publishing PGP keys in DNS

2016-12-20 Thread Bjoern Schiessle
Hi all,

I want to publish my GnuPG key in DNS, therefore I followed this Howto:
http://www.gushi.org/make-dns-cert/HOWTO.html

I can lookup the DNS entry and it looks OK to me:

$ dig +short bjoern._pka.schiessle.org. TXT
"v=pka1;fpr=244FCEB0CB099524B21FB8962378A753E2BF04F6;uri=https://www.schiessle.org/privacy/gpg-key.txt;

But if I try to test it with gpg like described in the Howto:

echo "foo" | gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt --armor --auto-key-locate pka -r bjo...@schiessle.org

I get this error:

gpg: 0xE2BF04F6: skipped: No public key
gpg: [stdin]: encryption failed: No public key

Any idea what's wrong?

Thanks!
Björn

-- 
Björn Schießle 
www: http://www.schiessle.org
twitter: @schiessle
gnupg/pgp key: 0x0x2378A753E2BF04F6
verify: https://keybase.io/BeS
fingerprint: 244F CEB0 CB09 9524 B21F B896 2378 A753 E2BF 04F6

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
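
An added example, not part of the original post: a small parser for the PKA TXT record shown in the dig output above, which also checks whether the key ID in the gpg error is the tail of the published fingerprint. The validation rules and the function names are assumptions modelled on that one record, not GnuPG's own parser.

```python
import re

# TXT record exactly as it appears in the dig output of the post
# (including the trailing ';' and the missing closing quote).
SAMPLE_TXT = ('"v=pka1;fpr=244FCEB0CB099524B21FB8962378A753E2BF04F6;'
              'uri=https://www.schiessle.org/privacy/gpg-key.txt;')

FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # 160-bit v4 fingerprint in hex


def pka_owner_name(addr):
    """Map local@domain to the DNS name queried for the PKA TXT record."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError("not an e-mail address: %r" % addr)
    return "%s._pka.%s." % (local, domain)


def parse_pka(txt):
    """Split 'v=pka1;fpr=...;uri=...' into a dict, rejecting malformed input."""
    fields = {}
    for item in txt.strip().strip('"').split(";"):
        if not item:
            continue  # tolerate a trailing ';'
        key, sep, value = item.partition("=")
        if not sep or key in fields:
            raise ValueError("bad or duplicate field: %r" % item)
        fields[key] = value
    if fields.get("v") != "pka1":
        raise ValueError("unsupported PKA version")
    if not FPR_RE.match(fields.get("fpr", "")):
        raise ValueError("fpr is not a 40-digit hex fingerprint")
    fields["fpr"] = fields["fpr"].upper()
    return fields


def keyid_matches(fpr, keyid):
    """True if a short or long key ID (0x...) is the tail of the fingerprint."""
    kid = keyid.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    return len(kid) in (8, 16) and fpr.upper().endswith(kid)


def uri_is_https(rec):
    """The key is fetched from 'uri'; flag records that point at plain HTTP."""
    return rec.get("uri", "").lower().startswith("https://")
```

Whatever key is later fetched from the `uri` should be accepted only if its fingerprint equals the `fpr` value from the record.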


Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Heinz Diehl
On 20.12.2016, Christoph Moench-Tegeder wrote: 

> Or is that just me and a local issue?

Most probably. For me, it works:

[htd@chiara Downloads]$ gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2
gpg: Signature made Tue 20 Dec 2016 14:59:50 CET using RSA key ID 4F25E3B6
gpg: Good signature from "Werner Koch (dist sig)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6




Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Werner Koch
On Tue, 20 Dec 2016 13:46, c...@burggraben.net said:

> I believe there's something wrong with the signature of the latest
> release.

Sorry, my fault.  To create the signature I use

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2

Today I forgot the -b and thus a non-detached signature was created
(suffix .gpg).  After realizing that I fixed that but probably I did

  gpg -sbvu SIGNINGKEY gnupg-2.1.17.tar.bz2.gpg

which is obviously wrong.  Then I copied gnupg-2.1.17.tar.bz2{,.sig} to
the final locations.  The end result is that the detached signature was
over a binary signed tarball and not over the plain tarball.  I can't
prove that anymore because I deleted the .gpg files before I noticed
that the signature was wrong.

Before you ask: Yes, I should add a make target for signing.  Actually I
did this for the Windows installers yesterday.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Christoph Moench-Tegeder
## Christoph Moench-Tegeder (c...@burggraben.net):

> This fails:
> gpg: Signature made Tue Dec 20 11:33:11 2016 CET

Since then, this has been fixed:
gpg: Signature made Tue Dec 20 14:59:50 2016 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [unknown]

Note the newer timestamp. Also, HTTP reports that the signature has been
replaced: "Last-Modified: Tue, 20 Dec 2016 14:05:28 GMT"

(Almost) everything is fine,
Christoph

-- 
Spare Space



Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Stephan Beck
Hi,

Christoph Moench-Tegeder:
> Hi,
> 
> I believe there's something wrong with the signature of the latest
> release.
> 
> ## Werner Koch (w...@gnupg.org):
> 
>>  * If you already have a version of GnuPG installed, you can simply
>>    verify the supplied signature.  For example to verify the signature
>>    of the file gnupg-2.1.17.tar.bz2 you would use this command:
>>
>>  gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2
> 
> This fails:
> gpg: Signature made Tue Dec 20 11:33:11 2016 CET
> gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
> gpg: BAD signature from "Werner Koch (dist sig)" [unknown]
> 

using the command --recv-keys you have to retrieve the key
D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 from keyservers and then do the
--verify again.

If it's still BAD SIGNATURE then, you'll have a good reason for opening
a new thread. :-)

Note that you cannot verify a signature of a gnupg tarball if you do not
have a (previous) version of gpg installed. In this case, you can only
check the checksum, or use another system with gpg installed for verifying.
Do not verify the signature using the gpg version you just downloaded.
Well, that's all part of the text of the usual announce mail posted on
this very list.

Cheers

Stephan





Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Kristian Fiskerstrand
On 12/20/2016 04:21 PM, Daniel Baur wrote:
> PS: What’s “public key algorithm 22”?

Elliptic Curves, specifically, EdDSA (in this case the warning is likely
related to a signature on the key used for verification that is using
Ed25519 which can't be verified by your client application)

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Nulla regula sine exceptione
No rule without exception





Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Daniel Baur
Hello,
Am 20.12.2016 um 13:46 schrieb Christoph Moench-Tegeder:
> SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
> SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d
> 
> Or is that just me and a local issue?

it works for me (see below), but the sig-file I downloaded has another
hash (dfdfe72c4dd7e10bef283d25fa365cfa022305de) than yours, so maybe
there was an issue and it is fixed already?

Sincerely,
DaB.

PS: What’s “public key algorithm 22”?

-- snip ---

16:15:39dab@dabpc:/tmp$ LC_ALL=C gpg2 -v gnupg-2.1.17.tar.bz2.sig
:signature packet: algo 1, keyid 249B39D24F25E3B6
version 4, created 1482242390, md5len 0, sigclass 0x00
digest algo 8, begin of digest d8 f7
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2016-12-20)
subpkt 16 len 8 (issuer key ID 249B39D24F25E3B6)
data: [2046 bits]
gpg: assuming signed data in 'gnupg-2.1.17.tar.bz2'
gpg: Signature made Tue Dec 20 14:59:50 2016 CET
gpg:                using RSA key 0x249B39D24F25E3B6
gpg: can't handle public key algorithm 22
gpg: using PGP trust model
gpg: key 0x2D3EE2D42B255885: accepted as trusted key
gpg: Good signature from "Werner Koch (dist sig)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
gpg: binary signature, digest algorithm SHA256


-- snap ---







Re: [Announce] GnuPG 2.1.17 released

2016-12-20 Thread Christoph Moench-Tegeder
Hi,

I believe there's something wrong with the signature of the latest
release.

## Werner Koch (w...@gnupg.org):

>  * If you already have a version of GnuPG installed, you can simply
>    verify the supplied signature.  For example to verify the signature
>    of the file gnupg-2.1.17.tar.bz2 you would use this command:
> 
>  gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2

This fails:
gpg: Signature made Tue Dec 20 11:33:11 2016 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: BAD signature from "Werner Koch (dist sig)" [unknown]

But the SHA1 hash of the release tarball matches the one in the
release announcement.
I downloaded directly from gnupg.org. For reference, the hashes of
the release file and the signature (as downloaded here) are:

SHA1 (gnupg-2.1.17.tar.bz2) = d83ab893faab35f37ace772ca29b939e6a5aa6a7
SHA1 (gnupg-2.1.17.tar.bz2.sig) = 34cea3e6d139cb340bf14f04ff217cb6960cf36d

Or is that just me and a local issue?

Regards,
Christoph

-- 
Spare Space



[Announce] GnuPG 2.1.17 released

2016-12-20 Thread Werner Koch
Hello!

Today marks the 19th anniversary of GnuPG and we are pleased to announce
the availability of a new release: GnuPG 2.1.17.  See below for a list
of new features and bug fixes.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  Since version 2 GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can
be freely used, modified and distributed under the terms of the GNU
General Public License.

Three different branches of GnuPG are actively maintained:

- GnuPG "modern" (2.1) comes with the latest features and is suggested
  for most users.  This announcement is about this branch.

- GnuPG "stable" (2.0) is the currently mostly used branch which will be
  maintained until 2017-12-31.

- GnuPG "classic" (1.4) is a simplified version of GnuPG, required on
  very old platforms or to decrypt data created with PGP-2 keys.

You may not install "modern" (2.1) and "stable" (2.0) at the same time.
However, it is possible to install "classic" (1.4) along with any of the
other versions.


Noteworthy changes in version 2.1.17
====================================

 * gpg: By default new keys expire after 2 years.

 * gpg: New command --quick-set-expire to conveniently change the
   expiration date of keys.

 * gpg: Option and command names have been changed for easier
   comprehension.  The old names are still available as aliases.

 * gpg: Improved the TOFU trust model.

 * gpg: New option --default-new-key-algo.

 * scd: Support OpenPGP card V3 for RSA.

 * dirmngr: Support for the ADNS library has been removed.  Instead
   William Ahern's Libdns is now source included and used on all
   platforms.  This enables Tor support on all platforms.  The new
   option --standard-resolver can be used to disable this code at
   runtime.  In case of build problems the new configure option
   --disable-libdns can be used to build without Libdns.

 * dirmngr: Lazily launch ldap reaper thread.

 * tools: New options --check and --status-fd for gpg-wks-client.

 * The UTF-8 byte order mark is now skipped when reading conf files.

 * Fixed many bugs and regressions.

 * Major improvements to the test suite.  For example it is possible
   to run the external test suite of GPGME.

A detailed description of the changes found in this 2.1 branch can be
found at .


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.1.17 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.17.tar.bz2  (5830k)
 ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.17.tar.bz2.sig
or here:
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.17.tar.bz2
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.1.17.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.17_20161220.exe  (3665k)
 ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.17_20161220.exe.sig
or here
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.17_20161220.exe
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.17_20161220.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  This Windows installer comes with
TOFU support, translations, and support for Tor; it is still missing
HKPS and Web Key Directory support, though.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.1.17.tar.bz2 you would use this command:

 gpg --verify gnupg-2.1.17.tar.bz2.sig gnupg-2.1.17.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of 

Re: Smartcards and tokens

2016-12-20 Thread sivmu


Am 18.12.2016 um 10:49 schrieb Peter Lebbing:
> On 18/12/16 01:56, Robert J. Hansen wrote:
>> Nope.  OpenPGP requires each RSA encryption add at least eight random
>> bytes to the data pre-encryption in order to make even identical
>> messages encrypt to different ciphertexts.
> 
> However, this randomness is added by the host, not by the smartcard. The
> OpenPGP smartcard really only does a deterministic action, and its
> correctness can be verified simply by doing the RSA public key operation
> on the output and checking that the result is identical to what was fed
> to the smartcard.
> 

That's good to know. Thanks.

> I can't think of a side channel to leak the private key to an attacker
> through an uncompromised host, but I wouldn't be surprised if there is
> such a side channel. Does anybody have a cool way to leak this? Single
> bits at a time will do! :-)
> 

Implement a GSM chip into the token? :)
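
An added example, not part of the thread: the host-side check Peter Lebbing describes in the quoted text, applied to a signing operation. The token is simulated, the key is a constructed toy key, and all function names are hypothetical.

```python
import hashlib

# Constructed toy key built from two Mersenne primes. It shows the
# arithmetic only and must never be used as a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the "card"

# ASN.1 DigestInfo prefix for SHA-256 (PKCS#1 v1.5).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_block(data, n=N):
    """Deterministic EMSA-PKCS1-v1_5 block for SHA-256, as an integer < n."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def honest_card(m):
    """Stand-in for the token: the bare private-key operation, no randomness."""
    return pow(m, D, N)


def faulty_card(m):
    """Stand-in for a token whose output deviates from the correct value."""
    return honest_card(m) ^ 1


def host_check(card, data):
    """Apply the public key to the card's output and compare with the input."""
    m = encode_block(data)
    s = card(m)
    return pow(s, E, N) == m
```

Because the private-key operation is a bijection modulo N, any output other than the single correct value fails `host_check`.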





Re: gpg-agent 2.1.16 needs about 10s for initialization saying need_entropy before it completes its first op

2016-12-20 Thread sivmu


Am 19.12.2016 um 02:20 schrieb Jan Kundrát:
> Hi,
> we're using gpgme's C++ bindings in Trojita [1], an IMAP e-mail client.
> After an update of gnupg from 2.1.15 to 2.1.16, gpg-agent appears to
> need more than 10s to initialize itself during startup -- or at least
> our very first decryptAndVerify() operation takes more than 10s.
> 

I can confirm similar behavior.
After upgrading to 2.1.16 it takes 10 seconds on the first operation
performed. Any following operations are fast as usual.


