Re: fingerprint of key
On 17-08-14 09:50 PM, Duane Whitty wrote:
> On 17-08-14 08:50 PM, Daniel Kahn Gillmor wrote:
>> On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote:
>>> I did not and still do not want to import the oracle_vbox public key into my key ring. I am happy to download it and check it each time.
>>
>> I think this is an interesting choice, but i don't understand why you've made it. Can you say more about why you don't want to import the key, and why you prefer to fetch it each time?
>
> I perceive keys in my keyring as being ones I trust because of out-of-band confirmation and used for two-way communications. I think the VirtualBox key is just to give people assurance that they are downloading what they intended to download from the source they expected, in this case via apt or apt-get, etc. from an Oracle repo.
>
>>> Before I go down the road on offering an opinion on how the man page should be "fixed" (maybe it's not really broken) can you explain why it would be bad to let gpg generate and display the fingerprint of a key in an ascii armoured file?
>>
>> I'm not saying it's "bad" -- it's just not what --fingerprint does.
>>
>>     --fingerprint
>>         List all keys (or the specified ones) along with their fingerprints. This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-signatures or --check-signatures. If this command is given twice, the fingerprints of all secondary keys are listed too. This command also forces pretty printing of fingerprints if the keyid format has been set to "none".
>>
>> So it's like --list-keys, which says:
>>
>>     --list-keys
>>     -k
>>     --list-public-keys
>>         List the specified keys. If no keys are specified, then all keys from the configured public keyrings are listed.
>>
>> in other words (or maybe it's not as explicitly stated as it should be), "list all the keys in your keyring that match the specification". This command is not intended for listing fingerprints of keys that come in on stdin, or of an external file.
>
> To me that reads as "if you provide a key then the fingerprint for that key will be provided otherwise your keyring will be used". Thanks for correcting my understanding.
>
>> That said, you could combine it with:
>>
>>     --no-default-keyring --keyring /path/to/file.gpg
>>
>> (as long as the file wasn't ascii-armored, and as long as you weren't concerned about updating your trustdb by accident, etc).
>>
>> Again, i'm not saying this is particularly user-friendly, i'm just trying to help you understand the current state of the tool.
>>
>> If you have specific suggestions for how to improve the tool, please suggest them!
>>
>> --dkg
>
> I'm not exactly sure what a good suggestion would be. Would it be correct to say that going forward usability changes would probably be more likely to happen in the 2.1 branch? If so I guess I should upgrade to the 2.1 branch.
>
> I can say that what I usually end up being challenged by is importing keys into my keyring and on being able to choose which UID I want to sign with. Maybe that just means I don't know the software well enough.
>
> For instance, last night I wanted to add a friend's new public key to my keyring. Gpg wouldn't add the key based on his email. I had to use his email to search the key server and then use the fingerprint of his new key to add it to my keyring.
>
> The approach I took was "gpg2 --search u...@domain.com" and "gpg2 --recv-keys key-fingerprint". Then I did a "gpg2 --edit-key key-fingerprint" to sign the key with my default UID. I thought I would get a menu to select options from when I used --edit-key but instead I was presented with the prompt "gpg>" and I had to type the sign command. It worked but I might have chosen to sign the key with a key from a different UID. Not sure if my method of importing to my keyring and signing the new public key was the usual or easiest method but it worked.
>
> Not sure there's actually a suggestion for improvement in there :-) but you've given me a lot to consider and digest. Sincerely, thanks! I love learning this stuff.
>
> Best Regards,
> Duane

Actually one suggestion: the way options and commands are specified looks the same. It might make things clearer if there was a difference in the way they are expressed on the command line. Perhaps keep the "--" for options and enter commands without the "--".

Best Regards,
Duane

--
Duane Whitty
du...@nofroth.com
Re: fingerprint of key
On 17-08-14 08:50 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote:
>> I did not and still do not want to import the oracle_vbox public key into my key ring. I am happy to download it and check it each time.
>
> I think this is an interesting choice, but i don't understand why you've made it. Can you say more about why you don't want to import the key, and why you prefer to fetch it each time?

I perceive keys in my keyring as being ones I trust because of out-of-band confirmation and used for two-way communications. I think the VirtualBox key is just to give people assurance that they are downloading what they intended to download from the source they expected, in this case via apt or apt-get, etc. from an Oracle repo.

>> Before I go down the road on offering an opinion on how the man page should be "fixed" (maybe it's not really broken) can you explain why it would be bad to let gpg generate and display the fingerprint of a key in an ascii armoured file?
>
> I'm not saying it's "bad" -- it's just not what --fingerprint does.
>
>     --fingerprint
>         List all keys (or the specified ones) along with their fingerprints. This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-signatures or --check-signatures. If this command is given twice, the fingerprints of all secondary keys are listed too. This command also forces pretty printing of fingerprints if the keyid format has been set to "none".
>
> So it's like --list-keys, which says:
>
>     --list-keys
>     -k
>     --list-public-keys
>         List the specified keys. If no keys are specified, then all keys from the configured public keyrings are listed.
>
> in other words (or maybe it's not as explicitly stated as it should be), "list all the keys in your keyring that match the specification". This command is not intended for listing fingerprints of keys that come in on stdin, or of an external file.

To me that reads as "if you provide a key then the fingerprint for that key will be provided otherwise your keyring will be used". Thanks for correcting my understanding.

> That said, you could combine it with:
>
>     --no-default-keyring --keyring /path/to/file.gpg
>
> (as long as the file wasn't ascii-armored, and as long as you weren't concerned about updating your trustdb by accident, etc).
>
> Again, i'm not saying this is particularly user-friendly, i'm just trying to help you understand the current state of the tool.
>
> If you have specific suggestions for how to improve the tool, please suggest them!
>
> --dkg

I'm not exactly sure what a good suggestion would be. Would it be correct to say that going forward usability changes would probably be more likely to happen in the 2.1 branch? If so I guess I should upgrade to the 2.1 branch.

I can say that what I usually end up being challenged by is importing keys into my keyring and on being able to choose which UID I want to sign with. Maybe that just means I don't know the software well enough.

For instance, last night I wanted to add a friend's new public key to my keyring. Gpg wouldn't add the key based on his email. I had to use his email to search the key server and then use the fingerprint of his new key to add it to my keyring.

The approach I took was "gpg2 --search u...@domain.com" and "gpg2 --recv-keys key-fingerprint". Then I did a "gpg2 --edit-key key-fingerprint" to sign the key with my default UID. I thought I would get a menu to select options from when I used --edit-key but instead I was presented with the prompt "gpg>" and I had to type the sign command. It worked but I might have chosen to sign the key with a key from a different UID. Not sure if my method of importing to my keyring and signing the new public key was the usual or easiest method but it worked.

Not sure there's actually a suggestion for improvement in there :-) but you've given me a lot to consider and digest. Sincerely, thanks! I love learning this stuff.

Best Regards,
Duane

--
Duane Whitty
du...@nofroth.com

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: fingerprint of key
On Mon 2017-08-14 19:03:19 -0300, Duane Whitty wrote:
> I did not and still do not want to import the oracle_vbox public key into my key ring. I am happy to download it and check it each time.

I think this is an interesting choice, but i don't understand why you've made it. Can you say more about why you don't want to import the key, and why you prefer to fetch it each time?

> Before I go down the road on offering an opinion on how the man page should be "fixed" (maybe it's not really broken) can you explain why it would be bad to let gpg generate and display the fingerprint of a key in an ascii armoured file?

I'm not saying it's "bad" -- it's just not what --fingerprint does.

    --fingerprint
        List all keys (or the specified ones) along with their fingerprints. This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-signatures or --check-signatures. If this command is given twice, the fingerprints of all secondary keys are listed too. This command also forces pretty printing of fingerprints if the keyid format has been set to "none".

So it's like --list-keys, which says:

    --list-keys
    -k
    --list-public-keys
        List the specified keys. If no keys are specified, then all keys from the configured public keyrings are listed.

in other words (or maybe it's not as explicitly stated as it should be), "list all the keys in your keyring that match the specification". This command is not intended for listing fingerprints of keys that come in on stdin, or of an external file.

That said, you could combine it with:

    --no-default-keyring --keyring /path/to/file.gpg

(as long as the file wasn't ascii-armored, and as long as you weren't concerned about updating your trustdb by accident, etc).

Again, i'm not saying this is particularly user-friendly, i'm just trying to help you understand the current state of the tool.

If you have specific suggestions for how to improve the tool, please suggest them!

--dkg
Re: fingerprint of key
On 17-08-14 05:58 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 13:25:58 -0300, Duane Whitty wrote:
>> Thanks for your response. So, what you are saying is that the man page is wrong ;-)
>
> I didn't think that was what i was saying, but there have certainly been bugs in the documentation in the past. Is there specific text that you think is wrong? do you have a suggestion about what it should be changed to?
>
> --dkg

The situation is a little more clear since your last response. If I may quote you:

"the trouble with these two invocations of gpg is that they offer no command. Each invocation of GnuPG is supposed to include exactly one command and zero or more options. ..."

I ran

    gpg2 --with-fingerprint oracle_vbox.asc

which did what I wanted and I received no complaints.

I did not and still do not want to import the oracle_vbox public key into my key ring. I am happy to download it and check it each time. When I looked at the man page for how to do this it looked like

    gpg2 --fingerprint oracle_vbox.asc

should do the job but as you have pointed out gpg expects a key in my keyring to perform that action on. After reading the man page several times for the 1.4 and 2.0 versions I can see nothing that would make me believe that I needed to provide the program with a key from my keyring. That's fine though, I'm still learning.

Now that you point it out I can see that --with-fingerprint is an option under the section "Key related options" and so it makes sense that a command should be entered as well.

I am not sure I understand why it would be bad to do the following, which implies not importing the key to a keyring:

    gpg --with-fingerprint --fingerprint < public-key-file.asc

where I substituted --fingerprint for --import. However if I do that it's the same as running:

    gpg2 --with-fingerprint --fingerprint

and the oracle_vbox.asc file containing the key is completely ignored and there are no warnings that it was ignored.

Before I go down the road on offering an opinion on how the man page should be "fixed" (maybe it's not really broken) can you explain why it would be bad to let gpg generate and display the fingerprint of a key in an ascii armoured file?

By the way, I really appreciate the assistance you're giving me in helping me to understand this. I know you're busy.

Best Regards,
Duane

--
Duane Whitty
du...@nofroth.com
Re: fingerprint of key
On Mon 2017-08-14 13:25:58 -0300, Duane Whitty wrote:
> Thanks for your response. So, what you are saying is that the man page is wrong ;-)

I didn't think that was what i was saying, but there have certainly been bugs in the documentation in the past. Is there specific text that you think is wrong? do you have a suggestion about what it should be changed to?

--dkg
Re: fingerprint of key
On Mon 2017-08-14 15:09:22 -0400, Todd Zullinger wrote:
> $ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
> pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25)
>       Key fingerprint = C437 DCCD 558A 66A3 7D6F 4372 4089 D8F2 FDB1 9C98
>
> $ gpg2 --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
> pub   rsa4096 2016-03-31 [SCE]
>       C437 DCCD 558A 66A3 7D6F 4372 4089 D8F2 FDB1 9C98
> uid           Fedora 25 Primary (25)

the trouble with these two invocations of gpg is that they offer no command. Each invocation of GnuPG is supposed to include exactly one command and zero or more options. As the gpg(1) manpage says:

    gpg [--homedir dir] [--options file] [options] command [args]

--with-fingerprint is a GnuPG option, not a command. When you give gpg no command, you're basically saying "hey, gpg, do whatever you think is reasonable." more recent versions of gpg will complain:

    gpg: WARNING: no command supplied. Trying to guess what you mean ...

Please see https://dev.gnupg.org/T2943 for more discussion of this situation and why it is problematic.

> Also, on both 2.1.13 on fedora 25 and 2.1.22 on fedora rawhide, the command above complains about the show-only option:
>
> $ gpg2 --version
> gpg (GnuPG) 2.1.22
>
> $ gpg2 --with-fingerprint --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
> gpg: unknown option 'show-only'
> gpg: invalid import options
>
> Is there a typo in that command or is show-only not in the latest release of the 2.1 branch?

the latest release of the 2.1 branch is 2.1.23. show-only was added in 2.1.23.

--dkg
Re: fingerprint of key
Daniel Kahn Gillmor wrote:
> with more modern versions of gnupg, you can just use:
>
>     gpg --with-fingerprint --import-options show-only --import < public-key-file.asc

FWIW, I've used "gpg --with-fingerprint public-key-file.asc" for what seems like years to do this sort of quick fingerprint check of keys. It's particularly handy with linux distribution package signing keys, which are typically not something I have any need to import to my keyring.

On a fedora-25 system:

    $ gpg --version
    gpg (GnuPG) 1.4.22

    $ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
    pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25)
          Key fingerprint = C437 DCCD 558A 66A3 7D6F 4372 4089 D8F2 FDB1 9C98

    $ gpg2 --version
    gpg (GnuPG) 2.1.13

    $ gpg2 --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
    pub   rsa4096 2016-03-31 [SCE]
          C437 DCCD 558A 66A3 7D6F 4372 4089 D8F2 FDB1 9C98
    uid           Fedora 25 Primary (25)

I haven't looked at the documentation for --with-fingerprint in a while, but it does seem like it's at least leaving out some details regarding its use on key files which are not imported. I have no idea whether those differences are intended and should simply be documented or it's considered a bug that --fingerprint and --with-fingerprint differ in handling unimported keys.

Also, on both 2.1.13 on fedora 25 and 2.1.22 on fedora rawhide, the command above complains about the show-only option:

    $ gpg2 --version
    gpg (GnuPG) 2.1.22

    $ gpg2 --with-fingerprint --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
    gpg: unknown option 'show-only'
    gpg: invalid import options

Is there a typo in that command or is show-only not in the latest release of the 2.1 branch?

--
Todd
~~
The most overlooked advantage to owning a computer is that if they foul up, there's no law against whacking them around a little.
    -- Eric Porterfield
Re: fingerprint of key
On 17-08-14 12:14 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-08-14 03:32:08 -0300, Duane Whitty wrote:
>> I was recently trying to compare the fingerprint of a key I downloaded to its online stated value. I thought I should be able to accomplish my goal with "gpg --fingerprint public-key-file.asc". Gpg returned "gpg: error reading key: No public key"
>
> "gpg --fingerprint" displays the fingerprint of a key that is already in the user's keyring.
>
> you'll need to "gpg --import public-key-file.asc" first, and then ask for its fingerprint, especially with older versions of gnupg.
>
> If you really want to isolate the imported key, you can use an ephemeral GNUPGHOME directory, like so:
>
>     export GNUPGHOME=$(mktemp -d)
>     gpg --import < public-key-file.asc
>     gpg --fingerprint
>     rm -rf $GNUPGHOME
>
> with more modern versions of gnupg, you can just use:
>
>     gpg --with-fingerprint --import-options show-only --import < public-key-file.asc
>
> hth,
>
> --dkg

Hi Daniel,

Thanks for your response. So, what you are saying is that the man page is wrong ;-)

Best Regards,
Duane

--
Duane Whitty
du...@nofroth.com
Re: fingerprint of key
On Mon 2017-08-14 03:32:08 -0300, Duane Whitty wrote:
> I was recently trying to compare the fingerprint of a key I downloaded to its online stated value. I thought I should be able to accomplish my goal with "gpg --fingerprint public-key-file.asc". Gpg returned "gpg: error reading key: No public key"

"gpg --fingerprint" displays the fingerprint of a key that is already in the user's keyring.

you'll need to "gpg --import public-key-file.asc" first, and then ask for its fingerprint, especially with older versions of gnupg.

If you really want to isolate the imported key, you can use an ephemeral GNUPGHOME directory, like so:

    export GNUPGHOME=$(mktemp -d)
    gpg --import < public-key-file.asc
    gpg --fingerprint
    rm -rf $GNUPGHOME

with more modern versions of gnupg, you can just use:

    gpg --with-fingerprint --import-options show-only --import < public-key-file.asc

hth,

--dkg
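Underneath this exchange is the fact that an OpenPGP v4 fingerprint is nothing more than SHA-1 over the public-key packet (RFC 4880 section 12.2), which is why the check Duane wants can be done straight from the armored file without touching any keyring. The Python below is an added example, not code from the thread or from GnuPG: it de-armors a PUBLIC KEY BLOCK, verifies the CRC-24 trailer, walks the old-format packet headers gpg writes on export, and hashes the first public-key packet; the sample key, its creation time and modulus are constructed for the demonstration and are not a real key.

```python
import base64
import hashlib
import re

def crc24(data: bytes) -> int:
    """CRC-24 of RFC 4880 section 6.1: the armor trailer only guards against transport damage."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes) -> str:
    """Wrap binary packets in a PUBLIC KEY BLOCK with the '=xxxx' CRC-24 trailer."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n=%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % (body, crc)

def dearmor(text: str) -> bytes:
    """Recover the binary payload from an armored block and verify its CRC-24 trailer."""
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK-----",
                  text.replace("\r\n", "\n"), re.S)
    if not m:
        raise ValueError("no PUBLIC KEY BLOCK found")
    body = m.group(1).split("\n\n", 1)[-1]  # armor headers (Version:, Comment:) end at a blank line
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    payload = base64.b64decode("".join(lines))
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(payload):
        raise ValueError("armor CRC-24 mismatch: the file was corrupted or edited")
    return payload

def read_packets(data: bytes):
    """Yield (tag, body) for old-format packet headers, which is what gpg writes when exporting keys."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if (ctb & 0xC0) != 0x80:
            raise ValueError("new-format or malformed packet header 0x%02x" % ctb)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length unsupported")
        n = 1 << ltype  # 1, 2 or 4 length octets follow the tag
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        yield tag, data[i + 1 + n:i + 1 + n + length]
        i += 1 + n + length

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet length, then the public-key packet body."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def fingerprint_from_armor(text: str) -> str:
    """What gpg --fingerprint refuses to do for a file: hash its first v4 public-key packet."""
    for tag, body in read_packets(dearmor(text)):
        if tag == 6 and body[0] == 4:  # tag 6 = public-key packet; first octet is the version
            return v4_fingerprint(body)
    raise ValueError("no version 4 public-key packet found")

def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then the big-endian magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample (NOT a real key): v4 RSA public-key packet, made-up 2048-bit modulus, e = 65537.
SAMPLE_KEY_BODY = b"\x04" + (1490918400).to_bytes(4, "big") + b"\x01" + mpi((1 << 2047) | 12345) + mpi(65537)
SAMPLE_ARMOR = armor(b"\x99" + len(SAMPLE_KEY_BODY).to_bytes(2, "big") + SAMPLE_KEY_BODY)
```

Comparing `fingerprint_from_armor(open("public-key-file.asc").read())` against the value published on the vendor's site is the whole check; the CRC-24 only catches transport damage, so the comparison against an out-of-band fingerprint is what carries the trust.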
fingerprint of key
Tested on:

    $ gpg --version
    gpg (GnuPG) 1.4.16

    $ gpg2 --version
    gpg (GnuPG) 2.0.22

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 14.04.5 LTS
    Release:        14.04
    Codename:       trusty

I was recently trying to compare the fingerprint of a key I downloaded to its online stated value. I thought I should be able to accomplish my goal with "gpg --fingerprint public-key-file.asc". Gpg returned "gpg: error reading key: No public key"

So I did a search and found --with-fingerprint. Worked as I hoped it would. According to gpg(1) and gpg2(1):

    --with-fingerprint
        Same as the command --fingerprint but changes only the format of the output and may be used together with another command.

So is this a bug in gpg or a bug in the man page or am I missing something so trivial and obvious that I will smack myself in the forehead when someone points it out to me?

I understand dev cycles are being focused primarily(?) on the 2.1 branch but I figured this might be worth mentioning. I confess, I haven't checked the archives to see if it already has been.

Best Regards,
Duane

--
Duane Whitty
du...@nofroth.com