Re: Using gpg-agent --supervised with systemd

2018-03-23 Thread Daniel Kahn Gillmor
On Wed 2018-03-21 14:48:26 -0700, Evan Klitzke wrote:
> I am using gpg 2.2.5 and stumbled across the --supervised option while 
> reading the man page. I was able to get the ssh-agent functionality 
> working perfectly, but I'm having problems with the gpg-agent 
> functionality.
>
> I created systemd user units for ssh-agent.socket, gpg-agent.socket, and 
> gpg-agent.service. I was able to get this all set up correctly so the 
> gpg-agent service knows where its sockets are:

it sounds like you might have created the systemd unit files yourself.
If you're running GnuPG from a distribution-supported package, that
package should have shipped them for you already (see for example the
packaging in debian).

even if you're building it yourself, or if your distro doesn't ship
them, i recommend starting from the example unit files in
doc/examples/systemd-user/ in the source tree.  can you compare those
unit files with your own unit files?

> $ sysu status gpg-agent.service

I'm assuming that sysu is some sort of local alias for "systemctl
--user"; please let the list know if that's not the case.

> ...
> Mar 21 14:34:12 t460s systemd[1075]: Started GPG agent.
> Mar 21 14:34:12 t460s gpg-agent[2835]: gpg-agent (GnuPG) 2.2.5 starting in 
> supervised mode.
> Mar 21 14:34:12 t460s gpg-agent[2835]: using fd 3 for std socket 
> (/run/user/1000/gpg-agent.sock)
> Mar 21 14:34:12 t460s gpg-agent[2835]: using fd 4 for ssh socket 
> (/run/user/1000/ssh-agent.sock)
> Mar 21 14:34:12 t460s gpg-agent[2835]: listening on: std=3 extra=-1 
> browser=-1 ssh=4

these are not the standard socket locations, which is probably why gpg
isn't finding them for you.

> What is the trick to making this work correctly?

try using the shipped user service units instead :) If that doesn't work
for you, or if you have any suggestions for improvements, i'm happy to
help review and debug.

Regards,

--dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
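As an added illustration of the diagnosis above (example code, not from the thread or from GnuPG itself): the log lines quoted in the question show the agent listening on /run/user/1000/gpg-agent.sock and /run/user/1000/ssh-agent.sock, while gpg and the ssh client look for the standard names under the GnuPG socket directory. The check below assumes GnuPG 2.2's socket directory $XDG_RUNTIME_DIR/gnupg (the path `gpgconf --list-dirs agent-socket` prints) and the log format quoted above; the socket unit text it generates is modelled on the shipped doc/examples/systemd-user files, where FileDescriptorName= is how gpg-agent --supervised learns which role (std, extra, browser, ssh) each inherited descriptor has.

```python
"""Check the socket paths a supervised gpg-agent reports against the standard
GnuPG socket names, and emit a matching systemd user socket unit.

Added example; assumes the GnuPG 2.2 socket directory $XDG_RUNTIME_DIR/gnupg
and the log line format quoted in the thread."""
import re

# Standard socket file names per agent role, relative to the socket directory.
SOCKET_NAMES = {
    "std": "S.gpg-agent",
    "extra": "S.gpg-agent.extra",
    "browser": "S.gpg-agent.browser",
    "ssh": "S.gpg-agent.ssh",
}

# Log lines quoted in the thread (wrapped lines joined back together).
THREAD_LOG = [
    "Mar 21 14:34:12 t460s gpg-agent[2835]: gpg-agent (GnuPG) 2.2.5 starting in supervised mode.",
    "Mar 21 14:34:12 t460s gpg-agent[2835]: using fd 3 for std socket (/run/user/1000/gpg-agent.sock)",
    "Mar 21 14:34:12 t460s gpg-agent[2835]: using fd 4 for ssh socket (/run/user/1000/ssh-agent.sock)",
    "Mar 21 14:34:12 t460s gpg-agent[2835]: listening on: std=3 extra=-1 browser=-1 ssh=4",
]

LOG_RE = re.compile(r"using fd (\d+) for (\w+) socket \((.+?)\)")


def expected_sockets(runtime_dir):
    """Paths that gpg, gpgsm and ssh clients try for each agent role."""
    return {role: f"{runtime_dir}/gnupg/{name}" for role, name in SOCKET_NAMES.items()}


def parse_supervised_log(lines):
    """Map role -> (fd, path) from the agent's 'using fd N for ROLE socket' lines."""
    found = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found[m.group(2)] = (int(m.group(1)), m.group(3))
    return found


def check_sockets(lines, runtime_dir):
    """Return one message per socket the agent serves at a non-standard path."""
    expected = expected_sockets(runtime_dir)
    problems = []
    for role, (fd, path) in parse_supervised_log(lines).items():
        if role not in expected:
            problems.append(f"fd {fd}: unknown socket role {role!r}")
        elif path != expected[role]:
            problems.append(
                f"fd {fd}: {role} socket is {path}, but clients connect to {expected[role]}"
            )
    return problems


def socket_unit(role):
    """systemd user socket unit for one role; %t expands to $XDG_RUNTIME_DIR."""
    if role not in SOCKET_NAMES:
        raise ValueError(f"unknown role {role!r}")
    lines = [
        "[Unit]",
        f"Description=GnuPG cryptographic agent ({role} socket)",
        "",
        "[Socket]",
        f"ListenStream=%t/gnupg/{SOCKET_NAMES[role]}",
        f"FileDescriptorName={role}",   # tells gpg-agent --supervised the role of this fd
        "SocketMode=0600",
        "DirectoryMode=0700",
        "Service=gpg-agent.service",    # all socket units activate the same service
        "",
        "[Install]",
        "WantedBy=sockets.target",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in check_sockets(THREAD_LOG, "/run/user/1000"):
        print(problem)
    print(socket_unit("ssh"))
```

Run against the quoted log this flags both the std and the ssh socket, which is exactly why gpg in the question could not find its agent: a client that has not been told otherwise connects to the path gpgconf reports, not to whatever a hand-written unit put in ListenStream=.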


Re: Is signing a file with multiple keys possible

2018-03-23 Thread Phil Pennock
On 2018-03-24 at 00:31 +0100, Dirk Gottschalk via Gnupg-users wrote:
> Is it possible to sign a file with multiple keys?

Yes.  Slightly lower-level operations than normal signing, but not by
much, you just need to know about enarmor/dearmor and how signatures are
put together.

> For Example: John, Harry and Sally wrote a file, lets assume it is a
> text file. Now all of them want to sign this file, so that when
> verifying it, all three signatures are visible.

8< multi-sign recipe >8-
# fetch the text to be signed
curl -LO https://pt-dummy-app.herokuapp.com/poetry/if.txt

# each signer produces a detached (binary) signature and renames it
laptop$ gpg --detach --sign if.txt
laptop$ mv if.txt.sig if.txt.sig-laptop
securebox$ gpg --detach --sign if.txt
securebox$ mv if.txt.sig if.txt.sig-securebox

# concatenate the raw signature packets, then armor the result once
cat if.txt.sig-laptop if.txt.sig-securebox | gpg --enarmor > if.txt.asc

# gpg finds if.txt by stripping the .asc suffix and reports each signature
gpg --verify if.txt.asc
8< multi-sign recipe >8-

If the individual signatures are ASCII-armored, then use `gpg --dearmor`
to turn them into binary format.  Multiple signatures are just one after
another: there's no container _around_ them, no special merging tools
needed.

In the above example, the securebox is using:
  local-user 0xlong_subkey_1!
  local-user 0xlong_subkey_2!
in ~/.gnupg/gpg.conf to generate two signatures, so that I sign with
both EDDSA and RSA.  Thus the resulting `if.txt.asc' has _three_
signatures.

I've attached the combined signature.  You should be able to grab the
famous poem from the URL above and verify my signatures upon the text.

-Phil


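What the recipe relies on, for both the original question ("is there any way to add a signature instead of overriding the former one?") and Phil's answer, shown as an added example that is neither Phil's code nor GnuPG's: a detached signature file is a plain sequence of OpenPGP packets (RFC 4880 section 4.2), a signature is packet tag 2, and there is no outer container, so two signature files laid end to end are one signature file with two signatures. The code walks packet headers (old and new format), counts signature packets, and implements the radix-64 armor with its CRC-24 trailer (RFC 4880 section 6) that `gpg --dearmor` and `gpg --enarmor` convert between. The signature packet bodies it feeds itself are constructed placeholders with valid framing; they are not real signatures and gpg would not verify them.

```python
"""OpenPGP packet framing and ASCII armor, enough to show why concatenating
detached signatures works. Added example; sample packets are constructed."""
import base64
import re

SIGNATURE_TAG = 2          # RFC 4880 section 5.2

# CRC-24 constants from RFC 4880 section 6.1
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """Armor checksum: bitwise CRC-24 over the binary packet data."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def enarmor(data, label="PGP SIGNATURE"):
    """Radix-64 armor with 64-column lines and the =CRC trailer gpg emits."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {label}-----", ""] + body
                     + ["=" + crc, f"-----END {label}-----", ""])


def dearmor(text):
    """Strip armor, skip any Comment:/Version: headers, verify the CRC-24."""
    m = re.search(r"-----BEGIN ([^-\n]+)-----\r?\n(.*?)\r?\n-----END \1-----", text, re.S)
    if m is None:
        raise ValueError("no ASCII armor block found")
    lines = m.group(2).splitlines()
    if "" in lines:                       # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))
    crc_lines = [ln[1:] for ln in lines if ln.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[-1]), "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data


def iter_packets(blob):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte at offset {i}")
        if ctb & 0x40:                    # new format: 6-bit tag, variable length octets
            tag = ctb & 0x3F
            first = blob[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(blob[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                             # old format: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nlen = 1 << ltype
            length, hlen = int.from_bytes(blob[i + 1:i + 1 + nlen], "big"), 1 + nlen
        body = blob[i + hlen:i + hlen + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, body
        i += hlen + length


def count_signatures(blob):
    return sum(1 for tag, _ in iter_packets(blob) if tag == SIGNATURE_TAG)


def combine_detached(armored_sigs):
    """The recipe: dearmor each signature, concatenate the packets, armor once."""
    return enarmor(b"".join(dearmor(s) for s in armored_sigs))


def new_format_packet(tag, body):
    """Build a new-format packet; used here only to construct sample input."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


# Constructed sample "signatures": valid framing, placeholder bodies (not verifiable).
SIG_LAPTOP = new_format_packet(SIGNATURE_TAG, b"\x04\x00\x16\x08" + b"\xaa" * 60)
SIG_SECUREBOX = (new_format_packet(SIGNATURE_TAG, b"\x04\x00\x01\x08" + b"\xbb" * 300)
                 + new_format_packet(SIGNATURE_TAG, b"\x04\x00\x16\x08" + b"\xcc" * 60))

if __name__ == "__main__":
    combined = combine_detached([enarmor(SIG_LAPTOP), enarmor(SIG_SECUREBOX)])
    print(combined)
    print("signatures:", count_signatures(dearmor(combined)))
```

The securebox sample carries two signature packets, mirroring the two `local-user` lines in the post, so the combined file holds three. Real `gpg --armor --detach-sign` output decodes the same way; only the bodies differ.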


Re: Is signing a file with multiple keys possible

2018-03-23 Thread Dirk Gottschalk via Gnupg-users
Hello Phil.

Am Freitag, den 23.03.2018, 20:44 -0400 schrieb Phil Pennock:
> On 2018-03-24 at 00:31 +0100, Dirk Gottschalk via Gnupg-users wrote:
> > Is it possible to sign a file with multiple keys?
> 
> Yes.  Slightly lower-level operations than normal signing, but not by
> much, you just need to know about enarmor/dearmor and how signatures
> are
> put together.
> ...

Thank you very much. It's like chaining up PEM certs in OpenSSL. Why
didn't I even think about this? The format is so similar.

Thanks,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350



Writing DER certificates to Zeitcontrol Cards

2018-03-23 Thread Dirk Gottschalk via Gnupg-users
Hello.

Yes, it's me again with another question.

I'm trying to import certificates in DER format to Zeitcontrol OpenPGP-
Cards (v2.1 and v3.3) and get this error message:

gpg/card> writecert 3 < cert.der
gpg: error writing certificate to card: Kartenfehler

The last word says "card error".

Are these cards not capable of having certs written to them, or am I
missing something?

The Admin-Pin is correct, so this could not be the problem.

Regards,
Dirk



Is signing a file with multiple keys possible

2018-03-23 Thread Dirk Gottschalk via Gnupg-users
Hello.

Is it possible to sign a file with multiple keys?

For example: John, Harry and Sally wrote a file, let's assume it is a
text file. Now all of them want to sign this file, so that when
verifying it, all three signatures are visible.

Is this possible?

I tried with --clearsign, but that doesn't work, because the former
signatures are disabled by the latest signing process.

Is there any way to add a signature instead of overriding the former
Signature?

Regards,
Dirk



Re: gpgme_set_passphrase_cb not cooperating...

2018-03-23 Thread Werner Koch
On Thu, 22 Mar 2018 13:58, mangoc...@gmail.com said:

> Now, my target environment is CentOS 7, and they resolve /usr/bin/gpg with
> a link to /usr/bin/gpg2 - which does not play nice with
> set_passphrase_cb().  Any suggestions on the best way to untangle that knot?

Assuming this is GnuPG >= 2.1 you use:

gpgme_set_pinentry_mode (ctx, GPGME_PINENTRY_MODE_LOOPBACK);

and the callbacks will be activated again.  You can always call this
function; gpgme knows when to actually pass the required option to gpg.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Is passphrase correct?

2018-03-23 Thread Peter Lebbing
On 22/03/18 22:24, MyCraigs List via Gnupg-users wrote:
> In other words- I'm trying to make sure I haven't forgotten the
> passphrase and need a way to test it...preferably using command line
> (Linux).

--8<---cut here---start->8---
$ echo test | gpg -r '' -e | gpg -d
gpg: pe...@digitalbrains.com: Verified X signatures in the past 19 months.
 Encrypted Y messages in the past 15 months.
gpg: encrypted with 2048-bit RSA key, ID 26F7563E73A33BEE, created
2009-11-12
  "Peter Lebbing "
test
--8<---cut here---end--->8---

The fact that "test" shows up at the end proves that I could decrypt the
message, and that proves my passphrase was correct.

Note that I used my e-mail address as the "recipient" of the encrypted
message, but this might match multiple keys. Use your fingerprint to
uniquely select the correct key to check the passphrase for. The long
key ID is an okayish method of specifying it as well. Don't use the
short key ID.

--8<---cut here---start->8---
$ gpg --keyid-format long -k ''
pub   rsa1024/ADD8D49B3E4FCA14 2006-03-31 [SC] [revoked: 2009-11-12]
  F8D07102A4F52BD8DC1A7786ADD8D49B3E4FCA14
uid [ revoked] Peter Lebbing 

pub   rsa2048/AC46EFE6DE500B3E 2009-11-12 [C] [expires: 2019-10-13]
  8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
uid [  full  ] Peter Lebbing 
sub   rsa2048/969E018FDE6CDCA1 2009-11-12 [S] [expires: 2019-10-13]
sub   rsa2048/26F7563E73A33BEE 2009-11-12 [E] [expires: 2019-10-13]
--8<---cut here---end--->8---

The fingerprint is the really long hexadecimal number below the "pub"
line of the key you're looking for. The long key ID is the number after
"pub rsa2048/", and actually is just the last 16 digits of the fingerprint.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Missing feedback when changing a card pin fails

2018-03-23 Thread Johannes Zarl-Zierl
Hi,

I've just spent half an hour scratching my head over an issue that should have 
been simple:

I initialized a new OpenPGP card (v2.1 from Zeitcontrol) and changed the 
(user) pin.

After this, I used the verify command to check whether the pin was working: I 
put my pin into the pinentry dialog, and verified that the retry count 
afterwards was still "3 0 3".
Still, when I was prompted the pin afterwards I got the error "wrong pin". 
Strangely enough, the retry counter did not decrease when entering the pin. 
Entering a different random pin resulted in the retry counter decreasing as it 
should.

[Fast-forward through lots of head-scratching, mild swearing and asking myself 
whether the card was broken.]

In the end the simple truth was that my pin code only had 5 digits, but the 
minimum length is higher. Yes, I know that I *should* know the minimum pin-
code length for my card, and that I *should* use longer pins anyways.

Is it possible to issue some kind of diagnostic for this? I.e. either a 
warning/error message when changing the pin, or at least the "verify" command 
issuing a warning on an incorrect pin?

Btw. my gpg version is 2.2.5.

Cheers,
  Johannes



Re: Followup: gpgme_set_passphrase_cb not working...

2018-03-23 Thread Andre Heinecke
Hi,

On Wednesday, March 21, 2018 7:05:57 PM CET Mike Inman wrote:
> FWIW, here's the log entry from an attempt to use gpgme_set_passphrase_cb
> on a symmetric encryption.  For some reason I still cannot figure out, my
> callback function isn't being used, the system prompt still appears (twice,
> once to confirm.)

From the other thread I take it that you are using GPGME with GnuPG-2.0.28?
In the log I don't see the gpg version, but I didn't see it mentioned in the
other thread that the GnuPG-2.0.x series does not support the passphrase
callback.

I ran into the same problem some time ago and documented it as a note in the
GPGME manual,
https://www.gnupg.org/documentation/manuals/gpgme/Passphrase-Callback.html#Passphrase-Callback:

"Note: The passphrase_cb only works with GnuPG 1.x and 2.1.x and not with the
2.0.x series."

An ugly workaround could be to use some kind of fake pinentry (see the tests
in GPGME) and configure that in the gpg-agent.conf. But you are probably better
off bundling a 2.1 / 2.2 version of GnuPG with your application.

Best Regards,
Andre


-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
