From ostroffjh at users.sourceforge.net  Sun Oct  3 01:12:45 2021
From: ostroffjh at users.sourceforge.net (Jack)
Date: Sat, 02 Oct 2021 19:12:45 -0400
Subject: how to add a passphrase to a keypair
Message-ID: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>

Is it possible to add a passphrase to a secret key originally created  
without one?  If so, please tell me how.  I'll be happy with either  
instructions or pointer to the fine manual I either missed or misread.

I have tried lots of variations.  Attempts using gpg-agent fail because  
pinentry (I've tried text and gui versions) refuses to accept a blank  
passphrase.  Variants using --passphrase or --passphrase-fd don't work  
because they only allow passing one passphrase, and I need to provide  
the old one and the new one.  I've also tried --export-secret-key,  
which also fails with "error receiving key from agent: No passphrase  
given - skipped" when using --passphrase-fd.

I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to  
a new user and using the old gpg doesn't help because gpg1 doesn't see  
the secret keys from gpg2, and I haven't been able to export them.

Is there a way to do this, or is revoking the old key and creating new  
keys from scratch the only solution?

Thanks for any information.

Jack


From gnupg at raf.org  Sun Oct  3 04:40:03 2021
From: gnupg at raf.org (raf)
Date: Sun, 3 Oct 2021 13:40:03 +1100
Subject: how to add a passphrase to a keypair
In-Reply-To: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
References: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
Message-ID: <YVkYA0U1Jur7IgKl@raf.org>

On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users at gnupg.org> wrote:

> Is it possible to add a passphrase to a secret key originally created
> without one?  If so, please tell me how.  I'll be happy with either
> instructions or pointer to the fine manual I either missed or misread.
> 
> I have tried lots of variations.  Attempts using gpg-agent fail because
> pinentry (I've tried text and gui versions) refuses to accept a blank
> passphrase.  Variants using --passphrase or --passphrase-fd don't work
> because they only allow passing one passphrase, and I need to provide the
> old one and the new one.  I've also tried --export-secret-key, which also
> fails with "error receiving key from agent: No passphrase given - skipped"
> when using --passphrase-fd.
> 
> I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
> user and using the old gpg doesn't help because gpg1 doesn't see the secret
> keys from gpg2, and I haven't been able to export them.
> 
> Is there a way to do this, or is revoking the old key and creating new keys
> from scratch the only solution?
> 
> Thanks for any information.
> 
> Jack

Try these instructions for changing the passphrase:

  https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
  https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase

  gpg --edit-key Your-Key-ID-Here
  gpg> passwd
  gpg> save

cheers,
raf



From gnupg at raf.org  Sun Oct  3 04:51:48 2021
From: gnupg at raf.org (raf)
Date: Sun, 3 Oct 2021 13:51:48 +1100
Subject: how to add a passphrase to a keypair
In-Reply-To: <YVkYA0U1Jur7IgKl@raf.org>
References: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
 <YVkYA0U1Jur7IgKl@raf.org>
Message-ID: <YVkaxM72RE6QNX52@raf.org>

On Sun, Oct 03, 2021 at 01:40:03PM +1100, raf <gnupg at raf.org> wrote:

> On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users at gnupg.org> wrote:
> 
> > Is it possible to add a passphrase to a secret key originally created
> > without one?  If so, please tell me how.  I'll be happy with either
> > instructions or pointer to the fine manual I either missed or misread.
> > 
> > I have tried lots of variations.  Attempts using gpg-agent fail because
> > pinentry (I've tried text and gui versions) refuses to accept a blank
> > passphrase.  Variants using --passphrase or --passphrase-fd don't work
> > because they only allow passing one passphrase, and I need to provide the
> > old one and the new one.  I've also tried --export-secret-key, which also
> > fails with "error receiving key from agent: No passphrase given - skipped"
> > when using --passphrase-fd.
> > 
> > I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
> > user and using the old gpg doesn't help because gpg1 doesn't see the secret
> > keys from gpg2, and I haven't been able to export them.
> > 
> > Is there a way to do this, or is revoking the old key and creating new keys
> > from scratch the only solution?
> > 
> > Thanks for any information.
> > 
> > Jack
> 
> Try these instructions for changing the passphrase:
> 
>   https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
>   https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase
> 
>   gpg --edit-key Your-Key-ID-Here
>   gpg> passwd
>   gpg> save

Also, don't use gpg1. I'm guessing that either the key
was created with gpg2, or was created with gpg1 but
then ~/.gnupg was subsequently converted for use with
gpg2 (since you say "gpg1 doesn't see the secret keys
from gpg2"). If either is the case, keep using gpg2.

Also, if you are getting the error "No passphrase
given", I could be wrong, but that might suggest that
the secret key is already encrypted. Are you sure that
there is no existing passphrase? If so, ignore this.

cheers,
raf



From ostroffjh at users.sourceforge.net  Sun Oct  3 16:54:29 2021
From: ostroffjh at users.sourceforge.net (Jack)
Date: Sun, 3 Oct 2021 10:54:29 -0400
Subject: how to add a passphrase to a keypair
In-Reply-To: <YVkaxM72RE6QNX52@raf.org>
References: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
 <YVkYA0U1Jur7IgKl@raf.org> <YVkaxM72RE6QNX52@raf.org>
Message-ID: <302bcdf4-33b9-7a42-e1a3-868c7132115a@users.sourceforge.net>

On 10/2/21 22:51, raf via Gnupg-users wrote:
> On Sun, Oct 03, 2021 at 01:40:03PM +1100, raf <gnupg at raf.org> wrote:
>
>> On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users at gnupg.org> wrote:
>>
>>> Is it possible to add a passphrase to a secret key originally created
>>> without one?  If so, please tell me how.  I'll be happy with either
>>> instructions or pointer to the fine manual I either missed or misread.
>>>
>>> I have tried lots of variations.  Attempts using gpg-agent fail because
>>> pinentry (I've tried text and gui versions) refuses to accept a blank
>>> passphrase.  Variants using --passphrase or --passphrase-fd don't work
>>> because they only allow passing one passphrase, and I need to provide the
>>> old one and the new one.  I've also tried --export-secret-key, which also
>>> fails with "error receiving key from agent: No passphrase given - skipped"
>>> when using --passphrase-fd.
>>>
>>> I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
>>> user and using the old gpg doesn't help because gpg1 doesn't see the secret
>>> keys from gpg2, and I haven't been able to export them.
>>>
>>> Is there a way to do this, or is revoking the old key and creating new keys
>>> from scratch the only solution?
>>>
>>> Thanks for any information.
>>>
>>> Jack
>> Try these instructions for changing the passphrase:
>>
>>    https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
>>    https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase
>>
>>    gpg --edit-key Your-Key-ID-Here
>>    gpg> passwd
>>    gpg> save
> Also, don't use gpg1. I'm guessing that either the key
> was created with gpg2, or was created with gpg1 but
> then ~/.gnupg was subsequently converted for use with
> gpg2 (since you say "gpg1 doesn't see the secret keys
> from gpg2"). If either is the case, keep using gpg2.
>
> Also, if you are getting the error "No passphrase
> given", I could be wrong, but that might suggest that
> the secret key is already encrypted. Are you sure that
> there is no existing passphrase? If so, ignore this.
>
> cheers,
> raf

Thanks for the suggestions, but they do not help.? On my main PC I only 
have version 2 installed, so gpg and gpg2 are the same command (one is a 
symlink to the other.)? The key was created many years ago with gpg 
version 1 and was definitely created without a passphrase. ? I have gone 
through many PCs since then (all LInux) and always copied my ~/.gnupg 
folder to the new box.? Somewhere along the line some files do seem to 
have gotten lost, because I do not have secring.gpg or pubring.gpg, but 
gpg -k and gpg -K both show my main key.? I compiled a copy of gpg1 (not 
installed to the system) to try to use locally, since it doesn't enforce 
the use of a passphrase for the secret key.? Unfortunately, without 
secring.gpg, it doesn't see the secret key at all.

Your first suggestion does not work (as I said in my original post) 
because pinentry does not accept a blank passphrase, and it still 
prompts for one even if it doesn't actually need it.



From rjh at sixdemonbag.org  Sun Oct  3 18:53:54 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 3 Oct 2021 12:53:54 -0400
Subject: how to add a passphrase to a keypair
In-Reply-To: <302bcdf4-33b9-7a42-e1a3-868c7132115a@users.sourceforge.net>
References: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
 <YVkYA0U1Jur7IgKl@raf.org> <YVkaxM72RE6QNX52@raf.org>
 <302bcdf4-33b9-7a42-e1a3-868c7132115a@users.sourceforge.net>
Message-ID: <f6faf6b8-b644-629b-b8e0-47981b166838@sixdemonbag.org>

> gpg -k and gpg -K both show my main key.? I compiled a copy of gpg1 (not 
> installed to the system) to try to use locally, since it doesn't enforce 
> the use of a passphrase for the secret key.? Unfortunately, without 
> secring.gpg, it doesn't see the secret key at all.

I haven't tried this, but it might be exactly what you want to do:

/path/to/gpg2 --export-secret-keys 0xMY_KEY_ID > secret.gpg
/path/to/gpg1 --import secret.gpg

When you import the secret key, secring.gpg will be recreated, and the 
corresponding public key will be automatically imported into 
pubring.gpg.  (A copy of the public key is embedded into each secret key.)

At that point you'll have the necessary pubring.gpg/secring.gpg files, 
and should be able to change the passphrase at a GPG1 command line.



From ostroffjh at users.sourceforge.net  Sun Oct  3 20:44:27 2021
From: ostroffjh at users.sourceforge.net (Jack)
Date: Sun, 3 Oct 2021 14:44:27 -0400
Subject: how to add a passphrase to a keypair
In-Reply-To: <f6faf6b8-b644-629b-b8e0-47981b166838@sixdemonbag.org>
References: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
 <YVkYA0U1Jur7IgKl@raf.org> <YVkaxM72RE6QNX52@raf.org>
 <302bcdf4-33b9-7a42-e1a3-868c7132115a@users.sourceforge.net>
 <f6faf6b8-b644-629b-b8e0-47981b166838@sixdemonbag.org>
Message-ID: <1623b891-ba10-047e-5fd1-85d074b1f219@users.sourceforge.net>

On 10/3/21 12:53, Robert J. Hansen via Gnupg-users wrote:
>> gpg -k and gpg -K both show my main key. I compiled a copy of gpg1 
>> (not installed to the system) to try to use locally, since it doesn't 
>> enforce the use of a passphrase for the secret key.? Unfortunately, 
>> without secring.gpg, it doesn't see the secret key at all.
>
> I haven't tried this, but it might be exactly what you want to do:
>
> /path/to/gpg2 --export-secret-keys 0xMY_KEY_ID > secret.gpg
It is what I want, but it doesn't work.? gpg2 uses pinentry to request 
the passphrase, and so fails with a blank one.? I would expect that 
using --passphrase-fd would work, but it also fails, as stated in my 
original post with "error receiving key from agent: No passphrase given 
- skipped".? I do find this odd, as I know using --passphrase-fd works: 
gpg --passwd fails with no passphrase given using pinentry, and fails 
with the same error using --passphrase-fd and a blank passphrase, but 
fails with bad passphrase using --passphrase-fd and any non blank 
passphrase.? I have just reconfirmed this behavior.
> /path/to/gpg1 --import secret.gpg
>
> When you import the secret key, secring.gpg will be recreated, and the 
> corresponding public key will be automatically imported into 
> pubring.gpg.? (A copy of the public key is embedded into each secret 
> key.)
>
> At that point you'll have the necessary pubring.gpg/secring.gpg files, 
> and should be able to change the passphrase at a GPG1 command line.

I do expect this would work if I could successfully do the export with gpg2.

Jack



From anon85786376 at protonmail.com  Wed Oct  6 22:03:38 2021
From: anon85786376 at protonmail.com (anonymous)
Date: Wed, 06 Oct 2021 20:03:38 +0000
Subject: how to add a passphrase to a keypair
In-Reply-To: <302bcdf4-33b9-7a42-e1a3-868c7132115a@users.sourceforge.net>
References: <W2FDA4U5.7JDOZHPO.4PTKT7Z3@T4ZIZL3K.XCYRWMSZ.RNQEUYLR>
 <YVkYA0U1Jur7IgKl@raf.org> <YVkaxM72RE6QNX52@raf.org>
 <302bcdf4-33b9-7a42-e1a3-868c7132115a@users.sourceforge.net>
Message-ID: <GDZIU7OgBvHEq2Oszh6HeRDGimAGSV74aC6NQQqI6Yw1090CSjfCBMbJJu7aMq12i9VPbarGYH5GCpggTsp2z3CfHUZaKVxaby8uItWwkRY=@protonmail.com>

On Sunday, October 3rd, 2021 at 7:54 AM, Jack via Gnupg-users <gnupg-users at gnupg.org> wrote:

> The key was created many years ago with gpg
> version 1 and was definitely created without a passphrase.

One of many problems with having no password protection for a key is there is nothing to stop someone who has access to your PC from creating a password for it.

> I do not have secring.gpg or pubring.gpg, but
> gpg -k and gpg -K both show my main key.

Secret keys are now stored in the /.gnupg/private-keys-v1.d folder with a filename that is the key's keygrip with a .key suffix.

To know which key each keygrip belongs to, use:
$ gpg --with-keygrip -K.

You can get some more information about the key's protection by viewing the keygrip file with the xxd command:
$ xxd ~/.gnupg/private-keys-v1.d/KEYGRIP.key
(obviously replace "KEYGRIP" with the actual keygrip).
The rightmost column will display text, with the part at the end of the file being the time password protection was added to the key.

> because pinentry does not accept a blank passphrase, and it still
> prompts for one even if it doesn't actually need it.

That prompt is a sure sign that the key is now protected with a password.


From anon85786376 at protonmail.com  Wed Oct  6 21:19:18 2021
From: anon85786376 at protonmail.com (anonymous)
Date: Wed, 06 Oct 2021 19:19:18 +0000
Subject: GNU Privacy Assistant - false negatives on detached signature
 verification
Message-ID: <9tWrYqLVY6IoGFqCvnCY9bO8AZgvoPzDUDNcFkHcfS0EpGTPyP_HBoEuux_nHz_tsyAtA_soWGvx6ryzxkmMiQI58mDwwoM6J8ZlrPIlaCA=@protonmail.com>

It seems that GPA can only verify detached signatures when it has a suffix of .sig .sign or .asc. When a detached signature has a different suffix (for example .gpg like all of the sha256sum.txt.gpg files for verifying Linux Mint downloads) GPA will always display a signature status of "Bad" even though the signature is in fact good.

If the detached signature file is renamed to change the suffix to one of .sig .sign or .asc the GPA will correctly verify it as "Good". Is that the only way to make it work?


From wk at gnupg.org  Thu Oct  7 07:50:37 2021
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Oct 2021 07:50:37 +0200
Subject: [Announce] GnuPG 2.2.32 (LTS) fixes a problem with Let's Encrypt
Message-ID: <87czohxu1e.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG LTS release:
version 2.2.32.  This release fixes a problem in GnuPG with the new
Let's Encrypt root certificate and is thus required to restore access to
many web resources (e.g. Web Key Directory and keyservers).

The LTS (long term support) series of GnuPG is guaranteed to be
maintained at least until the end of 2024.  See
https://gnupg.org/download/index.html#end-of-life


What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As an universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG can be freely used, modified and distributed under the terms of
the GNU General Public License.


Noteworthy changes in version 2.2.32 (2021-10-06)
=================================================

* dirmngr: Fix Let's Encrypt certificate chain validation.  [T5639]
  (See https://dev/gnupg.org/T5639)

* dirmngr: New option --ignore-cert.  [323a20399d]

* gpg: Fix --list-packets for AEAD packets with unknown key.  [T5584]

Release-info: https://dev.gnupg.org/T5601


Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or
read on:

GnuPG 2.2.32 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
<https://gnupg.org/download/mirrors.html>.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.32.tar.bz2 (7043k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.32.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.32_20211006.exe (4395k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.32_20211006.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.

A new version of Gpg4win will not be published.  Users of Gpg4win should
instead install this version on top of Gpg4win 3.1.16.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.32.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.32.tar.bz2.sig gnupg-2.2.32.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.32.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.32.tar.bz2

   and check that the output matches the next line:

81684626720c91060ae9920936c768df9fc8b2f6  gnupg-2.2.32.tar.bz2
0e24879a809c3a6de89dc41bad1dd4c2430b38a2  gnupg-w32-2.2.32_20211006.tar.xz
4705ed62b21cda6b8314d9e48ad8d9de1801ee8d  gnupg-w32-2.2.32_20211006.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian,
Japanese, Norwegian, Polish, Russian, and Ukrainian being almost
completely translated.


Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in thee manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advise on how to solve problems.  Most
of the new features are around for several years and thus enough public
experience is available.  https://wiki.gnupg.org has user contributed
information around GnuPG and relate software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T5601 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org.  If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
and still mostly financed by donations.  Three full-time employed
developers as well as two contractors exclusively work on GnuPG and
closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, or answering questions on the mailing
lists.

Many thanks to our numerous financial supporters, both corporate and
individuals.  Without you it would not be possible to keep GnuPG in a
good and secure shape and to address all the small and larger requests
made by our users.  Thanks.


Happy hacking,

   Your GnuPG hackers


p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA  9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

--
Please read

  Nils Melzer: Der Fall Julian Assange

It is really important to know the background of the Assange case to
understand the massive perils to free journalism.  The book is right
now only available in German: https://dev.gnupg.org/u/melzerassang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211007/309c35c7/attachment.sig>
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From ostroffjh at users.sourceforge.net  Thu Oct  7 20:07:23 2021
From: ostroffjh at users.sourceforge.net (Jack)
Date: Thu, 07 Oct 2021 14:07:23 -0400
Subject: how to add a passphrase to a keypair
In-Reply-To: <GDZIU7OgBvHEq2Oszh6HeRDGimAGSV74aC6NQQqI6Yw1090CSjfCBMbJJu7aMq12i9VPbarGYH5GCpggTsp2z3CfHUZaKVxaby8uItWwkRY=@protonmail.com>
Message-ID: <JQJ6RAPV.63YBO35O.O62GO72L@OMI5PXL2.UODDTTFT.KPV4FQ4G>

OK, I have to declare defeat.  I obviously have a far worse case of CRS  
(Can't remember stuff) than I thought.

On 2021.10.06 16:03, anonymous via Gnupg-users wrote:
> On Sunday, October 3rd, 2021 at 7:54 AM, Jack via Gnupg-users  
> <gnupg-users at gnupg.org> wrote:

> > I do not have secring.gpg or pubring.gpg, but gpg -k and gpg -K  
> both show my main key.
> Secret keys are now stored in the /.gnupg/private-keys-v1.d folder  
> with a filename that is the key's keygrip with a .key suffix.
Not sure why I mentioned that, other than that the lack of those files  
prevented my trying to access they keys with gpg 1.4.
> 
> To know which key each keygrip belongs to, use:
> $ gpg --with-keygrip -K.
> 
> You can get some more information about the key's protection by  
> viewing the keygrip file with the xxd command:
> $ xxd ~/.gnupg/private-keys-v1.d/KEYGRIP.key
> (obviously replace "KEYGRIP" with the actual keygrip).
> The rightmost column will display text, with the part at the end of  
> the file being the time password protection was added to the key.
That was the key (no pun intended) to seeing that indeed, there is a  
password on the key, and, in complete conflict with my (obviously  
flaky) memory, it was added when the key was created, and that date  
(April 2020) was much more recent than I thought.  The only saving  
grace here (unless I can actually remember the password) is that it  
seems I never actually uploaded that key to any keyerver, although I do  
have a revocation certificate.
> 
> > because pinentry does not accept a blank passphrase, and it still  
> prompts for one even if it doesn't actually need it.
> That prompt is a sure sign that the key is now protected with a  
> password.
I may follow up on this later, but are you saying that if there is no  
password on the key, then gpg/gpg-agent/pinentry will not even prompt  
for it?  So, if I did have a key without a password, then "gpg --passwd  
that-key" would not prompt for the original (blank) password, and only  
for the new password?

Thanks again for giving me the necessary clue.


From anon85786376 at protonmail.com  Thu Oct  7 20:34:18 2021
From: anon85786376 at protonmail.com (anonymous)
Date: Thu, 07 Oct 2021 18:34:18 +0000
Subject: how to add a passphrase to a keypair
In-Reply-To: <JQJ6RAPV.63YBO35O.O62GO72L@OMI5PXL2.UODDTTFT.KPV4FQ4G>
References: <JQJ6RAPV.63YBO35O.O62GO72L@OMI5PXL2.UODDTTFT.KPV4FQ4G>
Message-ID: <plMnf87BaTR0Q4e_2a4W31m3BCrDkoB5o-yKd-b05yLQyBHd2QYsLdqkh0hClpcNh2pY-SnzuSaEEM7Nm2FadB5WYsYJDzpMiHGRdzyDVLY=@protonmail.com>

Jack via Gnupg-users <gnupg-users at gnupg.org> wrote:
> I may follow up on this later, but are you saying that if there is no
> password on the key, then gpg/gpg-agent/pinentry will not even prompt
> for it? So, if I did have a key without a password, then "gpg --passwd
> that-key" would not prompt for the original (blank) password, and only
> for the new password?

That is correct. It will only prompt to "enter new passphrase" if the key does not already have password protection.


From bernhard at intevation.de  Fri Oct  8 12:19:23 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 8 Oct 2021 12:19:23 +0200
Subject: WKD docs on the wiki, restructuring. Feedback on forUsers page
In-Reply-To: <1ace12f3-1166-97d0-8745-5a827f8fa38d@tana.it>
References: <202109281739.29873.bernhard@intevation.de>
 <1ace12f3-1166-97d0-8745-5a827f8fa38d@tana.it>
Message-ID: <202110081219.29491.bernhard@intevation.de>



Am Mittwoch 29 September 2021 20:26:02 schrieb Alessandro Vesely via 
Gnupg-users:
> On Tue 28/Sep/2021 17:39:29 +0200 Bernhard Reiter wrote:
> > Feedback (and help) is always appreciated.:)
>
> I'm not sure if WKD/forHosts would be a better location than WKDHosting.

Not sure either yet. I'll just know that that https://wiki.gnupg.org/WKD
got too long and needs to be restructured for the different perspectives.
I haven't gotten to the WKDHosting page so far.

> Anyway, I'd publish the test suggested by Alissa on this list on 8 July
> 2019:
>
>      gpg --homedir "$(mktemp -d)" --locate-keys hi at alyssa.is

done

> The address https://www.ietf.org/id/draft-koch-openpgp-webkey-service.txt,
> near the bottom of the page yields 404.  Please use:
> https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service

done, thanks for your good suggesitons!

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211008/bc0fc38a/attachment.sig>

From bernhard at intevation.de  Fri Oct  8 12:26:42 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 8 Oct 2021 12:26:42 +0200
Subject: GNU Privacy Assistant - false negatives on detached signature
 verification (GPA)
In-Reply-To: <9tWrYqLVY6IoGFqCvnCY9bO8AZgvoPzDUDNcFkHcfS0EpGTPyP_HBoEuux_nHz_tsyAtA_soWGvx6ryzxkmMiQI58mDwwoM6J8ZlrPIlaCA=@protonmail.com>
References: <9tWrYqLVY6IoGFqCvnCY9bO8AZgvoPzDUDNcFkHcfS0EpGTPyP_HBoEuux_nHz_tsyAtA_soWGvx6ryzxkmMiQI58mDwwoM6J8ZlrPIlaCA=@protonmail.com>
Message-ID: <202110081226.42900.bernhard@intevation.de>

Am Mittwoch 06 Oktober 2021 21:19:18 schrieb anonymous via Gnupg-users:
> It seems that GPA can only verify detached signatures when it has a suffix
> of .sig .sign or .asc. When a detached signature has a different suffix
> (for example .gpg like all of the sha256sum.txt.gpg files for verifying
> Linux Mint downloads) GPA will always display a signature status of "Bad"
> even though the signature is in fact good.

If this is reproducable for you, please file a problem report on dev.gnupg.org
with keyword GPA. 

Note that GPA maintance is currently very slow. Werner has some GKT3 patches 
but no time to get this is shape. And unless someone steps up to maintain the 
windows port, it will probably be dropped from Gpg4win for example. (See 
gpg4win-devel@ discussion).

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211008/d424ee70/attachment.sig>

From luc.dedroog at bnpparibasfortis.com  Fri Oct  8 09:01:27 2021
From: luc.dedroog at bnpparibasfortis.com (luc.dedroog at bnpparibasfortis.com)
Date: Fri, 8 Oct 2021 07:01:27 +0000
Subject: Issue when running in command in batch
Message-ID: <e49dc2687ced422cb6bbcda66c6bc571@bnpparibasfortis.com>

Hi,

I have an issue with gnupg because I would like to run it in batch (to allow several users to maintain the keys) but I never succeed to use the parameter '--command-fd n' or '--command-file file' as explain in the documentation for the 'edit-key'.
I run gnupg on iSeries IBM machine.
Is the version I run (1.4.10) include this possibility?
Have you some example for it?

Thanks, Luc Dedroog.

I am from Belgium (Europe) and we try to use the gnupg on iSeries to exchange document with different branches in the world.


======================================================
BNP Paribas Fortis disclaimer:
http://www.bnpparibasfortis.com/e-mail-disclaimer.html
 
BNP Paribas Fortis privacy policy:
http://www.bnpparibasfortis.com/privacy-policy.html
 
======================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211008/10c19616/attachment.html>

From johndoe65534 at mail.com  Fri Oct  8 17:31:41 2021
From: johndoe65534 at mail.com (john doe)
Date: Fri, 8 Oct 2021 17:31:41 +0200
Subject: Issue when running in command in batch
In-Reply-To: <e49dc2687ced422cb6bbcda66c6bc571@bnpparibasfortis.com>
References: <e49dc2687ced422cb6bbcda66c6bc571@bnpparibasfortis.com>
Message-ID: <17a8e8e5-022f-10fd-aae9-20c01bbc174a@mail.com>

On 10/8/2021 9:01 AM, luc.dedroog--- via Gnupg-users wrote:
> Hi,
>
> I have an issue with gnupg because I would like to run it in batch (to allow several users to maintain the keys) but I never succeed to use the parameter '--command-fd n' or '--command-file file' as explain in the documentation for the 'edit-key'.
> I run gnupg on iSeries IBM machine.
> Is the version I run (1.4.10) include this possibility?
> Have you some example for it?
>

Not realy without seeing the command that is failing for you and the
expected result.

Adding the URL that is pointing to the documentation you are refering to
would be best.

--
John Doe


From karel-v_g at tutanota.com  Mon Oct 11 11:16:52 2021
From: karel-v_g at tutanota.com (karel-v_g at tutanota.com)
Date: Mon, 11 Oct 2021 11:16:52 +0200 (CEST)
Subject: Kleopatra does not show diasbled keys though defined in libkleopatrarc
Message-ID: <MliczVd--3-2@tutanota.com>

Hello!

I want to visually distinguish disabled OpenPGP-keys? in Kleopatras interface.
Therefor I edited inlibkleopatrarc and added a category "Disabled keys" to it:

[Key Filter #10]
Name=Disabled keys
font-italic=true
foreground-color=186,189,182
is-disabled=true

As a result I would expect to appear disabled keys to appear in grey and italic.

Though the new category is listed in Kleopatras settings after the edit and though the relevant keys are recognized as disabled in the mouse-over-box the visual settings are not applied.

This happens in the current Kleoptra included in GPG4Win 3.1.16, Debian 11.1 (Bullseye) and Ubuntu Budgie 21.4.3.

I am not sure at all, but I think this was working some time in the past

Thanks for Help!

Karel


From wk at gnupg.org  Tue Oct 12 19:41:15 2021
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Oct 2021 19:41:15 +0200
Subject: [Announce] GnuPG 2.3.3 released
Message-ID: <874k9mqgxw.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.3.3.  This is the fourth release in the new 2.3 series which
fixes a couple of bugs we introduced in 2.3.2 as well as a fix for
keyservers.  See below for details.


What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As an universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different series of GnuPG are actively maintained:

- Version 2.3 is the current stable version with a lot of new features
  compared to 2.2.  This announcement is about the latest release of
  this series.

- Version 2.2 is our LTS (long term support) version and guaranteed to
  be maintained at least until the end of 2024.
  See https://gnupg.org/download/index.html#end-of-life

- Version 1.4 is only maintained to allow decryption of very old data
  which is, for security reasons, not anymore possible with other GnuPG
  versions.


Noteworthy changes in version 2.3.3 (2021-10-12)
===============================================

  * agent: Fix segv in GET_PASSPHRASE (regression).  [#5577]

  * dirmngr: Fix Let's Encrypt certificate chain validation.  [#5639]

  * gpg: Change default and maximum AEAD chunk size to 4 MiB.
    [ad3dabc9fb]

  * gpg: Print a warning when importing a bad cv25519 secret key.
    [#5464]

  * gpg: Fix --list-packets for undecryptable AEAD packets.  [#5584]

  * gpg: Verify backsigs for v5 keys correctly.  [#5628]

  * keyboxd: Fix checksum computation for no UBID entry on disk.
    [#5573]

  * keyboxd: Fix "invalid object" error with cv448 keys.  [#5609]

  * dirmngr: New option --ignore-cert.  [4b3e9a44b5]

  * agent: Fix calibrate_get_time use of clock_gettime.  [#5623]

  * Silence process spawning diagnostics on Windows. [f2b01025c3]

  * Support a gpgconf.ctl file under Unix and use this for the
    regression tests.  [#5999]

  * The Windows installer now also installs the new keyboxd.
    (Put "use-keyboxd" into common.conf to use a fast SQLite
     database instead of the pubring.kbx file.)

  Release-info: https://dev.gnupg.org/T5565
  

Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or
read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct
from its primary FTP server.  The list of mirrors can be found at
<https://gnupg.org/download/mirrors.html>.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.3.tar.bz2 (7412k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.3.3.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.3.3_20211012.exe (4701k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.3.3_20211012.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.

If you want to use this GnuPG versions with Gpg4win simply install it on
on top of Gpg4win 3.1.16.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.3.3.tar.bz2 you would use this command:

     gpg --verify gnupg-2.3.3.tar.bz2.sig gnupg-2.3.3.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.3.3.tar.bz2, you run the command like this:

     sha1sum gnupg-2.3.3.tar.bz2

   and check that the output matches the next line:

b19a407076424704f1b00e8265254de1b3061659  gnupg-2.3.3.tar.bz2
bfb4e9fe2a69c763f15f6a7dd980c7ef6807277f  gnupg-w32-2.3.3_20211012.tar.xz
f95dec36a3905c1a928e7b8b83d4eee8a8200364  gnupg-w32-2.3.3_20211012.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian,
Japanese, Norwegian, Polish, Russian, and Ukrainian being almost
completely translated.


Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advise on how to solve problems.  Most
of the new features are around for several years and thus enough public
experience is available.  https://wiki.gnupg.org has user contributed
information around GnuPG and relate software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T5565 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org.  If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
and still mostly financed by donations.  Three full-time employed
developers as well as two contractors exclusively work on GnuPG and
closely related software like Libgcrypt, GPGME and Gpg4win.

We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, or answering questions on the mailing
lists.

The financial support of the governmental CERT of Luxembourg
(GOVCERT.LU) allowed us to develop new and improved features for
smartcards (Yubikey, PIV and Scute) as well as various usability
features.  Thanks.

Many thanks also to all other financial supporters, both corporate and
individuals.  Without you it would not be possible to keep GnuPG in a
good and secure shape and to address all the small and larger requests
made by our users.


Happy hacking,

   Your GnuPG hackers


p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users at gnupg.org mailing list.

p.p.s
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these four keys:

  ed25519 2020-08-24 [expires: 2030-06-30]
  Key fingerprint = 6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA  9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

-- 
Please read

  Nils Melzer: Der Fall Julian Assange

It is really important to know the background of the Assange case to
understand the massive perils to free journalism.  The book is right
now only available in German: https://dev.gnupg.org/u/melzerassang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211012/a6fd7c27/attachment-0001.sig>
-------------- next part --------------
_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From ceo.teo.en.ming at gmail.com  Thu Oct 14 16:06:03 2021
From: ceo.teo.en.ming at gmail.com (Turritopsis Dohrnii Teo En Ming)
Date: Thu, 14 Oct 2021 22:06:03 +0800
Subject: Using GnuPG on Linux desktops with GUI
Message-ID: <CAMEJMGGAa+O2XpmLbgW8qJJT1+N=ucNmZWWMThRrUqBChZUknA@mail.gmail.com>

Subject: Using GnuPG on Linux desktops with GUI

Good day from Singapore,

I am using Linux desktops with GUI and GUI mail clients as well.

I understand GNU Privacy Guard (GnuPG) is a free and open source
command line tool.

How do I use it with a GUI mail client to sign and encrypt email
messages and files?

I am very much interested in cryptography.

I am looking forward to your replies.

Thank you very much.

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 14 Oct 2021,
is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant
with a Systems Integrator (SI)/computer firm in Singapore. He is an IT
enthusiast.




-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's
Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts
at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan
(5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----


From teo.en.ming at protonmail.com  Thu Oct 14 16:49:48 2021
From: teo.en.ming at protonmail.com (Turritopsis Dohrnii Teo En Ming)
Date: Thu, 14 Oct 2021 14:49:48 +0000
Subject: Using GnuPG on Linux desktops with GUI
Message-ID: <GY-jR6ZnWEXRpi5JpRaXltFTSj5ggNwfn5u3YiZRJqB86E7vBshQjiVoPAwL3F6gzmdtMxHGmJsew0_INbX2wWE7zvHBUY67cu0PMVNW7pU=@protonmail.com>

Subject: Using GnuPG on Linux desktops with GUI

Good day from Singapore,

I am using Linux desktops with GUI and GUI mail clients as well.

I understand GNU Privacy Guard (GnuPG) is a free and open source command line tool.

How do I use it with a GUI mail client to sign and encrypt email messages and files?

I am very much interested in cryptography.

I am looking forward to your replies.

Thank you very much.

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 14 Oct 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a Systems Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.

-----BEGIN EMAIL SIGNATURE-----

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html

********************************************************************************************

Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1]
https://tdtemcerts.wordpress.com/

[2]
https://tdtemcerts.blogspot.sg/

[3]
https://www.scribd.com/user/270125049/Teo-En-Ming

-----END EMAIL SIGNATURE-----

Sent with [ProtonMail](https://protonmail.com/) Secure Email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211014/03e0ae49/attachment.html>

From stuartl at longlandclan.id.au  Thu Oct 14 23:02:54 2021
From: stuartl at longlandclan.id.au (Stuart Longland)
Date: Fri, 15 Oct 2021 07:02:54 +1000
Subject: Using GnuPG on Linux desktops with GUI
In-Reply-To: <CAMEJMGGAa+O2XpmLbgW8qJJT1+N=ucNmZWWMThRrUqBChZUknA@mail.gmail.com>
References: <CAMEJMGGAa+O2XpmLbgW8qJJT1+N=ucNmZWWMThRrUqBChZUknA@mail.gmail.com>
Message-ID: <20211015070254.7f31de50@longlandclan.id.au>

On Thu, 14 Oct 2021 22:06:03 +0800
Turritopsis Dohrnii Teo En Ming via Gnupg-users <gnupg-users at gnupg.org> wrote:

> I am using Linux desktops with GUI and GUI mail clients as well.
> 
> I understand GNU Privacy Guard (GnuPG) is a free and open source
> command line tool.
> 
> How do I use it with a GUI mail client to sign and encrypt email
> messages and files?

I'd have a look for a GnuPG plug-in for your email client.  It's not
clear which one you are using.

I'm using Claws Mail right now, PGP/MIME can be enabled by enabling it
in the plug-ins dialogue.  Others like Trojit?, there are similar
options for enabling and configuring GnuPG support.

For Mozilla Thunderbird, it has its own OpenPGP implementation
built-in, but if you wish, you can (at the moment) tell it to use
GnuPG.  An example use case where you might want to do this is if your
OpenPGP keys are stored on a hardware token (Thunderbird's built-in
OpenPGP support doesn't support these tokens yet).

https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards says "Use the
Thunderbird config editor (found at the bottom of preferences/options),
and search for mail.openpgp.allow_external_gnupg. Switch the value to
true."

Web-based clients: you'll need to look at some sort of browser
extension to enable this feature.

For just file and message encryption outside of emails, there are
various front-ends for GnuPG if you must use a GUI tool, for example
KDE ships Kleopatra.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


From Holger.Sebert at itk-engineering.de  Fri Oct 15 17:55:28 2021
From: Holger.Sebert at itk-engineering.de (Holger Sebert)
Date: Fri, 15 Oct 2021 15:55:28 +0000
Subject: Importing a signed key
Message-ID: <5c885d1e4b7a44f894ca74ec8a5963cb@itk-engineering.de>

Hi,

I've upgraded from an old version of GnuPG (1.4.18) to version 2.2.31
and encountered a new behavior which puzzles me:

I would like to import a key that has been previously signed with 
`gpg --sign` (say for example "somekey.pub.key.gpg").

In the old version of GnuPG I could import the .gpg-file into the key ring
simply by doing `gpg --import`. The new version, however, does nothing:

    $ gpg --import somekey.pub.key.gpg
    gpg: Total number processed: 0

On the other hand, importing the plain key-file ("somekey.pub.key")
works:

    $ gpg --import somekey.pub.key
    gpg: ...
    gpg: Total number processed: 1
    gpg:               imported: 1

I have no problem replacing the .gpg-file with the original .pub.key-file
when importing the key, but I am concerned that I am doing something
unsafe here.

What am I missing here?

Best,
Holger



From ceo.teo.en.ming at gmail.com  Sat Oct 16 08:58:02 2021
From: ceo.teo.en.ming at gmail.com (Turritopsis Dohrnii Teo En Ming)
Date: Sat, 16 Oct 2021 14:58:02 +0800
Subject: Using GnuPG on Linux desktops with GUI
In-Reply-To: <20211015070254.7f31de50@longlandclan.id.au>
References: <CAMEJMGGAa+O2XpmLbgW8qJJT1+N=ucNmZWWMThRrUqBChZUknA@mail.gmail.com>
 <20211015070254.7f31de50@longlandclan.id.au>
Message-ID: <CAMEJMGERcpTbVctcZMkf-s=bCKXSGTC6nn7NcRKBXH0B2E_nBg@mail.gmail.com>

Dear Stuart Longland,

Thank you for your reply.

I think I will be using Mozilla Thunderbird on Linux desktops.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore



On Fri, 15 Oct 2021 at 05:03, Stuart Longland
<stuartl at longlandclan.id.au> wrote:
>
> On Thu, 14 Oct 2021 22:06:03 +0800
> Turritopsis Dohrnii Teo En Ming via Gnupg-users <gnupg-users at gnupg.org> wrote:
>
> > I am using Linux desktops with GUI and GUI mail clients as well.
> >
> > I understand GNU Privacy Guard (GnuPG) is a free and open source
> > command line tool.
> >
> > How do I use it with a GUI mail client to sign and encrypt email
> > messages and files?
>
> I'd have a look for a GnuPG plug-in for your email client.  It's not
> clear which one you are using.
>
> I'm using Claws Mail right now, PGP/MIME can be enabled by enabling it
> in the plug-ins dialogue.  Others like Trojit?, there are similar
> options for enabling and configuring GnuPG support.
>
> For Mozilla Thunderbird, it has its own OpenPGP implementation
> built-in, but if you wish, you can (at the moment) tell it to use
> GnuPG.  An example use case where you might want to do this is if your
> OpenPGP keys are stored on a hardware token (Thunderbird's built-in
> OpenPGP support doesn't support these tokens yet).
>
> https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards says "Use the
> Thunderbird config editor (found at the bottom of preferences/options),
> and search for mail.openpgp.allow_external_gnupg. Switch the value to
> true."
>
> Web-based clients: you'll need to look at some sort of browser
> extension to enable this feature.
>
> For just file and message encryption outside of emails, there are
> various front-ends for GnuPG if you must use a GUI tool, for example
> KDE ships Kleopatra.
> --
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
>   ...it's backed up on a tape somewhere.


From bernhard at intevation.de  Fri Oct 22 16:20:59 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 22 Oct 2021 16:20:59 +0200
Subject: Importing a signed key
In-Reply-To: <5c885d1e4b7a44f894ca74ec8a5963cb@itk-engineering.de>
References: <5c885d1e4b7a44f894ca74ec8a5963cb@itk-engineering.de>
Message-ID: <202110221621.05600.bernhard@intevation.de>

Hi Holger,

Am Freitag 15 Oktober 2021 17:55:28 schrieb Holger Sebert:
> The new version, however, does nothing:
>
>     $ gpg --import somekey.pub.key.gpg
>     gpg: Total number processed: 0

you could add more verbosity to find out what is going on, e.g. like
     gpg --verbose --import somekey.pub.key.gpg
or
     gpg --verbose --verbose --import somekey.pub.key.gpg
or 
     gpg --debug-level advanced --import somekey.pub.key.gpg

> On the other hand, importing the plain key-file ("somekey.pub.key")
> works:

If you want to check the signature, try
   gpg --verbose --verify somekey.pub.key.gpg
see if the result helps you.

Usually it is considered safe to import public keys, because they are not 
automatically trusted by GnuPG. (Usually means, unless you or some GnuPG 
using application is makeing other assumptions.)

Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211022/e2290869/attachment-0001.sig>

From x10an14 at gmail.com  Fri Oct 22 15:24:27 2021
From: x10an14 at gmail.com (Christian Chavez)
Date: Fri, 22 Oct 2021 15:24:27 +0200
Subject: Why does one machine allow me to use two yubikeys simultaneously
 connected, while another only allows one?
Message-ID: <CAF6oXFvM9AiCW0b-7fLTLJS56RJdyVYwUS4sb+_6h8A3K3JyTA@mail.gmail.com>

Hi,

I've got the same ~/.profile and ~/.bashrc configs (see below) on both
machines, yet on one machine I have to disconnect one to make use of the
other.
And on the other machine I can make use of GPG keys on either yubikey while
both are conected via USB.

What's puzzling is that it's the one with the newest scdaemon, pcscd, and
gpg does not allow me to leverage both yubikey's GPG keys (one will always
work, but to make the other work I have to disconnect the one that works).

See paste for configuration:
https://paste.sr.ht/~x10an14/0ff21ef47dce1aabae57e6841232ffd3064f2150

Anyone got any suggestions on how to debug this?

-- 
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211022/efdd8f43/attachment.html>

From bernhard at intevation.de  Fri Oct 22 16:35:37 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Fri, 22 Oct 2021 16:35:37 +0200
Subject: WKD Research: Measuring use. An mailinglist maintainers that would
 help?
Message-ID: <202110221635.44294.bernhard@intevation.de>

Hello friends of OpenPGP,

as part of his Bachelor thesis [1], Christoph wants so to find out, which 
actions could increase the overall usage of WKD.

Ideally we should be able to observe some changes in the usage of WKD over 
time and hopefully can credit something to some changes like measures tried 
during the research.

So how do we observe WKD usage over time? Obviously this is hard to do,
as we are in a decentral system, this is designed to keep things private.

Thus our measurement could only be indirectly.

One idea is: If we have a public email address where a lot of emails are send 
to, e.g. the submission address of a mailinglist
we could set up an OpenPGP key for it via WKD
and use a small tool to pipe each incoming mail through on the server
to decrypt and count the mail.

We can also count the number of request for the WKD address on the webserver
serving the WKD. In both counts, no personal data is saved.
So it is just about the safety of the decryption tool, which can be provided.

Do you know email addresses, e.g. of mailinglists, where you know the server 
administrators would be potentially willing to help this academic research?

An other ideas?

Best Regards,
Bernhard

[1] https://wiki.gnupg.org/WKD/Misc

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211022/24209180/attachment.sig>

From gnupg-users at spodhuis.org  Fri Oct 22 17:00:11 2021
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Fri, 22 Oct 2021 11:00:11 -0400
Subject: trust-model and federated lookups
Message-ID: <YXLR+xn13rTTzN0N@fullerene.field.pennock-tech.net>

Folks,

When evaluating the trust we have in the identity attached to a key, I
often see "WARNING: We have NO indication whether the key belongs to the
person named as shown above"; at the same time, `--with-key-origin` for
the very same key will show "origin=wkd".

GnuPG uses the trust-model option to decide how to evaluate the trust we
have in a key.  I've looked through the options, and checked the release
notes for the 2.3.x series to confirm nothing new there.

I'm currently using "trust-model tofu+pgp"/"tofu-default-policy unknown"

I think what I _want_ is `trust-model pgp+federated+tofu`, which means,
in order: (1) any sigs from the WoT; (2) origin information from the
key, if the origin shows the key was safely retrieved from a federated
origin in a provable way (WKD, various DNSSEC storage options, etc); (3)
TOFU as a fallback if there's nothing better.

I might even just want `trust-model pgp+federated` if I'm feeling more
cautious.  But in reality tofu helps a little.

Does this make sense to people?  Is there a security problem with this?
Does this seem like a reasonable feature request?

Thanks,
-Phil


From gnupg at eckner.net  Fri Oct 22 19:17:07 2021
From: gnupg at eckner.net (Erich Eckner)
Date: Fri, 22 Oct 2021 19:17:07 +0200 (CEST)
Subject: WKD Research: Measuring use. An mailinglist maintainers that
 would help?
In-Reply-To: <202110221635.44294.bernhard@intevation.de>
References: <202110221635.44294.bernhard@intevation.de>
Message-ID: <b2a92a94-a4e9-4d8a-4a8-6b80974dff5@eckner.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 22 Oct 2021, Bernhard Reiter wrote:

> Hello friends of OpenPGP,

Hi!

> as part of his Bachelor thesis [1], Christoph wants so to find out, which
> actions could increase the overall usage of WKD.

There are two parts of the usage: The publishing part and the 
search-for-and-use-if-available part. Both need separate measurements, I 
think.

>
> Ideally we should be able to observe some changes in the usage of WKD over
> time and hopefully can credit something to some changes like measures tried
> during the research.
>
> So how do we observe WKD usage over time? Obviously this is hard to do,
> as we are in a decentral system, this is designed to keep things private.
>
> Thus our measurement could only be indirectly.
>
> One idea is: If we have a public email address where a lot of emails are send
> to, e.g. the submission address of a mailinglist
> we could set up an OpenPGP key for it via WKD
> and use a small tool to pipe each incoming mail through on the server
> to decrypt and count the mail.

Wouldn't this break DKIM signatures on the mail? Just to be clear: You 
intend to send the encrypted mail through the mailing list as usual, 
right?

Also: This would only cover mailing lists and thus skew the results. What 
about organizations, that use WKD in-house, but whose members rarely write 
to mailing lists?

>
> We can also count the number of request for the WKD address on the webserver
> serving the WKD. In both counts, no personal data is saved.
> So it is just about the safety of the decryption tool, which can be provided.
>
> Do you know email addresses, e.g. of mailinglists, where you know the server
> administrators would be potentially willing to help this academic research?
>
> An other ideas?

If you want to fiddle around with mailservers, I would prefer your second 
approach: You measure the requests to the webserver, but actually don't 
offer a key via WKD - thus, the email flow is undisturbed, but you still 
get your metrics.

For measuring the publishing part, one could actively query for WKD on 
known MX domains.

For measuring the usage part, I think, it's more valuable to have a look 
at available software and their features: How many people use mail client 
X, and does X have WKD enabled by default or can it use WKD at all / as a 
fallback / ...

>
> Best Regards,
> Bernhard

regards,
Erich

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmFy8hUACgkQCu7JB1Xa
e1pl1g/9F7mEkQhHS6nT9lFOJb6qj+lbuRU33wAtqcUdY4VsuEZOiG0rjTQWwrkJ
MkeC8Q09zNZu7xNEy4R86R9nhjyZjgohjqbxxntdSL5YCsJCVGVLLz6dvmzUIXTc
xtEgIZp8Qi2ftOLZQaCc9qkp6RduuBoqJPbLIgan+XWvRIQE2X4/xaDljVuJUkqz
m3I7tQzsdm6QFK+0w6WiWp4qigNpkxWe8j/LlOWzQROXymkymDOmnDVX+qPakoh0
P1q5rD9tlFvDSAEURHw3b9KpFgD0F9hvzquzl7T2t58zgXph/LXu5cHJqYJNdqgq
t4J7ZM4bK6pRjwz1vlKyoqvK+7NS9HWr8f3b+9mr4nNpJtC8bgUmIBDnMPWkl490
OedA6I+mczhtCidJMEfU1QxE/CR3f8YlFbu7zkXZ++VAedm3uY5dyWltZSr7u+fw
Swbuw3gYPIPUi0pN+LnXvDFDZCEkn7fzSrkwkMUa0nlMXMGzX3pAUooVVktZjnN1
JCf5Mg6hSr8giHhHzNcBN3FmFC6wTeXgUk/HLcgi/OrUClDHsCS2zB372ZhtxXWo
EI++nbYBDGFMjt6CLl6bSqTPTQH4r9YHQvlOmA2D2VGhejskcZObbbM/C15JErKr
fZf7sre8x7wvgALmRoDG2MK6Pk9j8VA0VCqn7sLIcA80gPbNk9k=
=xoNe
-----END PGP SIGNATURE-----


From bernhard at intevation.de  Sat Oct 23 17:19:50 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Sat, 23 Oct 2021 17:19:50 +0200
Subject: WKD Research: Measuring use. An mailinglist maintainers that
 would help?
In-Reply-To: <b2a92a94-a4e9-4d8a-4a8-6b80974dff5@eckner.net>
References: <202110221635.44294.bernhard@intevation.de>
 <b2a92a94-a4e9-4d8a-4a8-6b80974dff5@eckner.net>
Message-ID: <2234713.ElGaqSPkdT@kymo.gruen>

Hi Erich,

Am Freitag, 22. Oktober 2021, 19:17:07 CEST schrieb Erich Eckner via Gnupg-
users:

> There are two parts of the usage: The publishing part and the
> search-for-and-use-if-available part. Both need separate measurements, I
> think.

Yes, though we want to focus on the latter part.
 
> > One idea is: If we have a public email address where a lot of emails are
> > send to, e.g. the submission address of a mailinglist
> > we could set up an OpenPGP key for it via WKD
> > and use a small tool to pipe each incoming mail through on the server
> > to decrypt and count the mail.
> 
> Wouldn't this break DKIM signatures on the mail?

Good question.
Mailman as a popular mailinglist software, already modifies mails, thus may 
break these DKIM signature. I need to do more research on this concern.
(Here is an old Mailman Discussion https://wiki.list.org/DEV/DKIM)

> Just to be clear: You intend to send the encrypted mail through the mailing
> list as usual, right?

Yes, unencrypted, of course.

> Also: This would only cover mailing lists and thus skew the results. What
> about organizations, that use WKD in-house, but whose members rarely write
> to mailing lists?

If you have any ideas how to do a direct or indirect measurement, I'd like to 
hear about them. 
  
> If you want to fiddle around with mailservers, I would prefer your second
> approach: You measure the requests to the webserver, but actually don't
> offer a key via WKD - thus, the email flow is undisturbed, but you still
> get your metrics.

True, using the weblogs may give some indications. However
it does not measure if the clients later actually would understand the pubkey 
and send encrypted emails and an advanced client may cache the results of a 
WKD request for a limited time.
 
> For measuring the publishing part, one could actively query for WKD on
> known MX domains.

(As written above, the work is more focused on the client, but following up 
your suggestion: That they offer a WKD in principle does not say much about 
how many email addresses actually offer a key, as we cannot walk them and need 
an email address before we could actually do a real query. Otherwise, would be 
interesting to see if there are more prominent WKD offers out there.)

> For measuring the usage part, I think, it's more valuable to have a look
> at available software and their features: How many people use mail client
> X, and does X have WKD enabled by default or can it use WKD at all / as a
> fallback / ...

This is a good suggestion, Christoph is already doing this since a while.

Thanks for your feedback!

Best Regards,
Bernhard
ps.: I've chosen to have this discussion in gnupg-users,  where me and 
Christoph are subscrubed.
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211023/7a5774b3/attachment.sig>

From bernhard at intevation.de  Mon Oct 25 12:24:26 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 25 Oct 2021 12:24:26 +0200
Subject: trust-model and federated lookups
In-Reply-To: <YXLR+xn13rTTzN0N@fullerene.field.pennock-tech.net>
References: <YXLR+xn13rTTzN0N@fullerene.field.pennock-tech.net>
Message-ID: <202110251224.26873.bernhard@intevation.de>

Hi Phil,

Am Freitag 22 Oktober 2021 17:00:11 schrieb Phil Pennock via Gnupg-users:
> I think what I _want_ is `trust-model pgp+federated+tofu`, which means,
> in order: (1) any sigs from the WoT; (2) origin information from the
> key, if the origin shows the key was safely retrieved from a federated
> origin in a provable way (WKD, various DNSSEC storage options, etc); (3)
> TOFU as a fallback if there's nothing better.
>
> I might even just want `trust-model pgp+federated` if I'm feeling more
> cautious. ?But in reality tofu helps a little.
>
> Does this make sense to people? ?Is there a security problem with this?
> Does this seem like a reasonable feature request?

Yes, not really, yes. ;)

To me it is important that the behaviour of the application using this 
information is ideally not black and white, you probabaly now
  
  https://wiki.gnupg.org/AutomatedEncryption

which is a vision how email clients can deal with pubkeys that they have 
different levels of confidence in.

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211025/6d1bea56/attachment-0001.sig>

From bernhard at intevation.de  Mon Oct 25 12:28:32 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Mon, 25 Oct 2021 12:28:32 +0200
Subject: Why does one machine allow me to use two yubikeys simultaneously
 connected, while another only allows one?
In-Reply-To: <CAF6oXFvM9AiCW0b-7fLTLJS56RJdyVYwUS4sb+_6h8A3K3JyTA@mail.gmail.com>
References: <CAF6oXFvM9AiCW0b-7fLTLJS56RJdyVYwUS4sb+_6h8A3K3JyTA@mail.gmail.com>
Message-ID: <202110251228.32873.bernhard@intevation.de>

Hi Christian,

Am Freitag 22 Oktober 2021 15:24:27 schrieb Christian Chavez via Gnupg-users:
> Anyone got any suggestions on how to debug this?

if you swap in the elder versiong of GnuPG, you could conclude that it is 
indeed the change of behaviour between the versions.

If so you could find out which version in particular introduced this change
and look at the detailed changelogs.

Otherwise what is helping we often is to step of the verbosity and logs
of the different components in trying to see more about what is going on.
E.g. add --verbose, then a second one and then go further with the --debug*
options.

HTH
Regards
Bernhard
-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211025/275c2e84/attachment.sig>

From neal at walfield.org  Mon Oct 25 15:12:06 2021
From: neal at walfield.org (Neal H. Walfield)
Date: Mon, 25 Oct 2021 15:12:06 +0200
Subject: trust-model and federated lookups
In-Reply-To: <YXLR+xn13rTTzN0N@fullerene.field.pennock-tech.net>
References: <YXLR+xn13rTTzN0N@fullerene.field.pennock-tech.net>
Message-ID: <87lf2hdza1.wl-neal@walfield.org>

Hi Phil,

On Fri, 22 Oct 2021 17:00:11 +0200,
Phil Pennock via Gnupg-users wrote:
> When evaluating the trust we have in the identity attached to a key, I
> often see "WARNING: We have NO indication whether the key belongs to the
> person named as shown above"; at the same time, `--with-key-origin` for
> the very same key will show "origin=wkd".
> 
> GnuPG uses the trust-model option to decide how to evaluate the trust we
> have in a key.  I've looked through the options, and checked the release
> notes for the 2.3.x series to confirm nothing new there.
> 
> I'm currently using "trust-model tofu+pgp"/"tofu-default-policy unknown"
> 
> I think what I _want_ is `trust-model pgp+federated+tofu`, which means,
> in order: (1) any sigs from the WoT; (2) origin information from the
> key, if the origin shows the key was safely retrieved from a federated
> origin in a provable way (WKD, various DNSSEC storage options, etc); (3)
> TOFU as a fallback if there's nothing better.
> 
> I might even just want `trust-model pgp+federated` if I'm feeling more
> cautious.  But in reality tofu helps a little.
> 
> Does this make sense to people?  Is there a security problem with this?
> Does this seem like a reasonable feature request?

This absolutely makes sense.  One way to model this in the web of
trust is to imagine that you have a "WKD key," which you consider a
partially trusted introducer, and which certifies keys that you
retrieve via WKD.  Practically, it's a bit more complicated using the
available mechanisms.

:) Neal


From martin at postzone.org  Mon Oct 25 17:01:15 2021
From: martin at postzone.org (Martin)
Date: Mon, 25 Oct 2021 17:01:15 +0200
Subject: GnuPG 2.2.32 with libgcrypt 1.8.8
Message-ID: <mpro.r1jge304luudx1jpt.martin@postzone.org>

Hi

I am really not a programmer ;-) but I tried to compile GnuPG 2.2.32 on my
Ubuntu 20.04 system.

Before I compiled libgcrypt 1.8.8 - seems to work, no error messages. So
these libreriers are going to /usr/local/lib

So I tell configure for GnuPG 2.2.32 to take this libgcrypt 1.8.8 files

with ./configure --with-libgcrypt-prefix=/usr/local

And configure tells me that files are found:

checking for libgcrypt-config... /usr/local/bin/libgcrypt-config
checking for LIBGCRYPT - version >= 1.8.0... yes (1.8.8)

But after "make" and "make install" I see the the GnuPG 2.2.32 doesn't use
libgcrypt 1.8.8 but 1.8.5 (which was installed by Ubuntu repository).

gpg --version
gpg (GnuPG) 2.2.32
libgcrypt 1.8.5

What I am doing wrong?

-- 
Regards

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 516 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211025/2109e7be/attachment.sig>

From gnupg-users at spodhuis.org  Mon Oct 25 19:26:59 2021
From: gnupg-users at spodhuis.org (Phil Pennock)
Date: Mon, 25 Oct 2021 13:26:59 -0400
Subject: trust-model and federated lookups
In-Reply-To: <87lf2hdza1.wl-neal@walfield.org>
References: <YXLR+xn13rTTzN0N@fullerene.field.pennock-tech.net>
 <87lf2hdza1.wl-neal@walfield.org>
Message-ID: <YXbo48d96U882qOA@fullerene.field.pennock-tech.net>

On 2021-10-25 at 15:12 +0200, Neal H. Walfield wrote:
> This absolutely makes sense.  One way to model this in the web of
> trust is to imagine that you have a "WKD key," which you consider a
> partially trusted introducer, and which certifies keys that you
> retrieve via WKD.  Practically, it's a bit more complicated using the
> available mechanisms.

Oh, I do this now, for keys which I care about, but since GnuPG started
tracking origin information it just seems to be something which could be
more automated.

Specifically, I have a laptop-only key which I don't advertise, but is
trusted by my various other boxes, and it uses `--lsign-key` with a
`--cert-notation` for various scenarios.

So for WKD:
  gpg \
    --cert-notation 'wkd-src at pennock-tech.com=YYYY-MM-DD:email at example.org' \
    --lsign-key 0xDEADBEEF

Thus I have WKD introduction as trusted already, I'm just hoping to have
to do less and instead leverage the information GnuPG is already
tracking, with GnuPG issuing fewer scary warnings for _all_ users, not
just those who understand cert notations and local sigs.

My cert-notations patterns for lsigns to date are here, in case they're
helpful to others, whether for copying or because it informs trust
storage models:

  https-web-src at pennock-tech.com=${YYYY_MM_DD}:${URL}
  https-web-fpr-src at pennock-tech.com=${YYYY_MM_DD}:${URL}
    -- page only has fingerprint, key retrieved from keyservers
  keybase at pennock-tech.com=${YYYY_MM_DD}:${KEYBASE_ID}
    -- would nowadays just use public-account@
  wkd-src at pennock-tech.com=${YYYY_MM_DD}:${EMAIL}
  git-repo at pennock-tech.com=${YYYY_MM_DD}:${GIT_DESCRIBE}:${REPO_URL}
    -- when there's an official project repo;
       eg: 2020-01-15:b67a2b9:https://github.com/canterberry/nodejs-keys
       `git describe --tags --always` for the field (haven't yet had to
       escape colons in tags)
  public-account at pennock-tech.com=${YYYY_MM_DD}:${SERVICE}:${ACCOUNT}
    -- eg, github:foo -> <https://github.com/foo.gpg> (uploaded at <https://github.com/settings/keys>)

-Phil


From bernhard at intevation.de  Tue Oct 26 09:37:47 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Tue, 26 Oct 2021 09:37:47 +0200
Subject: GnuPG 2.2.32 with libgcrypt 1.8.8
In-Reply-To: <mpro.r1jge304luudx1jpt.martin@postzone.org>
References: <mpro.r1jge304luudx1jpt.martin@postzone.org>
Message-ID: <202110260937.47635.bernhard@intevation.de>

Am Montag 25 Oktober 2021 17:01:15 schrieb Martin:
> But after "make" and "make install" I see the the GnuPG 2.2.32 doesn't use
> libgcrypt 1.8.8 but 1.8.5 (which was installed by Ubuntu repository).

Maybe you need to modify the LD_LIBRARY_PATH accordingly.

(When self compiling I often create a small file like "setgnupg"
and source it in my shell to set all the path. Here is my file for the 
packages of Phil. For those LD_LIBRARY_PATH is not needed but this maybe 
different in your situation.)

more setgnupg /dev/null
::::::::::::::
setgnupg
::::::::::::::
base=/opt/gnupg

# from Phil Pennock and gnupg-devel:
# LD_LIBRARY_PATH is unneeded,
#   because the executables have the RPATH stamped into them.
#export LD_LIBRARY_PATH=$base/lib:$LD_LIBRARY_PATH

# You _shouldn't_ need to set MANPATH explicitly on any modern man(1)
# system, because they have facilities to translate $PATH to $MANPATH
# accordingly. 
#export MANPATH=$base/share/man:$MANPATH
export PATH=$base/bin:$PATH
export INFOPATH=$base/share/info:$INFOPATH
::::::::::::::

. setgnupg
gets me the new version as preferred binary.

Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/f38c664f/attachment.sig>

From martin at postzone.org  Tue Oct 26 10:23:57 2021
From: martin at postzone.org (Martin)
Date: Tue, 26 Oct 2021 10:23:57 +0200
Subject: GnuPG 2.2.32 with libgcrypt 1.8.8
In-Reply-To: <202110260937.47635.bernhard@intevation.de>
References: <mpro.r1jge304luudx1jpt.martin@postzone.org>
 <202110260937.47635.bernhard@intevation.de>
Message-ID: <174503908.20211026102357@postzone.org>

Hello Bernhard,

Tuesday, October 26, 2021, 9:37:47 AM, you wrote:

> Am Montag 25 Oktober 2021 17:01:15 schrieb Martin:
>> But after "make" and "make install" I see the the GnuPG 2.2.32 doesn't use
>> libgcrypt 1.8.8 but 1.8.5 (which was installed by Ubuntu repository).

> Maybe you need to modify the LD_LIBRARY_PATH accordingly.

Exactly, that was the solution! 

gpg --version
gpg (GnuPG) 2.2.32
libgcrypt 1.8.8

Thank you.
-- 
Best regards,
Martin



From marlow.agents at gmail.com  Tue Oct 26 17:08:56 2021
From: marlow.agents at gmail.com (Andrew Marlow)
Date: Tue, 26 Oct 2021 16:08:56 +0100
Subject: Using gpg to add digital signature to a linux executable
Message-ID: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>

Hello everyone,

For some time now where I work there has been a rule saying "thou shalt add
a digital signature to every executable and shared library when shipping
software designed to run on Windows". This is quite doable and all is well
and good. At least, on Windows. But what about linux? The only thing I've
seen for linux is to create separate digital signatures using tools like
gpg (GNU Privacy Guard). I can find no mention of how to attach them to an
executable or shared library. Has anyone here ever done anything like this
please? It seems to me there is real benefit in doing it. So, much as I
detest Windows, this seems to be one area in which Windows is slightly
ahead.

-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/bf80d7b1/attachment-0001.html>

From rich.hammett at warnermedia.com  Tue Oct 26 18:40:40 2021
From: rich.hammett at warnermedia.com (Hammett, Rich)
Date: Tue, 26 Oct 2021 16:40:40 +0000
Subject: v2.3 of gnupg for automation?
Message-ID: <8282DDE5-9601-4838-8BED-E82B1E9BCF79@warnermedia.com>

We?ve been using v1.4 of gnupg because I read in the documentation and user comments and in my testing, that v2.X couldn?t be used in software automation workflows.  As I recall from the comments a year or two ago, there was a feature (that seemed intentional) that the passphrase had to be entered manually in a popup window in v2.X.  And that even when that was supposedly not required, it still happened occasionally to users, that their automation couldn?t process the file because gnupg v2.X required the manual input.

Can anyone clarify this, or say if this has definitely been removed from v 2.3.3, that manual intervention is no longer required?  A new developer has moved to that version in his testing, and it seems to be working for us, but I remember that people said the problem was intermittent before.

Thanks for any assistance!

Rich Hammett
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/fb8b8f67/attachment.html>

From mailinglist at chiraag.me  Tue Oct 26 21:44:25 2021
From: mailinglist at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=)
Date: Tue, 26 Oct 2021 19:44:25 +0000
Subject: Using gpg to add digital signature to a linux executable
In-Reply-To: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
References: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
Message-ID: <YXhakpYNMF12nJZJ@chiraag-desktop>

12021/07/18 04:64.54 ?????, Andrew Marlow via Gnupg-users <gnupg-users at gnupg.org> ??????:
> Hello everyone,
> 
> For some time now where I work there has been a rule saying "thou shalt add a
> digital signature to every executable and shared library when shipping software
> designed to run on Windows". This is quite doable and all is well and good. At
> least, on Windows. But what about linux? The only thing I've seen for linux is
> to create separate digital signatures using tools like gpg (GNU Privacy Guard).
> I can find no mention of how to attach them to an executable or shared library.
> Has anyone here ever done anything like this please? It seems to me there is
> real benefit in doing it. So, much as I detest Windows, this seems to be one
> area in which Windows is slightly ahead.
> 
> --
> Regards,
> 
> Andrew Marlow
> [1]http://www.andrewpetermarlow.co.uk
> 
> 
> References:
> 
> [1] http://www.andrewpetermarlow.co.uk/

Why not do a detached signature using e.g. gpg -sb --output file.sig file? Then, someone can run gpg --verify file.sig file to ensure that the signature is valid.

HTH,

Chiraag
-- 
?????? ??????
Pronouns: he/him/his
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - mailinglist at chiraag.me - b0c8d720.asc
Type: application/pgp-keys
Size: 713 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/25d3a1c3/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/25d3a1c3/attachment.sig>

From stuartl at longlandclan.id.au  Tue Oct 26 23:46:42 2021
From: stuartl at longlandclan.id.au (Stuart Longland)
Date: Wed, 27 Oct 2021 07:46:42 +1000
Subject: Using gpg to add digital signature to a linux executable
In-Reply-To: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
References: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
Message-ID: <20211027074642.4714c0ba@longlandclan.id.au>

On Tue, 26 Oct 2021 16:08:56 +0100
Andrew Marlow via Gnupg-users <gnupg-users at gnupg.org> wrote:

> For some time now where I work there has been a rule saying "thou shalt add
> a digital signature to every executable and shared library when shipping
> software designed to run on Windows". This is quite doable and all is well
> and good. At least, on Windows. But what about linux? The only thing I've
> seen for linux is to create separate digital signatures using tools like
> gpg (GNU Privacy Guard). I can find no mention of how to attach them to an
> executable or shared library.

I think your first challenge is that I'm not sure ELF has any mechanism
for digital signatures.  *BUT*, that doesn't stop one from adding a
section in the ELF binary that embeds a digital signature.

The trick is knowing what parts of the ELF binary need digital
signature protection.  I would suggest at a minimum the .text and .data
sections.  .text contains the machine code and .data contains the
statically-allocated variables and read-only data.

You could conceptually extract these as raw binary images, concatenate
them with some sort of describing header (derived from the ELF header)
that indicates where they are loaded and whatever metadata you think is
appropriate, then digitally sign *that* blob, generating a new
OpenPGP-format binary blob.

https://stackoverflow.com/questions/1088128/adding-section-to-elf-file
might provide some inspiration too.

To verify, you'd simply use `objcopy` to extract the bits, re-assemble
the signed parts then verify the signature.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


From rjh at sixdemonbag.org  Wed Oct 27 00:17:46 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 26 Oct 2021 18:17:46 -0400
Subject: Using gpg to add digital signature to a linux executable
In-Reply-To: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
References: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
Message-ID: <ab79b3d4-7581-bf71-e80c-381f9b394365@sixdemonbag.org>

> all is well and good. At least, on Windows. But what about linux?

As a general rule, Windows signs executables more than it signs 
packages; Linux signs packages more than it signs executables.  The best 
practice seems to be to use GnuPG to attach a digital signature to an 
RPM or DEB (or Snap or Flatpak or what-have-you), rather than to sign 
the executables directly.

> doing it. So, much as I detest Windows, this seems to be one area in 
> which Windows is slightly ahead.

"Ahead" might be putting it a little strongly.  The two operating 
systems are different and have different approaches to supply chain 
security.  :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/debf49b9/attachment-0001.sig>

From rjh at sixdemonbag.org  Wed Oct 27 00:21:16 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 26 Oct 2021 18:21:16 -0400
Subject: v2.3 of gnupg for automation?
In-Reply-To: <8282DDE5-9601-4838-8BED-E82B1E9BCF79@warnermedia.com>
References: <8282DDE5-9601-4838-8BED-E82B1E9BCF79@warnermedia.com>
Message-ID: <f2ea362a-e9e4-2098-cc87-34a687b3dcc6@sixdemonbag.org>

> We?ve been using v1.4 of gnupg because I read in the documentation
> and user comments and in my testing, that v2.X couldn?t be used in
> software automation workflows.

This might have been true several years ago, but it isn't true today.

> there was a feature (that seemed intentional) that the passphrase had
> to be entered manually in a popup window in v2.X.

That's true, and is correct.  If you're passing a passphrase via the
command line, that passphrase becomes visible to anyone with the
privileges to get a list of processes and arguments.  At that point the
passphrase really isn't providing much in the way of security.

> And that even when that was supposedly not required, it still
> happened occasionally to users, that their automation couldn?t
> process the file because gnupg v2.X required the manual input.

I'm unaware of any instance of this being true.  I am aware of *many*
instances of people discovering they did, in fact, have a passphrase on
their key after swearing up and down they didn't.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/48e76044/attachment.sig>

From rjh at sixdemonbag.org  Wed Oct 27 00:24:22 2021
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 26 Oct 2021 18:24:22 -0400
Subject: Using gpg to add digital signature to a linux executable
In-Reply-To: <YXhakpYNMF12nJZJ@chiraag-desktop>
References: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
 <YXhakpYNMF12nJZJ@chiraag-desktop>
Message-ID: <5baa696d-b003-5a1b-c31d-387a18abeeee@sixdemonbag.org>

> Why not do a detached signature using e.g. gpg -sb --output file.sig
> file? Then, someone can run gpg --verify file.sig file to ensure that
> the signature is valid.

(a) because the OP specifically said he was looking for integrated 
signatures, and

(b) detached signatures have a way of getting lost, not distributed with 
the executables, and so on.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211026/08be6a65/attachment.sig>

From gnupg at eckner.net  Wed Oct 27 06:20:11 2021
From: gnupg at eckner.net (Erich Eckner)
Date: Wed, 27 Oct 2021 06:20:11 +0200 (CEST)
Subject: Using gpg to add digital signature to a linux executable
In-Reply-To: <ab79b3d4-7581-bf71-e80c-381f9b394365@sixdemonbag.org>
References: <CAFN3dw0HtMD8pNR7SH6AY6RMCMSQa1YXghvChU=pOqYsu06syQ@mail.gmail.com>
 <ab79b3d4-7581-bf71-e80c-381f9b394365@sixdemonbag.org>
Message-ID: <e3f9efe9-6439-f011-89f1-81b7e5c589e@eckner.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, 26 Oct 2021, Robert J. Hansen via Gnupg-users wrote:

>> all is well and good. At least, on Windows. But what about linux?
>
> As a general rule, Windows signs executables more than it signs packages; 
> Linux signs packages more than it signs executables.  The best practice seems 
> to be to use GnuPG to attach a digital signature to an RPM or DEB (or Snap or 
> Flatpak or what-have-you), rather than to sign the executables directly.
>
>> doing it. So, much as I detest Windows, this seems to be one area in which 
>> Windows is slightly ahead.
>
> "Ahead" might be putting it a little strongly.  The two operating systems are 
> different and have different approaches to supply chain security.  :)
>

The possibility to sign individual executables and libraries sounds very 
interesting to me as a (more or less pure) linux user: If I want to make 
sure, the files are in order, currently, I need to find the package, that 
contained the file, check its signature and compare with the filesystem 
state. However, if there was (also) a signature on the file, I could more 
easily check single files - and I could even easily identify files, which 
were not installed by the package manager.

tl;dr: If you have some results regarding signing binaries in-situ, share 
them with the public!

regards,
Erich

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE3p92iMrPBP64GmxZCu7JB1Xae1oFAmF403wACgkQCu7JB1Xa
e1pAfw/+PIeCaWCXvwgbtEEksd6HU0lSgA2PW1j5ZpcyhrH+9L5164nzCqyhMFA9
7NBmEzZVP0GFm8RGeWA+1cAAFWTbeyAAfqAbaOm/cCkCAApGMfJxeMPiqJuEBox1
LdoNoiLIOq6OgUvlIr5CcSYG7pppI6eSNX0GwC7CuLVZo2+FDdjUNE5S/D9KIwM8
rlbpo3cKWgcCwdXzQ2KyTyPUL1dLxQ2fWXYHiAV9HFugVZBbMXpiAHFD5C5VqeMx
aJFWo74uGJXXd1bqD/JktFgUBwG3pZ7QG7eq9XfPCk8fPZfch4L/7oPuEekwP9Bg
DPLRZS79mNnq/I30L6pHA+yvAQjnGgH3K2QNCBUdrUUBPXUxllUeP78tHKjP37Tp
VfCTEeByuaC9evt4Rg1A9NXw5tQb1+fx+agDAJsPCD6+tKZA48Hw0AcGuWGehASG
aPe6JJWulYvOUbx0s/q7aW6w9uuZE+4INT0MhhuUShhizFBCbKaDcEKEN/LAUQph
NapPteQCnb/JZl2LIfXrK997CSQMpMCr/k1a2LboYy86bNqVzWTBlBNOKkLazDEY
wYH7r/afkBqrGZ5cJDTJ5OvpuzBWMhrREXENhJ8EsS5/qyd5Eph40wjGDHhWNnpl
glHa/oLOMRXfnwb+ZnUO3mn5iFfa7e0DUTIfwpMQdCoJ3CKwXKk=
=FbRx
-----END PGP SIGNATURE-----


From wk at gnupg.org  Wed Oct 27 09:33:16 2021
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Oct 2021 09:33:16 +0200
Subject: v2.3 of gnupg for automation?
In-Reply-To: <f2ea362a-e9e4-2098-cc87-34a687b3dcc6@sixdemonbag.org> (Robert
 J. Hansen via Gnupg-users's message of "Tue, 26 Oct 2021 18:21:16
 -0400")
References: <8282DDE5-9601-4838-8BED-E82B1E9BCF79@warnermedia.com>
 <f2ea362a-e9e4-2098-cc87-34a687b3dcc6@sixdemonbag.org>
Message-ID: <87wnlykjlv.fsf@wheatstone.g10code.de>

On Tue, 26 Oct 2021 18:21, Robert J. Hansen said:

> That's true, and is correct.  If you're passing a passphrase via the
> command line, that passphrase becomes visible to anyone with the
> privileges to get a list of processes and arguments.  At that point the
> passphrase really isn't providing much in the way of security.

I fully agree.

If, for whatever reasons, a passphrase is required the suggested
workaround is to add

  --pinentry-mode=loopback

to the gpg invocation.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211027/505c2e7d/attachment.sig>

From christoph-klassen at mail.de  Wed Oct 27 18:16:14 2021
From: christoph-klassen at mail.de (Christoph Klassen)
Date: Wed, 27 Oct 2021 18:16:14 +0200
Subject: Error when trying to locate key via WKD
Message-ID: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>

Hello,

I tried to get a key via WKD (using the command --locate-keys), but it 
didn't work as expected. The error message I got was:

gpg: using pgp trust model
gpg: error retrieving 'christoph-klassen at mail.de' via Local: No public key
gpg: Note: WKD uses a cached result
gpg: error retrieving 'christoph-klassen at mail.de' via WKD: No data
gpg: error reading key: No data

But when I use the following link (direct method), it is possible to 
download the key:

https://mail.de/.well-known/openpgpkey/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6

I used GnuPG 2.2.19.


Regards,

Christoph




From kloecker at kde.org  Wed Oct 27 20:54:28 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Wed, 27 Oct 2021 20:54:28 +0200
Subject: Error when trying to locate key via WKD
In-Reply-To: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
Message-ID: <1640885.nFqEM8oKAJ@breq>

On Mittwoch, 27. Oktober 2021 18:16:14 CEST Christoph Klassen via Gnupg-users wrote:
> Hello,
> 
> I tried to get a key via WKD (using the command --locate-keys), but it
> didn't work as expected. The error message I got was:
> 
> gpg: using pgp trust model
> gpg: error retrieving 'christoph-klassen at mail.de' via Local: No public key
> gpg: Note: WKD uses a cached result
> gpg: error retrieving 'christoph-klassen at mail.de' via WKD: No data
> gpg: error reading key: No data
> 
> But when I use the following link (direct method), it is possible to
> download the key:
> 
> https://mail.de/.well-known/openpgpkey/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6

I added
```
log-file <some-absolute-path>/dirmngr.log
debug-level guru
debug-all
```
in dirmngr.conf, ran the command and got the below log.

The important part is
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
i.e. in the URL that dirmngr requests there is an additional "mail.de"
between "/openpgp/" and "/hu/" that is missing in your URL.

```
[...]
2021-10-27 20:44:04 dirmngr[26980.6] DBG: chan_6 <- WKD_GET -- christoph-klassen at mail.de
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: libdns initialized
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(openpgpkey.mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: chan_6 -> S SOURCE https://openpgpkey.mail.de
2021-10-27 20:44:04 dirmngr[26980.6] number of system provided CAs: 520
2021-10-27 20:44:04 dirmngr[26980.6] DBG: Using TLS library: GNUTLS 3.7.2
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:connect_server: trying name='openpgpkey.mail.de' port=443
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(openpgpkey.mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:1917:socket_new: object 0x00007efc7404ced0 for fd 7 created
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> Host: openpgpkey.mail.de\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request-header:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> \r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:response:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> HTTP/1.1 301 Moved Permanently\r\n
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Server: nginx'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Date: Wed, 27 Oct 2021 18:44:04 GMT'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Content-Type: text/html'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Content-Length: 162'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Connection: close'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: 'Location: https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen'
2021-10-27 20:44:04 dirmngr[26980.6] http.c:RESP: ''
2021-10-27 20:44:04 dirmngr[26980.6] URL 'https://openpgpkey.mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen' redirected to 'https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen' (301)
2021-10-27 20:44:04 dirmngr[26980.6] DBG: Using TLS library: GNUTLS 3.7.2
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:connect_server: trying name='mail.de' port=443
2021-10-27 20:44:04 dirmngr[26980.6] DBG: dns: resolve_dns_name(mail.de): Success
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:1917:socket_new: object 0x00007efc740157f0 for fd 7 created
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen HTTP/1.0\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> Host: mail.de\r\n
2021-10-27 20:44:04 dirmngr[26980.6] DBG: http.c:request-header:
2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> \r\n
2021-10-27 20:44:05 dirmngr[26980.6] DBG: http.c:response:
2021-10-27 20:44:05 dirmngr[26980.6] DBG: >> HTTP/1.1 404 Not Found\r\n
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Server: nginx'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Date: Wed, 27 Oct 2021 18:44:05 GMT'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Content-Type: text/html; charset=UTF-8'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Content-Length: 13'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: 'Connection: close'
2021-10-27 20:44:05 dirmngr[26980.6] http.c:RESP: ''
2021-10-27 20:44:05 dirmngr[26980.6] error accessing 'https://mail.de/.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=christoph-klassen': http status 404
2021-10-27 20:44:05 dirmngr[26980.6] command 'WKD_GET' failed: No data
2021-10-27 20:44:05 dirmngr[26980.6] DBG: chan_6 -> ERR 167772218 No data <Dirmngr>
2021-10-27 20:44:05 dirmngr[26980.6] DBG: chan_6 <- BYE
2021-10-27 20:44:05 dirmngr[26980.6] DBG: chan_6 -> OK closing connection
[...]
```

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211027/9fbf53c5/attachment-0001.sig>

From kloecker at kde.org  Wed Oct 27 22:54:48 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Wed, 27 Oct 2021 22:54:48 +0200
Subject: Error when trying to locate key via WKD
In-Reply-To: <dcfb9b26-1765-af93-c5a9-d91671ab8453@mail.de>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
 <1640885.nFqEM8oKAJ@breq> <dcfb9b26-1765-af93-c5a9-d91671ab8453@mail.de>
Message-ID: <2660343.vDmsG4xQrA@breq>

[Putting this back on the mailing list. Please keep replies on the list.]

On Mittwoch, 27. Oktober 2021 21:20:03 CEST Christoph Klassen wrote:
> On 27.10.21 20:54, Ingo Kl?cker wrote:
> > The important part is
> > 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET
> > /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=chr
> > istoph-klassen HTTP/1.0\r\n i.e. in the URL that dirmngr requests there is
> > an additional "mail.de" between "/openpgp/" and "/hu/" that is missing in
> > your URL.
> 
> That would be the advanced method of WKD (Here's the draft:
> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
> which indeed doesn't work with my mail provider. But when I try the
> direct method (Example from the draft:
> https://example.org/.well-known/openpgpkey/
> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my
> provider's WKD server. I admit I forgot the parameter in the URL I post.
> 
> But that wasn't the point. My problem is that GnuGP couldn't get the key
> via WKD and I don't understand why because it seems like it should work.

The problem is that the domain openpgpkey.mail.de exists (or seems to exist) 
although mail.de doesn't support the advanced method. The draft you mentioned 
says:

   There are two variants on how to form the request URI: The advanced
   and the direct method.  Implementations MUST first try the advanced
   method.  Only if the required sub-domain does not exist, they SHOULD
   fall back to the direct method.

   The advanced method requires that a sub-domain with the fixed name
   "openpgpkey" is created and queried.

Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist), 
gpg first tries the advanced method. This fails. gpg doesn't fall back to the 
direct method as per the spec: "Only if the required sub-domain does not 
exist, they SHOULD fall back to the direct method."

The problem is that mail.de redirects any sub-domain to mail.de, e.g.
`curl https://foobar.mail.de` is also redirected to `https://mail.de`. The 
problem with wildcard sub-domains and WKD has been discussed here or on 
gnupg-devel recently.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211027/7f5802d1/attachment.sig>

From gnupg at raf.org  Thu Oct 28 06:09:22 2021
From: gnupg at raf.org (raf)
Date: Thu, 28 Oct 2021 15:09:22 +1100
Subject: v2.3 of gnupg for automation?
In-Reply-To: <87wnlykjlv.fsf@wheatstone.g10code.de>
References: <8282DDE5-9601-4838-8BED-E82B1E9BCF79@warnermedia.com>
 <f2ea362a-e9e4-2098-cc87-34a687b3dcc6@sixdemonbag.org>
 <87wnlykjlv.fsf@wheatstone.g10code.de>
Message-ID: <YXoicm+du7L60H/r@raf.org>

On Wed, Oct 27, 2021 at 09:33:16AM +0200, Werner Koch via Gnupg-users <gnupg-users at gnupg.org> wrote:

> On Tue, 26 Oct 2021 18:21, Robert J. Hansen said:
> 
> > That's true, and is correct.  If you're passing a passphrase via the
> > command line, that passphrase becomes visible to anyone with the
> > privileges to get a list of processes and arguments.  At that point the
> > passphrase really isn't providing much in the way of security.
> 
> I fully agree.
> 
> If, for whatever reasons, a passphrase is required the suggested
> workaround is to add
> 
>   --pinentry-mode=loopback
> 
> to the gpg invocation.
> 
> Salam-Shalom,
> 
>    Werner

But be warned, loopback doesn't handle password retries after a failure.
If it did, it would be great. But for automation, that shouldn't matter.

cheers,
raf



From christoph-klassen at mail.de  Thu Oct 28 09:32:55 2021
From: christoph-klassen at mail.de (Christoph Klassen)
Date: Thu, 28 Oct 2021 09:32:55 +0200
Subject: Error when trying to locate key via WKD
In-Reply-To: <2660343.vDmsG4xQrA@breq>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
 <1640885.nFqEM8oKAJ@breq> <dcfb9b26-1765-af93-c5a9-d91671ab8453@mail.de>
 <2660343.vDmsG4xQrA@breq>
Message-ID: <3eb1e9ae-e126-397b-195f-e4f2ef60fde0@mail.de>

On 27.10.21 22:54, Ingo Kl?cker wrote:
> [Putting this back on the mailing list. Please keep replies on the list.]
>
> On Mittwoch, 27. Oktober 2021 21:20:03 CEST Christoph Klassen wrote:
>> On 27.10.21 20:54, Ingo Kl?cker wrote:
>>> The important part is
>>> 2021-10-27 20:44:04 dirmngr[26980.6] DBG: >> GET
>>> /.well-known/openpgpkey/mail.de/hu/9w5z5jua7mhm8xoha4aixbdx4rotdwm6?l=chr
>>> istoph-klassen HTTP/1.0\r\n i.e. in the URL that dirmngr requests there is
>>> an additional "mail.de" between "/openpgp/" and "/hu/" that is missing in
>>> your URL.
>> That would be the advanced method of WKD (Here's the draft:
>> https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/),
>> which indeed doesn't work with my mail provider. But when I try the
>> direct method (Example from the draft:
>> https://example.org/.well-known/openpgpkey/
>> hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe) I can get the key from my
>> provider's WKD server. I admit I forgot the parameter in the URL I post.
>>
>> But that wasn't the point. My problem is that GnuGP couldn't get the key
>> via WKD and I don't understand why because it seems like it should work.
> The problem is that the domain openpgpkey.mail.de exists (or seems to exist)
> although mail.de doesn't support the advanced method. The draft you mentioned
> says:
>
>     There are two variants on how to form the request URI: The advanced
>     and the direct method.  Implementations MUST first try the advanced
>     method.  Only if the required sub-domain does not exist, they SHOULD
>     fall back to the direct method.
>
>     The advanced method requires that a sub-domain with the fixed name
>     "openpgpkey" is created and queried.
>
> Because the sub-domain openpgpkey.mail.de exists (or rather, seems to exist),
> gpg first tries the advanced method. This fails. gpg doesn't fall back to the
> direct method as per the spec: "Only if the required sub-domain does not
> exist, they SHOULD fall back to the direct method."
>
> The problem is that mail.de redirects any sub-domain to mail.de, e.g.
> `curl https://foobar.mail.de` is also redirected to `https://mail.de`. The
> problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Thank you for your explanation, Ingo! Now I understand what you meant. 
It's a pity that GPG doesn't fall back to the direct method.


Regards,

Christoph




From bernhard at intevation.de  Thu Oct 28 11:44:40 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 28 Oct 2021 11:44:40 +0200
Subject: Error when trying to locate key via WKD
In-Reply-To: <3eb1e9ae-e126-397b-195f-e4f2ef60fde0@mail.de>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
 <2660343.vDmsG4xQrA@breq> <3eb1e9ae-e126-397b-195f-e4f2ef60fde0@mail.de>
Message-ID: <202110281144.45876.bernhard@intevation.de>

Am Donnerstag 28 Oktober 2021 09:32:55 schrieb Christoph Klassen via 
Gnupg-users:
> that GPG doesn't fall back to the direct method.

AFAIU it cannot fall back, because openpgpkey.mail.de seem to exist.


Am Mittwoch 27 Oktober 2021 22:54:48 schrieb Ingo Kl?cker:
> The problem with wildcard sub-domains and WKD has been discussed here or on
> gnupg-devel recently.

Ingo,
can you provide me a pointer to the gnupg-devel thread?
(Did a few minutes of searching, I probably missed something.)

Best Regards,
Bernhard

-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211028/97421411/attachment.sig>

From andrewg at andrewg.com  Thu Oct 28 12:07:52 2021
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 28 Oct 2021 11:07:52 +0100
Subject: Error when trying to locate key via WKD
In-Reply-To: <202110281144.45876.bernhard@intevation.de>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
 <2660343.vDmsG4xQrA@breq> <3eb1e9ae-e126-397b-195f-e4f2ef60fde0@mail.de>
 <202110281144.45876.bernhard@intevation.de>
Message-ID: <f99f9102-7934-8fdc-657b-3ab903fbfedc@andrewg.com>

On 28/10/2021 10:44, Bernhard Reiter wrote:
> Am Mittwoch 27 Oktober 2021 22:54:48 schrieb Ingo Kl?cker:
>> The problem with wildcard sub-domains and WKD has been discussed here or on
>> gnupg-devel recently.
> 
> Ingo,
> can you provide me a pointer to the gnupg-devel thread?
> (Did a few minutes of searching, I probably missed something.)
> 

The megathread from hell starts here :-)

https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

But the most concise summary is probably this:

https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064575.html

-- 
Andrew Gallagher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211028/986ef244/attachment.sig>

From bernhard at intevation.de  Thu Oct 28 13:25:05 2021
From: bernhard at intevation.de (Bernhard Reiter)
Date: Thu, 28 Oct 2021 13:25:05 +0200
Subject: WKD,
 wildcard DNS resolution (Re: Error when trying to locate key via WKD)
In-Reply-To: <f99f9102-7934-8fdc-657b-3ab903fbfedc@andrewg.com>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
 <202110281144.45876.bernhard@intevation.de>
 <f99f9102-7934-8fdc-657b-3ab903fbfedc@andrewg.com>
Message-ID: <202110281325.11315.bernhard@intevation.de>



Am Donnerstag 28 Oktober 2021 12:07:52 schrieb Andrew Gallagher via 
Gnupg-users:
> On 28/10/2021 10:44, Bernhard Reiter wrote:

> > can you provide me a pointer to the gnupg-devel thread?
> > (Did a few minutes of searching, I probably missed something.)
>
> The megathread from hell starts here :-)
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html

That is not gnupg-_devel_ (where I was searching). :)
I actually read most of the January thread on "WKD for GitHub pages".

Interesting to me is:
https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
Ingo explaning that it is considered a security drawback if a domain
for the advanced method is there but does not allow a connection
with a valid TLS certificate.

The understanding of the current draft therefore is
  If the subdomain for the advanced method resolves via DNS,
  the direct method MUST NOT be used. 

Rationale: if the webspace of my email domain is not under my direct control, 
I'll use the advanced method to indicate a different WKD server I'll trust
(and control sufficiently to do so) by creating the necessary DNS entry.
If a WKD client would ask this email domain webspace in the direct method, 
there is an additional attack vector because I do not control the webserver.

On the other hand, if I trust my email domain webserver, the DNS provider can 
create the advanced method DNS entry and attack me. However this DNS provider
could also just change the entry to my email domain webserver.

If so, maybe the phrasing can be improved for the next draft.

Regards,
Bernhard



-- 
www.intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211028/5cad014b/attachment-0001.sig>

From andrewg at andrewg.com  Thu Oct 28 13:59:39 2021
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Thu, 28 Oct 2021 12:59:39 +0100
Subject: WKD, wildcard DNS resolution (Re: Error when trying to locate key
 via WKD)
In-Reply-To: <202110281325.11315.bernhard@intevation.de>
References: <d02a1e46-2768-912e-e761-8d15172b25f8@mail.de>
 <202110281144.45876.bernhard@intevation.de>
 <f99f9102-7934-8fdc-657b-3ab903fbfedc@andrewg.com>
 <202110281325.11315.bernhard@intevation.de>
Message-ID: <64cad0e4-f407-2d3c-cb71-2b6f82e30c97@andrewg.com>

On 28/10/2021 12:25, Bernhard Reiter wrote:
> Am Donnerstag 28 Oktober 2021 12:07:52 schrieb Andrew Gallagher via
> Gnupg-users:
>> The megathread from hell starts here :-)
>> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064567.html
> 
> That is not gnupg-_devel_ (where I was searching). :)

To be fair to Ingo, he did say "here OR on gnupg-devel" :-)

> Interesting to me is:
> https://lists.gnupg.org/pipermail/gnupg-users/2021-January/064584.html
> Ingo explaning that it is considered a security drawback if a domain
> for the advanced method is there but does not allow a connection
> with a valid TLS certificate.
> 
> The understanding of the current draft therefore is
>    If the subdomain for the advanced method resolves via DNS,
>    the direct method MUST NOT be used.

As Werner pointed out on the other thread, the mail provider can disable 
the advanced method by creating a TXT record for openpgpkey.mail.de - 
the existence of the TXT record will prevent the wildcard from matching 
the advanced method's A lookup, and gnupg should fail back to the old 
method.

The ball belongs in mail.de's court IMO, however the confusion is 
understandable.

> On the other hand, if I trust my email domain webserver, the DNS provider can
> create the advanced method DNS entry and attack me. However this DNS provider
> could also just change the entry to my email domain webserver.

Indeed, if you don't trust your DNS provider, you have worse problems... ;-)

-- 
Andrew Gallagher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211028/4f966740/attachment.sig>

From chris at christaylordeveloper.co.uk  Fri Oct 29 10:17:16 2021
From: chris at christaylordeveloper.co.uk (Chris Taylor)
Date: Fri, 29 Oct 2021 10:17:16 +0200
Subject: Unable to decrypt file copied from USB thumb drive.
Message-ID: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>

Hello Group,

I am developing a backup process for personal files, on USB thumb 
drive.? I tar and zip my files (30GB) then encrypt them with:

gpg --no-symkey-cache --symmetric --cipher-algo AES256 my-backup.tar.gz

I copy my-backup.tar.gz.gpg to my USB thumb drive.? I am using Ubuntu so 
the USB drive is formatted to Ext4.

I try to decrypt with:

gpg --output my-backup.tar.gz --decrypt my-backup.tar.gz.gpg

and get the following error:

gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
gpg: block_filter 0x0000556d112aa1e0: read error (size=13328,a->size=13328)
gpg: WARNING: encrypted message has been manipulated!
gpg: block_filter: pending bytes!

I have gpg version 2.2.19, libgcrypt 1.8.5.? Without encryption this 
process has worked perfectly well many times.

Any advice greatly appreciated.

Chris.




From dirkx at webweaving.org  Fri Oct 29 12:05:35 2021
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 29 Oct 2021 12:05:35 +0200
Subject: Unable to decrypt file copied from USB thumb drive.
In-Reply-To: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>
References: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>
Message-ID: <B1A69628-9DF5-41BF-87DA-FFF94E3ED81F@webweaving.org>

On 29 Oct 2021, at 10:17, Chris Taylor <chris at christaylordeveloper.co.uk> wrote:
> I am developing a backup process for personal files, on USB thumb drive.  I tar and zip my files (30GB) then encrypt them with:
> 
> gpg --no-symkey-cache --symmetric --cipher-algo AES256 my-backup.tar.gz
> 
> I copy my-backup.tar.gz.gpg to my USB thumb drive.  I am using Ubuntu so the USB drive is formatted to Ext4.
> 
> I try to decrypt with:
> 
> gpg --output my-backup.tar.gz --decrypt my-backup.tar.gz.gpg
> 
> and get the following error:
> 
> gpg: AES256 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: block_filter 0x0000556d112aa1e0: read error (size=13328,a->size=13328)
> gpg: WARNING: encrypted message has been manipulated!
> gpg: block_filter: pending bytes!
> 
> I have gpg version 2.2.19, libgcrypt 1.8.5.  Without encryption this process has worked perfectly well many times.

I'd first check with something like

	openssl sha256  my-backup.tar.gz

prior to copy / post copy if your thumb drive is good.

Dw.

From chris at christaylordeveloper.co.uk  Fri Oct 29 14:30:19 2021
From: chris at christaylordeveloper.co.uk (Chris Taylor)
Date: Fri, 29 Oct 2021 14:30:19 +0200
Subject: Unable to decrypt file copied from USB thumb drive.
In-Reply-To: <B1A69628-9DF5-41BF-87DA-FFF94E3ED81F@webweaving.org>
References: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>
 <B1A69628-9DF5-41BF-87DA-FFF94E3ED81F@webweaving.org>
Message-ID: <c7d33549-b38c-0032-f356-2e483bcbca89@christaylordeveloper.co.uk>

Thank you - I will check.

Almost certainly the hash of my .gpg file will be different after it has 
passed through the Thumb Drive.? However, no other files on the Thumb 
Drive get corrupted.? So, my question will probably become how can I 
protect my .gpg file when it is moved off my laptop onto other meda?

Chris.


On 29/10/2021 12:05, Dirk-Willem van Gulik wrote:
> On 29 Oct 2021, at 10:17, Chris Taylor <chris at christaylordeveloper.co.uk> wrote:
>> I am developing a backup process for personal files, on USB thumb drive.  I tar and zip my files (30GB) then encrypt them with:
>>
>> gpg --no-symkey-cache --symmetric --cipher-algo AES256 my-backup.tar.gz
>>
>> I copy my-backup.tar.gz.gpg to my USB thumb drive.  I am using Ubuntu so the USB drive is formatted to Ext4.
>>
>> I try to decrypt with:
>>
>> gpg --output my-backup.tar.gz --decrypt my-backup.tar.gz.gpg
>>
>> and get the following error:
>>
>> gpg: AES256 encrypted data
>> gpg: encrypted with 1 passphrase
>> gpg: block_filter 0x0000556d112aa1e0: read error (size=13328,a->size=13328)
>> gpg: WARNING: encrypted message has been manipulated!
>> gpg: block_filter: pending bytes!
>>
>> I have gpg version 2.2.19, libgcrypt 1.8.5.  Without encryption this process has worked perfectly well many times.
> I'd first check with something like
>
> 	openssl sha256  my-backup.tar.gz
>
> prior to copy / post copy if your thumb drive is good.
>
> Dw.


From kkobayashi at edgematrix.com  Fri Oct 29 09:24:57 2021
From: kkobayashi at edgematrix.com (Kazunori Kobayashi)
Date: Fri, 29 Oct 2021 16:24:57 +0900
Subject: Too many open files caused by repeated decryption operations via a
 GPGME API
Message-ID: <c9307d9c-8847-e53f-b507-d50b540d2f62@edgematrix.com>

Hi,

On modern Linux, we can change the maximum number of file descriptors per process in some ways. This feature is a well-known way for long time operation without reboot in cases such as server machines.

When I tried many iteration test of decryption via gpgme_op_decrypt() with the maximum number of file descriptors increased, "Too many open files" was caught from its result. At that time, the number of used file descriptors in the process did not reached to the limit I set.

The following error log was observed with the debug level of 5 enabled.

GPGME 2021-10-21 16:18:26 <0x047e>? gpgme_op_decrypt:493: error: Too many open files <GPGME>

I investigated where this error was caused in the source code, then found the following if statement to see if a value of file descriptor is bigger than FD_SETSIZE assumed the passed file descriptor is invalid and set the error code as EMFILE.

https://github.com/gpg/gpgme/blob/gpgme-1.10.0/src/posix-io.c#L673

The file descriptor seemed to be counted up to 1024 by repeating decryption operations. This value is derived from the upper limit of select(), but poll() is currently recommended on Linux and no limiting values are determined. This code using select() seems incompatible with the current file descriptor management on Linux.

My failure case occurred in v1.10.0, but the logic in master has the same if statement. For this reason, this problem will occur in the latest version.

https://github.com/gpg/gpgme/blob/master/src/posix-io.c#L725

One of the solution to avoid this issue would be to export the I/O callback functions to the caller side. I think we can avoid using the internal select() code and do appropriate synchronization I hope outside the gpgme library.

I referred to the following document.

https://www.gnupg.org/documentation/manuals/gpgme/I_002fO-Callback-Example.html#I_002fO-Callback-Example

However I feel that way is different from the original purpose of exporting the I/O callbacks, so it's just a workaround. If there is a more appropriate way to handle file descriptors more than the system default in GPGME, please let me know.

Regards,

-- 
Kazunori Kobayashi
EDGEMATRIX Inc.
https://edgematrix.com



From mailinglist at chiraag.me  Fri Oct 29 15:01:27 2021
From: mailinglist at chiraag.me (=?utf-8?B?4LKa4LK/4LKw4LK+4LKX4LONIOCyqOCyn+CysOCyvuCynOCzjQ==?=)
Date: Fri, 29 Oct 2021 13:01:27 +0000
Subject: Unable to decrypt file copied from USB thumb drive.
In-Reply-To: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>
References: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>
Message-ID: <YXvwn7qzXIVka39D@chiraag-desktop>

12021/07/21 01:78.66 ?????, Chris Taylor <chris at christaylordeveloper.co.uk> ??????:
> Hello Group,
> 
> I am developing a backup process for personal files, on USB thumb
> drive.? I tar and zip my files (30GB) then encrypt them with:
> 
> gpg --no-symkey-cache --symmetric --cipher-algo AES256 my-backup.tar.gz
> 
> I copy my-backup.tar.gz.gpg to my USB thumb drive.? I am using Ubuntu so
> the USB drive is formatted to Ext4.
> 
> I try to decrypt with:
> 
> gpg --output my-backup.tar.gz --decrypt my-backup.tar.gz.gpg
> 
> and get the following error:
> 
> gpg: AES256 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: block_filter 0x0000556d112aa1e0: read error (size=13328,a->size=13328)
> gpg: WARNING: encrypted message has been manipulated!
> gpg: block_filter: pending bytes!
> 
> I have gpg version 2.2.19, libgcrypt 1.8.5.? Without encryption this
> process has worked perfectly well many times.
> 
> Any advice greatly appreciated.
> 
> Chris.

Do you get the same error if you try to decrypt it before moving the file? I tried with the exact same arguments with gpg 2.3.1, libgcrypt 1.9.4 and everything worked well (though I didn't try moving the files to another medium).

I also wonder if you're waiting until the file has been fully written (you can ensure this by running `sync` and waiting until it has returned) before trying to decrypt?

- Chiraag
-- 
?????? ??????
Pronouns: he/him/his
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - mailinglist at chiraag.me - b0c8d720.asc
Type: application/pgp-keys
Size: 713 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211029/c9412351/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211029/c9412351/attachment.sig>

From skquinn at rushpost.com  Fri Oct 29 14:54:48 2021
From: skquinn at rushpost.com (Shawn K. Quinn)
Date: Fri, 29 Oct 2021 07:54:48 -0500
Subject: Unable to decrypt file copied from USB thumb drive.
In-Reply-To: <c7d33549-b38c-0032-f356-2e483bcbca89@christaylordeveloper.co.uk>
References: <da0caf4d-3aa6-e7d7-e5dd-bc2b5f8100b3@christaylordeveloper.co.uk>
 <B1A69628-9DF5-41BF-87DA-FFF94E3ED81F@webweaving.org>
 <c7d33549-b38c-0032-f356-2e483bcbca89@christaylordeveloper.co.uk>
Message-ID: <5c7edc8b-7f62-b5bd-3f7f-a21f70e4970a@rushpost.com>

On 10/29/21 07:30, Chris Taylor wrote:
> Thank you - I will check.
> 
> Almost certainly the hash of my .gpg file will be different after it has
> passed through the Thumb Drive.? However, no other files on the Thumb
> Drive get corrupted.? So, my question will probably become how can I
> protect my .gpg file when it is moved off my laptop onto other meda?
> 
> Chris.

If the hash is changing the file is getting corrupted, even if by only
one bit.

-- 
Shawn K. Quinn <skquinn at rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com


From guru at unixarea.de  Fri Oct 29 21:00:28 2021
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 29 Oct 2021 21:00:28 +0200
Subject: Using two OpenPGP cards
Message-ID: <YXxEzMSxDWo+Gsgz@c720-r368166>

Hello,

For some years I do use an OpenPGP card with GnuPG to encrypt all my
passwords (and other secrets). The passwors are managed with
password-store which is basically a tree of passwords along the web
sites where they're required to login. 

I got now a mobile phone device, running Debian, the Purism L5, which
has its own OpenPGP card (until now no set up):

purism at pureos:~$ gpg --card-status
Reader ...........: TTXS serial 00 00
Application ID ...: D27600012401030400050000A6FE0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000A6FE
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

The question here is: Can I somehow transfer the keys from the used
OpenPGP card to this new card (and copy over the tree of encrypted
passwords to the phone) or do I have to move the passwords in clear and
crypt them again with the new card?

Thanks

	matthias

-- 
Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troups and bombs have been killed in Yugoslavia, Afghanistan, Afrika...


From x10an14 at gmail.com  Fri Oct 29 22:51:02 2021
From: x10an14 at gmail.com (Christian Chavez)
Date: Fri, 29 Oct 2021 22:51:02 +0200
Subject: Using two OpenPGP cards
In-Reply-To: <YXxEzMSxDWo+Gsgz@c720-r368166>
References: <YXxEzMSxDWo+Gsgz@c720-r368166>
Message-ID: <CAF6oXFsnCYXaKqgRJM77b4z52PtHCoM0EC0xKx5sqTCi90zssQ@mail.gmail.com>

On Fri, Oct 29, 2021 at 10:15 PM Matthias Apitz <guru at unixarea.de> wrote:

> The question here is: Can I somehow transfer the keys from the used
> OpenPGP card to this new card (and copy over the tree of encrypted
> passwords to the phone) or do I have to move the passwords in clear and
> crypt them again with the new card?
>

I guess you know this already, but if you didn't:

A secure gpg smart card will not allow (by hardware and design) read of
it's private keys - only public keys.
I think that might answer your question, no?

-- 
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211029/35e84f8d/attachment.html>

From romain.lebrun-thauront at insa-lyon.fr  Fri Oct 29 23:45:58 2021
From: romain.lebrun-thauront at insa-lyon.fr (Romain LT)
Date: Fri, 29 Oct 2021 23:45:58 +0200
Subject: Using two OpenPGP cards
In-Reply-To: <YXxEzMSxDWo+Gsgz@c720-r368166>
References: <YXxEzMSxDWo+Gsgz@c720-r368166>
Message-ID: <BE697BBD-EDCC-43AB-9317-D94C449A99B8@insa-lyon.fr>

Hi,

I'm not sure to grasp the entirety of the problematic but I though that should be mention :

From  'man pass' :

```
id...
      Initialize new password storage and use gpg-id
      for encryption. Multiple gpg-ids may be
      specified, in order to encrypt each password
      with multiple ids. This command must be run
      first before a password store can be used. If
      the specified gpg-id is different from the key
      used in any existing files, these files will
      be reencrypted to use the new id.  Note that
      use of gpg-agent(1) is recommended so that the
      batch decryption does not require as much user
      intervention. If --path or -p is specified,
      along with an argument, a specific gpg-id or
      set of gpg-ids is assigned for that specific
      sub folder of the password store. If only one
      gpg-id is given, and it is an empty string,
      then the current .gpg-id file for the
      specified sub-folder (or root if unspecified)
      is removed.
```

If you can get the 2 keys on your PC or the 2 keys on your phone you can add your new key or even replace the old with the new one by running 'pass Id ...'


On October 29, 2021 9:00:28 PM GMT+02:00, Matthias Apitz <guru at unixarea.de> wrote:
>Hello,
>
>For some years I do use an OpenPGP card with GnuPG to encrypt all my
>passwords (and other secrets). The passwors are managed with
>password-store which is basically a tree of passwords along the web
>sites where they're required to login. 
>
>I got now a mobile phone device, running Debian, the Purism L5, which
>has its own OpenPGP card (until now no set up):
>
>purism at pureos:~$ gpg --card-status
>Reader ...........: TTXS serial 00 00
>Application ID ...: D27600012401030400050000A6FE0000
>Application type .: OpenPGP
>Version ..........: 3.4
>Manufacturer .....: ZeitControl
>Serial number ....: 0000A6FE
>Name of cardholder: [not set]
>Language prefs ...: de
>Salutation .......:
>URL of public key : [not set]
>Login data .......: [not set]
>Signature PIN ....: forced
>Key attributes ...: rsa2048 rsa2048 rsa2048
>Max. PIN lengths .: 64 64 64
>PIN retry counter : 3 0 3
>Signature counter : 0
>KDF setting ......: off
>Signature key ....: [none]
>Encryption key....: [none]
>Authentication key: [none]
>General key info..: [none]
>
>The question here is: Can I somehow transfer the keys from the used
>OpenPGP card to this new card (and copy over the tree of encrypted
>passwords to the phone) or do I have to move the passwords in clear and
>crypt them again with the new card?
>
>Thanks
>
>	matthias
>
>-- 
>Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
>Public GnuPG key: http://www.unixarea.de/key.pub
>August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
>no German troups and bombs have been killed in Yugoslavia, Afghanistan, Afrika...
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

Romain LEBRUN THAURONT
5TC - D?partement Telecommunication, Services et Usages
INSA Lyon
Responsable Logistique du Karnaval Humanitaire

** Please consider using PGP to communicate with me, encrypt your
e-mails https://www.openpgp.org/
My key's fingerprint: 912B 29BE EDBE 8E73 8E3F 8758 869E 9A75 3DCA 4320
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211029/78556c6a/attachment-0001.html>

From x10an14 at gmail.com  Sat Oct 30 00:09:16 2021
From: x10an14 at gmail.com (Christian Chavez)
Date: Sat, 30 Oct 2021 00:09:16 +0200
Subject: Using two OpenPGP cards
In-Reply-To: <BE697BBD-EDCC-43AB-9317-D94C449A99B8@insa-lyon.fr>
References: <YXxEzMSxDWo+Gsgz@c720-r368166>
 <BE697BBD-EDCC-43AB-9317-D94C449A99B8@insa-lyon.fr>
Message-ID: <CAF6oXFsUVaV-aaZBw1X_kYPu0sxWoRAEc6oGTP70gRncqS65KA@mail.gmail.com>

On Fri, Oct 29, 2021 at 11:46 PM Romain LT via Gnupg-users <
gnupg-users at gnupg.org> wrote:

> If you can get the 2 keys on your PC or the 2 keys on your phone you can
> add your new key or even replace the old with the new one by running 'pass
> Id ...'
>
Never heard of the `pass id` command, maybe it's installed as a plugin on
your machine?
Not showing in my `man pass` at least, your description seems to fit `pass
init` though.

I can confirm this works, I've done the same myself:

```shell
$ pass init <Hex fingerprint of backup & daily gpg Key/smart card's primary
keys>
$ pass generate email/website/password
$ pass init -p email/website/2fa <Hex fingerprint of backup & daily 2fa gpg
Key/smart card's primary keys>
```

-- 
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211030/dc5ed09f/attachment.html>

From romain.lebrun-thauront at insa-lyon.fr  Fri Oct 29 16:04:11 2021
From: romain.lebrun-thauront at insa-lyon.fr (Romain LT)
Date: Fri, 29 Oct 2021 16:04:11 +0200
Subject: What are the file in ~/.gnupg ?
Message-ID: <20211029140411.niqb7apf35gh7y5b@aeredrenLaptop>

Hi,

I'm sorry for this beginner question but I could not find answers on the
web nor the manpage nor the doc of gpg, even though it is a quite
general question :

What are the files in gnupg homedir ?
I could not find a complete listing so I'm writing what I know and do
not know here. If you know more than me can you fill in th blank ? :)

dirmngr.conf :
	configuration for dirmngr (keyserver access)

gpg-agent.conf
	configuration for gpg-agent (key caching and key acces by other
	apps)

gpg.conf
	conf for the gpg command line utility

crls.d/DIR.txt
	????

openpgp-revocs.d/
	folder to store revocs certificates (for my own keys ?) (only
	for issued certificates or should I store certificates in this
	waiting for the moment my keys are compromised ?)

private-keys-v1.d/
	folder with private keys files, named afte key or subkey keygrip
	Is there only the private key part of my own keys in this ? or
	is there a way to obtain public+private key from one of those
	files ?

pubring.kbx
	"database" of where the public keys are. (yours from your
	own keys, and other people public keys too.

random_seed
	state of the random number generator

sshcontrol
	list of keys with (A) capabilities (authentication) which will be
	used as ssh key by the gpg-agent. (by keygrip)

tofu.db
	is an sqlite database and mean Trust On First Use. But what does
	it means and what does it contains ?

trustdb.gpg
	the "trust database" which seem to be usefull for web of trust.
	The doc says to not backup this file. Why, and why did it
	contains, and what is it for ?


any help is welcome, and if I miss this information in the docs feel
free to point me to the right manual sections.

Aeredren
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211029/ef026058/attachment.sig>

From romain.lebrun-thauront at insa-lyon.fr  Sat Oct 30 00:27:38 2021
From: romain.lebrun-thauront at insa-lyon.fr (Romain LT)
Date: Sat, 30 Oct 2021 00:27:38 +0200
Subject: Using two OpenPGP cards
In-Reply-To: <CAF6oXFsUVaV-aaZBw1X_kYPu0sxWoRAEc6oGTP70gRncqS65KA@mail.gmail.com>
References: <YXxEzMSxDWo+Gsgz@c720-r368166>
 <BE697BBD-EDCC-43AB-9317-D94C449A99B8@insa-lyon.fr>
 <CAF6oXFsUVaV-aaZBw1X_kYPu0sxWoRAEc6oGTP70gRncqS65KA@mail.gmail.com>
Message-ID: <96EFF19D-5948-448B-B693-7D09B8FC2F14@insa-lyon.fr>

Hmm yes it's pass init ^^'

I miss read the man page which was wrongly display in my android screen
 Thx

On October 30, 2021 12:09:16 AM GMT+02:00, Christian Chavez <x10an14 at gmail.com> wrote:
>On Fri, Oct 29, 2021 at 11:46 PM Romain LT via Gnupg-users <
>gnupg-users at gnupg.org> wrote:
>
>> If you can get the 2 keys on your PC or the 2 keys on your phone you can
>> add your new key or even replace the old with the new one by running 'pass
>> Id ...'
>>
>Never heard of the `pass id` command, maybe it's installed as a plugin on
>your machine?
>Not showing in my `man pass` at least, your description seems to fit `pass
>init` though.
>
>I can confirm this works, I've done the same myself:
>
>```shell
>$ pass init <Hex fingerprint of backup & daily gpg Key/smart card's primary
>keys>
>$ pass generate email/website/password
>$ pass init -p email/website/2fa <Hex fingerprint of backup & daily 2fa gpg
>Key/smart card's primary keys>
>```
>
>-- 
>Med vennlig hilsen/Kind regards,
>Christian Chavez
>Phone/Tlf: +47 922 22 603

Romain LEBRUN THAURONT
5TC - D?partement Telecommunication, Services et Usages
INSA Lyon
Responsable Logistique du Karnaval Humanitaire

** Please consider using PGP to communicate with me, encrypt your
e-mails https://www.openpgp.org/
My key's fingerprint: 912B 29BE EDBE 8E73 8E3F 8758 869E 9A75 3DCA 4320
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211030/fb4d8500/attachment.html>

From dgouttegattat at incenp.org  Sat Oct 30 01:20:40 2021
From: dgouttegattat at incenp.org (Damien Goutte-Gattat)
Date: Sat, 30 Oct 2021 00:20:40 +0100
Subject: What are the file in ~/.gnupg ?
In-Reply-To: <20211029140411.niqb7apf35gh7y5b@aeredrenLaptop>
References: <20211029140411.niqb7apf35gh7y5b@aeredrenLaptop>
Message-ID: <20211029232040.b6v5wqudryinr2nx@dynein.local.incenp.org>

Hi,

On Fri, Oct 29, 2021 at 04:04:11PM +0200, Romain LT via Gnupg-users wrote:
>dirmngr.conf :
>	configuration for dirmngr (keyserver access)

Dirmngr is also used for fetching the Certificate Revocation Lists 
(CRLs), if you?re using GpgSM (the X.509/SMIME part of GnuPG).


>crls.d/DIR.txt
>	????

This is where dirmngr stores the aforementioned CRLs. The DIR.txt file 
acts as a kind of index for the CRLs that are cached in that folder. It 
is normal for that folder to be empty (save for the DIR.txt file) if you 
don?t use GpgSM.


>openpgp-revocs.d/
>	folder to store revocs certificates (for my own keys ?)

Yes. This is where Gpg writes out the revocation certificate it 
automatically generates upon creating a new key.


> should I store certificates in this waiting for the moment my keys are 
> compromised ?)

That is ultimately dependent on your threat model. Keep in mind that, 
contrary to your private key, the revocation certificate is *not* 
passphrase-protected (whoever manages to grab it can use it to revoke 
your key without needing anything else). That may be reason enough to 
want to move it offline, elsewhere than on your computer, instead of 
leaving it in the openpgp-revocs.d folder.


>private-keys-v1.d/
>	folder with private keys files, named afte key or subkey keygrip
>	Is there only the private key part of my own keys in this ? or
>	is there a way to obtain public+private key from one of those
>	files ?

Private key only. I believe the purely ?mathematical? components of the 
public key can be derived from it (though I may be wrong here), but that 
does not include the User IDs and associated signatures, that are 
necessary to make a ?full? public key ? those components are in 
pubring.kbx.


>tofu.db
>	is an sqlite database and mean Trust On First Use. But what does
>	it means and what does it contains ?

TOFU is a new (or not so new anymore, it has been introduced in 2015 or 
so) trust model, that can either replace the web of trust or be used in 
combination with the web of trust.

The TOFU database is what allows GnuPG to keep track of which email 
address a given key is associated with, so that it can detect any future 
mismatch (which could be a sign that a MITM attack is under way).

>
>trustdb.gpg
>	the "trust database" which seem to be usefull for web of trust.
>	The doc says to not backup this file. Why, and why did it
>	contains, and what is it for ?

This is indeed the database for the web of trust. It contains the 
ownertrust value you assigned to the public keys of you keyring. (The 
?onwertrust value? is when you state how much you trust the owner of a 
key to sign other people?s keys.) In the web-of-trust model, GnuPG uses 
the ownertrust values combined with key signatures to decide whether a 
public key in your keyring is valid.

Those values should be backed up (unless you don?t mind manually 
re-assigning ownertrust values for all the keys you trust if you come to 
lose the trustdb.gpg file). The current manual page says:

   There is no need to backup this file; it is better to backup the 
   ownertrust values (see option --export-ownertrust).

This is not intended to mean the trustdb.gpg file is worthless, merely 
that its contents should be backed up using the --export-ownertrust 
command instead of simply doing a file-level backup:

   gpg --export-ownertrust > ownertrust.backup
   # to restore
   gpg --import-ownertrust < ownertrust.backup


Hope that helps,

- Damien
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211030/69087c1b/attachment.sig>

From jcb62281 at gmail.com  Sat Oct 30 03:53:05 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Fri, 29 Oct 2021 20:53:05 -0500
Subject: What are the file in ~/.gnupg ?
In-Reply-To: <20211029232040.b6v5wqudryinr2nx@dynein.local.incenp.org>
References: <20211029140411.niqb7apf35gh7y5b@aeredrenLaptop>
 <20211029232040.b6v5wqudryinr2nx@dynein.local.incenp.org>
Message-ID: <617CA581.4030404@gmail.com>

Damien Goutte-Gattat via Gnupg-users wrote:
> On Fri, Oct 29, 2021 at 04:04:11PM +0200, Romain LT via Gnupg-users 
> wrote:
> [...]
>> private-keys-v1.d/
>> folder with private keys files, named afte key or subkey keygrip
>> Is there only the private key part of my own keys in this ? or
>> is there a way to obtain public+private key from one of those
>> files ?
>
> Private key only. I believe the purely ?mathematical? components of 
> the public key can be derived from it (though I may be wrong here), 
> but that does not include the User IDs and associated signatures, that 
> are necessary to make a ?full? public key ? those components are in 
> pubring.kbx.

You are correct: key generation for asymmetric systems involves randomly 
choosing a private key and calculating the corresponding public key. The 
mathematics are such that this is easy but the reverse is believed to be 
computationally infeasible. There are a variety of "neat math tricks" to 
make the system more efficient under various conditions, but ultimately 
public keys are derived from private keys and this determines which key 
is which.

For example, RSA relies on the ease of calculating a product versus the 
presumed difficulty of factoring composites of two approximately 
similar-magnitude primes. Either key can decrypt a message encrypted by 
the other; smoothing over some mathematical and cryptographic details, 
this is used for signatures by encrypting the signature with the private 
key which allows the public key to decrypt (verify) it.

Again, the difference between the public and private keys is that, given 
the private key the public key can be calculated, while the private key 
cannot be (feasibly) calculated given the public key.

You may note that I have been very light on details; this is 
intentional. If you are unclear about a basic detail like this, you will 
almost certainly fall into one of numerous pitfalls that make asymmetric 
systems easily breakable. Do not roll your own; use an existing 
well-vetted Free program (like GPG!) instead. ***NEVER*** trust nonfree 
cryptographic software: you have no way to even begin to effectively 
audit such a "black box" for backdoors and the history of proprietary 
encryption is exceptionally bad, ranging from simple incompetence 
(proprietary algorithms tend to fall to cryptanalysis quite quickly once 
they are examined) to deliberate backdoors.


-- Jacob


From jcb62281 at gmail.com  Sat Oct 30 03:35:43 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Fri, 29 Oct 2021 20:35:43 -0500
Subject: Using two OpenPGP cards
In-Reply-To: <YXxEzMSxDWo+Gsgz@c720-r368166>
References: <YXxEzMSxDWo+Gsgz@c720-r368166>
Message-ID: <617CA16F.4080901@gmail.com>

Matthias Apitz wrote:
> The question here is: Can I somehow transfer the keys from the used
> OpenPGP card to this new card (and copy over the tree of encrypted
> passwords to the phone) or do I have to move the passwords in clear and
> crypt them again with the new card?

If I understand correctly that your tool uses public keys, you will need to:

1.  Generate keys on your new device.
2.  Export the public key for your new smartcard.
3.  Arrange for your password store to be encrypted for *both* public keys.
4.  Copy the appropriately encrypted password store to the new device.
5.  Use the new card's secret key to access the encrypted password store.

If your tool is using a symmetric key embedded in the smartcard, you 
will need to transfer the passwords "in the clear" but you could use a 
keypair to wrap the bundle during transit.  The entire purpose of a 
smartcard here is that the secret keys cannot be extracted from it.


-- Jacob



From tlikonen at iki.fi  Sat Oct 30 08:52:18 2021
From: tlikonen at iki.fi (Teemu Likonen)
Date: Sat, 30 Oct 2021 09:52:18 +0300
Subject: What are the file in ~/.gnupg ?
In-Reply-To: <20211029140411.niqb7apf35gh7y5b@aeredrenLaptop>
References: <20211029140411.niqb7apf35gh7y5b@aeredrenLaptop>
Message-ID: <87a6ir80nx.fsf@iki.fi>

* 2021-10-29 16:04:11+0200, Romain LT via Gnupg-users wrote:

> tofu.db
> 	is an sqlite database and mean Trust On First Use. But what does
> 	it means and what does it contains ?

tofu.db contains a log for every signature and encryption by/for every
key and email address. This means in human language:

   "I have verified this signature made by this key and email address at
    that time." (time of the signature and time of verification are
    recorded)

   "I have encrypted for this key and email at that time."

GnuPG can tell some of that information in techical form:

    gpg --list-keys --with-colons --with-tofu-info

In SQL terms the tofu.db database has this schema:

    $ sqlite3 ~/.gnupg/tofu.db .schema

    CREATE TABLE version (version INTEGER);
    CREATE TABLE bindings
     (oid INTEGER PRIMARY KEY AUTOINCREMENT,
      fingerprint TEXT, email TEXT, user_id TEXT, time INTEGER,
      policy INTEGER CHECK (policy in (1, 2, 3, 4, 5)),
      conflict STRING, effective_policy INTEGER DEFAULT 0
        CHECK (effective_policy in (0, 1, 2, 3, 4, 5)),
      unique (fingerprint, email));
    CREATE TABLE sqlite_sequence(name,seq);
    CREATE TABLE signatures  (binding INTEGER NOT NULL, sig_digest TEXT,
        origin TEXT, sig_time INTEGER, time INTEGER,
        primary key (binding, sig_digest, origin));
    CREATE TABLE encryptions (binding INTEGER NOT NULL,  time INTEGER);
    CREATE INDEX bindings_fingerprint_email
     on bindings (fingerprint, email);
    CREATE INDEX bindings_email on bindings (email);
    CREATE INDEX encryptions_binding on encryptions (binding);
    CREATE TABLE ultimately_trusted_keys (keyid);

-- 
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211030/bc302771/attachment.sig>

From guru at unixarea.de  Sat Oct 30 15:50:21 2021
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 30 Oct 2021 15:50:21 +0200
Subject: OpenPGP card and gpg-agent TTL
Message-ID: <YX1NnazggvXUBBSb@c720-r368166>


Hello,

I'm using GnuPG together with an OpenPGP card. When I want to decrypt
something the gpg-agent is via pinentry asking for the PIN to unlock the card.

Normally I don't care about how long the card remains unlocked, because
I just withdraw the USB dongle after the operation. I was thinking that
the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
state of the OpenPGP card, which it does not. How could I do this? 

Because in the Purism L5 mobile the OpenPGP card is internally inserted behind
the battery and so I can't remove it that easy :-)

Thanks

	matthias
-- 
Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troups and bombs have been killed in Yugoslavia, Afghanistan, Afrika...


From chris at christaylordeveloper.co.uk  Sat Oct 30 14:24:58 2021
From: chris at christaylordeveloper.co.uk (Chris Taylor)
Date: Sat, 30 Oct 2021 14:24:58 +0200
Subject: Unable to decrypt file copied from USB thumb drive.
In-Reply-To: <mailman.181.1635543967.30538.gnupg-users@gnupg.org>
References: <mailman.181.1635543967.30538.gnupg-users@gnupg.org>
Message-ID: <846caaaa-b9c2-a466-7069-5c8fd68ec2c3@christaylordeveloper.co.uk>

The hash of my gpg file on my laptop is different to it's hash on the 
thumb drive.? For comparison, the hash of the tar.gz file (i.e. before 
encryption) is the same before and after I copy it to the thumb drive.

Are there any techniques I should be using to protect my gpg file?

Chris Taylor



From kloecker at kde.org  Sat Oct 30 19:38:07 2021
From: kloecker at kde.org (Ingo =?ISO-8859-1?Q?Kl=F6cker?=)
Date: Sat, 30 Oct 2021 19:38:07 +0200
Subject: Unable to decrypt file copied from USB thumb drive.
In-Reply-To: <846caaaa-b9c2-a466-7069-5c8fd68ec2c3@christaylordeveloper.co.uk>
References: <mailman.181.1635543967.30538.gnupg-users@gnupg.org>
 <846caaaa-b9c2-a466-7069-5c8fd68ec2c3@christaylordeveloper.co.uk>
Message-ID: <1917070.6ltK4Vc2AG@breq>

On Samstag, 30. Oktober 2021 14:24:58 CEST Chris Taylor wrote:
> The hash of my gpg file on my laptop is different to it's hash on the
> thumb drive.

If the hash of any file on your laptop differs from the hash of the same file 
after copying it to the thumb drive this can only mean two things:

1. Either you made something wrong when you copied the file to the thumb 
drive, e.g. you unplugged the thumb drive before the file was actually fully 
written to the thumb drive.
Solution: Always make sure to "eject" the thumb drive before unplugging it.

2. Or your thumb drive has a hardware error. Or it is a forged thumb drive 
which claims to be larger than it actually is. There are loads of forged thumb 
drives sold on the Internet. Don't assume you are making a bargain when you 
are offered a large thumb drive to an insanely low price.
Solution: Destroy the thumb drive physically (to make sure nobody can get 
access to the data stored on it) and then throw it away.

> For comparison, the hash of the tar.gz file (i.e. before
> encryption) is the same before and after I copy it to the thumb drive.
> 
> Are there any techniques I should be using to protect my gpg file?

Yes, but those "techniques" are not special for gpg files. They apply to any 
files. The "techniques" are:
* Don't unplug the thumb drive before all data was fully written to it.
* Don't use thumb drives with hardware defects or with forged size.
* If you want to be really sure that a file was transferred correctly to the 
thumb drive, then unplug the thumb drive, re-plug it and then compare the 
hashes of the file.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20211030/e5895c79/attachment.sig>

From stuartl at longlandclan.id.au  Sun Oct 31 07:26:29 2021
From: stuartl at longlandclan.id.au (Stuart Longland)
Date: Sun, 31 Oct 2021 16:26:29 +1000
Subject: Getting OpenSC PKCS#11 and GnuPG to play nice with a YubiKey 5
Message-ID: <20211031162629.45e3911f@longlandclan.id.au>

Hi all,

At my workplace, we've recently adopted YubiKeys as a means for doing
2FA, I've been using mine for 2FA-based authentication with OpenSSH
servers (using `gpg-agent` and the YubiKey OpenPGP applet), and we plan
to use the PIV component of these keys to authenticate with some HTTPS
services.

I've also set up the OpenPGP part for code signing and email security.

Under GnuPG 2.2, I mostly had this working.  Sometimes GnuPG would
block `opensc-pkcs11` or vice versa and I'd have to either re-plug the
dongle and/or tickle it with `gpg --card-status` when I try to commit
something or log into a server.

It seems under GnuPG 2.3 (v2.3.2 currently on Gentoo Linux), OpenSC
seems completely unable to communicate with the PIV applet on the same
YubiKey as GnuPG.  As it's likely we'll be swapping between using HTTPS
and SSH frequently, I'd like the two services to co-operate if at all
possible, nothing on paper suggests why these should be in conflict.

- Has anyone managed to do the above?
- any particular advice regarding `opensc` drivers, is `pcscd` needed?
- Is this just a quirk of the YubiKey?  (e.g. is NitroKey? affected?)
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


1. Watching these from a distance, but I'm waiting for the COVID-19
situation to settle down so that the shipping price between DE and AU
can come down from the stratosphere.  I'm open to other "open hardware"
alternatives too -- contact me off-list about that.


From guru at unixarea.de  Sun Oct 31 10:20:35 2021
From: guru at unixarea.de (Matthias Apitz)
Date: Sun, 31 Oct 2021 10:20:35 +0100
Subject: Using two OpenPGP cards
In-Reply-To: <617CA16F.4080901@gmail.com>
References: <YXxEzMSxDWo+Gsgz@c720-r368166>
 <617CA16F.4080901@gmail.com>
Message-ID: <YX5f4yodaKGDdyhx@c720-r368166>

El d?a viernes, octubre 29, 2021 a las 08:35:43p. m. -0500, Jacob Bachmeyer via Gnupg-users escribi?:

> Matthias Apitz wrote:
> > The question here is: Can I somehow transfer the keys from the used
> > OpenPGP card to this new card (and copy over the tree of encrypted
> > passwords to the phone) or do I have to move the passwords in clear and
> > crypt them again with the new card?
> 
> If I understand correctly that your tool uses public keys,

The password store is a tree of GnuPG encrypted file as:

$ find .password-store
.password-store
.password-store/web
.password-store/web/test1.gpg
.password-store/web/test2.gpg
.password-store/web/test3.gpg
.password-store/web/hwiconnect.net.gpg
.password-store/web/es-la.facebook.com.gpg
...

it was once (2017) initialized with

$ pass init guru at unixarea.de

and one can see the gpg-id in the file of the store:

$ cat .password-store/.gpg-id
guru at unixarea.de

This mail addr is the reference to the (public) key:

$ gpg2 -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec>  rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
ssb>  rsa4096 2017-05-14 [A]
ssb>  rsa4096 2017-05-14 [E]

> you will need to:
> 
> 1.  Generate keys on your new device.

I did so and created for testing a password store on the mobile L5
with:

purism at pureos:~$ pass init 'CCID L5'
mkdir: created directory '/home/purism/.password-store/'
Password store initialized for CCID L5
purism at pureos:~$ cat .password-store/.gpg-id
CCID L5
purism at pureos:~$ echo secret | pass insert -m test
Enter contents of test and press Ctrl+D when finished:

purism at pureos:~$ find .password-store/
.password-store/
.password-store/test.gpg
.password-store/.gpg-id

purism at pureos:~$ killall gpg-agent
purism at pureos:~$ pass test
secret

(it asked me to unlock the OpenPGP card with its PIN)

> 2.  Export the public key for your new smartcard.

I did so:

purism at pureos:~$ gpg --export --armor > ccid-L5-export-key-guru.pub
purism at pureos:~$ file ccid-L5-export-key-guru.pub
ccid-L5-export-key-guru.pub: PGP public key block Public-Key (old)

> 3.  Arrange for your password store to be encrypted for *both* public keys.

Perhaps I should now import the above Public-Key on the laptop and
re-init there the password store with both gpg-id:

$ pass init 'GnuPG CCID' 'CCID L5'

I will test this after making bakups of GNUPGHOME and ~/password-store.

> 4.  Copy the appropriately encrypted password store to the new device.
> 5.  Use the new card's secret key to access the encrypted password store.
> 

Thanks for your hints

	matthias
-- 
Matthias Apitz, ? guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troups and bombs have been killed in Yugoslavia, Afghanistan, Afrika...


From jcb62281 at gmail.com  Sun Oct 31 19:43:45 2021
From: jcb62281 at gmail.com (Jacob Bachmeyer)
Date: Sun, 31 Oct 2021 13:43:45 -0500
Subject: Using two OpenPGP cards
In-Reply-To: <YX5f4yodaKGDdyhx@c720-r368166>
References: <YXxEzMSxDWo+Gsgz@c720-r368166> <617CA16F.4080901@gmail.com>
 <YX5f4yodaKGDdyhx@c720-r368166>
Message-ID: <617EE3E1.6040604@gmail.com>

Matthias Apitz wrote:
> El d?a viernes, octubre 29, 2021 a las 08:35:43p. m. -0500, Jacob Bachmeyer via Gnupg-users escribi?:
>   
>> Matthias Apitz wrote:
>>     
>>> The question here is: Can I somehow transfer the keys from the used
>>> OpenPGP card to this new card (and copy over the tree of encrypted
>>> passwords to the phone) or do I have to move the passwords in clear and
>>> crypt them again with the new card?
>>>       
>> If I understand correctly that your tool uses public keys,
>>     
>
> The password store is a tree of GnuPG encrypted file as:
>
> $ find .password-store
> .password-store
> .password-store/web
> .password-store/web/test1.gpg
> .password-store/web/test2.gpg
> .password-store/web/test3.gpg
> .password-store/web/hwiconnect.net.gpg
> .password-store/web/es-la.facebook.com.gpg
> ...
>
> it was once (2017) initialized with
>
> $ pass init guru at unixarea.de
>
> and one can see the gpg-id in the file of the store:
>
> $ cat .password-store/.gpg-id
> guru at unixarea.de
>
> This mail addr is the reference to the (public) key:
>
> $ gpg2 -K
> /home/guru/.gnupg-ccid/pubring.kbx
> ----------------------------------
> sec>  rsa4096 2017-05-14 [SC]
>       5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
>       Card serial no. = 0005 0000532B
> uid           [ultimate] Matthias Apitz (GnuPG CCID) <guru at unixarea.de>
> ssb>  rsa4096 2017-05-14 [A]
> ssb>  rsa4096 2017-05-14 [E]
>
> [...]
>> 3.  Arrange for your password store to be encrypted for *both* public keys.
>>     
>
> Perhaps I should now import the above Public-Key on the laptop and
> re-init there the password store with both gpg-id:
>
> $ pass init 'GnuPG CCID' 'CCID L5'
>
> I will test this after making bakups of GNUPGHOME and ~/password-store.
>   

I do not know the details of how pass(1) operates, so this will be 
necessarily vague.  What you need to accomplish is re-encrypting all of 
the files in password-store to both keys, where they are currently 
encrypted only for your old key.

Importing your new public key on your old device is certainly a step in 
this process, but I am not sure of the best way to re-encrypt the 
files.  There may be a way to do this with pass(1), or you may need to 
use GPG directly.  Check the pass(1) documentation for a "key rotation" 
procedure.

There is also a question of whether you want to continue to use both 
devices, if so, you will need to import your old public key on your new 
device and configure the new password store to also use both public 
keys.  Then you need only synchronize the encrypted files between 
devices and your passwords will be securely available on both.

> Thanks for your hints
>   
You are welcome.



-- Jacob