Serve up ssh key *and* gpg key?
Long-time GPG user here, thanks so much for everyone's help and work on it. I really like the feature GPG 2.1 has, where it can serve up a subkey of a private key to SSH and act as an SSH agent. I use a particular subkey of my master key for SSH authentication and I really like it.

But, at work, I was issued an SSH key to use to get into a particular server via SSH. I was told to add it to my SSH agent. My question is, can GPG serve up both? I don't think it's possible to turn the SSH key I was given into a GPG key, or I would just do that so gpg-agent could serve it and I could use it as an SSH key. I don't think it's possible to simultaneously run ssh-agent (or pageant, for that matter) and gpg-agent at the same time. Is there a way I would be able to have an application connect to gpg-agent as if it were an ssh agent and have the gpg-agent serve both keys?

Thanks!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Serve up ssh key *and* gpg key?
Hi,

On 09/13/2016 04:42 PM, Daniel Haskin wrote:
> My question is, can GPG serve up both?

Yes.

> I don't think it's possible to turn the SSH key I was given into a GPG key

You don't need to do that. Just load the key into the agent using the ssh-add tool, as you would do if you were using the "regular" ssh-agent.

> Is there a way I would be able to have an application connect to gpg-agent as if it were an ssh agent and have the gpg-agent serve both keys?

As long as gpg-agent is started with the --enable-ssh-support option, any program capable of talking to the "regular" ssh-agent can talk to gpg-agent. That's why you can just use ssh-add to load your key into the agent.

Damien
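As an added example (not code from the thread or from GnuPG itself), the setup the reply describes: gpg-agent.conf carries enable-ssh-support, ssh clients are pointed at the agent's ssh socket through gpgconf, and the keys ssh-add has loaded are recorded as keygrips in sshcontrol, which the second function lists. The sshcontrol sample is constructed; the gpgconf calls assume GnuPG 2.1 or later is installed.

```shell
# Added example, not from the thread. Assumes GnuPG >= 2.1 with gpgconf on PATH
# and the line "enable-ssh-support" present in $GNUPGHOME/gpg-agent.conf.

# Point ssh and ssh-add at gpg-agent instead of the regular ssh-agent.
use_gpg_agent_for_ssh() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found" >&2; return 1; }
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpgconf --launch gpg-agent
}

# After use_gpg_agent_for_ssh, "ssh-add ~/.ssh/work_key" (the issued key) makes
# gpg-agent store the key as private-keys-v1.d/<keygrip>.key and append the
# keygrip to $GNUPGHOME/sshcontrol; "ssh-add -L" then lists it next to the
# OpenPGP authentication subkey, and ssh offers both to the server.

# sshcontrol lines are "KEYGRIP TTL [FLAGS]"; '#' starts a comment and a
# leading '!' disables an entry. Print the keygrips currently offered to ssh.
sshcontrol_enabled() {
    awk '/^[[:space:]]*#/ { next }
         /^[[:space:]]*$/ { next }
         $1 !~ /^!/       { print $1 }'
}

# Constructed sshcontrol content (made-up keygrips, not from the thread).
SSHCONTROL_SAMPLE='# keygrips of keys ssh clients may use
0123456789ABCDEF0123456789ABCDEF01234567 0 confirm
!FEDCBA9876543210FEDCBA9876543210FEDCBA98 0
89ABCDEF0123456789ABCDEF0123456789ABCDEF 0'

# Uncomment to inspect the real file:
# sshcontrol_enabled < "${GNUPGHOME:-$HOME/.gnupg}/sshcontrol"
```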
Signing and symmetrically encrypting files
Hi

I am a little confused with the many gpg options and need advice.

I want to export files to public servers, keeping them with encryption confidential to any individual outside of a given set of people. These documents have to be accessible to groups of correspondents. I intend to define a specific password for each one of the groups to symmetrically encrypt the documents depending on which group they are dedicated to. I also want to sign my documents to assess authentication.

To sign the documents, I intend to use the following gpg options: "--sign --local-user ${my_self} [ --passphrase-file ${my_pass_file} | --passphrase ${my_passphrase} ]", and to symmetrically encrypt the documents: "--encrypt --symmetric" and another option to define the encryption key, but I cannot figure out which one, and finally, "--output ${signed_encrypted_file} --no-use-agent --no-tty".

Thank you to anybody who will help me define the parameters and options of the gpg command.

Arbiel
Re: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?
Dear Damien

Thank you greatly for your quick response and helpful information. This is very good news. Setting up the reader for a normal user should be fairly straightforward using a udev rule, so thank you for the reminder.

Cheers,
Scott

Sent via Mutt from my Ubuntu Server.

Damien Goutte-Gattat wrote:
> On 09/13/2016 02:12 AM, Scott R. Santos wrote:
> > Specifically, has this reader been successfully used to read and
> > write to OpenPGP v2.1 Smartcards under current distros/versions of
> > Linux and/or Apple OS X using recent versions of gnupg?
>
> I am successfully using it with an OpenPGP Smartcard v2.0 (not 2.1),
> under Slackware Linux with GnuPG 2.1.15.
>
> It works both with Scdaemon's internal CCID driver and with the
> pcscd/libpcsclite stack.
>
> > Any info would be greatly appreciated and thank you in advance,
>
> If you don't plan to use your reader for anything else than GnuPG,
> you may use the internal CCID driver. In that case, there's not much
> to do; about the only thing you may have to take care of (if it's
> not already done on your system) is to make sure that your own user
> account is allowed to access the reader.
>
> (That's for GNU/Linux; as for OS X, I have no clue.)
>
> Damien
Re: Changing smartcard
On 13/09/16 15:33, Werner Koch wrote:
> On Tue, 13 Sep 2016 14:02, andr...@andrewg.com said:
>
>> 1. Why was the A keystub not deleted and regenerated when I did gpg
>> --delete-secret-keys; gpg --card-status, like the E and S ones
>> apparently were?
>
> Did you get a pinentry prompt to confirm the deletion of the secret key
> (actually two prompts for primary and subkey)?

I did get two slightly different terminal prompts along the lines of "Do you really want to delete this secret key? [Y/N]". I replied Y to both.

Thanks,
A
Re: DANE-OpenPGPkey lookup with GnuPG
On Mon, 12 Sep 2016 23:54, r...@bartschnet.de said:

> I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC
> 7929) using the command 'gpg2 --auto-key-locate dane --search-keys
> i...@mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).

The command --search-keys is keyserver specific and may return a list of keys. What you want to use is --locate-keys which takes the --auto-key-locate list into account. For testing it is often useful to do this:

  gpg --auto-key-locate clear,dane,local --locate-key WHATEVER

clear clears all auto-key-locate settings from gpg.conf and the explicit mentioning of local makes sure that "dane" is used before looking into the "local" keyring.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Unknown Protocol error message
On Tue, 13 Sep 2016 12:54, je...@seibercom.net said:

> using claws-mail on a Windows 10 Pro / 64 bit machine, I see the
> following error message appear quite often on the bottom of the screen:
>
> The signature can't be checked - Unsupported protocol

Did you load both the OpenPGP and the S/MIME plugins? Is GnuPG-2 installed (try "gpgsm --version")?

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: DANE-OpenPGPkey lookup with GnuPG
Hi,

On 09/12/2016 11:54 PM, Rene "Renne" Bartsch, B.Sc. Informatics wrote:
> I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC 7929) using the command 'gpg2 --auto-key-locate dane --search-keys i...@mail.de'
>
> What's wrong with my command or gpg2?

I think the --search-keys command is specifically meant to retrieve keys from keyservers. To retrieve a key using the auto-key-locate mechanisms, use the --locate-keys command instead:

  $ gpg2 --auto-key-locate dane --locate-keys i...@mail.de
  gpg: key 94206060: public key "i...@mail.de" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  gpg: automatically retrieved 'i...@mail.de' via DANE
  pub   rsa4096/94206060 2015-03-11 [SCA] [expires: 2020-03-09]
  uid         [ unknown] i...@mail.de
  sub   rsa4096/8113910E 2015-03-11 [E] [expires: 2020-03-09]

Damien
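Added example, not from the thread: how the OPENPGPKEY owner name that --auto-key-locate dane queries is derived per RFC 7929 (SHA-256 of the local part, truncated to 28 octets, under _openpgpkey.<domain>), so the record gpg fetches can be checked with an ordinary DNS tool. The address used is constructed, and the local part is hashed as given with no normalisation (an assumption).

```shell
# Added example, not from the thread. RFC 7929 owner name:
#   <hex(sha256(local-part)) truncated to 56 hex chars>._openpgpkey.<domain>
# The local part is hashed exactly as written (no normalisation; assumption).

# sha256 of stdin as lowercase hex; sha256sum (coreutils) or shasum (macOS).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# $1: e-mail address. Prints the OPENPGPKEY owner name, or fails on bad input.
openpgpkey_name() {
    addr=$1
    case $addr in
        *@*) ;;
        *) echo "not an e-mail address: $addr" >&2; return 1 ;;
    esac
    local_part=${addr%@*}
    domain=${addr##*@}
    digest=$(printf '%s' "$local_part" | sha256_hex | cut -c1-56)
    printf '%s._openpgpkey.%s\n' "$digest" "$domain"
}

# Constructed address (not the poster's). With the name in hand, the record
# gpg retrieves can be inspected together with its DNSSEC signatures, e.g.:
#   dig +dnssec TYPE61 "$(openpgpkey_name alice@example.org)"
# (OPENPGPKEY is RR type 61.)
```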
DANE-OpenPGPkey lookup with GnuPG
Hi,

I'm new to the list, so a "Hello" to all! ;)

I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC 7929) using the command 'gpg2 --auto-key-locate dane --search-keys i...@mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).

gpg2 always returns:

  gpg: no keyserver known (use option --keyserver)
  gpg: keyserver search failed: No keyserver available

What's wrong with my command or gpg2?

Thanx for any hint,

Renne
Re: Why would I want S/MIME?
> You mean GPG. GnuPG includes GPG and GPGSM and thus support for OpenPGP
> and for S/MIME.

No, they refuse to learn GnuPG. If S/MIME was provided by GPGSM they'd refuse to use S/MIME -- they want something that "just works," not something they have to install and fiddle with.
Re: Why would I want S/MIME?
On 12.09.2016 21:15, Anthony Papillion wrote:
> Assuming everyone is willing and comfortable with using GnuPG, is there
> any compelling reason (aside from easy setup and use) to use S/MIME?

The main reason I can think of is the fact that there are mail clients that don't support PGP without significant hassle (or not at all), but do support S/MIME, e.g. iOS devices. Not sure if you count this as a specialized case of "easy setup and use".

-Ralph
Unknown Protocol error message
Using claws-mail on a Windows 10 Pro / 64 bit machine, I see the following error message appear quite often on the bottom of the screen:

  The signature can't be checked - Unsupported protocol

I don't understand the reason for this or how to correct it. Can anyone assist me?

--
Jerry
Changing smartcard
I recently decided to change my default smartcard on one machine because it was easier to use and carry a flat card than one in a USB reader, and that particular machine has a smartcard slot. I had two smartcards anyway for testing purposes.

I thought it would be a simple matter of deleting the key stubs on the machine in question and running gpg --card-status, but even after doing this for both gpg and gpg2 (debian!) it still sometimes asked for the old smartcard.

Things that worked: poldi (on login screen), enigmail
Things that didn't work: ssh, sudo/poldi (on command line)

The only thing that might explain why poldi works on the login screen but not for sudo is the agent (which isn't running at login time, so poldi must call scdaemon directly at that point).

Using gpg-connect-agent:

> keyinfo --list
S KEYINFO EDB763AD D - - - - - - -
S KEYINFO CFEF4E2C T D27600012401020100053F99 OPENPGP.1 - - - - -
S KEYINFO 0EFB3577 T D27600012401020100053F99 OPENPGP.2 - - - - -
S KEYINFO D39C4ACA D - - - - - - -
S KEYINFO 20FE2863 T D27600012401020100052ED9 OPENPGP.3 - - - - -
OK

This seems to indicate that the agent is still looking for the old card (the one ending "2ED9") for the slot 3 key (auth), but is correctly configured for E and S (hence why enigmail works).

I found keystub entries that corresponded to these in private-keys-v1.d. The offending keystub file had a modification date earlier than the other two, so I deleted it and ran gpg --card-status once more. The keystub file was regenerated and gpg-connect-agent now reports the correct card ID. I didn't even have to log out and in.

So I'm happy now, but have two questions:

1. Why was the A keystub not deleted and regenerated when I did gpg --delete-secret-keys; gpg --card-status, like the E and S ones apparently were?
2. What do these fingerprint-like IDs in the agent and v1.d refer to? They don't correspond to anything that --with-colons produces.

Thanks.

A
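Added example, not from the thread: the keyinfo --list output above can be filtered to find card stubs that still name a card other than the one now in use. The first KEYINFO field is the keygrip, which is also the stub's filename in private-keys-v1.d, so a stale stub can be located directly. The KEYINFO lines are the poster's; the current-card serial (the one ending 3F99) is read off them.

```shell
# Added example, not from the thread. Field layout of gpg-agent's reply:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# type 'T' marks a stub that points at a smartcard, 'D' a key held on disk.

# Print "<keygrip> <idstr> <serialno>" for every card stub whose serial is
# not the card currently in use ($1). Reads 'keyinfo --list' output on stdin.
stale_card_stubs() {
    awk -v want="$1" '
        $1 == "S" && $2 == "KEYINFO" && $4 == "T" && $5 != want {
            print $3, $6, $5
        }'
}

# The stub for a keygrip lives in private-keys-v1.d/<keygrip>.key; deleting it
# and running "gpg --card-status" makes the agent recreate it for the card
# that is present (the fix the poster applied by hand).
stub_path() {
    printf '%s/private-keys-v1.d/%s.key\n' "${GNUPGHOME:-$HOME/.gnupg}" "$1"
}

# The poster's agent output, reproduced from the message above.
KEYINFO_SAMPLE='S KEYINFO EDB763AD D - - - - - - -
S KEYINFO CFEF4E2C T D27600012401020100053F99 OPENPGP.1 - - - - -
S KEYINFO 0EFB3577 T D27600012401020100053F99 OPENPGP.2 - - - - -
S KEYINFO D39C4ACA D - - - - - - -
S KEYINFO 20FE2863 T D27600012401020100052ED9 OPENPGP.3 - - - - -
OK'

# Live use against a running agent:
#   gpg-connect-agent 'keyinfo --list' /bye | stale_card_stubs <current serial>
```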
Re: Why would I want S/MIME?
On Mon, Sep 12, 2016 at 03:10:24PM -0400, Robert J. Hansen wrote:
> > I understand what S/MIME is and that it's probably the easiest crypto
> > solution for most email users. But why would someone comfortable with
> > GnuPG use it?
>
> There's a subtle point here. The question isn't whether you're comfortable
> with GnuPG; the question is whether the people you want to send email to are
> comfortable with GnuPG.

Indeed, it's like telephones: for communication to happen, both parties must have them.

> I use S/MIME literally daily at work. My co-workers like S/MIME because it's
> close to an "it just works" solution. Few of my co-workers have been willing
> to learn GnuPG.

That echoes my experience. At work we have a bulk-purchase arrangement for certificates, so if I need one I just request one and it magically appears. OTOH most external correspondents have been unwilling to pay the price of a certificate, so with those few who *are* willing to pay the time to learn OpenPGP I use that. At work, Mutt (my MUA) is set up with keys for both and some rules to automatically select the right one for each To: address.

In some workplaces, S/MIME is mandated. That's another reason. :-)

With all the phishing going on these days, I foresee a wave of companies issuing policies that unsigned mail seeming to come from a fellow employee must be reported and then ignored. Since it's already easy to just buy certificates, they'll probably mostly go S/MIME.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: Confusion about a statement in the FAQ
On 11/09/16 02:13, Robert J. Hansen wrote:
>> Whichever "they" you had in mind when you brought it up...? ;-)
>
> I said "Enigmail and other clients" -- if you don't specify which
> precise implementation you're interested in, I don't know which one you
> want to know about.

Well, I sort of wanted to know about them all, i.e. if there was an emerging consensus. Not much use if all the MUAs do it differently. ;-)

>> memoryhole's readme (thanks for the link!) states that it has been
>> implemented in enigmail...
>
> There's limited support for it. I wouldn't say it's ready for prime
> time, but if you feel like living on the bleeding edge, go for it! :)

I've waited 20 years for it, no harm waiting a little longer for stability... :-P

Thanks again.

A
Re: Javascript and smartcard
On Tue, 13 Sep 2016 01:02, d...@fifthhorseman.net said:

> how to talk to gpg-agent for use of secret keys. That way gpg-agent
> could delegate the work to the smartcard via scdaemon, and OpenPGP.js
> wouldn't need to know anything about the secret key material.

It might be worth looking at Native Messaging (Chrome) and Web Extensions (Firefox) for accessing gpg-agent from OpenPGP.js. The only extra external dependency would then be a tool to connect stdin/stdout to gpg-agent's socket (--browser-socket in that case) and maybe to auto-start gpg-agent.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: Why would I want S/MIME?
On Mon, 12 Sep 2016 21:10, r...@sixdemonbag.org said:

> I use S/MIME literally daily at work. My co-workers like S/MIME because it's
> close to an "it just works" solution. Few of my co-workers have been willing
> to learn GnuPG.

You mean GPG. GnuPG includes GPG and GPGSM and thus support for OpenPGP and for S/MIME.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?
On 09/13/2016 02:12 AM, Scott R. Santos wrote:
> Specifically, has this reader been successfully used to read and write to OpenPGP v2.1 Smartcards under current distros/versions of Linux and/or Apple OS X using recent versions of gnupg?

I am successfully using it with an OpenPGP Smartcard v2.0 (not 2.1), under Slackware Linux with GnuPG 2.1.15.

It works both with Scdaemon's internal CCID driver and with the pcscd/libpcsclite stack.

> Any info would be greatly appreciated and thank you in advance,

If you don't plan to use your reader for anything else than GnuPG, you may use the internal CCID driver. In that case, there's not much to do; about the only thing you may have to take care of (if it's not already done on your system) is to make sure that your own user account is allowed to access the reader.

(That's for GNU/Linux; as for OS X, I have no clue.)

Damien