How to do pinentry in same screen as gpg
All, I have a script that I use to send mail (as part of pine/alpine) that needs to prompt for my key passphrase. I run alpine on a private unix server, within a screen session. It basically works perfectly with gpg1, where I can get an inline prompt for a password, but gpg2 falls short where it tries to set up some kind of a unix-socket connection to a pinentry dialog, and this all falls apart within the simple exec() alpine is doing to launch the filter. GPG hangs up and I wind up needing to kill the whole window. Here's where I've gotten on a possible solution: I could possibly have every window within my screen session have my .cshrc check for a running gpg-agent, and start one if it's not (this seems wasteful considering how infrequently I sign). Along these lines, I'd probably have to have every single screen process update the running TTY, so that my most recently-opened screen would contain the dialog. It seems that the pinentry command is invoked behind the scenes by the agent, and then directly writes to and reads/from the tty specified (so it could in theory interfere with whatever else I'm running on that screen), for example, if I were doing something while su'd to root. -or- It would also be nice if pinentry could cause the spawning of a new screen window via screen -X, but as I have a password-protected screen, this isn't possible either. -or- It might also be nice if I could basically start a pinentry program in a dedicated window, and simply choose to use it when needed (similar in analog to how I might use a hardware pinpad, or a fingerprint reader). I don't know if this is possible. I could also start up some dummy program in a screen where the agent will spawn. I think that last one is the plan of attack I'll likely pursue. However, it would be really, really nice if, instead of gpg--agent--assuan--pinentry, GPG could just fall back to prompting for a password on the same tty where GPG is running. It would also be nice if GPG had some method of simply saying hey, I can't find a place to spawn this pinentry, and could exit cleanly. Thoughts are welcome. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to do pinentry in same screen as gpg
On Fri, 3 Jan 2014, Hauke Laging wrote: Am Fr 03.01.2014, 01:14:22 schrieb Dan Mahoney, System Admin: It basically works perfectly with gpg1, where I can get an inline prompt for a password, but gpg2 falls short where it tries to set up some kind of a unix-socket connection to a pinentry dialog, and this all falls apart within the simple exec() alpine is doing to launch the filter. GPG hangs up and I wind up needing to kill the whole window. Do you start gpg-agent before gpg2? I would expect the behaviour to be the same like gpg if gpg-agent is not running. No, the agent is required, per the manpage. If GPG doesn't find an agent, it starts one: I just fired up a gpg --gen-key on my system where 2.x is installed. danm 74860 0.0 0.1 13728 2120 ?? Ss1:18PM 0:00.02 gpg-agent --daemon --use-standard-socket danm 74853 0.0 0.1 17408 3136 3 I+1:18PM 0:00.02 gpg --gen-key (gpg2) danm 74861 0.0 0.0 9264 1972 ?? I 1:18PM 0:00.01 pinentry (pinentry-curses) It leaves this agent running after you exit GPG, which feels sloppy -- ssh doesn't leave ssh-agent running after I connect, if I use it at all. It might also be nice if I could basically start a pinentry program in a dedicated window, You can write a wrapper around pinentry. This wrapper could start pinentry in a different console. See: http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047168.html http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048362.html I assume this is much more a screen problem. Some time ago I tried to create a pipeline between two processes running in different screen windows. I didn't manage to do that. But maybe there are tricks unknown to me. Maybe that can be done with redirecting stdin and stdout to a socket with socat or something like that. I seem to recall that I was able to do it by messing heavily with environment variables. As I want to get back into playing with smartcards, the agent become more necessary. (Or keeping v1 and v2 installed in parallel, which seems nonoptimal). Hauke, in your posts, you mention that the pinentry protocol isn't on the GPG website. Could that please be fixed by the people who maintain the project? I notice it also missing from http://www.gnupg.org/documentation/manuals/ If I come up with a good method for doing so, I'll post a howto/blog here. I do wonder how difficult it would be to write a pinentry-getline which doesn't try to do any fancy display tricks -- I just want enough magic to turn echoing off. (I think the ncurses are part of what mess alpine up). I may try this as well. Thanks all, -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to do pinentry in same screen as gpg
On Fri, 3 Jan 2014, Hauke Laging wrote: Am Fr 03.01.2014, 01:14:22 schrieb Dan Mahoney, System Admin: It basically works perfectly with gpg1, where I can get an inline prompt for a password, but gpg2 falls short where it tries to set up some kind of a unix-socket connection to a pinentry dialog, and this all falls apart within the simple exec() alpine is doing to launch the filter. GPG hangs up and I wind up needing to kill the whole window. Do you start gpg-agent before gpg2? I would expect the behaviour to be the same like gpg if gpg-agent is not running. It might also be nice if I could basically start a pinentry program in a dedicated window, You can write a wrapper around pinentry. This wrapper could start pinentry in a different console. See: http://lists.gnupg.org/pipermail/gnupg-users/2013-July/047168.html http://lists.gnupg.org/pipermail/gnupg-users/2013-December/048362.html I assume this is much more a screen problem. Some time ago I tried to create a pipeline between two processes running in different screen windows. I didn't manage to do that. But maybe there are tricks unknown to me. Maybe that can be done with redirecting stdin and stdout to a socket with socat or something like that. Actually -- it *looks like* loopback-pinentry is pretty much exactly what I'm looking for here, if I understand the feature. Hopefully recent fundraising activity can get 2.1 out the door soon. (I'm going to donate!) -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [gnupg-users] Re: Future of GnuPG 1.x.x?
On Sat, 4 Aug 2012, Robert J. Hansen wrote: On 08/04/2012 03:26 PM, Sin Trenton wrote: Is the plan to retire 1.x sometime in a not too distant future (I'm not saying that I assume an actual time plan being set)? I am not a GnuPG developer. My information is not definitive. Take it with a grain of salt. That said, my understanding is the GnuPG developers wish to end 1.4 support as soon as possible. This is reasonable, given that 2.0 has been out for a decade. When 2.0 first came out I was not a big fan, but it's become much more stable and useful over the past few years. However, ending GnuPG 1.4 support 'as soon as possible' is not the same as 'ending it now.' They want to minimize impact on end-users as much as possible. The 1.4 model still works better for certain things. I've never successfully managed to make pinentry work in a shell/screen session using my mailer, and I've never heard back from the GPG developers about allowing the main gnupg process to prompt for a pin directly, without needing the socket/window of pinentry. Both myself and Doug Barton have commented on this list to this effect. I consider this a blocking factor for moving to 2.0. When 1.4 support ends, expect an EOL date to be announced far in advance and a lot of help given to people who need to migrate to 2.0. See above. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: No-Keyserver (and other) flags on keys
On Mon, 28 Jun 2010, David Shaw wrote: I presently consider synchronization broken. If there were only one network of keyservers out there, and I didn't have to search multiple places when trying to sign or request a key, I might think otherwise, but this is not the case. See my alternate request about being able to use multiple urls in auto-key-locate, which I don't believe currently works. It does. auto-key-locate hkp://pgp.mit.edu hkp://subkeys.pgp.net hkp://some.other.server.etc ldap://even.a.ldap.server.works Aah, perhaps here is a problem. auto-key-locate may in fact do this, but --search does not. Is there a way to make that work? -- Ca. Tas. Tro. Phy. -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Using gpg2 without pinentry?
Hey there, I currently use gnupg 1 from within Alpine (running under screen), and it works okay, but I had a bear of a time using gpg2 because of the pinentry stuff. Specifically, gpg was launched within a mail filter, and had no idea how to spawn a third program (the pinentry window)) in a correct way. I've tried kludging it so it launches in a different screen by tweaking various environment variables, but this seems the wrong way to go about it. As does running with X-forwarding just to launch a tiny pinentry app (I can't guarantee I'll have an xserv everywhere I sit.) Is there some reasonable way that gpg can detect that it has a controlling termainal (or even, a config file option) and just ask me for my passphrase on stdin? I am my sysadmin. I trust me :) -Dan -- Let me tell you something about regrowing your dead wife Lucy, Harry. It's probably illegal, potentially dangerous, and definitely crazy. -Harry nods- Vincent Spano, as Boris in Creator. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
No-Keyserver (and other) flags on keys
All, How difficult would it be to propose some kind of extension flag to the PGP key format that in essence says don't publish me to a keyserver. Note that I'm asking from a technical point of view, not a social (i.e. making servers support it) or IETF one (insert bikesheds here). My question is: Is it possible to do in such a way that keys would be backward-compatible? (I have no idea about the internal format of a PGP key, to me it's just bricktext...at least right now). -Dan -- If you aren't going to try something, then we might as well just be friends. We can't have that now, can we? -SK Dan Mahoney, December 9, 1998 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: No-Keyserver (and other) flags on keys
On Sun, 27 Jun 2010, David Shaw wrote: On Jun 27, 2010, at 3:58 PM, Dan Mahoney, System Admin wrote: All, How difficult would it be to propose some kind of extension flag to the PGP key format that in essence says don't publish me to a keyserver. Note that I'm asking from a technical point of view, not a social (i.e. making servers support it) or IETF one (insert bikesheds here). My question is: Is it possible to do in such a way that keys would be backward-compatible? Not only is it possible, it already exists. GnuPG can even set it and unset it, as you like. Really? Where is it? Also, is it possible for either the manpage or the interactive help to include the meaning of the various preferences that are not cipher types? It's effectively a no-op though, as no server supports it. I'm looking into making mods to at least one server type (we run one locally at work), and commit them upstream. If I'm going to wade into that muck, I might as well have multiple things to try to make work. The change in the key file format is the hard part :) -Dan -- She's been getting attacked by these leeches, they're leaving these marks all over her neck. You gotta keep her out of those woods. If one more leech gets her, she's gonna get a smack. -Someone's Mother, December 18th, 1998 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: No-Keyserver (and other) flags on keys
On Sun, 27 Jun 2010, David Shaw wrote: It's a flag that can be set on a key user ID, similar to cipher or compression preferences. Run --edit-key on a key, and enter showpref or pref. You will probably see a mention of Keyserver no-modify (or no-ks-modify). You can turn it on and off with setpref, like any other preference: ks-modify allows keyserver modifications, and no-ks-modify disallows them. Note that the definition of no-modify is that only the keyholder (or the administrator of the keyserver) can override it. So the flag only applies to other people - the keyholder can choose to upload his key if he so desires. Also, is it possible for either the manpage or the interactive help to include the meaning of the various preferences that are not cipher types? Sure enough, it's not in the man page. I'll fix that. I'd love to see an editpref which more interactively presented you with options (and descriptions) you could toggle (but would still maintain backwards compatibility with apps that used showpref or setpref) It's effectively a no-op though, as no server supports it. I'm looking into making mods to at least one server type (we run one locally at work), and commit them upstream. If I'm going to wade into that muck, I might as well have multiple things to try to make work. The change in the key file format is the hard part :) Having keyservers support no-modify requires that they first support crypto at all. That's a really big step. The ones I've seen have enough awareness of what's in a key to pull a key apart and determine who's signed it, when, and when it's expired. Is there more than that to read these bits? Again:step zero may be to determine what the internal format is. However, you raise another question: How does a keyserver know who is uploading the key? (Note that this doesn't apply to my original question, since that was simply a keyservers should throw this away flag, where a user might choose to publish on his website, his .plan file, on his business cards, in DNS, or via LDAP or S/Mime autodiscovery.) -Dan -- Hitler, Satan, those Hanson kids, anything. Just not the curious anteater. -Peter Scolari, as Wayne Szalinki in Honey, I Shrunk The Kids--The Series Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Searching multiple keyservers
Hey all, Is there an easy syntax to chain multiple keyservers for searching? In theory it shouldn't be necessary, but there are distinct keyserver networks out there that don't share, as well as private hkp keyservers which might need to be searched first. -Dan -- SOY BOMB! -The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan Performance. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Searching multiple keyservers
On Wed, 23 Jun 2010, MFPA wrote: PGP Command Output Warning: using insecure memory! gpg: Signature made Wed Jun 23 12:59:05 2010 EDT using RSA key ID AD0C6E69 gpg: Good signature from MFPA a...@b.c gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: BA 23 9B 46 81 F1 EF 95 18 E6 BD 46 44 7E CA 03 --- Begin PGP Signed Message Verified 2010-06-23 13:25:55 -- Hi On Wednesday 23 June 2010 at 9:27:01 AM, in mid:ged4c21c...@laurent.jumet.skynet.be, Laurent Jumet wrote: Using GPGShell allows Update from all keyservers. all being simply all the ones you have listed in your gpgshell config file. IIRC, you have a list for fetching/updating keys and another list for submitting keys - the latter may be useful to specify servers you know don't synchronise reliably, when posting revocations. Considering I'm running on a FreeBSD system, however... -Dan -- It would be bad. -Egon Spengler, Ghostbusters Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA Status?
On Tue, 22 Jun 2010, Robert J. Hansen wrote: On 6/22/10 10:09 PM, Dan Mahoney, System Admin wrote: Is this very old and it's now supported? Or is it still not in for some other reason (either oversight, legal, or other). By modern standards, IDEA is not considered a promising cipher. There are some very good theoretical attacks against it. Between the varying patent expiration dates (2011 or so in some countries, IIRC) and the thin safety margin, the GnuPG community has generally decided IDEA is not a priority for inclusion. Could the FAQ be updated then, assuming you speak with some authority? -Dan -- Ca. Tas. Tro. Phy. -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Using the clean function (and the PGP Global Directory)
It seems there's two interesting problems which inter-relate. The first is PGP corporation's global directory, which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. Finally, it will sign your non-photo-uids. With a very short signature time, and pollute them so they look like this: uid Dan Mahoney dmaho...@isc.org sig 3E919EC51 2008-11-22 Dan Mahoney dmahoney@ sig 3E8048D08 2009-10-15 Peter Losher Peter_Losher@ sig 68D482E2 2009-08-31 Guy Sisalli gsisalli@ sig CF9890F8 2009-07-01 Mark Andrews marka@ sig 08F13AD2 2009-10-14 Evan Hunt each@ sig 3294EC062 2009-06-30 Paul Vlaar vlaar@ sig 2DC6FF82 2009-10-14 Rob Austein sra@ sig 8FA50232 2010-06-13 Emma Smith esmith@ sig X CA57AD7C 2009-12-16 PGP Global Directory Verification Key sig X CA57AD7C 2009-12-29 PGP Global Directory Verification Key sig X CA57AD7C 2010-01-12 PGP Global Directory Verification Key sig X CA57AD7C 2010-01-25 PGP Global Directory Verification Key sig X CA57AD7C 2010-02-07 PGP Global Directory Verification Key sig X CA57AD7C 2010-02-20 PGP Global Directory Verification Key sig B38DB1BE 2010-06-13 Francisco Obispo (ISC) fobispo@ uid Dan Mahoney dan_maho...@isc.org Yes, I'm sure I need a signature added to my key EVERY TWO WEEKS. From the same ENTITY. So, to correct this, gpg has the clean function, except that it seems to be broken. I can then re-upload my key. clean kills off any local signature and uid that is expired, but it also removes keys I have no trust value for. This might make sense on someone ELSE'S key in my homedir. But I want EVERY nonexpired signature to stay on my public key, even if I don't have an explicit trust value for the person. A workaround is to assign some trust value to every other person who's signed my key, then run --clean, but this seems broken. So, all that said, two questions. 1) Is there some option I'm missing that will just remove expired signatures, and not other things? Assume I'm still interested in the social networking aspect of who-knows-who and who-trusts-who, but not interested in this automated I figured out a web url three years ago noise. 2) If I find the magic way to do #1, and upload it to a keyserver, will they accept it, or will they just re-merge the expired sigs in? (For most common keyservers). -Dan -- Ca. Tas. Tro. Phy. -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the clean function (and the PGP Global Directory)
On Tue, 22 Jun 2010, David Shaw wrote: On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: It seems there's two interesting problems which inter-relate. The first is PGP corporation's global directory, which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. Not exactly. The GD speaks LDAP, so you can set your keyserver to ldap://keyserver.pgp.com and you can query and submit, etc. Interesting, I didn't see mention of that. I must try this (assuming I've built with LDAP support, that is, which under BSD is a bit obtuse). It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. The SKS servers (i.e. pretty much everything that isn't the GD) do support photo IDs, but they do not use the web interface to show you the photo. That was what I meant to imply, perhaps I was unclear. Are you sure about that? clean strips off useless signatures (useless being defined as an invalid signature, a superseded signature, a revoked signature, and a signature from a key that isn't present on the keyring). Signatures from keys that are present, but have no trust value are not stripped off. Let me double check. I saw it earlier today when transferring my work sig to my personal one. But it might just have been that my coworkers did not have sigs present. It's entirely possible I mangled the windows. -Dan -- GO HOME AND COOK!!! Donielle Cocossa, Taco Bell, 2:30 AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using the clean function (and the PGP Global Directory)
On Tue, 22 Jun 2010, Dan Mahoney, System Admin wrote: On Tue, 22 Jun 2010, David Shaw wrote: On Jun 22, 2010, at 11:02 PM, Dan Mahoney, System Admin wrote: It seems there's two interesting problems which inter-relate. The first is PGP corporation's global directory, which seems to operate orthogonally from every other keyserver I've seen. It's HTTP-only, not queryable by any of the open-source clients (in fact, it doesn't support wildcard searches at all, and returns a captcha before delivering results), and not SUBMITTABLE to from any of the open source clients. Not exactly. The GD speaks LDAP, so you can set your keyserver to ldap://keyserver.pgp.com and you can query and submit, etc. Interesting, I didn't see mention of that. I must try this (assuming I've built with LDAP support, that is, which under BSD is a bit obtuse). It's also the ONLY keyserver I've seen that supports photo IDs, and actually uses the web interface to show you the person. The SKS servers (i.e. pretty much everything that isn't the GD) do support photo IDs, but they do not use the web interface to show you the photo. That was what I meant to imply, perhaps I was unclear. Are you sure about that? clean strips off useless signatures (useless being defined as an invalid signature, a superseded signature, a revoked signature, and a signature from a key that isn't present on the keyring). Signatures from keys that are present, but have no trust value are not stripped off. Let me double check. I saw it earlier today when transferring my work sig to my personal one. But it might just have been that my coworkers did not have sigs present. It's entirely possible I mangled the windows. Yup, that's what happened. I had imported my work key to my personal machine, but didn't have the keys of all my coworkers on my personal box, so clean decided to be helpful. I pulled it off the keyserver again, and then pulled down the keys of all my coworkers, and was good. On a related subject, is there a way to say pull down the keys of all keyids who have signed key X? -Dan -- Long live little fat girls! -Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas) Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ...key belongs to ...
On Sun, 30 May 2010, Michael D. Berger wrote: On a Linux box, in encrypting a file with gpg, I get this query: It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) n Now in the context in which this is being used, there is no uncertainty regarding key ownership, and the encryption is part of a bash script. The query stops the script. Therefore, how can I prevent this query? Edit the trust of the key, and or sign it with a trust signature. -Dan -- Don't be so depressed dear. I have no endorphins, what am I supposed to do? -DM and SK, February 10th, 1999 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: new Installation... configure issues
On Mon, 24 May 2010, raviraj kondraguntla wrote: Hi, I am trying to install the gnupg 1.4.10 on solaris 10 server, I have received the below error configure:3550: /opt/SUNWspro/bin/cc --version 5 ./configure: line 3551: /opt/SUNWspro/bin/cc: No such file or directory configure:3553: $? = 127 configure:3560: /opt/SUNWspro/bin/cc -v 5 ./configure: line 3561: /opt/SUNWspro/bin/cc: No such file or directory configure:3563: $? = 127 configure:3570: /opt/SUNWspro/bin/cc -V 5 ./configure: line 3571: /opt/SUNWspro/bin/cc: No such file or directory configure:3573: $? = 127 configure:3596: checking for C compiler default output file name It seems, I need to install C compiler by installing SPROcc 9(unbundled SPARCworks Professional C compiler) Please advise on this. Thanks, Raj You could just install gcc. -Dan -- Blargy Frap! -mtreal, efnet #macintosh channel, 8.10.98, Approx 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Implications Of The Recent RSA Vulnerability
On Thu, 11 Mar 2010, erythrocyte wrote: With the recent news of researchers being able to crack 1024-bit RSA keys using power fluctuations, I was wondering if it would be a good idea to switch the RSA keys I have to some other algorithm. Both my signing and encryption keys are 4096-bit keys. Am I vulnerable to this security hole? Is it possible to generate a new keypair and retain/transfer the old signatures from my email buddies? Ref: http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/ Okay, let me sum up this article for you: Researchers who had physical enough access to be able to rewire the private-key-holder's system's power supply were able to compromise that system. If you're at that point, I don't think key length is your problem. -Dan Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Continued PKA problems on Windows
On Wed, 3 Mar 2010, Grant Olson wrote: On 3/3/2010 5:26 PM, Sean Rima wrote: Folks I downloaded and installed gpg4win-2.0.2rc1. I then tested my pka setup using: echo foo | gpg2 --no-default-keyring --keyring c:\temp\gpg --encrypt --armor --auto-key-locate pka -r s...@srima.eu -v 2 test.txt ... The only thing I can think is that the site is on Google apps or am I missing something else. I can post my gpg.conf if that helps Sean I noticed two things that may or may not matter... If I open http://prime.gushi.org/danm.pubkey.txt; in firefox, it opens right in the browser. If I open yours, it opens a Save As... window. So they have different content types. Also, the url listed in the firefox Save as window is some crazy computer generated url, not www.srima.eu. Just doing a quick test with curl, it takes like 4 302 redirects before you actually get to the file. It wouldn't be totally unsurprising to me if a series of redirects caused problems. So, if you're interested in comparing apples to apples, for curiosity I just uploaded your pubkey (sean.pubkey.txt) to the same url as danm.pubkey.txt). See if that fixes it, at least for testing. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Shamir's Secret Sharing Scheme integration?
On Sun, 21 Feb 2010, Richard Geddes wrote: Hello, Is there a utility that integrates gnupg with (Shamir's Secret Sharing Scheme)? And maybe using smartcards? If not has anyone seen a HowTo that shows how to integrate them? Ikinda do. I encoded my will with it before some surgery a few years ago, and documented it in the process, along with some other notes on short circuiting the whole thing. Have a look at www.gushi.org/willworks.txt -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG4Win: running gpg-agent with SSH agent support?
On Mon, 1 Feb 2010, Werner Koch wrote: Yes, we do this on Windows because we have a well known socket name there. It may actually happen that two agents are started which does not harm because the the unused agent detects this case and terminates itself after some time. What's the socket location inder win32, if you don't mind me asking? -Dan -- You recreate the stars in the sky with cows? -Furrball, March 7 2005, on Katamari Damacy Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto For DNS Key publishing.
On Thu, 29 Oct 2009, Dan Mahoney, System Admin wrote: All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. David, Would it be possible to include my make-dns-cert.sh shell script with GPG? It solves both the problems of the existing tool being a not-built-by-default binary, as well as modernizes the DNS record formats used, heavily, and is easily used by people who have installed GPG via a package. -Dan Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypting with an message expiration date
On Sat, 2 Jan 2010, David Shaw wrote: On Jan 2, 2010, at 11:10 PM, Faramir wrote: Allen Schultz escribió: GnuPG-Users: Is there a way to force an expiration date when encrypting a message for additional security. I have a friend who is inquiring. I've already informed him of the for his/her eyes only option. What is that option? --for-your-eyes-only But don't think it adds real security. In OpenPGP, the FYEO option just sets a flag in the message that means (in effect), Pretty please, with sugar on top, treat this as for your eyes only. The recipient is free to ignore the flag and do whatever they like. Is that analagous to the flag in older versions of PGP that would cause a message to be displayed in a non-printable/non-copyable format? -Dan -- I want to see how you see. -SK, 6/2/99, 4:30 AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Howto For DNS Key publishing.
On Thu, 29 Oct 2009, Ciprian Dorin, Craciun wrote: On Thu, Oct 29, 2009 at 7:52 AM, Dan Mahoney, System Admin d...@prime.gushi.org wrote: All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. I cited credit where possible, but if I missed your name, let me know. Suggestions, feedback, requests, corrections, are all welcome. Initial publishing is to my livejournal, but I'm planning to wrap the whole thing to my webpage during a revamp. http://gushi.livejournal.com/524199.html Regards, -Dan Mahoney Hello! Nice tutorial! I've tried to apply your methods (for now I'm just at the PKA method). But it seems that there is a problem with auto-key-locate option. For example for the following command: mkdir /tmp/gpg-test gpg2 --homedir /tmp/gpg-test --auto-key-locate pka --recipient cipr...@volution.ro --encrypt /dev/null it gives me the following error: gpg: requesting key A6FD8839 from http server stores.volution.ro gpg: /tmp/gpg-test/trustdb.gpg: trustdb created gpg: key A6FD8839: public key Ciprian Dorin Craciun cipr...@volution.ro imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 gpg: error retrieving `cipr...@volution.ro' via PKA: Unusable public key gpg: cipr...@volution.ro: skipped: No public key gpg: /dev/null: encryption failed: No public key Now, searching on the net for a solution, I've stumbled upon the following thread: http://lists.gnupg.org/pipermail/gnupg-users/2006-May/028637.html It seems that there was a bug in GnuPG. So the question is: * am I doing something wrong? * or is the bug still present in GnuPG? Thanks, Ciprian. Okay, so here's what I've learned. I've manually retrieved your key, and imported it manually to my machine with gpg --import file And I then get this: dmaho...@dmahoney-laptop:~/Desktop$ echo foo | gpg --encrypt -r cipr...@volution.ro gpg: cipr...@volution.ro: skipped: unusable public key gpg: [stdin]: encryption failed: unusable public key So it's not the PKA record. Upon examining it a little further, I see this: dmaho...@dmahoney-laptop:~/Desktop$ gpg --list-keys cipr...@volution.ro pub 3072D/A6FD8839 2008-10-19 [expires: 2009-11-21] uid Ciprian Dorin Craciun cipr...@volution.ro uid Ciprian Dorin Craciun ccrac...@cci.uvt.ro uid Ciprian Dorin Craciun ciprian.crac...@gmail.com uid Ciprian Dorin Craciun ccrac...@info.uvt.ro dmaho...@dmahoney-laptop:~/Desktop$ gpg cipr...@volution.ro.pub.gpg pub 3072D/A6FD8839 2008-10-19 Ciprian Dorin Craciun cipr...@volution.ro uidCiprian Dorin Craciun ccrac...@cci.uvt.ro uidCiprian Dorin Craciun ciprian.crac...@gmail.com uidCiprian Dorin Craciun ccrac...@info.uvt.ro sub 4096g/15F68B01 2008-10-19 [expires: 2009-10-19] Looks like your subkey that I'd use to encrypt to you has expired, and thus my GPG didn't import it. -- Man, this is such a trip -Dan Mahoney, October 25, 1997 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Howto For DNS Key publishing.
All, I've written a pretty conclusive howto on how to publish keys in DNS, including detailing the advantages and disadvantages of each method, with full examples, details on testing, and real-world output. I've also re-implemented make-dns-cert as a shell script, so that it's more easily available to people who don't have the source, but who installed via a binary package (that's most people), including comments, cleaner record handling, auto-fingerprinting, etc. One command, three arguments, and you get all three record types. I cited credit where possible, but if I missed your name, let me know. Suggestions, feedback, requests, corrections, are all welcome. Initial publishing is to my livejournal, but I'm planning to wrap the whole thing to my webpage during a revamp. http://gushi.livejournal.com/524199.html Regards, -Dan Mahoney -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A lot of questions about CERT, PKA and make-dns-cert
On Wed, 21 Oct 2009, David Shaw wrote: On Oct 20, 2009, at 10:55 PM, Dan Mahoney, System Admin wrote: On Thu, 15 Oct 2009, David Shaw wrote: On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: I'm running: echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint I exported my key with: gpg --export --export-options minimal file; and make-dns-cert -n gushi.gushi.org -f file It works fine for me. What version of GPG are you using? I tried this again, after I nuked the fingerprint cert record. Oddly, running on gpg2 on an older debian system, I get: # echo foo | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org gpg: no keyserver known (use option --keyserver) gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error gpg: gu...@gushi.org: skipped: General error gpg: [stdin]: encryption failed: General error That first line specifically makes me scratch my head a bit. You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case. Can you try again with a single key in your CERT? Alternately, if you want both of your keys, you could use 2 different CERT records for the gushi.gushi.org. name, each with one of your keys (rather than 1 CERT record with a payload containing two keys). Note that this will usually result in round-robining for those people who don't have your key, which may or may not be what you want. For the benefit of people who may search this later, what's the best set of args to extract the key with? Neither export-clean nor export-minimal seems to be what I want. In effect what I want is only the most recent signature from each other key, so some hybrid of export-clean and export-minimal? At least using gpg 2.0.13, and a single key in the CERT, this works properly for me. I can't speak for an earlier version. All of that said, I think it's worth pointing out that IPGP (the fingerprint+URL variation of CERT) is far more useful that PGP (the full key). Not all systems are going to be able to pass a 1718-byte DNS message, as yours is. As DNSSEC becomes more widely adopted, as EDNS0 and TCPDNS become more the norm, this is less of an issue. IPGP is also little more than a standards-based version of HKP, which I'm also publishing. If I've uncommented the line in options.skel (present in some distros, not others), the order will be: #auto-key-locate cert pka ldap hkp://subkeys.pgp.net (one of my other pet peeves is that gpg hangs up on unknown options, instead of falling to the next, so if I haven't compiled with LDAP support that whole line will break things. Is this worth filing a bug?) Anyway, if we assume most people just say yeah sounds good and uncomment the option, pka is a chance to get info out if CERT fails. Why would I duplicate the same info? If I've published an IPGP cert, and it fails to validate, the same info in PKA won't fare any better. Since there's no way to reliably publish both forms of CERT and have the client able to request one or the other (or parse all records until we find one that works, instead of the first it gets), the PGP variant actually gets the key out there in a case where the URL is unretrievable (for example, behind a firewall where outbound finger is blocked, or in a case where we're compiled without curl support, but hitting a host that requires HTTP 1.1). Put another way, with PGP, all the info you need is in the DNS packets. With IPGP, you have another step to chase down. Only parsing one CERT response also prevents one from putting in multiple keys with the same key retrievable via multiple URIs, i.e. one finger, one http, etc. (On a related note, I can't specify multiple keyservers to search on the command line or in my config file, which is also annoying, is this worth filing a bug?). Is the way a CERT record is parsed (i.e. only parsing the first one) goverened by an RFC? Or considering the likely little use this is getting, do you feel it's too late in the game to change the way multiple records would be handled? This is also why I asked for a list of what uri formats are supported, and it would help me to know which of those are retrievable by default with no external libs. Given an HTTPS-capable webserver where I also control vhost order, if I only have one URI-format to publish, what's my best chance to have this support the most clients? Hell, can one put an hkp:// uri in that URL field? I suspect strongly that this feature doesn't get the most broad platform testing. Let me know if you'd like to help. Please do! More
Re: A lot of questions about CERT, PKA and make-dns-cert
On Wed, 21 Oct 2009, David Shaw wrote: You didn't give an actual version number (run gpg2 --version), so I can only make an educated guess, but I do think I see your problem. You don't have one key in your CERT - you have two (309C17C5 and 624BB249) combined into one DNS record. That doesn't work - it's a one-name-one-key mapping. We should give a better error message in this case. Aah, yes, there we go. Now it seems to work on all my systems. For some reason I assumed --export would just pick one key to match on, just as --delete-keys does. Note there's still a secondary key, hence my confusion. So far, the commands for a PGP CERT are: gpg --list-keys gu...@gushi.org (read, get key id) gpg2 --export --export-options export-clean keyid.pub.bin -or- gpg2 --export --export-options export-minimal keyid.pub.bin make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. keyid.dnscert The commands for an IPGP cert are: gpg --list-keys y...@you.com Choose your keyid from the above. gpg2 --export --armor keyid keyid.pub.asc copy the ascii file somewhere where it's url accessable. Manually copy/paste your fingerprint into the next command: make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint keyid.dnscert Then, publish one (and only one) CERT record in dns per-label. In my case this also means signing the zone and all that. Finally, for an _PKA record, it involves manually: u...@domain.com becomes user._pka.domain.com. Get your keyid as above. 1) Export to a uri as for IPGP cert, above (presumably, it can be the same uri). Strip your fingerprint like so: 2) gpg --fingerprint keyid | grep Key fingerprint | cut -d = -f 2 | sed 's/ *//g' The format of the text record is simple: you._pka.domain.com. IN TXT v=pka1;fpr=[#1];uri=[#2] Where the values are substituted from the steps above. Publish this in DNS. Test using: dig you._pka.domain.com TXT, see if you get a result. Test with a GPG client that doesn't otherwise have the key: echo foo | gpg --auto-key-locate pka --armor --encrypt -r y...@domain.com and see if you get an output. So here's the laundry list: 0) Do the above look mostly-right? 1) What are the best options for exporting certs for a CERT record? For a uri-styled record? (i.e. which signatures do you want to include?) 2) Do either the pka or the IPGP standards require the key to be in binary/ascii format? 3) What's the sanctioned list of uri formats? Where is it defined for CERT? For PKA? 4) As I'm not a c-coder, how difficult would it be to have the make-dns-cert output in base64 instead of binary? 5) How solid is the output of --fingerprint? Is it likely to change between versions, or are the grep and sed listed likely to work most places? 6) How difficult would it be to get the cert-export functions right into gpg? 7) How difficult would it be to get make-dns-cert built-by-default? 8) (asked previously) Is it worth filing a bug on not being able to specify multiple keyservers for auto-key-locate? 9) (also previously) Is it worth filing a bug to not have auto-key-locate vomit on unsupported methods? With the answers to the above, I'll write up a nice howto doc including the prereqs for all the above, the DNS requirements, and the like. -Dan -- It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there. -Paul Baecker January 3, 2k Indeed, sometime after 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A lot of questions about CERT, PKA and make-dns-cert
On Thu, 15 Oct 2009, David Shaw wrote: On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: I'm running: echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint I exported my key with: gpg --export --export-options minimal file; and make-dns-cert -n gushi.gushi.org -f file It works fine for me. What version of GPG are you using? I tried this again, after I nuked the fingerprint cert record. Oddly, running on gpg2 on an older debian system, I get: # echo foo | gpg2 -v -v --auto-key-locate cert --encrypt -r gu...@gushi.org gpg: no keyserver known (use option --keyserver) gpg: error retrieving `gu...@gushi.org' via DNS CERT: General error gpg: gu...@gushi.org: skipped: General error gpg: [stdin]: encryption failed: General error That first line specifically makes me scratch my head a bit. (The gpg manpage also appears to be a bit corrupted on this system). On my bsd system, I get what you see at http://www.gushi.org/gpg.txt. It retrieves the key, but complains of no fingerprint, however it actually DOES import the key, so it works a second time. If you require a shell to play with this, let me know and I'll provide one. With the demise of thawte's free cert offering, I'd really like to do what I can to increase awareness of this stuff. On my ubuntu desktop, it works fine. I suspect strongly that this feature doesn't get the most broad platform testing. Let me know if you'd like to help. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
A lot of questions about CERT, PKA and make-dns-cert
All, I'm in the process of writing a blog entry about the PKA and CERT methods. A couple people have written them a long time ago, and I'd like to bring some of the info up to date. (If this is better asked on gnupg-dev, let me know). For starters: 1) Currently the only tool that can generate a CERT record, make-dns-cert, is not built or packaged by default under any os I've found (I've tried FreeBSD and ubuntu). It has no documentation, no examples, and only a terse 4-line usage summary. I've also seen a few bugs reported with it, that I don't know if they're fixed, such as not handling whitespace in the key fingerprint properly. 2) I realize this is a fringe feature, but other than a few scattered blog posts that reference each other, some of which are written by gnupg developers, info on these methods is HARD TO FIND. There's nothing in the docs/faq about this, at all. I think adoption would be much more widespread if this were a faq-able item. It's mentioned once in the manpage, once in the default gnupg.conf, and that's really it. If you document it, people will use it (and with thawte dropping personal freemail certs lately, this is something you want). 3) As far as I know, PKA isn't standardized in any RFC. Has this been changed? I saw mention of applying to IANA for its own typecode. Is there a list somewhere of what uri types are supported? I saw talk of it not supporting http 1.1, but that may be fixed with curl. Of the two methods, I tend to actually prefer PKA because it lets me delegate _pka.example.com to its own sub-zone, whereas CERT records must be inserted into the main zone. 4) Try though I might, I can't seem to get my full-key in CERT format to recognize. I am not sure if this is because my key is complicated (i.e. it has subkeys), because the cert is not under my primary uid, or because I just plain exported it wrong. I'm running: echo foo | gpg -v -v --auto-key-locate cert --recipient gu...@gushi.org --encrypt -a And get gpg: error retrieving `gu...@gushi.org' via DNS CERT: No fingerprint I exported my key with: gpg --export --export-options minimal file; and make-dns-cert -n gushi.gushi.org -f file It's still live if anyone wants to try. 5) Finally, the quality of records being generated, while consistent with rfc3597, leaves them as a real bear to manage, and import. If you're going to export them in hex, could we please also get whitespace so we can get this into an editor easily? Ideally, the things would just be base64 encoded, in accordance with rfc4398. Most versions of bind9 understand the CERT record, with base64 representation, and numeric typecodes. bind9.6 understands the PGP type value mnemonic but not IPGP. BIND 9.7 understands IPGP. What would be really, really cool, is step by step instructions for exporting, or hell, let gpg generate these records, the way ssh-keygen generates SSHFP records. Those are my thoughts. -Dan -- Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: A lot of questions about CERT, PKA and make-dns-cert
On Thu, 15 Oct 2009, David Shaw wrote: David, For starters let me thank you on both the fullness and the expedience of your answer. Far too many open source projects just go crickets when I send out a laundry list, and I need to recognize your time. Let me also apologize in advance for my wordiness. We have quite a bit of ground to cover. On Oct 15, 2009, at 9:37 PM, Dan Mahoney, System Admin wrote: 1) Currently the only tool that can generate a CERT record, make-dns-cert, is not built or packaged by default under any os I've found (I've tried FreeBSD and ubuntu). It has no documentation, no examples, and only a terse 4-line usage summary. I've also seen a few bugs reported with it, that I don't know if they're fixed, such as not handling whitespace in the key fingerprint properly. I was referencing this thread: http://lists.gnupg.org/pipermail/gnupg-users/2006-April/028314.html If that's no longer the case, then no worry. I suppose if doc were more abundant I wouldn't have had to pore over old mailing list entries looking for examples :) The few examples I've seen online as to how to use this have the FP whitespace-stripped, so I assumed it was done so deliberately to work around that, and I did the same. Whether TXT or CERT, though, it's a fairly high barrier for many users. True, and sadly, applying for a separate typecode would be an additional barrier to entry there. (SPF made TXT what it is today!) Is there a formal spec document? The most I could find was a PDF slideshow. I do encourage you to document it better, and I'm willing to help explain wherever necessary, or make code changes if there is something that could be done better. Docs, I'm totally on. I'm trying as much as I can to link to the standards docs as well, which is why I was asking for a supported-uri-format doc. Ideally there should be something in the gpg faq, something in the manpage, and at least a small README in tools that covers all the things in there (maybe we can talk about what the rest of those do as well). If you really feel up to making code changes: gpg --export --format cert-PGP d...@prime.gushi.org gpg --export --format cert-IPGP gu...@gushi.org [--url=http://foo] gpg --export --format pka f...@bar.com --url=http://foo Some variation on the above would all be wonderful, but I don't think I'm likely to get that wish granted. One of the tutorials I saw made reference of using pgp-clean -- what is the gnupg equivalent of this? If you build GnuPG with curl (which is the default, assuming you have curl), then you have HTTP 1.1 support. That said, is there a particular HTTP 1.1 feature that you need here? After the PKA parsing happens, GPG is just doing a regular HTTP GET. No, I'm just looking for a full list of what you can put in the uri= portion of a _pka record. I never found it enumerated. Is https supported? If so, does the system do cert validation? I've seen finger and http, but wouldn't know where in the code to try to read to figure out the full list. I also didn't find a clear listing of what format the key should be in, although the finger hinted at the usual armored format. From a code end, I'd like to know for sure if either/both work. 4) Try though I might, I can't seem to get my full-key in CERT format to recognize. It works fine for me. What version of GPG are you using? gpg (GnuPG) 2.0.12 libgcrypt 1.4.4 When you say it works for you, do you mean you're able to parse my key, or that you've been able to publish and retrieve your own CERT-PGP record? If I nuke things down to my single cert-ipgp record, could you try again? Incidentally, you have two different CERT records for gushi.gushi.org at the same time. You have both a fingerprint-style answer and a full-key answer. This is not a major problem (GPG won't care - it'll just take the first one that parses), but if your nameserver does some sort of round-robining, it can be confusing as to which record is the one that gets used. I did that because it complained about having no fingerprint, so I thought for a moment it needed both kinds, one with the key, and a separate one with the FP. Most versions of bind9 understand the CERT record, with base64 representation, and numeric typecodes. bind9.6 understands the PGP type value mnemonic but not IPGP. BIND 9.7 understands IPGP. The cert is a single, long, unbroken hex string. BIND will understand it if you chuck it into an include file or paste it in with a non-wrapping editor. But it's fragile and unwieldly. If you feel like carefully counting characters, you can wrap it, as long as you hit a hex boundary. Adding a few spaces and parens would make it just work if wrapped. And the presentation format should be base64, not binary (dnssec-signzone will convert both _pka and CERT records to this format anyway). When I wrote the code, precious few nameservers understood any
