[Announce] GnuPG Made Easy (GPGME) 1.13.0 released

2019-03-26 Thread Werner Koch
Hello!

We are pleased to announce version 1.13.0 of GPGME.

GnuPG Made Easy (GPGME) is a C language library that allows adding
support for cryptography to a program.  It is designed to make access to
public key crypto engines like gpg and gpgsm easier for applications.
GPGME provides a high-level crypto API for encryption, decryption,
signing, signature verification, and key management.  GPGME comes with
language bindings for Common Lisp, C++, Qt, Python 2 and 3.

See https://gnupg.org/software/gpgme for more.


Noteworthy changes in version 1.13.0
====================================

 * Support GPGME_AUDITLOG_DIAG for gpgsm.  [#4426]

 * New context flag "trust-model".

 * Removed support for WindowsCE and Windows ME.

 * Aligned the gpgrt-config code with our other libraries.

 * Auto-check for all installed Python versions.  [#3354]

 * Fixed generating card key in the C++ bindings.  [#4428]

 * Fixed a segv due to bad parameters in genkey.  [#4192]

 * Fixed crash if the plaintext is ignored in a CMS verify.

 * Fixed memleak on Windows.  [T4238]

 * Tweaked the Windows I/O code.

 * Fixed random crashes on Windows due to closing an arbitrary
   handle.  [#4237]

 * Fixed a segv on Windows.  [#4369]

 * Fixed test suite problems related to dtags.  [#4298]

 * Fixed bunch of python bugs.  [#4242,commit 9de1c96ac3cf]

 * Several fixes to the Common Lisp bindings.

 * Fixed minor bugs in gpgme-json.  [#4331,#4341,#4342,#4343]

 * Require trace level 8 to dump all I/O data.

 * The compiler must now support variadic macros.

 * Interface changes relative to the 1.12.0 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 gpgme_set_ctx_flag                  EXTENDED: New flag 'trust-model'.
 cpp: Context::create                NEW.
 cpp: Key::isBad                     NEW.
 cpp: Subkey::isBad                  NEW.
 cpp: UserID::isBad                  NEW.
 cpp: UserID::Signature::isBad       NEW.
 cpp: GenCardKeyInteractor::setAlgo  NEW.
 [c=C33/A22/R0 cpp=C15/A9/R0 qt=C10/A3/R3]

 Release-info: https://dev.gnupg.org/T4376


Download
========

You may download this library and its OpenPGP signature from:

  https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.13.0.tar.bz2 (1777k)
  https://gnupg.org/ftp/gcrypt/gpgme/gpgme-1.13.0.tar.bz2.sig

or from ftp.gnupg.org.  The SHA-1 checksum is

4653b273fd2820ba4d5f382474b3e79a9367beb9  gpgme-1.13.0.tar.bz2

but you better check the integrity using the provided signature. See
 for details.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs two full-time developers and one
contractor.  All work exclusively on GnuPG and closely related software
like Libgcrypt and GPGME.

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.

Many thanks to our numerous financial supporters, both corporate and
individuals.  Without you it would not be possible to keep GnuPG in a
good shape and address all the small and larger requests made by our
users.  Thanks.


Happy hacking,

  Your GnuPG hackers



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-devel 'at' gnupg.org mailing list.

p.p.s 
List of Release Signing Keys:

To guarantee that a downloaded GnuPG version has not been tampered with by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these four keys:

  rsa2048 2011-01-12 [expires: 2019-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2019-12-31]
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB  ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key) 

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key) 

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at  and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.

-- 
Thoughts are free.  Exceptions are governed by a federal law.


___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Please start a new thread

2019-03-26 Thread Matthias Apitz
On Tuesday, March 26, 2019 at 05:00:33PM +0530, Shweta Tyagi wrote:

> Hi Peter,
> How can I start a new thread? Please advise.
> If you have any solution for this, please help me find the solution.
> 

Hi,

This depends on your Mail User Agent. It means "start a new mail with a
new Subject" to the addr gnupg-users@gnupg.org. DO NOT reply to another
thread when you have a new issue/problem/question.

And, DO NOT top post, btw.

matthias
-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars,
Druschba instead of Nazis, to live instead of to survive.



[Announce] GnuPG 2.2.15 released

2019-03-26 Thread Werner Koch
Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.15.  This is a maintenance release; see below for a list
of changes.


About GnuPG
===========

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.15
====================================

  * sm: Fix --logger-fd and --status-fd on Windows for non-standard
    file descriptors.

  * sm: Allow decryption even if expired keys are configured.  [#4431]

  * agent: Change command KEYINFO to print ssh fingerprints with other
    hash algos.

  * dirmngr: Fix build problems on Solaris due to the use of reserved
    symbol names.  [#4420]

  * wkd: New commands --print-wkd-hash and --print-wkd-url for
    gpg-wks-client.

  Release-info: https://dev.gnupg.org/T4434


Getting the Software
====================

Please follow the instructions found at  or
read on:

GnuPG 2.2.15 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.15.tar.bz2 (6548k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.15.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.15_20190326.exe (4078k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.15_20190326.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.15.tar.bz2 you would use this command:

 gpg --verify gnupg-2.2.15.tar.bz2.sig gnupg-2.2.15.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.15.tar.bz2, you run the command like this:

 sha1sum gnupg-2.2.15.tar.bz2

   and check that the output matches the next line:

1909afdad3cf29583126c471298da290399270f4  gnupg-2.2.15.tar.bz2
540abc655dbed525bb216c62e5e43a88f952193c  gnupg-w32-2.2.15_20190326.tar.xz
f5f7eeadfdf6ad971b5313f045083b4f95ace07b  gnupg-w32-2.2.15_20190326.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Japanese,
Norwegian, Russian, and Ukrainian being almost completely translated.


Documentation and Support
=========================

If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to
set up the whole thing.  You may also want to search the 

Re: Please start a new thread

2019-03-26 Thread Shweta Tyagi
Hi Peter,
How can I start a new thread? Please advise.
If you have any solution for this, please help me find the solution.



Shweta Tyagi  Netsuite Technical Consultant
Upaya - The Solution Inc
p: 408-868-4477
w: www.upayasolution.com e: shw...@upayasolution.com
s: shweta.tyagi97
a: 4320 Stevens Creek Blvd Suite # 124, San Jose, CA 95129


Re: Identifying one of multiple authentication subkeys

2019-03-26 Thread Shweta Tyagi
Hi All,

I am using the following command

gpg --batch --passphrase-fd n and it stops the popup which asks for the
passphrase. But when I run this command on Windows server 12 it's not
working; it always shows the popup for the passphrase. Can someone please
help me with how I can stop the popup on Windows server 12.



Shweta Tyagi  Netsuite Technical Consultant
Upaya - The Solution Inc
p: 408-868-4477
w: www.upayasolution.com e: shw...@upayasolution.com
s: shweta.tyagi97
a: 4320 Stevens Creek Blvd Suite # 124, San Jose, CA 95129

Re: Please start a new thread

2019-03-26 Thread Peter Lebbing
Hi Shweta,

On 26/03/2019 12:30, Shweta Tyagi wrote:
> How can start a new thread? Please advise.

Start a new e-mail (rather than replying to one), and address it to
. That will start a new thread.

Oh, I forgot this the previous time, but some mailing list members
might appreciate it if you send a plain-text e-mail rather than one that
has plain text as well as HTML content. If you don't know how to, I
think it is acceptable to send them as you do now (not entirely sure
about how strict that policy is).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Please start a new thread

2019-03-26 Thread Peter Lebbing
Hi,

On 26/03/2019 12:20, Shweta Tyagi wrote:
> gpg --batch --passphrase-fd n and it stops popup which asks for the
> passphrase

Please start a new thread with your question, it is something completely
different than the thread you replied to.

Thanks,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Identifying one of multiple authentication subkeys

2019-03-26 Thread Peter Lebbing
On 26/03/2019 09:16, Werner Koch wrote:
> This lists all keys allowed for ssh with its keygrip (1234...) and the
> corresponding ssh fingerprint (SHA256:PTJI).  Details as usual by using
> 'help keyinfo'.

Right, yes, the comment lines in sshcontrol are also really helpful for
keys in sshcontrol.

I should have been more explicit about my weird edge case.

I use OpenPGP cards with a key in the authentication slot which is not
part of any OpenPGP certificate, and is not in sshcontrol. gpg-agent is
fine with this: if I have the card inserted, it will be offered as an
authentication key to SSH servers. If I don't have the card inserted, it
is not offered. This in contrast to the case where you were to add it to
sshcontrol: then it would /ask/ for the card to be inserted if the
server accepts the key. If it is not in sshcontrol, it will not be
offered for SSH authentication.

In this particular case, it is actually very easy to pick the correct
SSH public key, because gpg-agent will add the comment "cardno:XXX",
where XXX is the serial number of the card, to the public key when you
do ssh-add -l or -L.

It is more difficult to find the keygrip, though. While participating in
this thread, I worked from the assumption that the key, for whatever
reason, was not in sshcontrol, to catch edge cases such as this. I don't
know whether there are other edge cases than this specific one where SSH
keys are not in sshcontrol, though. This might be the only one.

The use case I considered is this: I have a card I use on two PC's, but
one of the PC's also has an on-disk SSH key. Some SSH accounts will only
accept the card for authentication, but there are accounts which accept
either key. If I'm on the machine with the on-disk key and my card is
not inserted, it will pick the on-disk key. If I'm on the PC without
the on-disk key, I cannot log in to that account without inserting the
card.

If the card were in sshcontrol, and it were offered before the on-disk
key, I would be prompted to insert the card. But this would be
unnecessary, since I have an on-disk key that will do the job just as
well.

But I have to say I no longer actually use this scenario :-). I did in
the past, though.

What would actually help in this use case, might be to have
--card-status accept a --with-keygrip option. Then you have the
"cardno:XXX" comment in ssh-add to pick the public key or its
fingerprint, and --card-status to find the keygrip.

> (I don't like the base64 encoding because it is hard to visually compare,
> but that is how it is)

Yes, I totally agree. And when matching stuff together like we do in
this thread, we don't actually use any cryptographic properties of the
fingerprint, there is no adversary. So MD5 might be easier on the eyes,
but it has the disadvantage that the user needs to be /aware/ that they
can get the same fingerprint format from ssh-keygen, ssh-add and
gpg-agent.  If they just see one format here and another there, they
might very well not realise they can be made to match.

So I'm inclined to think the default should be to output it in the same
format in both tools.

Plus, when it's purely for identification purposes, you can skip reading
more letters of the base64 encoding once you've identified the right
key.

> I fixed that for 2.2.15 so that the above option is considered.
> Further, it is also possible to use

Neat! Thanks!

> p.s.  Eventually someone(tm) should write a GUI tool to list and manage
> all kind of private keys in GnuPG.  For example to list all users of a
> certain private key.

:-)

Sorry for the long mail. I didn't see a lot of opportunity to shorten it
without losing clarity. If I were to introduce a misunderstanding, it
will only take even more time to sort out.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Identifying one of multiple authentication subkeys

2019-03-26 Thread Werner Koch
On Mon, 25 Mar 2019 16:02, pe...@digitalbrains.com said:

> But something more user friendly to match SSH fingerprint and keygrip
> could be beneficial. I'm not sure what that would look like and neither

You can build a script based on this:

  $ gpg-connect-agent 'keyinfo --ssh-list --ssh-fpr' /bye
  S KEYINFO 1234[...] D - - - P SHA256:PtJi[...] - S
  [...]

This lists all keys allowed for ssh with its keygrip (1234...) and the
corresponding ssh fingerprint (SHA256:PTJI).  Details as usual by using
'help keyinfo'.

> For one thing, OpenSSH seems to prefer SHA256 SSH fingerprints over the
> old MD5 ones now.

That is right and you can tell gpg-agent this by using

ssh-fingerprint-digest sha256

(I don't like the base64 encoding because it is hard to visually compare,
but that is how it is).  Note that while writing this I noticed that the
KEYINFO command always printed MD5 fingerprints.  I fixed that for
2.2.15 so that the above option is considered.  Further, it is also
possible to use

 keyinfo --ssh-list --ssh-fpr-md5
 keyinfo --ssh-list --ssh-fpr=sha1
 keyinfo --ssh-list --ssh-fpr=sha256

to select a certain fingerprint format independent of the option.


Salam-Shalom,

   Werner


p.s.  Eventually someone(tm) should write a GUI tool to list and manage
all kind of private keys in GnuPG.  For example to list all users of a
certain private key.

-- 
Thoughts are free.  Exceptions are governed by a federal law.


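A script of the kind Werner suggests building on `keyinfo --ssh-list --ssh-fpr`, added here as an example and not part of the thread or of GnuPG: it joins the fingerprints gpg-agent reports with those from `ssh-add -l`, so a keygrip can be looked up from the "cardno:..." comment Peter describes, and it reports when the two tools print different digests (the MD5 versus SHA256 mismatch discussed above). The KEYINFO field order is an assumption taken from the line quoted in the thread, and every keygrip, fingerprint and card serial number in the sample data is constructed.

```python
import re
import subprocess

# Assumed KEYINFO field order, taken from the line quoted in the thread:
#   KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
KEYINFO_RE = re.compile(r"^S KEYINFO (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)")
# `ssh-add -l` line: "<bits> <fingerprint> <comment> (<keytype>)"
SSHADD_RE = re.compile(r"^(\d+) (\S+) (.*) \((\S+)\)$")

# Constructed sample output; keygrips, card serial number and fingerprints are made up.
SAMPLE_KEYINFO = """\
S KEYINFO 1234567890ABCDEF1234567890ABCDEF12345678 D - - - P SHA256:PtJiAbCdEfGhIjKlMnOpQrStUvWxYz0123456789ABCDEFG - S
S KEYINFO 89ABCDEF0123456789ABCDEF0123456789ABCDEF T D2760001240102010006000123450000 OPENPGP.3 - - SHA256:CardKeyMadeUpFingerprintXXXXXXXXXXXXXXXXXXXXX - S
OK
"""
SAMPLE_SSH_ADD = """\
2048 SHA256:PtJiAbCdEfGhIjKlMnOpQrStUvWxYz0123456789ABCDEFG /home/alice/.ssh/id_rsa (RSA)
2048 SHA256:CardKeyMadeUpFingerprintXXXXXXXXXXXXXXXXXXXXX cardno:000600012345 (RSA)
256 SHA256:NotKnownToGpgAgentAtAllYYYYYYYYYYYYYYYYYYYYYY alice@laptop (ED25519)
"""

def norm_fpr(fpr):
    """Canonical form: upper-case digest label, no base64 '=' padding, bare hex bytes => MD5."""
    algo, _, digest = fpr.partition(":")
    if len(algo) == 2:  # "ab:cd:..." without a label is the old MD5 style
        return "MD5:" + fpr.lower()
    return algo.upper() + ":" + digest.rstrip("=")

def parse_keyinfo(text):
    """fingerprint -> (keygrip, flags) from `gpg-connect-agent 'keyinfo --ssh-list --ssh-fpr' /bye`."""
    grips = {}
    for line in text.splitlines():
        m = KEYINFO_RE.match(line)
        if m and m.group(7) != "-":  # skips OK/ERR lines and keys without an ssh fingerprint
            grips[norm_fpr(m.group(7))] = (m.group(1), m.group(9))
    return grips

def parse_ssh_add(text):
    """fingerprint -> (comment, keytype) from `ssh-add -l`; the comment carries "cardno:..." for card keys."""
    keys = {}
    for line in text.splitlines():
        m = SSHADD_RE.match(line)
        if m:
            keys[norm_fpr(m.group(2))] = (m.group(3), m.group(4))
    return keys

def match_keys(keyinfo_text, sshadd_text):
    """One row (fingerprint, keygrip or None, comment, keytype) per key that ssh-add offers."""
    grips = parse_keyinfo(keyinfo_text)
    return [(fpr, grips.get(fpr, (None, None))[0], comment, ktype)
            for fpr, (comment, ktype) in parse_ssh_add(sshadd_text).items()]

def digest_hint(keyinfo_text, sshadd_text):
    """None when both tools share a digest; else explain why nothing matched (e.g. MD5 vs SHA256)."""
    agent = {f.split(":")[0] for f in parse_keyinfo(keyinfo_text)}
    ssh = {f.split(":")[0] for f in parse_ssh_add(sshadd_text)}
    if not agent or not ssh or agent & ssh:
        return None
    return ("gpg-agent prints %s but ssh-add prints %s; use 'keyinfo --ssh-list --ssh-fpr=sha256' "
            "or 'ssh-add -E md5' so both sides use the same digest"
            % (",".join(sorted(agent)), ",".join(sorted(ssh))))

if __name__ == "__main__":
    ki = subprocess.run(["gpg-connect-agent", "keyinfo --ssh-list --ssh-fpr", "/bye"],
                        capture_output=True, text=True).stdout
    sa = subprocess.run(["ssh-add", "-l"], capture_output=True, text=True).stdout
    for fpr, grip, comment, ktype in match_keys(ki, sa):
        print("%-8s %-40s %s  %s" % (ktype, grip or "(not in gpg-agent)", fpr, comment))
    print(digest_hint(ki, sa) or "both tools use the same fingerprint digest")
```

Run without arguments it queries the live gpg-agent and ssh-add; the parsing functions can also be fed saved output from another machine.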