Re: Wrong Keygrip (gpg2 --card-status --with-keygrip)

2018-04-24 Thread NIIBE Yutaka
Hello,

Thanks for your report.

Dirk Gottschalk via Gnupg-users wrote:
> gpg outputs the wrong keygrip with --card-edit --with-keygrip. The
> output is:
[...]
> As you see, it returns the same grip for enc. and auth. key. This is
> wrong and "gpg2 -K --with-keygrip" returns the correct Keygrips.
>
> My gpg version is 2.2.6

It's a new feature introduced in 2.2.6, and I did not review the patch
well.

Just fixed and pushed in 71903eee8.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Wrong Keygrip (gpg2 --card-status --with-keygrip)

2018-04-24 Thread Dirk Gottschalk via Gnupg-users
Hi,

gpg outputs the wrong keygrip with --card-edit --with-keygrip. The
output is:

Signature key : DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
  created : 2018-03-01 13:46:51
  keygrip : 5707164106D237EB453D5359F9D319955BAA33A2
Encryption key: 092D 9CEB 9D34 B154 E0FC  5761 CAE0 7B25 1AE3 F69E
  created : 2018-03-01 13:46:51
  keygrip : A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E
Authentication key: B982 A7AC F65C FBBB 1E7B  2B05 774B 4700 4B02 B274
  created : 2018-03-01 13:47:25
  keygrip : A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E

As you see, it returns the same grip for enc. and auth. key. This is
wrong and "gpg2 -K --with-keygrip" returns the correct Keygrips.

My gpg version is 2.2.6

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

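An added shell check (example code, not from the thread or from GnuPG) that parses the card-status output quoted above together with a `gpg -K --with-keygrip` listing and flags the symptom reported here: two card slots sharing one keygrip, or a card keygrip with no matching secret key in the keyring. It assumes the human-readable card-status format shown above and `Keygrip = <hex>` lines in the `-K` listing; the keyring listing and the authentication keygrip placeholder are constructed.

```shell
# Print "SLOT KEYGRIP" for each card slot; card-status text on stdin.
card_keygrips() {
    awk '/^(Signature|Encryption|Authentication) key/ { slot = $1 }
         /^[[:space:]]*keygrip[[:space:]]*:/ { print slot, $NF }'
}

# Print the keygrips in a `gpg -K --with-keygrip` listing ("Keygrip = <hex>").
keyring_keygrips() {
    awk '/^[[:space:]]*Keygrip[[:space:]]*=/ { print $NF }'
}

# $1 = card-status text, $2 = keyring listing text. Returns 0 when consistent.
check_card_keygrips() {
    card=$(printf '%s\n' "$1" | card_keygrips)
    ring=$(printf '%s\n' "$2" | keyring_keygrips)
    status=0
    # One keygrip in two slots is exactly the symptom in the report above.
    for g in $(printf '%s\n' "$card" | awk '{ print $2 }' | sort | uniq -d); do
        echo "keygrip $g is reported for more than one card slot"
        status=1
    done
    # Every card slot must map to a secret key (stub) in the local keyring.
    for pair in $(printf '%s\n' "$card" | tr ' ' ':'); do
        slot=${pair%%:*} grip=${pair##*:}
        case " $(printf '%s ' $ring) " in
            *" $grip "*) ;;
            *) echo "$slot key: keygrip $grip not found in keyring"; status=1 ;;
        esac
    done
    return $status
}

# Constructed samples: the card-status lines quoted in the report (keygrips as
# shown there) and a hypothetical keyring listing in which the authentication
# subkey has a placeholder standing in for its real, distinct keygrip.
CARD_BUGGY='Signature key : DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
  keygrip : 5707164106D237EB453D5359F9D319955BAA33A2
Encryption key: 092D 9CEB 9D34 B154 E0FC  5761 CAE0 7B25 1AE3 F69E
  keygrip : A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E
Authentication key: B982 A7AC F65C FBBB 1E7B  2B05 774B 4700 4B02 B274
  keygrip : A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E'
RING='sec>  rsa2048 2018-03-01 [SC]
      Keygrip = 5707164106D237EB453D5359F9D319955BAA33A2
ssb>  rsa2048 2018-03-01 [E]
      Keygrip = A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E
ssb>  rsa2048 2018-03-01 [A]
      Keygrip = PLACEHOLDER_AUTH_KEYGRIP'
# Same card output as it should look once fixed: the last keygrip is distinct.
CARD_FIXED=$(printf '%s\n' "$CARD_BUGGY" | sed '$s/A3B4.*/PLACEHOLDER_AUTH_KEYGRIP/')
```

On a live system, capture `gpg --card-status --with-keygrip` and `gpg -K --with-keygrip` into two variables and pass them to `check_card_keygrips`.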


Re: Backup .gnupg using git

2018-04-24 Thread Wink Saville
On Sun, Apr 22, 2018 at 1:27 PM, Damien Goutte-Gattat wrote:
> On 04/21/2018 05:32 PM, Wink Saville wrote:
>>
>> Comments on the security of what I'm doing?
>
>
> Can't really tell anything without knowing your adversary (is it Mossad or
> not-Mossad? [1]), but here are a few remarks.

Not-Mossad; it seems that if it's Mossad it doesn't matter. My goal is to have
as good security as possible while making it relatively easy to use. Using
the smart card seemed to increase the security by not having any secret
keys directly on my computer, hence that choice.

>
> You do not say which version of GnuPG you are using.

$ gpg --version
gpg (GnuPG) 2.2.6
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/wink/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

> Assuming you are using
> the latest available version on your system (which you should), most of the
> options you put in your gpg.conf and dirmngr.conf are useless, as they are
> already in the default settings (something many authors of those "create a
> perfect keypair" howtos seem to ignore).
>
> Also, your gpg.conf contains the following:
>
>   # Avoid information leaked
>   [...]
>   export-options export-minimal
>
> If the goal here is to avoid revealing who signed your key (this option
> tells GnuPG to remove all third-party signatures on your key), then this is
> completely defeated by the fact that you upload your entire public keyring
> to a world-readable Github repository!
>
> Combined with the trust database that you *also* upload, this is a pretty
> serious information leak IMO, as anyone can learn not only who signed your
> key, but also which keys you collected over time, which keys you signed
> (even if you only signed them locally), and how much you trust the owners of
> all those keys. Are you fine with that, or didn't you realize the
> implications of uploading those files?

I'm ignorant and didn't realize what I did :)

At the moment I've not signed any keys nor have I had any signed, so nothing
lost so far (I think). On the other hand, I haven't run across any
information that would allow me to control what information other people might leak.

Also, it would seem if you're using "Public Key Encryption" you have to assume
all "Public" information is already leaked, correct?

>
> Finally, and as a general rule, if you are not sure of what you are doing, I
> am strongly in favour of following only these two pieces of advice:

Definitely me.

>
> * Use the latest GnuPG version available on your system. In particular, if
> you invoke `gpg`, make sure this is GnuPG >= 2.1 and *not* GnuPG 1.x.
> * Use the default settings.

I'm using 2.2.6 on Arch Linux systems which I update about once a week,
so I'm hopefully keeping up to date, and I'm now "just using the defaults".

>
> Damien
>
>
> [1] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058046.html
>

TXS, Wink
