Re: Second OpenPGP-card

2024-02-21 Thread Valtteri Vuorikoski via Gnupg-users
Some Javacards are available in at least larger SIM form factors. IIRC
the NXP J3H145 was available SIM-cut from Smartcard Focus at some
point, but it has been a while since I ordered one.

If it's an option for you to install an OpenPGP applet such as
SmartPGP (https://github.com/github-af/SmartPGP) on such card,
Javacards might be an easier avenue than cutting the official card.

I have a couple of NXP cards and SmartPGP appeared to work fine when I
tried it, but I mostly use them with a PIV applet so not sure about
the state of functionality with current (2.4-era) GnuPG versions.

 -Valtteri


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Hints on how to check for a WKD key (was: Trying to get PKA working)

2024-02-21 Thread Werner Koch via Gnupg-users
On Wed, 21 Feb 2024 15:52, Philip Colmer said:

> that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use
> gpg --homedir "$(mktemp -d)" --verbose --locate-keys
> your.em...@example.org ... and this doesn't work.

It's a wiki and people change it at will and, worse, nobody checks and
updates it.

The above seems to be an old idea to make sure that the key does not yet
exist.  In contrast to --locate-key, --locate-external-key loads the key
from external resources even if it already exists.  Thus this is a
refresh key function.  Some folks don't like to clutter their keyring
with more keys and thus use a temporary GNUPGHOME directory (i.e.
--homedir). For me the above works:

$ gpg --homedir "$(mktemp -d)" --verbose --locate-keys w...@gnupg.org
[...]
gpg: pub  ed25519/63113AE866587D0A 2018-09-28  w...@gnupg.org
gpg: key 63113AE866587D0A: public key "w...@gnupg.org" imported
gpg: no running gpg-agent - starting '/usr/local/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to the agent established
gpg: Total number processed: 1
gpg:   imported: 1
gpg: auto-key-locate found fingerprint AEA84EDCF01AD86C4701C85C63113AE866587D0A
gpg: automatically retrieved 'w...@gnupg.org' via WKD
pub   ed25519 2018-09-28 [SC] [expires: 2027-01-31]
  AEA84EDCF01AD86C4701C85C63113AE866587D0A
uid   [ unknown] w...@gnupg.org
sub   cv25519 2018-09-28 [E] [expired: 2022-01-31]
sub   ed25519 2020-08-04 [S]
sub   brainpoolP384r1 2021-06-28 [E] [expires: 2027-01-10]

Another way to test is

$ gpg-wks-client check -v w...@gnupg.org
gpg-wks-client: public key for 'w...@gnupg.org' found via WKD
gpg-wks-client: fingerprint: AEA84EDCF01AD86C4701C85C63113AE866587D0A
gpg-wks-client: user-id: w...@gnupg.org
gpg-wks-client: created: Mon 01 Oct 2018 05:39:07 PM CEST
gpg-wks-client:   addr-spec: w...@gnupg.org

This is the development version; you need to use the classical thing though:

$ gpg-wks-client --check -v w...@gnupg.org

If you add --debug=ipc you can actually see what has been requested from
the server.  Without any option you just get a return status for
scripting.

Now someone(tm) should update the wiki.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


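Every check above (`--locate-keys` in a fresh homedir, `gpg-wks-client --check`, and what `--debug=ipc` shows) boils down to one HTTPS fetch of a well-known URL derived from the address. The Python below is an added example, not code from this thread or from GnuPG, that builds those URLs the way the WKD draft specifies: SHA-1 of the ASCII-lowercased local part, z-base-32 encoded, advanced method (`openpgpkey.` subdomain) tried before the direct method, with the original local part as the `l` query parameter. The `looks_like_public_key` sanity check (WKD serves binary OpenPGP, not armored text) and the `check_wkd` fetch helper are my own additions, and `Joe.Doe@Example.ORG` is a constructed sample address.

```python
#!/usr/bin/env python3
"""Build and optionally fetch the Web Key Directory URLs for an address.

Added example; not code from the gnupg-users thread or from GnuPG itself.
"""
import hashlib
import sys
import urllib.parse
import urllib.request

# z-base-32 alphabet as used by WKD (Zooko's variant, not RFC 4648 base32).
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32; 20 SHA-1 bytes become exactly 32 characters."""
    out = []
    acc = 0      # bit accumulator holding the not-yet-emitted low bits
    nbits = 0    # number of valid bits in acc
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(acc >> nbits) & 31])
        acc &= (1 << nbits) - 1  # drop the bits already emitted
    if nbits:  # pad a trailing partial group with zero bits (never hit for SHA-1 input)
        out.append(ZB32[(acc << (5 - nbits)) & 31])
    return "".join(out)


def _ascii_lower(s: str) -> str:
    """Map only A-Z to a-z, which is what the WKD draft prescribes for the local part."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def wkd_urls(addr: str) -> dict:
    """Return the WKD hash plus the advanced/direct key and policy URLs for addr."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    domain = domain.lower()
    hashed = zbase32_encode(hashlib.sha1(_ascii_lower(local).encode("utf-8")).digest())
    query = urllib.parse.urlencode({"l": local})  # original local part, case kept
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "hash": hashed,
        "advanced": f"{base_adv}/hu/{hashed}?{query}",
        "direct": f"{base_dir}/hu/{hashed}?{query}",
        "policy_advanced": f"{base_adv}/policy",
        "policy_direct": f"{base_dir}/policy",
    }


def looks_like_public_key(data: bytes) -> bool:
    """True if data starts with a binary OpenPGP public-key packet (tag 6).

    WKD must serve the key in binary form; an armored '-----BEGIN PGP' body or an
    HTML error page is a common server-side mistake this catches.
    """
    if not data or not (data[0] & 0x80):
        return False
    new_format = bool(data[0] & 0x40)
    tag = (data[0] & 0x3F) if new_format else ((data[0] >> 2) & 0x0F)
    return tag == 6


def check_wkd(addr: str, timeout: float = 10.0) -> dict:
    """Try the advanced method first, then the direct method, as the draft requires.

    Needs network access; reports which method answered and whether the body is
    a binary key. Not exercised offline.
    """
    urls = wkd_urls(addr)
    for method in ("advanced", "direct"):
        try:
            with urllib.request.urlopen(urls[method], timeout=timeout) as resp:
                body = resp.read()
        except OSError:  # covers URLError, HTTPError and timeouts
            continue
        return {"method": method, "url": urls[method], "bytes": len(body),
                "binary_key": looks_like_public_key(body)}
    return {"method": None, "url": None, "bytes": 0, "binary_key": False}


if __name__ == "__main__":
    # Constructed sample address; pass a real one on the command line to query it.
    target = sys.argv[1] if len(sys.argv) > 1 else "Joe.Doe@Example.ORG"
    for name, url in wkd_urls(target).items():
        print(f"{name:16} {url}")
    if len(sys.argv) > 1:
        print(check_wkd(target))
```

Run it with no argument to see the URLs gpg would request for the sample address; run it with a real address to fetch them. The URL printed for the method that answers is the one you will see in the `--debug=ipc` output, and a `binary_key: False` result with a non-zero byte count usually means the server is returning an armored key or an error page instead of the binary key.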


Re: Trying to get PKA working

2024-02-21 Thread Philip Colmer via Gnupg-users
Thank you, Werner, for your helpful reply.

One thing I would like to check. You said that gpg
--locate-external-key -v f...@example.org can be used to test this, and
that works. The wiki (https://wiki.gnupg.org/WKDHosting) says to use
gpg --homedir "$(mktemp -d)" --verbose --locate-keys
your.em...@example.org ... and this doesn't work.

Should I be concerned? Do I need to change something for the latter
example to work? Or is that deprecated now and your example is the
valid one?

Regards

Philip

On Wed, 21 Feb 2024 at 11:39, Werner Koch  wrote:
>
> Hi!
>
> Please don't use PKA.  Any remaining support will be removed anyway.
> The Web Key Directory is a far better and easier way to get
> certificates.  In fact it is enabled by default and used transparently
> in Kleopatra and with the Windows GpgOL plugin.  Other Unix mailers
> might also have support for it.
>
> https://wiki.gnupg.org/WKD
>
> But take care; this is a wiki and information may be a bit confusing.
> For example I would suggest to use the gpg-wks-client command
> --install-key or even --mirror to prepare a local copy of the WKD and
> then sync this to the server.  This way you don't need to install the
> web Key Server stuff etc.
>
> Testing is a mere
>
>   gpg --locate-external-key -v f...@example.org
>
>
>
> Salam-Shalom,
>
>Werner
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein



Re: Trying to get PKA working

2024-02-21 Thread Werner Koch via Gnupg-users
Hi!

Please don't use PKA.  Any remaining support will be removed anyway.
The Web Key Directory is a far better and easier way to get
certificates.  In fact it is enabled by default and used transparently
in Kleopatra and with the Windows GpgOL plugin.  Other Unix mailers
might also have support for it.

https://wiki.gnupg.org/WKD

But take care; this is a wiki and information may be a bit confusing.
For example I would suggest to use the gpg-wks-client command
--install-key or even --mirror to prepare a local copy of the WKD and
then sync this to the server.  This way you don't need to install the
web Key Server stuff etc.

Testing is a mere

  gpg --locate-external-key -v f...@example.org



Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Trying to get PKA working

2024-02-21 Thread Philip Colmer via Gnupg-users
Hello all

I'm using gpg 2.2.19:

$ gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ubuntu/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I've followed the instructions I found at
https://gushi.org/make-dns-cert/HOWTO.html to publish a public key via
a TXT record in DNS but, when I get to the testing step of:

echo "foo" | gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt
--armor --auto-key-locate pka -r y...@you.com

(where y...@you.com is the address to be tested) then I get:

error retrieving '' via PKA: No name

I've tried testing it against the author's details
(d...@prime.gushi.org) but I get the same "No name" error.

There wasn't a configuration file in place for gpg so I created one
with just this entry:

auto-key-locate pka

Should there be other entries in that file? Is that why I'm getting
the "No name error"?

Thank you.

Regards

Philip
