Re: Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial

2018-08-16 Thread Peter Lebbing
On 16/08/18 18:31, Peter Lebbing wrote:
> By the way, the GnuPG 2.1 in Ubuntu 16.04 hasn't been updated in almost 
> two years. I don't feel comfortable with it, and I would consider 
> alternatives.

s/two years/two and a half years/

It hasn't been updated since release. For a moment I was thinking about
the .10 releases.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial

2018-08-16 Thread Peter Lebbing
gpg-preset-passphrase wants a keygrip, not a key fingerprint. To get the 
keygrip for a specific key, use f.e.:

--8<---cut here---start->8---
$ gpg --with-keygrip -k 211601B877A3395A
pub   rsa1024 2012-03-17 [SC] [expires: 2018-08-23]
      825472F37172B95ADC7349BE98B67DE4DCDFDFA4
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
uid           [  full  ] Test Teststra 
uid           [  full  ] Test Teststra (Koning van Wezel) 
sub   rsa1024 2012-03-17 [E]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
sub   rsa2048 2016-01-12 [A]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
--8<---cut here---end--->8---

Or for machine-parseable output, f.e.:

--8<---cut here---start->8---
$ gpg --batch --with-colons --with-keygrip -k 211601B877A3395A
tru::7:1534436270:1537177125
pub:f:1024:1:98B67DE4DCDFDFA4:1331982780:1535041047::n:::scESCA:::
fpr:825472F37172B95ADC7349BE98B67DE4DCDFDFA4:
grp:2F677680CA15F6F7B963AF35822E8EC01FBF840A:
uid:f1534436249::A57955B7E1CD67534EBEB1E2F56C1FA882CDDE44::Test Teststra :
uid:f1534436247::B56114536967B4C81D29D6942712F43E831224A5::Test Teststra (Koning van Wezel) :
sub:f:1024:1:211601B877A3395A:1331982780::e::
fpr:9A40F128868A76CF92320458211601B877A3395A:
grp:15CB764B81D542CF921978CA89910C69D53F4E2D:
sub:f:2048:1:0BF68DE438EF7410:1452622346::a::
fpr:029CE2AB6B2E28D10BF9E7140BF68DE438EF7410:
grp:3D88DC9D60F791821AF8D537EEAC3C8DF7720D63:
sub:e:1024:1:24FE6FCFC9685297:1490208195:1490812995:s::
fpr:39F1AE29CE8B6C313CEE723E24FE6FCFC9685297:
grp:B93CA4F1A44FAD92D45DC836DEC653769421E703:
--8<---cut here---end--->8---

Scan lines up to the signing subkey, and take the grp-record that 
follows the signing subkey. See doc/DETAILS for details about the 
format.

gpg-preset-passphrase works on individual keys; if you need to preset both 
the encryption and the signature key, use it once for each keygrip.

By the way, the GnuPG 2.1 in Ubuntu 16.04 hasn't been updated in almost 
two years. I don't feel comfortable with it, and I would consider 
alternatives.

HTH,

Peter.

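An added example, not code from the thread or from GnuPG: a small Python script that parses the machine-readable listing the way the reply above describes (walk the pub/sub records and take the grp record that follows each one), picks the usable keygrips by capability, and builds one gpg-preset-passphrase call per keygrip. The sample listing embedded in it is constructed: it reuses the key IDs, fingerprints and keygrips shown above but is laid out with the full field count from doc/DETAILS (capabilities in field 12, fingerprint and keygrip in field 10), because the sub, fpr and grp lines as quoted in the archive have lost their empty fields. The tool path /usr/lib/gnupg2/gpg-preset-passphrase is an assumption (where Ubuntu 16.04's gnupg-agent package installs it); `gpgconf --list-dirs` prints the libexecdir on any system.

```python
"""Preset a gpg-agent passphrase for every usable signing/encryption keygrip.

Added example, not part of the original thread.  Field layout follows
GnuPG's doc/DETAILS for `gpg --with-colons --with-keygrip -k`.
"""
import subprocess
from typing import Dict, List, Optional

# Assumed install path (Ubuntu 16.04, gnupg-agent package); check with
# `gpgconf --list-dirs` on other systems.
PRESET_TOOL = "/usr/lib/gnupg2/gpg-preset-passphrase"

# Validity letters (field 2) that make a key unusable: expired, revoked,
# invalid, disabled.
UNUSABLE = {"e", "r", "i", "d"}

# Constructed sample: key IDs, fingerprints and keygrips from the post
# above, laid out with the empty fields doc/DETAILS prescribes.
SAMPLE_LISTING = """\
tru::7:1534436270:1537177125
pub:f:1024:1:98B67DE4DCDFDFA4:1331982780:1535041047::n:::scESCA:::
fpr:::::::::825472F37172B95ADC7349BE98B67DE4DCDFDFA4:
grp:::::::::2F677680CA15F6F7B963AF35822E8EC01FBF840A:
uid:f::::1534436249::A57955B7E1CD67534EBEB1E2F56C1FA882CDDE44::Test Teststra::::::::::0:
sub:f:1024:1:211601B877A3395A:1331982780::::::e:
fpr:::::::::9A40F128868A76CF92320458211601B877A3395A:
grp:::::::::15CB764B81D542CF921978CA89910C69D53F4E2D:
sub:f:2048:1:0BF68DE438EF7410:1452622346::::::a:
fpr:::::::::029CE2AB6B2E28D10BF9E7140BF68DE438EF7410:
grp:::::::::3D88DC9D60F791821AF8D537EEAC3C8DF7720D63:
sub:e:1024:1:24FE6FCFC9685297:1490208195:1490812995:::::s:
fpr:::::::::39F1AE29CE8B6C313CEE723E24FE6FCFC9685297:
grp:::::::::B93CA4F1A44FAD92D45DC836DEC653769421E703:
"""


def parse_listing(listing: str) -> List[Dict[str, Optional[str]]]:
    """One entry per pub/sub (or sec/ssb) record: validity, key ID, own
    capability letters, fingerprint and keygrip.  fpr and grp records
    describe the key record that precedes them, so they are attached to
    the last key seen."""
    keys: List[Dict[str, Optional[str]]] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub", "sec", "ssb"):
            keys.append({"type": f[0], "validity": f[1], "keyid": f[4],
                         "caps": f[11] if len(f) > 11 else "",
                         "fpr": None, "grp": None})
        elif f[0] in ("fpr", "grp") and keys:
            # The value is the only non-empty field after the record type.
            keys[-1][f[0]] = next((x for x in f[1:] if x), None)
    return keys


def keygrips_for(keys: List[Dict[str, Optional[str]]], capability: str) -> List[str]:
    """Keygrips of usable keys whose own capabilities include `capability`
    ('s' sign, 'e' encrypt, 'a' auth).  Lowercase letters are the key's
    own capabilities; the uppercase summary letters on the pub record are
    deliberately not matched, so an expired signing subkey does not make
    the primary look like the signer."""
    return [k["grp"] for k in keys
            if k["grp"] and capability in (k["caps"] or "")
            and k["validity"] not in UNUSABLE]


def preset_commands(keys: List[Dict[str, Optional[str]]], capabilities: str = "se",
                    tool: str = PRESET_TOOL) -> List[List[str]]:
    """One gpg-preset-passphrase invocation per distinct keygrip, as the
    reply says: preset once for each key you want unlocked."""
    cmds: List[List[str]] = []
    seen = set()
    for cap in capabilities:
        for grp in keygrips_for(keys, cap):
            if grp not in seen:
                seen.add(grp)
                cmds.append([tool, "--preset", grp])
    return cmds


def preset_passphrase(keyid: str, passphrase: str, tool: str = PRESET_TOOL) -> List[str]:
    """List the key with the real gpg, then feed the passphrase on stdin to
    gpg-preset-passphrase for every signing and encryption keygrip.
    gpg-agent.conf needs `allow-preset-passphrase` or the agent refuses."""
    listing = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--with-keygrip", "-k", keyid],
        check=True, capture_output=True, text=True).stdout
    done = []
    for cmd in preset_commands(parse_listing(listing), tool=tool):
        subprocess.run(cmd, input=passphrase + "\n", check=True, text=True)
        done.append(cmd[-1])
    return done


if __name__ == "__main__":
    for cmd in preset_commands(parse_listing(SAMPLE_LISTING)):
        print("echo \"$PASSPHRASE\" | " + " ".join(cmd))
```

On the sample data the script presets two keygrips: the primary key (the only usable key with the lowercase `s` capability, since the signing subkey is expired) and the encryption subkey. For git commit signing only the `s` set matters: `preset_commands(keys, "s")`. Two practical caveats: the agent only accepts presets when `allow-preset-passphrase` is in gpg-agent.conf (run `gpgconf --reload gpg-agent` after adding it), and a preset entry is still dropped once the agent's `max-cache-ttl` elapses, so a long-lived environment has to re-run the preset or raise that limit.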


Unable to get gpg-preset-passphrase working with gpg2 + gpg-agent in Ubuntu Xenial

2018-08-16 Thread Austin Witt
I want:

To be able to configure an Ubuntu Xenial machine with passphrase-protected
gpg2 keys on disk, and have a running gpg-agent with a passphrase for the
keys pre-loaded by a script. "Users" of this environment should never see a
gpg passphrase prompt: the script will have been run and will have
populated the gpg-agent with the passphrase for the keys before they run a
single command.

I'd settle for getting it working with vanilla gpg2, but ultimately I want
git to be able to sign commits.

I've had a hard time tracking down online documentation that speaks
specifically to gpg 2.1+; most of what I've found (on the stackexchange
sites, forums, and mailing lists, etc) reference older versions of gpg,
especially where gpg-agent is concerned.

I execute gpg-preset-passphrase to the best of my understanding, but all
GPG tools still prompt me for a passphrase. After entering the passphrase,
the gpg-agent correctly saves it and I avoid any future prompts.

I suspect that one of the following is true:

1. I don't know how to use gpg-preset-passphrase 2.1.11
2. gpg-preset-passphrase 2.1.11 doesn't work with gpg-agent 2.1.11
3. gpg-preset-passphrase 2.1.11 doesn't work in Ubuntu Xenial

To aid in debugging, I have created a git repository that builds an Ubuntu
Xenial Docker image that reproduces the issue. Really it just does what I
am trying to do, in the environment I was trying to do it in, and fails the
same way.

So, while I'll quickly tell you some relevant things about my environment,
e.g.

1. OS: Ubuntu 16.04.5 LTS
2. gpg2 version: gpg (GnuPG) 2.1.11
3. gpg-agent version: gpg-agent (GnuPG) 2.1.11
4. gpg-preset-passphrase version: gpg-preset-passphrase (GnuPG) 2.1.11

You can (if you have "docker" installed) visit & clone
https://github.com/Gengar003/linux-gpg2-agent-preset to reproduce & explore
my situation in my exact environment with my exact commands.

My actual questions are:

1. Am I using gpg-agent correctly for gpg 2.1+?
2. Am I using gpg-preset-passphrase correctly for gpg 2.1+?
3. Should gpg-preset-passphrase work with gpg 2.1+?
4. Does anyone know of a working example of a preset passphrase with
gpg-agent in gpg 2.1+?

Thank you for your time.


ECC smartcard (was: Cannot decrypt file encrypted with enQsig)

2018-08-16 Thread Peter Lebbing
On 16/08/18 07:52, Felix E. Klee wrote:
> PS: I’m toying with the idea of switching from my smart card to a
> Trezor hardware token. This would mean generating an entirely new key
> (only 256 bit ECC supported).

I didn't look at the Trezor to check, but I'll assume it allows usage
with GnuPG based on the context you brought it up in.

Note that many OpenPGP peers might not support ECC. You could add ECC
subkeys to your current key, and arrange for peers that support them to
prefer those. That way, anybody able to send you an ECC-encrypted
document could do so, and others could fall back to the RSA encryption
subkey.

For signatures, you'd either still use RSA or accept the fact that only
people with ECC-supporting clients could verify your signatures. The
alternative is signing with both keys; if both are on cards/tokens, that
becomes tiresome really quickly, I'd imagine.

If you add ECC subkeys to your current key, you'd still use an RSA
primary key, without anything elliptic about it.

> OTOH there are several advantages such as the Trezor being a well
> documented open source device

There's also the GnuK, which is free software.

My 2 cents,

Peter.
