Re: AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-03 Thread Peter Lebbing
On 03/09/18 18:56, Fiedler Roman wrote:
> With gpg1 a similar command should have verified, that the signature
> is exactly from the single public key stored in "key.pub".

This has never been a supported use of gpg, it just happened to work
because GnuPG 1.4 happened to use a bunch of exported OpenPGP
certificates as the format of its public keyring. This was an
implementation detail which enabled you to do this. Just because you can
use the rear side of a screwdriver to hammer in a small nail doesn't
mean you're meant to do carpentry that way ;-). In GnuPG, the homedir is
pretty much not part of the interface, it is internal with some
exceptions like .conf-files and being able to retrieve revocation
certificates from it. The keyring format has changed and GnuPG also
expects a lot of other different things in its homedir. So it no longer
works.

It could be that recently an option was added to check a signature by a
certificate in a file, but in general you need to import a certificate
before you can do verifications. I didn't see the new option in the few
announcements I read. Either it was discussed and not done or discussed
and implemented, can't recall.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


AW: How to fix "ERROR key_generate 3355453" / "GENKEY' failed: IPC call has been cancelled"

2018-09-03 Thread Fiedler Roman
Hello List,

Just for the record: a gnupg2 "ERROR key_generate 33554531" is fixed by 
sending "%no-protection" via the command-fd. It seems that a password-less key 
was generated with gpg1 just by not setting a password. With gnupg2 this 
command is needed.

@Devs: It would be really nice to issue a message like "Refusing to create 
unprotected key, use %no-protection if you know what you are doing". It would have 
helped save quite some time.


Just to continue the gpg1 -> gpg2 migration error message guessing game: what 
might be the issue with this command?

/usr/bin/gpg --no-options --batch --no-default-keyring --homedir [some-home] 
--keyring key.pub --lock-never --trust-model always --status-fd 2 --verify 
4b7b830243078d63.gpg
[GNUPG:] UNEXPECTED 0
gpg: verify signatures failed: Unexpected error
[GNUPG:] FAILURE verify 38

With gpg1 a similar command should have verified, that the signature is exactly 
from the single public key stored in "key.pub".

Best regards,
Roman

> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On behalf of
>
> Hello list,
>
> I am attempting to upgrade software to use gpg2 instead of gpg. After fixing
> the usual "Inappropriate ioctl for device" and "Sorry, we are in batchmode -
> can't get input" messages and applying all the gpg_agent security
> workarounds, I am now stuck at this sequence:
>
> The key generation command
>
> ['/usr/bin/gpg', '--homedir', '/tmp/tmp-3abk6l8', '--with-colons', '--status-fd',
> '2', '--pinentry-mode', 'loopback', '--batch', '--gen-key', '--command-fd', '0']
>
> with the security-sensitive passphrase-input via the command-fd
>
> b'%echo Generating key\nKey-Type: RSA\nKey-Length: 1024\nSubkey-Type:
> ELG-E\nSubkey-Length: 1024\nName-Real: AutomationKey\nExpire-Date:
> 0\n%commit\n',
>
> will generate following output:
>
> gpg: keybox '/tmp/tmp-3abk6l8/pubring.kbx' created
> gpg: Generating key
> [GNUPG:] INQUIRE_MAXLEN 100
> [GNUPG:] GET_HIDDEN passphrase.enter
> [GNUPG:] GOT_IT
> gpg: agent_genkey failed: Operation cancelled
> gpg: key generation failed: Operation cancelled
> [GNUPG:] ERROR key_generate 33554531
> [GNUPG:] KEY_NOT_CREATED
>
> It seems that agent and gpg are going through some "brain-split" episode as
> the errors seem to indicate, that everyone is thinking the other party
> canceled the transfer. The strace indicates, that gnupg itself sends the
> "cancel" request to the agent and is astonished by the result - it cannot even
> give a meaningful error message about the current condition. As there is no
> other syscall activity, all the reasons for have to be in gpg2.
>
> 2138  write(2, "[GNUPG:] INQUIRE_MAXLEN 100", 27) = 27
> 2138  write(2, "\n", 1) = 1
> 2138  write(2, "[GNUPG:] GET_HIDDEN passphrase.enter", 36) = 36
> 2138  write(2, "\n", 1) = 1
> 2138  read(0, "", 1)= 0
> 2138  write(2, "[GNUPG:] GOT_IT", 15)   = 15   --- not knowing what gnupg
> successfully got here as there is no passphrase to read
> 2138  write(2, "\n", 1) = 1
> 2138  write(3, "CAN", 3)= 3   --- Gnupg sending cancel
> 2138  write(3, "\n", 1) = 1
> 2138  read(3, <unfinished ...>
> 2142  read(9, "CAN\n", 1002)= 4 --- Agent reading cancel
> 2142  getpid()  = 2141
> 2142  write(2, "gpg-agent[2141]: command 'GENKEY' failed: IPC call has been
> cancelled", 69) = 69
> 2142  write(2, "\n", 1) = 1
> 2142  write(9, "ERR 67109141 IPC call has been cancelled <GPG Agent>", 52) = 52  --- Agent telling gnupg about cancel
> 2138  <... read resumed> "ERR 67109141 IPC call has been cancelled <GPG Agent>", 1002) = 52 --- gpg reading cancel
> 2138  read(3, <unfinished ...>
> 2142  write(9, "\n", 1) = 1
> 2138  <... read resumed> "\n", 950) = 1
> 2138  write(2, "gpg: agent_genkey failed: Operation cancelled", 45) = 45
> 2138  write(2, "\n", 1) = 1
> 2138  write(2, "gpg: key generation failed: Operation cancelled", 47) = 47
> 2138  write(2, "\n", 1) = 1
> 2138  write(2, "[GNUPG:] ERROR key_generate 33554531", 36) = 36
> 2138  write(2, "\n", 1) = 1
> 2138  write(2, "[GNUPG:] KEY_NOT_CREATED ", 25) = 25
> 2138  write(2, "\n", 1) = 1
> 2138  read(0, "", 8192) = 0
> 2138  munmap(0x7faad0a44000, 65536) = 0
> 2138  exit_group(2) = ?
> 2138  +++ exited with 2 +++
>
> Does someone know how to fix that?
>
> LG Roman

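The numeric values on the "[GNUPG:] ERROR key_generate 33554531", "ERR 67109141" and "[GNUPG:] FAILURE verify 38" lines quoted in this message are libgpg-error values (low 16 bits: error code; bits 24-30: the component that raised it). The following decoder is an added example, not code from the thread or from GnuPG; the source and code tables are an assumed subset of libgpg-error's constants, and the sample status lines are constructed from the output quoted above.

```python
import re

# Assumed subset of libgpg-error sources (bits 24-30 of the value).
GPG_ERR_SOURCES = {0: "UNKNOWN", 1: "GCRYPT", 2: "GPG", 3: "GPGSM",
                   4: "GPGAGENT", 5: "PINENTRY", 6: "SCD", 15: "ASSUAN"}
# Assumed subset of libgpg-error codes (bits 0-15 of the value).
GPG_ERR_CODES = {0: ("NO_ERROR", "Success"),
                 38: ("UNEXPECTED", "Unexpected error"),
                 99: ("CANCELED", "Operation cancelled"),
                 277: ("ASS_CANCELED", "IPC call has been cancelled")}


def decode_gpg_error(value):
    """Split a gpg_error_t integer into (source name, code name, message)."""
    src = (value >> 24) & 0x7F
    code = value & 0xFFFF
    name, msg = GPG_ERR_CODES.get(code, ("code %d" % code, "unknown error"))
    return GPG_ERR_SOURCES.get(src, "source %d" % src), name, msg


STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def explain_status(lines):
    """Turn --status-fd lines into human-readable findings; other lines are ignored."""
    findings = []
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in ("ERROR", "FAILURE") and len(args) >= 2:
            src, name, msg = decode_gpg_error(int(args[1]))
            findings.append("%s %s: %s (%s) from %s" % (keyword, args[0], name, msg, src))
        elif keyword == "KEY_NOT_CREATED":
            findings.append("no key was written")
        elif keyword == "GET_HIDDEN" and args and args[0] == "passphrase.enter":
            # In --batch mode this prompt only succeeds if the parameter block
            # carries a Passphrase: line or %no-protection.
            findings.append("gpg asked for a passphrase on the command-fd; in --batch "
                            "mode supply Passphrase: or %no-protection in the parameter block")
    return findings


# Constructed sample: the key-generation status output quoted in the thread.
GENKEY_OUTPUT = """[GNUPG:] INQUIRE_MAXLEN 100
[GNUPG:] GET_HIDDEN passphrase.enter
[GNUPG:] GOT_IT
gpg: agent_genkey failed: Operation cancelled
[GNUPG:] ERROR key_generate 33554531
[GNUPG:] KEY_NOT_CREATED""".splitlines()
```

Running `explain_status(GENKEY_OUTPUT)` attributes the cancellation to gpg itself (source GPG, code CANCELED), while `decode_gpg_error(67109141)` shows the agent's reply was ASS_CANCELED, matching the strace.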


Re: revocation troubles & smartcard troubles

2018-09-03 Thread Dirk Gottschalk via Gnupg-users
As long as you did not publish the revocation, delete the key and re-import 
it without the revocation cert. 

On 3 September 2018 17:03:19 CEST, "Roland Siemons (P)" wrote:
>Dear GnuPG,
>
>I am already using GnuPG for a long time. But try to improve my
>understanding of and working with it.
>I became a member of Free Software Foundation Europe, and got a
>smartcard. I wanted to use it.
>
>And that is where the trouble started:
>I intended to copy all my personal keys to the smart card.
>In Kleopatra, I selected "Tools/Manage smartcards"
>Then I selected "Import a certificate from a file", and selected files
>from my laptop.
>I was under the impression that I was copying files to the smartcard.
>By doing so, I not only selected my private key but also my revocation
>key (because, why should I enable a thief of my laptop to revoke my
>key?).
>And then it appeared that I had revoked my entire key pair. Unintended!
>Apparently, under smartcard management, I was not at all copying files
>to the smartcard. Apparently, I was doing something else. Did I at all
>copy files to the smartcard?
>
>Questions:
>Can I UNrevoke that key?
>How can I see what is on the smartcard?
>How can I copy files to the smartcard?
>
>I studied the GnuPG Smartcard How-To
>(www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
>entirely linux oriented.
>I am working on a win7 system.
>
>Can anyone help me further?
>
>Thanks!
>
>Roland

-- 
This message was sent from my Android device with K-9 Mail.


revocation troubles & smartcard troubles

2018-09-03 Thread Roland Siemons (P)
Dear GnuPG,

I am already using GnuPG for a long time. But try to improve my
understanding of and working with it.
I became a member of Free Software Foundation Europe, and got a
smartcard. I wanted to use it.

And that is where the trouble started:
I intended to copy all my personal keys to the smart card.
In Kleopatra, I selected "Tools/Manage smartcards"
Then I selected "Import a certificate from a file", and selected files
from my laptop.
I was under the impression that I was copying files to the smartcard.
By doing so, I not only selected my private key but also my revocation
key (because, why should I enable a thief of my laptop to revoke my key?).
And then it appeared that I had revoked my entire key pair. Unintended!
Apparently, under smartcard management, I was not at all copying files
to the smartcard. Apparently, I was doing something else. Did I at all
copy files to the smartcard?

Questions:
Can I UNrevoke that key?
How can I see what is on the smartcard?
How can I copy files to the smartcard?

I studied the GnuPG Smartcard How-To
(www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
entirely linux oriented.
I am working on a win7 system.

Can anyone help me further?

Thanks!

Roland




Re: "gpg: signing failed: Invalid length" when use brainpool512r1 keys to sign things

2018-09-03 Thread mlnl
Hi,

>> tested & confirmed with GnuPG 2.2.10, libgcrypt 1.8.3 Debian Stretch 9.5
> 
> Not reproducible here (similar on Debian Stretch).
> 
> I tested with no configuration.
> 
> Is it reproducible under no configuration?
> 
> I tested with:
> 
>   $ export GNUPGHOME=/tmp/g; mkdir -m=0700 $GNUPGHOME

I have looked at my gpg.conf and found a commented hint for myself ;):
# cert-digest-algo SHA512 for ECC >= 512-bit

Tested again with cert-digest-algo SHA512 without problems:
pub   brainpoolP512r1/0D9032C369992D8E 2018-09-03 [SCA] [verfällt:
2019-09-03]
Schl.-Fingerabdruck = 2601 6E4C BA25 2686 EEC1  EBB8 0D90 32C3 6999 2D8E
  Keygrip = 985D56A2FE62C404CC0382815C391E01B5769F58
uid  testbp512 

-- 
mlnl



Re: Issue with pinentry GUI agent

2018-09-03 Thread Kristian Fiskerstrand
On 08/29/2018 12:41 AM, Kristian Fiskerstrand wrote:
> On 08/28/2018 08:22 PM, Daniel Kahn Gillmor wrote:
>> On Sat 2018-08-25 08:18:48 +0200, sunri...@gmx.com wrote:
>>> Hi all, since some days I'm having an issue with pinentry, I've set the 
>>> default agent as pinentry-qt4
>>> from update-alternatives (I've also tried pinentry-qt and pinentry-gnome) 
>>> but when I run gpg --decrypt file
>>> it's always falling on the cli for prompting the password. In 
>>> .gnupg/gpg-agent.conf as the first line I have 
>>> pinentry-program /usr/bin/pinentry-qt4 as well, but I don't get why it's 
>>> ignoring it.
>>> There's a way to debug what's going on?
>>
>> can you give a little bit more information about your system (OS,
>> version, version of gpg, version of pinentry, etc), and how you're
>> accessing it (e.g. via ssh, via a graphical environment, etc)?
>>
>> have you terminated your gpg-agent program ("gpgconf --kill gpg-agent")
>> after updating your settings in ~/.gnupg/gpg-agent.conf  so that the
>> settings would take effect?
> 
> Not sure if it is related, but I'm currently also investigating an issue
> with the qt pinentry for Gentoo installations. no similar issues for the
> other ones.. I'm able to reproduce failures with the auto-spawned
> gpg-agent though, that doesn't materialize when calling the pinentry
> application directly in an environment.
> 
> In this case the gtk2 pinentry works as expected though... but something
> is possibly off with the handling of DISPLAY (as far as I've gotten in
> my debugging that is the only diff in the env vars between the direct
> invocation and the bash prompted one, it might not be ultimately relevant)
> 

Just to have it mentioned, it turned out this was an issue with missing
keep-display in gpg-agent.conf; without this the Qt4/5 pinentry fails
(although I've been told it is not an issue in a KDE environment).

gpg-agent without keep-display still seems to send display as argument
in --display :0 style, but this does not seem to be honored.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Strength lies in differences, not in similarities."
(Stephen Covey)





Re: "gpg: signing failed: Invalid length" when use brainpool512r1 keys to sign things

2018-09-03 Thread NIIBE Yutaka
mlnl  wrote:
>> gpg: signing failed: Invalid length
>> gpg: make_keysig_packet failed: Invalid length
>> Key generation failed: Invalid length
>
> tested & confirmed with GnuPG 2.2.10, libgcrypt 1.8.3 Debian Stretch 9.5

Not reproducible here (similar on Debian Stretch).

I tested with no configuration.

Is it reproducible under no configuration?

I tested with:

$ export GNUPGHOME=/tmp/g; mkdir -m=0700 $GNUPGHOME
-- 
