Re: Stripping expired subkey during export?
On 2017-03-03 at 09:51 +0100, Werner Koch wrote:
> Not cleaning expired subkeys is a good thing for secret key export, so
> that you can keep on decrypting old mails.

Sure, but this is a non-secret export, for the versions for publication.

> Exporting an expired public
> key can be helpful to see your expired key.

I can see this for a signing key, so that old signatures can be validated, but I don't see that it's a helpful default for encryption subkeys, and since encryption subkeys are the only ones typically created by default, that seems dominant.

> As a compatible hack we could add an 'expired' property to the
> export-filter's drop-subkey method. Just did this:
>
> gpg --export-options export-clean \
> --export-filter drop-subkey='expired -t' \
> --export 1e42b367
>
> removes all my expired subkeys. This is just a first step; we also need
> a property for the key capability.

I see commit 1813f3be and will build/test this and report back on the devel list if I experience issues. Thanks!

> drop-sigs does not work on self-signatures - might this be your problem?
> I have not done any of these, though.

Ugh, yes. Thanks, I explored everything I could see and kept running into roadblocks. Thanks for clearing a new path through.

-Phil

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problems with GPGME returning "Not Implemented" or "Configuration error"
Anyone have any thoughts on this?

On 2/27/17, 9:20 AM, "Gnupg-users on behalf of Jeffrey Stedfast" wrote:

Hi all,

I'm working on re-implementing GMime to use libgpgme (1.8.0 on Fedora 25) instead of using my own custom logic for fork()ing/exec()ing gpg and parsing the status-fd output to do PGP encryption. I've gotten that to work just fine for PGP, but I am having trouble using nearly identical logic (the only difference is the armor/textmode state) to sign or encrypt using the CMS backend.

For some reason, gpgme_op_sign() is returning GPG_ERR_NOT_IMPLEMENTED while gpgme_op_encrypt() is returning "Configuration error".

From what I can deduce by scouring the web for information, it seems like NOT_IMPLEMENTED should never get returned unless I am using options that just haven't been implemented yet, but that doesn't seem like it should be the case since I don't think I'm doing anything out of the ordinary. When signing, I've set armor=0, textmode=0, mode=DETACH (or NORMAL), and added a signer to the context.

For encrypting, I am getting "Configuration error", which I'm also confused about because I don't know what configuration options could be causing this. Once again, armor=0, textmode=0, flags=0, and I've created a NULL-terminated list of recipient keys to pass to gpgme_op_encrypt().

Since my unit tests are re-using the same gpgme context to import some smime certs, then export some certs, then sign some streams, etc., could that be the problem? As I write this email, I realize that's something I haven't yet checked... All I can think of is that perhaps there is some leftover state from gpgme_op_import() or gpgme_op_export_ext() that is breaking gpgme_op_sign() when run at a later point.

Thanks for any help or guidance in tracking down these issues,

Jeff
Re: Verify with missing public key: unexpected returncode
On 03/03/2017 06:04 PM, Gerd v. Egidy wrote:
> When reading the gpg2 manpage on return codes:

One quick observation: if using this in an automated way and the return code matters, you likely want to check out "gpgv"; otherwise you should be parsing --status-fd output for more details.

--
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Qui audet vincit
Who dares wins
Re: [Announce] GnuPG 2.1.19 released
On Wednesday, 01 March 2017 20:27:00 CET Werner Koch wrote:
> Noteworthy changes in version 2.1.19
>
> ..
>
> * scd: Support for multiple card readers.
>
> * scd: Improved detection of card inserting and removal.

Thanks for the new release! The support for multiple card readers sounds very promising. I tried that setup a year ago and it was difficult to configure two isolated scdaemons at the same time.

Cheers,
Thomas
Re: Verify with missing public key: unexpected returncode
Hi Kristian,

On Friday, 03 March 2017 18:11:04 CET Kristian Fiskerstrand wrote:
> On 03/03/2017 06:04 PM, Gerd v. Egidy wrote:
> > When reading the gpg2 manpage on return codes:
> One quick observation, if using this in automated way and return code
> matters, you likely want to check out "gpgv", otherwise you should be
> parsing --status-fd output for more details

Yes, this is an automated scenario. I'm already using --status-fd and parsing its output. But to be on the safe side, I was checking the return code too. With the way gpg2 currently implements the return codes it seems I can't use them.

Kind regards,
Gerd
Re: How U2F works
On Tuesday, 28 February 2017 00:28:21 CET NIIBE Yutaka wrote:
> Anyhow, it would be possible for Gnuk to add U2F support (somehow
> limited, because of available resource on board).

Regarding limited resources, the Yubikey people did a fine trick: there is no per-website data stored on the Yubikey, so the number of websites you can use a single FIDO U2F key for is unlimited. See "Limited storage on device" for details:

https://developers.yubico.com/U2F/Protocol_details/Key_generation.html

Also I think the attestation key is not enforced by websites, so Gnuk could just send a bogus / user configurable cert.

Cheers,
Thomas
Re: Verify with missing public key: unexpected returncode
Hi Robert,

> > I think it should return 1 in this case. But I get 2. Why?
>
> Because there were no bad signatures. A signature which cannot be
> verified is neither good nor bad, it just is.

Ok.

> The alternative would be for GnuPG to return a bad signature literally
> *whenever* it had no public key with which to verify the signature,
> meaning that 99% of signatures on a mailing list would be reported as
> bad. Can you imagine the bug reports we'd get from people if that were
> the case? "Your software package is listing every single signed message
> I've received as being bad!"

Hmm, but according to the manpage you currently get a return code meaning "fatal error" in this case. That sounds much more severe to me than a bad signature.

Kind regards,
Gerd
Re: Verify with missing public key: unexpected returncode
> I think it should return 1 in this case. But I get 2. Why?

Because there were no bad signatures. A signature which cannot be verified is neither good nor bad, it just is.

The alternative would be for GnuPG to return a bad signature literally *whenever* it had no public key with which to verify the signature, meaning that 99% of signatures on a mailing list would be reported as bad. Can you imagine the bug reports we'd get from people if that were the case? "Your software package is listing every single signed message I've received as being bad!"
Verify with missing public key: unexpected returncode
Hi,

I have a scenario where a signature on a file should be checked. The file is signed by several keys and for this scenario it is ok if at least one is correct. In some cases it can happen that the system doing the check does not have access to all public keys that are used for signing.

When reading the gpg2 manpage on return codes:

> The program returns 0 if everything was fine, 1 if at least a signature was
> bad, and other error codes for fatal errors.

I think it should return 1 in this case. But I get 2. Why?

Here are the commands to reproduce:

$ gpg2 --verify test.asc.gpg
gpg: Signature made Fri Mar 3 17:44:57 2017 CET using RSA key ID DB2D0998DC19EEA3
gpg: Good signature from "Foo Foo" [ultimate]
gpg: Signature made Fri Mar 3 17:45:01 2017 CET using RSA key ID 467C036CA9014F3F
gpg: Good signature from "Bar Bar" [ultimate]

$ gpg2 --delete-secret-keys 467C036CA9014F3F
$ gpg2 --delete-keys 467C036CA9014F3F

$ gpg2 --verify test.asc.gpg ; echo "RET: $?"
gpg: Signature made Fri Mar 3 17:44:57 2017 CET using RSA key ID DB2D0998DC19EEA3
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Foo Foo" [ultimate]
gpg: Signature made Fri Mar 3 17:45:01 2017 CET using RSA key ID 467C036CA9014F3F
gpg: Can't check signature: No public key
RET: 2

Kind regards,
Gerd
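Added example, not part of the thread: a POSIX sh function that applies the policy stated above ("at least one good signature, and none bad") to gpg's --status-fd lines instead of the exit code, which is 2 whenever one signature cannot be checked. GOODSIG, BADSIG, ERRSIG, NO_PUBKEY and NEWSIG are GnuPG's real status keywords; the sample lines are constructed to mirror the second run above, and the ERRSIG timestamp is made up.

```shell
#!/bin/sh
# Added example: decide the outcome of `gpg --verify` from its --status-fd
# output rather than from the exit code. Policy: accept when at least one
# signature is GOODSIG and none is BADSIG; signatures that could not be
# checked at all (ERRSIG, e.g. missing public key) neither help nor hurt.
#
# Usage: gpg2 --status-fd 1 --verify file 2>/dev/null | verdict_from_status
# Prints all-good, some-good, none-good or bad; returns 0 only when accepted.
verdict_from_status() {
    good=0 bad=0 unchecked=0
    while IFS= read -r line; do
        line=${line#"[GNUPG:] "}          # prefix present when reading fd 1
        case $line in
            "GOODSIG "*) good=$((good + 1)) ;;
            "BADSIG "*)  bad=$((bad + 1)) ;;
            # ERRSIG: signature could not be checked (the reason follows,
            # e.g. NO_PUBKEY as in the run above).
            "ERRSIG "*)  unchecked=$((unchecked + 1)) ;;
            # EXPKEYSIG / REVKEYSIG are deliberately not counted as good.
        esac
    done
    if [ "$bad" -gt 0 ]; then echo bad; return 1; fi
    if [ "$good" -eq 0 ]; then echo none-good; return 1; fi
    if [ "$unchecked" -eq 0 ]; then echo all-good; else echo some-good; fi
    return 0
}

# Constructed status lines mirroring the second run above (one key deleted).
# ERRSIG fields: keyid pkalgo hashalgo sigclass timestamp rc (9 = No public key).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB2D0998DC19EEA3 Foo Foo
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 467C036CA9014F3F 1 8 00 1488559501 9
[GNUPG:] NO_PUBKEY 467C036CA9014F3F'

# Constructed: a tampered file must be rejected even though one signature
# still verifies.
SAMPLE_BAD='[GNUPG:] GOODSIG DB2D0998DC19EEA3 Foo Foo
[GNUPG:] BADSIG 467C036CA9014F3F Bar Bar'

printf '%s\n' "$SAMPLE_STATUS" | verdict_from_status   # some-good, exit 0
```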
Re: [Announce] GnuPG 2.1.19 released
On Wed, 1 Mar 2017 21:03, ankos...@gmail.com said:
> Would it be possible with the next release to build also the python-2
> & 3 bindings for Windows?

Good suggestion - we will look into it.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Stripping expired subkey during export?
On Fri, 3 Mar 2017 07:21, gnupg-us...@spodhuis.org said:
> Why is `export-clean` not dropping the expired subkey? Is it that
> export-clean only filters unusable userids, not unusable subkeys?

Right:

  /* Always do the cleaning on the public key part if requested.
   * Note that both export-clean and export-minimal only apply to
   * UID sigs (0x10, 0x11, 0x12, and 0x13). A designated
   * revocation is never stripped, even with export-minimal set. */

Not cleaning expired subkeys is a good thing for secret key export, so that you can keep on decrypting old mails. Exporting an expired public key can be helpful to see your expired key. For sending keys to a keyserver it would actually be better to remove expired encryption subkeys. But the keyservers will merge them anyway.

As a compatible hack we could add an 'expired' property to the export-filter's drop-subkey method. Just did this:

  gpg --export-options export-clean \
      --export-filter drop-subkey='expired -t' \
      --export 1e42b367

removes all my expired subkeys. This is just a first step; we also need a property for the key capability.

> --import-filter drop-sig='sig_digest_algo < 8'
>
> and then exported clean/minimal from there; but there's no change. This
> import filter appears to do nothing.

drop-sigs does not work on self-signatures - might this be your problem? I have not done any of these, though.

> Is there a reason beyond "nobody asked for it yet" why there's no
> "expired" filter for drop-subkey/drop-sig?

No. I added filters only when I needed them.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
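Added example, not part of the thread: a POSIX sh helper that reads `gpg --with-colons --list-keys` output and sorts subkeys the way this discussion does, separating expired encryption subkeys (which a published key can lose without any old signature becoming unverifiable) from expired signing subkeys (which old signatures still need). That is the key-capability distinction the message above names as the next step after drop-subkey='expired -t'. The colon-format field positions are GnuPG's documented ones (doc/DETAILS); the listing below is constructed with placeholder key IDs.

```shell
#!/bin/sh
# Added example: classify subkeys from `gpg --with-colons --list-keys <keyid>`
# output read on stdin. Colon fields used: $1 record type (pub/sub/uid),
# $2 validity ('e' = expired), $5 key ID, $12 capabilities ('e' encrypt,
# 's' sign, 'a' auth, 'c' certify).
# Prints "<keyid> <verdict>" per subkey:
#   drop  expired and not signing-capable: safe to strip from a published key
#   keep  expired but signing-capable: old signatures still need it
#   live  not expired
classify_subkeys() {
    awk -F: '$1 == "sub" {
        verdict = "live"
        if ($2 == "e")
            verdict = (index($12, "s") ? "keep" : "drop")
        print $5, verdict
    }'
}

# Only the IDs that `drop-subkey='"'"'expired -t'"'"'` removes and that the
# thread would actually want gone from a published key.
droppable_expired_subkeys() {
    classify_subkeys | awk '$2 == "drop" { print $1 }'
}

# Constructed listing (placeholder key IDs): one expired encryption subkey,
# one expired signing subkey, one current encryption subkey.
SAMPLE_LISTING='pub:u:2048:1:0123456789ABCDEF:1400000000:::u:::scESC:
sub:e:2048:1:1111111111111111:1400000000:1430000000:::::e:
sub:e:2048:1:2222222222222222:1400000000:1430000000:::::s:
sub:u:2048:1:3333333333333333:1500000000::::::e:'

printf '%s\n' "$SAMPLE_LISTING" | classify_subkeys
# 1111111111111111 drop
# 2222222222222222 keep
# 3333333333333333 live
```

Run it on a listing of the key before the export and on a listing of the exported file to see which subkeys the filter removed, and whether a signing subkey went with them.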