Re: Automating and integrating GPG

2017-09-19 Thread Kristian Fiskerstrand
On 09/19/2017 03:53 PM, Andreas Heinlein wrote:
> Handling of the passphrase is about one of the most sensitive
> tasks when dealing with encryption. I currently can think of no way you
> could handle passphrases on your own in python which I would call
> 'secure'.

In such a scenario I'd likely use a custom pinentry; that'd be the same
recommendation for a password manager etc. As for security, info is
passed in the socket, which is protected using regular Unix user
permissions / ACLs, and is anyway the same as what regular pinentry uses.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"To live is the rarest thing in the world. Most people exist, that is all."
Oscar Wilde



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
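The custom pinentry Kristian suggests is a small program that gpg-agent launches (named by `pinentry-program` in gpg-agent.conf) and drives over the Assuan line protocol on stdin/stdout. The following is an added example, not code from this thread or from GnuPG, of the protocol handling such a program needs; `lookup_passphrase` is a hypothetical hook standing in for access to whatever protected store the application actually uses.

```python
"""Minimal custom pinentry for gpg-agent (added example; not code from the
thread or from GnuPG).

gpg-agent starts the pinentry named by ``pinentry-program`` in gpg-agent.conf
and talks to it over the Assuan line protocol on stdin/stdout.  Supplying the
passphrase through such a program keeps the secret out of the calling
application: the agent still performs the private-key operations, and the
socket it listens on is protected by ordinary Unix file permissions.
``lookup_passphrase`` is a hypothetical hook standing in for access to a
protected store; everything else here is the protocol handling.
"""
import sys

# gpg-error value a pinentry reports for "Operation cancelled".
CANCEL_ERR = "ERR 83886179 Operation cancelled <Pinentry>"


def assuan_escape(text):
    """Percent-escape the characters that may not appear raw in a D line."""
    return "".join("%%%02X" % ord(ch) if ch in "%\r\n" else ch for ch in text)


def assuan_unescape(text):
    """Undo percent-escaping in a command argument (e.g. SETDESC text)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text):
            try:
                out.append(chr(int(text[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass
        out.append(text[i])
        i += 1
    return "".join(out)


def lookup_passphrase(keyinfo, description):
    """Hypothetical hook: return the passphrase for the key the agent named
    via SETKEYINFO (typically 'TYPE/KEYGRIP'), or None to cancel.  Replace
    this with access to your own protected store; the default cancels."""
    return None


class Pinentry:
    def __init__(self, lookup=lookup_passphrase):
        self.lookup = lookup
        self.keyinfo = None
        self.desc = ""

    def handle(self, line):
        """Process one command line from the agent; return the reply lines."""
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            return []                     # blank and comment lines carry nothing
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "SETKEYINFO":
            self.keyinfo = None if arg == "--clear" else arg
            return ["OK"]
        if cmd == "SETDESC":
            self.desc = assuan_unescape(arg)
            return ["OK"]
        if cmd == "GETPIN":
            secret = self.lookup(self.keyinfo, self.desc)
            if secret is None:
                return [CANCEL_ERR]       # the agent sees a cancelled prompt
            return ["D " + assuan_escape(secret), "OK"]
        if cmd == "CONFIRM":
            return [CANCEL_ERR]           # never auto-approve yes/no questions
        if cmd == "BYE":
            return ["OK closing connection"]
        # OPTION, SETPROMPT, SETTITLE, SETERROR, SETOK, SETCANCEL, GETINFO, ...
        # are accepted and ignored: nothing is displayed by this pinentry.
        return ["OK"]


def main():
    """Serve one agent session on stdin/stdout, starting with the greeting."""
    pe = Pinentry()
    sys.stdout.write("OK Pleased to meet you\n")
    sys.stdout.flush()
    for line in sys.stdin:
        for reply in pe.handle(line):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()
        if line.strip().upper() == "BYE":
            break


if __name__ == "__main__":
    main()
```

To use it, give the script a `#!/usr/bin/env python3` line, make it executable and readable only by the owning user, and point `pinentry-program` in gpg-agent.conf at it; CONFIRM is deliberately answered with a cancel so that an unattended pinentry never silently approves a yes/no question the agent asks.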


Re: OT: Which smartphone would you use

2017-09-19 Thread Andreas Ronnquist
On Mon, 18 Sep 2017 17:32:51 +0200,
Thomas Hejze wrote:

>Hello everyone,
>I know this is off-topic, but since it is related to IT security and
>therefore more or less to GNUPG, I hope that I get some helping
>answers, though.
>
>Having been objecting to smartphones for a long time I fear that the
>time has come that I get one for myself. The question is which one.
>
>IPhone is not an option, Android probably not, due to security
>considerations. I want a hardware/software combination which provides
>a decent amount of security for my personal data. Jolla or Tizen comes
>to my mind, but as far as I have come with my research, hardware for
>those is difficult to get at least in Europe. So I am looking for some
>advice from the experts which are regulars on this mailing list and
>recommendations which hardware/software combination they would use
>resp. are using.
>

If I had the money, I would pledge for one of these: 

https://puri.sm/shop/librem-5/

I believe it will fit with the GnuPG thoughts on privacy and security
very well.

-- Andreas Rönnquist
mailingli...@gusnan.se
andr...@ronnquist.net




[Announce] GnuPG 2.2.1 released

2017-09-19 Thread Werner Koch
Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.1.  This is a maintenance release; see below for a list of
fixed bugs.


About GnuPG
===========

The GNU Privacy Guard (GnuPG) is a complete and free implementation
of the OpenPGP standard which is commonly abbreviated as PGP.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  A wealth of frontend applications
and libraries making use of GnuPG are available.  As a Universal Crypto
Engine GnuPG provides support for S/MIME and Secure Shell in addition to
OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.1
===================================

  * gpg: Fix formatting of the user id in batch mode key generation
if only "name-email" is given.

  * gpgv: Fix annoying "not suitable for" warnings.

  * wks: Convey only the newest user id to the provider.  This is the
case if different names are used with the same addr-spec.

  * wks: Create a complying user id for provider policy mailbox-only.

  * wks: Add workaround for posteo.de.

  * scd: Fix the use of large ECC keys with an OpenPGP card.

  * dirmngr: Use system provided root certificates if no specific HKP
certificates are configured.  If built with GNUTLS, this was
already the case.

Further, the Windows installer has been built against an updated NTBTLS
library which does now support ECC curves secp384r1, secp521r1, as well
as brainpool curves.


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.2.1 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.1.tar.bz2 (6385k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.1.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.1_20170919.exe (3799k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.1_20170919.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.  The new Gpg4win 3.0 installer
featuring this version of GnuPG will be available in a few days.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.1.tar.bz2 you would use this command:

 gpg --verify gnupg-2.2.1.tar.bz2.sig gnupg-2.2.1.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.1.tar.bz2, you run the command like this:

 sha1sum gnupg-2.2.1.tar.bz2

   and check that the output matches the next line:

5455373fd7208b787f319027de2464721cdd4413  gnupg-2.2.1.tar.bz2
bcf1905655e52e2eec794bcbba72485f7b9ed2d3  gnupg-w32-2.2.1_20170919.exe
72ab40a7336be7b2c9fb4f6ff1f15e5c5b8cdb6f  gnupg-w32-2.2.1_20170919.tar.xz


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese, Czech,
French, German, Japanese, Norwegian, Russian, and Ukrainian being almost
completely translated.


Documentation
=============

If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual.  The manual is also available
online at

  
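The two integrity checks in the announcement (verifying the detached signature against a known release signing key, or falling back to the SHA-1 checksum) can be scripted so the fingerprint comparison is not left to the eye. The following is an added example in Python, not the announcement's own code; it assumes `gpg` is on the PATH for the signature path, and the fingerprint in `TRUSTED_RELEASE_KEYS` is a placeholder to be replaced with the real release signing keys.

```python
"""Added example (not the announcement's own code): check a downloaded
release the two ways the announcement describes, from Python instead of
by eye.

- sha1_matches() compares a file's SHA-1 with a published 'HEX  filename'
  line (the sha1sum format shown in the announcement).
- signature_by_trusted_key() runs ``gpg --status-fd 1 --verify`` and accepts
  only when the VALIDSIG status line names a primary-key fingerprint from an
  explicit allow-list, so a "Good signature" from some unknown key is not
  enough.  TRUSTED_RELEASE_KEYS holds a placeholder; fill it from the
  signing-key list at the end of the announcement.
"""
import hashlib
import os
import string
import subprocess

# Placeholder, not a real key: replace with the release signing keys' fingerprints.
TRUSTED_RELEASE_KEYS = {"0000000000000000000000000000000000000000"}


def sha1_of(path):
    """Hex SHA-1 of a file, read in chunks so large tarballs stay cheap."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_lines(text):
    """Parse sha1sum-style lines ('HEX  name' or 'HEX *name') into {name: hex}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 40:
            table[parts[1].strip().lstrip("*")] = parts[0].lower()
    return table


def sha1_matches(path, published_lines, name=None):
    """True if the file's SHA-1 equals the published value for its name."""
    name = name or os.path.basename(path)
    expected = parse_checksum_lines(published_lines).get(name)
    return expected is not None and expected == sha1_of(path)


def primary_fingerprint(status_text):
    """Primary-key fingerprint from gpg's VALIDSIG status line, else None.

    The line has the form
      [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> <primary-fpr>
    """
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 12 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fpr = fields[11].upper()
            if all(c in string.hexdigits for c in fpr):
                return fpr
    return None


def signature_by_trusted_key(sig_path, file_path, trusted=TRUSTED_RELEASE_KEYS):
    """Run gpg and accept only a valid signature from an allow-listed key."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return False                      # bad signature, missing key, or gpg error
    fpr = primary_fingerprint(proc.stdout)
    allowed = {t.replace(" ", "").upper() for t in trusted}
    return fpr is not None and fpr in allowed
```

With the checksum lines from the announcement saved to a file, `sha1_matches("gnupg-2.2.1.tar.bz2", open("SHA1SUMS").read())` performs the sha1sum check, and `signature_by_trusted_key("gnupg-2.2.1.tar.bz2.sig", "gnupg-2.2.1.tar.bz2")` performs the stronger one; the allow-list matters because gpg's exit status alone says only that some key in your keyring made the signature.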

Re: using --keyserver but still getting gpg: no keyserver known (use option --keyserver)

2017-09-19 Thread Werner Koch
On Mon, 18 Sep 2017 23:37, d...@fifthhorseman.net said:

> modern versions of gpg should default to the hkps pool, and shouldn't
> need any explicit configuration.

Right, and it is also more future proof to use the keyserver option in
dirmngr.conf instead of gpg.conf.  But as you say, no configuration is
even better.

FWIW, I just released 2.2.1 which fixes problems with some keyservers,
in particular on Windows where the default installer is built against
libntbtls.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

