From contact at ikkerens.com Wed May 1 11:08:54 2024
From: contact at ikkerens.com (Rens Rikkerink)
Date: Wed, 1 May 2024 11:08:54 +0200
Subject: Adding new uid to causes bad signature
Message-ID:

Greetings!

Lately I've been trying to add a new uid to my public key, I have
however so far been unsuccessful in doing so. Every time I try to do
so, I then immediately get "1 bad signature" which wasn't present
beforehand. It's probably worth noting that my private key is stored
on a Yubikey 5 NFC (smartcard).

In general, I don't think my procedure for adding a new uid is abnormal:
$ gpg --edit-key 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
gpg> adduid
gpg> save

When then attempting to use this new uid, or even checking it, I get a
bad signature error:
gpg> check
key 29AD46D6F58287A3: 1 bad signature

Running this check before adding the new uid returns no results
(assuming positive).

I've been pretty stumped so far, not knowing how to debug this
further. Your expert insights (or dare I say solutions) would be very
much appreciated.
If more information is required I would be more than happy to provide it.

Yours sincerely,
Rens Rikkerink

General info:
OS: Windows 11 (AtlasOS) & MacOS 14.1.1 (tried on both)
GPG: GPG 2.4.4.-unknown (bundled with git-scm windows installer), GPG 2.4.5 (homebrew)

My public keys:
Before trying to add a new uid:
After trying to add a new uid:

From andrewg at andrewg.com Wed May 1 12:22:47 2024
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Wed, 1 May 2024 11:22:47 +0100
Subject: Adding new uid to causes bad signature
In-Reply-To:
References:
Message-ID:

On 1 May 2024, at 10:08, Rens Rikkerink via Gnupg-users wrote:
>
> Lately I've been trying to add a new uid to my public key, I have
> however so far been unsuccessful in doing so. Every time I try to do
> so, I then immediately get "1 bad signature" which wasn't present
> beforehand. It's probably worth noting that my private key is stored
> on a Yubikey 5 NFC (smartcard).

FYI it's not just gnupg that complains about the bad signature, so does
hockeypuck. So I'd assume that the card didn't create the signature
properly. Does this happen consistently?

A
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL:

From contact at ikkerens.com Wed May 1 12:38:57 2024
From: contact at ikkerens.com (Rens Rikkerink)
Date: Wed, 1 May 2024 12:38:57 +0200
Subject: Adding new uid to causes bad signature
In-Reply-To:
References:
Message-ID:

Hey Andrew,

Yes, this happens consistently, I have not been able to add a uid at
all, using both my main yubikey and backup yubikey (which have the
same private key on them)

Yours,
Rens

From guru at unixarea.de Wed May 1 16:32:54 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 1 May 2024 16:32:54 +0200
Subject: Using a GnuPG crypted RSA key for SSH
Message-ID:

Hello,

I've on my Linux cellphone L5 my RSA key for SSH crypted with GnuPG (to
be exactly with an OpenPGP card in the phone). I can do fine:

  $ gpg -d id_rsa.asc > id_rsa   # which asks for the PIN of the OpenPGP card
  $ ssh www.unixarea.de
  Enter passphrase for key '/home/guru/.ssh/id_rsa':
  ...
  $ rm id_rsa   # so it can't get lost of theft of the L5

Is there some other solution for GnuPG+SSH without writing the private
key id_rsa to a file? Or even better as well without the need of
entering the passphrase for the RSA key?

Thanks

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From x10an14 at gmail.com Wed May 1 17:29:45 2024
From: x10an14 at gmail.com (Christian C.)
Date: Wed, 1 May 2024 17:29:45 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References:
Message-ID:

Smart cards like yubikeys, and termux okcagent integrations?
_ _
Med vennlig hilsen/Kind regards,
Christian C.
Phone/Tlf: +47 922 22 603
(Sent from my smartphone device)

On Wed, 1 May 2024, 17:19 Matthias Apitz, wrote:

>
> Hello,
>
> I've on my Linux cellphone L5 my RSA key for SSH crypted with GnuPG (to
> be exactly with an OpenPGP card in the phone). I can do fine:
>
> $ gpg -d id_rsa.asc > id_rsa # which asks for the PIN of the OpenPGP card
> $ ssh www.unixarea.de
> Enter passphrase for key '/home/guru/.ssh/id_rsa':
> ...
> $ rm id_rsa # so it can't get lost of theft of the L5
>
> Is there some other solution for GnuPG+SSH without writing the private
> key id_rsa to a file? Or even better as well without the need of
> entering the passphrase for the RSA key?
>
> Thanks
>
> matthias
>
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/
> +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
>
> I am not at war with Russia.
> Я не воюю с Россией.
> Ich bin nicht im Krieg mit Russland.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From hfollmann at itcfollmann.com Wed May 1 17:50:02 2024
From: hfollmann at itcfollmann.com (Henning Follmann)
Date: Wed, 1 May 2024 11:50:02 -0400
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References:
Message-ID:

On Wed, May 01, 2024 at 04:32:54PM +0200, Matthias Apitz wrote:
>
> Hello,
>
> I've on my Linux cellphone L5 my RSA key for SSH crypted with GnuPG (to
> be exactly with an OpenPGP card in the phone). I can do fine:
>
> $ gpg -d id_rsa.asc > id_rsa # which asks for the PIN of the OpenPGP card
> $ ssh www.unixarea.de
> Enter passphrase for key '/home/guru/.ssh/id_rsa':
> ...
> $ rm id_rsa # so it can't get lost of theft of the L5
>
> Is there some other solution for GnuPG+SSH without writing the private
> key id_rsa to a file? Or even better as well without the need of
> entering the passphrase for the RSA key?
>

Well, if you have an authentication subkey on your card you could use that
for ssh authentication directly.
Your gpg-agent would then act as ssh-agent.

That might be a better way to handle this.

-H

--
Henning Follmann | hfollmann at itcfollmann.com

From wk at gnupg.org Thu May 2 08:17:58 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 02 May 2024 08:17:58 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To: (Henning Follmann's message of "Wed, 1 May 2024 11:50:02 -0400")
References:
Message-ID: <87cyq47n55.fsf@jacob.g10code.de>

On Wed, 1 May 2024 11:50, Henning Follmann said:

> Well, if you have an authentication subkey on your card you could use that
> for ssh authentication directly.
> Your gpg-agent would then act as ssh-agent.

I would even claim that this is the best way to work with ssh - I do
this now for nearly 20 years:

  Noteworthy changes in version 1.9.16 (2005-04-21)
  -------------------------------------------------

  * gpg-agent does now support the ssh-agent protocol and thus allows
    to use the pinentry as well as the OpenPGP smartcard with ssh.

This even works on Windows as a replacement of pageant and more recently
of the native OpenSSH Windows client.

On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
on some distros the X config greps for this to decide whether to start
the ssh-agent or leave this to gpg-agent. Technically the ssh support is
always enabled and thus the option is not really required.

Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From guru at unixarea.de Thu May 2 10:33:15 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 2 May 2024 10:33:15 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To: <87cyq47n55.fsf@jacob.g10code.de>
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID:

On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:

> ...
> On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> on some distros the X config greps for this to decide whether to start
> the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> always enabled and thus the option is not really required.

I have this working now already up to the point that ssh asks the gpg-agent
to unlock the card and ask for the PIN to do so. But this is failing
because gpg-agent uses:

  $ grep pinentry agent.tr
  4692 execve("/usr/bin/pinentry", ["pinentry", "--display", ":0"], 0xffffa8004be0 /* 41 vars */) = 0

which fails with an unsupported ioctl to fd=0

while a command 'gpg -d foo.asc' works fine, and here gpg-agent uses

  $ grep pinentry agent-gpg.tr
  4997 read(10, "OPTION allow-pinentry-notify\n", 1002) = 29
  4997 write(7, "chan_10 <- OPTION allow-pinentry"..., 40) = 40
  5001 execve("/usr/bin/pinentry", ["pinentry"], 0xffffa80016d0 /* 41 vars */) = 0

i.e. the pinentry command without --display ...

my config file for gpg-agent looks as:

  $ cat .gnupg/gpg-agent.conf
  enable-ssh-support
  debug-pinentry
  debug ipc
  log-file /tmp/gpg-agent-debug.log
  max-cache-ttl 1
  # pinentry-program /usr/bin/pinentry

I tried to play with the config value of pinentry-program without luck.

The environment of the gpg-agent contains:

  GNUPGHOME=/home/purism/.gnupg
  GPG_TTY=not a tty

Any idea how to get gpg-agent asking correctly for the PIN?

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From hfollmann at itcfollmann.com Thu May 2 13:44:04 2024
From: hfollmann at itcfollmann.com (Henning Follmann)
Date: Thu, 2 May 2024 07:44:04 -0400
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID:

On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:
>
> > ...
> > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > on some distros the X config greps for this to decide whether to start
> > the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> > always enabled and thus the option is not really required.
>
[deleted]

I do not know what you did, but that looks like a mess
Your pinentry was working before (I guess) and you should not change
anything there.

And there is no need for using trace - way too complicated!

as Werner said add

  enable-ssh-support

to your ~/.gnupg/gpg-agent.conf

You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
authentication subkey in there

and then finally tell ssh where to find the ssh-agent socket.
gpg will tell you that by:

  gpgconf --list-dirs agent-ssh-socket

just put

  export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

in your ~/.bashrc

and because gpg-agent does not usually run as daemon make sure it is
running before you use ssh

  gpgconf --launch gpg-agent

You also could add that to your .bashrc

-H

--
Henning Follmann | hfollmann at itcfollmann.com

From guru at unixarea.de Thu May 2 13:58:37 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 2 May 2024 13:58:37 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID:

On Thursday, May 02, 2024 at 07:44:04 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:
> >
> > > ...
> > > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > > on some distros the X config greps for this to decide whether to start
> > > the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> > > always enabled and thus the option is not really required.
> >
> [deleted]
>
> I do not know what you did, but that looks like a mess
> Your pinentry was working before (I guess) and you should not change
> anything there.
>
> And there is no need for using trace - way too complicated!
>
> as Werner said add
>
>   enable-ssh-support
>
> to your ~/.gnupg/gpg-agent.conf

I have had this in that file (as I said in my last mail)

> You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
> authentication subkey in there
>
> and then finally tell ssh where to find the ssh-agent socket. gpg will tell
> you that by:
>
>   gpgconf --list-dirs agent-ssh-socket
>
> just put
>
>   export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

I have had this too.

>
> in your ~/.bashrc
>
> and because gpg-agent does not usually run as daemon make sure it is
> running before you use ssh
>
>   gpgconf --launch gpg-agent

gpg-agent was always there, started by system boot.

>
>
> You also could add that to your .bashrc

The missing piece to get it working now was to tell gpg-agent the correct
TTY with:

  gpg-connect-agent updatestartuptty /bye

which perhaps gpg command does, but ssh can't.

Thanks for all the hints I got.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From hfollmann at itcfollmann.com Thu May 2 14:13:12 2024
From: hfollmann at itcfollmann.com (Henning Follmann)
Date: Thu, 2 May 2024 08:13:12 -0400
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID:

On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> On Thursday, May 02, 2024 at 07:44:04 -0400, Henning Follmann wrote:
>
> > On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > > On Thursday, May 02, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:
> > >
> >
> > and because gpg-agent does not usually run as daemon make sure it is
> > running before you use ssh
> >
> >   gpgconf --launch gpg-agent
>
> gpg-agent was always there, started by system boot.

Are you certain? Did you change that at some point? Because if you use the
default pureOS it doesn't. Just sayin'

>
> >
> >
> > You also could add that to your .bashrc
>
> The missing piece to get it working now was to tell gpg-agent the correct
> TTY with:
>
>   gpg-connect-agent updatestartuptty /bye
>
> which perhaps gpg command does, but ssh can't.
>
> Thanks for all the hints I got.
>
>
> matthias
>
> --
> Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
>
> I am not at war with Russia. Я не воюю с Россией.
> Ich bin nicht im Krieg mit Russland.
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Henning Follmann | hfollmann at itcfollmann.com

From guru at unixarea.de Thu May 2 14:43:39 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 2 May 2024 14:43:39 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID:

On Thursday, May 02, 2024 at 08:13:12 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> >
> > gpg-agent was always there, started by system boot.
>
> Are you certain? Did you change that at some point? Because if you use the
> default pureOS it doesn't. Just sayin'

Yes. It gets started by systemd (proc 719 here) at boot time:

  root@pureos:/home/purism# ps axl | grep gpg-agent | grep -v grep
  0 1000 2246 719 20 0 83436 5312 do_sel SLs ? 0:01 /usr/bin/gpg-agent --supervised
  root@pureos:/home/purism# ps axl | grep 719 | head -1
  4 1000 719 1 20 0 16440 8448 do_epo Ss ? 0:02 /lib/systemd/systemd --user

I run the L5 with its OpenPGP card since 2021 and I don't remember the
exact setup now. In any case, gpg-agent is there after any reboot.

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
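
The checks discussed in the messages above (enable-ssh-support, sshcontrol, SSH_AUTH_SOCK, and the terminal the agent knows about), collected into one preflight script. This is an added example, not code posted by anyone in the thread; the function names and the --live switch are hypothetical, and the sshcontrol parsing assumes the line format "KEYGRIP [TTL [FLAGS]]" with '#' for comments and a leading '!' for a disabled entry.

```sh
#!/bin/sh
# Added example: preflight checks for using gpg-agent as the ssh-agent.
# Function names and the --live switch are hypothetical; paths are passed in
# so the checks can be run against constructed copies of the config files.

# conf_has_option FILE OPTION: true if OPTION is set on a non-comment line.
conf_has_option() {
    [ -r "$1" ] || return 1
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# sshcontrol_has_keygrip FILE KEYGRIP: true if KEYGRIP is listed and enabled.
# Assumed line format: "KEYGRIP [TTL [FLAGS]]", '#' comment, '!' disabled.
sshcontrol_has_keygrip() (
    [ -r "$1" ] || exit 1
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    while read -r grip _rest || [ -n "$grip" ]; do
        case $grip in ''|'#'*|'!'*) continue ;; esac
        [ "$(printf '%s' "$grip" | tr 'a-f' 'A-F')" = "$want" ] && exit 0
    done < "$1"
    exit 1
)

# gpg_tty_ok VALUE: true if VALUE looks like a terminal device path.
# tty(1) prints the text "not a tty" when stdin is not a terminal, which is
# the GPG_TTY value reported from the agent's environment in the thread.
gpg_tty_ok() {
    case $1 in /dev/*) return 0 ;; *) return 1 ;; esac
}

# preflight GNUPGHOME KEYGRIP GPG_TTY SSH_AUTH_SOCK AGENT_SSH_SOCKET
# Prints one line per finding; the exit status is the number of findings.
preflight() (
    home=$1 grip=$2 tty_val=$3 auth_sock=$4 agent_sock=$5 findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }
    conf_has_option "$home/gpg-agent.conf" enable-ssh-support ||
        note "gpg-agent.conf: enable-ssh-support not set (some distros grep for it)"
    sshcontrol_has_keygrip "$home/sshcontrol" "$grip" ||
        note "sshcontrol: keygrip $grip missing or disabled"
    [ "$auth_sock" = "$agent_sock" ] ||
        note "SSH_AUTH_SOCK is '$auth_sock', gpg-agent listens on '$agent_sock'"
    gpg_tty_ok "$tty_val" ||
        note "GPG_TTY is '$tty_val'; run: gpg-connect-agent updatestartuptty /bye"
    exit "$findings"
)

# Live use: take the values from the running system, then hand the current
# terminal to the agent the way the fix in the thread does.
if [ "${1:-}" = "--live" ]; then
    GPG_TTY=$(tty) && export GPG_TTY
    preflight "$(gpgconf --list-dirs homedir)" "${2:?usage: $0 --live KEYGRIP}" \
        "${GPG_TTY:-}" "${SSH_AUTH_SOCK:-}" \
        "$(gpgconf --list-dirs agent-ssh-socket)" || true
    gpg-connect-agent updatestartuptty /bye
fi
```

Without --live the script only defines the functions, so they can be sourced and pointed at copies of gpg-agent.conf and sshcontrol.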

From guru at unixarea.de Thu May 2 15:31:25 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 2 May 2024 15:31:25 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID:

> I run the L5 with its OpenPGP card since 2021 and I don't remember the
> exact setup now. In any case, gpg-agent is there after any reboot.
>

One issue remains with the now working OpenPGP card for SSH: When the
correct PIN was provided the card remains unlocked, regardless if or not
the SSH session was successful. This is a security problem: On mobile
theft all gpg files are open.

Until now I only used the pass command from password-store and added at
its end:

  purism@pureos:~$ tail -4 /usr/bin/pass
  #
  gpgconf --reload scdaemon
  sleep 2
  exit 0

which locks the card again.

Any ideas?

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From ming at imkuang.com Thu May 2 15:53:09 2024
From: ming at imkuang.com (Ming Kuang)
Date: Thu, 2 May 2024 21:53:09 +0800
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To:
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID: <001701da9c98$157e9430$407bbc90$@imkuang.com>

On Thursday, May 2, 2024 8:44 PM +0200, Matthias Apitz wrote:
> [snip]
> Yes. It gets started by systemd (proc 719 here) at boot time:

Just a heads up (not sure if it's relevant), it doesn't seem to be
recommended to use systemd to start gnupg

Refer to Werner's reply in this thread below:
https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066957.html
https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066959.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL:

From ming at imkuang.com Thu May 2 15:55:32 2024
From: ming at imkuang.com (Ming Kuang)
Date: Thu, 02 May 2024 21:55:32 +0800
Subject: Using a GnuPG crypted RSA key for SSH
Message-ID: <18f3996c396.108775ad56003808.5451810225674431661@imkuang.com>

On Thursday, May 2, 2024 8:44 PM +0200, Matthias Apitz wrote:
> [snip]
> Yes. It gets started by systemd (proc 719 here) at boot time:

Just a heads up (not sure if it's relevant), it doesn't seem to be
recommended to use systemd to start gnupg

Refer to Werner's reply in this thread below:
https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066957.html
https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066960.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/octet-stream
Size: 834 bytes
Desc: not available
URL:

From mcepl at cepl.eu Thu May 2 16:58:22 2024
From: mcepl at cepl.eu (Matěj Cepl)
Date: Thu, 02 May 2024 16:58:22 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To: <18f3996c396.108775ad56003808.5451810225674431661@imkuang.com>
References: <18f3996c396.108775ad56003808.5451810225674431661@imkuang.com>
Message-ID:

On Thu May 2, 2024 at 3:55 PM CEST, Ming Kuang via Gnupg-users wrote:
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066957.html
> https://lists.gnupg.org/pipermail/gnupg-users/2024-March/066960.html

Just for the record, I find the explanation in the later email
rather dubious: systemd can certainly manage a dependence on
shared resource, and concurrent running of two processes at
once. My deep suspicion is that we have here just a little case
of the NIH syndrome (plus, a lack of understanding of
containerized systems like my MicroOS).

I still haven't investigated this piece of Werner's advice:

> Using no-autostart in the common.conf might be useful. We use it always
> when running a remote gpg.

Best,

Matěj

--
http://matej.ceplovi.cz/blog/, @mcepl at floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

In political activity men sail a boundless and bottomless sea;
there is neither harbor for shelter nor floor for anchorage,
neither starting point nor appointed destination.
-- Michael Oakeshott: Rationalism in Politics
-------------- next part --------------
A non-text attachment was scrubbed...
Name: E09FEF25D96484AC.asc
Type: application/pgp-keys
Size: 3102 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 216 bytes
Desc: not available
URL:

From wk at gnupg.org Thu May 2 19:29:50 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 02 May 2024 19:29:50 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To: ("Matěj Cepl via Gnupg-users"'s message of "Thu, 02 May 2024 16:58:22 +0200")
References: <18f3996c396.108775ad56003808.5451810225674431661@imkuang.com>
Message-ID: <87frv05dgx.fsf@jacob.g10code.de>

On Thu, 2 May 2024 16:58, Matěj Cepl said:

> rather dubious: systemd can certainly manage a dependence on
> shared resource, and concurrent running of two processes at

Right. However, systemd does not use the same locking scheme as gnupg
uses to avoid duplicate daemon startup. The gnupg internal startup of
required daemons has been there before systemd was invented and it needs
to work on all platforms - not just on Linux. Having different schemes
here is major problem but the former Debian maintainer (dkg) promised to
take care of all problems due to his patches which added that systemd
startup (--supervised) feature.

Given that history I consider it unlikely that Debian will ever provide
an enhanced ssh version which can be configured to start its ssh-agent
on connection failure.
Thus we need to keep on using the updatestartuptty
thing when using a curses pinentry or a remote X session.

The updatestartup thing does actually two things: Make sure that
gpg-agent is launched (most other commands will do this also) and, more
important, to tell gpg-agent something about the current environment
(GPG_TTY, DISPLAY, etc). I have a patch somewhere to extend the
ssh-agent-protocol to convey envvars but more or less forgot about it.
It would be a useful thing also for other ssh-agents.

> I still haven't investigated this piece of Werner's advice:
>
>> Using no-autostart in the common.conf might be useful. We use it always
>> when running a remote gpg.

That is easy: On a remote box you don't want to run gpg-agent because
this shall instead be handled by ssh socket forwarding. Without such an
option running gpg might start gpg-agent on the remote box and thus take
over the forwarded socket. Instead of adding "no-autostart" to all
config files of gnupg, adding this to common.conf will be sufficient.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From wk at gnupg.org Thu May 2 19:46:33 2024
From: wk at gnupg.org (Werner Koch)
Date: Thu, 02 May 2024 19:46:33 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To: (Matthias Apitz's message of "Thu, 2 May 2024 15:31:25 +0200")
References: <87cyq47n55.fsf@jacob.g10code.de>
Message-ID: <87bk5o5cp2.fsf@jacob.g10code.de>

On Thu, 2 May 2024 15:31, Matthias Apitz said:

> which locks the card again. Any ideas?

If you really want to reset the card after an operation _and_ you are
using pcscd you can use

  gpg-connect-agent 'scd disconnect' /bye

But killing scdaemon is probably the easier and more reliable way:

  gpgconf -K scdaemon

does this by sending the kill command

  gpg-connect-agent 'scd killscd' /bye

Some card applications require a VERIFY command (i.e. asking for the
PIN) for each operation. An OpenPGP card does this only for the signing
key and only if that feature has been enabled (force command of
--card-edit). Remember that there is no PIN cache[1] but the card
application takes the decision when and how often a PIN is required after
power up (of the card).

If you only want to be asked whether the ssh-key shall be used, you can
put a line

  Confirm: yes

into the private-keys-v1.d/.key file of the AUTH (shadow-)key:

  *** Confirm
  If given and the value is "yes", a user will be asked confirmation by
  a dialog window when the key is about to be used for
  PKSIGN/PKAUTH/PKDECRYPT operation. If the value is "restricted", it
  is only asked for the access through extra/browser socket.

Shalom-Salam,

Werner

[1] Actually there is a PIN cache to allow a Yubikey to switch between
the OpenPGP and PIV applications back and forth without requiring a PIN
after each switch. A sample use-case is sending PGP signed mails and
also using a browser or IMAP server with user certificate based
authentication.

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL:

From bostrom.richardh at proton.me Thu May 2 14:01:39 2024
From: bostrom.richardh at proton.me (Richard Bostrom)
Date: Thu, 02 May 2024 12:01:39 +0000
Subject: Sirs.
Message-ID:

Clearsign not working on new debian install. NisT-P21. encryption/ decryption works.

Hej.
Yours sincerely
Richardh Bostrom
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From guru at unixarea.de Fri May 3 10:38:41 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 3 May 2024 10:38:41 +0200
Subject: Using a GnuPG crypted RSA key for SSH
In-Reply-To: <87bk5o5cp2.fsf@jacob.g10code.de>
References: <87cyq47n55.fsf@jacob.g10code.de> <87bk5o5cp2.fsf@jacob.g10code.de>
Message-ID:

On Thursday, May 02, 2024 at 07:46:33 +0200, Werner Koch via Gnupg-users wrote:

> On Thu, 2 May 2024 15:31, Matthias Apitz said:
>
> > which locks the card again. Any ideas?
>
> If you really want to reset the card after an operation _and_ you are
> using pcscd you can use
>
> ...

Thanks for all the hints. The problem with this OpenPGP card in the
cellphone L5 is, that it is not a USB dongle which one could pull out
to invalidate the access to the keys. It sits inside the phone as
a Micro-SIM below the battery.

So I now do with ~/.ssh/config:

  Host *
  # note: this needs in /etc/ssh/ssh_config: PermitLocalCommand yes
  #
  LocalCommand gpgconf --reload scdaemon

This resets the card right after the PIN was provided for the SSH
session. This works fine for ssh(1) command, but not for the scp(1)
command. Even when I say:

  $ scp "-oPermitLocalCommand=yes" foo www.unixarea.de:.

The "ssh" launched by "scp" shows in strace that it is launched with the
value "-oPermitLocalCommand=no":

  $ grep exec scp.tr
  10205 execve("/usr/bin/scp", ["scp", "-oPermitLocalCommand=yes", "foo", "www.unixarea.de"...], 0xffffdf2147a0 /* 32 vars */) = 0
  10206 execve("/usr/bin/ssh", ["/usr/bin/ssh", "-x", "-oPermitLocalCommand=no", "-oClearAllForwardings=yes", "-oRemoteCommand=none", "-oRequestTTY=no", "-o", "PermitLocalCommand=yes", "-oForwardAgent=no", "-l", "XXXXXXXXXXXXXXXX", "--", "www.unixarea.de", "scp -t ."], 0xffffe38c6780 /* 32 vars */) = 0

To overcome this problem I use now a macro "scp" defined in ~/.bashrc

  function scp {
      # call the real scp, passing every argument through unchanged
      command scp "$@"
      local rc=$?
      # lock the OpenPGP card again
      gpgconf --reload scdaemon
      # report the exit status of scp, not of gpgconf
      return $rc
  }

Thanks

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From Eva.Bolten at gnupg.com Fri May 3 14:44:09 2024
From: Eva.Bolten at gnupg.com (Eva Bolten)
Date: Fri, 03 May 2024 14:44:09 +0200
Subject: Adding new uid to causes bad signature
In-Reply-To:
References:
Message-ID: <2352992.BaTRpjFos1@jackson>

Hi,

I have tried to replicate your issue using a Yubikey 5 NFC, doing what you did.

> In general, I don't think my procedure for adding a new uid is abnormal:
> $ gpg --edit-key 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
> gpg> adduid
> gpg> save

For my key and using gpg 2.4.5 on a standard Windows 10 system "check" didn't
give an error and signing a document worked without any issues.
I used a simple brainpool standard testkey with only one subkey, though.

> General info:
> OS: Windows 11 (AtlasOS) & MacOS 14.1.1 (tried on both)
> GPG: GPG 2.4.4.-unknown (bundled with git-scm windows installer), GPG
> 2.4.5 (homebrew)
>
> My public keys:
> Before trying to add a new uid:
> After trying to add a new uid:

Importing your second pubkey did not change anything noticeable, gpg reported
no changes on the key and there is no new UID to be seen.
So it seems it was not exported.

To avoid any confusion does

  gpg -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3

show the new UID for you?

Is there additional info if you add "--list-options show-unusable-uids"
before the "-k"?

Regards

Eva

--
g10 Code GmbH      GnuPG.com            AmtsGer. Wuppertal HRB 14459
Bergstr. 3a                             Geschäftsführung Werner Koch
D-40699 Erkrath    https://gnupg.com    USt-Id DE215605608

From contact at ikkerens.com Fri May 3 15:06:56 2024
From: contact at ikkerens.com (Rens Rikkerink)
Date: Fri, 3 May 2024 15:06:56 +0200
Subject: Adding new uid to causes bad signature
In-Reply-To: <2352992.BaTRpjFos1@jackson>
References: <2352992.BaTRpjFos1@jackson>
Message-ID:

Hey there Eva! And thank you for your reply.

> For my key and using gpg 2.4.5 on a standard Windows 10 system "check" didn't
> give an error and signing a document worked without any issues.

I should perhaps clarify that signing anything else (documents, git
commits) seems to work just fine. I can sign things, and then verify
the signature, and it matches. My issue seems to solely relate to
signing an extra uid.

> Importing your second pubkey did not change anything noticeable, gpg reported
> no changes on the key and there is no new UID to be seen.

That is not the behaviour I am seeing on my end:

$ gpg --import before.asc
gpg: key 29AD46D6F58287A3: public key "Rens Rikkerink " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
$ gpg --import after.asc
gpg: key 29AD46D6F58287A3: 1 bad signature
gpg: key 29AD46D6F58287A3: "Rens Rikkerink " not changed
gpg: Total number processed: 1
gpg: unchanged: 1

As you can see here, the second public key does trigger a slightly different response for me (1 bad signature), so it ignores it and marks the public key as otherwise unchanged.

> To avoid any confusion does
>
> gpg -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
>
> show the new UID for you?

Yes, it does:

$ gpg -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
gpg: checking the trustdb
gpg: no ultimately trusted keys found
pub ed25519 2022-10-26 [CA]
      408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
uid [ unknown] Rens Rikkerink
uid [ unknown] Rens Rikkerink
sub ed25519 2022-10-26 [S]
sub cv25519 2022-10-26 [E]

> Is there additional info if you add "--list-options show-unusable-uids"
> before the "-k"?

No further information as far as I can tell:

$ gpg --list-options show-unusable-uids -k 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
pub ed25519 2022-10-26 [CA]
      408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
uid [ unknown] Rens Rikkerink
uid [ unknown] Rens Rikkerink
sub ed25519 2022-10-26 [S]
sub cv25519 2022-10-26 [E]

Thank you for your time so far.

Yours,
Rens Rikkerink

From wk at gnupg.org Fri May 3 15:36:20 2024
From: wk at gnupg.org (Werner Koch)
Date: Fri, 03 May 2024 15:36:20 +0200
Subject: Adding new uid to causes bad signature
In-Reply-To: (Rens Rikkerink via Gnupg-users's message of "Fri, 3 May 2024 15:06:56 +0200")
References: <2352992.BaTRpjFos1@jackson>
Message-ID: <87r0ej3tm3.fsf@jacob.g10code.de>

Hi!

Given that you have an uncommon primary key I would like to see some information of the card. Please run

gpg-card

to get infos on the card and used keys.
In case you don't want to share this with the list, feel free to send it to Eva or me directly (wk at gnupg.org - no html parts).

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From contact at ikkerens.com Fri May 3 15:41:27 2024
From: contact at ikkerens.com (Rens Rikkerink)
Date: Fri, 3 May 2024 15:41:27 +0200
Subject: Adding new uid to causes bad signature
In-Reply-To: <87r0ej3tm3.fsf@jacob.g10code.de>
References: <2352992.BaTRpjFos1@jackson> <87r0ej3tm3.fsf@jacob.g10code.de>
Message-ID:

Hey there Werner! And thank you too for your reply.

> Please run
>
> gpg-card
>
> to get infos on the card and used keys.

No problem at all:

$ gpg-card
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Card type ........: yubikey
Card firmware ....: 5.4.3
Serial number ....: D2760001240100000006223145200000
Application type .: OpenPGP
Version ..........: 3.4
Displayed s/n ....: 22 314 520
Manufacturer .....: Yubico (6)
Name of cardholder: Rens Rikkerink
Language prefs ...: en
Salutation .......: Mr.
URL of public key : https://github.com/ikkerens.gpg
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 1192
Capabilities .....: key-import algo-change button priv-data
KDF setting ......: on
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 4DCD2F5D0F303B60FAFDB469BA33F314281B2D1B
      keyref .....: OPENPGP.1 (sign,cert)
      algorithm ..: ed25519
      stored fpr .: 6AA6FC5597E89BDC19ADD6AFCF2FEC503A89BCFF
      created ....: 2022-10-26 18:20:54
      used for ...: OpenPGP
        main key .:
        fpr ......: 6AA6FC5597E89BDC19ADD6AFCF2FEC503A89BCFF
        created ..: 2022-10-26 18:20:54
        user id ..: Rens Rikkerink
        user id ..: Rens Rikkerink
Encryption key....: 993197BDCB9A09A16C4918DED4310EEF4B6582E2
      keyref .....: OPENPGP.2 (encr)
      algorithm ..: cv25519
      stored fpr .: FA57A5CBF68A422B1A54AC49A17864EE2C2102F8
      created ....: 2022-10-26 18:21:17
      used for ...: OpenPGP
        main key .:
        fpr ......: FA57A5CBF68A422B1A54AC49A17864EE2C2102F8
        created ..: 2022-10-26 18:21:17
        user id ..: Rens Rikkerink
        user id ..: Rens Rikkerink
Authentication key: EB59A450FF4E1B233C523B860E458EF6D043DFE8
      keyref .....: OPENPGP.3 (sign,auth)
      algorithm ..: ed25519
      stored fpr .: 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
      created ....: 2022-10-26 18:20:28
      used for ...: OpenPGP
        main key .:
        fpr ......: 408FB2EBC3DF3DBBE0143D9A29AD46D6F58287A3
        created ..: 2022-10-26 18:20:28
        user id ..: Rens Rikkerink
        user id ..: Rens Rikkerink

> Given that you have an uncommon primary key

Out of sheer curiosity, would you mind enlightening me on what part of my primary key is "uncommon"?

Yours,
Rens Rikkerink

From ming at imkuang.com Sat May 4 09:34:36 2024
From: ming at imkuang.com (Ming Kuang)
Date: Sat, 4 May 2024 15:34:36 +0800
Subject: Adding new uid to causes bad signature
In-Reply-To: <2352992.BaTRpjFos1@jackson>
References: <2352992.BaTRpjFos1@jackson>
Message-ID: <000001da9df5$85127a60$8f376f20$@imkuang.com>

On Friday, May 3, 2024 8:44 PM +0800, Eva Bolten wrote:
> [snip]
> Importing your second pubkey did not change anything noticeable, gpg reported
> no changes on the key and there is no new UID to be seen.
> So it seems it was not exported. To avoid any confusion does

This may be due to the fact that gnupg ignores invalid self-signed uids by default. There is an --allow-non-selfsigned-uid parameter that allows importing such a uid (replaced email addresses to avoid crawler spamming):

~$ gpg --verbose --import --allow-non-selfsigned-uid test2.asc
gpg: pub ed25519/29AD46D6F58287A3 2022-10-26 Rens Rikkerink
gpg: key 29AD46D6F58287A3: 1 bad signature
gpg: key 29AD46D6F58287A3: invalid self-signature on user ID "Rens Rikkerink "
gpg: key 29AD46D6F58287A3: accepted non self-signed user ID "Rens Rikkerink "
gpg: key 29AD46D6F58287A3: "Rens Rikkerink " 1 new user ID
gpg: key 29AD46D6F58287A3: "Rens Rikkerink " 1 new signature
gpg: Total number processed: 1
gpg: new user IDs: 1
gpg: new signatures: 1

And I've noticed that the preferences list seems a bit strange (only SHA1 digest?):

gpg> showpref
[ unknown] (1). Rens Rikkerink < xxx1>
     Cipher: AES256, AES192, AES, 3DES
     AEAD: OCB, [1]
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ unknown] (2) Rens Rikkerink < xxx2>
     Cipher: 3DES
     AEAD:
     Digest: SHA1
     Compression: ZIP, Uncompressed
     Features: AEADKeyserver no-modify

Also, @Werner, Do we have an error in the formatting of the Features line of the showpref command in --edit-key? I think there should be a comma between "AEAD" and "Keyserver no-modify".

From ametzler at bebt.de Sat May 4 18:45:58 2024
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 4 May 2024 18:45:58 +0200
Subject: 2.2.43 and vsd-allow-ocb
Message-ID:

Hello,

2.2.42's NEWS said

 * gpg: Support OCB encryption. [T6263]

and https://dev.gnupg.org/T6263 shows two commits

rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
rGa545e14e8a74 gpg: Support OCB encryption.

The commit message for 0a355b2fe7d8 said

| * g10/gpg.c (compatibility_flags): Add "vsd-allow-ocb".
| (main): And set it.

Which I understand to mean that 2.2.43 would by default both generate keys with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set. And this behavior could have been disabled with '--compatibility-flags none'.

However afaict (gpg --compatibility-flags ?) the flag is not set by default and indeed --quick-generate-key without --compatibility-flags vsd-allow-ocb generates a key without "AEAD: OCB" and does not use OCB for encrypting to a key with "AEAD: OCB" set.

Is my understanding flawed?

cu Andreas

--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From wk at gnupg.org Mon May 6 14:25:12 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 06 May 2024 14:25:12 +0200
Subject: 2.2.43 and vsd-allow-ocb
In-Reply-To: (Andreas Metzler's message of "Sat, 4 May 2024 18:45:58 +0200")
References:
Message-ID: <87ikzr2klz.fsf@jacob.g10code.de>

Hi!

On Sat, 4 May 2024 18:45, Andreas Metzler said:

> rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
> rGa545e14e8a74 gpg: Support OCB encryption.

> Which I understand to mean that 2.2.43 would by default both generate keys
> with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set.
> And this behavior could have been disabled with '--compatibility-flags

No misunderstood this. OCB encryption is indeed supported regardless of the compatibility flag. What the compatibility flag does is to allow OCB also in --compliance=de-vs mode. This was required because at the time of the release we had not yet an approval to use this for VS-NfD/Restricted communication. Thus in the GnuPG VS-Desktop configuration this option is only set after we received the approval.

For key generation the flag is indeed not set by default:

      /* For now we require a compat flag to set OCB into the preferences. */
      if (!(opt.compat_flags & COMPAT_VSD_ALLOW_OCB))
        ocb = 0;

Because we don't want to create key so that sites required to use de-vs compliance mode won't end up with keys which claim to support a non-approved encryption scheme.

Thanks for this reminder, that compatibility flag can now be removed.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From ametzler at bebt.de Mon May 6 18:26:30 2024
From: ametzler at bebt.de (Andreas Metzler)
Date: Mon, 6 May 2024 18:26:30 +0200
Subject: 2.2.43 and vsd-allow-ocb
In-Reply-To: <87ikzr2klz.fsf@jacob.g10code.de>
References: <87ikzr2klz.fsf@jacob.g10code.de>
Message-ID:

On 2024-05-06 Werner Koch wrote:
> On Sat, 4 May 2024 18:45, Andreas Metzler said:

> > rG0a355b2fe7d8 gpg: Add compatibility flag "vsd-allow-ocb"
> > rGa545e14e8a74 gpg: Support OCB encryption.

> > Which I understand to mean that 2.2.43 would by default both generate keys
> > with 'AEAD: OCB' and use OCB when encrypting to keys with that flag set.
> > And this behavior could have been disabled with '--compatibility-flags

> No misunderstood this. OCB encryption is indeed supported regardless of
> the compatibility flag.
> What the compatibility flag does is to allow OCB also in
> --compliance=de-vs mode.
[...]

Hello Werner,

So in my test (without --compliance=de-vs) 2.2.43 /should/ have automatically used OCB when encrypting for a key which has 'AEAD: OCB' set?

cu Andreas

--
`What a good friend you are to him, Dr. Maturin.
His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From wk at gnupg.org Tue May 7 09:28:31 2024
From: wk at gnupg.org (Werner Koch)
Date: Tue, 07 May 2024 09:28:31 +0200
Subject: 2.2.43 and vsd-allow-ocb
In-Reply-To: (Andreas Metzler's message of "Mon, 6 May 2024 18:26:30 +0200")
References: <87ikzr2klz.fsf@jacob.g10code.de>
Message-ID: <87o79i13og.fsf@jacob.g10code.de>

On Mon, 6 May 2024 18:26, Andreas Metzler said:

> So in my test (without --compliance=de-vs) 2.2.43 /should/ have
> automatically used OCB when encrypting for a key which has 'AEAD: OCB'
> set?

Yes. Check with --debug=lookup which and why keys are selected.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From guru at unixarea.de Sat May 11 18:11:19 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Sat, 11 May 2024 18:11:19 +0200
Subject: setup of OpenPGP card not asking for keysize
Message-ID:

Hello,

I'm setting up a new OpenPGP card I've got from Purism for my second mobile L5. During the key generation it is not asking for the length of the key 2024 or 4096 bits.
The status is:

purism at pureos:~$ gpg --card-status
Reader ...........: L5 built-in SmartCard Reader 00 00
Application ID ...: D27600012401030400050000CF410000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000CF41
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 4
KDF setting ......: off
Signature key ....: 0880 352D F31B 5AED 8E90 FC5B 0650 0BB7 D65F 4BE3
      created ....: 2024-05-11 15:18:52
Encryption key....: 3E6E 4F1D 541F 9BD8 CEF7 C01C EE22 0666 1921 411A
      created ....: 2024-05-11 15:18:52
Authentication key: 1274 5D73 CDA7 69B5 979D 2FE9 5E3B 2EB2 1466 6396
      created ....: 2024-05-11 15:18:52
General key info..: pub rsa2048/06500BB7D65F4BE3 2024-05-11 Matthias Apitz (OpenPGP card)
sec> rsa2048/06500BB7D65F4BE3 created: 2024-05-11 expires: never
     card-no: 0005 0000CF41
ssb> rsa2048/5E3B2EB214666396 created: 2024-05-11 expires: never
     card-no: 0005 0000CF41
ssb> rsa2048/EE2206661921411A created: 2024-05-11 expires: never
     card-no: 0005 0000CF41

I can do 'generate' again because the keys are still not in use. Older cards in the dialog were asking (as my write-ups show):

...
What keysize do you want for the Signature key? (2048) 4096
The card will now be re-configured to generate a key of 4096 bits
...

How can I force keysize 4094?

Thanks

	matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From guru at unixarea.de Sun May 12 15:22:56 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Sun, 12 May 2024 15:22:56 +0200
Subject: setup of OpenPGP card not asking for keysize
In-Reply-To:
References:
Message-ID:

I did a factory reset and changed the keylength with the subcommand 'key-attr' to 4096. All fine and one must be patient as the key 'generate' takes significantly longer.

	matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From wk at gnupg.org Mon May 13 08:09:09 2024
From: wk at gnupg.org (Werner Koch)
Date: Mon, 13 May 2024 08:09:09 +0200
Subject: setup of OpenPGP card not asking for keysize
In-Reply-To: (Matthias Apitz's message of "Sun, 12 May 2024 15:22:56 +0200")
References:
Message-ID: <87wmnyxmyi.fsf@jacob.g10code.de>

On Sun, 12 May 2024 15:22, Matthias Apitz said:

> I did a factory reset and changed the keylength with the subcommand
> 'key-attr' to 4096. All fine and one must be patient as the key
> 'generate' takes significantly longer.

That's why I always suggest to use ECC instead of RSA on smartcards.

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From patrick at enigmail.net Wed May 15 06:48:19 2024
From: patrick at enigmail.net (Patrick Brunschwig)
Date: Wed, 15 May 2024 06:48:19 +0200
Subject: Invitation to the 8th OpenPGP Email Summit
Message-ID: <28a8effb-6de3-8cf9-2d18-11678955e644@enigmail.net>

On behalf of the Wau Holland Stiftung, I'm happy to invite you to the 8th OpenPGP Email Summit which will take place:

   Friday, June 7 & Saturday, June 8 2024
   in Dietzenbach near Frankfurt, at the Hotel Sonnenhof

SCHEDULE OVERVIEW
=================

Hacking Day: Thursday, June 6, 2024
Main Event: Friday June 7 & Saturday June 8, 2024

REGISTRATION & EVENT DETAILS
============================

All details including the agenda are available on the web site:
https://wiki.gnupg.org/OpenPGPEmailSummit202406

ABOUT THE OpenPGP EMAIL SUMMIT
==============================

This is an event open for anybody involved in the development of email clients using OpenPGP for encryption, and related software.

We already had 7 OpenPGP Email Summits at various locations in Europe. These are meetings by technical experts of projects and tools dealing with OpenPGP with a focus on email encryption.

The goals are to better get to know each other, and to discuss and work on issues that hopefully improve certain aspects of OpenPGP-based email encryption.

For details, see https://wiki.gnupg.org/OpenPGPEmailSummit202406

Looking forward to meeting you in Dietzenbach

-Patrick

--
Wau-Holland-Stiftung
Zeiseweg 9
22765 Hamburg/Germany
http://www.wauland.de

From guru at unixarea.de Wed May 15 11:34:47 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Wed, 15 May 2024 11:34:47 +0200
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
Message-ID:

Hello,

I'm using an OpenPGP card in my cellphone Purism L5 for GnuPG actions (password-store, SSH, ...). It mostly takes some 8-9 seconds until the PIN entry dialog pops up. I enabled debug log for the gpg-agent and the scdaemon, see below, and the time is consumed by the scdaemon waiting for something. What does this mean?

	matthias

/tmp/gpg-agent-debug.log:

2024-05-15 10:55:09 gpg-agent[2565] DBG: chan_11 -> BYE
2024-05-15 11:07:58 gpg-agent[2565] ssh handler 0xffffb17ff1e0 for fd 10 started
2024-05-15 11:07:58 gpg-agent[2565] ssh request handler for request_identities (11) started
2024-05-15 11:07:58 gpg-agent[2565] no running SCdaemon - starting it
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK GNU Privacy Guard's Smartcard server ready
2024-05-15 11:07:58 gpg-agent[2565] DBG: first connection to SCdaemon established
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> GETINFO socket_name
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- D /run/user/1000/gnupg/S.scdaemon
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
2024-05-15 11:07:58 gpg-agent[2565] DBG: additional connections at '/run/user/1000/gnupg/S.scdaemon'
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> OPTION event-signal=12
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> SERIALNO

it takes 8-9 secs to get the card's SERIALNO from the scdaemon

2024-05-15 11:08:07 gpg-agent[2565] DBG: chan_11 <- S SERIALNO D27600012401030400050000A6FE0000
...

/tmp/scdaemon-debug.log:

2024-05-15 11:07:58 scdaemon[16983] listening on socket '/run/user/1000/gnupg/S.scdaemon'
2024-05-15 11:07:58 scdaemon[16983] handler for fd -1 started
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- GETINFO socket_name
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> D /run/user/1000/gnupg/S.scdaemon
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- OPTION event-signal=12
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO

It takes 8 secs until scdaemon detects the reader, what does this mean?

2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 01'
2024-05-15 11:08:06 scdaemon[16983] reader slot 0: not connected
2024-05-15 11:08:06 scdaemon[16983] reader slot 0: active protocol: T1
2024-05-15 11:08:06 scdaemon[16983] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
2024-05-15 11:08:06 scdaemon[16983] AID: D2 76 00 01 24 01 03 04 00 05 00 00 A6 FE 00 00
2024-05-15 11:08:06 scdaemon[16983] Historical Bytes: 00 31 F5 73 C0 01 60 05 90 00
2024-05-15 11:08:06 scdaemon[16983] Version-2+ .....: yes
...

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.
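
An added example (not part of the message above and not GnuPG code): a small script that locates where the time goes in gpg-agent/scdaemon debug logs like the ones quoted above, by reporting gaps between consecutive entries of one process while an Assuan command is still waiting for its OK/ERR. The function names, the 3-second threshold and the pending-command heuristic (one active channel per process) are assumptions of this example; the sample lines are copied from the logs in the message.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Excerpt copied from the gpg-agent and scdaemon debug logs in the message above.
SAMPLE_LOG = """\
2024-05-15 10:55:09 gpg-agent[2565] DBG: chan_11 -> BYE
2024-05-15 11:07:58 gpg-agent[2565] ssh handler 0xffffb17ff1e0 for fd 10 started
2024-05-15 11:07:58 gpg-agent[2565] no running SCdaemon - starting it
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK GNU Privacy Guard's Smartcard server ready
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> GETINFO socket_name
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- D /run/user/1000/gnupg/S.scdaemon
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> SERIALNO
it takes 8-9 secs to get the card's SERIALNO from the scdaemon
2024-05-15 11:08:07 gpg-agent[2565] DBG: chan_11 <- S SERIALNO D27600012401030400050000A6FE0000
2024-05-15 11:07:58 scdaemon[16983] handler for fd -1 started
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- OPTION event-signal=12
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO
2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
2024-05-15 11:08:06 scdaemon[16983] reader slot 0: not connected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
ASSUAN_RE = re.compile(r"^DBG: chan_\d+ (?:<-|->) (?P<payload>.*)$")
TERMINAL = {"OK", "ERR", "BYE"}   # these end a command (or the session)
CONTINUATION = {"D", "S", "#"}    # data, status, comment: command still running


@dataclass
class Stall:
    process: str
    pid: int
    pending: str        # Assuan command that had not been answered yet
    seconds: float      # silence in this process's log
    resumed_with: str   # first message logged after the silence


def parse(lines):
    """Yield (timestamp, process, pid, message); skip lines without a log prefix."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["proc"], int(m["pid"]), m["msg"]


def find_stalls(lines, threshold=3.0):
    """Return gaps >= threshold seconds that occur while a command is pending.

    Idle time between sessions (after OK/ERR/BYE) is not reported, so the
    13-minute pause before the ssh request in the sample is ignored.
    """
    last_ts, pending, stalls = {}, {}, []
    for ts, proc, pid, msg in parse(lines):
        key = (proc, pid)
        if key in last_ts and pending.get(key):
            gap = (ts - last_ts[key]).total_seconds()
            if gap >= threshold:
                stalls.append(Stall(proc, pid, pending[key], gap, msg))
        last_ts[key] = ts
        m = ASSUAN_RE.match(msg)
        if m:
            words = m["payload"].split(None, 1)
            verb = words[0] if words else ""
            if verb in TERMINAL:
                pending[key] = None
            elif verb not in CONTINUATION:
                pending[key] = m["payload"]
    return sorted(stalls, key=lambda s: s.seconds, reverse=True)


if __name__ == "__main__":
    for s in find_stalls(SAMPLE_LOG.splitlines()):
        print(f"{s.process}[{s.pid}] waited {s.seconds:.0f}s on "
              f"'{s.pending}', resumed with: {s.resumed_with}")
```
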

From guru at unixarea.de Thu May 16 08:18:00 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 16 May 2024 08:18:00 +0200
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
In-Reply-To: <87h6eyi9d7.fsf@akagi.fsij.org>
References: <87h6eyi9d7.fsf@akagi.fsij.org>
Message-ID:

On Thursday, May 16, 2024 at 03:00:52 +0900, NIIBE Yutaka wrote:

> Hello,
>
> I wonder if it takes always 8-9 secs, or it's only for the first time.
>
> Matthias Apitz wrote:
> > /tmp/scdaemon-debug.log:
> [...]
> > 2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO
> >
> > It takes 8 secs until scdaemon detects the reader, what does this mean?
> >
> > 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
> > 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 01'
>
> The scdaemon dynamically loads PC/SC shared library and asks PC/SC
> service for available card readers. PC/SC service is invoked, if not
> there. Then, PC/SC service dynamically loads serial driver
> (libccidtwin.so). And it's the serial driver which accesses the card
> access chip (IIUC, it's STM32L4xx). That's what is going on.
>
> But 8 seconds are too much. Something is going wrong...

purism at pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:10:56 AM CEST
foo 100% 0 0.0KB/s 00:00
Thu 16 May 2024 08:11:11 AM CEST

15 secs (~4-5 of them to enter the PIN)

purism at pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:11:22 AM CEST
foo 100% 0 0.0KB/s 00:00
Thu 16 May 2024 08:11:30 AM CEST

8 secs (~4-5 of them to enter the PIN)

purism at pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:11:42 AM CEST
foo 100% 0 0.0KB/s 00:00
Thu 16 May 2024 08:11:49 AM CEST

7 secs (~4-5 of them to enter the PIN)

purism at pureos:~$ date ; scp foo $ua:. ; date
Thu 16 May 2024 08:12:33 AM CEST
foo 100% 0 0.0KB/s 00:00
Thu 16 May 2024 08:12:41 AM CEST

8 secs (~4-5 of them to enter the PIN)

It seems that the first time is longer. I will increase the debug-level for scdaemon.

	matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From gniibe at fsij.org Thu May 16 08:00:52 2024
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 16 May 2024 15:00:52 +0900
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
In-Reply-To:
References:
Message-ID: <87h6eyi9d7.fsf@akagi.fsij.org>

Hello,

I wonder if it takes always 8-9 secs, or it's only for the first time.

Matthias Apitz wrote:
> /tmp/scdaemon-debug.log:
[...]
> 2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO
>
> It takes 8 secs until scdaemon detects the reader, what does this mean?
>
> 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
> 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 01'

The scdaemon dynamically loads PC/SC shared library and asks PC/SC service for available card readers. PC/SC service is invoked, if not there. Then, PC/SC service dynamically loads serial driver (libccidtwin.so). And it's the serial driver which accesses the card access chip (IIUC, it's STM32L4xx). That's what is going on.

But 8 seconds are too much. Something is going wrong...
--

From gniibe at fsij.org Thu May 16 09:09:44 2024
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Thu, 16 May 2024 16:09:44 +0900
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
In-Reply-To:
References: <87h6eyi9d7.fsf@akagi.fsij.org>
Message-ID: <87eda2i66f.fsf@akagi.fsij.org>

Hello,

Matthias Apitz wrote:
> It seems that the first time is longer. I will increase the debug-level
> for scdaemon.

Thank you for the information. I think that it's better to debug how PC/SC goes.

To get full debug log in lower level, you can invoke pcscd manually with root:

# LIBCCID_ifdLogLevel=0xffff pcscd -f --debug
--

From guru at unixarea.de Thu May 16 10:14:04 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 16 May 2024 10:14:04 +0200
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
In-Reply-To: <87eda2i66f.fsf@akagi.fsij.org>
References: <87h6eyi9d7.fsf@akagi.fsij.org> <87eda2i66f.fsf@akagi.fsij.org>
Message-ID:

On Thursday, May 16, 2024 at 04:09:44 +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
> > It seems that the first time is longer. I will increase the debug-level
> > for scdaemon.
>
> Thank you for the information. I think that it's better to debug how
> PC/SC goes.
>
> To get full debug log in lower level, you can invoke pcscd manually with
> root:
>
> # LIBCCID_ifdLogLevel=0xffff pcscd -f --debug

This isn't that easy. The pcscd is running (when needed) as:

purism at pureos:~$ ps ax | grep pcscd
2151 ? Ssl 0:00 /usr/sbin/pcscd --foreground --auto-exit

it is launched by a system service:

root at pureos:/home/purism# systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor pres>
    Drop-In: /usr/lib/systemd/system/pcscd.service.d
             └─librem5.conf
     Active: active (running) since Thu 2024-05-16 10:02:44 CEST; 12s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
    Process: 27601 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/>
    Process: 27602 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/>
   Main PID: 27603 (pcscd)
      Tasks: 5 (limit: 3015)
     Memory: 752.0K
        CPU: 303ms
     CGroup: /system.slice/pcscd.service
             └─27603 /usr/sbin/pcscd --foreground --auto-exit

I killed a running pcscd and started it as root as you say, but this makes gpg-agent fail to communicate.
I have to figure out how to set your env var LIBCCID_ifdLogLevel=0xffff and to where the debug log of pcscd goes in this case. This will take a while....

	matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.

From gniibe at fsij.org Fri May 17 06:39:55 2024
From: gniibe at fsij.org (NIIBE Yutaka)
Date: Fri, 17 May 2024 13:39:55 +0900
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
In-Reply-To:
References: <87h6eyi9d7.fsf@akagi.fsij.org> <87eda2i66f.fsf@akagi.fsij.org>
Message-ID: <87jzjtgig4.fsf@akagi.fsij.org>

Hello,

Matthias Apitz wrote:
> This isn't that easy. The pcscd is running (when needed) as:
>
> purism at pureos:~$ ps ax | grep pcscd
> 2151 ? Ssl 0:00 /usr/sbin/pcscd --foreground --auto-exit
>
> it is launched by a system service:

I see. IIUC, PureOS is Debian based. There should be a file for systemd as /lib/systemd/system/pcscd.service. Its content is something like:

==========================
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
ExecReload=/usr/sbin/pcscd --hotplug
EnvironmentFile=-/etc/default/pcscd

[Install]
Also=pcscd.socket
==========================

Then, to debug PC/SC service, you can have a file /etc/default/pcscd with:

==========================
PCSCD_ARGS=--debug
LIBCCID_ifdLogLevel=0xffff
==========================

Kill pcscd by systemctl, if any. Kill the scdaemon by:

$ gpgconf --kill scdaemon

And then, when you try to access OpenPGP card by SSH or GnuPG, gpg-agent invokes scdaemon, scdaemon tries to access PC/SC service, pcscd is invoked by socket activation with systemd.

You can see the debug log by journalctl.
--

From guru at unixarea.de Fri May 17 07:21:45 2024
From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 17 May 2024 07:21:45 +0200
Subject: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
In-Reply-To: <87jzjtgig4.fsf@akagi.fsij.org>
References: <87h6eyi9d7.fsf@akagi.fsij.org> <87eda2i66f.fsf@akagi.fsij.org> <87jzjtgig4.fsf@akagi.fsij.org>
Message-ID:

On Friday, May 17, 2024 at 01:39:55 +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
> > This isn't that easy. The pcscd is running (when needed) as:
> >
> > purism at pureos:~$ ps ax | grep pcscd
> > 2151 ? Ssl 0:00 /usr/sbin/pcscd --foreground --auto-exit
> >
> > it is launched by a system service:
>
> I see. IIUC, PureOS is Debian based. There should be a file for systemd
> as /lib/systemd/system/pcscd.service. Its content is something like:
> ...

I did it already with editing/creating the files and commands below. Putting '--debug' in a variable with Environment= as your hint is far more elegant and would remove the service override.conf method.

The output went to /var/log/syslog, some 10.000 lines of one PIN request. I haven't found time to study them.

	matthias

/lib/systemd/system/pcscd.service:

[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
ExecStart=/usr/sbin/pcscd --foreground --auto-exit
ExecReload=/usr/sbin/pcscd --hotplug

[Install]
Also=pcscd.socket

/etc/systemd/system/pcscd.service.d/override.conf:

[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
# ExecStart=/usr/sbin/pcscd --foreground --auto-exit --debug
ExecReload=/usr/sbin/pcscd --hotplug

[Install]
Also=pcscd.socket

/usr/lib/systemd/system/pcscd.service.d/librem5.conf:

[Service]
Environment="LIBCCID_ifdLogLevel=0xffff"
ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 5"
ExecStopPost=/bin/bash -c "echo 0 > /sys/class/leds/smc_en/brightness"
StandardOutput=syslog
StandardError=syslog

systemctl stop pcscd.service
systemctl daemon-reload
systemctl start pcscd.service

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. Я не воюю с Россией.
Ich bin nicht im Krieg mit Russland.