Re: Fwd: which program use: gpg or gpgv?
On 07/04/2017 03:40 PM, fuflono--- via Gnupg-users wrote:
> -----Original Message-----
> From: fuflono
> To: gnupg-users
> Sent: Mon, Jul 3, 2017 4:01 pm
> Subject: which program use: gpg or gpgv?
>
> Hi,
> my Debian8.8 has the programs about gpg:
>
> -rwxr-xr-x 1 root root 1128700 Sep  3  2016 gpg
> -rwxr-xr-x 1 root root  913236 Sep  3  2016 gpg2
> -rwxr-xr-x 1 root root  334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x 1 root root  148108 Sep  3  2016 gpgconf
> -rwxr-xr-x 1 root root  165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x 1 root root   38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x 1 root root   25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x 1 root root   59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x 1 root root  407820 Sep  3  2016 gpgv
> -rwxr-xr-x 1 root root    3303 Sep  3  2016 gpg-zip
>
> Are they enough or no, for verifying integrity of packages?
>
> Also is ~/.gnupg
> drwx------ 2 user user 4096 Aug 13  2016 private-keys-v1.d #it's empty#
> -rw------- 1 user user    0 Jun 24 15:34 pubring.gpg
> -rw------- 1 user user    0 Jun 28 12:45 secring.gpg
> -rw------- 1 user user   40 Jun 30 07:19 trustdb.gpg
> user@debian:~/.gnupg$
>
> And I don't know which program use: gpg or gpgv?
> --
> ~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz
> gpg: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
>         version 4, created 1488037815, md5len 0, sigclass 0x00
>         digest algo 8, begin of digest 2e ec
>         hashed subpkt 33 len 21 (?)
>         hashed subpkt 2 len 4 (sig created 2017-02-25)
>         subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
>         data: [4095 bits]
> gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID F747ABD7
> gpg: Can't check signature: public key not found
> user@debian:~/Downloads/screen-4.5.1$

This means you do not have the correct key in pubring.gpg where the main gpg executable is expecting it. As pubring.gpg is a zero byte file, this is entirely to be expected. To fix this, add the appropriate keys.
> --
> :~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
> gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
> gpgv: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
>         version 4, created 1488037815, md5len 0, sigclass 0x00
>         digest algo 8, begin of digest 2e ec
>         hashed subpkt 33 len 21 (?)
>         hashed subpkt 2 len 4 (sig created 2017-02-25)
>         subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
>         data: [4095 bits]
> gpgv: no signed data
> gpgv: can't hash datafile: file open error
> user@debian:~/Downloads/screen-4.5.1$
> ---

The first line means there is no trustedkeys.gpg keyring. This is the keyring that gpgv uses. Unlike the main gpg program, it assumes everything on that keyring is a valid and fully trustable key.

Which one you decide to use to verify packages is ultimately a matter of personal choice. If you wish to keep a separate keyring for the purpose of verifying signatures on certain files such as software releases, then perhaps gpgv is the better choice. If you think that's overkill and you are content with one keyring for both correspondence and signature verification, then the main gpg program will do.

Debian itself uses gpgv to verify updates but there is a specific reason for this, that being that the apt and dpkg tools used by most users never need to sign or encrypt anything, only verify signatures.

-- 
Shawn K. Quinn
http://www.rantroulette.com
http://www.skqrecordquest.com

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: which program use: gpg or gpgv?
On Tue 2017-07-04 16:40:17 -0400, fuflono--- via Gnupg-users wrote:
> Hi,
> my Debian8.8 has the programs about gpg:
>
> -rwxr-xr-x 1 root root 1128700 Sep  3  2016 gpg
> -rwxr-xr-x 1 root root  913236 Sep  3  2016 gpg2
> -rwxr-xr-x 1 root root  334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x 1 root root  148108 Sep  3  2016 gpgconf
> -rwxr-xr-x 1 root root  165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x 1 root root   38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x 1 root root   25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x 1 root root   59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x 1 root root  407820 Sep  3  2016 gpgv
> -rwxr-xr-x 1 root root    3303 Sep  3  2016 gpg-zip
>
> Are they enough or no, for verifying integrity of packages?

more recent versions of debian will use gpgv for verifying integrity of downloaded system packages, and do not need gpg itself for this purpose.

If you want to verify packages signed by other developers, you'll need to get their keys, though, and that requires knowing their keys.

According to the versions at https://ftp.gnu.org/gnu/screen/, it looks like screen 4.5.1 has been signed with key 0x71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7, while the most recent version of screen (4.6.0) has been signed with 0x2EE59A5D0C50167B5535BBF1B708A383C53EF3A4.

Which of these keys is a legitimate key to validate versions of screen? I don't know! They're both listed in https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen though, so perhaps they're both acceptable.
If you fetch the maintainers' file from savannah, and convert it into an OpenPGP binary form, you should be able to validate the screen package against it:

    wget -O screen-keys.asc 'https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen=1'
    gpg --dearmor < screen-keys.asc > screen-keys.gpg
    wget https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz.sig
    gpgv --keyring $(pwd)/screen-keys.gpg screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz

This should show you something like:

    gpgv: Signature made Sat 25 Feb 2017 10:50:15 AM EST
    gpgv:                using RSA key 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
    gpgv: Good signature from "Alexander Naumov"

Note, however, that you've only moved the responsibility from verifying the package to verifying which keys actually are the legitimate keys for the maintainers of GNU screen. So it's a win, but it's not perfect.

hth,

        --dkg
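The `gpg -vv` dump quoted earlier in this thread and the `gpg --dearmor` step above are two views of the same wire format. The Python below is an added example, not part of dkg's message and not GnuPG's code: it dearmors a signature block the way `--dearmor` does (base64 body plus the CRC-24 trailer), reads the packet header, and parses the v4 signature packet to recover exactly the fields gpg printed: signature class, public-key and hash algorithm, the first two digest bytes, the creation-time subpacket (2), the issuer key ID subpacket (16), and subpacket 33 (issuer fingerprint), which the older gpg in the thread printed as "(?)" because it does not know that subpacket type. The sample packet is constructed here from the metadata in the thread with a dummy MPI; it is not the real screen-4.5.1 signature and cannot be verified against any key. Only old-format packet headers are handled, which is what gpg emits for signature packets.

```python
import base64
import struct
import time

# Added example, not GnuPG code: the ASCII armor (RFC 4880 section 6) and v4 signature
# packet (section 5.2.3) behind the "gpg -vv" dump quoted in this thread.
def crc24(data):   # section 6.1 checksum carried in the armor "=XXXX" trailer
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """What 'gpg --dearmor' does: drop the armor lines, base64-decode, check the CRC."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body   # armor headers end at a blank line
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: block was truncated or altered")
    return data

def read_packet(data):   # (tag, body) of the first packet; gpg writes signatures with old-format headers
    first = data[0]
    if (first & 0xC0) != 0x80:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length not handled here")
    hdr = (2, 3, 5)[ltype]                 # 1-, 2- or 4-octet length after the tag byte
    return tag, data[hdr:hdr + int.from_bytes(data[1:hdr], "big")]

def subpacket_length(area, i):   # section 5.2.3.1: 1-, 2- or 5-octet length
    n = area[i]
    if n < 192:
        return n, i + 1
    if n < 255:
        return ((n - 192) << 8) + area[i + 1] + 192, i + 2
    return struct.unpack(">I", area[i + 1:i + 5])[0], i + 5

def parse_subpackets(area):   # yields (type, value); the length counts the type byte too
    i = 0
    while i < len(area):
        length, i = subpacket_length(area, i)
        yield area[i] & 0x7F, area[i + 1:i + length]    # high bit of the type byte = "critical"
        i += length

def parse_v4_signature(body):   # the fields "gpg -vv" prints for a v4 signature packet
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
    p = 6 + len(hashed)
    unhashed = body[p + 2:p + 2 + int.from_bytes(body[p:p + 2], "big")]
    p += 2 + len(unhashed)
    info = {"sigclass": body[1], "pk_algo": body[2], "hash_algo": body[3],
            "digest_prefix": body[p:p + 2].hex(),           # "begin of digest"
            "mpi_bits": int.from_bytes(body[p + 2:p + 4], "big")}
    for sub_type, value in list(parse_subpackets(hashed)) + list(parse_subpackets(unhashed)):
        if sub_type == 2:        # signature creation time
            info["created"] = struct.unpack(">I", value)[0]
            info["created_utc"] = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(info["created"]))
        elif sub_type == 16:     # issuer key ID, what gpg printed as "RSA key ID"
            info["issuer_keyid"] = value.hex().upper()
        elif sub_type == 33:     # issuer fingerprint: version byte + fingerprint
            info["issuer_fpr"] = value[1:].hex().upper()
    return info

def inspect_armored_signature(text):
    tag, body = read_packet(dearmor(text))
    if tag != 2:
        raise ValueError("expected a signature packet (tag 2), got tag %d" % tag)
    return parse_v4_signature(body)

def armor_is_intact(text):
    try: return bool(dearmor(text))
    except ValueError: return False

def armor(packet):   # inverse of dearmor(); used here only to produce the constructed sample
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP SIGNATURE-----"]) + "\n"

def build_sample_signature():
    """CONSTRUCTED sample, not the real screen-4.5.1 signature: the metadata from the thread (RSA,
    SHA-256, key 21F968DEF747ABD7, created 1488037815, digest prefix 2e ec, 4095 bits) over a dummy MPI."""
    fpr = bytes.fromhex("71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7")
    hashed = bytes([22, 33, 4]) + fpr + bytes([5, 2]) + struct.pack(">I", 1488037815)
    unhashed = bytes([9, 16]) + fpr[-8:]          # key ID = low 64 bits of the fingerprint
    mpi = b"\x0f\xff" + b"\x7f" + b"\x55" * 511   # 4095-bit dummy value
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x2e\xec" + mpi)
    return b"\x89" + struct.pack(">H", len(body)) + body   # old-format header: tag 2, 2-byte length
```

Against a real detached signature file, `inspect_armored_signature(open("screen-4.5.1.tar.gz.sig").read())` reports the same issuer key ID and timestamp gpg printed (the 1488037815 creation time is 2017-02-25 15:50:15 UTC, i.e. the 10:50:15 AM EST in the thread). It only reads metadata: checking the signature itself is still gpg's or gpgv's job, and that needs the issuer's key in the keyring, which is what both replies above are about.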
Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526
On 07/05/2017 04:13 PM, Bernhard Reiter wrote:
> On Tuesday 04 July 2017 18:30:28 Werner Koch wrote:
>> On Tue, 4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:
>>> Is 1.4 vulnerable to this attack as well? I know it does not use
>>> libgcrypt but I'm not sure about the vulnerability.
>>
>> Maybe. And probably also to a lot of other local side channel attacks.
>
> In general I think it would be useful to have information available that
> shows which versions of GnuPG and libgcrypt are exposed to this or other
> weaknesses and what the consequences are.
>
> People now know that there are versions
> with this vulnerability and without it.
>
> My concept so far:
> not vulnerable:
>   libgcrypt 1.7.8
>   libgcrypt 1.8-beta since commit
>     Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
>     8725c99ffa41778f382ca97233183bcd687bb0ce
>
> vulnerable

Caveat: I have only looked at the code of the oldest and newest versions. Remember that old versions may not even have 64-bit support, so they run on different CPU architectures. But the code is essentially the same as the vulnerable code in libgcrypt 1.7.7 for these:

>   libgcrypt v<=?

Probably all versions up to 1.7.7, starting from at least 1.2.0 (which is the oldest I could find).

>   GnuPG v1.?

Probably all versions from 1.0.4 up to 1.4.21. (I could not find 1.0.3, which according to the NEWS file is the first version with RSA support).

I made a backport of the patch for GPG 1.4.21 here: https://dev.gnupg.org/D438

I have also found a paper that indicates that the exponent blinding defense is not as solid as one might think naively, and in which the author indicates that OpenSSL defended against these kinds of attacks conclusively in 0.9.8f (Oct 2007).
I have only glanced over the claims, but it's certainly intriguing:

Schindler, W.: Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA (2015), Bundesamt für Sicherheit in der Informationstechnik

Preprint available at https://eprint.iacr.org/2014/869.pdf
Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526
On Tuesday 04 July 2017 18:30:28 Werner Koch wrote:
> On Tue, 4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:
> > Is 1.4 vulnerable to this attack as well? I know it does not use
> > libgcrypt but I'm not sure about the vulnerability.
>
> Maybe. And probably also to a lot of other local side channel attacks.

In general I think it would be useful to have information available that shows which versions of GnuPG and libgcrypt are exposed to this or other weaknesses and what the consequences are.

People now know that there are versions with this vulnerability and without it.

My concept so far:

not vulnerable:
  libgcrypt 1.7.8
  libgcrypt 1.8-beta since commit
    Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
    8725c99ffa41778f382ca97233183bcd687bb0ce

vulnerable:
  libgcrypt v<=?
  GnuPG v1.?

Best regards,
Bernhard

-- 
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Access denied when using gpg4win via command prompt
On 07/04/2017 03:22 PM, S via Gnupg-users wrote:
> My OS : Windows 10 (1607 version)
> Gpg4win version : 2.33
> Any help's appreciated.
> Thanks
>

You seem to try to output the revocation certificate to c:\windows\system32, does the error persist if not outputting to a system directory?

-- 
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
"History repeats itself; historians repeat each other"
(Philip Guedalla)
Fwd: which program use: gpg or gpgv?
fufl...@aol.com

-----Original Message-----
From: fuflono
To: gnupg-users
Sent: Mon, Jul 3, 2017 4:01 pm
Subject: which program use: gpg or gpgv?

Hi,
my Debian8.8 has the programs about gpg:

-rwxr-xr-x 1 root root 1128700 Sep  3  2016 gpg
-rwxr-xr-x 1 root root  913236 Sep  3  2016 gpg2
-rwxr-xr-x 1 root root  334260 Sep  3  2016 gpg-agent
-rwxr-xr-x 1 root root  148108 Sep  3  2016 gpgconf
-rwxr-xr-x 1 root root  165508 Sep  3  2016 gpg-connect-agent
-rwxr-xr-x 1 root root   38144 Sep  3  2016 gpgkey2ssh
-rwxr-xr-x 1 root root   25908 Sep  3  2016 gpgparsemail
-rwxr-xr-x 1 root root   59104 Sep  3  2016 gpgsplit
-rwxr-xr-x 1 root root  407820 Sep  3  2016 gpgv
-rwxr-xr-x 1 root root    3303 Sep  3  2016 gpg-zip

Are they enough or no, for verifying integrity of packages?

Also is ~/.gnupg
drwx------ 2 user user 4096 Aug 13  2016 private-keys-v1.d #it's empty#
-rw------- 1 user user    0 Jun 24 15:34 pubring.gpg
-rw------- 1 user user    0 Jun 28 12:45 secring.gpg
-rw------- 1 user user   40 Jun 30 07:19 trustdb.gpg
user@debian:~/.gnupg$

And I don't know which program use: gpg or gpgv?
--
~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz
gpg: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 21F968DEF747ABD7
        version 4, created 1488037815, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 2e ec
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2017-02-25)
        subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
        data: [4095 bits]
gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID F747ABD7
gpg: Can't check signature: public key not found
user@debian:~/Downloads/screen-4.5.1$
--
:~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
gpgv: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 21F968DEF747ABD7
        version 4, created 1488037815, md5len 0, sigclass 0x00
        digest algo 8, begin of digest 2e ec
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2017-02-25)
        subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
        data: [4095 bits]
gpgv: no signed data
gpgv: can't hash datafile: file open error
user@debian:~/Downloads/screen-4.5.1$
---

I guess I don't have enough public keys. Please tell me what to do, and excuse my stupid questions:

While I attempt to operate gpg or gpgv, of course some things will be done wrong. May I remove improper files which will appear?

Do I need to switch on cookies when trying to get keys?

As a reminder, I just need to verify screen-4.5.1.tar.gz by screen-4.5.1.tar.gz.sig; I hope to learn this program afterwards.

Thanks all.
Re: scdaemon does not "see" card insertion
On Wednesday, July 05, 2017 at 09:23:06 AM +0900, NIIBE Yutaka wrote:
> Hello,
>
> Matthias Apitz wrote:
> > The script 'scd-event' is only invoked on card removal (I do just an
> > echo of the args):
> [...]
> > A card insert is only seen *after* some agent requires something, for
> > example the SSH client needs access to the secret key on the card;
>
> Right. Scdaemon only watches the event of card removal and card reader
> removal.
>
> ...

Hello,

Thanks for all explanations. For now I implemented the scd-event script as:

    ...
    DISPLAY=:0
    export DISPLAY
    if [ x$status = xNOCARD ]; then
        # card was pulled: lock the screen, then poll until it is back
        nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
        while true; do
            # Signature key : 5E69 FBAC ...
            gpg2 --card-status | grep '5E69 FBAC' >> /tmp/scd-event.log && {
                killall kscreenlocker_greet
                break
            }
            sleep 1
        done
    fi

which works nicely: on card removal it locks the screen and on card insert it unlocks it fine.

> > On the UNIX system level the card insert triggers via devd(8) the start
> > of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> > This is working fine, i.e. an inserted card is useable immediately,
> > requesting the PIN entry.
>
> IIUC, system level service like devd can only handle the event of card
> reader insertion, not card insertion. I may be wrong here.

No, you are correct, I was imprecise.

        matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.