ID:

> A. Yes, you can still anonymously register for almost anything. It's not
> straightforward and requires a bit of forethought and jumping through
> hoops.
>

Not even close. Only a prepaid phone will do, which are not available where I live, and even if they were, I'd still be required to show some form of ID in order to get it, which defeats the whole purpose of getting one in the first place.

> No, it probably won't defeat the NSA, but if they're your
> adversary what in blue blazes are you doing using any kind of electronic
> device let alone posting here.
>

In the world we live in right now, a comment someone pretends to be offended by will get you jail time. It's that bad. I'm not being singled out by the NSA or anything, and that in part due to the fact that there's absolutely not a trace of anything on the internet that can be linked back to my real identity. I arduously cultivated my anonymity from the get go so as to be able to operate freely in the shadows, and it's now paying off in the form of relative tranquility as I stand untouched in the midst of this cruel, worldwide socialist takeover.

> B. The Shadowgate documentary isn't. This is Coo-Coo for CocoaPuffs
> territory. If you want to believe that stuff that's cool, just thought
> I'd make sure to stick the tinfoil tag on this one since you speak of it
> like it's a legit thing.
> https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/
>

There's nothing in that article that even begins to disprove anything the ShadowGate documentary addressed; literally not one thing. Just a bunch of NPC's running their mouths spewing the same old tired lies and slander, which's standard practice for fake news socialist outlets anyways. Just don't let others do the thinking for you.

> C. Replying to the person you were replying to -- how pants on head stupid
> does one have to be to use Tor browser (or any type of security critical
> software) on XP? If you think that's a good idea then you shouldn't be
> using Tor.
>

The TOR Browser is an accident waiting to happen irrespective of the system it's running on. XP is secure to the extent that you know how to make it secure, and that goes for any operating system flexible enough for the task.

> D: If you really need secure anonymous email, fire up TAILS on a bootable
> DVD
>

There's no value in doing that since there's nothing I need to perform securely that XP will not cooperate with, and besides all this, you do NOT want to blindly capitulate your security to any AIO "solution" like Tails, especially in light of its flaws. You're much better off acquiring an adequate understanding of whatever OS you're running and making the necessary changes as you go. Of course there's a limit to that, and certain OS' are plainly and simply way too compromised and stiff for any privacy-related work, but XP is far from being one of them.

> , sign up for a free Protonmail account over Tor, use a burner prepaid
> phone number to authenticate to Protonmail (Protonmail correctly gets
> worried about Tor signups), access Protonmail only over Tor (they have a
> hidden service).
>

Not possible as explained above, and quite frankly Protonmail is one of the worst offenders because they shun people who are concerned with privacy...in the name of privacy, of all things.
What a dishonest bunch.

> If that's not good enough to circumvent your
> adversaries, again, you should probably just move up into the remote
> Alaskan wilderness and live off wild animals and shrubbery for the rest of
> your life and hope the bad men never find you.
>

I'll be going up in the rapture before it gets that crazy, so that's something for the leftbehinders to figure out ;)

From ryan at digicana.com Wed Sep 9 00:35:25 2020
From: ryan at digicana.com (ryan at digicana.com)
Date: Tue, 08 Sep 2020 22:35:25 +0000
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To:
References:
Message-ID: <00fd01d68630$55e806f0$01b814d0$@digicana.com>

Unless you live in North Korea or something there are always ways around SIM registration laws, though they get expensive depending on where you live. If you have a trusted US contact you can just have them grab you a bunch of Mint Mobile SIMs and have them cooperate with sending you the OTP codes during signups, for example. Or if you are a man of many quatloos, you can fly to the U.S. and do the trick here yourself and then fly back home and use the accounts. Once you sign up you change the OTP recovery phone number to a VOIP number you control (you'd need to purchase this VOIP number anonymously too, there are plenty of ways to do that like MySudo, Twilio, etc.). But unless you're doing some really hinky-dinky stuff like investigating organized criminals or sending the Guardian classified videos of drone strikes on baby kittens, this is mega overkill.

Using XP is madness, IMO. If you're that into rolling your own system why in the heck wouldn't you be petting the penguin? I mean, why would you use a fully configurable open source OS or a fully audited secure distro based on said open source OS when you could instead use an obsolete proprietary OS that's had no security patches in over half a decade? I wouldn't even trust XP for airgapping.
If the baddies were really after you I'm sure they'd find whatever you've done to harden your XP boxen super amusing. They might even send each other screenshots of your setup over Signal while making funny comments.

From includestdioh at secmail.pro Wed Sep 9 13:00:45 2020
From: includestdioh at secmail.pro (Dieter Frye)
Date: Wed, 9 Sep 2020 04:00:45 -0700
Subject: On Becky! Internet Mail's GnuPG Plugin
In-Reply-To: <00fa01d68630$28fa8ff0$7aefafd0$@digicana.com>
References: <00fa01d68630$28fa8ff0$7aefafd0$@digicana.com>
Message-ID:

> Unless you live in North Korea or something there are always ways around
> SIM registration laws, though they get expensive depending on where you
> live.
>

This may have been true at some point in the past, but unfortunately I failed to secure this type of solution when I had the chance to. Today it simply isn't viable.

> If you have a trusted US contact you can just have them grab you a
> bunch of Mint Mobile SIMs and have them cooperate with sending you the OTP
> codes during signups, for example.
>

My trusted contacts, irrespective of the country they reside in, are in pretty much the same situation as myself, so unfortunately it's no use.

> Or if you are a man of many quatloos,
> you can fly to the U.S.
> and do the trick here yourself and then fly back
> home and use the accounts. Once you sign up you change the OTP recovery
> phone number to a VOIP number you control (you'd need to purchase this
> VOIP number anonymously too, there are plenty of ways to do that like
> MySudo, Twilio, etc.). But unless you're doing some really hinky-dinky
> stuff like investigating organized criminals or sending the Guardian
> classified videos of drone strikes on baby kittens, this is mega overkill.
>

Anything you pay for will inevitably leave a trace unless they're working with some flavor of digital currency, and on top of that...from MySudo:

"We are committed to working with government agencies if evidence of illegal activity by a user is brought to our attention. We investigate all reports where MySudo may have been misused."

They can (and usually do) declare absolutely anything to be "illegal" these days, and who's going to tell them otherwise? You waste a BLM terrorist death-threatening you and your family in the midst of your own property and you're the one committing an illegal act as far as the "law" of the land is concerned. Twilio doesn't even let me in... I appreciate the suggestions but the days of presumption of innocence and constitutional civil liberties in general are far behind us already.

> Using XP is madness, IMO. If you're that into rolling your own system why
> in the heck wouldn't you be petting the penguin? I mean, why would you
> use a fully configurable open source OS or a fully audited secure distro
> based on said open source OS when you could instead use an obsolete
> proprietary OS that's had no security patches in over half a decade?
> Because a barebones Posready 2009 installation (which actually received patches regularly all the way up to 2019) is about as fully configurable as virtually any Linux/BSD distro out there, and I've also spent the last 9 years or so auditing this particular OS and I know for a fact it is not compromised in any meaningful way. Think of it as an "ArchWindows" of sorts that I'm very familiar with. As for security patches, XP's solely there to provide the file system, the API and part of the TCP-IP stack; everything else I handle through 3rd party applications. In any event, there's quality (and for me, indispensable) Windows software that doesn't have an equivalent in the OpenBSD world, which is what I use for pretty much everything else save for my own rig. > wouldn't even trust XP for airgapping. If the baddies were really after > you I'm sure they'd find whatever you've done to harden your XP boxen > super amusing. They might even send each other screenshots of your setup > over Signal while making funny comments. > You bet they would haha. Actually I have thought of putting it all together into a book, but I figured no one would care. Guess the craft's dying with me. From jerry at seibercom.net Wed Sep 9 13:53:59 2020 From: jerry at seibercom.net (Jerry) Date: Wed, 9 Sep 2020 07:53:59 -0400 Subject: On Becky! Internet Mail's GnuPG Plugin In-Reply-To: <005701d685fb$16b9d010$442d7030$@digicana.com> References: <005701d685fb$16b9d010$442d7030$@digicana.com> Message-ID: <20200909075359.30937f7f@scorpio.seibercom.net> On Tue, 08 Sep 2020 16:14:13 +0000, Ryan McGinnis via Gnupg-users stated: >A. Yes, you can still anonymously register for almost anything. It's >not straightforward and requires a bit of forethought and jumping >through hoops. No, it probably won't defeat the NSA, but if they're >your adversary what in blue blazes are you doing using any kind of >electronic device let alone posting here. > >B. The Shadowgate documentary isn't.
This is Coo-Coo for CocoaPuffs >territory. If you want to believe that stuff that's cool, just >thought I'd make sure to stick the tinfoil tag on this one since you >speak of it like it's a legit thing. >https://www.usatoday.com/story/news/factcheck/2020/08/18/fact-check-shadowgate-spreads-misinformation-major-events/5601742002/ > >C. Replying to the person you were replying to -- how pants on head >stupid does one have to be to use Tor browser (or any type of security >critical software) on XP? If you think that's a good idea then you >shouldn't be using Tor. Either you don't need Tor and using Tor is >silly for you, or you do need Tor and you're going to hurt yourself >bad by having not the slightest clue how to use Tor safely. > >D: If you really need secure anonymous email, fire up TAILS on a >bootable DVD, sign up for a free Protonmail account over Tor, use a >burner prepaid phone number to authenticate to Protonmail (Protonmail >correctly gets worried about Tor signups), access Protonmail only over >Tor (they have a hidden service). If that's not good enough to >circumvent your adversaries, again, you should probably just move up >into the remote Alaskan wilderness and live off wild animals and >shrubbery for the rest of your life and hope the bad men never find >you. > >-----Original Message----- >From: Gnupg-users On Behalf Of Dieter >Frye Sent: Monday, September 7, 2020 6:58 AM >To: gnupg-users at gnupg.org >Subject: On Becky! Internet Mail's GnuPG Plugin > > >> Hi, > >> curious as I am, if I understand it right, you use Windows XP with >> Becky as MUA for GnuPG or would like to use it with the latest >> version of GnuPG? > >Howdy. > >So yes, I'm using Becky! as a MUA + an outdated GnuPG plugin on >Windows XP, but functionality is somewhat crippled for anything other >than GnuPG v1.4. > >> Your posting is done via secmail.pro, a Tor email provider, which >> requires AFAIK Tor Browser Bundle to access the service.
> >> My question, if you don't mind, does the latest Tor Browser Bundle >> still support Windows XP and how do you use Becky with secmail.pro? >> > >Nope, they dropped support for XP (specifically the browser part) a >while ago, which thing never really affected me since I use a third >party browser which I interface with the "expert bundle" exe that they >continue to distribute. Of course, that's a gross oversimplification >of what's actually going on on this computer, but you catch my drift. > >As far as secmail.pro is concerned, it's not possible to use it with >Becky! because there's no server-side support for SMTP, POP3 or IMAP, >so I'm writing directly from secmail's web interface. > >Unfortunately since practically every single internet service in >existence (be it mail, fora or otherwise) has been in bed with the >worldwide private data collection operation going on right now (lookup >PRISM and the ShadowGate documentary) it's no longer possible (and so >it's been for nearly a decade now) to anonymously register any type of >account anywhere, meaning I'm technically shunned from the Internet >and it's nothing short of a miracle that I'm able to post here at all. >I'm actually shocked this place hasn't been hijacked by vpn-hating >cloudflare and the google captcha nazis because that's true everywhere >else. > >Currently I use another free, anonymous e-mail service called TorBox >which does have SMTP/POP3 support for everyday communications, though >that's only viable for people operating within the TOR network as it's >got no clearweb support unlike secmail itself, which at the end of the >day is kind of a useless thing anyways given its blacklisted status >(and that completely without justification) among most every big and >small e-mail provider out there. Worst case of paranoia I have witnessed in quite a while. -- Jerry -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From martin.paetzold at rheinwerk-verlag.de Wed Sep 9 15:22:18 2020 From: martin.paetzold at rheinwerk-verlag.de (=?UTF-8?Q?Martin_P=c3=a4tzold?=) Date: Wed, 9 Sep 2020 15:22:18 +0200 Subject: private-keys-v1.d and preserve-permissions Message-ID: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> Hello, I am working with Debian Stretch (9.13) and GPG 2.1.18. The "private-keys-v1.d" directory has by default the permissions 700 (drwx------), but I need them to be 770 (drwxrwx---). I can change the permissions ($ chmod 770 private-keys-v1.d) but after some time they are back to 700. According to the documentation (https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html#GPG-Esoteric-Options) there is an option "--preserve-permissions" with the description "Don't change the permissions of a secret keyring back to user read/write only." I assumed that is what I need and added this option as "preserve-permissions\n" to the "gpg.conf" file. But it is not working as expected. When I stop the gpg-agent ($ gpgconf --kill gpg-agent) and trigger its restart ($ gpg -K), the permissions are back to 700. (I also checked that the gpg.conf file is in fact used.) Where am I wrong here? Is the setting not what I need, or do I set it incorrectly, or do I test it incorrectly? And if the setting is not what I need, how can I prevent the permissions for "private-keys-v1.d" from changing?
Regards, Martin From wk at gnupg.org Wed Sep 9 19:27:49 2020 From: wk at gnupg.org (Werner Koch) Date: Wed, 09 Sep 2020 19:27:49 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> ("Martin \=\?utf-8\?Q\?P\=C3\=A4tzold\=22's\?\= message of "Wed, 9 Sep 2020 15:22:18 +0200") References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> Message-ID: <871rja273e.fsf@wheatstone.g10code.de> On Wed, 9 Sep 2020 15:22, Martin Pätzold said: > And if the setting is not what I need, how can I prevent the > permissions for "private-keys-v1.d" from changing? The --preserve-permissions is a gpg option and not one of gpg-agent. In fact gpg does not know anything about private-keys-v1.d. And well, the gpg option does nothing because gpg has no control over secret keys. I will update the documentation to clarify that this is a dummy option. Is there a special reason that you need to give group access to those files? Salam-Shalom, Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Wed Sep 9 19:37:57 2020 From: wk at gnupg.org (Werner Koch) Date: Wed, 09 Sep 2020 19:37:57 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> ("Martin \=\?utf-8\?Q\?P\=C3\=A4tzold\=22's\?\= message of "Wed, 9 Sep 2020 15:22:18 +0200") References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> Message-ID: <87wo12zw96.fsf@wheatstone.g10code.de> Hi, I looked at the history and the reason for the described behaviour is documented at https://dev.gnupg.org/T2312. I re-opened that bug. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wk at gnupg.org Thu Sep 10 07:52:41 2020 From: wk at gnupg.org (Werner Koch) Date: Thu, 10 Sep 2020 07:52:41 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <87wo12zw96.fsf@wheatstone.g10code.de> (Werner Koch via Gnupg-users's message of "Wed, 09 Sep 2020 19:37:57 +0200") References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <87wo12zw96.fsf@wheatstone.g10code.de> Message-ID: <87sgbqyy8m.fsf@wheatstone.g10code.de> On Wed, 9 Sep 2020 19:37, Werner Koch said: > I looked at the history and the reason for the described behaviour is > documented at https://dev.gnupg.org/T2312. I re-opened that bug. Fixed in master and 2.2; see the ticket above for the patch. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From martin.paetzold at rheinwerk-verlag.de Thu Sep 10 10:34:37 2020 From: martin.paetzold at rheinwerk-verlag.de (=?UTF-8?Q?Martin_P=c3=a4tzold?=) Date: Thu, 10 Sep 2020 10:34:37 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <871rja273e.fsf@wheatstone.g10code.de> References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <871rja273e.fsf@wheatstone.g10code.de> Message-ID: Thanks for the clarification and the patch. > Is there a special reason that you need to give group access to those > files? Yes, we have some periodic tasks that are handled by Celery. Celery has its own user on the system and this user needs at least read access to the keys, therefore we had to extend the permissions for the "private-keys-v1.d" directory to group access.
Regards, Martin From andrewg at andrewg.com Thu Sep 10 10:38:13 2020 From: andrewg at andrewg.com (Andrew Gallagher) Date: Thu, 10 Sep 2020 09:38:13 +0100 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <871rja273e.fsf@wheatstone.g10code.de> Message-ID: <5b883eaf-4b04-5327-15c4-50f6a17fc4fe@andrewg.com> On 10/09/2020 09:34, Martin Pätzold wrote: > Yes, we have some periodic tasks that are handled by Celery. Celery has > its own user on the system and this user needs at least read access to > the keys, therefore we had to extend the permissions for the > "private-keys-v1.d" directory to group access. Long shot: does your system support ACLs? -- Andrew Gallagher -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From martin.paetzold at rheinwerk-verlag.de Thu Sep 10 11:13:34 2020 From: martin.paetzold at rheinwerk-verlag.de (=?UTF-8?Q?Martin_P=c3=a4tzold?=) Date: Thu, 10 Sep 2020 11:13:34 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <5b883eaf-4b04-5327-15c4-50f6a17fc4fe@andrewg.com> References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <871rja273e.fsf@wheatstone.g10code.de> <5b883eaf-4b04-5327-15c4-50f6a17fc4fe@andrewg.com> Message-ID: <35d48abd-58a3-064a-f37e-be98c020b087@rheinwerk-verlag.de> >> Yes, we have some periodic tasks that are handled by Celery. Celery has >> its own user on the system and this user needs at least read access to >> the keys, therefore we had to extend the permissions for the >> "private-keys-v1.d" directory to group access. > > Long shot: does your system support ACLs? Using ACLs would be possible, but we are reluctant to do so, since it adds a second permissions layer that is only visible if you actively look for it.
Regards, Martin From jerry at seibercom.net Thu Sep 10 11:40:36 2020 From: jerry at seibercom.net (Jerry) Date: Thu, 10 Sep 2020 05:40:36 -0400 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <35d48abd-58a3-064a-f37e-be98c020b087@rheinwerk-verlag.de> References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <871rja273e.fsf@wheatstone.g10code.de> <5b883eaf-4b04-5327-15c4-50f6a17fc4fe@andrewg.com> <35d48abd-58a3-064a-f37e-be98c020b087@rheinwerk-verlag.de> Message-ID: <20200910054036.473fec9d@scorpio.seibercom.net> On Thu, 10 Sep 2020 11:13:34 +0200, Martin Pätzold stated: > >> Yes, we have some periodic tasks that are handled by Celery. Celery > >> has its own user on the system and this user needs at least read > >> access to the keys, therefore we had to extend the permissions for > >> the "private-keys-v1.d" directory to group access. > > > > Long shot: does your system support ACLs? > >Using ACLs would be possible, but we are reluctant to do so, since it >adds a second permissions layer that is only visible if you actively >look for it. Perhaps I am not understanding this correctly, but wouldn't that be a good thing? -- Jerry -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: From martin.paetzold at rheinwerk-verlag.de Thu Sep 10 13:46:12 2020 From: martin.paetzold at rheinwerk-verlag.de (=?UTF-8?Q?Martin_P=c3=a4tzold?=) Date: Thu, 10 Sep 2020 13:46:12 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: <20200910054036.473fec9d@scorpio.seibercom.net> References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <871rja273e.fsf@wheatstone.g10code.de> <5b883eaf-4b04-5327-15c4-50f6a17fc4fe@andrewg.com> <35d48abd-58a3-064a-f37e-be98c020b087@rheinwerk-verlag.de> <20200910054036.473fec9d@scorpio.seibercom.net> Message-ID: <34bca059-6708-aa32-9893-8ba746a41610@rheinwerk-verlag.de> >>> Long shot: does your system support ACLs? >> >> Using ACLs would be possible, but we are reluctant to do so, since it >> adds a second permissions layer that is only visible if you actively >> look for it. > > Perhaps I am not understanding this correctly, but wouldn't that be a > good thing? Not from a maintenance perspective. This would be the only exception in permission handling across all of our platforms and it is not immediately visible. Six or twelve months from now we may not remember this exception and may lose a lot of time debugging if we don't look into the documentation early enough. Regards, Martin From wk at gnupg.org Thu Sep 10 14:25:10 2020 From: wk at gnupg.org (Werner Koch) Date: Thu, 10 Sep 2020 14:25:10 +0200 Subject: private-keys-v1.d and preserve-permissions In-Reply-To: ("Martin \=\?utf-8\?Q\?P\=C3\=A4tzold\=22's\?\= message of "Thu, 10 Sep 2020 10:34:37 +0200") References: <040ab9d0-dcc0-31ac-ac68-f61c4c767d2c@rheinwerk-verlag.de> <871rja273e.fsf@wheatstone.g10code.de> Message-ID: <87h7s5zumx.fsf@wheatstone.g10code.de> On Thu, 10 Sep 2020 10:34, Martin Pätzold said: > the keys, therefore we had to extend the permissions for the > "private-keys-v1.d" directory to group access. I see.
Just a hint: You may use the remote socket feature to run gpg-agent under a different account. It might take a bit of effort to get the details right and make the system robust enough. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From sac at 300baud.de Sun Sep 13 13:46:12 2020 From: sac at 300baud.de (Stefan Claas) Date: Sun, 13 Sep 2020 13:46:12 +0200 Subject: On Becky! Internet Mail's GnuPG Plugin In-Reply-To: References: <00fa01d68630$28fa8ff0$7aefafd0$@digicana.com> Message-ID: <20200913134612.0000237a@300baud.de> Dieter Frye wrote: > Actually I have thought of putting it all together into a book, but I > figured no one would care. Guess the craft's dying with me. I have a Windows-XP CD license lying around and would pay for your book. :-) Regards Stefan From bexnews at gmail.com Mon Sep 14 14:16:19 2020 From: bexnews at gmail.com (bexnews at gmail.com) Date: Mon, 14 Sep 2020 08:16:19 -0400 Subject: Announcing paperbackup.py to backup keys as QR codes on paper Message-ID: Hello Friends, Ok I am no coder so I am trying to bungle my way thru setting up paperbackup.py. My goal was to be able to print out a paper encrypted backup of a strong key that I can use to encrypt data or other keys. I tried the Windows Paperbackup from OllyDbg but it is older, on Windows (I'm on Linux atm) and was having a hard time getting the roundtrip to work with my printer and scanner. Paperbackup.py looked like a smart idea and I like the redundancy of the QR code and text string outputs. I tried the usage instructions.... 1. the first issue was I think specifically you need to prefix "paperbackup.py" with "python" correct? 2. 
second issue was when I do #1 I get > Traceback (most recent call last): > File "paperbackup.py", line 35, in > import qrencode > ImportError: No module named qrencode > 3. I may be failing to install all the dependencies properly. I did "sudo apt install qrencode" and seems installed (qrencode version 3.4.4 Copyright (C) 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is there some other way to "hook" qrencode into paperbackup.py? I tried putting it all into the same folder but it doesn't seem to help. danke schoen! - bexnews > Announcing paperbackup.py to backup keys as QR codes on paper *Gerd v. > Egidy* gerd.von.egidy at intra2net.com > > *Tue Feb 21 15:34:17 CET 2017* > > - Previous message (by thread): Problems with cert validation via CRL > > - Next message (by thread): Announcing paperbackup.py to backup keys > as QR codes on paper > > - *Messages sorted by:* [ date ] > [ > thread ] > [ > subject ] > [ > author ] > > > ------------------------------ > > Hi, > > I'd like to announce a program I wrote to backup GnuPG and SSH keys as > qrcodes on paper: > > paperbackup.py https://github.com/intra2net/paperbackup > > This is designed as fallback if all your regular backups failed to restore or > were lost. > > Usage is like this: > > gpg2 --armor --export "User Name" >key.asc > gpg2 --armor --export-secret-key "User Name" >>key.asc > paperbackup.py key.asc > paperrestore.sh key.asc.pdf | diff key.asc - > lpr key.asc.pdf > > You'll find all the details, reasoning and examples in the README. > > Kind regards, > > Gerd > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From gpg-users at chiraag.me Mon Sep 14 16:07:33 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Mon, 14 Sep 2020 14:07:33 +0000 Subject: Announcing paperbackup.py to backup keys as QR codes on paper In-Reply-To: References: Message-ID: <20200914140730.GA207@chiraag> You'll have to install python3-qrencode, not qrencode. All of the dependencies should be in the form of python3- (or if that's not available, install it through pip3). Hope that helps! - Chiraag -- ಚಿರಾಗ್ ನಟರಾಜ್ Pronouns: he/him/his On 14/09/20 08:16, bexnews--- via Gnupg-users wrote: > Hello Friends, > > Ok I am no coder so I am trying to bungle my way thru setting up > paperbackup.py. > > My goal was to be able to print out a paper encrypted backup of a strong key > that I can use to encrypt data or other keys. I tried the Windows Paperbackup > from OllyDbg but it is older, on Windows (I'm on Linux atm) and was having a > hard time getting the roundtrip to work with my printer and scanner. > Paperbackup.py looked like a smart idea and I like the redundancy of the QR > code and text string outputs. I tried the usage instructions.... > > 1. the first issue was I think specifically you need to prefix "paperbackup.py" > with "python" correct? > 2. second issue was when I do #1 I get > > Traceback (most recent call last): > File "paperbackup.py", line 35, in > import qrencode > ImportError: No module named qrencode > > > 3. I may be failing to install all the dependencies properly. I did "sudo apt > install qrencode" and seems installed (qrencode version 3.4.4 Copyright (C) > 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is there > some other way to "hook" qrencode into paperbackup.py? I tried putting it all > into the same folder but it doesn't seem to help. > > danke schoen! > - bexnews > > Announcing paperbackup.py to backup keys as QR codes on paper > > Gerd v.
Egidy [1]gerd.von.egidy at intra2net.com > Tue Feb 21 15:34:17 CET 2017 > - Previous message (by thread): [2]Problems with cert validation via CRL > - Next message (by thread): [3]Announcing paperbackup.py to backup keys > as QR codes on paper > - Messages sorted by: [4][ date ] [5][ thread ] [6][ subject ] [7][ > author ] > --------------------------------------------------------------------------- > > Hi, > > I'd like to announce a program I wrote to backup GnuPG and SSH keys as > qrcodes on paper: > > paperbackup.py > [8]https://github.com/intra2net/paperbackup > > This is designed as fallback if all your regular backups failed to restore or > were lost. > > Usage is like this: > > gpg2 --armor --export "User Name" >key.asc > gpg2 --armor --export-secret-key "User Name" >>key.asc > paperbackup.py key.asc > paperrestore.sh key.asc.pdf | diff key.asc - > lpr key.asc.pdf > > You'll find all the details, reasoning and examples in the README. > > Kind regards, > > Gerd > > > > > References: > > [1] mailto:gnupg-users%40gnupg.org?Subject=Re%3A%20Announcing%20paperbackup.py%20to%20backup%20keys%20as%20QR%20codes%20on%20paper&In-Reply-To=%3C9664399.F7pj19RVc2%40thunder.m.i2n%3E > [2] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057787.html > [3] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057771.html > [4] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/date.html#57765 > [5] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/thread.html#57765 > [6] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/subject.html#57765 > [7] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/author.html#57765 > [8] https://github.com/intra2net/paperbackup -------------- next part -------------- A non-text attachment was scrubbed...
Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From sac at 300baud.de Mon Sep 14 16:20:11 2020 From: sac at 300baud.de (Stefan Claas) Date: Mon, 14 Sep 2020 16:20:11 +0200 Subject: Announcing paperbackup.py to backup keys as QR codes on paper In-Reply-To: References: Message-ID: <20200914162011.00004152@300baud.de> bexnews--- via Gnupg-users wrote: Hi, while I can't help you with your issue, I'd like to suggest taking a look at Fraunhofer SIT's modern JAB-Code, which compiles nicely under Linux, Windows and macOS. It has also the advantage that it can carry much more data than QR code. The color barcode also withstands ugly Facebook .jpeg compression, in case one needs to sign large messages, with GnuPG, on 'social' media sites. https://github.com/jabcode/jabcode Regards Stefan > Hello Friends, > > Ok I am no coder so I am trying to bungle my way thru setting up > paperbackup.py. > > My goal was to be able to print out a paper encrypted backup of a strong > key that I can use to encrypt data or other keys. I tried the Windows > Paperbackup from OllyDbg but it is older, on Windows (I'm on Linux atm) and > was having a hard time getting the roundtrip to work with my printer and > scanner. Paperbackup.py looked like a smart idea and I like the redundancy > of the QR code and text string outputs. I tried the usage instructions.... > > 1. the first issue was I think specifically you need to prefix > "paperbackup.py" with "python" correct? > 2. second issue was when I do #1 I get > > > Traceback (most recent call last): > > File "paperbackup.py", line 35, in > > import qrencode > > ImportError: No module named qrencode > > > > 3. I may be failing to install all the dependencies properly.
I did "sudo > apt install qrencode" and seems installed (qrencode version 3.4.4 Copyright > (C) 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is > there some other way to "hook" qrencode into paperbackup.py? I tried > putting it all into the same folder but it doesn't seem to help. > > danke schoen! > - bexnews From gpg-users at chiraag.me Mon Sep 14 16:29:27 2020 From: gpg-users at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Mon, 14 Sep 2020 14:29:27 +0000 Subject: Announcing paperbackup.py to backup keys as QR codes on paper In-Reply-To: <20200914140730.GA207@chiraag> References: <20200914140730.GA207@chiraag> Message-ID: <20200914142919.GA207@chiraag> Additionally, you can install paperkey from the Debian repos, which might do something similar? HTH! - Chiraag -- ಚಿರಾಗ್ ನಟರಾಜ್ Pronouns: he/him/his On 14/09/20 14:07, ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote: > You'll have to install python3-qrencode, not qrencode. All of the dependencies should be in the form of python3- (or if that's not available, install it through pip3). > > Hope that helps! > > - Chiraag > -- > ಚಿರಾಗ್ ನಟರಾಜ್ > Pronouns: he/him/his > > On 14/09/20 08:16, bexnews--- via Gnupg-users wrote: > > Hello Friends, > > > > Ok I am no coder so I am trying to bungle my way thru setting up > > paperbackup.py. > > > > My goal was to be able to print out a paper encrypted backup of a strong key > > that I can use to encrypt data or other keys. I tried the Windows Paperbackup > > from OllyDbg but it is older, on Windows (I'm on Linux atm) and was having a > > hard time getting the roundtrip to work with my printer and scanner. > > Paperbackup.py looked like a smart idea and I like the redundancy of the QR > > code and text string outputs. I tried the usage instructions.... > > > > 1. the first issue was I think specifically you need to prefix "paperbackup.py" > > with "python" correct? > > 2.
second issue was when I do #1 I get > > > > Traceback (most recent call last): > > File "paperbackup.py", line 35, in > > import qrencode > > ImportError: No module named qrencode > > > > > > 3. I may be failing to install all the dependencies properly. I did "sudo apt > > install qrencode" and seems installed (qrencode version 3.4.4 Copyright (C) > > 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is there > > some other way to "hook" qrencode into paperbackup.py? I tried putting it all > > into the same folder but it doesn't seem to help. > > > > danke schoen! > > - bexnews > > > > Announcing paperbackup.py to backup keys as QR codes on paper > > > > Gerd v. Egidy [1]gerd.von.egidy at intra2net.com > > Tue Feb 21 15:34:17 CET 2017 > > - Previous message (by thread): [2]Problems with cert validation via CRL > > - Next message (by thread): [3]Announcing paperbackup.py to backup keys > > as QR codes on paper > > - Messages sorted by: [4][ date ] [5][ thread ] [6][ subject ] [7][ > > author ] > > --------------------------------------------------------------------------- > > > > Hi, > > > > I'd like to announce a program I wrote to backup GnuPG and SSH keys as > > qrcodes on paper: > > > > paperbackup.py > > [8]https://github.com/intra2net/paperbackup > > > > This is designed as fallback if all your regular backups failed to restore or > > were lost. > > > > Usage is like this: > > > > gpg2 --armor --export "User Name" >key.asc > > gpg2 --armor --export-secret-key "User Name" >>key.asc > > paperbackup.py key.asc > > paperrestore.sh key.asc.pdf | diff key.asc - > > lpr key.asc.pdf > > > > You'll find all the details, reasoning and examples in the README.
> > > > Kind regards, > > > > Gerd > > > > > > > > > > References: > > > > [1] mailto:gnupg-users%40gnupg.org?Subject=Re%3A%20Announcing%20paperbackup.py%20to%20backup%20keys%20as%20QR%20codes%20on%20paper&In-Reply-To=%3C9664399.F7pj19RVc2%40thunder.m.i2n%3E > > [2] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057787.html > > [3] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057771.html > > [4] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/date.html#57765 > > [5] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/thread.html#57765 > > [6] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/subject.html#57765 > > [7] https://lists.gnupg.org/pipermail/gnupg-users/2017-February/author.html#57765 > > [8] https://github.com/intra2net/paperbackup > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - gpg-users at chiraag.me.asc.pgp Type: application/pgp-key Size: 651 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 233 bytes Desc: OpenPGP digital signature URL: From kauer at biplane.com.au Mon Sep 14 16:12:30 2020 From: kauer at biplane.com.au (Karl Auer) Date: Tue, 15 Sep 2020 00:12:30 +1000 Subject: Announcing paperbackup.py to backup keys as QR codes on paper In-Reply-To: References: Message-ID: <008606cb644593dde14248a871662f82f5cb44ff.camel@biplane.com.au> On Mon, 2020-09-14 at 08:16 -0400, bexnews--- via Gnupg-users wrote: > import qrencode > ImportError: No module named qrencode You may need something like the python3-qrencode package. Regards, K. 
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer at biplane.com.au) http://www.biplane.com.au/kauer GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170 Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D From sac at 300baud.de Mon Sep 14 19:06:11 2020 From: sac at 300baud.de (Stefan Claas) Date: Mon, 14 Sep 2020 19:06:11 +0200 Subject: Announcing paperbackup.py to backup keys as QR codes on paper In-Reply-To: <20200914162011.00004152@300baud.de> References: <20200914162011.00004152@300baud.de> Message-ID: <20200914190611.00001202@300baud.de> Stefan Claas wrote: > Hi, > > while I can't help you with your issue, I like to suggest to take a look > at Fraunhofer SIT's modern JAB-Code, which compiles nicely under Linux, > Windows and macOS. It has also the advantage that it can carry much more > data than QR code. The color barcode withstands also ugly Facebook .jpeg > compression, in case one needs to sign large messages, with GnuPG, on > 'social' media sites. > > https://github.com/jabcode/jabcode The other option GnuPG users have is to memorize the passphrase and re-generate the private key from the passphrase, thus avoiding paper loss etc. Regards Stefan From sac at 300baud.de Wed Sep 16 21:21:14 2020 From: sac at 300baud.de (Stefan Claas) Date: Wed, 16 Sep 2020 21:21:14 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200812002423.00003bef@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200812002423.00003bef@300baud.de> Message-ID: <20200916212114.00003acd@300baud.de> Stefan Claas wrote: [...] 
> > (btw,
> > There is, [afaik], no protection available in GnuPG against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer, and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message by flicking a wand at it, and using the simple charm 'Revelato' )
>
> I think I know what you mean. But I think it does not scale well for the masses due to manpower shortage.
>
> > but not really in my threat model 8^))))
>
> Mine neither. :-)

I think I'll sell my smart phone and recommend not to keep it in the same room with an offline computer.

Regards
Stefan

From alan.bram at cornell.edu Thu Sep 17 00:03:03 2020
From: alan.bram at cornell.edu (Alan Bram)
Date: Wed, 16 Sep 2020 15:03:03 -0700
Subject: how to suppress new "insecure passphrase" warning

I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.

I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.

Is there a way to suppress the annoying warning?
From ryan at digicana.com Thu Sep 17 16:42:24 2020
From: ryan at digicana.com (Ryan McGinnis)
Date: Thu, 17 Sep 2020 14:42:24 +0000
Subject: how to suppress new "insecure passphrase" warning

(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you don't have a good passphrase -- six words is kinda minimum with diceware to get a decent amount of entropy)

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

------- Original Message -------
On Wednesday, September 16, 2020 5:03 PM, Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

From sac at 300baud.de Thu Sep 17 17:05:46 2020
From: sac at 300baud.de (Stefan Claas)
Date: Thu, 17 Sep 2020 17:05:46 +0200
Subject: how to suppress new "insecure passphrase" warning
Message-ID: <20200917170546.00005608@300baud.de>

Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I invoke it.
> Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I have a simple PIN (14 numerical chars) for my smart card and don't get the warning.

Regards
Stefan

From ryan at digicana.com Thu Sep 17 18:40:57 2020
From: ryan at digicana.com (Ryan McGinnis)
Date: Thu, 17 Sep 2020 16:40:57 +0000
Subject: how to suppress new "insecure passphrase" warning
In-Reply-To: <1861685275.20200917172550@postzone.org>
References: <1861685275.20200917172550@postzone.org>

Wonder if someone saw this email and uploaded it -- it shows up when I search! :)

Best,
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

------- Original Message -------
On Thursday, September 17, 2020 10:25 AM, Martin wrote:

> Hello Ryan,
>
> Thursday, September 17, 2020, 4:42:24 PM, you wrote:
>
> > -Ryan McGinnis
> > http://www.bigstormpicture.com
> > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
> BTW your public key is not on keys.openpgp.org
>
> --
> Best regards,
> Martin
From martin at postzone.org Thu Sep 17 17:25:50 2020
From: martin at postzone.org (Martin)
Date: Thu, 17 Sep 2020 17:25:50 +0200
Subject: how to suppress new "insecure passphrase" warning
Message-ID: <1861685275.20200917172550@postzone.org>

Hello Ryan,

Thursday, September 17, 2020, 4:42:24 PM, you wrote:

> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

BTW your public key is not on keys.openpgp.org

--
Best regards,
Martin

From gnupg-users at spodhuis.org Thu Sep 17 17:56:14 2020
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Thu, 17 Sep 2020 11:56:14 -0400
Subject: how to suppress new "insecure passphrase" warning
Message-ID: <20200917155614.GA381230@fullerene.field.pennock-tech.net>

On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote:
> I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random.
> Stronger than a short, lame password that someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is 1, but I think that you can set it to 0.

Also make sure that you haven't set check-passphrase-pattern to point to a dictionary -- a common security pattern for 8-12 "random" character passwords but unlikely to be helpful with a diceware approach.

There are other relevant options in the gpg-agent man-page in the area around those options, worth reviewing.

-Phil

From juliejhayden at yahoo.com Thu Sep 17 18:09:47 2020
From: juliejhayden at yahoo.com (julie hayden)
Date: Thu, 17 Sep 2020 16:09:47 +0000 (UTC)
Subject: how to suppress new "insecure passphrase" warning
In-Reply-To: <20200917170546.00005608@300baud.de>
References: <20200917170546.00005608@300baud.de>
Message-ID: <81214456.3492717.1600358987208@mail.yahoo.com>

Stop. Unsubscribe

Sent from Yahoo Mail on Android

On Thu, Sep 17, 2020 at 10:40 AM, Stefan Claas wrote:

> Alan Bram via Gnupg-users wrote:
>
> > I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.
> >
> > I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.
> >
> > Is there a way to suppress the annoying warning?
>
> I have a simple PIN (14 numerical chars) for my smart card and don't get the warning.
>
> Regards
> Stefan
From wk at gnupg.org Thu Sep 17 19:31:21 2020
From: wk at gnupg.org (Werner Koch)
Date: Thu, 17 Sep 2020 19:31:21 +0200
Subject: how to suppress new "insecure passphrase" warning
In-Reply-To: (Alan Bram via Gnupg-users's message of "Wed, 16 Sep 2020 15:03:03 -0700")
Message-ID: <87a6xol386.fsf@wheatstone.g10code.de>

On Wed, 16 Sep 2020 15:03, Alan Bram said:

> I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.

Please check your configuration in gpg-agent.conf. Is there a min-passphrase-nonalpha option set? Note that some external software may have modified your configuration.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From alan.bram at cornell.edu Thu Sep 17 19:52:19 2020
From: alan.bram at cornell.edu (Alan Bram)
Date: Thu, 17 Sep 2020 10:52:19 -0700
Subject: how to suppress new "insecure passphrase" warning
In-Reply-To: <20200917155614.GA381230@fullerene.field.pennock-tech.net>
References: <20200917155614.GA381230@fullerene.field.pennock-tech.net>

On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote:

> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is 1, but I think that you can set it to 0.

I tried that, but it doesn't seem to have any effect. Then, as an experiment, I tried setting it to 2, and observed that including just 1 digit in the passphrase resulted in no warning (again suggesting that the setting was not having any effect).
But I don't even think I'm using the agent (unless I misunderstand): I'm simply running a command like the following:

    gpg2 --output outputfilename --symmetric inputfilename

and waiting for the program to prompt me to enter the passphrase each time. Sorry, I should have made that clear.

(Thank you for your quick responses.)

From alan.bram at cornell.edu Thu Sep 17 20:27:28 2020
From: alan.bram at cornell.edu (Alan Bram)
Date: Thu, 17 Sep 2020 11:27:28 -0700
Subject: how to suppress new "insecure passphrase" warning
References: <20200917155614.GA381230@fullerene.field.pennock-tech.net>

On Thu, Sep 17, 2020 at 10:52 AM Alan Bram wrote:

> On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote:
>
> > Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is 1, but I think that you can set it to 0.
>
> I tried that, but it doesn't seem to have any effect.

D'oh! Sorry! It is working after all.

I didn't realize that the `gpg2` command was starting the agent automatically. And I didn't realize that when I first tried changing the configuration, there was an already-running agent that I had to kill first in order to get it to reread the config.

It's all working great now. Thank you so much! And sorry for the bad info previously.

From martin at postzone.org Thu Sep 17 22:57:59 2020
From: martin at postzone.org (Martin)
Date: Thu, 17 Sep 2020 22:57:59 +0200
Subject: Which keyserver
Message-ID: <424898733.20200917225759@postzone.org>

Hi list

Which keyserver do you recommend these days?

I have hkps://keys.openpgp.org in gpg.conf - but it seems that a lot of public keys are missing on this server.
--
Best regards,
Martin

From sac at 300baud.de Thu Sep 17 23:11:10 2020
From: sac at 300baud.de (Stefan Claas)
Date: Thu, 17 Sep 2020 23:11:10 +0200
Subject: Which keyserver
In-Reply-To: <424898733.20200917225759@postzone.org>
References: <424898733.20200917225759@postzone.org>
Message-ID: <20200917231058.000054c9@300baud.de>

Martin wrote:

> Hi list
>
> Which keyserver do you recommend these days?
>
> I have hkps://keys.openpgp.org in gpg.conf - but it seems that a lot of public keys are missing on this server.

Hi, good question ...

I like https://keys.mailvelope.com/ best, because it only allows publishing your pub key if you decrypt their reply with your secret key, and as a bonus it keeps your collected WoT sigs, in case you need the classical WoT signatures, or CA sigs, like from Governikus etc.

Unfortunately gpg.conf, IIRC, allows only defining one key server and many people still use SKS key servers.

Regards
Stefan

From gnupg-users at spodhuis.org Fri Sep 18 00:13:03 2020
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Thu, 17 Sep 2020 18:13:03 -0400
Subject: Which keyserver
In-Reply-To: <424898733.20200917225759@postzone.org>
References: <424898733.20200917225759@postzone.org>
Message-ID: <20200917221303.GA437892@fullerene.field.pennock-tech.net>

On 2020-09-17 at 22:57 +0200, Martin wrote:
> Which keyserver do you recommend these days?

For what purpose?
For receiving updates to previously known keys, of people who care enough about their keys to distribute their keys across multiple keyservers instead of just going "I pushed it to the keyservers, that's it, I don't care", hkps://keys.openpgp.org is probably the most reasonable choice.

There's no choice for general purpose, and "running a keysigning party" or "finding someone's key from their fingerprint" which works well today. If publishing keys, I do recommend setting up WKD for your domain, which helps a little. And heck, I run a finger daemon written in Go for a true blast from the past. :)

is in the UK, run from the same University bunch of folks as gave us PuTTY and has been around receiving keys from the SKS keyservers via email for ages, so tends to be "fairly well populated", so is where I try next after openpgp.org.

After that I hit old SKS keyservers which usually seem to work, whether or not these entries are in the pools and _current_, since they'll at least get me some of a key; the pool hostnames haven't been worth trying the last several times I checked, too many bad servers.

hkps://keyserver.ubuntu.com
hkps://zimmermann.mayfirst.org
hkp://keys2.kfwebs.net
hkps://pgp.mit.edu

The kfwebs and pgp.mit.edu servers appear to not be working right now, which leaves us with Ubuntu's and Dan Gillmor's (DKG's) mayfirst.org server.

You can still look over https://sks-keyservers.net/status/ to see if there are any working there, if the pool hostnames are broken for you at the time you check. The status list for the servers not in the pools will show you how far "behind" they are.
-Phil

From gnupg at raf.org Fri Sep 18 03:04:34 2020
From: gnupg at raf.org (raf)
Date: Fri, 18 Sep 2020 11:04:34 +1000
Subject: how to suppress new "insecure passphrase" warning
In-Reply-To: <20200917170546.00005608@300baud.de>
References: <20200917170546.00005608@300baud.de>
Message-ID: <20200918010434.q7tg7ag7byv6uh4d@raf.org>

Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I don't know, but you could report it as a bug in the package. If they are going to introduce such a warning, the logic should be evidence-based, and I bet it isn't.

I once read a great article (on a Mozilla or OWASP site) about the fact that the ancient corporate advice of using a password that is at least eight characters long, with at least three character classes (i.e. upper case, lower case, punctuation and digits), was harmful because humans all think very similarly, and we all come up with passwords that look the same, like "Password1". Being forced to change passwords for no reason every 90 days just means we all use "Winter2019", "Autumn2019", etc.

So penetration testers have done the stats on cracked passwords and come up with a list of the top 100 password patterns that mean that you can dramatically reduce the search space when cracking passwords and crack about 95% of supposedly strong passwords. The top pattern covers about 12% of passwords.
Here's a URL on the topic (but not the one I first read):

https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/

So the original advice wasn't evidence-based, and even FIPS have abandoned it and have started recommending long passphrases.

Diceware passwords are brilliant, and any system that complains that they aren't secure is an embarrassment. I hate being told by websites that my 50 character passphrase isn't secure enough, even more so when it meets all of their stated password requirements (i.e. they don't mention the fact that they don't accept space characters as a special character - grr).

cheers,
raf

P.S. Of course you could make a local copy of the binary and replace the first character of the warning with a nul byte. That should fix it. :-)

From alci at mecadu.org Fri Sep 18 10:08:46 2020
From: alci at mecadu.org (Franck Routier (perso))
Date: Fri, 18 Sep 2020 10:08:46 +0200
Subject: Which keyserver
In-Reply-To: <20200917221303.GA437892@fullerene.field.pennock-tech.net>
References: <424898733.20200917225759@postzone.org> <20200917221303.GA437892@fullerene.field.pennock-tech.net>
Message-ID: <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org>

On Thursday, 17 September 2020 at 18:13 -0400, Phil Pennock via Gnupg-users wrote:

> If publishing keys, I do recommend setting up WKD for your domain, which helps a little.

What is the status of WKD now, and is it to supersede centralized key servers?
Franck

From look at my.amazin.horse Fri Sep 18 12:55:45 2020
From: look at my.amazin.horse (Vincent Breitmoser)
Date: Fri, 18 Sep 2020 12:55:45 +0200
Subject: Which keyserver
In-Reply-To: <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org>
References: <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org> <424898733.20200917225759@postzone.org> <20200917221303.GA437892@fullerene.field.pennock-tech.net>
Message-ID: <3OLYAE7KK9V4L.3DZW788FCV85V@my.amazin.horse>

> What is the status of WKD now, and is it to supersede centralized key servers?

Not for folks who have their email address at the domain of an email provider, or an organization that doesn't support WKD. So statistically, everyone but a rounding error.

That said, for folks who run their own domain, it seems WKD is gaining some ground. keys.o.o has a (sort of experimental) "[WKD as a Service]" feature, and at this point there are more than 100 domains running on it. That's not a huge amount, assuming most of those are single-user domains, but it's something :)

- V

[WKD as a Service]: https://keys.openpgp.org/about/usage#wkd-as-a-service

From accounts-gnupg at holbrook.no Fri Sep 18 15:04:35 2020
From: accounts-gnupg at holbrook.no (accounts-gnupg at holbrook.no)
Date: Fri, 18 Sep 2020 15:04:35 +0200
Subject: Which keyserver
In-Reply-To: <3OLYAE7KK9V4L.3DZW788FCV85V@my.amazin.horse>
References: <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org> <424898733.20200917225759@postzone.org> <20200917221303.GA437892@fullerene.field.pennock-tech.net> <3OLYAE7KK9V4L.3DZW788FCV85V@my.amazin.horse>
Message-ID: <20200918130435.GA20600@holbrook.no>

I wasn't aware of WKD, thanks for the heads up.

Is it possible to define multiple sources of keys with WKD, for example with a dns TXT record? The use-case would be if the main server is down, alternative places to get it.
On Fri, Sep 18, 2020 at 12:55:45PM +0200, Vincent Breitmoser via Gnupg-users wrote:
>
> > What is the status of WKD now, and is it to supersede centralized key servers?
>
> Not for folks who have their email address at the domain of an email provider, or an organization that doesn't support WKD. So statistically, everyone but a rounding error.
>
> That said, for folks who run their own domain, it seems WKD is gaining some ground. keys.o.o has a (sort of experimental) "[WKD as a Service]" feature, and at this point there are more than 100 domains running on it. That's not a huge amount, assuming most of those are single-user domains, but it's something :)
>
> - V
>
> [WKD as a Service]: https://keys.openpgp.org/about/usage#wkd-as-a-service

From azbigdogs at gmx.com Fri Sep 18 17:06:54 2020
From: azbigdogs at gmx.com (Mark)
Date: Fri, 18 Sep 2020 08:06:54 -0700
Subject: Which keyserver
In-Reply-To: <424898733.20200917225759@postzone.org>
References: <424898733.20200917225759@postzone.org>
Message-ID: <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com>

I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not working right. I was not getting any hits back when searching with Kleopatra and then I tried to ping that server which returned host not found. So I'm also interested if there is a better choice.

On 9/17/2020 1:57 PM, Martin wrote:
> Hi list
>
> Which keyserver do you recommend these days?
>
> I have hkps://keys.openpgp.org in gpg.conf - but it seems that a lot of public keys are missing on this server.
From gnupg-users at spodhuis.org Fri Sep 18 17:26:37 2020
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Fri, 18 Sep 2020 11:26:37 -0400
Subject: Which keyserver
In-Reply-To: <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org>
References: <424898733.20200917225759@postzone.org> <20200917221303.GA437892@fullerene.field.pennock-tech.net> <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org>
Message-ID: <20200918152637.GA491907@fullerene.field.pennock-tech.net>

On 2020-09-18 at 10:08 +0200, Franck Routier (perso) wrote:
> On Thursday, 17 September 2020 at 18:13 -0400, Phil Pennock via Gnupg-users wrote:
> > If publishing keys, I do recommend setting up WKD for your domain, which helps a little.
>
> What is the status of WKD now, and is it to supersede centralized key servers?

It's a draft spec, it's spreading a little. Federated control of your own namespace is always good. Ultimately it's just HTTPS with a fixed well-known layout.

kernel.org, debian.org, gentoo.org, archlinux.org -- it's spreading amongst the Linux folks who have a central idea of what PGP keys are supposed to exist in their domain. Then there's exim.org and a couple of others, but I set those up and so I can't say that this is proof of its popularity.

I think that any organization which uses PGP, including for signing software releases, should be setting up WKD. Non-WKD is for individuals using PGP on a more ad-hoc basis.

Self-pimping: has other/standalone-update-website as a Python tool which can be integrated into static site builds where something else manages the list of keys (I have it in a Gulp rule for nats.io site build) and the repo itself is a framework for managing the keys for one or more domains, so is used for spodhuis.org, exim.org and pennock-tech.com.
The repo is designed to be easy to fork and replace the key/domain definitions so that others can use it.

-Phil

From gnupg-users at spodhuis.org Fri Sep 18 17:32:55 2020
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Fri, 18 Sep 2020 11:32:55 -0400
Subject: Which keyserver
In-Reply-To: <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com>
References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com>
Message-ID: <20200918153255.GB491907@fullerene.field.pennock-tech.net>

On 2020-09-18 at 08:06 -0700, Mark wrote:
> I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not working right. I was not getting any hits back when searching with Kleopatra and then I tried to ping that server which returned host not found. So I'm also interested if there is a better choice.

keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is now returning zero results.

The pool of SKS keyservers is Very Unhealthy. The entire keyserver system had Known Issues but worked well enough that the volunteers who ran it could keep it alive and improving, until it came under sustained attack from people trying to burn it all down and push people to use "not OpenPGP" instead (some of the funding for attack tool development came from an org which is firmly pushing one of the modern alternative encrypted communications tools).

There's still some keyservers, but what you see now are the red smoking embers of what's left after everything else has been burnt down. From a pool of around 120 servers, almost all routinely working fairly well and being able to maintain per-continent pool aliases of servers which were health-checked and removed if not doing well, there's now fewer than 20 servers left, from very few independent sources, and even those in the main pool are often not doing well.

Which is why folks are struggling and trying to find something which works well enough.
There's nothing which fits all needs, but various solutions for some scenarios. See my first reply in this thread with suggestions of particular servers.

-Phil

From andreas.mattheiss at gmx.de Fri Sep 18 18:47:57 2020
From: andreas.mattheiss at gmx.de (Andreas Mattheiss)
Date: Fri, 18 Sep 2020 18:47:57 +0200
Subject: Which keyserver
In-Reply-To: <20200918130435.GA20600@holbrook.no>
Message-ID: <20200918164756.GB8035@highscreen>

Hello,

> Is it possible to define multiple sources of keys with WKD, for example with a dns TXT record?

Well, yes, actually. This can be done with both X509 certificates (where it is called SMIMEA) and gpg keys. Obtaining a key basically involves querying the appropriate TYPE in the DNS record (53 for SMIMEA, 61 for openpgp). An additional step is to check the authenticity of this record. All this is completely separate from WKD though.

That's the theory. In practice, alas, bugger all's using it. It's a shame, since this would really be a big step forward. The catch here is that it needs to be supported by the mail server where the addressee has his account. Needless to mention it is hardly deployed; in Germany mail.de has it, as do a number of paid email services. Plus, of course: before this goes big, the big email clients would have to support it. Of course you can hack something together using only command line tools (I've done that), but that's not the cup of tea for 99.9% of normal email users.

Vincent Breitmoser described this in this thread eloquently as being used by effectively nobody but a rounding error. Sigh.
Andreas

From azbigdogs at gmx.com Fri Sep 18 20:17:37 2020
From: azbigdogs at gmx.com (Mark)
Date: Fri, 18 Sep 2020 11:17:37 -0700
Subject: Which keyserver
In-Reply-To: <20200918153255.GB491907@fullerene.field.pennock-tech.net>
References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <20200918153255.GB491907@fullerene.field.pennock-tech.net>
Message-ID: <8303ca51-c49d-fda9-d000-f0d1aee4dede@gmx.com>

Phil,

Thanks for the explanation on what was happening. I thought something was just not right as when I hit search it would come back in less than a second with 0 results. It seemed to me that it didn't actually even search through the database. Anyway now that you say there is not really a server anymore to search it makes sense. I'm not familiar with the attack on it and by who so will have to google it and see if I can learn more.

On 9/18/2020 8:32 AM, Phil Pennock wrote:
> On 2020-09-18 at 08:06 -0700, Mark wrote:
> > I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not working right. I was not getting any hits back when searching with Kleopatra and then I tried to ping that server which returned host not found. So I'm also interested if there is a better choice.
>
> keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is now returning zero results.
>
> The pool of SKS keyservers is Very Unhealthy. The entire keyserver system had Known Issues but worked well enough that the volunteers who ran it could keep it alive and improving, until it came under sustained attack from people trying to burn it all down and push people to use "not OpenPGP" instead (some of the funding for attack tool development came from an org which is firmly pushing one of the modern alternative encrypted communications tools).
>
> There's still some keyservers, but what you see now are the red smoking embers of what's left after everything else has been burnt down.
> From a pool of around 120 servers, almost all routinely working fairly well and being able to maintain per-continent pool aliases of servers which were health-checked and removed if not doing well, there's now fewer than 20 servers left, from very few independent sources, and even those in the main pool are often not doing well.
>
> Which is why folks are struggling and trying to find something which works well enough. There's nothing which fits all needs, but various solutions for some scenarios. See my first reply in this thread with suggestions of particular servers.
>
> -Phil

From gnupg-users at spodhuis.org Fri Sep 18 20:58:42 2020
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Fri, 18 Sep 2020 14:58:42 -0400
Subject: Which keyserver
In-Reply-To: <20200918130435.GA20600@holbrook.no>
References: <52f7b4c135291f9738b7f524bd19bebf5c42f2ba.camel@mecadu.org> <424898733.20200917225759@postzone.org> <20200917221303.GA437892@fullerene.field.pennock-tech.net> <3OLYAE7KK9V4L.3DZW788FCV85V@my.amazin.horse> <20200918130435.GA20600@holbrook.no>
Message-ID: <20200918185842.GA535207@fullerene.field.pennock-tech.net>

On 2020-09-18 at 15:04 +0200, accounts-gnupg at holbrook.no wrote:
> Is it possible to define multiple sources of keys with WKD, for example with a dns TXT record? The use-case would be if the main server is down, alternative places to get it.

The SRV record approach had to be dropped because the people doing OpenPGP in web-browsers protested hard, since browsers _still_ refuse to implement SRV lookup. So we're stuck with an ancient model.

Currently that means "set up openpgpkey.example.org using whatever loadbalancers and multiple A records across regions you like".

Within a few years we _might_ be able to get SRV-like distribution for HTTPS with the proposed new `HTTPS` RR-type for DNS:

https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https

but that's not something you can rely on today.
-Phil From look at my.amazin.horse Sat Sep 19 02:33:28 2020 From: look at my.amazin.horse (Vincent Breitmoser) Date: Sat, 19 Sep 2020 02:33:28 +0200 Subject: Which keyserver In-Reply-To: <20200918153255.GB491907@fullerene.field.pennock-tech.net> References: <20200918153255.GB491907@fullerene.field.pennock-tech.net> <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> Message-ID: <2ZXFJ7V8C9MEZ.3669VKB8GKKFM@my.amazin.horse> > keys.gnupg.net is a CNAME for hkps.pool.sks-keyservers.net -- which is > now returning zero results. Let me break the prose down into the simple facts: * the "HKPS" pool is no longer actually a "pool". it is a [single server]. * the "HKP" pool still contains a few servers, but using it means *all communication happens in plain text*. * the newest release of SKS is [1.1.6], from august 2016. > until it came under sustained attack from people trying to burn it all down It is true the attacks were what brought it down, but the amount of effort was not a "sustained attack" by any measure. The invested resources are somewhere around "couple hours and $0.00". - V [single server]: https://sks-keyservers.net/status/ (hkps column) [1.1.6]: https://github.com/SKS-Keyserver/sks-keyserver/commit/b1725fda5dd89343b304c2126df78ad34bef66a8 From sac at 300baud.de Sat Sep 19 12:33:47 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 19 Sep 2020 12:33:47 +0200 Subject: In case you use OpenPGP on a smartphone ... In-Reply-To: <20200916212114.00003acd@300baud.de> References: <20200811181543.000066c6@300baud.de> <46849457-D0B0-4BC4-98CF-BAC8EE8317BE@andrewg.com> <20200811205757.000005ec@300baud.de> <20200811194926.00033801885@smtp.hushmail.com> <20200812002423.00003bef@300baud.de> <20200916212114.00003acd@300baud.de> Message-ID: <20200919123347.00006b7f@300baud.de> Stefan Claas wrote: > Stefan Claas wrote: > > [...] 
> > > > (btw, > > > There is, [afaik], no protection available in GnuPG > > > against a Clairvoyancy attack vector on an encrypted file even in an air-gapped computer, > > > and there is a rumour that any Witch or Wizard can instantly behold the plaintext of an encrypted message > > > by flicking a wand at it, and using the simple charm 'Revelato' ) > > > > I think I know what you mean. But I think it does not scale well for the masses due to manpower shortage. > > > > > but not really in my threat model 8^)))) > > > > Mine neither. :-) > > I think I will sell my smart phone and recommend not to keep it in the same room with an offline computer. > > Sold it. Now I can take my tinfoil hat off, in regards to smart phone usage. :-D Regards Stefan From 2017-r3sgs86x8e-lists-groups at riseup.net Sat Sep 19 12:44:49 2020 From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA) Date: Sat, 19 Sep 2020 11:44:49 +0100 Subject: Which keyserver In-Reply-To: <20200918153255.GB491907@fullerene.field.pennock-tech.net> References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <20200918153255.GB491907@fullerene.field.pennock-tech.net> Message-ID: <817067771.20200919114432@mail.riseup.net> Hi On Friday 18 September 2020 at 4:32:55 PM, in , Phil Pennock via Gnupg-users wrote:- > keys.gnupg.net is a CNAME for > hkps.pool.sks-keyservers.net -- which is > now returning zero results. The GnuPG manual's description [0] of the Dirmngr option "--keyserver name" still ends with "If no keyserver is explicitly configured, dirmngr will use the built-in default of hkps://hkps.pool.sks-keyservers.net." Is this still true, or was the default changed? [0] https://gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html#Dirmngr-Options -- Best regards MFPA Ballerinas are always on their toes. We need taller ballerinas!
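Phil's reply earlier in this thread notes that WKD has no SRV-style indirection, so redundancy has to come from multiple A/AAAA records on the openpgpkey.<domain> host. What a client actually fetches from that host is fixed by draft-koch-openpgp-webkey-service: the local part of the address is lower-cased, hashed with SHA-1, and the digest is z-base-32 encoded to name a file under /.well-known/openpgpkey/. The following is an added example written for this page, not code from GnuPG or from anyone in the thread; it assumes the draft's mapping rules (only ASCII upper-case letters are folded, the unmapped local part is echoed back in the `l=` query parameter) and uses only the Python standard library, so it runs offline.

```python
"""Added example (not from the thread, not GnuPG's code): compute the OpenPGP
Web Key Directory (WKD) lookup URLs for an e-mail address as described in
draft-koch-openpgp-webkey-service.  The local part is mapped to lower case,
hashed with SHA-1, and the 160-bit digest is z-base-32 encoded; that string
names the key file under /.well-known/openpgpkey/.  No network access."""

import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by GnuPG's zb32.c
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: bits are consumed MSB-first in groups of 5.

    A 20-byte SHA-1 digest is exactly 160 bits, so it yields 32 characters
    with no partial group; the right-padding below only matters for other sizes.
    """
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    n = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32_ALPHABET[(n >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD hash of the local part (text before the '@').

    The draft folds only ASCII upper-case letters to lower case before hashing;
    other characters are hashed as-is (UTF-8).
    """
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Both lookup methods for one address.

    A client tries the advanced method first (the dedicated openpgpkey.<domain>
    host, which is where redundant A/AAAA records belong) and falls back to the
    direct method on the bare domain.  The draft requires the policy file to
    exist next to the hu/ directory for either method.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()            # host names are case-insensitive
    h = wkd_hash(local)
    lq = quote(local, safe="")         # the *unmapped* local part goes back as ?l=
    adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{adv}/hu/{h}?l={lq}",
        "advanced_policy": f"{adv}/policy",
        "direct": f"{direct}/hu/{h}?l={lq}",
        "direct_policy": f"{direct}/policy",
    }


if __name__ == "__main__":
    # The draft's own worked example address.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

The hash is deterministic per local part, so a server operator can pre-compute the expected file name for every published address and verify the directory with a single loop; a client-side check is to compare the printed `hu/` name with the path `gpg -v --locate-keys` reports when it fetches via WKD.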
From rjh at sixdemonbag.org Sat Sep 19 13:42:06 2020 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 19 Sep 2020 07:42:06 -0400 Subject: Which keyserver In-Reply-To: <2ZXFJ7V8C9MEZ.3669VKB8GKKFM@my.amazin.horse> References: <20200918153255.GB491907@fullerene.field.pennock-tech.net> <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <2ZXFJ7V8C9MEZ.3669VKB8GKKFM@my.amazin.horse> Message-ID: > It is true the attacks were what brought it down, but the amount of effort was not a "sustained > attack" by any measure. The invested resources are somewhere around "couple hours and $0.00". I'm not sure that's true. The keyserver poisoning attack was demonstrated first by EFF's Micah Lee. When he published his findings, he also published the Python scripts necessary to execute the attack. I don't know who the poisoner was. However, if I were to do the poisoning attack I certainly would've begun by downloading Micah's code and adapting it to the task. And for that reason I think it's entirely reasonable to believe the keyserver poisoning attack was bootstrapped by an EFF-funded research project which inappropriately released attack tools. From sac at 300baud.de Sat Sep 19 20:17:36 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 19 Sep 2020 20:17:36 +0200 Subject: Which keyserver In-Reply-To: References: <20200918153255.GB491907@fullerene.field.pennock-tech.net> <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <2ZXFJ7V8C9MEZ.3669VKB8GKKFM@my.amazin.horse> Message-ID: <20200919201736.000025f5@300baud.de> Robert J. Hansen wrote: > > It is true the attacks were what brought it down, but the amount of effort was not a "sustained > > attack" by any measure. The invested resources are somewhere around "couple hours and $0.00". > > I'm not sure that's true. [...] I think it does not matter. 
Professional businesses and their customers can use the mentioned Mailvelope key server, to protect their keys or use for anonymity purposes Hagrid, in combination with sequoia pgp, while the geeks can use WKD. The only thing SKS, so it seems, is currently good for is decentralized file sharing or for chat purposes, when using SKS chat software. Regards Stefan From sac at 300baud.de Sat Sep 19 21:03:55 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 19 Sep 2020 21:03:55 +0200 Subject: Which keyserver In-Reply-To: <20200919184029.Ng9bM%steffen@sdaoden.eu> References: <20200918153255.GB491907@fullerene.field.pennock-tech.net> <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <2ZXFJ7V8C9MEZ.3669VKB8GKKFM@my.amazin.horse> <20200919201736.000025f5@300baud.de> <20200919184029.Ng9bM%steffen@sdaoden.eu> Message-ID: <20200919210355.00007a62@300baud.de> Steffen Nurpmeso wrote: > Stefan Claas wrote in > <20200919201736.000025f5 at 300baud.de>: > |Robert J. Hansen wrote: > |>> It is true the attacks were what brought it down, but the amount \ > |>> of effort was not a "sustained > |>> attack" by any measure. The invested resources are somewhere around \ > |>> "couple hours and $0.00". > |> > |> I'm not sure that's true. > | > |[...] > | > |I think it does not matter. > | > |Professional businesses and their customers can use the mentioned Mailve\ > |lope key server, > |to protect their keys or use for anonymity purposes Hagrid, in combination \ > |with sequoia > |pgp, while the geeks can use WKD. > | > |The only thing SKS, so it seems, is currently good for is decentralized \ > |file sharing or > |for chat purposes, when using SKS chat software. > > SKS served me very well for many years, and it is a shame that > even national/related agencies with quite some funding, or > universities with that immense pool of students did not stand up > trying to keep this decade old community driven infrastructure > alive. 
I guess they all were eating burger, and at that level. Well, there is IMHO a good replacement for SKS available, called hockeypuck and it is written in modern Golang. The problem is that those (I don't know what to call these people publicly) SKS key server operators have no plan. The hockeypuck author is really fast in responding when it comes to issues and I guess he would be quite happy to help the SKS operators with solving issues, or listen to users if they have proposals. The good thing about the modern programming language Golang is that *soooooo* many (young) people are using Golang nowadays, that it should be easy to assist the author of hockeypuck. Regards Stefan From andrewg at andrewg.com Sat Sep 19 21:38:22 2020 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sat, 19 Sep 2020 20:38:22 +0100 Subject: Which keyserver In-Reply-To: <20200919210355.00007a62@300baud.de> References: <20200919210355.00007a62@300baud.de> Message-ID: <642247A9-80A1-4CAA-A9B9-30B37CF68A6A@andrewg.com> > On 19 Sep 2020, at 20:05, Stefan Claas wrote: > > Well, there is IMHO a good replacement for SKS available, called > hockeypuck and it is written in modern Golang. This is beside the point. SKS is both a protocol and an implementation. Hockeypuck is a reimplementation of the same protocol and so is vulnerable to the same poisoning issues. The problem with the SKS *protocol* is very hard to fix, because designing a universal, publicly writable datastore means solving a trilemma: censorship resistance, vandalism resistance, and decentralisation. SKS prioritises censorship resistance and decentralisation, and so is vulnerable to vandalism. Hagrid "solves" the vandalism problem by abandoning decentralisation. WKD steps outside the problem space by abandoning universality. All these are valid alternatives, but none can be called a "replacement". 
A From gnupg-users at spodhuis.org Sat Sep 19 20:34:13 2020 From: gnupg-users at spodhuis.org (Phil Pennock) Date: Sat, 19 Sep 2020 14:34:13 -0400 Subject: Which keyserver In-Reply-To: <817067771.20200919114432@mail.riseup.net> References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <20200918153255.GB491907@fullerene.field.pennock-tech.net> <817067771.20200919114432@mail.riseup.net> Message-ID: <20200919183413.GA607461@fullerene.field.pennock-tech.net> On 2020-09-19 at 11:44 +0100, MFPA via Gnupg-users wrote: > On Friday 18 September 2020 at 4:32:55 PM, in > , Phil > Pennock via Gnupg-users wrote:- > > > > keys.gnupg.net is a CNAME for > > hkps.pool.sks-keyservers.net -- which is > > now returning zero results. > > > The GnuPG manual's description [0] of the Dirmngr option "--keyserver name" still ends with "If no keyserver is explicitly configured, dirmngr will use the built-in default of hkps://hkps.pool.sks-keyservers.net." Is this still true, or was the default changed? The original question was: } I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not so that's what I answered. keys.gnupg.net _used to be_ the default, but it was changed and nowadays there is both a CNAME in DNS and logic in modern GnuPG to hard-replace the hostname. The mapping is in dirmngr/server.c:make_keyserver_item() and the default is found via compile-time configure, which defaults to hkps://hkps.pool.sks-keyservers.net (see configure.ac DIRMNGR_DEFAULT_KEYSERVER). 
From sac at 300baud.de Sat Sep 19 22:04:21 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 19 Sep 2020 22:04:21 +0200 Subject: Which keyserver In-Reply-To: <642247A9-80A1-4CAA-A9B9-30B37CF68A6A@andrewg.com> References: <20200919210355.00007a62@300baud.de> <642247A9-80A1-4CAA-A9B9-30B37CF68A6A@andrewg.com> Message-ID: <20200919220421.00000c23@300baud.de> Andrew Gallagher wrote: > > > On 19 Sep 2020, at 20:05, Stefan Claas wrote: > > > > Well, there is IMHO a good replacement for SKS available, called > > hockeypuck and it is written in modern Golang. > > This is beside the point. SKS is both a protocol and an implementation. Hockeypuck is a reimplementation of the same protocol > and so is vulnerable to the same poisoning issues. > > The problem with the SKS *protocol* is very hard to fix, because designing a universal, publicly writable datastore means > solving a trilemma: censorship resistance, vandalism resistance, and decentralisation. SKS prioritises censorship resistance > and decentralisation, and so is vulnerable to vandalism. Hagrid "solves" the vandalism problem by abandoning > decentralisation. WKD steps outside the problem space by abandoning universality. All these are valid alternatives, but none > can be called a "replacement". *With all due respect*, the problems you mention with the SKS protocol are IMHO absolutely solvable with hockeypuck if the author implements the same Mailvelope or Hagrid confirmation process for its users, or it would honor the SKS --no-modify flag, Werner implemented long time ago in GnuPG. And if (former) SKS key server operators would be honest this could be solved with hockeypuck and if not people which are using GnuPG or OpenPGP apps may wonder how it comes that a client/server model for *security/privacy* software is from the SKS server side globally still operated, if it can not *protect* their users pub keys adequately? 
I am very sorry to say that but all arguments from former or current SKS operators do not convince me nor do they show the OpenPGP users community willingness or advancements in this area, to be taken serious. Best regards Stefan From steffen at sdaoden.eu Sat Sep 19 20:40:29 2020 From: steffen at sdaoden.eu (Steffen Nurpmeso) Date: Sat, 19 Sep 2020 20:40:29 +0200 Subject: Which keyserver In-Reply-To: <20200919201736.000025f5@300baud.de> References: <20200918153255.GB491907@fullerene.field.pennock-tech.net> <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <2ZXFJ7V8C9MEZ.3669VKB8GKKFM@my.amazin.horse> <20200919201736.000025f5@300baud.de> Message-ID: <20200919184029.Ng9bM%steffen@sdaoden.eu> Stefan Claas wrote in <20200919201736.000025f5 at 300baud.de>: |Robert J. Hansen wrote: |>> It is true the attacks were what brought it down, but the amount \ |>> of effort was not a "sustained |>> attack" by any measure. The invested resources are somewhere around \ |>> "couple hours and $0.00". |> |> I'm not sure that's true. | |[...] | |I think it does not matter. | |Professional businesses and their customers can use the mentioned Mailve\ |lope key server, |to protect their keys or use for anonymity purposes Hagrid, in combination \ |with sequoia |pgp, while the geeks can use WKD. | |The only thing SKS, so it seems, is currently good for is decentralized \ |file sharing or |for chat purposes, when using SKS chat software. SKS served me very well for many years, and it is a shame that even national/related agencies with quite some funding, or universities with that immense pool of students did not stand up trying to keep this decade old community driven infrastructure alive. I guess they all were eating burger, and at that level. 
--steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) From andrewg at andrewg.com Sat Sep 19 22:58:51 2020 From: andrewg at andrewg.com (Andrew Gallagher) Date: Sat, 19 Sep 2020 21:58:51 +0100 Subject: Which keyserver In-Reply-To: <20200919220421.00000c23@300baud.de> References: <20200919220421.00000c23@300baud.de> Message-ID: <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com> > On 19 Sep 2020, at 21:06, Stefan Claas wrote: > > *With all due respect*, the problems you mention with the SKS protocol is IMHO absolutely solvable with hockeypuck if the author > implements the same Mailvelope or Hagrid confirmation process for its users If you have not yet read the mega threads from a year or two back over on the sks mailing list discussing how filtering is incompatible with open synchronisation, I suggest you do so before opining further. I really don't have the energy to explain it again! ;-) tl;dr: if you don't have either a central authority or an agreed, future-proof zkp system of verification (itself a Very Hard Problem) then your decentralised network goes split brain at the slightest provocation. https://lists.nongnu.org/archive/html/sks-devel/2018-05/msg00009.html https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00010.html I'd also suggest reading DKG's proposals for what *is* technically possible, as they are pretty comprehensive: https://lists.nongnu.org/archive/html/sks-devel/2019-04/msg00002.html Finally, I would suggest continuing any technical discussions on sks-devel rather than here as we are veering off topic. A
From sac at 300baud.de Sat Sep 19 23:34:32 2020 From: sac at 300baud.de (Stefan Claas) Date: Sat, 19 Sep 2020 23:34:32 +0200 Subject: Which keyserver In-Reply-To: <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com> References: <20200919220421.00000c23@300baud.de> <0F7A336D-ED58-4BF8-91BA-730635A358DA@andrewg.com> Message-ID: <20200919233432.00007f82@300baud.de> Andrew Gallagher wrote: > > > On 19 Sep 2020, at 21:06, Stefan Claas wrote: > > > > *With all due respect*, the problems you mention with the SKS protocol is IMHO absolutely solvable with hockeypuck if the > > author implements the same Mailvelope or Hagrid confirmation process for its users > > If you have not yet read the mega threads from a year or two back over on the sks mailing list discussing how filtering is > incompatible with open synchronisation, I suggest you do so before opining further. I really don't have the energy to explain > it again! ;-) tl;dr: if you don't have either a central authority or an agreed, future-proof zkp system of verification > (itself a Very Hard Problem) then your decentralised network goes split brain at the slightest provocation. > > https://lists.nongnu.org/archive/html/sks-devel/2018-05/msg00009.html > > https://lists.nongnu.org/archive/html/sks-devel/2019-02/msg00010.html > > I'd also suggest reading DKG's proposals for what *is* technically possible, as they are pretty comprehensive: > > https://lists.nongnu.org/archive/html/sks-devel/2019-04/msg00002.html > > Finally, I would suggest continuing any technical discussions on sks-devel rather than here as we are veering off topic. I am not interested to discuss old SKS issues/proposals further on the SKS mailing list with (former) SKS operators and only wanted to bring my POV to GnuPG users attention. I am aware of dkg's fine draft and his other valuable contributions he made. 
I stand by my points that hockeypuck can solve the issues and will respect your wish to not further discuss technical SKS issues here on the GnuPG Mailing List. In case dkg is reading this thread, maybe he, as highly respected community member and skilled programmer, can discuss these things with the hockeypuck author on GitHub, in case he has time and is willing to do so. Regards Stefan From neal at walfield.org Sat Sep 19 23:50:45 2020 From: neal at walfield.org (Neal H. Walfield) Date: Sat, 19 Sep 2020 23:50:45 +0200 Subject: Which keyserver In-Reply-To: <642247A9-80A1-4CAA-A9B9-30B37CF68A6A@andrewg.com> References: <20200919210355.00007a62@300baud.de> <642247A9-80A1-4CAA-A9B9-30B37CF68A6A@andrewg.com> Message-ID: <87sgbd4eru.wl-neal@walfield.org> Hi Andrew, On Sat, 19 Sep 2020 21:38:22 +0200, Andrew Gallagher wrote: > Hagrid "solves" the vandalism problem by abandoning > decentralisation. This is not strictly true. When we think about updating keys, there are two types of information that can be updated: - Identity Information (User IDs) - Operational Information (Revocations, Subkey Rotations, Metadata (self-sig) updates, etc.) Identity information is privacy sensitive, and we think people should be able to control where their details are published, and have the ability to retract them, if desired. This requires some type of centralization. Operational Information does not require the same protection, and can and should be widely published. It would be possible to create a network of keyservers that synchronize this type of information in a similar way to how SKS worked. But, we know from experience with SKS that this is not easy (the set of filters needs to be synchronized, etc., which is a type of centralization). So far, no one has taken the time to think through this problem, and implement a solution for Hagrid. But, I think that we'd welcome a patch that adds such functionality. 
:) Neal From 2017-r3sgs86x8e-lists-groups at riseup.net Sun Sep 20 13:58:56 2020 From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA) Date: Sun, 20 Sep 2020 12:58:56 +0100 Subject: Which keyserver In-Reply-To: <20200919183413.GA607461@fullerene.field.pennock-tech.net> References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <20200918153255.GB491907@fullerene.field.pennock-tech.net> <817067771.20200919114432@mail.riseup.net> <20200919183413.GA607461@fullerene.field.pennock-tech.net> Message-ID: <559791655.20200920125825@mail.riseup.net> Hi On Saturday 19 September 2020 at 7:34:13 PM, in , Phil Pennock via Gnupg-users wrote:- > The original question was: > } I use GPG4Win and I've noticed that > "hkp://keys.gnupg.net" is not > so that's what I answered. I asked a different but related question that occurred to me when I read in your post that hkps.pool.sks-keyservers.net "is now returning zero results". I had noticed the GnuPG manual says the default keyserver is hkps.pool.sks-keyservers.net. I was under the impression the default had been changed to the Hagrid keyserver at keys.openpgp.org after the SKS attacks, so I asked the question to this list. > The mapping is in > dirmngr/server.c:make_keyserver_item() and the default > is found via compile-time configure, which defaults to > hkps://hkps.pool.sks-keyservers.net (see configure.ac > DIRMNGR_DEFAULT_KEYSERVER). So we have a default keyserver that is returning zero results? -- Best regards MFPA The more corrupt the state, the more numerous the laws. (Tacitus)
From azbigdogs at gmx.com Mon Sep 21 00:29:07 2020 From: azbigdogs at gmx.com (Mark) Date: Sun, 20 Sep 2020 15:29:07 -0700 Subject: Which keyserver In-Reply-To: <559791655.20200920125825@mail.riseup.net> References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <20200918153255.GB491907@fullerene.field.pennock-tech.net> <817067771.20200919114432@mail.riseup.net> <20200919183413.GA607461@fullerene.field.pennock-tech.net> <559791655.20200920125825@mail.riseup.net> Message-ID: <8d5a2f13-b736-112c-fb96-187d6726a2dd@gmx.com> I'm the one that asked the original question in regards to GPG4Win. I know with the latest version the default is "hkp://keys.gnupg.net" On 9/20/2020 4:58 AM, MFPA via Gnupg-users wrote: > Hi > > > On Saturday 19 September 2020 at 7:34:13 PM, in > , Phil > Pennock via Gnupg-users wrote:- > > >> The original question was: >> } I use GPG4Win and I've noticed that >> "hkp://keys.gnupg.net" is not >> so that's what I answered. > I asked a different but related question that occurred to me when I read in your post that hkps.pool.sks-keyservers.net "is now returning zero results". I had noticed the GnuPG manual says the default keyserver is hkps.pool.sks-keyservers.net. I was under the impression the default had been changed to the Hagrid keyserver at keys.openpgp.org after the SKS attacks, so I asked the question to this list. > > >> The mapping is in >> dirmngr/server.c:make_keyserver_item() and the default >> is found via compile-time configure, which defaults to >> hkps://hkps.pool.sks-keyservers.net (see configure.ac >> DIRMNGR_DEFAULT_KEYSERVER). > So we have a default keyserver that is returning zero results? 
From 2017-r3sgs86x8e-lists-groups at riseup.net Mon Sep 21 01:25:37 2020 From: 2017-r3sgs86x8e-lists-groups at riseup.net (MFPA) Date: Mon, 21 Sep 2020 00:25:37 +0100 Subject: Which keyserver In-Reply-To: <8d5a2f13-b736-112c-fb96-187d6726a2dd@gmx.com> References: <424898733.20200917225759@postzone.org> <5d72e96e-812c-f7be-363f-c35520f0629e@gmx.com> <20200918153255.GB491907@fullerene.field.pennock-tech.net> <817067771.20200919114432@mail.riseup.net> <20200919183413.GA607461@fullerene.field.pennock-tech.net> <559791655.20200920125825@mail.riseup.net> <8d5a2f13-b736-112c-fb96-187d6726a2dd@gmx.com> Message-ID: <1106559457.20200921002519@mail.riseup.net> Hi On Sunday 20 September 2020 at 11:29:07 PM, in , Mark wrote:- > I'm the one that asked the original question in > regards to GPG4Win. I > know with the latest version the default is > "hkp://keys.gnupg.net" Thanks, Mark. hkp://keys.gnupg.net is an alias for hkps://hkps.pool.sks-keyservers.net, which Phil said a couple of days ago was returning zero results. That issue is either intermittent or fixed, because I retrieved some keys from hkps://hkps.pool.sks-keyservers.net a few hours ago and again a few minutes ago. At least, a line of the output said "gpg: data source: https://hkps.pool.sks-keyservers.net:443 ". -- Best regards MFPA Never interrupt me when I'm trying to interrupt you.
From andrew at fsf.org Mon Sep 21 18:58:54 2020 From: andrew at fsf.org (Andrew Engelbrecht) Date: Mon, 21 Sep 2020 12:58:54 -0400 Subject: Recovering private keys in a friend's GPG installation Message-ID: Hello GnuPG mailing list, A friend of mine is running into issues with restoring their private keys after a botched system upgrade. While I don't have details of what exactly went wrong, they do have 3 keys in: ~/.gnupg/private-keys-v1.d/ ~/.gnupg/secring.gpg is empty, and their backups don't have any private keys in them. I asked them to run both the gpg and gpg2 commands in Trisquel 8, which is based off of Ubuntu 16.04, however, neither gpg --list-secret-keys nor gpg2 show any private keys. I asked them to cross-import public keys from both the gpg and gpg2 public keys exports, and checked to make sure that their public key is installed in their public keyring. We tried touching ~/.gnupg/.gpg-v21-migrated , and all permissions look correct. Unfortunately, none of these methods have imported / activated the private keys. My best guess is that these 3 keys are associated with some older private keys, and were merely left behind. If there is a way to check the fingerprint of the keys they belong to, and to import them, that would be super helpful. Is there a way to do that? Thanks, : ) Andrew From philihp at gmail.com Tue Sep 22 03:21:59 2020 From: philihp at gmail.com (Philihp Busby) Date: Tue, 22 Sep 2020 01:21:59 +0000 Subject: Announcing paperbackup.py to backup keys as QR codes on paper In-Reply-To: References: Message-ID: <20200922012159.GA70090@jinteki.local> A: Take a look at Paperkey, https://wiki.archlinux.org/index.php/Paperkey; I think it serves this need well. 
Not to diminish your work, good job! It's probably a good thing to have diversity in implementations, so we don't get stuck with the only thing being written in OCaml. B: I'm not well versed in Python, but have you tried `pip install qrencode`? C: If you're using an rsa4096 key, extracting just the secret key with paperkey will just barely fit in a QR code, and if you have subkeys then just forget it with "export-minimal". This, to me, is a good reason to migrate to an ed25519 key which is a deci-order of magnitude smaller (e.g. https://philihp.com/assets/id_ed25519.png) On 2020-09-14T08:16:19-0400 bexnews--- via Gnupg-users wrote 7.3K bytes: > Hello Friends, > > Ok I am no coder so I am trying to bungle my way thru setting up > paperbackup.py. > > My goal was to be able to print out a paper encrypted backup of a strong > key that I can use to encrypt data or other keys. I tried the Windows > Paperbackup from OllyDbg but it is older, on Windows (I'm on Linux atm) and > was having a hard time getting the roundtrip to work with my printer and > scanner. Paperbackup.py looked like a smart idea and I like the redundancy > of the QR code and text string outputs. I tried the usage instructions.... > > 1. the first issue was I think specifically you need to prefix > "paperbackup.py" with "python" correct? > 2. second issue was when I do #1 I get > > > Traceback (most recent call last): > > File "paperbackup.py", line 35, in > > import qrencode > > ImportError: No module named qrencode > > > > 3. I may be failing to install all the dependencies properly. I did "sudo > apt install qrencode" and seems installed (qrencode version 3.4.4 Copyright > (C) 2006-2012 Kentaro Fukuchi), but no change in the ImportError in #2. Is > there some other way to "hook" qrencode into paperbackup.py? I tried > putting it all into the same folder but it doesn't seem to help. > > danke schoen! > - bexnews > > > Announcing paperbackup.py to backup keys as QR codes on paper
> > Gerd v. Egidy gerd.von.egidy at intra2net.com Tue Feb 21 15:34:17 CET 2017 > > > > Hi, > > > > I'd like to announce a program I wrote to backup GnuPG and SSH keys as > > qrcodes on paper: > > > > paperbackup.py https://github.com/intra2net/paperbackup > > > > This is designed as fallback if all your regular backups failed to restore or > > were lost. > > > > Usage is like this: > > > > gpg2 --armor --export "User Name" >key.asc > > gpg2 --armor --export-secret-key "User Name" >>key.asc > > paperbackup.py key.asc > > paperrestore.sh key.asc.pdf | diff key.asc - > > lpr key.asc.pdf > > > > You'll find all the details, reasoning and examples in the README. > > > > Kind regards, > > > > Gerd From wk at gnupg.org Tue Sep 22 08:49:51 2020 From: wk at gnupg.org (Werner Koch) Date: Tue, 22 Sep 2020 08:49:51 +0200 Subject: how to suppress new "insecure passphrase" warning In-Reply-To: (Alan Bram via Gnupg-users's message of "Thu, 17 Sep 2020 11:27:28 -0700") References: <20200917155614.GA381230@fullerene.field.pennock-tech.net> Message-ID: <87a6xijofk.fsf@wheatstone.g10code.de> On Thu, 17 Sep 2020 11:27, Alan Bram said: > configuration, there was an already-running agent that I had to kill first > in order to get it to reread the config. Just for the records: "gpgconf --reload gpg-agent" would have been sufficient, but "gpgconf --kill gpg-agent" works of course also. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
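The paperbackup.py thread above turns on one practical problem: an armored key export is larger than a single QR code holds (Philihp's point C), so the export has to be split into several codes and later scanned back in the right order with some way to notice a bad scan. The following is an added example written for this page; it is neither paperbackup.py nor Paperkey, and its framing format (a fixed 16-byte `^index/total^crc32^` header per segment) is an assumption chosen here for illustration. It uses the published QR version 40 byte capacities and the standard library only, and leaves rendering to qrencode; the sample payload is constructed and is not a real key.

```python
"""Added example (not paperbackup.py or Paperkey): split an ASCII-armored key
export into segments that each fit one QR code, tag every segment with its
index, total count and a CRC-32, and reassemble from segments in any order,
refusing to proceed on a missing, duplicated-but-different or mis-scanned one.
The header layout is an illustrative choice for this page, not a standard."""

import hashlib
import zlib
from typing import List, Optional

# Byte capacity of a QR code in 8-bit mode at version 40 (the largest symbol),
# per error-correction level.  Higher levels survive more damage but hold less.
QR_V40_CAPACITY = {"L": 2953, "M": 2331, "Q": 1663, "H": 1273}

HEADER_FMT = "^{idx:02d}/{total:02d}^{crc:08x}^"   # e.g. ^03/04^1a2b3c4d^
HEADER_LEN = 16                                    # fixed width while total < 100


def split_for_qr(data: bytes, ec_level: str = "M") -> List[bytes]:
    """Frame `data` into segments no longer than the chosen QR capacity."""
    cap = QR_V40_CAPACITY[ec_level] - HEADER_LEN
    chunks = [data[i:i + cap] for i in range(0, len(data), cap)] or [b""]
    total = len(chunks)
    if total > 99:
        raise ValueError("more than 99 segments: widen the header or shrink the input")
    segments = []
    for idx, chunk in enumerate(chunks, 1):
        crc = zlib.crc32(chunk) & 0xFFFFFFFF
        hdr = HEADER_FMT.format(idx=idx, total=total, crc=crc).encode("ascii")
        segments.append(hdr + chunk)
    return segments


def reassemble(segments: List[bytes]) -> bytes:
    """Accept segments in any order; raise ValueError on anything inconsistent."""
    if not segments:
        raise ValueError("no segments")
    pieces, total = {}, None
    for seg in segments:
        hdr, body = seg[:HEADER_LEN].decode("ascii", "replace"), seg[HEADER_LEN:]
        if len(hdr) != HEADER_LEN or hdr[0] != "^" or hdr[-1] != "^":
            raise ValueError("bad header: " + hdr)
        idx_total, crc_hex = hdr[1:-1].split("^")
        idx, tot = (int(x) for x in idx_total.split("/"))
        if total is None:
            total = tot
        elif tot != total:
            raise ValueError("segments belong to different backups")
        if zlib.crc32(body) & 0xFFFFFFFF != int(crc_hex, 16):
            raise ValueError(f"segment {idx}/{tot} failed its checksum (mis-scan?)")
        if idx in pieces and pieces[idx] != body:
            raise ValueError(f"segment {idx} seen twice with different content")
        pieces[idx] = body
    missing = [i for i in range(1, total + 1) if i not in pieces]
    if missing:
        raise ValueError("missing segments: " + ", ".join(map(str, missing)))
    return b"".join(pieces[i] for i in range(1, total + 1))


def check_segments(segments: List[bytes]) -> Optional[str]:
    """None if the segments reassemble cleanly, otherwise the error text."""
    try:
        reassemble(segments)
    except ValueError as err:
        return str(err)
    return None


def sheet_digest(data: bytes) -> str:
    """SHA-256 of the whole export, to print on the sheet and compare after restore."""
    return hashlib.sha256(data).hexdigest()


def sample_export() -> bytes:
    """Constructed stand-in for `gpg --armor --export-secret-keys` output,
    roughly the size of an RSA-4096 secret key export.  Not a real key."""
    body = b"".join(hashlib.sha256(bytes([i])).hexdigest().encode() for i in range(108))
    return (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n" + body +
            b"\n-----END PGP PRIVATE KEY BLOCK-----\n")


if __name__ == "__main__":
    export = sample_export()
    segs = split_for_qr(export, "M")
    print(f"{len(export)} bytes -> {len(segs)} QR codes (v40-M), sha256 {sheet_digest(export)}")
    # Each element of `segs` would be written to a file and passed to
    # `qrencode -8 -l M -o segN.png` (assumed invocation) for printing.
    assert reassemble(list(reversed(segs))) == export
```

Two design points carry over to any real tool: the per-segment checksum makes a single mis-scanned code fail loudly instead of yielding a subtly corrupted key, and the whole-file digest printed on the sheet is what you compare after `gpg --import` rather than trusting that the restore "looked fine".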
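Returning to Andrew's question above about the three files in ~/.gnupg/private-keys-v1.d/: which OpenPGP key each belongs to can be worked out from the public parameters alone. The file name is the libgcrypt keygrip, which for RSA is a SHA-1 over n and e and does not depend on when the key was created; the OpenPGP v4 fingerprint (RFC 4880, section 12.2) additionally hashes the creation timestamp, which GnuPG 2.2 does not store in that file, so the fingerprint has to be searched over a window of candidate timestamps. The following is an added example written for this page, not a GnuPG tool; it assumes you have already extracted n and e as integers (gpg-agent's READKEY command over gpg-connect-agent returns the public S-expression for a keygrip), and the modulus used in the demo is a constructed placeholder, not a valid RSA key.

```python
"""Added example (not GnuPG's code): identify the OpenPGP key behind a
private-keys-v1.d file from its RSA public parameters.

rsa_keygrip        -> the file name (libgcrypt keygrip), independent of time
rsa_v4_fingerprint -> RFC 4880 v4 fingerprint for a given creation timestamp
find_creation_time -> walk a window of timestamps until the fingerprint (or the
                      16-hex-digit long key ID from `gpg --list-keys`) matches
The demo modulus is a constructed placeholder, not a real key."""

import hashlib
import struct
from typing import Optional


def _unsigned_bytes(x: int) -> bytes:
    """Big-endian magnitude without leading zero bytes (what libgcrypt hashes)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def rsa_keygrip(n: int, e: int) -> str:
    """libgcrypt keygrip for RSA: SHA-1 over "(1:n<len>:<n>)(1:e<len>:<e>)"."""
    h = hashlib.sha1()
    for name, value in (("n", n), ("e", e)):
        raw = _unsigned_bytes(value)
        h.update(b"(1:" + name.encode() + str(len(raw)).encode() + b":" + raw + b")")
    return h.hexdigest().upper()


def _mpi(x: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", x.bit_length()) + _unsigned_bytes(x)


def rsa_v4_fingerprint(n: int, e: int, created: int) -> str:
    """RFC 4880 12.2: SHA-1(0x99 || 2-byte length || v4 public-key packet body)."""
    body = (b"\x04"                      # version 4
            + struct.pack(">I", created)  # creation time, seconds since epoch
            + b"\x01"                     # public-key algorithm 1 = RSA
            + _mpi(n) + _mpi(e))
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def find_creation_time(n: int, e: int, want: str, latest: int, window: int) -> Optional[int]:
    """Search backwards from `latest` over `window` seconds for the timestamp
    whose fingerprint ends with `want` (full fingerprint or long key ID).
    The "protected-at" value in the key file is a sensible `latest`."""
    want = want.replace(" ", "").upper()
    for t in range(latest, latest - window - 1, -1):
        if t < 0:
            break
        if rsa_v4_fingerprint(n, e, t).endswith(want):
            return t
    return None


# Constructed placeholder parameters (512-bit odd number, NOT a real modulus).
DEMO_N = int.from_bytes(hashlib.sha512(b"constructed-modulus").digest(), "big") | (1 << 511) | 1
DEMO_E = 65537
DEMO_CREATED = 1484000000   # some time in January 2017


if __name__ == "__main__":
    fpr = rsa_v4_fingerprint(DEMO_N, DEMO_E, DEMO_CREATED)
    print("keygrip     ", rsa_keygrip(DEMO_N, DEMO_E))
    print("fingerprint ", fpr, "at", DEMO_CREATED)
    # Pretend we only know the long key ID and a rough upper bound on the date:
    print("recovered   ", find_creation_time(DEMO_N, DEMO_E, fpr[-16:], DEMO_CREATED + 3600, 7200))
```

In practice the window can be large (the key may have been generated days before the file was written), but at roughly 600 bytes of SHA-1 per candidate a day is under a second; once the fingerprint is known, the public key from the friend's keyring tells you whether the orphaned file is a primary key or a subkey and whether it is worth re-attaching.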
From wk at gnupg.org Tue Sep 22 16:57:03 2020 From: wk at gnupg.org (Werner Koch) Date: Tue, 22 Sep 2020 16:57:03 +0200 Subject: Recovering private keys in a friend's GPG installation In-Reply-To: (Andrew Engelbrecht via Gnupg-users's message of "Mon, 21 Sep 2020 12:58:54 -0400") References: Message-ID: <87lfh1j1vk.fsf@wheatstone.g10code.de> On Mon, 21 Sep 2020 12:58, Andrew Engelbrecht said: > private keys, and were merely left behind. If there is a way to check > the fingerprint of the keys they belong to, and to import them, that > would be super helpful. Is there a way to do that? Unfortunately this is not instantly possible because the creation time is part of the fingerprint computation. We don't have a tool yet to do this. Needs to be written. GnuPG 2.3 will record the creation time to make things easier in the future. For now you need to guess the time (the "protected-at" value in the key file might give a hint) and, well, write a little tool to compute the fingerprint. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From pankaj at codeisgreat.org Mon Sep 28 20:24:58 2020 From: pankaj at codeisgreat.org (Pankaj Jangid) Date: Mon, 28 Sep 2020 23:54:58 +0530 Subject: agent refused operation when using GnuPG key for ssh Message-ID: I am trying to configure gpg key for ssh authentication. I have added a new key specifically for authentication (usage). And then exported the public key using --export-ssh-key and saved on the remote server authorized_keys. ~/.gnupg/gpg-agent.conf ~/.gnupg/sshcontrol The above files are configured accordingly. 
And in my ~/.zshrc, I have,

--8<---------------cut here---------------start------------->8---
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
--8<---------------cut here---------------end--------------->8---

But when I connect using ssh, it tries to log in using the GnuPG key but
gets an "agent refused operation" error. Below is the log.

--8<---------------cut here---------------start------------->8---
debug1: Offering public key: (none) RSA SHA256:JDqSzpk8xTHxmB9ba98TuTwaiObrzU5/bFrHQwrvRdY agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: (none) RSA SHA256:JDqSzpk8xTHxmB9ba98TuTwaiObrzU5/bFrHQwrvRdY agent
debug3: sign_and_send_pubkey: RSA SHA256:JDqSzpk8xTHxmB9ba98TuTwaiObrzU5/bFrHQwrvRdY
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
sign_and_send_pubkey: signing failed: agent refused operation
debug1: Offering public key: /Users/pankaj/.ssh/id_rsa RSA SHA256:fwEoS8jdY2L/ETw75CuRQLL05IMBRTFK8kHk89s0+M8
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /Users/pankaj/.ssh/id_rsa RSA SHA256:fwEoS8jdY2L/ETw75CuRQLL05IMBRTFK8kHk89s0+M8
debug3: sign_and_send_pubkey: RSA SHA256:fwEoS8jdY2L/ETw75CuRQLL05IMBRTFK8kHk89s0+M8
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
--8<---------------cut here---------------end--------------->8---

How to diagnose this further?
-- 
Pankaj Jangid
GnuPG Fingerprint => 0B62 7424 3B26 A911 052A DDE6 7C95 6E6F F858 7689

From wk at gnupg.org Tue Sep 29 22:01:56 2020
From: wk at gnupg.org (Werner Koch)
Date: Tue, 29 Sep 2020 22:01:56 +0200
Subject: agent refused operation when using GnuPG key for ssh
In-Reply-To: (Pankaj Jangid's message of "Mon, 28 Sep 2020 23:54:58 +0530")
References: 
Message-ID: <87lfgsfj2j.fsf@wheatstone.g10code.de>

On Mon, 28 Sep 2020 23:54, Pankaj Jangid said:

> debug3: sign_and_send_pubkey: signing using rsa-sha2-512
> sign_and_send_pubkey: signing failed: agent refused operation

Algorithm looks okay.  You need to look at the gpg-agent log.  Put

  log-file /somewhere/gpg-agent.log
  verbose

into ~/.gnupg/gpg-agent.conf and restart the agent ("gpgconf --reload
gpg-agent" should be sufficient).  Run ssh again, check the log and post
it.  What version of GnuPG are you running?  ("gpg-agent --version").

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

From francoisgervais at gmail.com Tue Sep 29 19:23:19 2020
From: francoisgervais at gmail.com (Francois Gervais)
Date: Tue, 29 Sep 2020 13:23:19 -0400
Subject: SSH CA + gpg-agent + gnuk => error
Message-ID: 

I'm trying to follow up on a previous thread as I'm affected by the same issue.

https://www.mail-archive.com/gnupg-users at gnupg.org/msg37567.html

I'm seeking some help in order to track down the issue.

Here are my current gpg-agent settings:

fgervais at fgervais-System-Product-Name:~$ cat .gnupg/gpg-agent.conf
enable-ssh-support
debug-level guru
debug-all
verbose
log-file /home/fgervais/gpg-agent-log

I'm not getting much more info than previously posted.
Basically everything is fine until

2020-09-29 12:49:17 gpg-agent[16002] smartcard signing failed: General error
2020-09-29 12:49:17 gpg-agent[16002] ssh sign request failed: General error

I don't mind posting the whole thing if someone can confirm that it is safe to share.

What could be my next step in order to track this issue?

From francoisgervais at gmail.com Tue Sep 29 20:12:08 2020
From: francoisgervais at gmail.com (Francois Gervais)
Date: Tue, 29 Sep 2020 14:12:08 -0400
Subject: SSH CA + gpg-agent + gnuk => error
In-Reply-To: 
References: 
Message-ID: 

I have more, I changed the scdaemon configuration:

fgervais at fgervais-System-Product-Name:~$ cat .gnupg/scdaemon.conf
verbose
debug 2048
log-file /home/fgervais/scdaemon.log

and I got the following:

2020-09-29 14:01:04 scdaemon[23361] DBG: dump:
2020-09-29 14:01:04 scdaemon[23361] Version-2+ .....: yes
2020-09-29 14:01:04 scdaemon[23361] Extcap-v3 ......: no
2020-09-29 14:01:04 scdaemon[23361] Button .........: yes
2020-09-29 14:01:04 scdaemon[23361] SM-Support .....: no
2020-09-29 14:01:04 scdaemon[23361] Get-Challenge ..: yes (32 bytes max)
2020-09-29 14:01:04 scdaemon[23361] Key-Import .....: yes
2020-09-29 14:01:04 scdaemon[23361] Change-Force-PW1: yes
2020-09-29 14:01:04 scdaemon[23361] Private-DOs ....: no
2020-09-29 14:01:04 scdaemon[23361] Algo-Attr-Change: yes
2020-09-29 14:01:04 scdaemon[23361] Symmetric Crypto: no
2020-09-29 14:01:04 scdaemon[23361] KDF-Support ....: yes
2020-09-29 14:01:04 scdaemon[23361] Max-Cert3-Len ..: 2048
2020-09-29 14:01:04 scdaemon[23361] Cmd-Chaining ...: yes
2020-09-29 14:01:04 scdaemon[23361] Ext-Lc-Le ......: no
2020-09-29 14:01:04 scdaemon[23361] Status-Indicator: 05
2020-09-29 14:01:04 scdaemon[23361] GnuPG-No-Sync ..: no
2020-09-29 14:01:04 scdaemon[23361] GnuPG-Def-PW2 ..: no
2020-09-29 14:01:04 scdaemon[23361] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
2020-09-29 14:01:04 scdaemon[23361] DBG: raw apdu: 00 CA 00 6E 00
2020-09-29 14:01:04 scdaemon[23361] DBG: response: sw=9000 datalen=248
2020-09-29 14:01:04 scdaemon[23361] DBG: dump: 4F 10 D2 76 00 01 24 01 02 00 FF FE 43 11 22 34 00 00 5F 52 0A 00 31 84 73 80 01 80 05 90 00 73 81 D0 C0 0A 75 00 00 20 08 00 00 FF 01 00 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 01 7F 7F 7F 03 03 03 C5 3C D2 8D 3D 5D 50 9C 5B 11 25 D7 4A 2A 21 E3 A1 80 DE D9 53 6A 22 15 82 13 6A D6 E2 39 EA 82 D4 DC 16 9E E2 25 75 32 7A 51 6E E2 CD 7D AF D2 D1 F4 D1 C8 69 0A 34 D5 63 14 D4 84 07 11 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 5F 65 5D 93 5F 65 5E 1D 5F 65 5E 42 D6 02 00 20 D7 02 00 20 D8 02 00 20 7F 74 03 81 01 20
2020-09-29 14:01:04 scdaemon[23361] Key-Attr-sign ..: ECC, curve=Ed25519 (eddsa)
2020-09-29 14:01:04 scdaemon[23361] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
2020-09-29 14:01:04 scdaemon[23361] DBG: raw apdu: 00 CA 00 6E 00
2020-09-29 14:01:04 scdaemon[23361] DBG: response: sw=9000 datalen=248
2020-09-29 14:01:04 scdaemon[23361] DBG: dump: 4F 10 D2 76 00 01 24 01 02 00 FF FE 43 11 22 34 00 00 5F 52 0A 00 31 84 73 80 01 80 05 90 00 73 81 D0 C0 0A 75 00 00 20 08 00 00 FF 01 00 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 01 7F 7F 7F 03 03 03 C5 3C D2 8D 3D 5D 50 9C 5B 11 25 D7 4A 2A 21 E3 A1 80 DE D9 53 6A 22 15 82 13 6A D6 E2 39 EA 82 D4 DC 16 9E E2 25 75 32 7A 51 6E E2 CD 7D AF D2 D1 F4 D1 C8 69 0A 34 D5 63 14 D4 84 07 11 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 5F 65 5D 93 5F 65 5E 1D 5F 65 5E 42 D6 02 00 20 D7 02 00 20 D8 02 00 20 7F 74 03 81 01 20
2020-09-29 14:01:04 scdaemon[23361] Key-Attr-encr ..: ECC, curve=Curve25519 (djb-tweak)
2020-09-29 14:01:04 scdaemon[23361] DBG: send apdu: c=00 i=CA p1=00 p2=6E lc=-1 le=256 em=0
2020-09-29 14:01:04 scdaemon[23361] DBG: raw apdu: 00 CA 00 6E 00
2020-09-29 14:01:04 scdaemon[23361] DBG: response: sw=9000 datalen=248
2020-09-29 14:01:04 scdaemon[23361] DBG: dump: 4F 10 D2 76 00 01 24 01 02 00 FF FE 43 11 22 34 00 00 5F 52 0A 00 31 84 73 80 01 80 05 90 00 73 81 D0 C0 0A 75 00 00 20 08 00 00 FF 01 00 C1 0A 16 2B 06 01 04 01 DA 47 0F 01 C2 0B 12 2B 06 01 04 01 97 55 01 05 01 C3 0A 16 2B 06 01 04 01 DA 47 0F 01 C4 07 01 7F 7F 7F 03 03 03 C5 3C D2 8D 3D 5D 50 9C 5B 11 25 D7 4A 2A 21 E3 A1 80 DE D9 53 6A 22 15 82 13 6A D6 E2 39 EA 82 D4 DC 16 9E E2 25 75 32 7A 51 6E E2 CD 7D AF D2 D1 F4 D1 C8 69 0A 34 D5 63 14 D4 84 07 11 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 5F 65 5D 93 5F 65 5E 1D 5F 65 5E 42 D6 02 00 20 D7 02 00 20 D8 02 00 20 7F 74 03 81 01 20
2020-09-29 14:01:04 scdaemon[23361] Key-Attr-auth ..: ECC, curve=Ed25519 (eddsa)
2020-09-29 14:01:04 scdaemon[23361] DBG: SIGCONT received - breaking select
2020-09-29 14:01:04 scdaemon[23361] sending signal 12 to client 23359
2020-09-29 14:01:04 scdaemon[23361] DBG: send apdu: c=00 i=47 p1=81 p2=00 lc=2 le=256 em=0
2020-09-29 14:01:04 scdaemon[23361] DBG: raw apdu: 00 47 81 00 02 A4 00 00
2020-09-29 14:01:04 scdaemon[23361] DBG: response: sw=9000 datalen=37
2020-09-29 14:01:04 scdaemon[23361] DBG: dump: 7F 49 22 86 20 A5 7D 9B 4B 84 B3 85 67 8F 70 75 6A D7 EB 0D 40 FC 93 C7 DF 1C 45 DE AA B5 8E 3B 38 E1 FD B5 80

Would the SIGCONT be the source of my problem?

On Tue, Sep 29, 2020 at 1:23 PM Francois Gervais wrote:
>
> I'm trying to follow up on a previous thread as I'm affected by the same issue.
>
> https://www.mail-archive.com/gnupg-users at gnupg.org/msg37567.html
>
> I'm seeking some help in order to track down the issue.
>
> Here are my current gpg-agent settings:
>
> fgervais at fgervais-System-Product-Name:~$ cat .gnupg/gpg-agent.conf
> enable-ssh-support
> debug-level guru
> debug-all
> verbose
> log-file /home/fgervais/gpg-agent-log
>
> I'm not getting much more info than previously posted. Basically everything is fine until
> 2020-09-29 12:49:17 gpg-agent[16002] smartcard signing failed: General error
> 2020-09-29 12:49:17 gpg-agent[16002] ssh sign request failed: General error
>
> I don't mind posting the whole thing if someone can confirm that it is safe to share.
>
> What could be my next step in order to track this issue?

From gniibe at fsij.org Wed Sep 30 07:57:48 2020
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Wed, 30 Sep 2020 14:57:48 +0900
Subject: SSH CA + gpg-agent + gnuk => error
In-Reply-To: 
References: 
Message-ID: <87o8lnn6w3.fsf@jumper.gniibe.org>

Francois Gervais via Gnupg-users wrote:
> Would the SIGCONT be the source of my problem?

No, not at all.  It's completely normal.

You need to locate the place where it fails.

* * *

FYI, we have a ticket for signing SSH CA by Gnuk Token.

    https://dev.gnupg.org/T5041

This problem is... (for me) because of bad design of digital signature
for SSH CA.  If it's not larger, Gnuk 1.2.16 works.

I think it is possibly related to your issue.
-- 

From pankaj at codeisgreat.org Wed Sep 30 10:41:04 2020
From: pankaj at codeisgreat.org (Pankaj Jangid)
Date: Wed, 30 Sep 2020 14:11:04 +0530
Subject: agent refused operation when using GnuPG key for ssh
In-Reply-To: <87lfgsfj2j.fsf@wheatstone.g10code.de> (Werner Koch via Gnupg-users's message of "Tue, 29 Sep 2020 22:01:56 +0200")
References: <87lfgsfj2j.fsf@wheatstone.g10code.de>
Message-ID: 

On Tue, Sep 29 2020, Werner Koch via Gnupg-users wrote:

> On Mon, 28 Sep 2020 23:54, Pankaj Jangid said:
>> debug3: sign_and_send_pubkey: signing using rsa-sha2-512
>> sign_and_send_pubkey: signing failed: agent refused operation
>
> Algorithm looks okay.  You need to look at the gpg-agent log.  Put
>
>   log-file /somewhere/gpg-agent.log
>   verbose
>
> into ~/.gnupg/gpg-agent.conf and restart the agent ("gpgconf --reload
> gpg-agent" should be sufficient).  Run ssh again, check the log and post
> it.  What version of GnuPG are you running?  ("gpg-agent --version").

(Fixed) The error was coming because it could not find the tty to ask for
the passphrase. Now I am doing this in my ~/.bash_profile

#+BEGIN_SRC bash
export GPG_TTY=$(tty)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpg-connect-agent updatestartuptty /bye
#+END_SRC

In the stackoverflow archives, someone suggested installing pinentry-mac for
macOS. This gave me a hint. I had pinentry-curses already installed.
So I looked for how to tell this to gpg-agent and found this,

https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html#Agent-Protocol

Then ran,

gpg-connect-agent 'help updatestartuptty'

Regards

-- 
Pankaj Jangid
GnuPG Fingerprint => 0B62 7424 3B26 A911 052A DDE6 7C95 6E6F F858 7689

From angel at pgp.16bits.net Wed Sep 30 23:25:13 2020
From: angel at pgp.16bits.net (Ángel)
Date: Wed, 30 Sep 2020 23:25:13 +0200
Subject: Recovering private keys in a friend's GPG installation
In-Reply-To: 
References: 
Message-ID: 

On 2020-09-21 at 12:58 -0400, Andrew Engelbrecht via Gnupg-users wrote:
> My best guess is that these 3 keys are associated with some older
> private keys, and were merely left behind. If there is a way to check
> the fingerprint of the keys they belong to, and to import them, that
> would be super helpful. Is there a way to do that?
>
> Thanks, : )
> Andrew

Hello Andrew

gpg --list-keys --with-keygrip

will give you the keygrip of the public keys you have. The filenames of
the private keys are the keygrips.

If they are associated with public keys nobody has then, while it would
be possible to recreate an equivalent gpg key if you had the key
creation time, it would probably be simpler to create new keys.

Best regards
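Werner's point that the creation time is part of the fingerprint, and Ángel's that an equivalent key can only be rebuilt with that time, both come down to the same computation. The following is an added example, not code from this thread or from GnuPG: it builds the OpenPGP v4 public-key packet body for an RSA key from its modulus, exponent and a candidate creation time, hashes it into the v4 fingerprint (RFC 4880, section 12.2), and scans a window of candidate seconds for the one that reproduces a fingerprint you still know, for instance from an old signature or a public key listing. The modulus, exponent and timestamps in it are constructed; reading the "protected-at" value as YYYYMMDDTHHMMSS in UTC is an assumption about the key file format; and it covers RSA only, since ECC keys encode their public material differently.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional, Tuple

PK_ALGO_RSA = 1  # public-key algorithm id for RSA (RFC 4880, section 9.1)


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI: a 2-byte big-endian
    bit count followed by the magnitude with no leading zero bytes."""
    if value == 0:
        return b"\x00\x00"
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for an RSA key: version octet,
    4-byte creation time (Unix seconds), algorithm id, then the MPIs n and e.
    The creation time is the only input here that an orphaned key file lacks."""
    return (b"\x04" + struct.pack(">I", created) + bytes([PK_ALGO_RSA])
            + mpi(n) + mpi(e))


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body
    (RFC 4880, section 12.2), returned as 40 upper-case hex digits."""
    body = rsa_public_key_body(n, e, created)
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()


def window_from_protected_at(hint: str, slack_days: int) -> Tuple[int, int]:
    """Turn a "protected-at" value from a private-keys-v1.d file into a search
    window of +/- slack_days around it. Assumes (not verified against GnuPG
    here) that the value is ISO basic YYYYMMDDTHHMMSS in UTC."""
    centre = int(datetime.strptime(hint, "%Y%m%dT%H%M%S")
                 .replace(tzinfo=timezone.utc).timestamp())
    return centre - slack_days * 86400, centre + slack_days * 86400


def find_creation_time(n: int, e: int, expected_fpr: str,
                       start: int, end: int) -> Optional[int]:
    """Scan creation times start..end (inclusive, Unix seconds) for the one
    that reproduces expected_fpr. One SHA-1 per candidate second, so a window
    of a few days finishes in seconds in pure Python."""
    target = expected_fpr.replace(" ", "").upper()
    for created in range(start, end + 1):
        if v4_fingerprint(n, e, created) == target:
            return created
    return None


# Constructed sample material (not a real key): a 1024-bit odd number standing
# in for the modulus, the usual public exponent, and an arbitrary creation time.
SAMPLE_N = int("F0" + "AB" * 127, 16)
SAMPLE_E = 65537
SAMPLE_CREATED = 1487691257  # 2017-02-21T15:34:17Z, chosen for the demo


def demo() -> Optional[int]:
    """Pretend the fingerprint is known but the creation time is lost, then
    recover the time from a window derived from a constructed protected-at hint."""
    known_fpr = v4_fingerprint(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    start, end = window_from_protected_at("20170221T160000", slack_days=1)
    found = find_creation_time(SAMPLE_N, SAMPLE_E, known_fpr, start, end)
    if found is not None:
        when = datetime.fromtimestamp(found, timezone.utc).isoformat()
        print(f"fingerprint {known_fpr} reproduced with creation time {found} ({when})")
    else:
        print("no creation time in the window reproduces the fingerprint")
    return found


if __name__ == "__main__":
    demo()
```

In practice you would take n and e from the orphaned key file, the expected fingerprint from wherever the key was once listed, and widen the window until the scan either hits or exhausts a plausible range; once the creation time is known, the public key can be rebuilt and imported, which is the step Ángel weighs against simply generating new keys.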