Re: Stripping expired subkey during export?

2017-03-03 Thread Phil Pennock
On 2017-03-03 at 09:51 +0100, Werner Koch wrote:
> Not cleaning expired subkeys is a good thing for secret key export, so
> that you can keep on decrypting old mails.

Sure, but this is a non-secret export, for the versions for publication.

> Exporting an expired public
> key can be helpful to see your expired key.

I can see this for a signing key, so that old signatures can be
validated, but I don't see that it's a helpful default for encryption
subkeys, and since encryption subkeys are the only ones typically
created by default, that seems dominant.

> As a compatible hack we could add an 'expired' property to the
> export-filter's drop-subkey method.  Just did this:
> 
>  gpg --export-options export-clean \
>  --export-filter drop-subkey='expired -t' \
>  --export 1e42b367 
> 
> removes all my expired subkeys.  This is just a first step; we also need
> properties for the key capability.

I see commit 1813f3be and will build/test this and report back on the
devel list if I experience issues.  Thanks!

> drop-sigs does not work on self-signatures - might this be your problem?
> I have not done any of these, though.

Ugh, yes.  Thanks, I explored everything I could see and kept running
into roadblocks.  Thanks for clearing a new path through.

-Phil

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Problems with GPGME returning "Not Implemented" or "Configuration error"

2017-03-03 Thread Jeffrey Stedfast
Anyone have any thoughts on this?

On 2/27/17, 9:20 AM, "Gnupg-users on behalf of Jeffrey Stedfast" wrote:

Hi all,

I'm working on re-implementing GMime to use libgpgme (1.8.0 on Fedora 25) 
instead of using my own custom logic for fork()ing/exec()ing gpg & parsing the 
status-fd output to do PGP encryption and I've gotten that to work just fine 
for PGP, but I am having trouble using nearly identical logic (only diff is 
armor/textmode state) to sign or encrypt using the CMS backend.

For some reason, gpgme_op_sign() is returning GPG_ERR_NOT_IMPLEMENTED while 
gpgme_op_encrypt() is returning "Configuration error".

From what I can deduce by scouring the web for information, it seems like 
NOT_IMPLEMENTED should never get returned unless I am using options that just 
haven't been implemented yet but that doesn't seem like it should be the case 
since I don't think I'm doing anything out of the ordinary.

When signing, I've set armor=0, textmode=0, mode=DETACH (or NORMAL), and 
added a signer to the context.

For encrypting, I am getting "Configuration error" which I'm also confused 
about because I don't know what configuration options could be causing this.

Once again, armor=0, textmode=0, flags=0, and I've created a 
NULL-terminated list of recipient keys to pass to gpgme_op_encrypt().



Since my unit tests are re-using the same gpgme context to import some 
smime certs, then export some certs, then sign some streams, etc - could that 
be the problem? As I write this email, I realize that's something I haven't yet 
checked...

All I can think of is that perhaps there is some leftover state from 
gpgme_op_import() or gpgme_op_export_ext() that is breaking the gpgme_op_sign() 
when run at a later point?


Thanks for any help or guidance in tracking down these issues,

Jeff




Re: Verify with missing public key: unexpected returncode

2017-03-03 Thread Kristian Fiskerstrand
On 03/03/2017 06:04 PM, Gerd v. Egidy wrote:
> When reading the gpg2 manpage on return codes:

One quick observation: if using this in an automated way and the return code
matters, you likely want to check out "gpgv"; otherwise you should be
parsing --status-fd output for more details.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins





Re: [Announce] GnuPG 2.1.19 released

2017-03-03 Thread Thomas Jarosch
On Wednesday, 01 March 2017 20:27:00 CET Werner Koch wrote:
> Noteworthy changes in version 2.1.19
> 
>
> ..
>
>   * scd: Support for multiple card readers.
> 
>   * scd: Improved detection of card inserting and removal.

Thanks for the new release!

The support for multiple card readers sounds very promising.
I tried that setup a year ago and it was difficult to configure
two isolated scdaemons at the same time.

Cheers,
Thomas




Re: Verify with missing public key: unexpected returncode

2017-03-03 Thread Gerd v. Egidy
Hi Kristian,

On Friday, 03 March 2017 18:11:04 CET Kristian Fiskerstrand wrote:
> On 03/03/2017 06:04 PM, Gerd v. Egidy wrote:
> > When reading the gpg2 manpage on return codes:

> One quick observation: if using this in an automated way and the return code
> matters, you likely want to check out "gpgv"; otherwise you should be
> parsing --status-fd output for more details.

Yes, this is an automated scenario. I'm already using --status-fd and parsing
its output. But to be on the safe side, I was checking the return code too.

With the way gpg2 currently implements the return codes it seems I can't use 
them.

Kind regards,

Gerd




Re: How U2F works

2017-03-03 Thread Thomas Jarosch
On Tuesday, 28 February 2017 00:28:21 CET NIIBE Yutaka wrote:
> Anyhow, it would be possible for Gnuk to add U2F support (somehow
> limited, because of available resource on board).

Regarding limited resources, the Yubikey people did a fine trick:
There is no per-website data stored on the Yubikey. So the amount
of websites you can use a single FIDO U2F key for is unlimited.

See "Limited storage on device" for details:
https://developers.yubico.com/U2F/Protocol_details/Key_generation.html


Also I think the attestation key is not enforced by websites,
so Gnuk could just send a bogus / user configurable cert.

Cheers,
Thomas




Re: Verify with missing public key: unexpected returncode

2017-03-03 Thread Gerd v. Egidy
Hi Robert,

> > I think it should return 1 in this case. But I get 2. Why?
> 
> Because there were no bad signatures.  A signature which cannot be
> verified is neither good nor bad, it just is.

ok.

> The alternative would be for GnuPG to return a bad signature literally
> *whenever* it had no public key with which to verify the signature,
> meaning that 99% of signatures on a mailing list would be reported as
> bad.  Can you imagine the bug reports we'd get from people if that were
> the case?  "Your software package is listing every single signed message
> I've received as being bad!"

Hmm, but according to the manpage you currently get a return code meaning
"fatal error" in this case. That sounds much more severe to me than a bad
signature.

Kind regards,

Gerd




Re: Verify with missing public key: unexpected returncode

2017-03-03 Thread Robert J. Hansen
> I think it should return 1 in this case. But I get 2. Why?

Because there were no bad signatures.  A signature which cannot be
verified is neither good nor bad, it just is.

The alternative would be for GnuPG to return a bad signature literally
*whenever* it had no public key with which to verify the signature,
meaning that 99% of signatures on a mailing list would be reported as
bad.  Can you imagine the bug reports we'd get from people if that were
the case?  "Your software package is listing every single signed message
I've received as being bad!"



Verify with missing public key: unexpected returncode

2017-03-03 Thread Gerd v. Egidy
Hi,

I have a scenario where a signature on a file should be checked. The file is
signed by several keys and for this scenario it is ok if at least one is
correct. In some cases it can happen that the system doing the check does not
have access to all public keys that are used for signing.

When reading the gpg2 manpage on return codes:

> The program returns 0 if everything was fine, 1 if at least a signature was
> bad, and other error codes for fatal errors.

I think it should return 1 in this case. But I get 2. Why?

Here are the commands to reproduce:

$ gpg2 --verify test.asc.gpg
gpg: Signature made Fri Mar  3 17:44:57 2017 CET using RSA key ID DB2D0998DC19EEA3
gpg: Good signature from "Foo Foo" [ultimate]
gpg: Signature made Fri Mar  3 17:45:01 2017 CET using RSA key ID 467C036CA9014F3F
gpg: Good signature from "Bar Bar" [ultimate]

$ gpg2 --delete-secret-keys 467C036CA9014F3F
$ gpg2 --delete-keys 467C036CA9014F3F

$ gpg2 --verify test.asc.gpg ; echo "RET: $?"
gpg: Signature made Fri Mar  3 17:44:57 2017 CET using RSA key ID DB2D0998DC19EEA3
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Foo Foo" [ultimate]
gpg: Signature made Fri Mar  3 17:45:01 2017 CET using RSA key ID 467C036CA9014F3F
gpg: Can't check signature: No public key
RET: 2

Kind regards,

Gerd
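An added example, not code from anyone in this thread, of the approach the replies recommend: decide the "at least one good signature" outcome from --status-fd lines instead of the exit code. It assumes status output captured from `gpg2 --status-fd 1 --verify test.asc.gpg` and uses a constructed sample with a placeholder fingerprint.

```python
"""Apply an "at least one good signature" policy from gpg --status-fd output.

Constructed sample for this thread's scenario: one signature by a key that is
present (GOODSIG + VALIDSIG) and one by a key that is missing (ERRSIG +
NO_PUBKEY).  The fingerprint is a placeholder padded from the page's key ID.
"""

FOO_FPR = "000000000000000000000000DB2D0998DC19EEA3"   # constructed placeholder

SAMPLE_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB2D0998DC19EEA3 Foo Foo
[GNUPG:] VALIDSIG {FOO_FPR} 2017-03-03 1488559497 0 4 0 1 8 00 {FOO_FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 467C036CA9014F3F 1 8 00 1488559501 9
[GNUPG:] NO_PUBKEY 467C036CA9014F3F
"""

# gpg emits exactly one of these verdict lines per signature, so each one
# opens a new record; VALIDSIG and NO_PUBKEY then refine the current record.
VERDICTS = {"GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"}

def parse_status(text):
    """Group status-fd lines into one dict per signature."""
    sigs = []
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                     # plain stderr text is never treated as status
        fields = line.split()
        tag = fields[1]
        if tag in VERDICTS:
            sigs.append({"state": tag, "keyid": fields[2], "fpr": None})
        elif tag == "VALIDSIG" and sigs:
            sigs[-1]["fpr"] = fields[2]  # full fingerprint: the value worth pinning on
        elif tag == "NO_PUBKEY" and sigs:
            sigs[-1]["state"] = "NO_PUBKEY"
    return sigs

def accept(sigs, allowed_fprs):
    """True if some GOODSIG came from a pinned fingerprint and no BADSIG appeared.
    Signatures gpg could not check (NO_PUBKEY) are ignored, which is the 'at least
    one is correct' policy the exit code cannot express; refusing on any BADSIG is
    this example's stricter choice.
    """
    if any(s["state"] == "BADSIG" for s in sigs):
        return False
    return any(s["state"] == "GOODSIG" and s["fpr"] in allowed_fprs for s in sigs)
```

Pinning on the VALIDSIG fingerprint rather than the GOODSIG key ID avoids accepting a different key that merely shares the long key ID.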




Re: [Announce] GnuPG 2.1.19 released

2017-03-03 Thread Werner Koch
On Wed,  1 Mar 2017 21:03, ankos...@gmail.com said:
> Would it be possible with the next release to build also the python-2
> & 3 bindings for Windows?

Good suggestion - we will look into it.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: Stripping expired subkey during export?

2017-03-03 Thread Werner Koch
On Fri,  3 Mar 2017 07:21, gnupg-us...@spodhuis.org said:

> Why is `export-clean` not dropping the expired subkey?  Is it that
> export-clean only filters unusable userids, not unusable subkeys?

Right:
  /* Always do the cleaning on the public key part if requested.
   * Note that both export-clean and export-minimal only apply to
   * UID sigs (0x10, 0x11, 0x12, and 0x13).  A designated
   * revocation is never stripped, even with export-minimal set.  */

Not cleaning expired subkeys is a good thing for secret key export, so
that you can keep on decrypting old mails.  Exporting an expired public
key can be helpful to see your expired key.

For sending keys to keyserver it would actually be better to remove
expired encryption subkeys.  But the keyservers will merge them anyway.

As a compatible hack we could add an 'expired' property to the
export-filter's drop-subkey method.  Just did this:

 gpg --export-options export-clean \
 --export-filter drop-subkey='expired -t' \
 --export 1e42b367 

removes all my expired subkeys.  This is just a first step; we also need
properties for the key capability.

>   --import-filter drop-sig='sig_digest_algo < 8'
>
> and then exported clean/minimal from there; but there's no change.  This
> import filter appears to do nothing.

drop-sigs does not work on self-signatures - might this be your problem?
I have not done any of these, though.

> Is there a reason beyond "nobody asked for it yet" why there's no
> "expired" filter for drop-subkey/drop-sig?

No.  I added filters only when I needed them.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.

