Semantics of WOT and Subkeys

2018-04-18 Thread Evan Klitzke
I am trying to understand the semantics of how GnuPG's WOT model 
interacts with subkeys. This is a pretty basic question, so feel free to 
direct me to existing resources if there are any; there must be 
something written on this topic already, but I failed to find anything.


Suppose Alice and Bob want to start using PGP, so they both install GPG 
and create keypairs. At this point in time they both sign each other's 
keys, meaning that they sign each other's master/certification key.


Later Alice learns about subkeys, so she creates a new signing subkey 
for signing her mail/git commits/whatever. How does this work when Bob 
sees the new subkey? Does Bob/GPG treat the signing subkey as just as
trusted as Alice's master key? Or is it somehow treated as less trusted,
since it's one step away from the master key?


Similarly, let's say Carol also starts using PGP, and Alice signs 
Carol's key. From Bob's point of view, is there a difference which key 
(the master key or the subkey) Alice used when signing Carol's key?


--
Evan Klitzke  pgp: 0x157EFCACBC648422
e: e...@eklitzke.org  w: https://eklitzke.org

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: dirmngr timeout

2018-04-18 Thread Daniel Kahn Gillmor
On Fri 2018-04-13 11:00:59 +0100, Laszlo Papp wrote:
> Yes, I meant to reply yesterday after solving this.
>
> systemd --user import-environment http_proxy
>
> is what I used.

i think you mean:

systemctl --user import-environment http_proxy

Please read the "Environment Commands" section of systemctl(1) for more
details.

Another alternative is to add an Environment= directive to
dirmngr.service -- you can do this with:

systemctl --user edit dirmngr.service

or simply by putting the following two lines in
~/.config/systemd/user/dirmngr.service.d/proxy.conf :

[Service]
Environment=http_proxy=http://192.0.2.8:3128


hth,

--dkg



Re: dirmngr timeout

2018-04-18 Thread Daniel Kahn Gillmor
Hi Laszlo--

I'm afraid we don't know the details of how your docker instance is set
up; which versions of which packages you have installed inside docker
vs. outside of docker, what's bind-mounted, what the networking
constraints are in place.  this makes debugging remotely a bit more
difficult.

On Fri 2018-04-13 15:29:50 +0100, Laszlo Papp wrote:
> gpg: connecting dirmngr at '/home/nic/.gnupg/S.dirmngr' failed: IPC connect 
> call failed
> gpg: keyserver receive failed: No dirmngr

if a standard user runtime dir is mounted on /run/user/$UID , the
dirmngr socket could be mounted there.  It sounds like that is probably
not mounted, so gpg is falling back to the socket location in the home
directory.

but if no dirmngr is running listening on the expected socket, then gpg
normally tries to launch it itself.

for example, i'd expect to see the following:

gpg-connect-agent: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg-connect-agent: waiting for the dirmngr to come up ... (5s)
gpg-connect-agent: waiting for the dirmngr to come up ... (4s)
gpg-connect-agent: connection to dirmngr established

But i don't see that in your logs.  What version of GnuPG is installed?

how did dirmngr get installed on this docker system?  how did gpg
itself get installed?

what is the output of:

 gpgconf --list-dirs

(within the docker instance, that is)

hth,

--dkg



Re: pinentry problems

2018-04-18 Thread Daniel Kahn Gillmor
On Tue 2018-04-17 23:05:44 +0200, Paul H. Hentze wrote:
> I did. This works fine as I assess that.

I'm glad it's working now.

> Now I'm still stuck with the pinentry problem.

can you explain the pinentry problem you're seeing?  I'm afraid the bad
ownership of your files was distracting from any other problems you were
reporting.

One simple way to test pinentry (without gpg or gpg-agent in the mix)
is:

 echo getpin | pinentry

that should show you a dialog box that prompts you for a password.  you
can put in whatever you like, and it should be emitted on the console
where you ran the above command.

  --dkg



Re: [Announce] GnuPG 2.2.6 released

2018-04-18 Thread sgarl...@gmail.com
unsubscribe


[Announce] GnuPG Made Easy (GPGME) 1.11.1 released

2018-04-18 Thread Werner Koch
Hello!

We are pleased to announce version 1.11.0 of GPGME.

GnuPG Made Easy (GPGME) is a C language library that allows adding
support for cryptography to a program.  It is designed to make access to
public key crypto engines like gpg and gpgsm easier for applications.
GPGME provides a high-level crypto API for encryption, decryption,
signing, signature verification, and key management.  GPGME comes with
language bindings for Common Lisp, C++, QT, Python 2 and 3.

See https://gnupg.org/software/gpgme for more.


Noteworthy changes in version 1.11.0
====================================

 * New encryption API to support direct key specification including
   hidden recipients option and taking keys from a file.  This also
   allows enforcing the use of a subkey.

 * New encryption flag for the new API to enforce the use of plain
   mail addresses (addr-spec).

 * The import API can now tell whether v3 keys are skipped.  These old
   and basically broken keys are no longer supported by GnuPG 2.1.

 * The decrypt and verify API will now return the MIME flag as
   specified by RFC-4880bis.

 * The offline mode now has an effect on gpg by disabling all network
   access.  [#3831]

 * A failed OpenPGP verification now returns the fingerprint of the
   intended key if a recent gpg version was used for signature
   creation.

 * New tool gpgme-json as native messaging server for web browsers.
   As of now public key encryption and decryption is supported.
   Requires Libgpg-error 1.29.

 * New context flag "request-origin" which has an effect when used
   with GnuPG 2.2.6 or later.

 * New context flag "no-symkey-cache" which has an effect when used
   with GnuPG 2.2.7 or later.

 * New convenience constant GPGME_KEYLIST_MODE_LOCATE.

 * Improved the Python documentation.

 * Fixed a potential regression with GnuPG 2.2.6 or later.

 * Fixed a crash in the Python bindings on 32 bit platforms.  [#3892]

 * Various minor fixes.


Download
========

You may download this library and its OpenPGP signature from:

  https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.11.0.tar.bz2 (1382k)
  https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.11.0.tar.bz2.sig

or from ftp.gnupg.org.  The SHA-1 checksum is

  17772bf86eef70ab0c77cbb6df0b90f002af0030  gpgme-1.11.0.tar.bz2

but you better check the integrity using the provided signature. See
 for details.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs one full-time developer and two
contractors.  Both work exclusively on GnuPG and closely related software
like Libgcrypt, GPGME and GPA.

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, answering questions on the mailing lists
and with financial support.


Happy hacking,

  Your GnuPG hackers



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-devel 'at' gnupg.org mailing list.

p.p.s.
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with
by malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these four keys:

  rsa2048 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key) 

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key) 

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at  and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
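The announcement tells you to check the tarball against its signature rather than the SHA-1 sum. The following is an added example (my own code, not GnuPG project code) of what that check should actually pin down: not merely that some key in your keyring produced a valid signature, but that the signing key's primary fingerprint is one of the four release signing keys listed above. It works on gpg's --status-fd output; the sample status lines, the default keyring path g10/distsigkey.gpg and the all-zero fingerprint are constructed for illustration.

```python
import subprocess
from typing import Optional
# Primary-key fingerprints of the four release signing keys listed above (spaces removed).
RELEASE_SIGNING_KEYS = {
    "D8692123C4065DEA5E0F3AB5249B39D24F25E3B6": "Werner Koch (dist sig)",
    "46CC730865BB5C78EBABADCF04376F3EE0856959": "David Shaw (GnuPG Release Signing Key)",
    "031EC2536E580D8EA286A9F22071B08A33BD3F06": "NIIBE Yutaka (GnuPG Release Key)",
    "5B80C5754298F0CB55D8ED6ABCEF7E294B092E28": "Andre Heinecke (Release Signing Key)",
}

def primary_fpr_of_valid_signature(status_output: str) -> Optional[str]:
    """Primary-key fingerprint from a VALIDSIG status line, or None.
    gpg emits VALIDSIG only for a cryptographically valid signature, and its last
    field is the primary key's fingerprint even when a subkey made the signature
    (doc/DETAILS in the GnuPG source).  GOODSIG, EXPKEYSIG and TRUST_* lines are
    ignored on purpose: an explicit allowlist does not rely on the web of trust,
    and an expired release key still identifies the signer.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[-1].upper()
    return None

def is_release_signature(status_output: str) -> bool:
    """True only if the signature is valid AND made by one of the release keys."""
    return primary_fpr_of_valid_signature(status_output) in RELEASE_SIGNING_KEYS

def verify_tarball(tarball: str, sig: str, keyring: str = "g10/distsigkey.gpg") -> bool:
    """Run gpg with machine-readable status lines on stdout and apply the allowlist.
    The default keyring is the file the announcement names inside a GnuPG tarball;
    --no-default-keyring keeps every other key in the user's keyring out of it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True, check=False)
    return is_release_signature(proc.stdout)

# Constructed sample status output (not captured from a real gpg run).
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)\n"
    "[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2018-04-18 "
    "1524045000 0 4 0 1 10 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
# Valid signature, but from some other key (the all-zero fingerprint is a placeholder).
FOREIGN_STATUS = "[GNUPG:] VALIDSIG " + "0" * 40 + " 2018-04-18 1524045000 0 4 0 1 10 00 " + "0" * 40 + "\n"
# Signing key not in the keyring: gpg reports ERRSIG/NOPUBKEY and no VALIDSIG at all.
MISSING_STATUS = "[GNUPG:] ERRSIG 0000000000000000 1 10 00 1524045000 9\n[GNUPG:] NOPUBKEY 0000000000000000\n"
```

As the announcement notes, the mail itself is signed by a different key, so this allowlist would correctly reject the announcement's own signature; it is meant for the tarballs only.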


Re: dirmngr timeout

2018-04-18 Thread Laszlo Papp
I still have not managed to solve this. Does anyone have an idea?

On Fri, Apr 13, 2018 at 3:29 PM, Laszlo Papp  wrote:

> Unfortunately, I am seeing the following issue in docker, still. What
> would be the solution to this? I am using 2.2.6.
>
> Step 12/46 : RUN dirmngr < /dev/null && echo "honor_http_proxy" >
> /home/nic/.gnupg/dirmngr.conf && touch ~/.gnupg/dirmngr_ldapservers.conf
> && ls -ld ~/.gnupg &&  gpg --keyserver hkp://p80.pool.sks-keyservers.
> net:80 --recv-key 702353E0F7E48EDB; cd ~ && git clone
> https://aur.archlinux.org/lib32-ncurses5-compat-libs.git
> lib32-ncurses5-compat-libs && cd lib32-ncurses5-compat-libs && makepkg -f
> --noconfirm
>  ---> Running in 698013ee8936
> dirmngr[8]: error opening '/home/nic/.gnupg/dirmngr_ldapservers.conf': No
> such file or directory
> dirmngr[8.0]: permanently loaded certificates: 136
> dirmngr[8.0]: runtime cached certificates: 0
> dirmngr[8.0]:trusted certificates: 136 (135,0,0,1)
> dirmngr[8.0]: failed to open cache dir file '/home/nic/.gnupg/crls.d/DIR.txt':
> No such file or directory
> dirmngr[8.0]: creating directory '/home/nic/.gnupg'
> dirmngr[8.0]: creating directory '/home/nic/.gnupg/crls.d'
> dirmngr[8.0]: new cache dir file '/home/nic/.gnupg/crls.d/DIR.txt' created
> # Home: /home/nic/.gnupg
> # Config: [none]
> OK Dirmngr 2.2.6 at your service
> drwx-- 3 nic admin 4096 Apr 13 13:45 /home/nic/.gnupg
> gpg: keybox '/home/nic/.gnupg/pubring.kbx' created
> gpg: connecting dirmngr at '/home/nic/.gnupg/S.dirmngr' failed: IPC
> connect call failed
> gpg: keyserver receive failed: No dirmngr
> Cloning into 'lib32-ncurses5-compat-libs'...
> ==> Making package: lib32-ncurses5-compat-libs 6.1-1 (Fri Apr 13 13:46:14
> UTC 2018)
> ==> Checking runtime dependencies...
> ==> Checking buildtime dependencies...
> ==> Retrieving sources...
>   -> Downloading ncurses-6.1.tar.gz...
>   -> Downloading ncurses-6.1.tar.gz.sig...
> ==> Validating source files with md5sums...
> ncurses-6.1.tar.gz ... Passed
> ncurses-6.1.tar.gz.sig ... Skipped
> ==> Verifying source file signatures with gpg...
> ncurses-6.1.tar.gz ... FAILED (unknown public key 702353E0F7E48EDB)
> ==> ERROR: One or more PGP signatures could not be verified!
> The command '/bin/sh -c dirmngr < /dev/null && echo "honor_http_proxy" >
> /home/nic/.gnupg/dirmngr.conf && touch ~/.gnupg/dirmngr_ldapservers.conf
> && ls -ld ~/.gnupg &&  gpg --keyserver hkp://p80.pool.sks-keyservers.
> net:80 --recv-key 702353E0F7E48EDB; cd ~ && git clone
> https://aur.archlinux.org/lib32-ncurses5-compat-libs.git
> lib32-ncurses5-compat-libs && cd lib32-ncurses5-compat-libs && makepkg -f
> --noconfirm' returned a non-zero code: 1