Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Andrew Gallagher

> On 10 Nov 2018, at 00:57, Dirk Gottschalk via Gnupg-users wrote:
> 
> I suggest using a Cron job, or a SystemD timer and service to do a
> refresh on a regular basis.

I’ve found parcimonie to be useful. 

https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Dirk Gottschalk via Gnupg-users
Hello Stefan.

On Saturday, 10.11.2018, 00:41 +0100, Stefan Claas wrote:

> Thanks too, Dirk,

> I already made a refresh.

Yeah, I read it right after I sent my Email.

I suggest using a Cron job, or a SystemD timer and service to do a
refresh on a regular basis.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Stefan Claas
On Sat, 10 Nov 2018 00:00:18 +0100, Dirk Gottschalk wrote:
> Hi Stefan.
> 
> On Friday, 09.11.2018, 16:18 +0100, Stefan Claas wrote:
> > On Fri, 9 Nov 2018 16:12:19 +0100, Peter Lebbing wrote:
> > 
> > [snip]
> > 
> > I get a valid signature but key has expired message, when
> > reading your posting.
> > 
> > Regards
> > Stefan  
> 
> Peter's key is valid. Probably you have to refresh it or you are
> running into an issue I had a while ago with my keyring. Try to
> delete and re-import his key. In my case something with the
> pubring.kbx went wrong. In my case some of the keys were considered
> invalid without a reproducible reason.

Thanks too, Dirk,

I already made a refresh.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Dirk Gottschalk via Gnupg-users
Hi Stefan.

On Friday, 09.11.2018, 16:18 +0100, Stefan Claas wrote:
> On Fri, 9 Nov 2018 16:12:19 +0100, Peter Lebbing wrote:
> 
> [snip]
> 
> I get a valid signature but key has expired message, when
> reading your posting.
> 
> Regards
> Stefan

Peter's key is valid. Probably you have to refresh it or you are running
into an issue I had a while ago with my keyring. Try to delete and
re-import his key. In my case something with the pubring.kbx went wrong.
In my case some of the keys were considered invalid without a
reproducible reason.

Regards,
Dirk

PS: My system makes a nightly key refresh. Probably the expiry date was
changed shortly.

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Problem refreshing keys: Server indicated a failure

2018-11-09 Thread s7r
Hello,

One of my notebooks running apparently fails to refresh keys from key
servers, and has done so for such a long time.

- it is running the latest gpg4win bundle (3.1.4);
- there is no firewall preventing gpg's connection to the key server;
- it just says: refreshing keys from hkps:// and hangs for
10 - 15 minutes, after that ending with: Failed to refresh keys, server
indicated a failure. I have also tried the port 80 Ubuntu key server,
but with no success; I got the same error.

If I try to refresh keys via Thunderbird -> Enigmail (which is tied to
the same, system-wide gpg) I get exactly the same result (error) with
any key server I try. I have checked the servers I am trying to connect
to via their web interface and they all seem accessible. Also ping and
traceroute to them give positive results.

Any ideas?

Thanks in advance.






Re: Refreshing keys (was: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons))

2018-11-09 Thread Stefan Claas
On Fri, 9 Nov 2018 16:40:18 +0100, Peter Lebbing wrote:
> On 09/11/2018 16:18, Stefan Claas wrote:
> > I get a valid signature but key has expired message, when
> > reading your posting.  
> 
> In that case you should refresh your copy of my public key from the
> keyservers or from the URL in my signature:
> 
> $ gpg --refresh-keys pe...@digitalbrains.com

Thanks, now it is o.k.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Guilhem Moulin
Hi,

On Fri, 09 Nov 2018 at 16:12:19 +0100, Peter Lebbing wrote:
> On 07/10/2018 03:01, Daniel Kahn Gillmor wrote:
>> Does this make sense?  you just need to make sure you tie the version of
>> gpg and the keyring into the same initramfs build time.
> 
> The problem is that the gpg invocation is not at the time of building
> the initramfs.

It wasn't, but the hook file is a mere shell script where we can do
pretty much everything (as long as it's nullipotent from the main
system's perspective — besides creating the initramfs image of course).
In fact I implemented dkg's suggestion:

gpg --homedir="$DESTDIR/cryptroot/gnupghome" … --import <"$PUBRING"

is called by the hook file when the initramfs image is generated, using
the very same gpg(1) binary that's copied to the initramfs.  Hence we're
not relying on its homedir's internals, and we're safe as long as gpg(1)
is able to make use of the homedir content it generates (which is
definitely a reasonable assumption), even if the ‘gnupg’ package is
later upgraded to a version with a different keyring format or file
name, and diverges from the version included in the initramfs image.
(In fact the ‘gnupg’ package can even be deleted on systems where one is
certain that the initramfs image won't be updated anymore.)

> I have an idea about elegantly handling the fact that the smartcard stub
> is not known during boot, since there doesn't seem to be a stable
> interface to transferring these stubs, and invoking gpg at initramfs
> build time will leave a running gpg-agent, which is rather avoided. I'll
> work this out when I have the time.

I look forward to seeing that! :-)  FWIW it's not the `gpg` invocation
during initramfs generation that's a blocker, but the fact that listing
secret key material spawns a gpg-agent(1) process, hence breaks
nullipotency.  We could make the hook nullipotent, but at the expense
of a brittle and racy logic I'm reluctant to write or merge into
‘cryptsetup-initramfs’.

Cheers,
-- 
Guilhem.




(OT) Re: Refreshing keys

2018-11-09 Thread Peter Lebbing
Hmmm, normally Thunderbird will snip off the (was: ...) portion of a
Subject:-line on replies, but this thread persisted in having it in and
has just gotten an insane Subject:-line by my doing. Sorry for the messy
Subject:-line, I didn't notice until now.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Refreshing keys (was: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons))

2018-11-09 Thread Peter Lebbing
On 09/11/2018 16:18, Stefan Claas wrote:
> I get a valid signature but key has expired message, when
> reading your posting.

In that case you should refresh your copy of my public key from the
keyservers or from the URL in my signature:

$ gpg --refresh-keys pe...@digitalbrains.com

or

$ gpg --fetch-keys http://digitalbrains.com/2012/openpgp-key-peter

or whatever method you prefer, possibly through your favourite frontend.

FWIW, my key's latest expiry was in October 2017, and then it was
refreshed until October 2019. At least, that's what it looks like to me.
I don't think I made a mistake somewhere, but it could be :-).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



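The "valid signature but key has expired" symptom in this thread goes away once the local copy of the key is refreshed. As an added example (not code from any poster), the script below refreshes keys and then uses gpg's machine-readable --with-colons output to report which primary keys are still expired in the local keyring; this is the kind of check Dirk's nightly cron job could run. The sample records, key IDs and dates are constructed for the demo, not real keys.

```shell
#!/bin/sh
# Colon-format pub record fields (see doc/DETAILS in GnuPG):
#   1 type, 2 validity, 3 key length, 4 algorithm, 5 key ID,
#   6 creation date, 7 expiration date (seconds since epoch), ...
# Validity 'e' means gpg already flags the key as expired; an empty
# field 7 means the key never expires.

# expired_keys: read colon records on stdin, print the key ID of every
# primary key that is flagged expired or whose expiry lies before NOW
# (first argument, seconds since the epoch).
expired_keys() {
    now=$1
    awk -F: -v now="$now" '
        $1 == "pub" {
            if ($2 == "e" || ($7 != "" && ($7 + 0) < (now + 0))) print $5
        }'
}

# refresh_and_report: refresh from the configured keyserver(s), then list
# what is still expired.  Needs a real keyring; not exercised by the demo.
refresh_and_report() {
    gpg --batch --refresh-keys "$@" || echo "refresh failed (server error?)" >&2
    gpg --batch --with-colons --list-keys "$@" | expired_keys "$(date +%s)"
}

# Constructed sample: key 1 valid until 2030, key 2 flagged expired by gpg,
# key 3 never expires, key 4 looks valid but its expiry is already past.
SAMPLE='tru::1:1541800000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1500000000:1900000000::u:::scESC::::::23::0:
uid:u::::1500000000::HASH1::Example One <one@example.invalid>::::::::::0:
pub:e:2048:1:FEDCBA9876543210:1400000000:1500000000::-:::scESC::::::23::0:
uid:e::::1400000000::HASH2::Example Two <two@example.invalid>::::::::::0:
pub:-:4096:1:1111222233334444:1450000000:::-:::scESC::::::23::0:
pub:f:2048:1:AAAABBBBCCCCDDDD:1400000000:1541700000::f:::scESC::::::23::0:'

# Reference time for the sample: 10 Nov 2018 00:00 UTC (the thread's date).
SAMPLE_NOW=1541808000

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | expired_keys "$SAMPLE_NOW"
fi
```

Run with `sh script.sh demo` to see the two expired key IDs from the sample; `refresh_and_report` takes the same key selectors as `gpg --refresh-keys`.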


Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Stefan Claas
On Fri, 9 Nov 2018 16:12:19 +0100, Peter Lebbing wrote:

[snip]

I get a valid signature but key has expired message, when
reading your posting.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Update FAQ about revocation certificates?

2018-11-09 Thread Stefan Claas
On Fri, 09 Nov 2018 09:22:13 +0100, Werner Koch wrote:
> On Thu,  8 Nov 2018 18:34, stefan.cl...@posteo.de said:
> 
> > apartment and accidentally threw away the box
> > in which the revocation cert was stored... :-(  
> 
> :-(
> 
> > How would you proceed now?  
> 
> Fetch your backup which you will have stored at a different
> venue .-)

Thanks, I think I have now learned my lesson... ;-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas




Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-11-09 Thread Peter Lebbing
Daniel, many thanks for thinking about this! I'm sorry I didn't respond
earlier.

On 07/10/2018 03:01, Daniel Kahn Gillmor wrote:
> Does this make sense?  you just need to make sure you tie the version of
> gpg and the keyring into the same initramfs build time.

The problem is that the gpg invocation is not at the time of building
the initramfs. gpg is only invoked once during setup of the
smartcard-encrypted root. In the end, the --export during setup and
--import during early boot is probably the best alternative; since it's
an --import to an empty keyring, this shouldn't waste much time during
every boot anyway.

I have an idea about elegantly handling the fact that the smartcard stub
is not known during boot, since there doesn't seem to be a stable
interface to transferring these stubs, and invoking gpg at initramfs
build time will leave a running gpg-agent, which is rather avoided. I'll
work this out when I have the time.

> I don't know the answer to this about using concatenated TPKs as
> keyring.  Maybe Werner can weigh in?

Yes, I think it's useful to know what is a stable interface and what is
not, so I hope he will.

Thank you,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Update FAQ about revocation certificates?

2018-11-09 Thread Werner Koch
On Thu,  8 Nov 2018 18:34, stefan.cl...@posteo.de said:

> apartment and accidentally threw away the box
> in which the revocation cert was stored... :-(

:-(

> How would you proceed now?

Fetch your backup which you will have stored at a different
venue .-)

Call the locksmith to open the lock; sometimes locksmiths are not able
to do that and will use brute force to open the door.  Then you have to
install a new lock.

With a private key you need to do the same - unfortunately, or better,
fortunately, you also need to build an entire new house and not just a
new lock.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.

