From plr.vincent at gmail.com Mon May 3 02:27:12 2021 From: plr.vincent at gmail.com (Vincent Pelletier) Date: Mon, 3 May 2021 00:27:12 +0000 Subject: All my Passwords are lost In-Reply-To: References: <727D2DBB-89A8-45BB-8EBA-8635C3DE95A3@podiuminternational.org> <20210425084106.0f187786@gmail.com> <20210426111232.071f12c5@gmail.com> Message-ID: <20210503002712.52908ba1@gmail.com> On Tue, 27 Apr 2021 20:32:04 +0200, Marek Stepanek wrote: > That means, no way to fiddle around with the headers (I called them like that) of the pw.gpg-file. BTW, I just noticed that there was an on-list-only email which gave details on how to extract and replace-during-decryption these, so in case you are not subscribed and missed it, here it is: https://lists.archive.carbon60.com/gnupg/users/90299#90299 (first result on "gnupg-user archives", no idea about the quality of this archive domain in particular) Also, I had a completely different idea to how to maybe retrieve the file: as you decrypt it on-disk before use, maybe you can recover it by undeleting this file ? This is of course: - very dependent on the filesystem (I believe not all have tools for undeleting) - very dependent on the amount of writes which happened since the last deletion (compared to the amount of free space) - very dependent on whether this is on an ssd and whether you have "discard" enabled - possibly tedious, depending on the capabilities of the tool used to undelete but at least this is a way which puts crypto out of the equation. And on a related note: is there an RAM-only (ideally swap-disabled, no temporary file...) decipher-edit-encipher editor out there, to avoid having to write plain files to disk and leaving such traces ? I thought kleopatra did this, but I cannot find it now. > It is really encrypted with the PUBLIC key of pause at pause.perl.org - probably a dead email address - nobody is reading. Maybe you can try to reach out someone else on the perl.org domain, who may guide you to someone having access to that key ? Regards, -- Vincent Pelletier GPG fingerprint 983A E8B7 3B91 1598 7A92 3845 CAC9 3691 4257 B0C1 From kloecker at kde.org Mon May 3 09:14:50 2021 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Mon, 03 May 2021 09:14:50 +0200 Subject: All my Passwords are lost In-Reply-To: <20210503002712.52908ba1@gmail.com> References: <727D2DBB-89A8-45BB-8EBA-8635C3DE95A3@podiuminternational.org> <20210503002712.52908ba1@gmail.com> Message-ID: <16205900.cmrTmuEWb0@breq> On Montag, 3. Mai 2021 02:27:12 CEST Vincent Pelletier via Gnupg-users wrote: > And on a related note: is there an RAM-only (ideally swap-disabled, no > temporary file...) decipher-edit-encipher editor out there, to avoid > having to write plain files to disk and leaving such traces ? I thought > kleopatra did this, but I cannot find it now. Kleopatra has a notepad which allows this. It doesn't prevent swaping, but it does not write anything to disk itself. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: This is a digitally signed message part. URL: From stefan.vasilev at posteo.ru Mon May 3 11:24:01 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Mon, 3 May 2021 09:24:01 +0000 Subject: How would you do that ... Message-ID: Hi all, here is a little scenario. Alice and Bob needs to find a way to do encrypted communications globally. The task is the following: Alice needs to travel to a foreign country without any devices (laptop, smartphone etc.). At arrival she needs to communicate daily (no real time communications) with Bob to exchange encrypted documents. Alice is not allowed to login in any services, like her Gmail account, social media etc. to not reveal her login credentials. She can't use Tor, because at her destination Tor is blocked. The only option she has is to use Internet Caf?s or public libraries etc. She is aware that at an Internet Caf? keyloggers may be installed. Last but not least she does not carry any notices on paper with her. How would you solve this task? Regards Stefan From ralph at ml.seichter.de Mon May 3 14:57:25 2021 From: ralph at ml.seichter.de (Ralph Seichter) Date: Mon, 03 May 2021 14:57:25 +0200 Subject: How would you do that ... In-Reply-To: References: Message-ID: <8735v4dlfu.fsf@wedjat.horus-it.com> * Stefan Vasilev via Gnupg-users: > How would you solve this task? With Alice having to rely on cryptography she can do in her head? Some shift cipher and carrier pigeons. :-) -Ralph From rjh at sixdemonbag.org Mon May 3 15:39:51 2021 From: rjh at sixdemonbag.org (rjh at sixdemonbag.org) Date: Mon, 03 May 2021 08:39:51 -0500 Subject: How would you do that ... In-Reply-To: References: Message-ID: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> I have dealt with a similar problem in real life, as a real problem with real people. We created a custom Linux environment, burned it to Blu-Ray, and Alice crossed the border with her Linux environment tucked into her CD player. On the other side she acquired a laptop, Blu-Ray drive, and USB drive locally, booted into this custom environment, then flashed her BIOS and gave her drives a low-level format. Rebooting into Linux (to reduce the likelihood of BIOS-based malware being present in memory) she used her system normally, although never touching the local hard drive. All storage was on USB stick. Prior to departing the country she wiped the laptop hard drive and donated it to a school. The Blu-Ray disc and USB drive were physically destroyed and discreetly dumped. I am not at liberty to say who Alice was, where she was, or why her needs were so extreme. But yes, we actually did this. On May 3, 2021 4:24:01 AM CDT, Stefan Vasilev via Gnupg-users wrote: >Hi all, > >here is a little scenario. Alice and Bob needs to find a way to do >encrypted communications globally. > >The task is the following: Alice needs to travel to a foreign country >without any devices (laptop, smartphone etc.). > >At arrival she needs to communicate daily (no real time communications) > >with Bob to exchange encrypted documents. > >Alice is not allowed to login in any services, like her Gmail account, >social media etc. to not reveal her login credentials. > >She can't use Tor, because at her destination Tor is blocked. The only >option she has is to use Internet Caf?s or public libraries etc. > >She is aware that at an Internet Caf? keyloggers may be installed. Last > >but not least she does not carry any notices on paper with her. > > >How would you solve this task? > > >Regards > >Stefan > > > > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users at gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- An HTML attachment was scrubbed... URL: From stefan.vasilev at posteo.ru Mon May 3 18:41:41 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Mon, 3 May 2021 16:41:41 +0000 Subject: How would you do that ... In-Reply-To: <8735v4dlfu.fsf@wedjat.horus-it.com> References: <8735v4dlfu.fsf@wedjat.horus-it.com> Message-ID: <9d10f40b-5f94-f25f-5451-18a1fbd9f0b8@posteo.ru> Ralph Seichter wrote: > * Stefan Vasilev via Gnupg-users: > >> How would you solve this task? > With Alice having to rely on cryptography she can do in her head? Well, so to speak, this would be an option in the future. > Some shift cipher and carrier pigeons. :-) Ha ha, but she needs to do that over a long distance and daily. Regards Stefan From stefan.vasilev at posteo.ru Mon May 3 18:46:36 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Mon, 3 May 2021 16:46:36 +0000 Subject: How would you do that ... In-Reply-To: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> References: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> Message-ID: <3616d317-80f6-b4ef-e7e5-d5796cc5aab0@posteo.ru> rjh at sixdemonbag.org wrote: > I have dealt with a similar problem in real life, as a real problem > with real people. > > We created a custom Linux environment, burned it to Blu-Ray, and Alice > crossed the border with her Linux environment tucked into her CD player. > > On the other side she acquired a laptop, Blu-Ray drive, and USB drive > locally, booted into this custom environment, then flashed her BIOS > and gave her drives a low-level format. > > Rebooting into Linux (to reduce the likelihood of BIOS-based malware > being present in memory) she used her system normally, although never > touching the local hard drive. All storage was on USB stick. > > Prior to departing the country she wiped the laptop hard drive and > donated it to a school. The Blu-Ray disc and USB drive were physically > destroyed and discreetly dumped. Thanks a lot, this sounds very good! > > I am not at liberty to say who Alice was, where she was, or why her > needs were so extreme. But yes, we actually did this. > Sure, I fully understand! Regards Stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4500 bytes Desc: S/MIME Cryptographic Signature URL: From johanw at vulcan.xs4all.nl Mon May 3 20:10:44 2021 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon, 3 May 2021 20:10:44 +0200 Subject: How would you do that ... In-Reply-To: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> References: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> Message-ID: On 03-05-2021 15:39, Robert J. Hansen via Gnupg-users wrote: > and gave her drives a low-level format. I remember from the stone age (end 1980's begin 90's) that you could low-level format a disk with the DOS command debug by calling some BIOS routine by assembler routines. Modern harddisks don't allow that anymore. Should I assume that "low-level format" in this case means something like dd if=/dev/zero of=/dev/sdX -- ir. J.C.A. Wevers PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From sandyinchina at gmail.com Tue May 4 08:46:37 2021 From: sandyinchina at gmail.com (Sandy Harris) Date: Tue, 4 May 2021 14:46:37 +0800 Subject: How would you do that ... In-Reply-To: <8735v4dlfu.fsf@wedjat.horus-it.com> References: <8735v4dlfu.fsf@wedjat.horus-it.com> Message-ID: Ralph Seichter via Gnupg-users wrote: > > * Stefan Vasilev via Gnupg-users: > > > How would you solve this task? > > With Alice having to rely on cryptography she can do in her head? > Some shift cipher and carrier pigeons. :-) Neal Stephenson's novel Cryptonomicon is excellent. I strongly recommend it to anyone who enjoys reading & is interested in crypto. Part of the plot involves a cipher that operates a bit like RC-4, permuting an array, but the array is a deck of cards. https://www.schneier.com/academic/solitaire/ From bernhard at intevation.de Tue May 4 14:58:51 2021 From: bernhard at intevation.de (Bernhard Reiter) Date: Tue, 4 May 2021 14:58:51 +0200 Subject: Gpg4win/RunAsUser: (Is:After upgrading to gpg4win 3.3.15 Kleopatra fails to come up) In-Reply-To: References: Message-ID: <202105041458.59013.bernhard@intevation.de> Am Montag 19 April 2021 23:49:56 schrieb Shridhar Mysore via Gnupg-users: > <<<< > Kleopatra cannot be run as adminstrator without breaking file permissions > in the GnuPG data folder. (For completeness here in the ML) https://wiki.gnupg.org/Gpg4win/RunAsUser Best, Bernhard -- www.intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From stefan.vasilev at posteo.ru Tue May 4 17:24:10 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Tue, 4 May 2021 15:24:10 +0000 Subject: How would you do that ... In-Reply-To: References: <8735v4dlfu.fsf@wedjat.horus-it.com> Message-ID: <8851e30e-1dc4-d31c-7d03-324abb464460@posteo.ru> Sandy Harris wrote: > Ralph Seichter via Gnupg-users wrote: >> * Stefan Vasilev via Gnupg-users: >> >>> How would you solve this task? >> With Alice having to rely on cryptography she can do in her head? >> Some shift cipher and carrier pigeons. :-) > Neal Stephenson's novel Cryptonomicon is excellent. I strongly > recommend it to anyone who enjoys reading & is interested in crypto. > Part of the plot involves a cipher that operates a bit like RC-4, > permuting an array, but the array is a deck of cards. > https://www.schneier.com/academic/solitaire/ I remember Bruce Schneier's Solitaire. One can also use the Elsie Four (LC4) cipher for that. The task, however, is also communicating (daily) without logging into any services and if required to send larger documents, or even photos. Regards Stefan From rjh at sixdemonbag.org Tue May 4 17:57:22 2021 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 4 May 2021 11:57:22 -0400 Subject: How would you do that ... In-Reply-To: References: <8735v4dlfu.fsf@wedjat.horus-it.com> Message-ID: <921b4692-7b22-2f28-dbaa-d8c63f3c3eed@sixdemonbag.org> > Neal Stephenson's novel Cryptonomicon is excellent. I strongly > recommend it to anyone who enjoys reading & is interested in crypto. > Part of the plot involves a cipher that operates a bit like RC-4, > permuting an array, but the array is a deck of cards. > https://www.schneier.com/academic/solitaire/ Please don't. Solitaire is not a particularly well-designed cipher, in either the human factors sense or in the cryptographic strength sense. Even Schneier himself says it's mostly of interest only as a curiosity and not for serious purposes. From rjh at sixdemonbag.org Tue May 4 18:47:50 2021 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 4 May 2021 12:47:50 -0400 Subject: How would you do that ... In-Reply-To: References: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> Message-ID: <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> > Modern harddisks don't allow that anymore. Should I assume that > "low-level format" in this case means something like > > dd if=/dev/zero of=/dev/sdX [puts on forensics professional hat] Good question! The tl;dr of it is that the technique to wipe a hard drive will vary according to the kind of technology used in manufacturing the drive, and to a lesser extent the kind of forensics nerdery you're afraid of. This is the origin of the myth of the 30-odd-pass "Gutmann shred". It was always a complete myth that you needed 30-odd passes to wipe a hard drive. The 30+ passes were if you had no knowledge about the underlying technology of the drive and needed to account for antique FM-coded drives all the way up through modern SSDs. If you were thinking of doing a 30+-pass shred, the best thing to do was smack yourself in the face for being so foolish and then go off and read the label on your hard drive. :) For modern SSDs I generally recommend a single pass with random data: dd if=/dev/urandom of=/dev/foo bs=1M (Don't forget the blocksize [bs] parameter; it can improve speed significantly.) This is enough to foil the vast majority of forensic analysis. Yes, yes, SSDs have remapping capabilities which means certain memory cells won't get hit even if you do this, and it's theoretically possible for a good forensics nerd to do all kinds of wild magic to pull off data you didn't even know was there... but that kind of very high-level forensics nerdery costs a lot of money, and few people are worth that kind of investment. From kloecker at kde.org Tue May 4 19:15:17 2021 From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=) Date: Tue, 04 May 2021 19:15:17 +0200 Subject: How would you do that ... In-Reply-To: <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> References: <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> Message-ID: <1835266.xySDcBoo5v@breq> On Dienstag, 4. Mai 2021 18:47:50 CEST Robert J. Hansen via Gnupg-users wrote: > For modern SSDs I generally recommend a single pass with random data: > > dd if=/dev/urandom of=/dev/foo bs=1M > > (Don't forget the blocksize [bs] parameter; it can improve speed > significantly.) > > This is enough to foil the vast majority of forensic analysis. Yes, > yes, SSDs have remapping capabilities which means certain memory cells > won't get hit even if you do this, and it's theoretically possible for a > good forensics nerd to do all kinds of wild magic to pull off data you > didn't even know was there... but that kind of very high-level forensics > nerdery costs a lot of money, and few people are worth that kind of > investment. I'd always use full disk encryption ideally with the key stored on a USB token. Otherwise, with a very good passphrase. And, after use, wipe the disk and destroy the token. Modern enterprise-level SSDs also have secure erase, but, of course, you'd have to trust the hardware manufacturer to implement it properly without any backdoors which you probably don't want to do in the above scenario. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: This is a digitally signed message part. URL: From vedaal at nym.hush.com Tue May 4 23:46:31 2021 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 04 May 2021 17:46:31 -0400 Subject: How would you do that ... In-Reply-To: <1835266.xySDcBoo5v@breq> References: <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> <1835266.xySDcBoo5v@breq> Message-ID: <20210504214631.E8E1480E2C5@smtp.hushmail.com> Or, for the really paranoid ;-)you can have random data on a read-only mini cdrom,and use it as an OTP, and throw it into a garbage incinerator afterwards. If you are up against adversaries where this is necessary,this methods may ultimately not help ... ===== On 5/4/2021 at 1:19 PM, "Ingo Kl?cker" wrote:On Dienstag, 4. Mai 2021 18:47:50 CEST Robert J. Hansen via Gnupg-users wrote: > For modern SSDs I generally recommend a single pass with random data: > > dd if=/dev/urandom of=/dev/foo bs=1M > > (Don't forget the blocksize [bs] parameter; it can improve speed > significantly.) > > This is enough to foil the vast majority of forensic analysis. Yes, > yes, SSDs have remapping capabilities which means certain memory cells > won't get hit even if you do this, and it's theoretically possible for a > good forensics nerd to do all kinds of wild magic to pull off data you > didn't even know was there... but that kind of very high-level forensics > nerdery costs a lot of money, and few people are worth that kind of > investment. I'd always use full disk encryption ideally with the key stored on a USB token. Otherwise, with a very good passphrase. And, after use, wipe the disk and destroy the token. Modern enterprise-level SSDs also have secure erase, but, of course, you'd have to trust the hardware manufacturer to implement it properly without any backdoors which you probably don't want to do in the above scenario. Regards, Ingo -------------- next part -------------- An HTML attachment was scrubbed... URL: From vedaal at nym.hush.com Tue May 4 23:53:08 2021 From: vedaal at nym.hush.com (vedaal at nym.hush.com) Date: Tue, 04 May 2021 17:53:08 -0400 Subject: No subject Message-ID: <20210504215308.205E580E2C5@smtp.hushmail.com> On 5/4/2021 at 1:19 PM, "Ingo Kl?cker" wrote:I'd always use full disk encryption ideally with the key stored on a USB token. Otherwise, with a very good passphrase. And, after use, wipe the disk and destroy the token. Modern enterprise-level SSDs also have secure erase, but, of course, you'd have to trust the hardware manufacturer to implement it properly without any backdoors which you probably don't want to do in the above scenario. ===== Or, for the really paranoid ;-)you can have random data on a read-only mini cdrom,and use it as an OTP, and throw it into a garbage incinerator afterwards. But really, if anyone is up against adversaries where this is necessary,this methods may ultimately not help. These adversaries are not known for their honor and fair play ... vedaal -------------- next part -------------- An HTML attachment was scrubbed... URL: From rjh at sixdemonbag.org Wed May 5 00:18:55 2021 From: rjh at sixdemonbag.org (rjh at sixdemonbag.org) Date: Tue, 04 May 2021 17:18:55 -0500 Subject: How would you do that ... In-Reply-To: <20210504214631.E8E1480E2C5@smtp.hushmail.com> References: <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> <1835266.xySDcBoo5v@breq> <20210504214631.E8E1480E2C5@smtp.hushmail.com> Message-ID: I have literally never in my life seen any meaningful use case for the OTP after about 1974. It's not part of a sensible discussion. :) On May 4, 2021 4:46:31 PM CDT, vedaal via Gnupg-users wrote: >Or, for the really paranoid ;-)you can have random data on a read-only >mini cdrom,and use it as an OTP, and throw it into a garbage >incinerator afterwards. >If you are up against adversaries where this is necessary,this methods >may ultimately not help ... >===== > >On 5/4/2021 at 1:19 PM, "Ingo Kl?cker" wrote:On Dienstag, 4. Mai >2021 18:47:50 CEST Robert J. Hansen via Gnupg-users wrote: >> For modern SSDs I generally recommend a single pass with random >data: >> >> dd if=/dev/urandom of=/dev/foo bs=1M >> >> (Don't forget the blocksize [bs] parameter; it can improve speed >> significantly.) >> >> This is enough to foil the vast majority of forensic analysis. Yes, >> yes, SSDs have remapping capabilities which means certain memory >cells >> won't get hit even if you do this, and it's theoretically possible >for a >> good forensics nerd to do all kinds of wild magic to pull off data >you >> didn't even know was there... but that kind of very high-level >forensics >> nerdery costs a lot of money, and few people are worth that kind of >> investment. > >I'd always use full disk encryption ideally with the key stored on a >USB >token. Otherwise, with a very good passphrase. > >And, after use, wipe the disk and destroy the token. > >Modern enterprise-level SSDs also have secure erase, but, of course, >you'd >have to trust the hardware manufacturer to implement it properly >without any >backdoors which you probably don't want to do in the above scenario. > >Regards, >Ingo -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ryan at digicana.com Fri May 7 16:43:06 2021 From: ryan at digicana.com (Ryan McGinnis) Date: Fri, 07 May 2021 14:43:06 +0000 Subject: How would you do that ... In-Reply-To: References: Message-ID: Sounds like you're having to trust some kind of tech from the country you're going to, so with that in mind: Buy burner phone and SIM with cash from some place where normal people buy phones and SIMs with cash. Install Signal. Done For identification, have some code word that will be the first thing you send. Maybe even have a duress code word, too. Now there are some places this won't work. Some places only sell phones that are pre-compromised. If you know what you're doing you can probably flash it with GrapheneOS, though that would require buying a computer, in that country, too. At some point you're probably in the "gonna be taking some serious risks no matter what" territory, unless you're working for MI6 or something. -Ryan McGinnis ryan at digicana.com http://bigstormpicture.com 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD ??????? Original Message ??????? On Monday, May 3rd, 2021 at 4:24 AM, Stefan Vasilev via Gnupg-users wrote: > Hi all, > > here is a little scenario. Alice and Bob needs to find a way to do > > encrypted communications globally. > > The task is the following: Alice needs to travel to a foreign country > > without any devices (laptop, smartphone etc.). > > At arrival she needs to communicate daily (no real time communications) > > with Bob to exchange encrypted documents. > > Alice is not allowed to login in any services, like her Gmail account, > > social media etc. to not reveal her login credentials. > > She can't use Tor, because at her destination Tor is blocked. The only > > option she has is to use Internet Caf?s or public libraries etc. > > She is aware that at an Internet Caf? keyloggers may be installed. Last > > but not least she does not carry any notices on paper with her. > > How would you solve this task? > > Regards > > Stefan > > Gnupg-users mailing list > > Gnupg-users at gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - ryan at digicana.com - 0x5C738727.asc Type: application/pgp-keys Size: 3217 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 855 bytes Desc: OpenPGP digital signature URL: From stefan.vasilev at posteo.ru Sat May 8 00:36:05 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Fri, 7 May 2021 22:36:05 +0000 Subject: How would you do that ... In-Reply-To: References: Message-ID: Ryan McGinnis wrote: > Sounds like you're having to trust some kind of tech from the country you're going to, so with that in mind: > > Buy burner phone and SIM with cash from some place where normal people buy phones and SIMs with cash. Install Signal. Done > > For identification, have some code word that will be the first thing you send. Maybe even have a duress code word, too. > > Now there are some places this won't work. Some places only sell phones that are pre-compromised. If you know what you're doing you can probably flash it with GrapheneOS, though that would require buying a computer, in that country, too. At some point you're probably in the "gonna be taking some serious risks no matter what" territory, unless you're working for MI6 or something. > > Alice likes to keep the costs low and would only purchase a laptop there, to prepare data, prior taking it to the Internet Caf?'s (compromised) computer. Phones, whether dumb or smart, she likes to avoid. But thanks for the proposal, much appreciated. Regards Stefan From ryan at digicana.com Sat May 8 00:45:38 2021 From: ryan at digicana.com (Ryan McGinnis) Date: Fri, 07 May 2021 22:45:38 +0000 Subject: How would you do that ... In-Reply-To: References: Message-ID: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> Alice is an idiot if she?s trying to defeat nation-state adversaries and be a thrifty shopper at the same time, but even so, in most places a laptop isn?t going to be cheaper than a cheap mobile phone. You really want Alice to use some public library computer for some reason, but I am going to assume Alice isn?t a complete moron and would avoid this, given there are a hundred better options that won?t result in her genitals being shocked in some dingy government interrogation room. If you have to use a laptop then, cool, grab an ISO of Debian, install it, find the nearest WiFi hotspot, make a free protonmail account, send an email. Done. -Ryan McGinnis ryan at digicana.com http://bigstormpicture.com 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD > On May 7, 2021, at 5:36 PM, Stefan Vasilev wrote: > > > Ryan McGinnis wrote: > >> Sounds like you're having to trust some kind of tech from the country you're going to, so with that in mind: >> >> Buy burner phone and SIM with cash from some place where normal people buy phones and SIMs with cash. Install Signal. Done >> >> For identification, have some code word that will be the first thing you send. Maybe even have a duress code word, too. >> >> Now there are some places this won't work. Some places only sell phones that are pre-compromised. If you know what you're doing you can probably flash it with GrapheneOS, though that would require buying a computer, in that country, too. At some point you're probably in the "gonna be taking some serious risks no matter what" territory, unless you're working for MI6 or something. >> >> > > Alice likes to keep the costs low and would only purchase a laptop > there, to prepare > > data, prior taking it to the Internet Caf?'s (compromised) computer. > Phones, whether > > dumb or smart, she likes to avoid. But thanks for the proposal, much > appreciated. > > > Regards > > Stefan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - ryan at digicana.com - 5c738727.asc Type: application/pgp-keys Size: 3127 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: From stefan.vasilev at posteo.ru Sat May 8 00:58:37 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Fri, 7 May 2021 22:58:37 +0000 Subject: How would you do that ... In-Reply-To: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> Message-ID: Ryan McGinnis wrote: > Alice is an idiot if she?s trying to defeat nation-state adversaries > and be a thrifty shopper at the same time, but even so, in most places > a laptop isn?t going to be cheaper than a cheap mobile phone. > > You really want Alice to use some public library computer for some > reason, but I am going to assume Alice isn?t a complete moron and > would avoid this, given there are a hundred better options that won?t > result in her genitals being shocked in some dingy government > interrogation room. > > If you have to use a laptop then, cool, grab an ISO of Debian, install > it, find the nearest WiFi hotspot, make a free protonmail account, > send an email. ?Done. Alice is no complete moron, because she can't register a free ProtonMail account without a phone. Or did she missed there an anonymous registration procedure which works? If yes, then she is of course a moron. :-D Regards Stefan From ryan at digicana.com Sat May 8 05:43:53 2021 From: ryan at digicana.com (Ryan McGinnis) Date: Sat, 08 May 2021 03:43:53 +0000 Subject: How would you do that ... In-Reply-To: References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> Message-ID: <7FD26709-9E1E-46DB-BA1E-ECA4EE65ACFC@digicana.com> Protonmail only requires a phone number to send a verification ?are you a real human? SMS if the IP you are registering from is a source of previous abuse. So, like, don?t use a VPN when you do it. Or if you?re worried about it, make the account back in your safe country before you travel to Deathistan by using a burner phone SIM or something. These are pretty easily solvable problems that don?t lead to getting your genitals shocked. -Ryan McGinnis ryan at digicana.com http://bigstormpicture.com 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD > On May 7, 2021, at 5:58 PM, Stefan Vasilev wrote: > > > Ryan McGinnis wrote: > >> Alice is an idiot if she?s trying to defeat nation-state adversaries >> and be a thrifty shopper at the same time, but even so, in most places >> a laptop isn?t going to be cheaper than a cheap mobile phone. >> >> You really want Alice to use some public library computer for some >> reason, but I am going to assume Alice isn?t a complete moron and >> would avoid this, given there are a hundred better options that won?t >> result in her genitals being shocked in some dingy government >> interrogation room. >> >> If you have to use a laptop then, cool, grab an ISO of Debian, install >> it, find the nearest WiFi hotspot, make a free protonmail account, >> send an email. Done. > > > Alice is no complete moron, because she can't register a free ProtonMail > account > > without a phone. Or did she missed there an anonymous registration procedure > > which works? If yes, then she is of course a moron. :-D > > > Regards > > Stefan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - ryan at digicana.com - 5c738727.asc Type: application/pgp-keys Size: 3127 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: From l0f4r0 at tuta.io Sat May 8 09:59:45 2021 From: l0f4r0 at tuta.io (l0f4r0 at tuta.io) Date: Sat, 8 May 2021 09:59:45 +0200 (CEST) Subject: How would you do that ... In-Reply-To: References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> Message-ID: Hi, 8 mai 2021, 00:58 de gnupg-users at gnupg.org: > Alice is no complete moron, because she can't register a free ProtonMail account > > without a phone. Or did she missed there an anonymous registration procedure > > which works? > I don't use ProtonMail so I can't say. But otherwise you have Tutanota (no phone number required):? https://tutanota.com/blog/posts/anonymous-email/ Best regards, l0f4r0 From stefan.vasilev at posteo.ru Sat May 8 15:04:37 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Sat, 8 May 2021 13:04:37 +0000 Subject: How would you do that ... In-Reply-To: References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> Message-ID: <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> l0f4r0 wrote: > Hi, > > 8 mai 2021, 00:58 de gnupg-users at gnupg.org: > >> Alice is no complete moron, because she can't register a free ProtonMail account >> >> without a phone. Or did she missed there an anonymous registration procedure >> >> which works? >> > I don't use ProtonMail so I can't say. > > But otherwise you have Tutanota (no phone number required): > https://tutanota.com/blog/posts/anonymous-email/ Hi, thanks! I already found a solution by using an .onion based email provider, with clearnet usage support. Super simple registration, where the user only supplies a username and a password. Nothing more. :-) Regards Stefan From stefan.vasilev at posteo.ru Sat May 8 15:12:05 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Sat, 8 May 2021 13:12:05 +0000 Subject: How would you do that ... In-Reply-To: <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> Message-ID: Am 08.05.2021 um 15:04 schrieb Stefan Vasilev via Gnupg-users: > l0f4r0 wrote: > >> Hi, >> >> 8 mai 2021, 00:58 de gnupg-users at gnupg.org: >> >>> Alice is no complete moron, because she can't register a free >>> ProtonMail account >>> >>> without a phone. Or did she missed there an anonymous registration >>> procedure >>> >>> which works? >>> >> I don't use ProtonMail so I can't say. >> >> But otherwise you have Tutanota (no phone number required): >> https://tutanota.com/blog/posts/anonymous-email/ > > Hi, > > thanks! I already found a solution by using an .onion based email > provider, > > with clearnet usage support. Super simple registration, where the user > only > > supplies a username and a password. Nothing more. :-) > BTW. Tutanota does (full???) Browser fingerprinting and they where required to 'upgrade' their email service. Regards Stefan From mailinglisten at posteo.de Sun May 9 12:00:25 2021 From: mailinglisten at posteo.de (mailinglisten at posteo.de) Date: Sun, 9 May 2021 10:00:25 +0000 Subject: gpg and TPM Message-ID: Hi there, the blog article about using GPG with a TPM just caught my eyes, this really sounds damn interesting. I think this has so much potential. Some questions about this. I wasn?t aware the TPM has that much space, does the TPM hold really a complete key? Does it make sense to use ECC keys to save space on the TPM? Does this come with a brute force protection regarding the passphrase, could a much shorter PIN be used instead, like you do with the openPGP smartcard? This really is hot stuff. Though I think, an external smart card reader with dedicated pinpad still is boss. But this really is amazing! regards From dgouttegattat at incenp.org Sun May 9 15:22:39 2021 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Sun, 9 May 2021 14:22:39 +0100 Subject: gpg and TPM In-Reply-To: References: Message-ID: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> Hi, On Sun, May 09, 2021 at 10:00:25AM +0000, mailinglisten--- via Gnupg-users wrote: >I wasn?t aware the TPM has that much space, does the TPM hold really a >complete key? Does it make sense to use ECC keys to save space on the TPM? Keys are actually not stored *in* the TPM. When you use the `keytotpm` command, the key is encrypted in such a way that it can only be decrypted and used by the TPM, but the key is still stored, in this encrypted form, as a file under the $GNUPGHOME/private-keys-v1.d directory. So there's no need to switch to ECC keys just to ?save space on the TPM?. You can protect as many RSA keys as you want with the TPM without being constrained by space. - Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: From mailinglisten at posteo.de Tue May 11 16:03:21 2021 From: mailinglisten at posteo.de (mailinglisten at posteo.de) Date: Tue, 11 May 2021 14:03:21 +0000 Subject: gpg and TPM In-Reply-To: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> References: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> Message-ID: Am 09.05.21 um 15:22 schrieb Damien Goutte-Gattat: > Hi, > > On Sun, May 09, 2021 at 10:00:25AM +0000, mailinglisten--- via > Gnupg-users wrote: >> I wasn?t aware the TPM has that much space, does the TPM hold really a >> complete key? Does it make sense to use ECC keys to save space on the >> TPM? > > Keys are actually not stored *in* the TPM. When you use the `keytotpm` > command, the key is encrypted in such a way that it can only be > decrypted and used by the TPM, but the key is still stored, in this > encrypted form (....) Thanks for explaining. This is really interesting. I?m not that familiar with the TPM in general, is the TPM owner (and SRK) password safe against brute force attacks? Or do you need a complex password for the TPM? Thanks From stefan.claas at posteo.de Tue May 11 16:48:02 2021 From: stefan.claas at posteo.de (Stefan Claas) Date: Tue, 11 May 2021 14:48:02 +0000 Subject: How would you do that ... In-Reply-To: <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> Message-ID: <9ce0d42b-276e-bc27-dea1-ca1069601770@posteo.de> On 08.05.2021 15:04, Stefan Vasilev via Gnupg-users wrote: > Hi, > > thanks! I already found a solution by using an .onion based email > provider, > > with clearnet usage support. Super simple registration, where the user > only > > supplies a username and a password. Nothing more. :-) > > Regards > > Stefan > Those already familar with IPFS can also create an encrypted 'diary', where the search term for the 'diary' is a memorizeable 256bit hex key, thus making it not possible to guess the diary name. Thus avoiding any log-in procedures at services and IPFS is used around the world and for example also popular in Russia and China. https://ipjot.herokuapp.com/ Regards Stefan From cjac at colliertech.org Wed May 12 03:30:17 2021 From: cjac at colliertech.org (C.J. Collier) Date: Tue, 11 May 2021 18:30:17 -0700 Subject: How would you do that ... In-Reply-To: References: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> Message-ID: Maybe for i in {1..9} ; do dd if=/dev/zero of=/dev/sdX ; done just to be careful Or /dev/urandom as if= value On Mon, May 3, 2021, 11:14 Johan Wevers wrote: > On 03-05-2021 15:39, Robert J. Hansen via Gnupg-users wrote: > > > and gave her drives a low-level format. > > I remember from the stone age (end 1980's begin 90's) that you could > low-level format a disk with the DOS command debug by calling some BIOS > routine by assembler routines. > > Modern harddisks don't allow that anymore. Should I assume that > "low-level format" in this case means something like > > dd if=/dev/zero of=/dev/sdX > > -- > ir. J.C.A. Wevers > PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From azbigdogs at gmx.com Thu May 13 01:46:52 2021 From: azbigdogs at gmx.com (Mark) Date: Wed, 12 May 2021 16:46:52 -0700 Subject: How would you do that ... In-Reply-To: <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> References: <6F3316F4-E0B5-4128-B9B5-693D990B4D3D@sixdemonbag.org> <0178b1e7-dcdf-fb6e-ef44-b823ac82572f@sixdemonbag.org> Message-ID: <0f7a52eb-ff5b-5fa9-1ee1-58918fecc943@gmx.com> This will work too and doesn't care about the type ? https://youtu.be/wb3Xa1h_RqM On 5/4/2021 9:47 AM, Robert J. Hansen via Gnupg-users wrote: >> Modern harddisks don't allow that anymore. Should I assume that >> "low-level format" in this case means something like >> >> dd if=/dev/zero of=/dev/sdX > > [puts on forensics professional hat] > > Good question!? The tl;dr of it is that the technique to wipe a hard > drive will vary according to the kind of technology used in > manufacturing the drive, and to a lesser extent the kind of forensics > nerdery you're afraid of. > > This is the origin of the myth of the 30-odd-pass "Gutmann shred".? It > was always a complete myth that you needed 30-odd passes to wipe a > hard drive.? The 30+ passes were if you had no knowledge about the > underlying technology of the drive and needed to account for antique > FM-coded drives all the way up through modern SSDs.? If you were > thinking of doing a 30+-pass shred, the best thing to do was smack > yourself in the face for being so foolish and then go off and read the > label on your hard drive.? :) > > For modern SSDs I generally recommend a single pass with random data: > > dd if=/dev/urandom of=/dev/foo bs=1M > > (Don't forget the blocksize [bs] parameter; it can improve speed > significantly.) > > This is enough to foil the vast majority of forensic analysis. Yes, > yes, SSDs have remapping capabilities which means certain memory cells > won't get hit even if you do this, and it's theoretically possible for > a good forensics nerd to do all kinds of wild magic to pull off data > you didn't even know was there... but that kind of very high-level > forensics nerdery costs a lot of money, and few people are worth that > kind of investment. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- PGP Key Upon Request From ryan at digicana.com Thu May 13 17:06:58 2021 From: ryan at digicana.com (Ryan McGinnis) Date: Thu, 13 May 2021 15:06:58 +0000 Subject: How would you do that ... In-Reply-To: <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> Message-ID: For what it's worth if you're gung-ho about our heroine using a public library computer or something and you can't stego some info into an image for one of the image boards because you don't have any tech of your own in that country, then using a OTP to publicly post something to a pastebin that Bob is actively monitoring is probably the way to go. A OTP doesn't require any kind of tech to pull off and it's about as secure as it can get. This could facilitate two way communications as well, so long as you both know where the messages will be dropped. It's not very subtle, but it'd work. -Ryan McGinnis ryan at digicana.com http://bigstormpicture.com 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD ??????? Original Message ??????? On Saturday, May 8th, 2021 at 8:04 AM, Stefan Vasilev via Gnupg-users wrote: > l0f4r0 wrote: > > > Hi, > > > > 8 mai 2021, 00:58 de gnupg-users at gnupg.org: > > > > > Alice is no complete moron, because she can't register a free ProtonMail account > > > > > > without a phone. Or did she missed there an anonymous registration procedure > > > > > > which works? > > > > I don't use ProtonMail so I can't say. > > > > But otherwise you have Tutanota (no phone number required): > > > > https://tutanota.com/blog/posts/anonymous-email/ > > Hi, > > thanks! I already found a solution by using an .onion based email provider, > > with clearnet usage support. Super simple registration, where the user only > > supplies a username and a password. Nothing more. :-) > > Regards > > Stefan > > Gnupg-users mailing list > > Gnupg-users at gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - ryan at digicana.com - 0x5C738727.asc Type: application/pgp-keys Size: 3217 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 855 bytes Desc: OpenPGP digital signature URL: From dgouttegattat at incenp.org Thu May 13 23:03:51 2021 From: dgouttegattat at incenp.org (Damien Goutte-Gattat) Date: Thu, 13 May 2021 22:03:51 +0100 Subject: gpg and TPM In-Reply-To: References: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> Message-ID: <20210513210351.pv72fsikibapv4pu@dynein.local.incenp.org> On Tue, May 11, 2021 at 02:03:21PM +0000, mailinglisten at posteo.de wrote: >I?m not that familiar with the TPM in general Me neither. >is the TPM owner (and SRK) password safe against brute force attacks? >Or do you need a complex password for the TPM? My understanding is that the TPM offers the *possibility* to protect against brute force attacks (through the ?dictionary attack lockout reset? mechanism), but I am not sure whether that protection is enabled by default or if the tpm2daemon (the new component within GnuPG in charge of using the TPM) makes use of it. Until I know more, I use with my TPM stronger PINs than what I normally use with my OpenPGP tokens, just in case. :) - Damien -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 228 bytes Desc: not available URL: From raja at rsdisk.com Fri May 14 08:46:44 2021 From: raja at rsdisk.com (Raja Saha) Date: Fri, 14 May 2021 12:16:44 +0530 Subject: gpg and TPM In-Reply-To: <20210513210351.pv72fsikibapv4pu@dynein.local.incenp.org> References: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> <20210513210351.pv72fsikibapv4pu@dynein.local.incenp.org> Message-ID: <1c3c5a3f6553196d99fd71cbe1f4a379c8b52401.camel@rsdisk.com> Hi, I was reading about Debian UEFI and secure boot. If tpm isn't secured at boot, will that make tpm less secure than key pair where user puts a strong password? Thanks. On Thu, 2021-05-13 at 22:03 +0100, Damien Goutte-Gattat via Gnupg-users wrote: > On Tue, May 11, 2021 at 02:03:21PM +0000, mailinglisten at posteo.de > wrote: > > I?m not that familiar with the TPM in general > > Me neither. > > > > is the TPM owner (and SRK) password safe against brute force > > attacks? > > Or do you need a complex password for the TPM? > > My understanding is that the TPM offers the *possibility* to protect > against brute force attacks (through the ?dictionary attack lockout > reset? mechanism), but I am not sure whether that protection is > enabled > by default or if the tpm2daemon (the new component within GnuPG in > charge of using the TPM) makes use of it. > > Until I know more, I use with my TPM stronger PINs than what I > normally > use with my OpenPGP tokens, just in case. :) > > - Damien > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From stefan.vasilev at posteo.ru Fri May 14 18:03:16 2021 From: stefan.vasilev at posteo.ru (Stefan Vasilev) Date: Fri, 14 May 2021 16:03:16 +0000 Subject: How would you do that ... In-Reply-To: References: <0C3CE731-E12F-42BE-9D52-DBCBBA6DDD6A@digicana.com> <61c3f67a-6402-55fb-8366-a871ce729353@posteo.ru> Message-ID: Ryan McGinnis wrote: > For what it's worth if you're gung-ho about our heroine using a public library computer or something and you can't stego some info into an image for one of the image boards because you don't have any tech of your own in that country, then using a OTP to publicly post something to a pastebin that Bob is actively monitoring is probably the way to go. A OTP doesn't require any kind of tech to pull off and it's about as secure as it can get. This could facilitate two way communications as well, so long as you both know where the messages will be dropped. It's not very subtle, but it'd work. OTPs are superb, agreed! However, our heroine needs to be able to send larger documents, or maybe a photo, on a daily basis. Then there is the problem at airports, which is if properly controlled, that the little booklet can be discovered. This excercise in not meant for spies, but for ordinary citicens, which later must somehow 'survive' a 4th virtual Reich, so to speak. Regards Stefan From mailinglisten at posteo.de Fri May 14 18:40:27 2021 From: mailinglisten at posteo.de (mailinglisten at posteo.de) Date: Fri, 14 May 2021 16:40:27 +0000 Subject: gpg and TPM In-Reply-To: <20210513210351.pv72fsikibapv4pu@dynein.local.incenp.org> References: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> <20210513210351.pv72fsikibapv4pu@dynein.local.incenp.org> Message-ID: Am 13.05.21 um 23:03 schrieb Damien Goutte-Gattat: > On Tue, May 11, 2021 at 02:03:21PM +0000, mailinglisten at posteo.de wrote: >> I?m not that familiar with the TPM in general > > Me neither. > > >> is the TPM owner (and SRK) password safe against brute force attacks? >> Or do you need a complex password for the TPM? > > My understanding is that the TPM offers the *possibility* to protect > against brute force attacks (through the ?dictionary attack lockout > reset? mechanism), but I am not sure whether that protection is enabled > by default or if the tpm2daemon (the new component within GnuPG in > charge of using the TPM) makes use of it. > > Until I know more, I use with my TPM stronger PINs than what I normally > use with my OpenPGP tokens, just in case. :) Your concerns are true, TPM protected keys, created by GnuPG are not brute force protected, a quote from James Bottomley: "The TPM includes what?s called dictionary lockout protection, so if too many incorrect passwords are entered, it will enter a dictionary attack timeout phase before it lets you try a new one. The TPM owner can set the timeout parameters for this. Note that you can defeat this by specifying the NODA flag in a TPM key, which means ?don?t use dictionary attack protection for this key?. GnuPG keys are currently created with this flag set, so you need strong passwords for them" I wonder, if the dictionary protection can be enabled at a later point of time.... it would greatly ease the use of the key if you just need a short PIN. Another point is, you can?t set an owner password for the TPM, if you do so, GnuPG can?t access the TPM and you can?t use the keytotpm command. According to James, GnuPG currently has no mechanism to ask for a possibly set TPM owner password. After all, the whole things works, but still requires some fine tuning here and there, but TPM protected gpg keys really is a great thing and fun to play with. Finally the TPM is something good for in a Unix box ;-) (besides using the hardware RNG which I already did before) best regards From mailinglisten at posteo.de Fri May 14 18:47:48 2021 From: mailinglisten at posteo.de (mailinglisten at posteo.de) Date: Fri, 14 May 2021 16:47:48 +0000 Subject: gpg and TPM In-Reply-To: <1c3c5a3f6553196d99fd71cbe1f4a379c8b52401.camel@rsdisk.com> References: <20210509132239.xejuqtzkigqkklqr@dynein.local.incenp.org> <20210513210351.pv72fsikibapv4pu@dynein.local.incenp.org> <1c3c5a3f6553196d99fd71cbe1f4a379c8b52401.camel@rsdisk.com> Message-ID: Am 14.05.21 um 08:46 schrieb Raja Saha: > Hi, > > I was reading about Debian UEFI and secure boot. If tpm isn't secured > at boot, will that make tpm less secure than key pair where user puts a > strong password? Technically, secure boot and TPM are 2 different things. You can use secure boot without TPM. If you want to use a TPM protected gpg key, you must *not* set a TPM owner password! When you set a TPM owner password, the GnuPG command keytotpm will not work! I think this is not a big deal, because the TPM protected key has its own password when you create it. Maybe in the future we can set a TPM owner password and use GnuPG with TPM protected keys, but now you can?t set a TPM password and use GnuPG with it, unfortunately. But I think, this is not a real risk. First the gpg key has its own password and second, an attacker is never able to retrieve the they key from the TPM. regards From sergio at outerface.net Thu May 20 12:41:17 2021 From: sergio at outerface.net (sergio) Date: Thu, 20 May 2021 13:41:17 +0300 Subject: "gpg: decryption failed: No secret key" after export-import to another host Message-ID: I have generated a key on host A and it works fine: A $ echo test | gpg --encrypt --recipient | gpg --decrypt gpg: encrypted with 256-bit ECDH key, ID , created "Name (comment) " test I copied it to host B: A $ gpg --armor --export > private.key A $ scp private.key B: B $ gpg --import private.key But it doesn't work on B: B % echo test | gpg --encrypt --recipient | gpg --decrypt gpg: encrypted with 256-bit ECDH key, ID , created "name (comment) " gpg: decryption failed: No secret key gpg version is the same on both hosts: 2.2.27-2 from debian sid $ gpg --list-secret-keys --with-subkey-fingerprint show the same key on both hosts -- sergio. From gnupg at eckner.net Thu May 20 14:11:37 2021 From: gnupg at eckner.net (Erich Eckner) Date: Thu, 20 May 2021 14:11:37 +0200 (CEST) Subject: "gpg: decryption failed: No secret key" after export-import to another host In-Reply-To: References: Message-ID: <3f2f9bfe-6b15-46eb-3242-62717e70d4e7@eckner.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, have a look at the manpage at --export-secret-keys: "Same as --export, but exports the secret keys instead. ..." regards, Erich On Thu, 20 May 2021, sergio via Gnupg-users wrote: > I have generated a key on host A and it works fine: > > A $ echo test | gpg --encrypt --recipient | gpg --decrypt > gpg: encrypted with 256-bit ECDH key, ID , created > "Name (comment) " > test > > I copied it to host B: > > A $ gpg --armor --export > private.key > A $ scp private.key B: > B $ gpg --import private.key > > But it doesn't work on B: > B % echo test | gpg --encrypt --recipient | gpg --decrypt > gpg: encrypted with 256-bit ECDH key, ID , created > "name (comment) " > gpg: decryption failed: No secret key > > > gpg version is the same on both hosts: 2.2.27-2 from debian sid > > > $ gpg --list-secret-keys --with-subkey-fingerprint > show the same key on both hosts > > > -- > sergio. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmCmUfwACgkQCu7JB1Xa e1oSqg/9EepKvPziEfCmyDFe/4DIfkilsYWGqIOmXuKZyyykxXqBegyxAgZ8p3BK aqkzq/lS9IgB0AiyZ9whFRH1q9rVXfZwmfxjN4eEkz4dkrNaPSGk9OlWC2l4ZM1n Nxld2teVd6zbXFZiOCWXqpgLTj9tzY1Jv3bKyYa03NmIzTS3aI5nd9ES9je/veiO +t9Ytii18nsNApj8VgFqT4Q/5Ie3hu2VYHcCx/tdjNe+biZsEUAmPl1hY4Z/Rhko e5q8WRJzybnaPBX0llWkZ6G6cYHxAlIytmLjlSWAsLbCbd0/WwOQcdwqlBLM9sUg dq1EE5FXJNlqwhZ+xzYqSvmYfrS0Hzp+j4FCBiM8I1g0aWQzfGD5RDD2SLm1JD8z 5pjs9dfAv0IwlXjoZ5t3cflqHp0Q+BUXgJigGIwNs9LYwsdreNEv2FqA0Rc0gW3j F6MsfI4hfeLAY/cwr5LyDB/UOjl5p4i83Z8DmVbQYZfhnuhAwq07yHcXIae9iy3s taNpurM+4QJchtq7Xs+MgyvZtATb9Kc1XduAgQ1U50Lepm5ppS4orh13d8qyk8P0 um2J+MpvxJILIlHxBPwF7cLYA/N++4+9FlOlHNH/S9SPyYBFaa4OviKCPoWrNr7L 3r9dMdiF89CCYF8frRF/qW0+weBPR+ePTwa9cRXm81innUQHeZM= =uft7 -----END PGP SIGNATURE----- From sergio at outerface.net Thu May 20 15:06:03 2021 From: sergio at outerface.net (sergio) Date: Thu, 20 May 2021 16:06:03 +0300 Subject: "gpg: decryption failed: No secret key" after export-import to another host In-Reply-To: <3f2f9bfe-6b15-46eb-3242-62717e70d4e7@eckner.net> References: <3f2f9bfe-6b15-46eb-3242-62717e70d4e7@eckner.net> Message-ID: <20152c39-43e1-aef2-dcaf-aaf4923d1fc1@outerface.net> > --export-secret-keys Sorry, this is a typo, or course. And to be absolutely sure, I re-checked: B $ gpg --import secret.key gpg: key : public key "name (comment) " imported gpg: key : secret key imported gpg: Total number processed: 1 gpg: imported: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1 gpg: secret keys unchanged: 1 -- sergio. From wonsuchai at gmail.com Mon May 24 17:51:19 2021 From: wonsuchai at gmail.com (=?UTF-8?B?4LiZ4Liy4Lii4Liq4Li44LiK4Lix4LiiIOC4p+C4o+C4o+C4k+C4geC4tOC4iOC4p+C4o+C4gQ==?= =?UTF-8?B?4Li44Lil?=) Date: Mon, 24 May 2021 22:51:19 +0700 Subject: =?UTF-8?B?4LiC4Lit4Lia4LiE4Li44LiT4LiE4Lij4Lix4LiaLg==?= Message-ID: -- ?????????????????? ???????????????? ???????? ???????????? ????????????????????. wonsuchai at gmail.com 086-4227317 -------------- next part -------------- An HTML attachment was scrubbed... URL: From michaelof at rocketmail.com Mon May 24 19:06:37 2021 From: michaelof at rocketmail.com (Michael) Date: Mon, 24 May 2021 19:06:37 +0200 Subject: =?UTF-8?B?UmU6IOC4guC4reC4muC4hOC4uOC4k+C4hOC4o+C4seC4mi4=?= In-Reply-To: References: Message-ID: <08919D03-CDEF-4914-8CC0-B1627BFFDEC0@rocketmail.com> 42 :) Am 24. Mai 2021 17:51:19 MESZ schrieb "???????? ???????????? via Gnupg-users" : >-- >?????????????????? > >???????????????? > > >???????? ???????????? >????????????????????. >wonsuchai at gmail.com >086-4227317 -- Diese Nachricht wurde von meinem Android-Ger?t mit K-9 Mail gesendet. From andreas.mattheiss at gmx.de Tue May 25 21:51:49 2021 From: andreas.mattheiss at gmx.de (Andreas Mattheiss) Date: Tue, 25 May 2021 21:51:49 +0200 Subject: CCID no longer working Message-ID: <20210525195148.GA17688@highscreen> Hello, for a few weeks now gpg has been unable to contact my smartcard. I have recently updated to gpg 2.3.1, so it *might* have to do with that, but I can't positively confirm. Things had been working flawlessly until then. Running scdaemon with debug gave a telltale hint: 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> D /home/andreas/.gnupg/S.scdaemon 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> OK 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 <- OPTION event-signal=12 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> OK 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 <- GETINFO version 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> D 2.3.1 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> OK 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 <- SERIALNO 2021-05-25 21:33:11 scdaemon[13946] ccid open error: skip 2021-05-25 21:33:11 scdaemon[13946] check permission of USB device at Bus 005 Device 004 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> ERR 100696144 Kein passendes Ger?t gefunden 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 <- RESTART 2021-05-25 21:33:11 scdaemon[13946] DBG: chan_7 -> OK I then put "disable-ccid" into scmdaemon.conf, and things started working again - I have pcscd running anyway. The system is not running udev, the device nodes are static. I had no trouble earlier, so I would assume permissions are not an issue - one would think 666 to be sufficient: crw-rw-rw- 1 root root 189, 515 25. Mai 21:34 /dev/bus/usb/005/004 gpg 2.3.1 has been out for a month now, and I assume that if there were an issue with CCID there would be some related noise on the mailing list, but there isn't. Maybe it's worth a casual look from our esteemed developers. Regards Andreas Mattheiss From wk at gnupg.org Wed May 26 16:49:07 2021 From: wk at gnupg.org (Werner Koch) Date: Wed, 26 May 2021 16:49:07 +0200 Subject: CCID no longer working In-Reply-To: <20210525195148.GA17688@highscreen> (Andreas Mattheiss via Gnupg-users's message of "Tue, 25 May 2021 21:51:49 +0200") References: <20210525195148.GA17688@highscreen> Message-ID: <87v975czz0.fsf@wheatstone.g10code.de> On Tue, 25 May 2021 21:51, Andreas Mattheiss said: > I then put "disable-ccid" into scmdaemon.conf, and things started > working again - I have pcscd running anyway. The system is not running pcscd grabbed the device and thus scdameon can't open it. We don't have a fallback to PC/SC anymore thus you see this error instead of scdaemon silently switching from internal CCID to PC/SC. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From wonsuchai at gmail.com Thu May 27 03:40:47 2021 From: wonsuchai at gmail.com (=?UTF-8?B?4LiZ4Liy4Lii4Liq4Li44LiK4Lix4LiiIOC4p+C4o+C4o+C4k+C4geC4tOC4iOC4p+C4o+C4gQ==?= =?UTF-8?B?4Li44Lil?=) Date: Thu, 27 May 2021 08:40:47 +0700 Subject: Translate Thai Language Message-ID: https://www.google.com/collections/s/list/GonnECDElSgvvZAspdWokUS97euzFg/-nn6B0iFiAA -------------- next part -------------- An HTML attachment was scrubbed... URL: From dudleystevenr at gmail.com Thu May 27 17:44:23 2021 From: dudleystevenr at gmail.com (dudleystevenr at gmail.com) Date: Thu, 27 May 2021 10:44:23 -0500 Subject: GPG NEVER asks for a passphrase Message-ID: <60AFBE57.29174.BB031F@dudleystevenr.gmail.com> Windows 7 home premium service pack 1 8 gb of ram 64-bit GnuPG 1.4.23 GPG Config 1.33 GPG Shell 3.78 I started using PGP about 30 years go, mostly out of an academic interest. I had (and still have) no real need to ecrypt my email. But, I found very quickly that I liked using it to encrypt individual files on my computer. So, long time user, but rather casual user. I have have the same email address for many years and the my ISP tells me they no longer provide email servies. I go to an email prvider, make a new address, make sure it is working, and then make a new key pair for it. When I right click on a file and send to GPG Tools, pick my OLD DEFAULT (being phased out) email, GPG runs and a *.gpg file is created. I double click on it, I'm asked for a passphrase, I enter it, and my file is decrypted. When I encrypt to my NEW key, my *.gpg file is created, I double click on it, GPG NEVER asks for a passphrase, it just decrypts the file. What is wrong? Thank you. Steve Dudley http://odessachess.byethost31.com/ Steve Dudley (0x69F16D99) pub.asc From bernhard at intevation.de Fri May 28 17:09:05 2021 From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 28 May 2021 17:09:05 +0200 Subject: GPG NEVER asks for a passphrase In-Reply-To: <60AFBE57.29174.BB031F@dudleystevenr.gmail.com> References: <60AFBE57.29174.BB031F@dudleystevenr.gmail.com> Message-ID: <202105281709.12717.bernhard@intevation.de> Hi Steven, Am Donnerstag 27 Mai 2021 17:44:23 schrieb Steven Dudley via Gnupg-users: > Windows 7 home premium > service pack 1 > 8 gb of ram > 64-bit > > GnuPG 1.4.23 > GPG Config 1.33 > GPG Shell 3.78 (Note that I cannot find a current info on GPG Shell are you shure this is still security supported?) > When I right click on a file and send to GPG Tools, pick my OLD DEFAULT > (being phased out) email, GPG runs and a *.gpg file is created. I double > click on it, I'm asked for a passphrase, I enter it, and my file is > decrypted. > > When I encrypt to my NEW key, my *.gpg file is created, I double click on > it, GPG NEVER asks for a passphrase, it just decrypts the file. Try to operate "gpg" on the command line to see more messages which may help you to find out if this is a frontend issue or something else. example gpg -vv --decrypt x.gpg Newer GnuPG version on windows would cache a passphrase for a while, I cannot say what GPG Shell does (as far as I remember it isn't Free Software). Best Regards, Bernhard -- www.intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From bernhard at intevation.de Fri May 28 17:11:24 2021 From: bernhard at intevation.de (Bernhard Reiter) Date: Fri, 28 May 2021 17:11:24 +0200 Subject: Translate Thai Language In-Reply-To: References: Message-ID: <202105281711.24569.bernhard@intevation.de> Am Donnerstag 27 Mai 2021 03:40:47 schrieb ???????? ???????????? via Gnupg-users: > https://www.google.com/collections/s/list/GonnECDElSgvvZAspdWokUS97euzFg/-nn6B0iFiAA If this is a serious mail, please note that many of us cannot see the contents of the above link, because it seems to need a google account to allow access. Best, Bernhard -- www.intevation.de/~bernhard ? +49 541 33 508 3-3 Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998 Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 659 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Fri May 28 18:00:23 2021 From: wk at gnupg.org (Werner Koch) Date: Fri, 28 May 2021 18:00:23 +0200 Subject: Translate Thai Language In-Reply-To: <202105281711.24569.bernhard@intevation.de> (Bernhard Reiter's message of "Fri, 28 May 2021 17:11:24 +0200") References: <202105281711.24569.bernhard@intevation.de> Message-ID: <87lf7yc0h4.fsf@wheatstone.g10code.de> On Fri, 28 May 2021 17:11, Bernhard Reiter said: > If this is a serious mail, please note that many of us cannot see the contents This was obviously spam which slipped through. Check out the the address list which included "noreply" addresses. I already set the moderation flag on this account. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From andreas.mattheiss at gmx.de Fri May 28 19:16:23 2021 From: andreas.mattheiss at gmx.de (Andreas Mattheiss) Date: Fri, 28 May 2021 19:16:23 +0200 Subject: CCID no longer working In-Reply-To: <87v975czz0.fsf@wheatstone.g10code.de> References: <20210525195148.GA17688@highscreen> <87v975czz0.fsf@wheatstone.g10code.de> Message-ID: <20210528171623.GB9243@highscreen> Hello Werner, thanks for the feedback. Am Wed, 26 May 2021 16:49:07 +0200 schrieb Werner Koch via Gnupg-users: > pcscd grabbed the device and thus scdameon can't open it. We don't have > a fallback to PC/SC anymore thus you see this error instead of scdaemon > silently switching from internal CCID to PC/SC. > > I can confirm this, heuristically: I reenabled ccid for scdaemon, terminated pcscd and scdaemon and tryed gpg --card-status again, which duly prompted the expected information. Regards Andreas From angel at pgp.16bits.net Sat May 29 18:03:42 2021 From: angel at pgp.16bits.net (=?ISO-8859-1?Q?=C1ngel?=) Date: Sat, 29 May 2021 18:03:42 +0200 Subject: GPG NEVER asks for a passphrase In-Reply-To: <60AFBE57.29174.BB031F@dudleystevenr.gmail.com> References: <60AFBE57.29174.BB031F@dudleystevenr.gmail.com> Message-ID: <85dd9341be5e6b9e9fe1245ce67f7e52d50460a8.camel@16bits.net> On 2021-05-27 at 10:44 -0500, Steven Dudley via Gnupg-users wrote: > When I encrypt to my NEW key, my *.gpg file is created, I double > click on it, GPG NEVER asks for a passphrase, it just decrypts the > file. > > What is wrong? Starting with the basics: Does your new key have a password set? From cwr at cwrichardson.com Mon May 31 07:59:35 2021 From: cwr at cwrichardson.com (Christopher Richardson) Date: Mon, 31 May 2021 07:59:35 +0200 Subject: decryption failed: No pinentry Message-ID: <88DFB69B-A400-4E15-973C-76D20E32C14C@cwrichardson.com> This is probably something very trivial, but I?m building gpg for the first time since, apparently, 2013, according to my old binary. The build seems fine, but ... cwr at cwr2019mbp passwds % gpg --decrypt personal.gpg gpg: encrypted with elg2048 key, ID 4CDB599A36DD7843, created 2000-07-26 "Christopher W. Richardson " gpg: using "04B90F4FA999D22FBFB769773FAE5104E3874F31" as default secret key for signing gpg: public key decryption failed: No pinentry gpg: decryption failed: No pinentry cwr at cwr2019mbp passwds % which pinentry /usr/local/bin/pinentry cwr at cwr2019mbp passwds % pinentry OK Pleased to meet you cwr at cwr2019mbp passwds % uname -a Darwin cwr2019mbp.local 20.5.0 Darwin Kernel Version 20.5.0: Sat May 8 05:10:33 PDT 2021; root:xnu-7195.121.3~9/RELEASE_X86_64 x86_64 No homebrew or other package manager installed, just native XTools and the command line tools. Suggestions? From please.post at publicly.invalid Mon May 31 12:30:27 2021 From: please.post at publicly.invalid (Andreas Mattheiss) Date: Mon, 31 May 2021 12:30:27 +0200 Subject: decryption failed: No pinentry References: <88DFB69B-A400-4E15-973C-76D20E32C14C@cwrichardson.com> Message-ID: Hello, Am Mon, 31 May 2021 07:59:35 +0200 schrieb Christopher Richardson via Gnupg-users: > This is probably something very trivial, but Im building gpg for the > first time since, apparently, 2013, according to my old binary. The build > seems fine, but ... > a bit of a longshot, but if your pinintry is also as of 2013 there might (might!) be incompatabilities with a modern gpg? The obvious thing would be to also update pinentry, which is painless. You can specify a pinentry program during the configure step when building gpg. I haven't done this, and it still finds pinentry and works fine. I could not spot that configure would do any other checks on pinentry on the system (checking usability etc.). I don't have any pinentry defined in any of my settings in .gnupg/ neither. Regards Andreas From sergio at outerface.net Mon May 31 12:49:07 2021 From: sergio at outerface.net (sergio) Date: Mon, 31 May 2021 13:49:07 +0300 Subject: "gpg: decryption failed: No secret key" after export-import to another host In-Reply-To: References: Message-ID: <0e7654e3-bf90-3b6a-4d82-a4fc1323bc81@outerface.net> I tried the same sequence on the same host A but for new test user with clean ~/.gnupg without success. Could you help me to debug this, please. -- sergio. From cwr at cwrichardson.com Mon May 31 15:28:33 2021 From: cwr at cwrichardson.com (Christopher Richardson) Date: Mon, 31 May 2021 15:28:33 +0200 Subject: decryption failed: No pinentry In-Reply-To: References: <88DFB69B-A400-4E15-973C-76D20E32C14C@cwrichardson.com> Message-ID: > On 31. 5. 2021, at 12:30, Andreas Mattheiss wrote: > > Am Mon, 31 May 2021 07:59:35 +0200 schrieb Christopher Richardson via > Gnupg-users: > >> This is probably something very trivial, but Im building gpg for the >> first time since, apparently, 2013, according to my old binary. The build >> seems fine, but ... >> > The obvious thing would be to also update pinentry, which is painless. I should have mentioned this, but it was a new build of pinentry, too. However, since the README said that pinentry wasn?t required for the build, I built it after I build gpg. Sadly ... > You can specify a pinentry program during the configure step when building > gpg. I tried both make distclean and rebuilding gpg, and the same thing with ./configure --with-pinentry-pgm=`which pinentry` But no love. Any other ideas? From mailinglist at chiraag.me Mon May 31 20:43:08 2021 From: mailinglist at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=) Date: Mon, 31 May 2021 18:43:08 +0000 Subject: keydb_search failed: Invalid argument Message-ID: Hello! I use Debian unstable+experimental. Debian unstable has gpg version 2.2.27, while Debian experimental has gpg version 2.3.1. I'm using gpg mainly in the context of pass (https://passwordstore.org), but also for encrypting files and such. Additionally, I use ProtonMail, and I have the bridge (https://protonmail.com/bridge) use pass to retrieve credentials. With gpg version 2.2.27, everything works just fine - there are no warnings or errors and pass and ProtonMail bridge both work well. With gpg version 2.3.1, however, I run into a warning of "gpg: keydb_search failed: Invalid argument" whenever I attempt to decrypt a password with pass. pass also returns an error code of 2, which seems to be propagated from the gpg return value. Because of this, the ProtonMail bridge program believes that it was not able to retrieve the credentials and fails to load properly. I saw another email on here with a "keydb_search: Broken pipe" message, but I wasn't sure if these are related or if there is something I have misconfigured. I don't really have control over how ProtonMail bridge calls pass, and I'm getting this error/warning even when I just decrypt an encrypted file using plain gpg. Any help would be deeply appreciated! Sincerely, Chiraag -- ?????? ?????? Pronouns: he/him/his -------------- next part -------------- A non-text attachment was scrubbed... Name: publickey - mailinglist at chiraag.me - b0c8d720.asc Type: application/pgp-keys Size: 713 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 294 bytes Desc: OpenPGP digital signature URL: From mailinglisten at posteo.de Mon May 31 23:08:39 2021 From: mailinglisten at posteo.de (mailinglisten at posteo.de) Date: Mon, 31 May 2021 21:08:39 +0000 Subject: GnuPG distribution key with no trust Message-ID: <411fe913-95ed-8ea4-ba81-36f79e29b4da@posteo.de> Hello, is there a reason why the new software distribution key for GnuPG ( 0x528897B826403ADA ) comes with no chain of trust at all? It does not have any signature from any preceding key. Past distribution keys like 0x53B620D01CE0C630 had signatures from other keys you might have trusted like e.g. 0x5DE249965B0358A2 This makes it virtually impossible to build any trust in this new distribution key. Not signing such an important key with its predecessor is a severe neglect of trust IMHO. Thanks