From: klaus at vink-slott.dk (Klaus Vink Slott)
Date: Thu, 1 Jan 2026 18:16:06 +0100
Subject: pinentryQT timeout
In-Reply-To: <2580878.XAFRqVoOGU@daneel>
References: <9941ad91-3182-4f2c-8fd2-5e19a47cc2de@vink-slott.dk> <2580878.XAFRqVoOGU@daneel>

On 31.12.2025 at 19:22, Ingo Klöcker wrote:
> On Wednesday, 31 December 2025 10:38:01 Central European Standard Time Klaus
> Vink Slott via Gnupg-users wrote:
...
>> I've searched through the options in the PIN entry program for a "stay
>> on top" option, not finding any - also tried to add an extended time to
>> the gpg-agent.conf file, but it didn't help.
>>
>> Do you have any ideas, or should I give up on the KDE relaunch feature?
>
> Maybe you can set Special Window settings or Special Application settings for
> pinentry-qt to keep its window on top. Right-click on the title bar of
> pinentry, select More Actions... and then Configure Special Window Settings...
> Then add the "Keep above other windows" property (under Arrangement & Access).

That was a good hint; I can now keep the window on top. Unfortunately it still loses focus, but at least I can regain focus quickly as the window itself stays on top. I will have to dig a bit deeper into the KDE settings to see if I can avoid losing focus.

--
Klaus


From: dev at nixonnet.org (Bow)
Date: Sun, 4 Jan 2026 17:50:03 -0800
Subject: Securing multiple keys with one smart card

Hello GnuPG Users,

Is there a known way to encrypt multiple/all private keys in the keyring with a single smart card?

Use case: I have separate keys for separate identities (e.g. personal and professional) and I would like to secure these keys with a smart card (an actual ISO 7816 card, not a USB token) such that I can access the private keys using the card and a PIN or PINs. My goal is to have the ease of a card and a shorter PIN, and the security of needing two factors.

I will be installing the OpenPGP Card applet onto the card myself, so modified versions are an option. Using one card per identity is cost and convenience prohibitive.

Currently I am using GPG 2.4.8 with libcrypt 1.11.2 installed from the Arch Linux repository.

Thank you for your time,
Bow


From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Jan 2026 08:50:35 +0100
Subject: Securing multiple keys with one smart card
In-Reply-To: (Bow via Gnupg-users's message of "Sun, 4 Jan 2026 17:50:03 -0800")
Message-ID: <87pl7nnpro.fsf@jacob.g10code.de>

Hi!

> Is there a known way to encrypt multiple/all private keys in the
> keyring with a single smart card?

Do you mean to replace the passphrase by some kind of encryption using a smartcard? This is not possible but it may be worth to discuss such an option.

> Using one card per identity is cost and convenience prohibitive.

In theory you can create several *PGP keys with the same physical key on the smartcard. But there are some problems. It is better to use a smartcard which allows to store/create several keys and not just the 3 keys we specified for the OpenPGP card. An updated specification of the OpenPGP card will support more keys.

The drawback of this all is that smartcards may build up a defect and you would lose access to all your private keys.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein


From: poontele at gmail.com (陳彥佐)
Date: Wed, 7 Jan 2026 02:43:48 +0800
Subject: Inquiry regarding official GnuPG recommendation for Android
Message-ID: <8a4c714f-922b-4a40-9bbb-04482ef0bdf0@gmail.com>

Hello,

I noticed that gnupg.org currently references the Guardian Project for Android support. However, the Guardian Project's official page states that the project is unmaintained and now recommends OpenKeychain.

Could you please clarify whether there is currently an officially supported or recommended GnuPG application for Android? I am specifically looking for a maintained solution that is available on F-Droid.

Thank you for your assistance.


From: dev at nixonnet.org (Bow)
Date: Tue, 6 Jan 2026 13:40:50 -0800
Subject: Securing multiple keys with one smart card
In-Reply-To: <87pl7nnpro.fsf@jacob.g10code.de>
References: <87pl7nnpro.fsf@jacob.g10code.de>

> Do you mean to replace the passphrase by some kind of encryption
> using a smartcard?

I did, but I understand that is not supported by GnuPG (currently). I was hoping that I was mistaken about that limitation or that there was a work-around of some sort. My goal is to have my private key material protected by more than just a usable (that is, a long but not very long) password. Ideally with a card as a second factor.

> It is better to use a smartcard which allows to store/create several
> keys and not just the 3 keys we specified for the OpenPGP card.

It is my understanding that GnuPG only supports OpenPGP Card smart cards. Is there another card type that would work? My card has space for plenty of keys so storing all the keys on-card is feasible and would work very well for me.

> An updated specification of the OpenPGP card will support more keys.

I saw some discussion in a dev. mailing list about supporting more than 3 keys, but got the impression it was not likely to happen. Do you have more information or can you point me to where I can learn more?

With gratitude,
Bow


From: soyeomul at doraji.xyz (Byunghee HWANG (Gmailify))
Date: Wed, 07 Jan 2026 13:15:49 +0900
Subject: verifying gpg signature under opendkim-lua script
Message-ID: <87ms2qkqh6.fsf@thinkpad-e495.home.arpa>

Hello GnuPG Hackers,

This is a very uncommon situation. I am running some newsletter mailing under a postfix mail server [yw-0919.doraji.xyz; Ubuntu 18.04.6 LTS] (Google Cloud's Compute Engine). That newsletter email is sent automatically every day by cron. And that email is signed with a gpg signature at start time (ed25519; 0x031016E4BEA9EA6A3A0F7D4DF60CC059E52D9596; made by GnuPG 2.2.4).

And the outbound mail server [yw-1204.doraji.xyz; Debian 11 (Bullseye)] has an OpenDKIM filter (with lua script). If possible, I would like to verify the gpg fingerprint of that email with this OpenDKIM lua script. *This point is my real question.*

Then the OpenDKIM filter does the DKIM signing of that email after verification (success). If gpg fingerprint verification fails, the DKIM signing will be withheld.

Any comments, ideas, thoughts, advice welcome!

Sincerely, Byunghee from South Korea


From: ThSchweikle at bfs.de (Thomas Schweikle)
Date: Wed, 7 Jan 2026 13:38:34 +0000
Subject: gpgpass.exe - the gpg4win gpg based password manager is missing
Message-ID: <6fe57859-66f6-45b8-9eb5-232091baa143@bfs.de>

Hi!
From the install binary available at
https://files.gpg4win.org/Beta/gpg4win-5.0.0-beta479/gpg4win-5.0.0-beta479.exe
the password manager gpgpass.exe is missing. It is not available within this installation.

Is this only a bug, or is this thing removed?

--
Thomas


From: sebastian.wagner at intevation.de (Sebastian Wagner)
Date: Wed, 7 Jan 2026 17:54:24 +0100
Subject: gpgpass.exe - the gpg4win gpg based password manager is missing
In-Reply-To: <6fe57859-66f6-45b8-9eb5-232091baa143@bfs.de>
References: <6fe57859-66f6-45b8-9eb5-232091baa143@bfs.de>
Message-ID: <7301d016-c81f-4443-a2d8-486de2b4a5b2@intevation.de>

Hi Thomas

On 07/01/2026 14:38, Thomas Schweikle via Gnupg-users wrote:
> From the install binary available at
> https://files.gpg4win.org/Beta/gpg4win-5.0.0-beta479/gpg4win-5.0.0-beta479.exe
> The password manager gpgpass.exe is missing. It is not available within
> this installation.
>
> Is this only a bug, or is this thing removed?

It appears the program has been removed:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=commit;h=10aa3f1ed73f91c8421e968c7a8107fd1ec47137

Best regards

--
Sebastian Wagner | +49-541-335083-164 | https://intevation.de
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter


From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 7 Jan 2026 23:46:03 -0500
Subject: verifying gpg signature under opendkim-lua script
In-Reply-To: <87ms2qkqh6.fsf@thinkpad-e495.home.arpa>
References: <87ms2qkqh6.fsf@thinkpad-e495.home.arpa>
Message-ID: <2039212a-074a-44b6-826e-69423386132e@sixdemonbag.org>

> This is a very uncommon situation. I am running some newsletter mailing
> under postfix mail server [yw-0919.doraji.xyz; Ubuntu 18.04.6 LTS]
> (Google Cloud's Compute Engine). That newsletter email is sent
> automatically every day by cron. And that email is signed with gpg
> signature at start time (ed25519;
> 0x031016E4BEA9EA6A3A0F7D4DF60CC059E52D9596; made by GnuPG 2.2.4).
>
> And the outbound mail server [yw-1204.doraji.xyz; Debian 11 (Bullseye)] has
> OpenDKIM filter (with lua script). If possible, I would like to verify
> the gpg fingerprint of that email with this OpenDKIM lua script. *This
> point is my real question.*

I've been holding off on this in the hopes someone better at Lua scripting than I would speak up, but apparently I'm what you get.

My first question is, "what are you hoping to achieve by verifying the fingerprint?" Do you actually mean verifying the digital signature on the email?


From: soyeomul at doraji.xyz (Byunghee HWANG)
Date: Thu, 08 Jan 2026 15:23:30 +0900
Subject: verifying gpg signature under opendkim-lua script
In-Reply-To: <2039212a-074a-44b6-826e-69423386132e@sixdemonbag.org> (Robert J. Hansen via Gnupg-users's message of "Wed, 7 Jan 2026 23:46:03 -0500")
References: <87ms2qkqh6.fsf@thinkpad-e495.home.arpa> <2039212a-074a-44b6-826e-69423386132e@sixdemonbag.org>
Message-ID: <87bjj4pqql.fsf@thinkpad-e495.home.arpa>

Hello Robert,

"Robert J. Hansen via Gnupg-users" writes:

>> This is a very uncommon situation. I am running some newsletter mailing
>> under postfix mail server [yw-0919.doraji.xyz; Ubuntu 18.04.6 LTS]
>> (Google Cloud's Compute Engine). That newsletter email is sent
>> automatically every day by cron. And that email is signed with gpg
>> signature at start time (ed25519;
>> 0x031016E4BEA9EA6A3A0F7D4DF60CC059E52D9596; made by GnuPG 2.2.4).
>>
>> And the outbound mail server [yw-1204.doraji.xyz; Debian 11 (Bullseye)] has
>> OpenDKIM filter (with lua script). If possible, I would like to verify
>> the gpg fingerprint of that email with this OpenDKIM lua script. *This
>> point is my real question.*
>
> I've been holding off on this in the hopes someone better at Lua
> scripting than I would speak up, but apparently I'm what you get.
>
> My first question is, "what are you hoping to achieve by verifying the
> fingerprint?"

I don't archive it. The above was an example fingerprint used for questioning.

> Do you actually mean verifying the digital signature on
> the email?

My ultimate goal is to route emails using gpg's fingerprinting. This is the first step toward that goal. That is all.

Sincerely,


From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 8 Jan 2026 02:01:56 -0500
Subject: verifying gpg signature under opendkim-lua script
In-Reply-To: <87bjj4pqql.fsf@thinkpad-e495.home.arpa>
References: <87ms2qkqh6.fsf@thinkpad-e495.home.arpa> <2039212a-074a-44b6-826e-69423386132e@sixdemonbag.org> <87bjj4pqql.fsf@thinkpad-e495.home.arpa>

> My ultimate goal is to route emails using gpg's fingerprinting. This is
> the first step toward that goal. That is all.

Lua doesn't have GPGME bindings, so you'll likely have to do this the error-prone way: fire up GnuPG and verify the signature, after hooking up --status-fd to a file descriptor of your choice. _Do not_ parse the normal console output: only the status-fd output should be used.

When verifying a message with gpg --verify, you'll see a message stanza like:

[GNUPG:] KEY_CONSIDERED CC11BE7CBBED77B120F37B011DCBDC01B44427C7 0
[GNUPG:] SIG_ID qtBYYa4lfH60IDd2oOz06S6QBjc 2026-01-08 1767855159
[GNUPG:] GOODSIG 1DCBDC01B44427C7 Robert J. Hansen

The first, KEY_CONSIDERED, gives you the full fingerprint. If you then see GOODSIG the message has passed its signature verification and then you can have Lua do what you want with the message.


From: m at gnupg.org (Meik Michalke)
Date: Thu, 08 Jan 2026 09:45:06 +0100
Subject: gpgpass.exe - the gpg4win gpg based password manager is missing
In-Reply-To: <6fe57859-66f6-45b8-9eb5-232091baa143@bfs.de>
References: <6fe57859-66f6-45b8-9eb5-232091baa143@bfs.de>
Message-ID: <3937190.i8XQvsm1lU@kasidy>

[i replied yesterday, but didn't notice it wasn't also sent to the list...]

hi thomas,

On Wednesday, 7 January 2026, 14:38:34 CET, Thomas Schweikle via Gnupg-users wrote:
> From the install binary available at
> https://files.gpg4win.org/Beta/gpg4win-5.0.0-beta479/gpg4win-5.0.0-beta479.exe
> The password manager gpgpass.exe is missing. It is not available within
> this installation.
>
> Is this only a bug, or is this thing removed?

this was done on purpose. the tool is not dead, but there's still too many open issues and missing features that we were not yet convinced to have it as part of a stable Gpg4Win 5.0 release. the alternative would have been to wait a lot longer for 5.0, but we think we're getting there soon.

so after Gpg4Win 5.0 is out, it'll probably come back with one of the next beta versions and hopefully mature enough to no longer consider it "experimental".

best regards :: m.eik


From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Jan 2026 11:20:55 +0100
Subject: verifying gpg signature under opendkim-lua script
In-Reply-To: (Robert J. Hansen via Gnupg-users's message of "Thu, 8 Jan 2026 02:01:56 -0500")
References: <87ms2qkqh6.fsf@thinkpad-e495.home.arpa> <2039212a-074a-44b6-826e-69423386132e@sixdemonbag.org> <87bjj4pqql.fsf@thinkpad-e495.home.arpa>
Message-ID: <87o6n4mmm0.fsf@jacob.g10code.de>

On Thu, 8 Jan 2026 02:01, Robert J. Hansen said:

> The first, KEY_CONSIDERED, gives you the full fingerprint. If you then

but you may see several of these status lines.

> see GOODSIG the message has passed its signature verification and then

That is okay, but if you need the fingerprint, parsing the also-emitted

[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2025-12-30 1767102089 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA

is the better option:

    The args are:

    - <fingerprint_in_hex>
    - <sig_creation_date>
    - <sig-timestamp>
    - <expire-timestamp>
    - <sig-version>
    - <reserved>
    - <pubkey-algo>
    - <hash-algo>
    - <sig-class>
    - [ <primary-key-fpr> ]

    This status indicates that the signature is cryptographically valid. This is similar to GOODSIG, EXPSIG, EXPKEYSIG, or REVKEYSIG (depending on the date and the state of the signature and signing key) but has the fingerprint as the argument. Multiple status lines (VALIDSIG and the other appropriate *SIG status) are emitted for a valid signature. All arguments here are on one long line.

    sig-timestamp is the signature creation time in seconds after the epoch. expire-timestamp is the signature expiration time in seconds after the epoch (zero means "does not expire").

    sig-version, pubkey-algo, hash-algo, and sig-class (a 2-byte hex value) are all straight from the signature packet.

    PRIMARY-KEY-FPR is the fingerprint of the primary key or identical to the first argument. This is useful to get back to the primary key without running gpg again for this purpose.

    The primary-key-fpr parameter is used for OpenPGP and not available for CMS signatures. The sig-version as well as the sig class is not defined for CMS and currently set to 0 and 00.

    Note, that *-TIMESTAMP may either be a number of seconds since Epoch or an ISO 8601 string which can be detected by the presence of the letter 'T'.
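The two messages above (Robert Hansen's and Werner Koch's) describe the approach: run gpg with --status-fd, never parse the console output, and take the fingerprint from VALIDSIG rather than from the possibly repeated KEY_CONSIDERED lines. The Python below is an added example written for this thread, not code from either poster or from GnuPG; it assumes the status-line formats from GnuPG's doc/DETAILS, that verify_with_gpg() has a real gpg binary and keyring available, and it uses constructed status streams (modelled on the lines quoted above) as sample input.

```python
"""Gate DKIM signing on GnuPG --status-fd output.  Added example for the
thread above, not the posters' code; follows GnuPG's doc/DETAILS formats."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone

STATUS_PREFIX = "[GNUPG:] "
# A signature carrying any of these must never count as good.
NOT_GOOD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
SIG_KEYWORDS = {"GOODSIG", "VALIDSIG"} | NOT_GOOD


@dataclass
class SigResult:
    goodsig: bool = False      # GOODSIG seen for this signature
    rejected: bool = False     # BADSIG/ERRSIG/EXP*/REV* seen
    fingerprint: str = ""      # VALIDSIG arg 1 (signing key, may be a subkey)
    primary_fpr: str = ""      # VALIDSIG last arg (primary key)
    sig_time: int = 0          # signature creation time, epoch seconds
    expire_time: int = 0       # 0 means "does not expire"

    @property
    def good(self) -> bool:
        # Require GOODSIG *and* VALIDSIG, and no rejecting status line.
        return self.goodsig and not self.rejected and bool(self.fingerprint)


def parse_timestamp(value: str) -> int:
    """VALIDSIG timestamps are epoch seconds or ISO 8601 (contains a 'T')."""
    if "T" in value:
        fmt = "%Y-%m-%dT%H:%M:%S" if "-" in value else "%Y%m%dT%H%M%S"
        dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(value)


def parse_status(status_text: str) -> list:
    """One SigResult per signature.  NEWSIG separates signatures (a stream
    without NEWSIG is treated as one signature).  KEY_CONSIDERED lines, which
    may repeat, are deliberately ignored: the fingerprint comes from VALIDSIG."""
    results, current = [], None
    for raw in status_text.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue                  # never interpret console output
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "NEWSIG":
            current = SigResult()
            results.append(current)
            continue
        if keyword not in SIG_KEYWORDS:
            continue
        if current is None:
            current = SigResult()
            results.append(current)
        if keyword == "GOODSIG":
            current.goodsig = True
        elif keyword in NOT_GOOD:
            current.rejected = True
        elif len(args) >= 9:          # VALIDSIG
            # fpr date sig-ts expire-ts version reserved pk-algo hash-algo class [primary-fpr]
            current.fingerprint = args[0]
            current.sig_time = parse_timestamp(args[2])
            current.expire_time = parse_timestamp(args[3])
            current.primary_fpr = args[9] if len(args) > 9 else args[0]
    return results


def allow_dkim_signing(status_text: str, allowed_primary_fprs) -> bool:
    """Thread's policy: DKIM-sign only if some signature is good and its
    primary-key fingerprint is on the allow-list (case-insensitive)."""
    allowed = {f.upper() for f in allowed_primary_fprs}
    return any(r.good and r.primary_fpr.upper() in allowed
               for r in parse_status(status_text))


def verify_with_gpg(message_path: str, gpg: str = "gpg") -> list:
    """Run gpg with the status stream on stdout (fd 1); the human-readable
    text goes to stderr and is discarded.  Needs a real gpg and keyring."""
    proc = subprocess.run(
        [gpg, "--batch", "--no-tty", "--status-fd", "1", "--verify", message_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout)


# Constructed sample streams, modelled on the lines quoted in the thread
# (fingerprints taken from there; the other lines are made up to match).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED CC11BE7CBBED77B120F37B011DCBDC01B44427C7 0
[GNUPG:] SIG_ID qtBYYa4lfH60IDd2oOz06S6QBjc 2026-01-08 1767855159
[GNUPG:] KEY_CONSIDERED CC11BE7CBBED77B120F37B011DCBDC01B44427C7 0
[GNUPG:] GOODSIG 1DCBDC01B44427C7 Robert J. Hansen
[GNUPG:] VALIDSIG CC11BE7CBBED77B120F37B011DCBDC01B44427C7 2026-01-08 1767855159 0 4 0 22 10 00 CC11BE7CBBED77B120F37B011DCBDC01B44427C7
"""
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 6DAA6E64A76D2840571B4902528897B826403ADA 0
[GNUPG:] EXPKEYSIG 528897B826403ADA Constructed Test User
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2025-12-30 1767102089 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA
"""
```

An OpenDKIM Lua hook would call allow_dkim_signing() on the captured status stream and skip signing when it returns False; the EXPKEYSIG sample shows why GOODSIG, not VALIDSIG alone, decides.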
Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein


From: guru at unixarea.de (Matthias Apitz)
Date: Thu, 8 Jan 2026 13:48:35 +0100
Subject: pass / gnupg is caching?

I'm using the 'pass' command of password-store for all my stored credentials. While looking for some other problem I detected that it seems that gnupg (used by pass to decrypt the credentials) is storing the result of decryption somehow, at least it does not do again a read access to the file of the stored secret. In both cases I was asked for the PIN to unlock the OpenPGP card:

$ ls -lu .password-store/test.gpg
-rw------- 1 purism purism 585 Nov 26 14:45 .password-store/test.gpg
$ pass test
secret
$ ls -lu .password-store/test.gpg
-rw------- 1 purism purism 585 Jan  8 13:27 .password-store/test.gpg
$ pass test
secret
$ ls -lu .password-store/test.gpg
-rw------- 1 purism purism 585 Jan  8 13:27 .password-store/test.gpg

i.e. the 2nd time does not modify the read access time of the file. Why?

Thanks

matthias

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub


From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Jan 2026 16:47:18 +0100
Subject: pass / gnupg is caching?
In-Reply-To: (Matthias Apitz's message of "Thu, 8 Jan 2026 13:48:35 +0100")
Message-ID: <875x9cm7i1.fsf@jacob.g10code.de>

Hi Matthias,

> i.e. the 2nd time does not modify the read access time of the file. Why?

I don't think that pass as a shell script caches anything. Neither does gpg. I think you need to have "strictatime" in the mount options to get accurate atimes. The default seems to be "relatime" (Access time is only updated if the previous access time was earlier than the current modify or change time).

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein


From: Bjorn at xn--rombobjrn-67a.se (Björn Persson)
Date: Thu, 8 Jan 2026 16:40:45 +0100
Subject: pass / gnupg is caching?
Message-ID: <20260108164045.1a12e803@tag.xn--rombobjrn-67a.se>

Matthias Apitz wrote:
> i.e. the 2nd time does not modify the read access time of the file. Why?

Is your filesystem perchance mounted with the "relatime" option? Writing a timestamp to the disk every time a file is read from the cache turned out to be bad for performance, and bad for the longevity of SSDs, so that's often omitted these days.

Björn Persson


From: guru at unixarea.de (Matthias Apitz)
Date: Fri, 9 Jan 2026 09:49:46 +0100
Subject: pass / gnupg is caching?
In-Reply-To: <875x9cm7i1.fsf@jacob.g10code.de>
References: <875x9cm7i1.fsf@jacob.g10code.de>

On Thursday, January 08, 2026 at 04:47:18 p.m. +0100, Werner Koch via Gnupg-users wrote:

> Hi Matthias,
>
> > i.e. the 2nd time does not modify the read access time of the file. Why?
>
> I don't think that pass as a shell script caches anything. Neither does
> gpg. I think you need to have "strictatime" in the mount options to get
> accurate atimes. The default seems to be "relatime" (Access time is
> only updated if the previous access time was earlier than the current
> modify or change time).

Hi Werner,

Yes. The file system in my phone is mounted as:

purism@pureos:~$ mount | grep ext4
/dev/mapper/crypt_root on / type ext4 (rw,relatime,errors=remount-ro)

Thanks for the hints.

matthias

> --
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein

--
Matthias Apitz, guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

An die deutsche Bundesregierung: Nein, meine Söhne geb' ich nicht für Ihren Krieg!
Al Gobierno alemán: ¡No, no doy mis hijos para su guerra!
To the German Government: No, I will not give my sons for your war!


From: me at paulapplegate.com (Paul Applegate)
Date: Thu, 8 Jan 2026 22:10:55 -0500
Subject: GnuPG Development Hub Access
Message-ID: <41C34F4A-ADF1-4912-8A96-B9B8B511B4AB@paulapplegate.com>

May I have access to the GnuPG Development Hub ( https://dev.gnupg.org/ )?

Username : mrapplegate
Email : me at paulapplegate.com

Thanks.

Paul


From: fxkl47BF at protonmail.com (fxkl47BF at protonmail.com)
Date: Mon, 12 Jan 2026 00:30:31 +0000
Subject: pass / gnupg is caching?
In-Reply-To: <875x9cm7i1.fsf@jacob.g10code.de>
References: <875x9cm7i1.fsf@jacob.g10code.de>
Message-ID: <53q49r99-88q8-ooso-674r-6q3r21833946@cebgbaznvy.pbz>

On Thu, 8 Jan 2026, Werner Koch via Gnupg-users wrote:

> Hi Matthias,
>
>> i.e. the 2nd time does not modify the read access time of the file. Why?
>
> I don't think that pass as a shell script caches anything. Neither does
> gpg. I think you need to have "strictatime" in the mount options to get
> accurate atimes. The default seems to be "relatime" (Access time is
> only updated if the previous access time was earlier than the current
> modify or change time).

the man page says caching is the default for symmetric encryption


From: steve at sawczyn.com (Steve Sawczyn)
Date: Mon, 12 Jan 2026 00:26:19 -0600
Subject: Questions about web of trust, new keys, and whether it's even a thing any more
Message-ID: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com>

I was going through some ancient backups and came across my original PGP 2.X keys from way back in the day. Back then, many of us worked hard to collect signatures to establish a web of trust. Of course this was ages ago now and as things have evolved, I'm now using newer keys. I'm not sure why this hadn't occurred to me until now, but in migrating to newer keys, all those old signatures were lost. To be fair, I'm sure that most of those signatures could no longer be validated anyway since I'm sure everyone has moved on, but it got me thinking about the web of trust: Is that something people really even focus on any more? Also, how can the web of trust remain intact when there will inevitably come a time when key structures/algorithms will change again and people will need to generate new keys? What about key expiration, wouldn't that cause a person to essentially have to start over with gathering signatures for new keys, or otherwise re-establishing trust?

I'm sure I'm missing something very basic, but would really appreciate any thoughts or explanation.

Thanks in advance,

Steve


From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Jan 2026 11:27:24 +0100
Subject: pass / gnupg is caching?
In-Reply-To: <53q49r99-88q8-ooso-674r-6q3r21833946@cebgbaznvy.pbz> (fxkl47BF's message of "Mon, 12 Jan 2026 00:30:31 +0000")
References: <875x9cm7i1.fsf@jacob.g10code.de> <53q49r99-88q8-ooso-674r-6q3r21833946@cebgbaznvy.pbz>
Message-ID: <87ms2jktwz.fsf@jacob.g10code.de>

On Mon, 12 Jan 2026 00:30, fxkl47BF--- said:

> the man page says caching is the default for symmetric encryption

Caching of one's own symmetric passphrase is a little hack and for most users not very useful:

    gpg caches the passphrase used for symmetric encryption so that a
    decrypt operation may not require that the user needs to enter the
    passphrase. The option --no-symkey-cache can be used to disable this
    feature.

But that was not the question here. For the smartcard PINs there is no caching but the smartcards decide on their own whether you need to enter the PIN for each signature/decryption. The only caching for those PINs is to overcome a problem with Yubikeys which do not keep the PIN-verified state when switching back and forth between the applications (OpenPGP <-> PIV).

Salam-Shalom,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein


From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Jan 2026 11:34:00 +0100
Subject: Questions about web of trust, new keys, and whether it's even a thing any more
In-Reply-To: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com> (Steve Sawczyn via Gnupg-users's message of "Mon, 12 Jan 2026 00:26:19 -0600")
References: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com>
Message-ID: <87ikd7ktlz.fsf@jacob.g10code.de>

On Mon, 12 Jan 2026 00:26, Steve Sawczyn said:

> migrating to newer keys, all those old signatures were lost. To be
> fair, I'm sure that most of those signatures could no longer be

That's right and shows that the Web of Trust does not really work to its full extent in real life. The reasons why old PGP 2 keys can't be used anymore are:

- GnuPG 2.x dropped almost all support for those v3 (and v2) keys.
- GnuPG does not anymore support the really broken MD5 hash algorithm.
- Some people fear collision attacks on SHA-1 keys and thus by default SHA-1 key signatures, as done for many years, are now not anymore usable.

Note that gpg 1.4 is still available to decrypt old encrypted data.

> change again and people will need to generate new keys? What about
> key expiration, wouldn't that cause a person to essentially have to
> start over with gathering signatures for new keys, or otherwise

It is possible and suggested to prolong the expiration time of a key. However, some folks used a signature expiration time when doing their 3rd party key signatures; this can only be solved by issuing a new key signature.

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein


From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 12 Jan 2026 11:17:58 -0500
Subject: Questions about web of trust, new keys, and whether it's even a thing any more
In-Reply-To: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com>
References: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com>
Message-ID: <7fc7ec58-826d-487a-a0b6-f06971a27e28@sixdemonbag.org>

tl;dr: your questions are good ones, but there are solid answers to them. :)

> Is [the Web of Trust] something people really even focus on any
> more?

As with most things, there is no easy yes or no answer here. Everyone has their own particular GnuPG use case and threat model: under some of these the Web of Trust is irrelevant, and under others the Web of Trust is irreplaceable.

As an example of irreplaceable Web of Trust usage: businesses that wish for all employees to automatically treat other employee certificates as validated might want to run their own certificate authority (CA), which will sign each employee's certificate with the business's certificate before putting the certificate in a company-wide keystore. When employees need to send email within the company, it acquires the needed certificate, checks the CA has signed it, and presto. This is probably the most common way the Web of Trust is used in the real world.

Other good examples of the Web of Trust include things like software supply chains, where each individual release might have its own certificate signed by the project's master certificate.

> Also, how can the web of trust remain intact when there will
> inevitably come a time when key structures/algorithms will change
> again and people will need to generate new keys?

The trust spider needs to do constant upkeep on its web, that's for sure. But a lot of this can be mitigated via trusted introducer chaining, or dual signatures, or both.

E.g.: certificate 23806BE5D6B98E10 was revoked in January of 2017. Before it did, though, it signed certificate 1DCBDC01B44427C7. If you trusted rjh at sixdemonbag.org as identified by certificate 23806BE5D6B98E10, you would probably also be fairly safe trusting rjh at sixdemonbag.org as identified by certificate 1DCBDC01B44427C7. That's how introducer chaining works.

Dual signatures exploit the fact that messages can bear more than one signature. If I want to create public trust in a new certificate (say, 1E7A94D4E87F91D5), one can publicly sign messages with both the old certificate (1DCBDC01B44427C7) and the new certificate (1E7A94D4E87F91D5). Get a few messages out there in the wild with both signatures, and people begin to get the idea maybe the same person is behind both certificates.


From: ratbag at gmx.com (Rat Bag)
Date: Tue, 13 Jan 2026 01:44:00 -0700
Subject: gpg 1.4
In-Reply-To: <87ikd7ktlz.fsf@jacob.g10code.de>
References: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com> <87ikd7ktlz.fsf@jacob.g10code.de>

> Note that gpg 1.4 is still available to decrypt old encrypted data.

Is using gpg 1.4 on an "air-gapped" computer to generate RSA 4096 keys and encrypting files/messages to owners of such keys still considered safe?

TIA,

R.B.


From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 13 Jan 2026 06:06:25 -0500
Subject: gpg 1.4
References: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com> <87ikd7ktlz.fsf@jacob.g10code.de>

> Is using gpg 1.4 on an "air-gapped" computer to generate RSA 4096 keys
> and encrypting files/messages to owners of such keys still considered
> safe?

No idea. We're not you. We don't know your threat model, what actors you're facing, what environment you're in. GnuPG just provides tools. Knowing what to do with it, how, and why, is on you.

Please don't mistake this for a sarcastic answer. It's an honest one. There is no way Werner, or anyone, can answer your question without first asking a lot of questions. That kind of individualized consultation usually costs money.

I will say this: I'm unaware of any reason it would be considered unsafe. Whether it would be considered safe is an open question.


From: mm at dorfdsl.de (Marco Moock)
Date: Tue, 13 Jan 2026 12:37:38 +0100
Subject: gpg 1.4
References: <5AF166B8-44DA-4142-9C28-7AD02F4CF1C7@sawczyn.com> <87ikd7ktlz.fsf@jacob.g10code.de>
Message-ID: <20260113123738.147fc276@dorfdsl.de>

On 13.01.2026 01:44 Rat Bag via Gnupg-users wrote:

> Is using gpg 1.4 on an "air-gapped" computer to generate RSA 4096 keys
> and encrypting files/messages to owners of such keys still considered
> safe?

I am not aware of any issues with that. The gnupg.org website mentions that 1.4 is legacy and will only receive important security updates.

Beware that other outdated software on your system might pose a risk.

Is there a special reason not to upgrade to the current version?