Serve up ssh key *and* gpg key?

2016-09-13 Thread Daniel Haskin
Long-time GPG user here, thanks so much for everyone's help and work on it.

I really like the feature GPG 2.1 has, where it can serve up a subkey of a
private key to SSH and act as an SSH agent. I use a particular subkey of my
master key for SSH authentication and I really like it.

But, at work, I was issued an SSH key to use to get into a particular server
via SSH. I was told to add it to my SSH-agent.

My question is, can GPG serve up both?

I don't think it's possible to turn the SSH key I was given into a GPG key,
or I would just do that so gpg-agent could serve it and I could use it as
an SSH key.

I don't think it's possible to simultaneously run ssh-agent (or pageant, for
that matter) and gpg-agent at the same time.

Is there a way I would be able to have an application connect to gpg-agent
as if it were an ssh agent and have the gpg-agent serve both keys?

Thanks!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Serve up ssh key *and* gpg key?

2016-09-13 Thread Damien Goutte-Gattat

Hi,

On 09/13/2016 04:42 PM, Daniel Haskin wrote:

> My question is, can GPG serve up both?

Yes.

> I don't think it's possible to turn the SSH key I was given into a
> GPG key

You don't need to do that. Just load the key into the agent using the
ssh-add tool, as you would do if you were using the "regular" ssh-agent.

> Is there a way I would be able to have an application connect to
> gpg-agent as if it were an ssh agent and have the gpg-agent serve
> both keys?

As long as gpg-agent is started with the --enable-ssh-support option,
any program capable of talking to the "regular" ssh-agent can talk to
gpg-agent. That's why you can just use ssh-add to load your key into the
agent.

Damien
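As an added example (not part of Damien's answer or of GnuPG's own scripts), a POSIX shell script that does the three steps he describes: it sets `enable-ssh-support` in gpg-agent.conf without duplicating it, points `SSH_AUTH_SOCK` at gpg-agent's SSH socket via `gpgconf`, and loads the issued key with `ssh-add`. The gpg-agent.conf location and the key path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): make gpg-agent the only SSH agent and
# load an externally issued SSH key into it next to the OpenPGP auth subkey.
set -e

# Append an option to gpg-agent.conf only if it is not already present.
# $1 = path to gpg-agent.conf, $2 = option line (e.g. enable-ssh-support)
ensure_agent_option() {
    conf="$1"; opt="$2"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qx "$opt" "$conf"; then
        printf '%s\n' "$opt" >> "$conf"
    fi
}

# Count how often an option line occurs (used to confirm idempotence).
# $1 = path to gpg-agent.conf, $2 = option line
count_option() {
    grep -cx "$2" "$1" || true
}

# Wire the current shell to gpg-agent's SSH socket and load the issued key.
# $1 = path to the issued private key (placeholder; use your own path).
# Assumes GnuPG 2.1 with gpgconf supporting "agent-ssh-socket".
use_gpg_agent_for_ssh() {
    ensure_agent_option "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" enable-ssh-support
    # The option is only read at agent start, so restart a running agent.
    gpgconf --kill gpg-agent
    # Point ssh and ssh-add at gpg-agent instead of ssh-agent.
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
    # gpg-agent converts the key into private-keys-v1.d and records its
    # keygrip in sshcontrol, so the key survives agent restarts.
    ssh-add "$1"
    # Both the OpenPGP auth subkey and the issued key should now be listed.
    ssh-add -l
}

# Run the live procedure only when a key path is given on the command line.
[ "${1:-}" = "" ] || use_gpg_agent_for_ssh "$1"
```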





Signing and symmetrically encrypting files

2016-09-13 Thread Arbiel Perlacremaz

Hi

I am a little confused with the many gpg options and need advice.

I want to export files to public servers, keeping them with encryption confidential to any individual outside of a given set of people. These documents have to be accessible to groups of correspondents. I intend to define a specific password for each one of the groups to symmetrically encrypt the documents depending on which group they are dedicated to.

I also want to sign my documents to assess authentication.

To sign the documents, I intend to use the following gpg options "--sign --local-user ${my_self} [ --passphrase-file ${my_pass_file} | --passphrase ${my_passphrase} ]",

and to symmetrically encrypt the documents: "--encrypt --symmetric" and another option to define the encryption key, but I cannot figure out which one,

and finally, "--output ${signed_encrypted_file} --no-use-agent --no-tty".

Thank you to anybody who will help me define the parameters and options of the gpg command.

Arbiel




Re: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?

2016-09-13 Thread Scott R. Santos
Dear Damien

Thank you greatly for your quick response and helpful information. This is very 
good news.

Setting up the reader for a normal user should be fairly straightforward using 
a udev rule, so thank you for the reminder.

Cheers,

Scott

Sent via Mutt from my Ubuntu Server.


Damien Goutte-Gattat wrote:
> On 09/13/2016 02:12 AM, Scott R. Santos wrote:
> > Specifically, has this reader been successfully used to read and
> > write to OpenPGP v2.1 Smartcards under current distros/versions of
> > Linux and/or Apple OS X using recent versions of gnupg?
> 
> I am successfully using it with an OpenPGP Smartcard v2.0 (not 2.1),
> under Slackware Linux with GnuPG 2.1.15.
> 
> It works both with Scdaemon's internal CCID driver and with the
> pcscd/libpcsclite stack.
> 
> > Any info would be greatly appreciated and thank you in advance,
> 
> If you don't plan to use your reader for anything else than GnuPG,
> you may use the internal CCID driver. In that case, there's not much
> to do; about the only thing you may have to take care of (if it's
> not already done on your system) is to make sure that your own user
> account is allowed to access the reader.
> 
> (That's for GNU/Linux; as for OS X, I have no clue.)
> 
> Damien






Re: Changing smartcard

2016-09-13 Thread Andrew Gallagher
On 13/09/16 15:33, Werner Koch wrote:
> On Tue, 13 Sep 2016 14:02, andr...@andrewg.com said:
> 
>> 1. Why was the A keystub not deleted and regenerated when I did gpg
>> --delete-secret-keys; gpg --card-status, like the E and S ones
>> apparently were?
> 
> Did you get a pinentry prompt to confirm the deletion of the secret key
> (actually two prompts for primary and subkey)?

I did get two slightly different terminal prompts along the lines of
"Do you really want to delete this secret key? [Y/N]". I replied Y to both.

Thanks,
A





Re: DANE-OpenPGPkey lookup with GnuPG

2016-09-13 Thread Werner Koch
On Mon, 12 Sep 2016 23:54, r...@bartschnet.de said:

> I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC
> 7929) using the command 'gpg2 --auto-key-locate dane --search-keys
> i...@mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).

The command --search-keys is keyserver specific and may return a list of
keys.  What you want to use is --locate-keys which takes the
--auto-key-locate list in account.  For testing it is often useful to do
this:

  gpg --auto-key-locate clear,dane,local --locate-key  WHATEVER

clear clears all auto-key-locate settings from gpg.conf and the explicit
mentioning of local makes sure that "dane" is used before looking into
the "local" keyring.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Unknown Protocol error message

2016-09-13 Thread Werner Koch
On Tue, 13 Sep 2016 12:54, je...@seibercom.net said:
> using claws-mail on a Windows 10 Pro / 64 bit machine, I see the
> following error message appear quite often on the bottom of the screen:
>
> The signature can't be checked - Unsupported protocol

Did you load all the OpenPGP and the S/MIME plugin?  
Is GnuPG-2 installed (try "gpgsm --version")?


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: DANE-OpenPGPkey lookup with GnuPG

2016-09-13 Thread Damien Goutte-Gattat

Hi,

On 09/12/2016 11:54 PM, Rene "Renne" Bartsch, B.Sc. Informatics wrote:

> I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC
> 7929) using the command 'gpg2 --auto-key-locate dane --search-keys
> i...@mail.de'
>
> What's wrong with my command or gpg2?

I think the --search-keys command is specifically meant to retrieve keys
from keyservers.

To retrieve a key using the auto-key-locate mechanisms, use the
--locate-keys command instead:

  $ gpg2 --auto-key-locate dane --locate-keys i...@mail.de
  gpg: key 94206060: public key "i...@mail.de " imported
  gpg: Total number processed: 1
  gpg:   imported: 1
  gpg: automatically retrieved 'i...@mail.de' via DANE
  pub   rsa4096/94206060 2015-03-11 [SCA] [expires: 2020-03-09]
  uid [ unknown] i...@mail.de 
  sub   rsa4096/8113910E 2015-03-11 [E] [expires: 2020-03-09]

Damien
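Both Werner's and Damien's replies point to the "dane" auto-key-locate method. As an added example (not code from either reply or from GnuPG), this POSIX shell script builds the DNS owner name that RFC 7929 defines for a mail address (SHA-256 of the local part truncated to 28 octets, under `_openpgpkey`), so the OPENPGPKEY record can be inspected with `dig` before asking gpg to fetch it. The address used in the test is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): derive the RFC 7929 OPENPGPKEY owner
# name for an address and optionally query it with dig.
set -e

# Hex SHA-256 of the local part, truncated to 28 octets (56 hex digits).
# $1 = local part of the address (hashed as given; RFC 7929 does not
# case-fold it, so "Info" and "info" yield different labels)
openpgpkey_label() {
    printf '%s' "$1" | sha256sum | cut -c1-56
}

# Full owner name: <label>._openpgpkey.<domain>
# $1 = mail address, e.g. someone@example.com (constructed sample)
openpgpkey_name() {
    addr="$1"
    local_part="${addr%@*}"
    domain="${addr##*@}"
    printf '%s._openpgpkey.%s\n' "$(openpgpkey_label "$local_part")" "$domain"
}

# Query the record (needs network; not run unless an address is given).
# TYPE61 is the generic name for OPENPGPKEY, accepted by any dig version.
# RFC 7929 expects the answer to be DNSSEC-validated, so check for the
# "ad" flag in the comments section from a validating resolver.
lookup_openpgpkey() {
    dig +dnssec +noall +comments +answer "$(openpgpkey_name "$1")" TYPE61
}

[ "${1:-}" = "" ] || lookup_openpgpkey "$1"
```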





DANE-OpenPGPkey lookup with GnuPG

2016-09-13 Thread Rene "Renne" Bartsch, B.Sc. Informatics
Hi,

I'm new to the list, so a "Hello" to all! ;)


I'm trying to look up public OpenPGP-keys published via DNSSEC (IETF RFC
7929) using the command 'gpg2 --auto-key-locate dane --search-keys
i...@mail.de' on Ubuntu 16.04 (GnuPG version 2.1.11).
gpg2 always returns:

gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: No keyserver available

What's wrong with my command or gpg2?

Thanx for any hint,

Renne







Re: Why would I want S/MIME?

2016-09-13 Thread Robert J. Hansen
> You mean GPG.  GnuPG includes GPG and GPGSM and thus support for OpenPGP
> and for S/MIME.

No, they refuse to learn GnuPG.  If S/MIME was provided by GPGSM they'd
refuse to use S/MIME -- they want something that "just works," not
something they have to install and fiddle with.



Re: Why would I want S/MIME?

2016-09-13 Thread Ralph Seichter
On 12.09.2016 21:15, Anthony Papillion wrote:

> Assuming everyone is willing and comfortable with using GnuPG, is there
> any compelling reason (aside from easy setup and use) to use S/MIME?

The main reason I can think of is the fact that there are mail clients
that don't support PGP without significant hassle (or not at all), but
do support S/MIME, e.g. iOS devices. Not sure if you count this as a
specialized case of "easy setup and use".

-Ralph



Unknown Protocol error message

2016-09-13 Thread Jerry
using claws-mail on a Windows 10 Pro / 64 bit machine, I see the
following error message appear quite often on the bottom of the screen:

The signature can't be checked - Unsupported protocol

I don't understand the reason for this or how to correct it. Can anyone
assist me?

-- 
Jerry



Changing smartcard

2016-09-13 Thread Andrew Gallagher
I recently decided to change my default smartcard on one machine
because it was easier to use and carry a flat card than one in a USB
reader, and that particular machine has a smartcard slot. I had two
smartcards anyway for testing purposes.

I thought it would be a simple matter of deleting the key stubs on the
machine in question and running gpg --card-status, but even after doing
this for both gpg and gpg2 (debian!) it still sometimes asked for the
old smartcard.

Things that worked: poldi (on login screen), enigmail
Things that didn't work: ssh, sudo/poldi (on command line)

The only thing that might explain why poldi works on the login screen
but not for sudo is the agent (which isn't running at login time, so
poldi must call scdaemon directly at that point).

Using gpg-connect-agent:

> keyinfo --list
S KEYINFO EDB763AD D - - - - - - -
S KEYINFO CFEF4E2C T D27600012401020100053F99 OPENPGP.1 - - - - -
S KEYINFO 0EFB3577 T D27600012401020100053F99 OPENPGP.2 - - - - -
S KEYINFO D39C4ACA D - - - - - - -
S KEYINFO 20FE2863 T D27600012401020100052ED9 OPENPGP.3 - - - - -
OK

This seems to indicate that the agent is still looking for the old card
(the one ending "2ED9") for the slot 3 key (auth), but is correctly
configured for E and S (hence why enigmail works).

I found keystub entries that corresponded to these in
private-keys-v1.d. The offending keystub file had a modification date
earlier than the other two, so I deleted it and ran gpg --card-status
once more. The keystub file was regenerated and gpg-connect-agent now
reports the correct card ID. I didn't even have to log out and in.

So I'm happy now, but have two questions:

1. Why was the A keystub not deleted and regenerated when I did gpg
--delete-secret-keys; gpg --card-status, like the E and S ones
apparently were?

2. What do these fingerprint-like IDs in the agent and v1.d refer to?
They don't correspond to anything that --with-colons produces.

Thanks.
A
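An added example (not Andrew's code or GnuPG's) that parses a `keyinfo --list` listing in the layout shown above and reports token keys still bound to a card serial other than the one in use. The fingerprint-like IDs in that listing are keygrips, which are also the file names under private-keys-v1.d. The embedded listing is a constructed sample following the post (keygrips shortened as in the post); the live variant assumes `gpg-connect-agent` and `scd serialno` are available.

```shell
#!/bin/sh
# Added example (not from the thread): find key stubs that still point at
# a different smartcard than the one currently inserted.
# KEYINFO fields: keygrip, type (D = on disk, T = token/card), and for
# T entries the card serial number and the key slot on that card.
set -e

# Constructed sample in the layout of `gpg-connect-agent 'keyinfo --list' /bye`.
SAMPLE_KEYINFO='S KEYINFO EDB763AD D - - - - - - -
S KEYINFO CFEF4E2C T D27600012401020100053F99 OPENPGP.1 - - - - -
S KEYINFO 0EFB3577 T D27600012401020100053F99 OPENPGP.2 - - - - -
S KEYINFO D39C4ACA D - - - - - - -
S KEYINFO 20FE2863 T D27600012401020100052ED9 OPENPGP.3 - - - - -
OK'

# Print "keygrip slot serial" for every token key NOT on the given card.
# $1 = KEYINFO listing text, $2 = serial number of the current card
stale_card_keys() {
    printf '%s\n' "$1" | awk -v cur="$2" '
        $1 == "S" && $2 == "KEYINFO" && $4 == "T" && $5 != cur {
            print $3, $6, $5
        }'
}

# Path of the stub file for a keygrip; deleting it and running
# `gpg --card-status` regenerates it for the inserted card.
# $1 = keygrip
stale_key_file() {
    printf '%s/private-keys-v1.d/%s.key\n' "${GNUPGHOME:-$HOME/.gnupg}" "$1"
}

# Live variant: ask the running agent for its listing and the inserted
# card for its serial number, then compare the two.
stale_card_keys_live() {
    listing=$(gpg-connect-agent 'keyinfo --list' /bye)
    serial=$(gpg-connect-agent 'scd serialno' /bye | awk '$2 == "SERIALNO" {print $3}')
    stale_card_keys "$listing" "$serial"
}

[ "${1:-}" != "live" ] || stale_card_keys_live
```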





Re: Why would I want S/MIME?

2016-09-13 Thread Mark H. Wood
On Mon, Sep 12, 2016 at 03:10:24PM -0400, Robert J. Hansen wrote:
> > I understand what S/MIME is and that it's probably the easiest crypto
> > solution for most email users. But why would someone comfortable with
> > GnuPG use it?
> 
> There's a subtle point here.  The question isn't whether you're comfortable 
> with GnuPG; the question is whether the people you want to send email to are 
> comfortable with GnuPG.

Indeed, it's like telephones:  for communication to happen, both
parties must have them.

> I use S/MIME literally daily at work.  My co-workers like S/MIME because it's 
> close to an "it just works" solution.  Few of my co-workers have been willing 
> to learn GnuPG.

That echoes my experience.  At work we have a bulk-purchase
arrangement for certificates, so if I need one I just request one and
it magically appears.  OTOH most external correspondents have been
unwilling to pay the price of a certificate, so with those few who
*are* willing to pay the time to learn OpenPGP I use that.  At work,
Mutt (my MUA) is set up with keys for both and some rules to
automatically select the right one for each To: address.

In some workplaces, S/MIME is mandated.  That's another reason. :-)
With all the phishing going on these days, I foresee a wave of
companies issuing policies that unsigned mail seeming to come from a
fellow employee must be reported and then ignored.  Since it's already
easy to just buy certificates, they'll probably mostly go S/MIME.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: Confusion about a statement in the FAQ

2016-09-13 Thread Andrew Gallagher
On 11/09/16 02:13, Robert J. Hansen wrote:
>> Whichever "they" you had in mind when you brought it up...? ;-)
> 
> I said "Enigmail and other clients" -- if you don't specify which
> precise implementation you're interested in, I don't know which one you
> want to know about.

Well, I sort of wanted to know about them all, i.e. if there was an
emerging consensus. Not much use if all the MUAs do it differently. ;-)

>> memoryhole's readme (thanks for the link!) states that it has been
>> implemented in enigmail...
> 
> There's limited support for it.  I wouldn't say it's ready for prime
> time, but if you feel like living on the bleeding edge, go for it!  :)

I've waited 20 years for it, no harm waiting a little longer for
stability... :-P

Thanks again.

A





Re: Javascript and smartcard

2016-09-13 Thread Werner Koch
On Tue, 13 Sep 2016 01:02, d...@fifthhorseman.net said:

> how to talk to gpg-agent for use of secret keys.  That way gpg-agent
> could delegate the work to the smartcard via scdaemon, and OpenPGP.js
> wouldn't need to know anything about the secret key material.

It might be worth to look at Native Messaging (Chrome) and Web
Extensions (Firefox) for accessing gpg-agent from OpenPGP.js.  The only
extra external dependency would then be a tool to connect stdin/stdout
to gpg-agent's socket (--browser-socket in that case) and maybe to
auto-start gpg-agent.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Why would I want S/MIME?

2016-09-13 Thread Werner Koch
On Mon, 12 Sep 2016 21:10, r...@sixdemonbag.org said:

> I use S/MIME literally daily at work.  My co-workers like S/MIME because it's 
> close to an "it just works" solution.  Few of my co-workers have been willing 
> to learn GnuPG.

You mean GPG.  GnuPG includes GPG and GPGSM and thus support for OpenPGP
and for S/MIME.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Linux/OS X] Identiv SCR3500 A working with OpenPGP Smartcards 2.1?

2016-09-13 Thread Damien Goutte-Gattat

On 09/13/2016 02:12 AM, Scott R. Santos wrote:

> Specifically, has this reader been successfully used to read and
> write to OpenPGP v2.1 Smartcards under current distros/versions of
> Linux and/or Apple OS X using recent versions of gnupg?

I am successfully using it with an OpenPGP Smartcard v2.0 (not 2.1),
under Slackware Linux with GnuPG 2.1.15.

It works both with Scdaemon's internal CCID driver and with the
pcscd/libpcsclite stack.

> Any info would be greatly appreciated and thank you in advance,

If you don't plan to use your reader for anything else than GnuPG, you
may use the internal CCID driver. In that case, there's not much to do;
about the only thing you may have to take care of (if it's not already
done on your system) is to make sure that your own user account is
allowed to access the reader.

(That's for GNU/Linux; as for OS X, I have no clue.)

Damien


