Re: get OpenPGP pubkeys authenticated using German personal ID
Hi,

On Wednesday, 31 May 2023 16:55:05 CEST Bernhard Reiter wrote:
> https://pgp.governikus.de/?lang=EN
>
> """
> Governikus provides the online service for authenticating your OpenPGP key on
> behalf of the German Federal Office for Information Security (BSI). This
> online service compares the name read from your ID card, your electronic
> residence permit or eID card for citizens of the European Union with the name
> specified in your OpenPGP key. If the names match, your public key is
> electronically signed by Governikus, confirming the match.
> """
>
> interesting, kind of cool.

Cool, I was thinking about setting something like this up myself as I would love to use my ID card more.

But damn, this website has bad usability. I am using the AusweisApp on my smartphone and used it in the past to sign PDFs using an online service. But that website just says "To continue use AusweisApp2" even if I open the website with my smartphone. The button has no functionality. It does nothing. Okay... Then how the hell do I open it.

When I go to the download site, of course there is no option for Linux. So let's boot a Windows VM and install the software. Which of course requires root access and wants to open up my Windows firewall. Sure! I trust the Government! Here you go.

Then I start the Windows app and it wants to connect either to the smartphone or to an NFC reader. The option to connect to a smartphone is not shown, because apparently, as they need to be in the same WLAN, it is not offered to connect them because the VM, which is running on my laptop in the same WLAN, does not see it as WLAN but as a network. So I failed for now.

And the link to the website on how to get PGP software links to that fishy "openpgp.org" website which lists Gpg4win as "Outlook software" on the same level with Gpg4o? And which links to Claws Mail as PGP software to get a key? WTF.. has no one even checked how a user with no technical understanding should navigate this?

I mean, would 2-3 screenshots on how to generate a PGP key be too much to ask instead of losing the user on a confusing website that lists PGP mail clients?

Sorry for the rant, but this is typical contracted Government software which might follow some "contractual requirements" but from the user experience this comes close to a scam.

I don't understand why I can't use this site on my phone which has the AusweisApp and everything works there. I can't use it in a VM. Maybe when I use my native Windows I could use it. I don't know...

Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: bo...@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702

signature.asc
Description: This is a digitally signed message part.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: En-/Decryption speed for large files (GnuPG and Gpg4win)
Hi,

On Sunday 15 January 2023 10:52:23 CET Christoph Klassen wrote:
> When I was testing the decryption I also tried "gpg --decrypt
> test_file.gpg" (without output file) with the 10 GB file and it took 8
> minutes and 47 seconds. I was wondering why it took longer when GnuPG
> didn't need to create an output file.

Yes, that is expected. Gpg encrypt and decrypt with AES should be mostly IO bound, as with AES-NI instructions it is really fast in the CPU. So not writing the output to disk will result in faster operations. And one of the biggest differences you get is when you encrypt / decrypt on a faster disk.

Another big difference that you will see in the performance of GnuPG is if you use -z 0, which disables compression. Currently GnuPG on the command line disables compression when the input file name already looks compressed, depending on the file name. We want to improve that, especially since Kleopatra hands the filename only in a way that is not used in that compression calculation. E.g. adding media data formats there might already help in a lot of use cases. For uncompressible output, like random data, this will make the largest difference. You can put "compress-level 0" into your gpg.conf to cause Kleopatra to also use that. That issue is: https://dev.gnupg.org/T6332

If you could do a run of your tests and comment in that issue with the results, that would be helpful.

It does not surprise me that Kleopatra is much slower. Due to our architecture, Kleopatra passes data through GPGME directly to GnuPG. This results in additional overhead but gives us more flexibility in what kind of data we encrypt / decrypt, e.g. a mail or something that is not even written on the file system. For some parts we want to change that. Most notably, Ingo is currently working on Gpgtar. Gpgtar can nowadays directly encrypt / decrypt, so there is no need to pipe the input / output of GnuPG to or from GpgTar. Using GpgTar directly should help a lot when working with larger archives. https://dev.gnupg.org/T5478

We also already increased the buffer size in GPGME to reduce the number of callbacks we do internally, but there can be more optimization there. Currently our recommendation for large data is to use the command line directly, which will always be fastest as there is no overhead.

> Did someone of you also try to en-/decrypt larger files? Maybe even
> files that are larger than 1 TB? It would be really nice to know how
> long GnuPG and Gpg4win are busy with such large files.

I think my largest tests were around 40GB. But I don't have the numbers anymore; the testing I did there was mostly because there were reports that Kleopatra crashes on such large files. Maybe you can open a ticket for this with a reference to https://dev.gnupg.org/T5478 about performance problems when decrypting / encrypting large files (in contrast to archives).

Best Regards,
Andre

P.S. We are currently also looking at the startup / initial keycache building time of Kleopatra. This might also be interesting for those looking at Kleo performance. https://dev.gnupg.org/T6259
[Announce] GnuPG 2.3.7 released
erm keys of their respective owners. Current releases are signed by one or more of these four keys:

  rsa3072 2017-03-17 [expires: 2027-03-15]
  5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

  ed25519 2020-08-24 [expires: 2030-06-30]
  6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
  Werner Koch (dist signing 2020)

  ed25519 2021-05-19 [expires: 2027-04-04]
  AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
  Niibe Yutaka (GnuPG Release Key)

  brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
  02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
  GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and in any recently released GnuPG tarball in the file g10/distsigkey.gpg. Note that this mail has been signed by a different key.

Since Werner Koch is currently only partially available, this announcement was signed by Andre Heinecke.

--
GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: bo...@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-211-28010702

___
Gnupg-announce mailing list
gnupg-annou...@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce
Re: Protect email experience not Subject:s (hypothesis, draft)
Hi,

On Friday 29 January 2021 17:52:25 CET Bernhard Reiter wrote:
> for many months now, my feeling is growing that
>
> encrypted subject headers in emails
> shift the security balance in the wrong direction.

I share that feeling. My goal that encrypted mails do not feel much different from unencrypted mails is made harder by subject encryption. So from a security vs. usability standpoint, which assumes that if usability is bad, users will not encrypt mails, or at least fewer mails, I come to the same conclusion.

This discussion is very relevant for me because GpgOL is starting to include protected-headers MIME parts with the next version to transfer To and CC information. Putting the subject into it would be easy, but it's more of a policy decision whether we want to encourage or discourage this.

> If it is understood that the header section is like notes
> on a paper envelope, needed for mail transport and to be able to be seen by
> the transporting agents, this can be used to assess what can be learned
> from it. And then common ways of distracting from the contents can be used.
> (I write 'common ways', because this is a core of my concept about how to
> get end-to-end encryption - especially email - more usable: People already
> know social ways how to deal with different levels of confidentiality.
> Software applications need not hide the aspects too much.)

I agree with the mental image of notes on an envelope; this is also how I try to explain the Subject. We could probably try to explain this better, e.g. by showing this as information once the first encrypted mail is sent.

> == Valid use cases?
> Where the "Subject:" is a lot more than a writing on the envelope.
>
> * Example: a roundup-tracker fully run with OpenPGP/MIME mails,
>   by default it changes the title of an issue and there can be
>   commands to control the issue in the subject. (Also an example
>   where backwards compatibility failed.)
>
> Implementation idea: per recipient (group) settings to explicitly
> enable encrypted subjects for those groups and contexts where it is
> known to be more useful.

I'm not sure; if the users configure such rules by themselves, they already have an awareness that they don't really need automation for this. And if an admin preconfigures this for a whole institution, we have the bad user experience that the subject is "sometimes" encrypted. That would be even more confusing.

Currently for GpgOL I'm tending to a global option to encrypt the subject, which would be off by default and show a warning when it is activated that recipients will only see "..." in their message list and threading etc. will be broken. Just having the option and a warning related to the option could raise awareness about the issue.

Best Regards,
Andre
Re: how to use WKD with python3?
Hi,

I'll try to answer this even though I don't completely know how to do it in Python, but I know how it's done in C / C++.

On Wednesday 3 June 2020 12:52:46 CEST Ludwig Reiter wrote:
> how do I get public keys over WKD with python3/gpgme?

You can do a keylist with KEYLIST_MODE_LOCATE for a single mbox. If Python does not have that (it was added later), this mode is KEYLIST_MODE_EXTERNAL | KEYLIST_MODE_LOCAL. So I think it would be:

  ctx.keylist(some_uid, mode=(gpg.constants.keylist.mode.LOCAL | gpg.constants.keylist.mode.EXTERNAL))

or:

  ctx.keylist(some_uid, mode=gpg.constants.keylist.mode.LOCATE)

> I didn't find anything about this in the web. It seems like python3-gpg
> doesn't support to use WKD.

You can force that only WKD is used in the keylist if you set the auto-key-locate context flag (gpgme_set_ctx_flag) to "clear,nodefault,wkd".

> Can someone point me to a good start point?

Good starting points are usually our "run-foo" test tools under gpgme/tests. I usually use them as a starting point and example. We maintain these tools because we usually use them when developing new features. ;-)

Best regards,
Andre
Re: [openpgp-email] Invitation to the 5th OpenPGP Email Summit
Hi,

On Sunday 8 September 2019 13:40:55 CEST Patrick Brunschwig wrote:
> Up to now, I only got 12 replies.
>
> *Reminder: Please send me a mail if you plan to come*

The GnuPG e.V. would cover the costs for privateers, those of you that do not work for OpenPGP-Email at your job, again. Just send a request to bo...@gnupg.org

Best Regards,
Andre

--
GnuPG.com - a brand of g10 Code, the GnuPG experts.
g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.
GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
Vorstand: W.Koch, M.Gollowitzer, A.Heinecke. Mail: bo...@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779. Tel: +49-2104-4938799
Re: GnuPG 2.2.8 -- Trouble Decrypting using PowerShell script
Hi,

just as a bit of advertising: there is professional support available under gpg4win-professio...@gpg4win.org

I'm answering your problem inline below:

On Monday, October 22, 2018 6:03:46 PM CEST Vijay. Akunuri wrote:
> In command prompt we are using "& gpg -d --batch --passphrase comment C:\projects\successfactors\SuccessionTalentPool\incoming_files\Succession_Talent_Pool_Tableau_Report.csv.pgp "
>
> We are passing the passphrase but when we run the script a window pops up to enter the passphrase manually like this below.

Your command is missing "--pinentry-mode loopback". See:
https://wiki.gnupg.org/TroubleShooting#Passphrase_on_the_command_line

E.g.:

  gpg --pinentry-mode loopback -d --batch --passphrase comment C:\projects\successfactors\SuccessionTalentPool\incoming_files\Succession_Talent_Pool_Tableau_Report.csv.pgp

> On local if enter the passphrase in above prompted window then it is able to
> decrypt the file. But on servers we can do that manually and that is the
> reason we are passing it to command prompt.

As a scheduled job on a server you might also want to set an explicit homedir in your command. See:
https://wiki.gnupg.org/TroubleShooting#Windows_.3E_8_and_Server_2012_Task_Scheduler_Problems

> Kindly help us in resolving this issue. Let me know if you need more
> information.

I'm working professionally for Gpg4win. So please consider a voluntary payment to Gpg4win or donation to GnuPG if this helped to solve your problem. :-)

Best Regards,
Andre Heinecke

--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: Get notation value through --with-colons interface
Hi,

On Monday, October 8, 2018 8:42:01 PM CEST Wiktor Kwapisiewicz via Gnupg-users wrote:
> Is there any way to access it via API-like interface?

GPGME does:

  gpg --with-colons --list-options show-sig-subpackets=\"20,26\" \
      --list-sigs 6C8857E0D8E8F074

Best Regards,
Andre
Re: converting gpg files into PEM and certification change confusion
Hi,

On Friday, September 28, 2018 7:48:08 AM CEST Werner Koch wrote:
> It is not possible to mix both protocols. There is one exception: With
> a bit of magic it is possible to use a key stored on a smartcard by
> both protocols. This is because down at the lowest math level both use
> the same algorithms.

Oh! I would personally be very interested in that. I was asked this in support and so far have answered -> Impossible.

Any hints / documentation on how to achieve this?

Regards,
Andre
Re: cannot decrypt file symmetric encrypted
On Monday, August 6, 2018 9:28:21 AM CEST Stefano Tranquillini wrote:
> i don't think that's the case. is there a way to force the program to ask
> passphrase?

Try adding "--pinentry-mode loopback" to your command.

Maybe there is a problem with your installation / pinentry program so that it does not start, or you are accidentally using a dummy / test pinentry which provides the wrong passphrase.
Re: dirmngr cygwin resolv.conf
On Wednesday, July 4, 2018 2:25:41 PM CEST Werner Koch wrote:
> We should not try to fix bugs for Cygwin
> given that Cygwin is not officially supported.

I think that you have spent already way too much time with this thread. ;-)

IMO even a

  #ifdef __CYGWIN__
  # error No you don't
  #endif

in a central place would be appropriate. As the same policy is implicitly already applied for the much more important MSVC Windows target.

There is one maintained way to get GnuPG on Windows: cross compile it with mingw-w64 and run it natively.

Best Regards,
Andre
Re: How in Windows batch script generate Unattended key? option --batch
Hi,

On Thursday 7 June 2018 15:49:40 CEST Piotr Przeklasa wrote:
> How in Windows batch script generate Unattended key? option --batch

The new "quick-gen-key" command is more convenient than the old batch gen key mechanism. E.g. to create a key without passphrase for "f...@bar.baz" you can run:

  gpg --yes --pinentry-mode loopback --passphrase '' --quick-gen-key f...@bar.baz

Best Regards,
Andre
Re: smartcards and GPGME
Hi,

On Sunday, May 13, 2018 6:26:04 PM CEST Jacob Adams wrote:
> As part of a program I'm writing this summer for GSoC, I'd like to be
> able to both move gpg private keys to a smartcard and generate keys on
> the smartcard from an application. While this can be done from gpg, it
> doesn't look like I can do so from GPGME or any other wrappers that
> exist. Have I missed something or is this simply not possible yet?
>
> While I could wrap this functionality of gpg, I'd really prefer not to
> and I'd rather not drop the user to a gpg prompt if I don't have to.

This is both pretty complicated through GPGME, as there is indeed not a direct interface. Kleopatra and GPA use the "AssuanEngine" of GPGME to connect to the gpg-agent's Assuan interface and issue / parse commands directly through that connection.

You might want to take a look at GPA's implementation:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpa.git;a=blob;f=src/cm-openpgp.c

Alternatively, instead of wrapping gpg (and using the complicated edit interface) you could also wrap "gpg-connect-agent" and issue commands to scdaemon through that.

Best Regards,
Andre
Re: Hi , request help on a problem with gnupg that gpg decryption does not return after creating the decrypted file
Hi,

On Friday, May 11, 2018 10:27:34 AM CEST arinit wrote:
> Requesting inputs from anyone, if you have faced any issues on GPG decryption which is done uninteractively
>
> The version used is: gpg (GnuPG) Version: 2.2.4 / libgcrypt 1.8.2 windows
> And automated job is scheduled from controlM to run on a Windows Edition - Windows Server 2016 Datacenter.
> The return code is empty for decryption, even if it is handled at shell level, it looks GPG agent hangs and the job does not exit
> The automated job uses commands like below along with other housekeeping functionality
> gpg --debug-all -vvv --batch --pinentry-mode loopback --passphrase-file -o “ouputfile” --yes –decrypt “file to decrypt”
> if it is made to kill the gpg agent uninteractively after the outputs are generated then only the job exits with ok status

In addition to the note about the missing argument to passphrase-file, it might also be that you are running into:
https://wiki.gnupg.org/TroubleShooting#Windows_.3E_8_and_Server_2012_Task_Scheduler_Problems

Using the task scheduler, GnuPG has a different home directory, so you might want to pass the --homedir parameter to specify directly which home directory (the directory with the keys etc.) should be used.

Best Regards,
Andre Heinecke
Re: Can not decrypt and verify CD's
Hi,

On Thursday, April 26, 2018 4:36:59 PM CEST Liana Falchetti wrote:
> I work at a credit union that gets CD's with archived information on them
> that upon arrival need to be decrypted and verified by the GnuPG software.
>
> I have to say that I have never used GnuPG software for anything except
> decrypting and verifying these particular CD's. This past week I went to
> try and decrypt one of the CD's and now I can't get the passphrase box to
> pop up in order to download the contents. I have tried absolutely
> everything and anything I can think of including googling the error messages
> I am getting. I have no idea what I did to get this to not work properly.
>
> We are actually on a data center network or like a cloud environment, if you
> will, with our data processor and the first time the Kleopatra software
> needed to be re-installed if what installed on the terminal server but I can
> not run CD's on the DCN and therefore, it was then put on my desktop.
>
> This is what it looks like, which looks normal to me.

Normal but outdated ;-)

> But when I tried to decrypt and verify the CD I always get this. I have
> tried to certify and import the keys and nothing is working.

This says (badly) that this file is not encrypted to the private key you have.

> Every time I try to import keys:
> Could Not Determine the Certificate type of C:Program
> File/GNU/GnuPG/Kleopatra.exe.

Please update to Gpg4win-3.1.0; it's much better at detecting / importing certificates and allows you to import certificates by double click.

> I also have the private key, as well as, the passphrase. I did change the
> passphrase today to see if that would help but of course it didn't.

No, the error is that the file is not encrypted to your private key. Changing the passphrase won't help. Kleopatra 3.1.0 should show an improved error and show you to which keys it is actually encrypted.

Alternatively you can open the command line (cmd.exe) and call "gpg --decrypt "; this will definitely show to which keys it is encrypted.

Best Regards,
Andre Heinecke
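The two Windows threads above (the scheduled decryption that pops up a passphrase window or hangs, and the CD that turns out to be encrypted to a key the user does not have) share one pattern: an unattended job needs the loopback pinentry, an explicit home directory, and a way to learn which key a file is encrypted to without a human reading gpg's stderr. The wrapper below is an added example, not code from the list posts, Gpg4win or GnuPG. It assumes a GnuPG 2.1 or later `gpg` on PATH, a passphrase file readable only by the job's service account, and a home directory chosen explicitly; the names `build_decrypt_argv`, `parse_status`, `classify` and `decrypt_file` are the example's own. It reads the documented `--status-fd` tokens (ENC_TO, NO_SECKEY, DECRYPTION_OKAY, BAD_PASSPHRASE, NODATA) rather than scraping human-readable output, reports the recipient key ids when the secret key is missing, and applies a timeout so a stuck agent fails the job instead of blocking it.

```python
"""Unattended gpg decryption with status-line parsing.

Added example (not from the list posts or the GnuPG project). Assumptions:
a GnuPG 2.1+ `gpg` on PATH, a passphrase file readable only by the job's
service account, and a home directory chosen explicitly (under the task
scheduler gpg may otherwise use a different profile). The function names
are this example's own.
"""
import subprocess
from typing import Dict, List

StatusMap = Dict[str, List[List[str]]]


def build_decrypt_argv(in_file: str, out_file: str,
                       passphrase_file: str, homedir: str) -> List[str]:
    """Command line for a decryption that must never open a pinentry window.

    --pinentry-mode loopback makes gpg take the passphrase from the caller,
    --batch/--yes suppress every prompt, --homedir pins the keyring location,
    and --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout.
    """
    return [
        "gpg", "--batch", "--yes",
        "--pinentry-mode", "loopback",
        "--passphrase-file", passphrase_file,
        "--homedir", homedir,
        "--status-fd", "1",
        "--output", out_file,
        "--decrypt", in_file,
    ]


def parse_status(stdout: str) -> StatusMap:
    """Group "[GNUPG:] TOKEN arg..." lines by token, keeping every occurrence."""
    status: StatusMap = {}
    for line in stdout.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split()
        if fields:
            status.setdefault(fields[0], []).append(fields[1:])
    return status


def classify(status: StatusMap, returncode: int) -> str:
    """Map status tokens to a diagnosis a job log can act on."""
    if returncode == 0 and "DECRYPTION_OKAY" in status:
        return "ok"
    if "NO_SECKEY" in status:
        # Encrypted, but not to any secret key in this homedir: report the
        # recipient key ids from ENC_TO so the operator can see which key
        # the sender actually used (the "cannot decrypt CD" case).
        recipients = ",".join(a[0] for a in status.get("ENC_TO", []) if a)
        return "no-secret-key:" + recipients
    if "BAD_PASSPHRASE" in status or "MISSING_PASSPHRASE" in status:
        return "bad-passphrase"
    if "NODATA" in status:
        return "not-openpgp-data"
    return "failed:%d" % returncode


def decrypt_file(in_file: str, out_file: str, passphrase_file: str,
                 homedir: str, timeout_s: int = 600) -> str:
    """Run gpg and return the diagnosis; a stuck agent becomes "timeout"."""
    argv = build_decrypt_argv(in_file, out_file, passphrase_file, homedir)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "timeout"
    except FileNotFoundError:
        return "gpg-not-found"
    return classify(parse_status(proc.stdout), proc.returncode)


# Constructed status output, modelled on the token names in gpg's DETAILS
# documentation, so the classifier can be exercised without a keyring.
SAMPLE_STATUS_WRONG_KEY = """\
[GNUPG:] ENC_TO 0123456789ABCDEF 1 0
[GNUPG:] NO_SECKEY 0123456789ABCDEF
[GNUPG:] DECRYPTION_FAILED
"""
SAMPLE_STATUS_OK = """\
[GNUPG:] ENC_TO FEDCBA9876543210 18 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    print(classify(parse_status(SAMPLE_STATUS_WRONG_KEY), 2))  # no-secret-key:0123456789ABCDEF
    print(classify(parse_status(SAMPLE_STATUS_OK), 0))         # ok
```

Keep the passphrase in a file with permissions restricted to the account the scheduled task runs as, never on the command line where other processes can read it, and run the task as that same account so the `--homedir` you pass is the one whose keys were imported.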
Re: Speedo build error on GnuPG 2.2.6
Hi,

thanks for trying out up to date GnuPG :-)

On Tuesday, April 17, 2018 5:55:26 PM CEST Yuki Ito wrote:
> The build script verifies GnuPG version based on gnupg21_ver in swdb.lst:
> https://dev.gnupg.org/source/gnupg/browse/master/build-aux/getswdb.sh;6fbe2ddbaf5123ae444c95fdf8da67840f794c76$178
>
> But gnupg21_ver seems to be deleted by this commit:
> https://dev.gnupg.org/rD2094fc1631aca2659732e0b28e03012e2dc67127

I noticed that, too, and fixed it in the stable branch (should be merged into master soon):
https://dev.gnupg.org/rG327fece0aed2c9974659c72304f9fd1f461d460c

Can you try to cherry pick that commit and see if it works?

When building from Git I also use SELFCHECK=0 to avoid version problems. What works for me is:

  /usr/bin/make -f build-aux/speedo.mk native \
      INSTALL_PREFIX=/opt/gnupg SELFCHECK=0

That works for me.

Best Regards,
Andre
Re: GnuPG usage for automatic remote decryption
Hi,

On Thursday, April 5, 2018 9:46:25 PM CEST gnupg-users.d...@o.banes.ch wrote:
> Two points:
> A) You could try to automatically ssh into the remote machine to
> trigger decryption and passphrase entry.

For this use case I'm using AgentForwarding (https://wiki.gnupg.org/AgentForwarding). The GnuPG on the remote machine connects to a local gpg-agent. This allows me to SSH to a remote machine and do crypto there with secret keys that live on my local machine / security tokens. And I only need to enter the passphrase on the local machine.

Best Regards,
Andre
Re: Followup: gpgme_set_passphrase_cb not working...
Hi,

On Wednesday, March 21, 2018 7:05:57 PM CET Mike Inman wrote:
> FWIW, here's the log entry from an attempt to use gpgme_set_passphrase_cb
> on a symmetric encryption. For some reason I still cannot figure out, my
> callback function isn't being used, the system prompt still appears (twice,
> once to confirm.)

From the other thread I take it that you are using GPGME with GnuPG-2.0.28? In the log I don't see the gpg version, but I didn't see it mentioned in the other thread that the GnuPG-2.0.x series does not support the passphrase callback.

I ran into the same problem some time ago and documented it as a note in the GPGME manual, https://www.gnupg.org/documentation/manuals/gpgme/Passphrase-Callback.html#Passphrase-Callback :

"Note: The passphrase_cb only works with GnuPG 1.x and 2.1.x and not with the 2.0.x series."

An ugly workaround could be to use some kind of fake pinentry (see the tests in GPGME) and configure that in the gpg-agent.conf. But you are probably better off bundling a 2.1 / 2.2 version of GnuPG with your application.

Best Regards,
Andre
Re: Dirmngr fails to communicate with keyservers (W32 binaries for GnuPG 2.1.22)
Hi,

On Sunday, July 30, 2017 11:41:01 AM CEST Kosuke Kaizuka wrote:
> On Sat, 29 Jul 2017 14:58:09 +0100, MFPA wrote:
> > I have installed the W32 package for GnuPG 2.1.22 and I find keys
> > cannot be sent to keyservers, or fetched/refreshed. The operation
> > fails with the message "keyserver send failed: Resource temporarily
> > unavailable".
> >
> > In the event the dirmngr from 2.1.21 is already running, the operation
> > succeeds.

Yes, slipped our testing. We are working on it: https://dev.gnupg.org/T3318

Regards,
Andre
Re: How to NOT gnutar files during encryption?
Hi,

On Tuesday, July 18, 2017 4:30:13 PM CEST helices wrote:
> How can this new client NOT gnutar files, and still properly encrypt the
> ZIP file?

The client could create a ZIP archive with the files and then encrypt that as a single file. Kleopatra has no built-in support for ZIP + Encrypt.

FWIW Kleopatra would have automatically chosen a filename like archive.tar.gpg, so your client must have manually changed that to have some kind of zip extension.

On the other hand you could extend your process to also accept tarballs ;-)

Regards,
Andre
Hosting a Web Key Directory
Hi!

I just published how to host your own Web Key Directory on the gnupg blog. Find below a plain text version of my blog entry

https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html

Andre

1 Hosting a Web Key Directory
═════════════════════════════

With the improvements in GnuPG for Key Discovery (see: [Key Discovery Made Simple]) you may want to provide the OpenPGP keys for your domain.

The Web Key Service (WKS) describes a protocol for Mail Service Providers or large organisations to maintain a Web Key Directory (WKD) for their users. A Web Key Directory is a static collection of keys provided under well known URLs under your domain. This directory can also be manually generated without using the Web Key Service protocol.

By providing a Web Key Directory other people (or their Mail Software) can obtain the OpenPGP keys for your domain with a simple query like:

┌────
│ $ gpg --auto-key-locate wkd --locate-keys
└────

In this note, I explain how to do that.

Note: An updated version of this article may be available in the [GnuPG Wiki]

[Key Discovery Made Simple] https://www.gnupg.org/blog/20160830-web-key-service.html
[GnuPG Wiki] https://wiki.gnupg.org/WKD#Hosting%20a%20Web%20Key%20Directory

1.1 Requirements
────────────────

• A web server that provides https with a trusted certificate for your domain.
• A client machine with Python and PyME installed (debian package python-pyme)
• The script: [generate-openpgpkey-hu] (in the [Mercurial repository "wkd-tools"])

[generate-openpgpkey-hu] https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu
[Mercurial repository "wkd-tools"] https://hg.intevation.de/gnupg/wkd-tools/

1.2 Setup
─────────

You can either export all the keys in your keyring that belong to a domain or provide an explicit keyring containing just those keys that you want to publish.

The call:

┌────
│ $ ./generate-openpgpkey-hu example.com hu
└────

Will create a directory called hu containing all the keys with user ids that include @example.com.
If there are multiple valid keys for a user in your keyring this command will error out. In that case you can prepare a keyring with only the keys that you want to publish. For example:

┌────
│ $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
│ > gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
└────

And then provide that keyring to generate-openpgpkey-hu:

┌────
│ ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
└────

1.3 Publishing
──────────────

The hu directory has to be published on your server as

┌────
│ https://example.com/.well-known/openpgpkey/hu/
└────

Create the directory structure and set the permissions accordingly.

This example [Makefile] automates the hu directory generation and publishing. Edit the variables at the top of the makefile to set `RSYNC_TARGET'. The `KEYRING' variable is optional and can be left empty.

That's it. You can now test your setup by calling:

┌────
│ $ gpg --auto-key-locate wkd --locate-keys
└────

you should see something like this:

┌────
│ gpg: key AC12F94881D28CB7: public key "testuse...@test.gnupg.org" imported
│ gpg: Total number processed: 1
│ gpg:               imported: 1
│ gpg: automatically retrieved 'testuse...@test.gnupg.org' via WKD
│ pub   ed25519 2016-07-15 [SC]
│       5506894357DC548CC65B0BCFAC12F94881D28CB7
│ uid           [ unknown] testuse...@test.gnupg.org
│ sub   cv25519 2016-07-15 [E]
└────

[Makefile] https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example
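The file name under hu/ that the generate-openpgpkey-hu script computes can be reproduced without PyME, which is useful when checking a directory someone else published. The block below is an added example (my code, not the post's script or anything from wkd-tools): it implements the hashed user id mapping from the WKD draft (lower-case the local part, SHA-1 it, z-base-32 encode the 20-byte digest, giving a fixed 32-character name), builds the URL a client requests, and writes hu/<hash> files from binary key blobs. The key material in the demo is a constructed placeholder, not a real key; the empty `policy` file and the `openpgpkey.<domain>` "advanced" URL form come from later revisions of the draft than the 2016 post and are assumptions about what a current client expects. To cross-check against GnuPG itself, `gpg --with-wkd-hash --fingerprint user@example.com` prints the same hash next to the user id, and `gpg --export KEYID` without `--armor` produces the blob to publish.

```python
"""Build the hu/ directory of a Web Key Directory by hand (added example)."""
import hashlib
import os

# z-base-32 alphabet as used by WKD (not RFC 4648 base32)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 without padding characters; trailing bits are zero-padded."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZBASE32[(value >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """Hashed user id: z-base-32(SHA-1(lower-cased local part)), always 32 chars."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_url(email: str, advanced: bool = False) -> str:
    """URL a client requests. The direct method is what the 2016 post sets up;
    the advanced method (openpgpkey.<domain>) was added to the draft later."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    if advanced:
        return ("https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s"
                % (domain, domain, h, local))
    return "https://%s/.well-known/openpgpkey/hu/%s?l=%s" % (domain, h, local)


def write_hu_dir(keys: dict, domain: str, outdir: str) -> list:
    """keys maps 'user@domain' -> binary key blob (output of `gpg --export KEYID`).

    Writes outdir/hu/<hash> for every address in `domain` and an empty
    outdir/policy file; publish outdir as https://<domain>/.well-known/openpgpkey/.
    Returns the paths written.
    """
    hu = os.path.join(outdir, "hu")
    os.makedirs(hu, exist_ok=True)
    open(os.path.join(outdir, "policy"), "wb").close()   # later drafts require it
    written = []
    for email, blob in keys.items():
        local, dom = email.rsplit("@", 1)
        if dom.lower() != domain.lower():
            continue                                      # not our domain
        if blob.startswith(b"-----BEGIN"):
            raise ValueError("%s: export the key without --armor" % email)
        path = os.path.join(hu, wkd_hash(local))
        with open(path, "wb") as f:
            f.write(blob)
        written.append(path)
    return written


if __name__ == "__main__":
    # Constructed demo input: the blob is NOT a real key, only a placeholder.
    demo_keys = {"Joe.Doe@example.org": b"\x99\x00\x01\x00"}
    print(wkd_hash("Joe.Doe"))
    print(wkd_url("Joe.Doe@example.org"))
    print(wkd_url("Joe.Doe@example.org", advanced=True))
    print(write_hu_dir(demo_keys, "example.org", "wkd-demo-out"))
```

Two details bite in practice: the lookup is by local part only, so two addresses that differ only in case map to the same file, and clients silently ignore an armored file, so the "no such key" failure looks identical to a missing file.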
Re: Agent forwarding failure when the socketdir was autodeleted
Hi,

On Wednesday 05 October 2016 13:46:51 Daniel Kahn Gillmor wrote:
> > You may use
> >
> >   gpgconf --create-socketdir
> >
> > to create the directory w/o running any daemon. It is a NOP if the
> > directory already exists.

Yes, that works but it's still a bit kludgy. I'd like to have it working in a single ssh command.

> The trouble is that the socket directory needs to be created before ssh
> tries to forward the socket. when doing a forward from the command
> line, the ssh channel that does socket forwarding is often established
> before the channel that runs any shell or other interactive behavior.
>
> I really think this ought to be handled in OpenSSH.

Exactly. I wrote a mail to openssh-unix-dev as you suggested to ask about that. Let's see :-)

Regards,
Andre
Re: Agent forwarding failure when the socketdir was autodeleted
Hi,

On Tuesday 04 October 2016 11:26:59 Daniel Kahn Gillmor wrote:
> > But if I am not logged in or there is no gnupg process running. systemd
> > autodeletes /var/run/user//gnupg this causes the remote forward of the
> > Socket to fail because the directory for the socket does not exist and SSH
> > won't create it. :-/
>
> If you're not logged in, then how does the remote forward work? aren't
> you actually still logged in (via ssh) as long as your remote forward is
> running?

Sorry for not formulating this better. You are of course right: if I'm not logged in the remote forward is not working. That is not what I meant to say.

The problem is that when I disconnect, the /run/.../gnupg dir is deleted, and the next time I want to connect and ssh tries to set up the forwarding this will fail because the /run/.../gnupg directory in which the forwarded socket should be created does not exist.

Warning: remote port forwarding failed for listen path /var/run/user//gnupg/S.gpg-agent

My current workaround is to connect first and start dirmngr on the remote machine (to get the socketdir created and used). And then connect with ssh socket forwarding. This is a bit clunky to use.

I've tried placing files in that folder, or to set up permissions to 000 for the gnupg folder (so that gnupg itself does not use it) but to no avail. It's still removed when disconnecting and the next connect will fail.

Regards,
Andre
Re: Why GnuPG encrypted file has no icon?
Hi,

On Saturday 01 October 2016 04:10:03 Rohit P wrote:
> When you encrypt multiple files in a folder, GnuPG encrypted files have no
> icon. It is difficult to immediately identify which are the encrypted
> files.

If you are using Gpg4win you can try out our Beta of gpg4win-3.0 (See: https://wiki.gnupg.org/Gpg4win/Testversions ). There we added setup of file extensions and handling of files by "double click" for Windows.

> Any specific reason why encrypted files have no icon?

One problem was that the .pgp / .gpg / .asc extensions are pretty general. It could be keys, signed data, detached signatures, etc., so to bind them to an application the application would have to detect what a file is and handle it appropriately. This is done now by Kleopatra.

Regards,
Andre
Agent forwarding failure when the socketdir was autodeleted
Hi,

Using GnuPG 2.1.15 I'm trying to SSH into a remote machine with OpenSSH 6.7 as described under: https://wiki.gnupg.org/AgentForwarding

The problem is that the remote system uses systemd, so /var/run/user/ exists and GnuPG will use it. But if I am not logged in or there is no gnupg process running, systemd autodeletes /var/run/user//gnupg. This causes the remote forward of the socket to fail because the directory for the socket does not exist and SSH won't create it. :-/

Any ideas how to solve this without requiring changes to the root configuration of the remote machine? I would happily update the wiki with a solution.

Regards,
Andre
Re: Side-By-Side Installation: Gpg4win and gnuPG
Hi,

On Sunday 10 July 2016 00:57:51 Kob S wrote:
> Running C:\gnupg2.1.13\gpg --expert --full-gen-key
> ...
> I suspect that gnuPG is looking at the same \AppData\Roaming\gnupg
> directory that is being used by gpg4win. If that is the case, is there a
> way to force gnuPG to use a different directory? I could not find any
> config file that would let me do that.
>
> Thanks for any help,

Although using the same homedir should not hurt much (gnupg-2.1 will migrate your secret keys to a new format but leave the files in a way that gnupg-2.0 can still read them), there will be problems with the gnupg-agent, as gnupg needs the same version of the agent that the program belongs to.

To avoid that you should specify --homedir c:\testhome or something on the commandline to 2.1 calls. Then it will use that as a different homedir. e.g.:

gpg --homedir c:\testhome --expert --full-gen-key

would generate you a key in c:\testhome

Regards,
Andre
Obtaining SSH Key format from OpenPGP public certificate without gpgkey2ssh
Hi,

In a previous thread it was noted that gpgkey2ssh is deprecated and will likely be removed. Niibe pointed out how to add a key to GnuPG sshcontrol and obtain the SSH key format from ssh-add -L

https://lists.gnupg.org/pipermail/gnupg-users/2015-December/054871.html

This works for myself. But I'm missing a way for someone that has only my public key to add this key to an SSH authorized_keys file without input from me.

E.g. another person has verified / signed my PGP key that has an Authentication Subkey. How can this person get the SSH key representation without having to ask me to provide it? (Assuming the person has my public key and without gpgkey2ssh)

I think this use case is one of the nice features you get by associating an OpenPGP key with SSH authentication and I would miss it if gpgkey2ssh is removed.

Regards,
Andre
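The conversion asked for above needs nothing secret: an OpenSSH public key line is the same public numbers re-encoded, so anyone holding the OpenPGP public key can produce it. The block below is an added example (my code, not GnuPG's and not the gpgkey2ssh tool): it walks the packets of a binary `gpg --export` blob, picks the public subkey packets (tag 14, optionally also the primary key, tag 6) and renders RSA (algorithm 1) and Ed25519 (algorithm 22) keys as authorized_keys lines. The sample export is constructed inline from toy values (n=3233, e=17 and an all-0x01 Ed25519 point), so it is not a usable key. Which subkey carries the authentication flag lives in the key-flags subpacket of the subkey binding signature; this example does not parse signatures, so the caller chooses among the returned lines. GnuPG 2.1.11 and later have this built in: `gpg --export-ssh-key KEYID` works on any public key in the keyring and picks the authentication subkey by default.

```python
"""OpenPGP public (sub)key packets -> OpenSSH authorized_keys lines (added example)."""
import base64
import struct

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    if n == 0:
        return _ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                 # keep the two's-complement value positive
        b = b"\x00" + b
    return _ssh_string(b)


def _read_mpi(body: bytes, pos: int):
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def iter_packets(blob: bytes):
    """Yield (tag, body) per OpenPGP packet; old and new headers, no partial lengths."""
    pos = 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if ctb & 0x40:                                   # new-format header
            tag, l1 = ctb & 0x3F, blob[pos + 1]
            if l1 < 192:
                length, pos = l1, pos + 2
            elif l1 < 224:
                length, pos = ((l1 - 192) << 8) + blob[pos + 2] + 192, pos + 3
            elif l1 == 255:
                length, pos = struct.unpack(">I", blob[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype
            length = int.from_bytes(blob[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, blob[pos:pos + length]
        pos += length


def pubkey_packet_to_ssh(body: bytes) -> str:
    """Render a v4 public key packet body as one OpenSSH public key line."""
    if body[0] != 4:
        raise ValueError("only v4 keys supported")
    algo, pos = body[5], 6                               # version, 4-byte ctime, algo
    if algo == 1:                                        # RSA: MPI n, then MPI e
        n, pos = _read_mpi(body, pos)
        e, pos = _read_mpi(body, pos)
        kind = "ssh-rsa"
        blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)   # SSH: e, n
    elif algo == 22:                                     # EdDSA: OID, MPI 0x40||point
        oid_len = body[pos]
        if body[pos + 1:pos + 1 + oid_len] != ED25519_OID:
            raise ValueError("unsupported EdDSA curve")
        point, pos = _read_mpi(body, pos + 1 + oid_len)
        raw = point.to_bytes(33, "big")
        if raw[0] != 0x40:
            raise ValueError("unexpected point encoding")
        kind = "ssh-ed25519"
        blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw[1:])
    else:
        raise ValueError("unsupported public key algorithm %d" % algo)
    return kind + " " + base64.b64encode(blob).decode("ascii")


def authorized_keys_from_export(blob: bytes, subkeys_only: bool = True) -> list:
    """SSH lines for every convertible public subkey (tag 14), plus the primary
    key (tag 6) if subkeys_only is False. Encryption-only subkeys (e.g. ECDH)
    raise ValueError inside pubkey_packet_to_ssh and are skipped."""
    wanted = {14} if subkeys_only else {6, 14}
    lines = []
    for tag, body in iter_packets(blob):
        if tag in wanted:
            try:
                lines.append(pubkey_packet_to_ssh(body))
            except ValueError:
                continue
    return lines


# ---- constructed sample export: toy numbers, NOT a real key --------------------
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _packet(tag: int, body: bytes) -> bytes:
    assert len(body) < 192                               # one-byte new-format length
    return bytes([0xC0 | tag, len(body)]) + body


def build_sample_export() -> bytes:
    created = struct.pack(">I", 1451606400)              # arbitrary creation time
    rsa_primary = _packet(6, b"\x04" + created + b"\x01" + _mpi(3233) + _mpi(17))
    uid = _packet(13, b"Test User <test@example.org>")
    ed_sub = _packet(14, b"\x04" + created + b"\x16" + bytes([len(ED25519_OID)])
                     + ED25519_OID + _mpi(int.from_bytes(b"\x40" + b"\x01" * 32, "big")))
    return rsa_primary + uid + ed_sub


if __name__ == "__main__":
    for line in authorized_keys_from_export(build_sample_export(), subkeys_only=False):
        print(line)
```

Note the order swap: OpenPGP stores the RSA modulus before the exponent, while the SSH wire format puts the exponent first; getting that wrong yields a syntactically valid line that sshd will never accept.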
Re: TOFU for GnuPG
Hi Neal,

On Tuesday 03 November 2015 15:57:05 Neal H. Walfield wrote:
> > I don't fully understand why you need formalized transition statements.
> > Couldn't you just treat Key / UIDs that are signed by each other as "two
> > valid keys for this UID"?
> >
> > So when I transition to another key I just sign it with the old key and
> > GnuPG can detect that and not show a warning about it?
> >
> > This would also solve the problem that some users may have multiple keys
> > with the same UID's which are both valid.
>
> This could work if both keys are available locally. If you need to
> look up the new key, this is not so easy.

Don't we need to lookup the new key anyway to make validity decisions? Until then we assume "Unknown" trust. Well, I can see that one of the features of TOFU is that Unknown trust should no longer be presented to users, but in that case we could add auto-key-retrieve? :-)

> Another problem is that this assumes that the new key has the exact
> same user ids. Oftentimes some emails will have been dropped or the
> person's name changed (e.g., marriage, new title, etc.).

You have lost me here. Why does it assume that?

- I send you lots of mails as aheine...@intevation.de signed with C97822F5
- Now I send you once a mail as aheine...@intevation.de signed with 58BD45EC
-> You can check if C97822F5 signed the User ID aheine...@intevation.de on key 58BD45EC. It has. So you can assume the new key is also valid for that UID.

Any new UID's on this key will have to be treated as first contact ID's. If the new key has fewer UID's I don't see a problem at all.

Regards,
Andre
Re: TOFU for GnuPG
Hi,

On Tuesday 03 November 2015 16:34:39 you wrote:
> At Tue, 03 Nov 2015 16:10:24 +0100,
> Andre Heinecke wrote:
> > Don't we need to lookup the new key anyway to make validity decisions?
> > Until then we assume "Unknown" trust.
>
> In the verify case, yes. But what about the sign case? We just see
> that the old key has been revoked, but we don't know what the new key
> is.

I assume you mean the encrypt case (I don't see how this affects sign)? But still I don't see a problem there. If you don't have a valid key to encrypt to, you need to get a different key. How is the trust model involved in that? Once you have that new key you can do the UID / signature checks I suggested.

Regards,
Andre
Re: TOFU for GnuPG
Hi,

On Thursday 29 October 2015 22:28:54 Neal H. Walfield wrote:
> At Thu, 29 Oct 2015 18:48:43 +0100,
> Johannes Zarl-Zierl wrote:
> > Out of curiosity: Does the TOFU implementation for gpg already allow for
> > key transition statements / is this planned for some point in the future?
>
> Unfortunately, it doesn't. This is because there is currently no
> standard way to communicate the id of the new key. I've proposed a
> solution for this for the next OpenPGP version, which is currently
> being worked on. There appears to be some interest, but unfortunately I
> haven't had time to work on that recently.

I don't fully understand why you need formalized transition statements. Couldn't you just treat Key / UIDs that are signed by each other as "two valid keys for this UID"?

So when I transition to another key I just sign it with the old key and GnuPG can detect that and not show a warning about it?

This would also solve the problem that some users may have multiple keys with the same UID's which are both valid.

Regards,
Andre
Re: Installing gpg2/commads?
Hi,

On Saturday 24 October 2015 00:48:47 Sebastian Rose-Indorf wrote:
> are there some commands for installing the
> gnupg-w32-2.1.x_.exe (like -silent or -no_registry)?

Afaik only the standard NSIS command line options are supported: /S for silent install and /D to modify the destination directory.

Regards,
Andre
Re: GnuPG modern can't genereate keys on my Windows
Hi,

On Monday, August 31, 2015 07:07:03 PM Andre Heinecke wrote:
> If I use the pinentry-basic included in the gnupg-w32 installer I get the
> "No pinentry" error.
> So it looks like pinentry-basic also has a Problem on Windows > 8.1

This was a problem in my test setup. I probably had gpg4win installed when the agent was started and so it tried to use the pinentry from gpg4win even after I uninstalled gpg4win. Such things will be solved when gpg4win gets proper 2.1 support.

After restarting the gpg-agent it picked up pinentry-basic and it worked fine. If you look at gpg-agent's debug output it will show you which pinentry it tries to start.

Regards,
Andre
Re: GnuPG modern can't genereate keys on my Windows
Hi,

On Monday, August 31, 2015 01:49:06 PM Zero0 wrote:
> I cleared the AppData and registry, installed
> https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.1.7_20150811.exe to
> D:\Program Files (x86)\GnuPG, started the command prompt, typed "gpg
> --full-gen-key --expert" and get an EOF error after I entered the
> password.

I can confirm your problem. Even without full-gen-key or any special options. I've opened an issue for this: https://bugs.gnupg.org/gnupg/issue2085

Regards,
Andre
Re: GnuPG modern can't genereate keys on my Windows
Hi,

On Monday, August 31, 2015 01:53:48 PM Juan Miguel Navarro Martínez wrote:
> I assume you are using a Windows 8 or higher. I already reported that on
> another message in this same list. For some reason, making a passphrase
> protected key makes GPG Agent crash.

I think this is a different bug. When I use a pinentry from gpg4win I run into the gpg-agent crash described in this thread but can still do things that involve pinentry like signing.

If I use the pinentry-basic included in the gnupg-w32 installer I get the "No pinentry" error. So it looks like pinentry-basic also has a problem on Windows > 8.1. I've not reported a bug for this but I keep it in mind. (The issues are likely related.)

Works fine on Windows 7 though, curious.

Regards,
Andre
Re: GnuPG modern can't genereate keys on my Windows
Hi,

On Monday, August 31, 2015 08:26:31 PM Juan Miguel Navarro Martínez wrote:
> I don't know how to reply to the issue (or maybe I just can't),

I think you can't. I've already complained to Werner several times that I find the aspect that only "Developers" or the original reporter can add information to a bug report hurts bugs.g10code.com

> I wanted
> to say that issues 2083[1], 2010[2] and 1819[3] may be related or just
> the same. They all have the "End of file" error.
>
> [1]: https://bugs.gnupg.org/gnupg/issue2083
> [2]: https://bugs.gnupg.org/gnupg/issue2010
> [3]: https://bugs.gnupg.org/gnupg/issue1819

Thanks for that list! I guess I just opened another duplicate for this with issue 2085 :-o (Damn, I thought I knew how roundup search worked but I did not find these.)

I've consolidated them in 2085 (because that was my bug ;-) ). 2010 I guess is slightly different as it has the "No Pinentry" problem, so I've left that out.

Regards,
Andre
Re: operating on remote files (Windows) using a UNC
Hi,

Sorry for the late reply, gpg4win-users-en would probably have been a better place for this question.

On Tuesday, June 30, 2015 09:57:55 PM Charles Spitzer wrote:
> Whenever I attempt to operate upon a remote file using a UNC, it doesn't
> seem to find the file.
>
> C:\Users\cspitzer> gpg --decrypt \\remote.machine.com\data\Vendor File Transfers\Archive\Input.2015-06-15.045720.csv.pgp
> gpg: can't open `remote.machine.com\\data\\Vendor File Transfers\\Archive\\Input.2015-06-15.045720.csv.pgp': No such file or directory
> gpg: decrypt_message failed: No such file or directory

I stumbled upon this also once. You need to use forward slashes instead of backslashes for gnupg to work with UNC paths, e.g.:

gpg2 --decrypt //remote.machine/encrypted.gpg

Works.

Andre Heinecke
Re: AES-NI, symmetric key generation
Hi,

To answer your first question regarding gpg4win:

On Monday, March 09, 2015 05:15:14 PM Maricel Gregoraschko wrote:
> Hello All, I would first like to thank you for your effort and time
> developing GnuPG. I have a couple of questions:
> 1. Does GnuPG (in particular, the Windows binaries distributed for
> gpg4win) use AES-NI, the Intel dedicated AES instruction set?

No, it has been disabled due to a bug. I've opened gnupg/issue1919 to track this.

> There are some concerns, I'm not sure how realistic, about backdoors
> built into the CPU themselves.

AES is an algorithm that produces deterministic results. Not really something to backdoor like a RNG.

> I noticed there is an option to configure, --disable-aesni-support.
> Where can I get the full configure command as it was used to build the
> posted gpg4win binaries, to check if that switch was present or not?

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=src/Makefile.am

Look for gpg4win_pkg_package_configure (e.g. gpg4win_pkg_libgcrypt_configure)

> Also is there any option to turn hardware acceleration on or off at
> runtime?

No.

Regards,
Andre
Re: [Announce] GnuPG 2.1.1 released
Hi,

On Saturday 20 December 2014 12:21:08 Werner Koch wrote:
> Thus I do not think that Authenticode would harm even given that it is
> possible to buy the private key for an existing Authenticode certificate.

I actually love Authenticode. It means that you can do some steps to get to the operating system level of trust. Sure, you can buy your way into this, but that is the operating system level of trust that is asserted through HTTPS connections / Windows Update and so on. It is weak, I grant you that, but it is at least _some_ automatic authentication of binaries.

I'm playing a game on a Windows machine currently (Archeage) that requires administrative access for each launch!,.. and they did not even care to sign their binary. This is just security sadism. (I keep my GNU/Linux partitions, on which I do any work or store secrets, encrypted.)

In a different project at Intevation we signed all binaries in our installer, keeping packaging and building on different systems. As we won't expose our private keys to proprietary systems, that meant running wine to create the NSIS uninstaller. Maybe this is also something for the future of gpg4win. (Btw. we use osslsigncode, which is a really great tool that allows you to create Authenticode PKCS#7 signatures under GNU/Linux.)

With regards to the original question: I'd be happy to sign your experimental gnupg-only installers with our code signing certificate (and be quick about it) after verifying your signature. Intevation trusts g10code (we heavily use gnupg internally, where the source is verified by Werner).

Regards,
Andre
Re: GPG tool for Windows Embeddd Compact 7
Hi,

please keep the mailing list in CC so that others can also learn from this conversation.

At Friday 21 February 2014 05:41:08 dbhukta . wrote:
> Dear Sir,
> Greetings. Thanking you for your kind support
> The Binary is not compatible with Windows Embedded Compact 7, Please
> forward some clue, how can be ported to winec7 from wince5 for the
> source code.

We did use cegcc ( http://cegcc.sourceforge.net/ ) to build gnupg for wince. I'm not sure if this compiler actually works for your platform. So maybe you should start trying to get a Hello World program compiled with this before venturing into gnupg :)

There is a convenience option in the autogen.sh files of gnupg and its libraries, --build-w32ce, that sets some build options and selects the toolchain. But generally it is not trivial to build for this platform and I'm pretty sure you will run into some problems.

Regards,
Andre
Re: GPG tool for Windows Embeddd Compact 7
Hi,

On Wednesday 19 February 2014 08:13:36 dbhukta . wrote:
> Let me know any version which is compatible for Windows embedded Compact 7
> to encrypt/decrypt a text file at least.

GnuPG has been ported to Windows CE 5.0, so it should / could work on Windows Embedded 7 (I guess it's untested), as this work was done in 2010 as part of a project and there has been little interest in Windows CE since.

We still have some binaries lying around:
http://files.kolab.org/local/windows-ce/gpg-snapshots/gpg_wince-dev-190111.zip

Sources for that version:
http://files.kolab.org/local/windows-ce/gpg-snapshots/gpg-ce-dev-190111-src.zip

And a signed sha1sums file in:
http://files.kolab.org/local/windows-ce/gpg-snapshots/

Maybe it works, maybe not. Have fun

Andre
Re: Building Pinentry for Windows
Hi,

On Thursday 24 October 2013 20:49:09 Nikola Radovanovic wrote:
> 1) When trying to build whole Gpg4Win I ran into several problems. Package
> for gtkhtmlviewer2 couldn't be found, but I have resolved it. This archive
> is now moved to plugins_obsolete folder (instead plugins) on a target url.

Ah, such things happen, I'll see to it that the download url is updated.

> Then stow was not installed on a system, and I have installed it with
> apt-get install stow. But makensis, which is missing, must be installed
> also. And it cannot be installed with apt-get. It requires python, scons,
> zlib and gcc to be installed already, so it is a more complicated process.
> Werner, if you can give me some hints about installing makensis it would
> be great, but anyway I must analyze manual for installing makensis and
> all dependent components in order to proceed further.

makensis is part of the package nsis, which can be installed with

apt-get install nsis

> 2) As far as MXE is concerned, I have built and set successfully all
> required packages, and built gcc and qt successfully. And finally when it
> came to build pinentry it failed with message : 'No rule to make target
> 'pinentry'. Stop.' And that's it. I have downloaded the package and tried
> to build it manually with commands just like in .mk file, but with no
> success.

Yes, pinentry is not included in mxe. I have written a .mk file for it and attached it in my mail from Wednesday. You should have dropped that pinentry.mk file into the src directory of mxe.

Godspeed,
Andre
Re: Building pinentry on Windows 7
Hi,

On Wednesday 23 October 2013 10:14:37 Werner Koch wrote:
> However, unless you only want the really ugly native pinentry you need
> to install lots of libraries first. Thus using the gpg4win installer
> framework is easier.

I've recently played around with MXE ( http://mxe.cc/ ) which is another cross compilation environment that aims to provide an easy way to handle dependencies for Windows.

To build a static pinentry-qt4 with it you can just set it up as documented on their homepage. Drop the attached pinentry.mk in mxe/src/ and do

make pinentry

Worked like a charm for me on a debian wheezy system.

Regards,
Andre

pinentry.mk (attached):

# MXE package description for pinentry (static pinentry-qt4 build).
# The list archive dropped the '<' in the sed character class and the '&&'
# after cd; both are restored here as in other MXE .mk files.
PKG             := pinentry
$(PKG)_IGNORE   :=
$(PKG)_VERSION  := 0.8.3
$(PKG)_CHECKSUM := fc0efe5d375568f90ddbb23ee68e173411a49d4a
$(PKG)_SUBDIR   := pinentry-$($(PKG)_VERSION)
$(PKG)_FILE     := pinentry-$($(PKG)_VERSION).tar.bz2
$(PKG)_URL      := ftp://ftp.gnupg.org/gcrypt/pinentry/$($(PKG)_FILE)
$(PKG)_DEPS     := gcc qt

define $(PKG)_UPDATE
    $(WGET) -q -O- 'ftp://ftp.gnupg.org/gcrypt/pinentry/' | \
    $(SED) -n 's,.*pinentry-\([1-9]\.[1-9][0-9][^<]*\)\.tar.*,\1,p' | \
    tail -1
endef

define $(PKG)_BUILD
    cd '$(1)' && ./configure \
        --host='$(TARGET)' \
        --build=`config.guess` \
        --disable-shared \
        --prefix='$(PREFIX)/$(TARGET)' \
        --disable-pinentry-qt \
        --disable-ncurses \
        --disable-pinentry-gtk2 \
        --disable-glibtest \
        --disable-gtktest \
        --enable-pinentry-qt4 \
        --enable-pinentry-qt4-clipboard
    $(MAKE) -C '$(1)' -j '$(JOBS)'
    $(MAKE) -C '$(1)' -j 1 install
endef