From pikolasikolatest2 at gmail.com Mon Aug 4 12:13:47 2025
From: pikolasikolatest2 at gmail.com (walid falcon)
Date: Mon, 4 Aug 2025 11:13:47 +0100
Subject: Paternity certificate in Morocco
Message-ID: 

https://www.targir.com/2025/04/blog-post_14.html

From andrew at apnorton.com Mon Aug 11 20:10:48 2025
From: andrew at apnorton.com (Andrew Norton)
Date: Mon, 11 Aug 2025 14:10:48 -0400
Subject: No announcement for GnuPG 2.4.8?
Message-ID: 

Hi all,

I was setting up a new computer (so I have no *existing* trusted gpg
installation to verify a signature), and I was attempting to follow the
instructions to perform an integrity check on the 2.4.8 tarball on
gnupg.org.
The instructions state:

> If you are not able to use an old version of GnuPG, you can still verify
> the file's SHA-1 checksum. This is less secure, because if someone modified
> the files as they were transferred to you, it would not be much more effort
> to modify the checksums that you see on this webpage. As such, if you use
> this method, you should compare the checksums with those in release
> announcement. This is sent to the gnupg-announce mailing list (among
> others), which is widely mirrored. Don't use the mailing list archive on
> this website, but find the announcement on several other websites and make
> sure the checksum is consistent. This makes it more difficult for an
> attacker to trick you into installing a modified version of the software.

However, I cannot locate any release announcement for 2.4.8; the NEWS file
just goes straight from 2.4.6 to 2.5.0. All I can find online anywhere is a
Reddit thread of someone asking why there was no release announcement and
not getting an answer.

Is there another source I can reference for the checksum? As it stands, it
looks like I might have to install an older version for which I can find a
release announcement, then use the older version to validate the signature
on the newer release.

Thanks,
Andrew

From wk at gnupg.org Tue Aug 12 09:49:59 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Aug 2025 09:49:59 +0200
Subject: No announcement for GnuPG 2.4.8?
In-Reply-To: (Andrew Norton's message of "Mon, 11 Aug 2025 14:10:48 -0400")
References: 
Message-ID: <87zfc5nfmg.fsf@jacob.g10code.de>

On Mon, 11 Aug 2025 14:10, Andrew Norton said:

> However, I cannot locate any release announcement for 2.4.8

Indeed there is no announcement. I recall that I wanted to wait for
gpg4win 4.4.1 and that took longer than expected and the announcement was
then forgotten.
Frankly we are mostly working on 2.5 which will soon be 2.6 and then
replace 2.4.

> Is there another source I can reference for the checksum? As it stands, it
> looks like I might have to install an older version for which I can find a

https://gnupg.org/download/integrity_check.html

has the checksums for all current versions. You can also download

https://versions.gnupg.org/swdb.lst
https://versions.gnupg.org/swdb.lst.sig

which has the checksums and the file is signed.

> release announcement, then use the older version to validate the signature

I assumed that any system has some version of gpg installed.

Shalom-Salam,

Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From wk at gnupg.org Tue Aug 12 10:08:04 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 12 Aug 2025 10:08:04 +0200
Subject: [Announce] GnuPG 2.4.8 was released in May
Message-ID: <87v7mtnesb.fsf@jacob.g10code.de>

Hello!

We forgot to send out the announcement for GnuPG 2.4.8 which was released
in May 2025. Please note that the 2.4 series will reach end-of-life on
2026-06-30 and for new systems we suggest to already use the 2.5 version.
Note also the new Debian style packages.

What is GnuPG
=============

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP (aka LibrePGP) and S/MIME standards.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories. GnuPG itself is a command line tool with features for easy
integration with other applications. The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.
A wealth of frontend applications and libraries making use of GnuPG are
available. As a universal crypto engine GnuPG provides support for S/MIME
and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be
freely used, modified and distributed under the terms of the GNU General
Public License.

Noteworthy changes in version 2.4.8 (2025-05-14)
------------------------------------------------

  * gpg: Fix a verification DoS due to a malicious subkey in the
    keyring. [T7527]

  * gpg: Fix a regression in 2.4.7 for generating a key from card.
    [T7457]

  * gpg: Fix --quick-add-key for Weierstrass ECC with usage given.
    [T7506]

  * gpg: Fully implement the group key flag. [rGedd01d8fc4]

  * gpg: Make combination of show-only-fpr-mbox and show-unusable-uid
    work. [rGeb2a90d343]

  * gpgsm: Do not return an error code when importing a certificate
    with an empty subject. [T7171]

  * scd: Accept P15 cards with a zero-length label. [rG18b4ebb28a]

  * keyboxd: Use case-insensitive search for mail addresses. [T7576]

  * gpgconf: Fix reload and kill of keyboxd. [T7569]

  * w32: Fix possible lockup due to lost select results. [rG9448d01d61]

Release-info: https://dev.gnupg.org/T7428

Getting the Software
====================

Please follow the instructions found at or read on:

GnuPG may be downloaded from one of the GnuPG mirror sites or direct from
its primary FTP server. The list of mirrors can be found at . Note that
GnuPG is not available at ftp.gnu.org.

The GnuPG source code and its OpenPGP signature are available here:

https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2 (8M)
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.8.tar.bz2.sig

A source code version with all GnuPG related libraries:

https://gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.4.8_20250514.tar.xz (16M)
https://gnupg.org/ftp/gcrypt/gnupg/gnupg-w32-2.4.8_20250514.tar.xz.sig

For some Debian based systems we also provide binaries.
See

https://repos.gnupg.org/deb/gnupg/bookworm/
https://repos.gnupg.org/deb/gnupg/trixie/
https://repos.gnupg.org/deb/gnupg/daedalus/
https://repos.gnupg.org/deb/gnupg/excalibur/
https://repos.gnupg.org/deb/gnupg/jammy/
https://repos.gnupg.org/deb/gnupg/noble/
https://repos.gnupg.org/deb/gnupg/plucky/

For the suggested 2.5 version just replace "gnupg" in the URLs by
"gnupg-devel".

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install
is an original and unmodified one, you can do it in one of the following
ways:

 * If you already have a version of GnuPG installed, you can simply verify
   the supplied signature. For example to verify the signature of the file
   gnupg-2.4.8.tar.bz2 you would use this command:

     gpg --verify gnupg-2.4.8.tar.bz2.sig gnupg-2.4.8.tar.bz2

   This checks whether the signature file matches the source file. You
   should see a message indicating that the signature is good and made by
   one or more of the release signing keys. Make sure that this is a valid
   key, either by matching the shown fingerprint against a trustworthy list
   of valid release signing keys or by checking that the key has been
   signed by trustworthy other keys. See the end of this mail for
   information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have to
   verify the SHA-1 checksum. On Unix systems the command to do this is
   either "sha1sum" or "shasum".
   Assuming you downloaded the file gnupg-2.4.8.tar.bz2, you run the
   command like this:

     sha1sum gnupg-2.4.8.tar.bz2

   and check that the output matches the next line:

c704085aa7cc131a67edd0b7c0c90e5c35ee4adb  gnupg-2.4.8.tar.bz2
c5b3e12f2cfb8771d4f6e089039d84844f6cba70  gnupg-w32-2.4.8_20250514.exe
ec77cc97ff3cbe920f534b73624a608c0b10d6e6  gnupg-w32-2.4.8_20250514.tar.xz

Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Italian, Japanese,
Norwegian, Polish, Portuguese, Russian, Turkish, and Ukrainian being
almost completely translated.

Documentation and Support
=========================

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the details
available only in the manual. The manual is also available online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf

You may also want to search the GnuPG mailing list archives or ask on the
gnupg-users mailing list for advice on how to solve problems. Most of the
new features are around for several years and thus enough public
experience is available.

https://wiki.gnupg.org has user contributed information around GnuPG and
related software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T7428 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html.
We suggest to send bug reports for a new release to this list in favor of
filing a bug at https://bugs.gnupg.org. If you need commercial support go
to https://gnupg.com or https://gnupg.org/service.html.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.
Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
and has mostly been financed by donations. Several full-time employed
developers and contractors are working exclusively on GnuPG and closely
related software like Libgcrypt, GPGME, Kleopatra and Gpg4win.

Fortunately, and this is still not common with free software, we have
established a way of financing the development while keeping all our
software free and freely available for everyone. Our model is similar to
the way RedHat manages RHEL and Fedora: Except for the actual binary of
the MSI installer for Windows and client specific configuration files, all
the software is available under the GNU GPL and other Open Source
licenses. Thus customers may even build and distribute their own version
of the software as long as they do not use our trademarks GnuPG Desktop®
or GnuPG VS-Desktop®.

We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, answering questions on the mailing
lists, or helped us in the past with their donations.

*Thank you all*

   Your GnuPG hackers

p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users at gnupg.org mailing list.

* List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with
by malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of their
respective owners.
Current releases are signed by one or more of these four keys:

  ed25519 2020-08-24 [SC] [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [SC] [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  rsa3072 2025-05-09 [SC] [expires: 2033-03-03]
  3B76 1AE4 E63B F351 9CE7 D63B ECB6 64CB E133 2EEF
  Alexander Kulbartsch (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [SC] [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and in any
recently released GnuPG tarball in the file g10/distsigkey.gpg . Note that
this mail has been signed by a different key.

* Debian Package Signing Key:

The new Debian style packages are signed using this key:

  ed25519 2025-07-08 [SC] [expires: 2035-07-14]
  3209 7B71 9B37 45D6 E61D DA1B 85C4 5AE3 E1A2 B355
  GnuPG.org Package Signing Key

See the package website (https://repos.gnupg.org/deb/gnupg) for a list of
supported distributions and a download link for the key.

-- 
Arguing that you don't care about the right to privacy because you have
nothing to hide is no different from saying you don't care about free
speech because you have nothing to say. - Edward Snowden

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From p at sys4.de Fri Aug 22 01:21:48 2025
From: p at sys4.de (Patrick Ben Koetter)
Date: Fri, 22 Aug 2025 01:21:48 +0200
Subject: error signing data: Not trusted
Message-ID: 

Greetings,

I'm using neomutt on a Mac and I'd like to S/MIME sign messages.
It used to work, but for a while now it fails with an "error signing data:
Not trusted" the moment I try to send and sign a message.

My S/MIME key is valid until 2027 and the key's cert is imported into gpgsm
as well. What is it I'm missing? The CA cert? Can I / must I set a trust for
a (CA) cert? Any help to debug is very much welcome as I don't really know
what to look at or where to start.

TIA,

p at rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

From rjh at sixdemonbag.org Mon Aug 25 12:03:08 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 25 Aug 2025 06:03:08 -0400
Subject: Egon
Message-ID: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>

Proton Mail has a neat feature where you can fetch the certificate of a
Proton account and, upon importing it into your own local OpenPGP app,
enjoy end to end encryption between yourself and any Proton user
automagically.

The problem is every time I need to do this I need to look up the URL to
fetch certs from, download the cert, import it into GnuPG... nothing is
hard, but it is time-consuming and annoying.

So I automated the process using libcurl and GPGME.

    $ egon rob.hansen at protonmail.com

... will cheerfully query Proton for my OpenPGP certificate and import it
into GnuPG.

It is not ready for primetime. It's literally something I hacked together
in a couple of hours while waiting for a doctor's appointment. But it's
already mildly useful to me, and who knows, it might be mildly useful to
others. Apache 2.0-licensed, although linking against GPGME incurs its
own licensing.

Share and enjoy.

("Why Egon?" In the movie _Ghostbusters,_ Egon Spengler was the designer
of the famous proton pack. Proton, Egon, it made sense to me...)
https://github.com/rjhansen/egon

From rjh at sixdemonbag.org Mon Aug 25 12:18:40 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 25 Aug 2025 06:18:40 -0400
Subject: Egon
In-Reply-To: 
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: <77a35fd7-391a-49ce-a3bb-d8e2e178e8ab@sixdemonbag.org>

> Does `gpg --locate-key` not work for you? They expose a WKD server...

Wasn't aware it existed, and a five-minute web search didn't turn this up
as an option. Thank you!

From andrewg at andrewg.com Mon Aug 25 12:10:38 2025
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 25 Aug 2025 11:10:38 +0100
Subject: Egon
In-Reply-To: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: 

Hi, Rob!

On 25 Aug 2025, at 11:03, Robert J. Hansen via Gnupg-users wrote:
> 
> Proton Mail has a neat feature where you can fetch the certificate of a
> Proton account and, upon importing it into your own local OpenPGP app,
> enjoy end to end encryption between yourself and any Proton user
> automagically.
> 
> The problem is every time I need to do this I need to look up the URL to
> fetch certs from, download the cert, import it into GnuPG... nothing is
> hard, but it is time-consuming and annoying.
> 
> So I automated the process using libcurl and GPGME.
> 
> $ egon rob.hansen at protonmail.com
> 
> ... will cheerfully query Proton for my OpenPGP certificate and import it
> into GnuPG.

Does `gpg --locate-key` not work for you? They expose a WKD server...
A

From ratbag at gmx.com Mon Aug 25 16:37:57 2025
From: ratbag at gmx.com (Rat Bag)
Date: Mon, 25 Aug 2025 16:37:57 +0200
Subject: Egon (Proton OpenPGP interoperability)
In-Reply-To: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: <32796ffe-2fdd-4b4d-9231-924f325d741b@gmx.com>

For someone already using OpenPGP encryption, to locate and ingest a Proton
user's public key is a problem that pales compared to what a Proton user
must do in order to be able to communicate securely with (what they call)
"external user", even when his or her public key is available via WKD and
is on keys.openpgp.org.

In addition, it is almost axiomatic that that "external user" is probably
not using "web-mail" but a mail-client on his computer (Thunderbird or
equivalent) and is likely much more technically capable than the typical
web-mail Proton user.

The reluctance of Proton to automate importation of external user's public
keys makes their claim of "OpenPGP interoperability" somewhat shallow.
Increasing the number of e-mail users that encrypt their mail in general
would probably increase their user population more than a minuscule number
of current POP/SMTP mail users they hope to convert to web-mail use (and
their service).

R.B.

From andrewg at andrewg.com Mon Aug 25 19:59:36 2025
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Mon, 25 Aug 2025 18:59:36 +0100
Subject: Egon
In-Reply-To: <22514.1756143657@obiwan.sandelman.ca>
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <22514.1756143657@obiwan.sandelman.ca>
Message-ID: <120F6BF3-B544-48C6-B495-789D247F2747@andrewg.com>

Hi, Michael.
On 25 Aug 2025, at 18:40, Michael Richardson wrote:
> 
> Andrew Gallagher via Gnupg-users wrote:
>>> So I automated the process using libcurl and GPGME.
>>> 
>>> $ egon rob.hansen at protonmail.com
>>> 
>>> ... will cheerfully query Proton for my OpenPGP certificate and import
>>> it into GnuPG.
> 
>> Does `gpg --locate-key` not work for you? They expose a WKD server...
> 
> I didn't know about --locate-key.
> I wondered if it would work on my own key.
> I have a not-very-scalable WKD server created with some Apache rewrites.

Your WKD server seems to be broken:

~~~
andrewg at serenity % curl https://openpgpkey.sandelman.ca/.well-known/openpgpkey/sandelman.ca/policy
curl: (6) Could not resolve host: openpgpkey.sandelman.ca
andrewg at serenity % curl https://sandelman.ca/.well-known/openpgpkey/policy
curl: (28) Failed to connect to sandelman.ca port 443 after 75249 ms: Could not connect to server
~~~

A

From mcr at sandelman.ca Mon Aug 25 19:40:57 2025
From: mcr at sandelman.ca (Michael Richardson)
Date: Mon, 25 Aug 2025 13:40:57 -0400
Subject: Egon
In-Reply-To: 
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: <22514.1756143657@obiwan.sandelman.ca>

Andrew Gallagher via Gnupg-users wrote:
>> So I automated the process using libcurl and GPGME.
>> 
>> $ egon rob.hansen at protonmail.com
>> 
>> ... will cheerfully query Proton for my OpenPGP certificate and import
>> it into GnuPG.

> Does `gpg --locate-key` not work for you? They expose a WKD server...

I didn't know about --locate-key.
I wondered if it would work on my own key.
I have a not-very-scalable WKD server created with some Apache rewrites.
obiwan-[~](3.3.8) mcr 10037 %gpg --locate-key mcr at sandelman.ca
pub   rsa3072 2019-11-07 [SC] [expired: 2020-11-06]
      A30FF5A8356001B58BDB3C587002AEC2CCD88043
uid           [ expired] Michael Richardson
uid           [ expired] Michael Richardson

uhm. What? It's not even valid. That's not useful, given:

obiwan-[~](3.3.8) mcr 10038 %gpg --list-keys mcr at sandelman.ca
pub   rsa2048 2005-11-06 [SC] [expires: 2026-01-20]
      6ECC8B13383FA944C0E37BA8808B70FBDDD0DD65
uid           [ultimate] Michael Richardson (general purpose type 4 key)
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
uid           [ultimate] Michael Richardson
sub   rsa2048 2006-11-16 [E]

pub   rsa3072 2019-11-07 [SC] [expired: 2020-11-06]
      A30FF5A8356001B58BDB3C587002AEC2CCD88043
uid           [ expired] Michael Richardson
uid           [ expired] Michael Richardson

So I expected --locate-key would actually go and find the key, and see if
it might need updating.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

From wk at gnupg.org Tue Aug 26 10:36:14 2025
From: wk at gnupg.org (Werner Koch)
Date: Tue, 26 Aug 2025 10:36:14 +0200
Subject: error signing data: Not trusted
In-Reply-To: (Patrick Ben Koetter via Gnupg-users's message of "Fri, 22 Aug 2025 01:21:48 +0200")
References: 
Message-ID: <87o6s2h43l.fsf@jacob.g10code.de>

On Fri, 22 Aug 2025 01:21, Patrick Ben Koetter said:

> My S/MIME key is valid until 2027 and the key's cert is imported into gpgsm as
> well. What is it I'm missing? The CA cert? Can I / must I set a trust for a
> (CA) cert?
> Any help to debug is very much welcome as I don't really know what

Yes you need to assign trust to the Root-CA cert. Unless the
"no-allow-mark-trusted" option is set in gpg-agent.conf you should see a
prompt to verify the fingerprint of the Root CA's certificate. If that
option is set you need to insert it yourself into ~/.gnupg/trustlist.txt
- there is a comment at the top explaining it. Rules for GnuPG
(VS-)Desktop are a bit different; see the respective FAQ.

I would suggest to run

  gpgsm --list-chain --with-validation

This should give enough hints on what is going on.

Salam-Shalom,

Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From p at sys4.de Tue Aug 26 16:44:23 2025
From: p at sys4.de (Patrick Ben Koetter)
Date: Tue, 26 Aug 2025 16:44:23 +0200
Subject: error signing data: Not trusted
In-Reply-To: <87o6s2h43l.fsf@jacob.g10code.de>
References: <87o6s2h43l.fsf@jacob.g10code.de>
Message-ID: 

Werner,

you're spot on with your diagnosis. Still I am unable to make it work and it
may be that I haven't understood the important part yet. Please read on...

* Werner Koch via Gnupg-users :
> On Fri, 22 Aug 2025 01:21, Patrick Ben Koetter said:
> 
> > My S/MIME key is valid until 2027 and the key's cert is imported into gpgsm as
> > well. What is it I'm missing? The CA cert? Can I / must I set a trust for a
> > (CA) cert? Any help to debug is very much welcome as I don't really know what
> 
> Yes you need to assign trust to the Root-CA cert. Unless the
> "no-allow-mark-trusted" option is set in gpg-agent.conf you should see a
> prompt to verify the fingerprint of the Root CA's certificate.
If that I don't have no-allow-mark-trusted set in gpg-agent.conf: % cat .gnupg/gpg-agent.conf default-cache-ttl 600 max-cache-ttl 7200 And when I run gpgsm --list-chain --with-validation 0x3CE75B94 it tells me *my* cert would not be trusted, while it says the Root CA and all intermediate certs are good: [keyboxd] --------- ID: 0x3CE75B94 S/N: 7575B7A3CA4820B8AC6C0AAC5B56E654C216F4BE (dec): 670577104657847191671762158918724704718357460158 Issuer: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH Subject: /CN=Patrick Koetter/O=sys4 AG/L=Munchen/ST=BY/C=DE/EMail=p at sys4.de/2.5.4.97=NTRDE-DED2601V.HRB199263 aka: p at sys4.de validity: 2024-09-21 11:59:52 through 2027-09-21 11:59:52 key type: rsa4096 key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment ext key usage: clientAuth (suggested), emailProtection (suggested), ms-smartcardLogon (suggested), ms-encryptedFileSystem (suggested) policies: 2.23.140.1.5.3.1:N:,0.4.0.2042.1.1:N:,2.16.756.1.89.2.1.13:N: sha1 fpr: 10:32:B7:3A:C1:7A:62:45:28:61:23:A0:C6:39:F9:6A:3C:E7:5B:94 sha2 fpr: 59:4F:F9:5B:73:2E:01:66:54:C7:E5:1E:18:6D:82:50:1A:D6:A8:DE:3F:65:4C:1C:AC:51:1D:1A:76:85:1B:02 [Die CRL konnte nicht gepr?ft werden: Nicht vertrauensw?rdig] [certificate is bad: Nicht vertrauensw?rdig] Certified by ID: 0x064CD0CD S/N: 3E50FE6114AC70E44C4E7956BEC81FFC0F3B02EB (dec): 355763646962456683480335676319500923810294203115 Issuer: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH Subject: /CN=SwissSign RSA SMIME SV ICA 2024 - 1/O=SwissSign AG/C=CH validity: 2024-05-28 09:03:21 through 2036-05-28 09:03:21 key type: rsa4096 key usage: certSign crlSign ext key usage: clientAuth (suggested), emailProtection (suggested), ms-smartcardLogon (suggested), ms-encryptedFileSystem (suggested) policies: 2.23.140.1.5.3.1:N:,2.23.140.1.5.3.2:N:,2.23.140.1.5.3.3:N:,0.4.0.2042.1.1:N:,2.16.756.1.89.2.1.12:N:,2.16.756.1.89.2.1.13:N: chain length: 0 sha1 fpr: 
A6:11:C4:18:88:29:CE:85:E1:CF:6C:B5:29:2E:3F:4B:06:4C:D0:CD sha2 fpr: 7E:30:19:88:A1:02:A5:E9:3D:22:49:66:6B:B6:31:02:0B:A5:8F:C7:03:DE:7B:58:3E:91:D5:44:9F:D0:D3:AF [certificate is good] Certified by ID: 0xA07D0AEA S/N: 00B30511B116B4A056511D7C681F877D (dec): 929523951410811236428169985765902205 Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH Subject: /CN=SwissSign RSA SMIME Root CA 2022 - 1/O=SwissSign AG/C=CH validity: 2022-06-28 11:26:01 through 2036-09-22 11:26:01 key type: rsa4096 key usage: certSign crlSign policies: 2.5.29.32.0:N: chain length: unlimited sha1 fpr: D5:37:4C:8C:93:CE:C7:93:35:B9:C6:6F:4A:22:BE:33:A0:7D:0A:EA sha2 fpr: 5A:84:C9:40:54:D3:40:D6:50:A2:99:85:EF:97:BB:39:63:52:E2:15:AE:D6:C0:B3:3C:A7:FF:DD:3B:D5:D2:A2 [certificate is good] Certified by ID: 0x9F1A2761 S/N: 00BB401C43F55E4FB0 (dec): 13492815561806991280 Issuer: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH Subject: /CN=SwissSign Gold CA - G2/O=SwissSign AG/C=CH validity: 2006-10-25 08:30:35 through 2036-10-25 08:30:35 key type: rsa4096 key usage: certSign crlSign policies: 2.16.756.1.89.1.2.1.1:N: chain length: unlimited sha1 fpr: D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61 sha2 fpr: 62:DD:0B:E9:B9:F5:0A:16:3E:A0:F8:E7:5C:05:3B:1E:CA:57:EA:55:C8:68:8F:64:7C:68:81:F2:C8:35:7B:95 [certificate is good] If I check my cert using openssl it says it was signed by the intermediate CA last in chain before my personal cert: % openssl x509 -in p.pem -noout -issuer -subject issuer=C=CH, O=SwissSign AG, CN=SwissSign RSA SMIME SV ICA 2024 - 1 subject=C=DE, ST=BY, L=Munchen, O=sys4 AG, organizationIdentifier=NTRDE-DED2601V.HRB199263, emailAddress=p at sys4.de, CN=Patrick Koetter Does this mean I need to explicitly trust *my* cert by putting it (some of the data) into ~/.gnupg/trustlist.txt? TIA, p at rick > option is set you need to insert it yourself into ~/.gnupg/trustlist.txt > - there is a comment at the top explaining it. 
> Rules for GnuPG
> (VS-)Desktop are a bit different; see the respective FAQ.
> 
> I would suggest to run
> 
>   gpgsm --list-chain --with-validation
> 
> This should give enough hints on what is going on.
> 
> 
> Salam-Shalom,
> 
>    Werner
> 
> -- 
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein

From gnupg-users at city17.xyz Tue Aug 26 21:58:49 2025
From: gnupg-users at city17.xyz (jman)
Date: Tue, 26 Aug 2025 21:58:49 +0200
Subject: Egon
In-Reply-To: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> (Robert J. Hansen via Gnupg-users's message of "Mon, 25 Aug 2025 06:03:08 -0400")
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: <87bjo1dfd2.fsf@nyarlathotep>

"Robert J. Hansen via Gnupg-users" writes:

> Proton Mail has a neat feature where you can fetch the certificate of
> a Proton account and, upon importing it into your own local OpenPGP
> app, enjoy end to end encryption between yourself and any Proton user
> automagically.
>
> The problem is every time I need to do this I need to look up the URL
> to fetch certs from, download the cert, import it into GnuPG... nothing
> is hard, but it is time-consuming and annoying.
I think I am doing the download part with a quick bash script:

--8<---------------cut here---------------start------------->8---
$ type ssh-import-id-protonmail
ssh-import-id-protonmail is a function
ssh-import-id-protonmail ()
{
    # Proton's HKP-style lookup endpoint; $1 is the address to fetch
    URL="https://mail-api.proton.me/pks/lookup?op=get&search=$1";
    curl -fsS "$URL" > "$TMPDIR/$1.asc";
    printf 'Saved pubkey in %s/%s.asc\n' "$TMPDIR" "$1"
}
--8<---------------cut here---------------end--------------->8---

then the pubkey must be manually imported but I believe it's just another
command?

Best,

From rjh at sixdemonbag.org Tue Aug 26 23:57:05 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 26 Aug 2025 17:57:05 -0400
Subject: Egon
In-Reply-To: <87bjo1dfd2.fsf@nyarlathotep>
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <87bjo1dfd2.fsf@nyarlathotep>
Message-ID: 

> then the pubkey must be manually imported but I believe it's just
> another command?

I don't mean to give offense, really, but that's pretty much exactly the
attitude that for so many years kept UNIX as a fringe player.

First off, whenever anyone says "it's just another command," 90% of the
time they're wrong. Hackers and geeks massively underestimate the amount
of interaction routine tasks take. Let's look at what your solution
involves:

1. Learn bash well enough to understand whether you need to put this
   command in .profile, .bashrc, .bash_profile, or wherever. (bash has an
   embarrassing number of configuration files which are read under very
   slightly different conditions.)
2. Edit the appropriate configuration file to add this command
3. Remember to reload your configuration file
4. Run ssh-import-id-protonmail
5. ssh-import-id-protonmail gives a path: remember that path for the next
   step
6. gpg --import (the path given in step 5)
7. rm (the path given in step 5)

Steps 1-3 only need to be done once; steps 4-7 need to be done each time.

I don't doubt that your solution works great for you!
For technically sophisticated users it makes a lot of sense.

But there's also something to be said for:

1. Download an installer package
2. Double-click on it
3. At the command prompt, type "egon name at protonmail.com"

... and have everything else done automagically. For non-technical users, steps 1-2 are easier than steps 1-3 in the bash version, and step 3 is easier than steps 4-7 of the bash version.

The heart of good UX is to reduce the amount of user intervention that's necessary to achieve routine tasks. If you want to get someone's certificate from Proton Mail, that should literally be a one-liner that only requires you to remember the person's email address.

I don't much care whether someone uses "gpg --locate-key name at protonmail.com" or "egon name at protonmail.com". I do care that we make it as easy as possible for non-technical users, and make the experience streamlined. :)

From Eva.Bolten at gnupg.com Wed Aug 27 10:08:40 2025
From: Eva.Bolten at gnupg.com (Eva Bolten)
Date: Wed, 27 Aug 2025 10:08:40 +0200
Subject: Egon
In-Reply-To:
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <87bjo1dfd2.fsf@nyarlathotep>
Message-ID: <2934919.IiZFdycYaL@jackson>

Hi Robert,

On Tuesday, 26 August 2025 23:57:05 CEST Robert J. Hansen via Gnupg-users wrote:
> I don't much care whether someone uses "gpg --locate-key
> name at protonmail.com" or "egon name at protonmail.com". I do care that we
> make it as easy as possible for non-technical users, and make the
> experience streamlined. :)

In this case I'd recommend using Kleopatra. There's a "Lookup on Server" button; the search looks on WKD and the configured keyserver. At least in Kleopatra versions which are not too old; I'm not sure when exactly we added the WKD search there. One from 2024 should be ok.
Regards,
Eva

From wk at gnupg.org Wed Aug 27 12:34:35 2025
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Aug 2025 12:34:35 +0200
Subject: Egon
In-Reply-To: (Andrew Gallagher via Gnupg-users's message of "Mon, 25 Aug 2025 11:10:38 +0100")
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: <87qzwxf3yc.fsf@jacob.g10code.de>

On Mon, 25 Aug 2025 11:10, Andrew Gallagher said:

> Does `gpg --locate-key` not work for you? They expose a WKD server...

Indeed, this does a Web Key Directory lookup if the key does not exist. This is actually the same as using "-r foo at example.org", which does the same as locate-key, or view it vice versa. In case you already have an old key you may want to use

  gpg --locate-external-key foo at example.org

which does the lookup even if the key already exists in your local keyring.

Egon is indeed a cool name but WKD is used at more sites than Proton; for example kernel.org. I think we have some list at wiki.gnupg.org.

BTW, it is a pity that the Web Key Directory support was removed from Thunderbird. Many years ago we added it to Enigmail but afaik it has not been implemented in the current Thunderbird PGP implementation.

Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
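To make concrete what "a Web Key Directory lookup" resolves to, here is an added example (not code from the thread or from GnuPG) that derives the WKD URLs gpg probes for a mail address, following the WKD specification's scheme: lowercase the local part, SHA-1 it, z-base-32 encode the digest, and place it under the advanced (openpgpkey subdomain) or direct method path. It also builds the Proton HKP-style lookup URL from jman's script with the address percent-encoded. The address `Joe.Doe@Example.ORG` is the constructed sample input; no network access is made.

```python
# Added example: derive the Web Key Directory lookup URLs for a mail address.
# The hashing scheme (SHA-1 of the lowercased local part, z-base-32) and the
# two URL layouts follow the WKD draft; the sample address is constructed.
import hashlib
import urllib.parse
from typing import Dict

# z-base-32 alphabet as used by WKD (differs from RFC 4648 base32).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode without padding, MSB-first 5-bit groups."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)          # complete the final 5-bit group
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """Hashed local part: 20 SHA-1 bytes become exactly 32 z-base-32 symbols."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Dict[str, str]:
    """Advanced and direct method URLs (plus their policy files) for an address."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    # The l= parameter carries the original local part, percent-encoded.
    l_param = urllib.parse.quote(local, safe="")
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{h}?l={l_param}",
        "advanced_policy": f"{base_adv}/policy",
        "direct": f"{base_dir}/hu/{h}?l={l_param}",
        "direct_policy": f"{base_dir}/policy",
    }


def proton_lookup_url(address: str) -> str:
    """The HKP-style endpoint from jman's script, with the query safely encoded
    so that '+' or '&' in a local part cannot alter the query string."""
    query = urllib.parse.urlencode({"op": "get", "search": address})
    return "https://mail-api.proton.me/pks/lookup?" + query


if __name__ == "__main__":
    sample = "Joe.Doe@Example.ORG"        # constructed sample address
    for kind, url in wkd_urls(sample).items():
        print(f"{kind:16} {url}")
    print(f"{'proton':16} {proton_lookup_url(sample)}")
```

gpg tries the advanced method first and falls back to the direct method; the policy file is what `gpg-wks-client` looks for when deciding whether a domain "supports" WKD at all. Nothing here needs to be configured per provider, which is the point Andrew makes later in the thread.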
From wk at gnupg.org Wed Aug 27 12:38:46 2025
From: wk at gnupg.org (Werner Koch)
Date: Wed, 27 Aug 2025 12:38:46 +0200
Subject: error signing data: Not trusted
In-Reply-To: (Patrick Ben Koetter via Gnupg-users's message of "Tue, 26 Aug 2025 16:44:23 +0200")
References: <87o6s2h43l.fsf@jacob.g10code.de>
Message-ID: <87ms7lf3rd.fsf@jacob.g10code.de>

On Tue, 26 Aug 2025 16:44, Patrick Ben Koetter said:

> [Die CRL konnte nicht geprüft werden: Nicht vertrauenswürdig]
> [certificate is bad: Nicht vertrauenswürdig]

You also need to trust the issuer of the CRL. A quick workaround is "disable-crl-checks" in gpgsm.conf, but that is not the idea of CRLs.

To track this down you need to check why dirmngr does not trust the CRL. Put "debug ipc,lookup" into dirmngr.conf and define a log-file too.

  dirmngr --debug help

gives a list of debug options. Maybe "verbose" in dirmngr.conf will be sufficient.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

From gnupg-users at city17.xyz Wed Aug 27 13:05:46 2025
From: gnupg-users at city17.xyz (jman)
Date: Wed, 27 Aug 2025 13:05:46 +0200
Subject: Egon
In-Reply-To: (Robert J. Hansen's message of "Tue, 26 Aug 2025 17:57:05 -0400")
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <87bjo1dfd2.fsf@nyarlathotep>
Message-ID: <87349d9g8l.fsf@nyarlathotep>

"Robert J. Hansen" writes:

> I don't mean to give offense, really, but that's pretty much exactly
> the attitude that for so many years kept UNIX as a fringe player.

Apologies if I came across as belittling your solution. Both are of course equally fine. If you like writing C++ code and it works for you, then great!
To each their own. I just meant to provide an alternate solution a little closer to Protonmail documentation: https://proton.me/support/download-public-private-key#:~:text=You%20can%20also%20download%20your%20own%20public%20key (FWIW they suggest using "https://mail-api.proton.me")

Best,

From christoph.klassen at intevation.de Wed Aug 27 20:03:38 2025
From: christoph.klassen at intevation.de (Christoph Klassen)
Date: Wed, 27 Aug 2025 20:03:38 +0200
Subject: mailbox.org's WKD implementation
In-Reply-To: <8c9d71cc-729e-43a2-a6b0-fc864ad214b7@mailbox.org>
References: <8c9d71cc-729e-43a2-a6b0-fc864ad214b7@mailbox.org>
Message-ID: <96a62897-4dff-425e-9a31-94d6d4642722@intevation.de>

Hi Lin,

On 24.07.25 16:51, xlin--- via Gnupg-users wrote:
> I can confirm it does work now, but I did not find an entry for
> submitting suggestions for the wiki, thus this email.

thanks for your email! I rewrote the items about mailbox so it's now clear that mailbox offers WKD. If you want to edit entries in the wiki it is necessary that you create an account: https://wiki.gnupg.org/Index?action=newaccount. Currently, the registration process is a bit more complicated to prevent spam.

Greetings,
Christoph

--
Christoph Klassen | https://intevation.de
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter
From wk at gnupg.org Thu Aug 28 11:04:37 2025
From: wk at gnupg.org (Werner Koch)
Date: Thu, 28 Aug 2025 11:04:37 +0200
Subject: mailbox.org's WKD implementation
In-Reply-To: <96a62897-4dff-425e-9a31-94d6d4642722@intevation.de> (Christoph Klassen via Gnupg-users's message of "Wed, 27 Aug 2025 20:03:38 +0200")
References: <8c9d71cc-729e-43a2-a6b0-fc864ad214b7@mailbox.org> <96a62897-4dff-425e-9a31-94d6d4642722@intevation.de>
Message-ID: <87a53jg6l6.fsf@jacob.g10code.de>

Hi!

BTW, there is an easy way to check whether a domain supports WKD:

  $ gpg-wks-client supported --with-colons mailbox.org kernel.org
  mailbox.org:1:0::0:0:0:
  kernel.org:1:1::0:0:0:
              ^ ^
              ! !- Supports Web Key Service (upload via mail challenge)
              !--- Supports Web Key Directory (just lookup)

Without --with-colons there is only human readable output (with -v) and an exit status telling whether Web Key _Service_ is supported. Older versions may not support "supported" but require the now optional two leading dashes ("--supported").

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
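When checking more than a couple of domains it is handy to consume the `--with-colons` output programmatically. The following is an added example, not code from the thread or from GnuPG: a parser for the record format shown above. Only the two fields Werner annotates (field 2 = Web Key Directory, field 3 = Web Key Service) are given names; the remaining fields are kept as raw strings because their meaning is not given on the page. The sample text is the two lines from Werner's message, embedded as constructed input.

```python
# Added example: parse "gpg-wks-client supported --with-colons" records.
# Field meanings for fields 2 and 3 are taken from Werner's annotation;
# everything after that is preserved unnamed.
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two lines shown in the message above.
SAMPLE_OUTPUT = """\
mailbox.org:1:0::0:0:0:
kernel.org:1:1::0:0:0:
"""


@dataclass
class WksSupport:
    domain: str
    wkd: bool                                   # field 2: WKD lookup available
    wks: bool                                   # field 3: WKS upload (mail challenge) available
    extra: List[str] = field(default_factory=list)  # fields 4..n as printed


def parse_wks_supported(text: str) -> Dict[str, WksSupport]:
    """Parse one colon-separated record per line into WksSupport entries.

    Empty fields are kept so positional indexing stays stable, as with other
    GnuPG --with-colons listings. Blank, comment and malformed lines are skipped.
    """
    result: Dict[str, WksSupport] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[0]:
            continue                            # need domain, wkd flag, wks flag
        result[fields[0]] = WksSupport(
            domain=fields[0],
            wkd=fields[1] == "1",
            wks=fields[2] == "1",
            extra=fields[3:],
        )
    return result


def domains_without_wkd(text: str) -> List[str]:
    """Domains for which a WKD lookup will not work, e.g. to flag contacts
    whose keys must still be fetched some other way."""
    return [d for d, s in parse_wks_supported(text).items() if not s.wkd]


if __name__ == "__main__":
    for entry in parse_wks_supported(SAMPLE_OUTPUT).values():
        print(f"{entry.domain}: WKD={'yes' if entry.wkd else 'no'} "
              f"WKS={'yes' if entry.wks else 'no'}")
```

Feeding the real tool's output in is a matter of `subprocess.run(["gpg-wks-client", "supported", "--with-colons", *domains], capture_output=True, text=True).stdout`; the parser itself needs no GnuPG installation.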
From xlin at mailbox.org Thu Aug 28 22:05:03 2025
From: xlin at mailbox.org (Xinchang Lin)
Date: Thu, 28 Aug 2025 22:05:03 +0200
Subject: mailbox.org's WKD implementation
In-Reply-To: <87a53jg6l6.fsf@jacob.g10code.de>
References: <8c9d71cc-729e-43a2-a6b0-fc864ad214b7@mailbox.org> <96a62897-4dff-425e-9a31-94d6d4642722@intevation.de> <87a53jg6l6.fsf@jacob.g10code.de>
Message-ID: <9bf6c865-642b-42be-8b62-77ffb5239f0b@mailbox.org>

On 8/28/25 11:04, Werner Koch wrote:
> $ gpg-wks-client supported --with-colons mailbox.org kernel.org
> mailbox.org:1:0::0:0:0:
> kernel.org:1:1::0:0:0:
>             ^ ^
>             ! !- Supports Web Key Service (upload via mail challenge)
>             !--- Supports Web Key Directory (just lookup)

Thank you so much, this is really helpful!

Sincerely,
Lin

From dbs at brandes.xyz Fri Aug 29 15:04:04 2025
From: dbs at brandes.xyz (Daniel Brandes)
Date: Fri, 29 Aug 2025 15:04:04 +0200
Subject: Egon
In-Reply-To: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID:

Hello there!

> $ egon rob.hansen at protonmail.com

It's not yet available from Homebrew it seems?

Thanks,
Daniel

From jb-gnumlists at wisemo.com Fri Aug 29 16:52:11 2025
From: jb-gnumlists at wisemo.com (Jakob Bohm)
Date: Fri, 29 Aug 2025 16:52:11 +0200
Subject: Egon
In-Reply-To:
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <87bjo1dfd2.fsf@nyarlathotep>
Message-ID: <2e30631d-3c10-d3c0-8965-a88791697543@wisemo.com>

On 8/26/2025 11:57 PM, Robert J. Hansen via Gnupg-users wrote:
>> then the pubkey must be manually imported but I believe it's just
>> another command?
> I don't mean to give offense, really, but that's pretty much exactly
> the attitude that for so many years kept UNIX as a fringe player.
>
> First off, whenever anyone says "it's just another command," 90% of
> the time they're wrong.
> Hackers and geeks massively underestimate the
> amount of interaction routine tasks take. Let's look at what your
> solution involves:
>
> 1. Learn bash well enough to understand whether you need to put
>    this command in .profile, .bashrc, .bash_profile, or wherever.
>    (bash has an embarrassing number of configuration files which
>    are read under very slightly different conditions.)
> 2. Edit the appropriate configuration file to add this command
> 3. Remember to reload your configuration file
> 4. Run ssh-import-id-protonmail
> 5. ssh-import-id-protonmail gives a path: remember that path for
>    the next step
> 6. gpg --import (the path given in step 5)
> 7. rm (the path given in step 5)
>
> Steps 1-3 only need to be done once; steps 4-7 need to be done each time.
>
> I don't doubt that your solution works great for you! For technically
> sophisticated users it makes a lot of sense.
>
> But there's also something to be said for:
>
> 1. Download an installer package
> 2. Double-click on it
> 3. At the command prompt, type "egon name at protonmail.com"
>
> ... and have everything else done automagically. For non-technical
> users, steps 1-2 are easier than steps 1-3 in the bash version, and
> step 3 is easier than steps 4-7 of the bash version.
>
> The heart of good UX is to reduce the amount of user intervention
> that's necessary to achieve routine tasks. If you want to get
> someone's certificate from Proton Mail, that should literally be a
> one-liner that only requires you to remember the person's email address.
>
> I don't much care whether someone uses "gpg --locate-key
> name at protonmail.com" or "egon name at protonmail.com". I do care that we
> make it as easy as possible for non-technical users, and make the
> experience streamlined.
> :)
>

I believe the logic with gpg --auto-key-retrieve is to automatically download keys for anyone you receive signed mail from, upon first encountering their gpg signature, no need to schedule commands every time you log on to your workstation or terminal. While --auto-key-import is a built-in egon-like mechanism that only does anything if you request a key of someone not already in your local keyring. All these options need is for the proton WKD server to be listed in gnupg.conf along with other popular WKD servers (or a public meta-server that queries the others for you, provided you trust the WKD server operators to not gather traffic analysis data about whose key each IP address is searching for).

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

From andrewg at andrewg.com Fri Aug 29 17:42:03 2025
From: andrewg at andrewg.com (Andrew Gallagher)
Date: Fri, 29 Aug 2025 16:42:03 +0100
Subject: Egon
In-Reply-To: <2e30631d-3c10-d3c0-8965-a88791697543@wisemo.com>
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <87bjo1dfd2.fsf@nyarlathotep> <2e30631d-3c10-d3c0-8965-a88791697543@wisemo.com>
Message-ID:

On 29 Aug 2025, at 15:52, Jakob Bohm via Gnupg-users wrote:
>
> All these options need is for the proton
> WKD server to be listed in gnupg.conf along with other popular WKD servers (or a public
> meta-server that queries the others for you, provided you trust the WKD server operators
> to not gather traffic analysis data about whose key each IP address is searching for).

You do not need to configure individual WKD servers, they are hosted at predictable locations relative to the root of the email domain and can therefore be located automatically (and usually transparently).
A

From jb-gnumlists at wisemo.com Fri Aug 29 18:18:57 2025
From: jb-gnumlists at wisemo.com (Jakob Bohm)
Date: Fri, 29 Aug 2025 18:18:57 +0200
Subject: Egon
In-Reply-To:
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org> <87bjo1dfd2.fsf@nyarlathotep> <2e30631d-3c10-d3c0-8965-a88791697543@wisemo.com>
Message-ID: <172f9047-ab9b-f8ad-a958-9d4cb77699c0@wisemo.com>

On 8/29/2025 5:42 PM, Andrew Gallagher wrote:
> On 29 Aug 2025, at 15:52, Jakob Bohm via Gnupg-users
> wrote:
>>
>> All these options need is for the proton
>> WKD server to be listed in gnupg.conf along with other popular WKD
>> servers (or a public
>> meta-server that queries the others for you, provided you trust the
>> WKD server operators
>> to not gather traffic analysis data about whose key each IP address is
>> searching for).
>
> You do not need to configure individual WKD servers, they are hosted at
> predictable locations relative to the root of the email domain and can
> therefore be located automatically (and usually transparently).
>
> A
>

Cool, maybe put that information in the man page near the affected options (I looked up the options in the Debian Bookworm packaged man page from package version 2.2.40-1.1)

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

From rjh at sixdemonbag.org Fri Aug 29 18:41:25 2025
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 29 Aug 2025 12:41:25 -0400
Subject: Egon
In-Reply-To:
References: <46f0c4e6-f3f4-4779-97ad-6408c0526e87@sixdemonbag.org>
Message-ID: <3e0f7034-c803-4374-b52f-efb87dec0ca7@sixdemonbag.org>

> It's not yet available from Homebrew it seems?

Expecting a Homebrew package for it just a few days after it was put up on GitHub may be expecting a lot. :)

From zyx at envs.net Sat Aug 30 22:41:19 2025
From: zyx at envs.net (zyxhere💭)
Date: Sun, 31 Aug 2025 01:41:19 +0500
Subject: Get pinentry to work in a container
Message-ID: <5563d48260499725b73ae97a942a4a5ec8b02470.camel@envs.net>

Hi! I have created a container for development purposes with bubblewrap[1] and unshare; so far it has been working great, the only thing that isn't working is gpg signed commits with git. I have bind mounted the $GNUPGHOME into the container and gpg can see it with gpg --list-keys. Now when I sign commits with it I get:

```
gpg: signing failed: Inappropriate ioctl for device
```

This was fixed by adding `export GPG_TTY=$(tty)` to ~/.bash_profile ($(tty) points to /dev/console). But now I get:

```
localhost # git commit -s -S -a -m "test"
error: gpg failed to sign the data:
gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
[GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 59 curses 1.3.1-unknown /dev/console xterm-256color :0 20620/1000/65534 0/0 0
gpg: signing failed: Permission denied
[GNUPG:] FAILURE sign 83918849
gpg: signing failed: Permission denied

fatal: failed to write commit object
```

I don't know what it's trying to access; anyone with the expertise know what's going wrong?
I have also tried with bind mounting /dev/console but when I do that the tty command becomes:

```
localhost # tty
not a tty
```

And get:

```
localhost # git commit -s -S -a -m "test"
error: gpg failed to sign the data:
gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
[GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 60 curses 1.3.1-unknown not a tty xterm-256color :0 ? 0/0 0
gpg: signing failed: No such file or directory
[GNUPG:] FAILURE sign 83918929
gpg: signing failed: No such file or directory

fatal: failed to write commit object
```

I can see that the :0 is the $DISPLAY variable and after that it's showing the UIDs?

So TLDR: I can't get pinentry to work.

More info:
If I use the tty pinentry, regardless of /dev/console being bind mounted or not, I get:

```
localhost # git commit -s -S -a -m "test"
error: gpg failed to sign the data:
gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
[GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
[GNUPG:] BEGIN_SIGNING H8
[GNUPG:] PINENTRY_LAUNCHED 58 tty 1.3.1-unknown - xterm-256color :0 - 0/0 0
gpg: signing failed: Operation cancelled
[GNUPG:] FAILURE sign 83886179
gpg: signing failed: Operation cancelled

fatal: failed to write commit object
```

The host's UID is 1000 and inside the container I'm 100000(root); surely that's messing with it but I don't know how ncurses works.

Permissions on /dev/console (that bubblewrap creates):

```
localhost # ll /dev/console
crw--w---- 1 1000 nobody 136, 1 Aug 30 20:37 /dev/console
```

Permissions of bind mounted /dev/console:

```
localhost # ll /dev/console
crw--w---- 1 nobody nobody 5, 1 Aug 29 21:45 /dev/console
```
From zyx at envs.net Sun Aug 31 00:27:47 2025
From: zyx at envs.net (zyxhere💭)
Date: Sun, 31 Aug 2025 03:27:47 +0500
Subject: Get pinentry to work in a container
In-Reply-To: <5563d48260499725b73ae97a942a4a5ec8b02470.camel@envs.net>
References: <5563d48260499725b73ae97a942a4a5ec8b02470.camel@envs.net>
Message-ID: <1e8e287ea5a29d7d080a0cb617b4f3c26781a143.camel@envs.net>

On Sun, 2025-08-31 at 01:41 +0500, zyxhere💭 via Gnupg-users wrote:
> Hi! I have created a container for development purposes with
> bubblewrap[1] and unshare; so far it has been working great,
> the only thing that isn't working is gpg signed commits with
> git. I have bind mounted the $GNUPGHOME into the container
> and gpg can see it with gpg --list-keys. Now when I sign
> commits with it I get:
> ```
> gpg: signing failed: Inappropriate ioctl for device
> ```
>
> This was fixed by adding `export GPG_TTY=$(tty)` to
> ~/.bash_profile ($(tty) points to /dev/console). But now
> I get:
> ```
> localhost # git commit -s -S -a -m "test"
> error: gpg failed to sign the data:
> gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> [GNUPG:] BEGIN_SIGNING H8
> [GNUPG:] PINENTRY_LAUNCHED 59 curses 1.3.1-unknown /dev/console xterm-256color :0 20620/1000/65534 0/0 0
> gpg: signing failed: Permission denied
> [GNUPG:] FAILURE sign 83918849
> gpg: signing failed: Permission denied
>
> fatal: failed to write commit object
> ```
>
> I don't know what it's trying to access; anyone with the
> expertise know what's going wrong?
> I have also tried with bind
> mounting /dev/console but when I do that the tty command
> becomes:
> ```
> localhost # tty
> not a tty
> ```
> And get:
> ```
> localhost # git commit -s -S -a -m "test"
> error: gpg failed to sign the data:
> gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> [GNUPG:] BEGIN_SIGNING H8
> [GNUPG:] PINENTRY_LAUNCHED 60 curses 1.3.1-unknown not a tty xterm-256color :0 ? 0/0 0
> gpg: signing failed: No such file or directory
> [GNUPG:] FAILURE sign 83918929
> gpg: signing failed: No such file or directory
>
> fatal: failed to write commit object
> ```
> I can see that the :0 is the $DISPLAY variable and after
> that it's showing the UIDs?
>
> So TLDR: I can't get pinentry to work.
>
> More info:
> If I use the tty pinentry, regardless of /dev/console being
> bind mounted or not, I get:
> ```
> localhost # git commit -s -S -a -m "test"
> error: gpg failed to sign the data:
> gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> [GNUPG:] BEGIN_SIGNING H8
> [GNUPG:] PINENTRY_LAUNCHED 58 tty 1.3.1-unknown - xterm-256color :0 - 0/0 0
> gpg: signing failed: Operation cancelled
> [GNUPG:] FAILURE sign 83886179
> gpg: signing failed: Operation cancelled
>
> fatal: failed to write commit object
> ```
>
> The host's UID is 1000 and inside the container I'm
> 100000(root); surely that's messing with it but I don't know
> how ncurses works.
>
> Permissions on /dev/console (that bubblewrap creates):
> ```
> localhost # ll /dev/console
> crw--w---- 1 1000 nobody 136, 1 Aug 30 20:37 /dev/console
> ```
> Permissions of bind mounted /dev/console:
> ```
> localhost # ll /dev/console
> crw--w---- 1 nobody nobody 5, 1 Aug 29 21:45 /dev/console
> ```

Never mind, I was able to get it to work via https://ao.bloat.cat/exchange/stackoverflow.com/questions/51504367/gpg-agent-forwarding-inappropriate-ioctl-for-device#59170001

Need to add

```
use-agent
pinentry-mode loopback
```

to gpg.conf and

```
allow-loopback-pinentry
```

to gpg-agent.conf

Sorry for the noise!

From zyx at envs.net Sun Aug 31 00:40:08 2025
From: zyx at envs.net (zyxhere💭)
Date: Sun, 31 Aug 2025 03:40:08 +0500
Subject: Get pinentry to work in a container
In-Reply-To: <1e8e287ea5a29d7d080a0cb617b4f3c26781a143.camel@envs.net>
References: <5563d48260499725b73ae97a942a4a5ec8b02470.camel@envs.net> <1e8e287ea5a29d7d080a0cb617b4f3c26781a143.camel@envs.net>
Message-ID: <12e6b5be185f4484a1755b22bfd4bbf4cd32c0d3.camel@envs.net>

On Sun, 2025-08-31 at 03:27 +0500, zyxhere💭 via Gnupg-users wrote:
> On Sun, 2025-08-31 at 01:41 +0500, zyxhere💭 via Gnupg-users wrote:
> > Hi! I have created a container for development purposes with
> > bubblewrap[1] and unshare; so far it has been working great,
> > the only thing that isn't working is gpg signed commits with
> > git. I have bind mounted the $GNUPGHOME into the container
> > and gpg can see it with gpg --list-keys.
> > Now when I sign
> > commits with it I get:
> > ```
> > gpg: signing failed: Inappropriate ioctl for device
> > ```
> >
> > This was fixed by adding `export GPG_TTY=$(tty)` to
> > ~/.bash_profile ($(tty) points to /dev/console). But now
> > I get:
> > ```
> > localhost # git commit -s -S -a -m "test"
> > error: gpg failed to sign the data:
> > gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> > [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> > [GNUPG:] BEGIN_SIGNING H8
> > [GNUPG:] PINENTRY_LAUNCHED 59 curses 1.3.1-unknown /dev/console xterm-256color :0 20620/1000/65534 0/0 0
> > gpg: signing failed: Permission denied
> > [GNUPG:] FAILURE sign 83918849
> > gpg: signing failed: Permission denied
> >
> > fatal: failed to write commit object
> > ```
> >
> > I don't know what it's trying to access; anyone with the
> > expertise know what's going wrong? I have also tried with bind
> > mounting /dev/console but when I do that the tty command
> > becomes:
> > ```
> > localhost # tty
> > not a tty
> > ```
> > And get:
> > ```
> > localhost # git commit -s -S -a -m "test"
> > error: gpg failed to sign the data:
> > gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> > [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> > [GNUPG:] BEGIN_SIGNING H8
> > [GNUPG:] PINENTRY_LAUNCHED 60 curses 1.3.1-unknown not a tty xterm-256color :0 ? 0/0 0
> > gpg: signing failed: No such file or directory
> > [GNUPG:] FAILURE sign 83918929
> > gpg: signing failed: No such file or directory
> >
> > fatal: failed to write commit object
> > ```
> > I can see that the :0 is the $DISPLAY variable and after
> > that it's showing the UIDs?
> >
> > So TLDR: I can't get pinentry to work.
> >
> > More info:
> > If I use the tty pinentry, regardless of /dev/console being
> > bind mounted or not, I get:
> > ```
> > localhost # git commit -s -S -a -m "test"
> > error: gpg failed to sign the data:
> > gpg: WARNING: unsafe ownership on homedir '/root/.gnupg'
> > [GNUPG:] KEY_CONSIDERED 64DA0EF748DCFAB0D2661171005C84091F5630E0 2
> > [GNUPG:] BEGIN_SIGNING H8
> > [GNUPG:] PINENTRY_LAUNCHED 58 tty 1.3.1-unknown - xterm-256color :0 - 0/0 0
> > gpg: signing failed: Operation cancelled
> > [GNUPG:] FAILURE sign 83886179
> > gpg: signing failed: Operation cancelled
> >
> > fatal: failed to write commit object
> > ```
> >
> > The host's UID is 1000 and inside the container I'm
> > 100000(root); surely that's messing with it but I don't know
> > how ncurses works.
> >
> > Permissions on /dev/console (that bubblewrap creates):
> > ```
> > localhost # ll /dev/console
> > crw--w---- 1 1000 nobody 136, 1 Aug 30 20:37 /dev/console
> > ```
> > Permissions of bind mounted /dev/console:
> > ```
> > localhost # ll /dev/console
> > crw--w---- 1 nobody nobody 5, 1 Aug 29 21:45 /dev/console
> > ```
> Never mind, I was able to get it to work via https://ao.bloat.cat/exchange/stackoverflow.com/questions/51504367/gpg-agent-forwarding-inappropriate-ioctl-for-device#59170001
> Need to add
> ```
> use-agent
> pinentry-mode loopback
> ```
> to gpg.conf and
> ```
> allow-loopback-pinentry
> ```
> to gpg-agent.conf
>
> Sorry for the noise!

I hope there isn't anything wrong with using stdin for the password! (Not sure why it's disabled by default.) So if there is a way to keep using the ncurses prompt I would really appreciate it!
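Two separate things went wrong in the container above: gpg warned about "unsafe ownership on homedir" because the bind-mounted $GNUPGHOME belongs to host uid 1000 while gpg runs as a different (mapped) uid, and GPG_TTY either named a /dev/console the process could not use or was the literal string "not a tty". The following is an added diagnostic, not code from the thread or from GnuPG, that checks both conditions before one reaches for the loopback workaround. The ownership and mode rules are my reading of gpg's homedir check and are an assumption: the directory must belong to the calling uid and grant no group or other access. The `demo()` function exercises the checks on a constructed temporary directory so it runs anywhere without a real GnuPG home.

```python
# Added example: diagnose the two container failure modes discussed above,
# a homedir not owned by the running uid and an unusable GPG_TTY.
# Ownership/mode rules below are an assumption about what gpg warns on.
import os
import stat
import tempfile
from typing import Dict, List, Optional


def check_gnupg_home(path: str, uid: Optional[int] = None) -> List[str]:
    """Return the problems found with a GnuPG home directory (empty list = ok)."""
    uid = os.geteuid() if uid is None else uid
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems: List[str] = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != uid:
        # The container case: bind-mounted homedir owned by host uid 1000
        # while gpg runs as a different mapped uid.
        problems.append(f"{path}: owned by uid {st.st_uid} but gpg runs as uid {uid} "
                        "(unsafe ownership)")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} allows group/other "
                        "access (unsafe permissions)")
    return problems


def check_gpg_tty(env: Dict[str, str]) -> List[str]:
    """Check whether GPG_TTY names a terminal a curses/tty pinentry could open."""
    tty = env.get("GPG_TTY", "")
    if not tty:
        return ["GPG_TTY is unset; gpg-agent cannot tell pinentry which terminal to use"]
    if tty == "not a tty":
        # Exactly what `export GPG_TTY=$(tty)` produces when stdin is no terminal.
        return ["GPG_TTY is the literal string 'not a tty'; $(tty) ran without a terminal"]
    try:
        st = os.stat(tty)
    except FileNotFoundError:
        return [f"GPG_TTY={tty}: no such device in this mount namespace"]
    problems: List[str] = []
    if not stat.S_ISCHR(st.st_mode):
        problems.append(f"GPG_TTY={tty}: not a character device")
    if not os.access(tty, os.R_OK | os.W_OK):
        problems.append(f"GPG_TTY={tty}: not readable and writable by uid {os.geteuid()}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the checks against a constructed temporary homedir in three states."""
    home = tempfile.mkdtemp()           # created with mode 0700 by the calling uid
    try:
        ok = check_gnupg_home(home)
        os.chmod(home, 0o750)
        too_open = check_gnupg_home(home)
        os.chmod(home, 0o700)
        wrong_owner = check_gnupg_home(home, uid=os.geteuid() + 1)
    finally:
        os.rmdir(home)
    return {
        "ok": ok,
        "too_open": too_open,
        "wrong_owner": wrong_owner,
        "tty_unset": check_gpg_tty({}),
        "tty_literal": check_gpg_tty({"GPG_TTY": "not a tty"}),
        "tty_missing": check_gpg_tty({"GPG_TTY": "/dev/this-tty-does-not-exist"}),
    }


if __name__ == "__main__":
    # Real use: check_gnupg_home(os.environ.get("GNUPGHOME", "~/.gnupg")) and
    # check_gpg_tty(dict(os.environ)) from inside the container shell.
    for name, found in demo().items():
        print(f"{name}: {'ok' if not found else '; '.join(found)}")
```

Running the two checks from inside the container points at the actual cause (uid mapping and device ownership) rather than at pinentry, which is only the component that surfaces the error.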