Re: 32768-bit key

2023-07-10 Thread Todd Zullinger via Gnupg-users
Robert J. Hansen via Gnupg-users wrote:
>> I don't know that there's anything to file a bug about.  I
>> don't see any non-rsa4096 keys on the Tails website:
> 
> One of their certificates has a Curve-25519 subkey.  I wonder if that's what
> the original poster saw, and mistook it for being a 25,519-bit subkey.

Ahh, that's a very good guess. I missed that sub key while I
was skimming the list of keys.

-- 
Todd


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: 32768-bit key

2023-07-10 Thread Robert J. Hansen via Gnupg-users

> I don't know that there's anything to file a bug about.  I
> don't see any non-rsa4096 keys on the Tails website:


One of their certificates has a Curve-25519 subkey.  I wonder if that's 
what the original poster saw, and mistook it for being a 25,519-bit 
subkey.




Re: Looking for keyserver software without any validation or fancy features

2023-07-10 Thread Andrew Gallagher via Gnupg-users
(resending because the previous mail went out HTML-only, apologies)

Hi, Bernd.

> hagrid and hockeypuck are total overkill,

(Disclaimer: I’m one of the hockeypuck contributors)

If you have docker-compose installed, it’s *very* easy to spin up a test 
instance of hockeypuck; see the README at 
https://github.com/hockeypuck/hockeypuck

You will need a non-empty keydump to start with, but you can export a single 
key to a file with the suffix “.gpg” and it should suffice.

> and at least hagrid is not
> even /intended/ to be "self hosted".

I’m pretty sure you can self-host hagrid, although I haven’t tested it.

> I have seen https://github.com/SKS-Keyserver/sks-keyserver but still
> have to check it out if it really suits my needs.

SKS-keyserver is very similar to hockeypuck (hockeypuck was first developed as 
an SKS-keyserver replacement). It does have the ability for a quick build that 
serves static files directly without ingesting them into a database in advance; 
however, you will still probably have to build the ptree (at least in its 
default configuration). It also has an unofficial docker image at 
https://registry.hub.docker.com/r/zhusj/sks

> Are there any other options?

https://github.com/PennockTech/openpgpkey-control comes to mind.

A





Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-10 Thread Bernhard Reiter
Michael,

On Friday, 07 July 2023 20:32:15, Michael Richardson wrote:
>     > I should eventually describe the environment.
>
> Yes please.
> Could it go into a wiki page or something that people can comment on and/or
> amend?

feel free to open a page with the info that Werner has already given on
  https://wiki.gnupg.org

Regards,
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Osnabrück District Court, HRB 18998
Managing directors: Frank Koormann, Bernhard Reiter




Re: "gpg --card-edit" with multiple card readers (Yubikey)

2023-07-10 Thread Juanjo via Gnupg-users
On Fri, Jul 7, 2023 at 2:54 PM Werner Koch wrote:
>
> On Fri,  7 Jul 2023 14:22, Juanjo said:
>
> > This works fine with a single Yubikey, but we wanted to have more than
> > one connected at the same time in order to batch-configure them and
> > even to try to use multiple SSH key authentication in specific target
>
> Most of the time I am using several Yubikeys and other smartcards.  Some
> even remotely.  For example I use an SSH connection with socket
> forwarding to our build server.  Over that connection I provide access
> to an Authenticode token, my release key and ssh keys on tokens.
>
> I should eventually describe the environment.  As a starter:
> "no-autostart" in common.conf on the build box, gpg-card with "verify"
> to unlock keys on the desktop for remote use by the build process
> (Authenticode), and some keywords in the private key files (Use-for-p11,
> Use-for-ssh).
>
> To create keys, use gpg-card which can easily be scripted.  Examples:
>
>$ gpg-card list D27600012401000615493283  \
>  -- yubikey disable nfc all \
>  -- yubikey disable usb otp u2f piv oath fido2 \
>  -- yubikey list
>OTP    no   no
>U2F    no   no
>OPGP   yes  no
>PIV    no   no
>OATH   no   no
>FIDO2  no   no

OK, we are currently using Yubico "ykman" to do this job, it's nice
that "gpg-card" can configure this natively.

There are other settings managed via "ykman" that "gpg-card" does not provide:
* The number of PIN retry attempts: ykman openpgp access set-retries
* The touch policy: ykman openpgp keys set-touch

>$ gpg-card
>[...]
>gpg/card> help generate
>GENERATE [--force] [--algo=ALGO{+ALGO2}] KEYREF
>
>Create a new key on a card.
>Use --force to overwrite an existing key.
>Use "help" for ALGO to get a list of known algorithms.
>For OpenPGP cards several algos may be given.
>Note that the OpenPGP key generation is done interactively
>unless a single ALGO or KEYREF are given.
>[Supported by: OpenPGP, PIV]

According to the gpg-card manual [1], only the LIST command accepts a
parameter [n] to select a specific Yubikey (via card number, as provided
by "gpg-card list --cards", or serial number).

But playing a little more with gpg-card (still version 2.3.3) I have
noticed that the LIST command "changes" the default card for the
following commands in the same invocation, so I can achieve my
initial goal:

  $ gpg-card list D27600012401000615493283 -- generate
  $ gpg-card list D27600012401000615493283 -- passwd pinref

where "pinref" is the numeric menu entry you use in interactive mode:

  $ gpg-card
  Reader ...: Yubico YubiKey CCID 02 00
  Card type : yubikey
  Card firmware : 5.4.3
  [...]

  gpg/card> passwd
  OpenPGP card no. XX YY ZZZ detected

  1 - change the PIN
  2 - unblock and set new a PIN
  3 - change the Admin PIN
  4 - set the Reset Code
  Q - quit

  Your selection? Q
  gpg/card> Q

  $

Unfortunately, "gpg-card" doesn't provide the "key-attr" command we
used to change from default rsa2048 to rsa4096.

Werner, thanks for your help, but I think we are going to use the
gnupg version shipped with AlmaLinux 9 and configure the Yubikey one
by one.

Regards,
   Juanjo

> Salam-Shalom,
>
>Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein

[1] https://gnupg.org/documentation/manuals/gnupg24/gpg-card.1.html
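The per-card scripting Juanjo describes above, turned into a small batch script; this is an added example, not code from the thread or from GnuPG. It assumes gpg-card 2.3+ is on PATH, that serials are passed as arguments, and that DRY_RUN=1 should only print the command lines.

```shell
#!/bin/sh
# Added example (not from the thread): apply one gpg-card setup to several
# Yubikeys, using the behaviour Juanjo observed: a leading "list SERIAL"
# selects the card for every command that follows it in the same gpg-card
# invocation. Assumes gpg-card 2.3+ is on PATH and serials are arguments;
# DRY_RUN=1 only prints the command lines for review before any token is touched.
set -eu

GPG_CARD="${GPG_CARD:-gpg-card}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A serial/AID is hex digits only; refuse anything else before it reaches
# a command line (the serial is the only operator-supplied value here).
valid_serial() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# Lock down one card as in Werner's example (NFC off, every USB applet except
# OpenPGP off), then generate keys. Per the quoted help text, generation is
# interactive unless a single ALGO or KEYREF is given, so expect a prompt per card.
lock_down_card() {
    run "$GPG_CARD" list "$1" \
        -- yubikey disable nfc all \
        -- yubikey disable usb otp u2f piv oath fido2 \
        -- generate
}

# Process every serial; invalid ones are skipped and reported through the
# exit status so a typo does not silently leave a card unconfigured.
configure_cards() {
    rc=0
    for serial in "$@"; do
        if valid_serial "$serial"; then
            lock_down_card "$serial"
        else
            printf 'skipping invalid serial: %s\n' "$serial" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run it first with `DRY_RUN=1 sh script.sh SERIAL...` to see exactly which gpg-card lines will be executed against which card.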
