Re: Fwd: which program use: gpg or gpgv?

2017-07-05 Thread Shawn K. Quinn
On 07/04/2017 03:40 PM, fuflono--- via Gnupg-users wrote:
> -Original Message-
> From: fuflono 
> To: gnupg-users 
> Sent: Mon, Jul 3, 2017 4:01 pm
> Subject: which program use: gpg or gpgv?
> 
> Hi,
> my Debian 8.8 has these gpg-related programs:
> 
> -rwxr-xr-x  1 root   root1128700 Sep  3  2016 gpg
> -rwxr-xr-x  1 root   root 913236 Sep  3  2016 gpg2
> -rwxr-xr-x  1 root   root 334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x  1 root   root 148108 Sep  3  2016 gpgconf
> -rwxr-xr-x  1 root   root 165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x  1 root   root  38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x  1 root   root  25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x  1 root   root  59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x  1 root   root 407820 Sep  3  2016 gpgv
> -rwxr-xr-x  1 root   root   3303 Sep  3  2016 gpg-zip
> 
> Are they enough or not for verifying the integrity of packages?
> 
> Also, ~/.gnupg contains:
> drwx--  2 user user 4096 Aug 13  2016 private-keys-v1.d #it's empty#
> -rw---  1 user user0 Jun 24 15:34 pubring.gpg
> -rw---  1 user user0 Jun 28 12:45 secring.gpg
> -rw---  1 user user   40 Jun 30 07:19 trustdb.gpg
> user@debian:~/.gnupg$
> 
> And I don't know which program to use: gpg or gpgv?
> --
> ~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig
> screen-4.5.1.tar.gz
> gpg: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
> version 4, created 1488037815, md5len 0, sigclass 0x00
> digest algo 8, begin of digest 2e ec
> hashed subpkt 33 len 21 (?)
> hashed subpkt 2 len 4 (sig created 2017-02-25)
> subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
> data: [4095 bits]
> gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID F747ABD7
> gpg: Can't check signature: public key not found
> user@debian:~/Downloads/screen-4.5.1$
> ~/Downloads/screen-4.5.1$

This means you do not have the correct key in pubring.gpg where the main
gpg executable is expecting it. As pubring.gpg is a zero byte file, this
is entirely to be expected. To fix this, add the appropriate keys.

> --
> :~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
> gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
> gpgv: armor: BEGIN PGP SIGNATURE
> :signature packet: algo 1, keyid 21F968DEF747ABD7
> version 4, created 1488037815, md5len 0, sigclass 0x00
> digest algo 8, begin of digest 2e ec
> hashed subpkt 33 len 21 (?)
> hashed subpkt 2 len 4 (sig created 2017-02-25)
> subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
> data: [4095 bits]
> gpgv: no signed data
> gpgv: can't hash datafile: file open error
> user@debian:~/Downloads/screen-4.5.1$
> ---

The first line means there is no trustedkeys.gpg keyring. This is the
keyring that gpgv uses. Unlike the main gpg program, it assumes
everything on that keyring is a valid and fully trustable key.

Which one you decide to use to verify packages is ultimately a matter of
personal choice. If you wish to keep a separate keyring for the purpose
of verifying signatures on certain files such as software releases, then
perhaps gpgv is the better choice. If you think that's overkill and you
are content with one keyring for both correspondence and signature
verification, then the main gpg program will do. Debian itself uses gpgv
to verify updates but there is a specific reason for this, that being
that the apt and dpkg tools used by most users never need to sign or
encrypt anything, only verify signatures.

-- 
Shawn K. Quinn 
http://www.rantroulette.com
http://www.skqrecordquest.com

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Fwd: which program use: gpg or gpgv?

2017-07-05 Thread Daniel Kahn Gillmor
On Tue 2017-07-04 16:40:17 -0400, fuflono--- via Gnupg-users wrote:
> Hi,
> my Debian 8.8 has these gpg-related programs:
>
> -rwxr-xr-x  1 root   root1128700 Sep  3  2016 gpg
> -rwxr-xr-x  1 root   root 913236 Sep  3  2016 gpg2
> -rwxr-xr-x  1 root   root 334260 Sep  3  2016 gpg-agent
> -rwxr-xr-x  1 root   root 148108 Sep  3  2016 gpgconf
> -rwxr-xr-x  1 root   root 165508 Sep  3  2016 gpg-connect-agent
> -rwxr-xr-x  1 root   root  38144 Sep  3  2016 gpgkey2ssh
> -rwxr-xr-x  1 root   root  25908 Sep  3  2016 gpgparsemail
> -rwxr-xr-x  1 root   root  59104 Sep  3  2016 gpgsplit
> -rwxr-xr-x  1 root   root 407820 Sep  3  2016 gpgv
> -rwxr-xr-x  1 root   root   3303 Sep  3  2016 gpg-zip
>
> Are they enough or not for verifying the integrity of packages?

More recent versions of Debian will use gpgv for verifying the integrity of
downloaded system packages, and do not need gpg itself for this purpose.

If you want to verify packages signed by other developers, you'll need
to get their keys, though, and that requires knowing their keys.

According to the versions at https://ftp.gnu.org/gnu/screen/, it looks
like screen 4.5.1 has been signed with key
0x71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7, while the most recent
version of screen (4.6.0) has been signed with
0x2EE59A5D0C50167B5535BBF1B708A383C53EF3A4.

Which of these keys is a legitimate key to validate versions of screen?
I don't know!  They're both listed in
https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen
though, so perhaps they're both acceptable.


If you fetch the maintainers' file from savannah, and convert it into an
OpenPGP binary form, you should be able to validate the screen package
against it:

wget -O screen-keys.asc 'https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=screen&download=1'
gpg --dearmor < screen-keys.asc > screen-keys.gpg

wget https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz https://ftp.gnu.org/gnu/screen/screen-4.5.1.tar.gz.sig
gpgv --keyring $(pwd)/screen-keys.gpg screen-4.5.1.tar.gz.sig screen-4.5.1.tar.gz


This should show you something like:

gpgv: Signature made Sat 25 Feb 2017 10:50:15 AM EST
gpgv:                using RSA key 71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7
gpgv: Good signature from "Alexander Naumov "

Note, however, that you've only moved the responsibility from verifying
the package to verifying which keys actually are the legitimate keys for
the maintainers of GNU screen.  So it's a win, but it's not perfect.

hth,

--dkg


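The `-vv` dumps quoted in this thread (signature packet: algo 1, keyid 21F968DEF747ABD7, hashed subpkt 33 len 21 (?), data: [4095 bits]) and the full fingerprint dkg quotes are two views of the same RFC 4880 signature packet. The Python below is an added example, not code from the thread or from GnuPG: it dearmors an ASCII-armored .sig block (what `gpg --dearmor` does, including the CRC-24 trailer check) and decodes the v4 signature fields that gpg prints. The sample it parses is constructed inline from the metadata shown in the thread over a made-up MPI, so it parses but cannot verify anything; the real screen-4.5.1.tar.gz.sig is not reproduced, and all function names are the example's own. Subpacket 33 is the issuer-fingerprint subpacket, which gpg 1.4 does not recognise (hence the `(?)`), and the 64-bit key ID in subpacket 16 is by definition the low 64 bits of that fingerprint, which is why gpg's `key ID F747ABD7` is a suffix of dkg's `0x71AA...F747ABD7`.

```python
import base64
import struct
from datetime import datetime, timezone

PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}              # RFC 4880 9.1
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}   # RFC 4880 9.4

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 6.1: the '=XXXX' checksum line that closes an armor block."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Like 'gpg --dearmor' for one block: strip BEGIN/END lines and armor headers, decode base64, check the CRC."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    body = lines[start + 1:end]
    if "" in body:                                  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(l.strip() for l in body if not l.startswith("=")))
    crc = [l[1:].strip() for l in body if l.startswith("=")]
    if crc and crc24(raw) != int.from_bytes(base64.b64decode(crc[0]), "big"):
        raise ValueError("armor CRC-24 mismatch: the signature file is corrupt or truncated")
    return raw

def _length(buf: bytes, i: int, subpacket: bool = False):
    """Variable-length integer of new-format packet headers (RFC 4880 4.2.2) and subpackets (5.2.3.1);
    224..254 is a partial-body marker for packets but a two-octet length for subpackets."""
    l0 = buf[i]
    if l0 < 192:
        return l0, i + 1
    if l0 < 224 or (subpacket and l0 < 255):
        return ((l0 - 192) << 8) + buf[i + 1] + 192, i + 2
    if l0 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths do not occur in detached signatures")

def _packet(data: bytes):
    tag = data[0]
    if tag & 0x40:                                  # new-format header: (tag, body)
        length, off = _length(data, 1)
        return tag & 0x3F, data[off:off + length]
    n = (1, 2, 4)[tag & 0x03]                       # old-format header; length-type 3 is invalid for signatures
    return (tag >> 2) & 0x0F, data[1 + n:1 + n + int.from_bytes(data[1:1 + n], "big")]

def _subpackets(buf: bytes):
    """Yield (type, value); the length covers the type octet, whose bit 7 is the 'critical' flag."""
    i = 0
    while i < len(buf):
        n, i = _length(buf, i, subpacket=True)
        yield buf[i] & 0x7F, buf[i + 1:i + n]
        i += n

def parse_signature(data: bytes) -> dict:
    """Decode the fields 'gpg -vv' prints for a version 4 signature packet (RFC 4880 5.2.3)."""
    tag, b = _packet(data)
    if tag != 2 or b[0] != 4:
        raise ValueError("not a version 4 signature packet")
    hlen = struct.unpack(">H", b[4:6])[0]
    ulen = struct.unpack(">H", b[6 + hlen:8 + hlen])[0]
    hashed, unhashed, rest = b[6:6 + hlen], b[8 + hlen:8 + hlen + ulen], b[8 + hlen + ulen:]
    sig = {"sigclass": b[1], "pubkey_algo": PUBKEY_ALGOS.get(b[2], b[2]),
           "hash_algo": HASH_ALGOS.get(b[3], b[3]),
           "hash_prefix": rest[:2].hex(),                   # "begin of digest 2e ec"
           "mpi_bits": struct.unpack(">H", rest[2:4])[0]}   # "data: [4095 bits]"
    # Only the hashed area is signed; the unhashed issuer key ID (type 16) is a keyring-lookup hint.
    for typ, val in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if typ == 2:
            sig["created"] = datetime.fromtimestamp(struct.unpack(">I", val)[0], timezone.utc)
        elif typ == 16:
            sig["issuer_keyid"] = val.hex().upper()
        elif typ == 33 and val[0] == 4:                     # issuer fingerprint; gpg 1.4 prints "(?)"
            sig["issuer_fpr"] = val[1:].hex().upper()
    return sig

def build_sample_signature() -> str:
    """CONSTRUCTED sample, not the real screen-4.5.1.tar.gz.sig: the metadata gpg printed in the
    thread (issuer 21F968DEF747ABD7, created 1488037815, digest prefix 2e ec) over a made-up MPI."""
    fpr = bytes.fromhex("71AA09D9E8870FDB0AA7B61E21F968DEF747ABD7")   # fingerprint from dkg's message
    def sub(typ, val):
        return bytes([len(val) + 1, typ]) + val
    hashed = sub(33, b"\x04" + fpr) + sub(2, struct.pack(">I", 1488037815))
    unhashed = sub(16, fpr[-8:])                    # key ID = low 64 bits of the fingerprint
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed))
            + unhashed + bytes.fromhex("2eec") + struct.pack(">H", 4095) + b"\x7f" + b"\x00" * 511)
    packet = b"\x89" + struct.pack(">H", len(body)) + body   # old-format tag 2, two-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")
```

`parse_signature(dearmor(build_sample_signature()))` returns the same metadata gpg printed above. The practical point for package verification is that a lookup by 32-bit or even 64-bit key ID only selects a candidate key from the keyring; the decision about which key is legitimate should be made on the full 40-digit fingerprint, which is exactly what dkg does by quoting it whole.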


Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-05 Thread Marcus Brinkmann via Gnupg-users
On 07/05/2017 04:13 PM, Bernhard Reiter wrote:
> On Tuesday 04 July 2017 18:30:28, Werner Koch wrote:
>> On Tue,  4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:
>>> Is 1.4 vulnerable to this attack as well? I know it does not use
>>> libgcrypt but I'm not sure about the vulnerability.
>>
>> Maybe.  And probably also to a lot of other local side channel attacks.
>
> In general I think it would be useful to have information available that
> shows which versions of GnuPG and libgcrypt are exposed to this or other
> weaknesses and what the consequences are.
>
> People now know that there are versions
> with this vulnerability and without it.
>
> My concept so far:
> not vulnerable:
>   libgcrypt 1.7.8
>   libgcrypt 1.8 -beta since commit
> Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
> 8725c99ffa41778f382ca97233183bcd687bb0ce
>
> vulnerable

Caveat: I have only looked at the code of the oldest and newest
versions.  Remember that old versions may not even have 64-bit support,
so they run on different CPU architectures.  But the code is essentially
the same as the vulnerable code in libgcrypt 1.7.7 for these:

>   libgcrypt v<=?

Probably all versions up to 1.7.7, starting from at least 1.2.0 (which
is the oldest I could find).

>   GnuPG v1.?

Probably all versions from 1.0.4 up to 1.4.21.  (I could not find 1.0.3,
which according to the NEWS file is the first version with RSA support).

I made a backport of the patch for GPG 1.4.21 here:

https://dev.gnupg.org/D438

I have also found a paper that indicates that the exponent blinding
defense is not as solid as one might naively think, and in which the
author indicates that OpenSSL defended against this kind of attack
conclusively in 0.9.8f (Oct 2007). I have only glanced over the claims,
but it's certainly intriguing:

Schindler, W.: Exclusive Exponent Blinding May Not Suffice
to Prevent Timing Attacks on RSA (2015), Bundesamt für Sicherheit in der
Informationstechnik

Preprint available at https://eprint.iacr.org/2014/869.pdf



Re: [Announce] Libgcrypt 1.7.8 released to fix CVE-2017-7526

2017-07-05 Thread Bernhard Reiter
On Tuesday 04 July 2017 18:30:28, Werner Koch wrote:
> On Tue,  4 Jul 2017 12:05, joh...@vulcan.xs4all.nl said:
> > Is 1.4 vulnerable to this attack as well? I know it does not use
> > libgcrypt but I'm not sure about the vulnerability.
>
> Maybe.  And probably also to a lot of other local side channel attacks.

In general I think it would be useful to have information available that 
shows which versions of GnuPG and libgcrypt are exposed to this or other 
weaknesses and what the consequences are.

People now know that there are versions
with this vulnerability and without it.

My concept so far:
not vulnerable:
  libgcrypt 1.7.8
  libgcrypt 1.8 -beta since commit
Thu, 29 Jun 2017 04:11:37 +0200 (11:11 +0900)
8725c99ffa41778f382ca97233183bcd687bb0ce

vulnerable 
  libgcrypt v<=?
  GnuPG v1.?

Best regards,
Bernhard
-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


Re: Access denied when using gpg4win via command prompt

2017-07-05 Thread Kristian Fiskerstrand
On 07/04/2017 03:22 PM, S via Gnupg-users wrote:

> My OS: Windows 10 (version 1607)
> Gpg4win version: 2.33
> Any help's appreciated.
> Thanks
> 

You seem to be trying to output the revocation certificate to
c:\windows\system32. Does the error persist if you do not output to a
system directory?

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"History repeats itself; historians repeat each other"
(Philip Guedalla)


Fwd: which program use: gpg or gpgv?

2017-07-05 Thread fuflono--- via Gnupg-users
-Original Message-
From: fuflono 
To: gnupg-users 
Sent: Mon, Jul 3, 2017 4:01 pm
Subject: which program use: gpg or gpgv?


Hi,
my Debian 8.8 has these gpg-related programs:

-rwxr-xr-x  1 root   root1128700 Sep  3  2016 gpg
-rwxr-xr-x  1 root   root 913236 Sep  3  2016 gpg2
-rwxr-xr-x  1 root   root 334260 Sep  3  2016 gpg-agent
-rwxr-xr-x  1 root   root 148108 Sep  3  2016 gpgconf
-rwxr-xr-x  1 root   root 165508 Sep  3  2016 gpg-connect-agent
-rwxr-xr-x  1 root   root  38144 Sep  3  2016 gpgkey2ssh
-rwxr-xr-x  1 root   root  25908 Sep  3  2016 gpgparsemail
-rwxr-xr-x  1 root   root  59104 Sep  3  2016 gpgsplit
-rwxr-xr-x  1 root   root 407820 Sep  3  2016 gpgv
-rwxr-xr-x  1 root   root   3303 Sep  3  2016 gpg-zip

Are they enough or not for verifying the integrity of packages?

Also, ~/.gnupg contains:
drwx--  2 user user 4096 Aug 13  2016 private-keys-v1.d #it's empty#
-rw---  1 user user0 Jun 24 15:34 pubring.gpg
-rw---  1 user user0 Jun 28 12:45 secring.gpg
-rw---  1 user user   40 Jun 30 07:19 trustdb.gpg
user@debian:~/.gnupg$ 

And I don't know which program to use: gpg or gpgv?
--
~/Downloads/screen-4.5.1$ gpg -vv --verify screen-4.5.1.tar.gz.sig 
screen-4.5.1.tar.gz
gpg: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 21F968DEF747ABD7
version 4, created 1488037815, md5len 0, sigclass 0x00
digest algo 8, begin of digest 2e ec
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2017-02-25)
subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
data: [4095 bits]
gpg: Signature made Sat 25 Feb 2017 10:50:15 AM EST using RSA key ID F747ABD7
gpg: Can't check signature: public key not found
user@debian:~/Downloads/screen-4.5.1$ 
~/Downloads/screen-4.5.1$ 
--
:~/Downloads/screen-4.5.1$ gpgv -vv screen-4.5.1.tar.gz.sig
gpgv: keyblock resource `/home/user/.gnupg/trustedkeys.gpg': file open error
gpgv: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 21F968DEF747ABD7
version 4, created 1488037815, md5len 0, sigclass 0x00
digest algo 8, begin of digest 2e ec
hashed subpkt 33 len 21 (?)
hashed subpkt 2 len 4 (sig created 2017-02-25)
subpkt 16 len 8 (issuer key ID 21F968DEF747ABD7)
data: [4095 bits]
gpgv: no signed data
gpgv: can't hash datafile: file open error
user@debian:~/Downloads/screen-4.5.1$ 
---
I guess I don't have enough public keys. Please tell me what to do, and
excuse my stupid questions:
While I attempt to operate gpg or gpgv, of course some things will be done
wrong. May I remove improper files which will appear? Do I need to switch on
cookies when trying to get keys? As a reminder, I just need to verify
screen-4.5.1.tar.gz by screen-4.5.1.tar.gz.sig; I hope to learn this program afterwards.
Thanks all.



Re: scdaemon does not "see" card insertion

2017-07-05 Thread Matthias Apitz
On Wednesday, July 05, 2017 at 09:23:06 AM +0900, NIIBE Yutaka
wrote:

> Hello,
> 
> Matthias Apitz  wrote:
> > The script 'scd-event' is only invoked on card removal (I just do an
> > echo of the args):
> [...]
> > A card insert is only seen *after* some agent requires something, for
> > example the SSH client needs access to the secret key on the card;
> 
> Right.  Scdaemon only watches the event of card removal and card reader
> removal.
> 
> ...

Hello,

Thanks for all explanations. For now I implemented the scd-event script
as:

...

DISPLAY=:0 export DISPLAY
if [ "x$status" = "xNOCARD" ]; then
  # card removed: lock the screen immediately ...
  nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
  # ... then poll until the card with the known signature key is back, and unlock
  while true; do
    # Signature key : 5E69 FBAC ...
    gpg2 --card-status | grep '5E69 FBAC' >> /tmp/scd-event.log && {
      killall kscreenlocker_greet
      break
    }
    sleep 1
  done
fi

which works nicely: on card removal it locks the screen and on card
insertion it unlocks it fine.

> > On the UNIX system level the card insert triggers via devd(8) the start
> > of /usr/local/sbin/pcscd and the card removal triggers a 'killall pcscd'.
> > This is working fine, i.e. an inserted card is useable immediately, 
> > requesting 
> > the PIN entry.
> 
> IIUC, system level service like devd can only handle the event of card
> reader insertion, not card insertion.  I may be wrong here.

No, you are correct; I was imprecise.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.