Re: [gpgtools-users] This key may be unsafe
Hi, in this context: http://www.keylength.com/en/compare/ Best regards, Alex On 07.03.2011, at 22:03, Charly Avital wrote: GPG Keychain Access 0.8.4 shows a red warning 'This key maybe unsafe' for *any* key with a length equal or inferior to 1024 bits. GPG Keychain Access 0.8.4 is a GUI for key management for Mac users. http://www.gpgtools.org/keychain.html A Google search with key sentence This key maybe unsafe between inverted commas, to limit the search to the whole sentence, displays hits that relate directly or indirectly (Twitter) only to GPGTools' lists. I am cross-posting to gnupg-users to try and get more feedback about this issue: Are keys whose length is equal or inferior to 1024 bits *unsafe*? If so, how are they unsafe? Where is this key length unsafe situation documented? As a personal example, my primary key A57A8EFA is a DSA old 1024 bit key, but its encryption subkey is 2048 bit long, and I use a sign-only 2048 bit long RSA subkey. I also get that red warning with GPG Keychain Access 0.8.4 TIA. Charly ___ gpgtools-users mailing list gpgtools-us...@lists.gpgtools.org FAQ: http://www.gpgtools.org/faq.html Changes: http://lists.gpgtools.org/mailman/listinfo/gpgtools-users Unsubscribe: http://lists.gpgtools.org/mailman/options/gpgtools-users/a...@willner.ws?unsub=Unsubscribeunsubconfirm=1 This email sent to: a...@willner.ws smime.p7s Description: S/MIME cryptographic signature PGP.sig Description: This is a digitally signed message part ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Signature Verification using GPG
Hello everyone, I hope that this is the right place for my question - if not please forgive me. Anyway, any form of help will is appreciated. I'm currently trying to write a kernel module that checks digital signatures of binaries. For the cryptographic part I'm using the sourcecode of GPG 1.4.11 (the SHA1 computation, the RSA verifcation and the MPI part) - I think I made everything correctly, but that it would work... Some Infos: For the sake of simplicity we can assume that the keys are correctly initalized and both the hash that was signed as well as the signature itself (i.e. the whole packet as specified by RFC 4880) was read correctly. Now I compute the new hash over the old hash plus the trailer (parts of the packet body plus some 6-byte information), convert this new hash as well as the original signature to an MPI and call rsa_verify(). But it just won't work. And finally my code, I left out all error handling to keep it compact - so it should be pretty self-explanatory, but I'll answer every question if somethings unclear ofcouse: http://pastebin.com/gs99VdmF Again, it would be great if someone could help me. If this was the wrong place to ask, please tell me also (maybe with a hint where to ask instead :)) Regards, Chris ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 2.1 beta 2 released
Hello! We just released the second *beta version* of GnuPG 2.1. It has been released to give you the opportunity to check out the new features. It is marked as a beta versions and the plan is to release a couple more betas in the next months before we can declare 2.1.0 stable enough for general use. In any case the 2.1 series won't replace the 2.0 series. If you need stable and fully maintained version of GnuPG, you should in general use 2.0.x or even 1.4.x. Eventually we will release 2.2 as the new stable version but that may take some time. Noteworthy changes in version 2.1.0beta2 (2011-03-08) - * ECC support for GPG as described by draft-jivsov-openpgp-ecc-06.txt. * New GPGSM feature to create certificates from a parameter file. Add prompt to the --gen-key UI to create self-signed certificates. * Dirmngr has taken over the function of the keyserver helpers. Thus we now have a specified direct interface to keyservers via Dirmngr. LDAP, DNS and mail backends are not yet implemented. * TMPDIR is now also honored when creating a socket using --no-standard-socket and with symcryptrun's temp files. * Fixed a bug where SCdaemon sends a signal to Gpg-agent running in non-daemon mode. * Print AES128 instead of AES. This change introduces a little incompatibility for tools using gpg --list-config. We hope that these tools are written robust enough to accept this new algorithm name as well. * Fixed CRL loading under W32 (bug#1010). * Fixed TTY management for pinentries and session variable update problem. Noteworthy changes already found in beta1: * GPG does not anymore use secring.gpg but delegates all secret key operations to gpg-agent. The import command moves secret keys to the agent. * The OpenPGP import command is now able to merge secret keys. * The G13 tool for disk encryption key management has been added. * If the agent's --use-standard-socket option is active, all tools try to start and daemonize the agent on the fly. In the past this was only supported on W32; on non-W32 systems the new configure option --disable-standard-socket may now be used to disable this new default. * Dirmngr is now a part of this package. Dirmngr is now also expected to run as a system service and the configuration directories are changed to the GnuPG name space. * Removed GPG options: --export-options: export-secret-subkey-passwd --simple-sk-checksum * New GPG options: --try-secret-key * Support DNS lookups for SRV, PKA and CERT on W32. * The default for --include-cert is now to include all certificates in the chain except for the root certificate. * Numerical values may now be used as an alternative to the debug-level keywords. * New GPGSM option --ignore-cert-extension. * Support for Windows CE. * Given sufficient permissions Dirmngr is started automagically. * Bug fixes. Migration from 1.4 or 2.0 = The major change in 2.1 is that gpg-agent now takes care of the OpenPGP secret keys (those managed by GPG). The former secring.gpg will not be used anymore. Newly generated keys are generated and stored in the agent's key store (~/.gnupg/private-keys-v1.d/). To migrate your existing keys to the agent you should run this command gpg2 --import ~/.gnupg/secring.gpg The agent will you ask for the passphrase of each key. You may use the Cancel button of the Pinentry to skip importing this key. If you want to stop the import process and you use one of the latest pinentries, you should close the pinentry window instead of hitting the cancel button. Secret keys already imported are skipped by the import command. It is advisable to keep the secring.gpg for use with older versions of GPG. Note that gpg-agent now uses a fixed socket by default. All tools will start the gpg-agent as needed. In general there is no more need to set the GPG_AGENT_INFO environment variable. The SSH_AUTH_SOCK environment variable should be set to a fixed value. GPG's smartcard commands --card-edit and --card-status as well as the card related sub-commands of --edit-key are not yet supported. However, signing and decryption with a smartcard does work. The Dirmngr is now part of GnuPG proper. Thus there is no more need to install the separate dirmngr package. The directroy layout of Dirmngr changed to make use of the GnuPG directories; for example you use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs. Dirmngr needs to be started as a system daemon. Getting the Software GnuPG 2.1 is available at ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta2.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta2.tar.bz2.sig and soon on all mirrors http://www.gnupg.org/mirrors.html. Note that libgcrypt 1.5.0 is now required; it is available at
Re: Signature Verification using GPG
On Tue, 8 Mar 2011 14:53, christoph.rachin...@ce.stud.uni-erlangen.de said: I'm currently trying to write a kernel module that checks digital signatures of binaries. For the cryptographic part I'm using the sourcecode of GPG 1.4.11 (the SHA1 computation, the RSA verifcation and FWIW: You might be interested in ftp://ftp.g10code.com/people/werner/crypto/sfsv-0.5.0.tar.gz which is a implementation of OpenPGP signature verification for ELF object. It is DSA only but may it may be of help to get your code working. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
signed messages take an eternity to be formatted by evolution
Hi everybody, I am using ubuntu 10.10, gpg and evolution. And I am reading this mailing list for quite some time. Lately to read this list is a pain since many keys are no longer found on the key server(s) I have entered into the keyserver list and for any mail thus signed with an unknown key I have to wait till the keyservers time limit is reached. When a message's key is not found I get the following: message signed, but the public key is required. a click on the symbol reveals: gpg: ASCII-Hülle: Version: GnuPG v2.0.18-gitcb2f55e (GNU/Linux) gpg: ASCII-Hülle: Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ gpg: Signatur am Di 01 Mär 2011 03:20:12 CET mit RSA Schlüssel, ID A18A54D6, erfolgt gpg: Schlüssel A18A54D6 von hkp Server wwwkeys.eu.pgp.net anfordern gpg: Schlüsselserver hat das Zeitlimit überschritten gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden i.e. last three lines: get the key from the key server time limit of the key server reached signature can not be tested, no public key found I would be very gratefull if someone could point me to a remedy of this situation. Greetings from the Black Forest Bernhard signature.asc Description: This is a digitally signed message part ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users