Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
On Friday, May 17, 2024 at 01:39:55 +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
> > This isn't that easy. The pcscd is running (when needed) as:
> >
> > purism@pureos:~$ ps ax | grep pcscd
> >    2151 ?        Ssl    0:00 /usr/sbin/pcscd --foreground --auto-exit
> >
> > it is launched by a system service:
>
> I see. IIUC, PureOS is Debian based. There should be a file for systemd
> as /lib/systemd/system/pcscd.service. Its content is something like:
> ...

I did it already with editing/creating the files and commands below.
Putting '--debug' in a variable with Environment= as your hint is far
more elegant and would remove the service override.conf method. The
output went to /var/log/syslog, some 10.000 lines of one PIN request. I
haven't found time to study them.

	matthias

/lib/systemd/system/pcscd.service:

    [Unit]
    Description=PC/SC Smart Card Daemon
    Requires=pcscd.socket
    Documentation=man:pcscd(8)

    [Service]
    ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
    ExecStart=/usr/sbin/pcscd --foreground --auto-exit
    ExecReload=/usr/sbin/pcscd --hotplug

    [Install]
    Also=pcscd.socket

/etc/systemd/system/pcscd.service.d/override.conf:

    [Unit]
    Description=PC/SC Smart Card Daemon
    Requires=pcscd.socket
    Documentation=man:pcscd(8)

    [Service]
    ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 2"
    # ExecStart=/usr/sbin/pcscd --foreground --auto-exit --debug
    ExecReload=/usr/sbin/pcscd --hotplug

    [Install]
    Also=pcscd.socket

/usr/lib/systemd/system/pcscd.service.d/librem5.conf:

    [Service]
    Environment="LIBCCID_ifdLogLevel=0x"
    ExecStartPre=/bin/bash -c "echo 1 > /sys/class/leds/smc_en/brightness && sleep 5"
    ExecStopPost=/bin/bash -c "echo 0 > /sys/class/leds/smc_en/brightness"
    StandardOutput=syslog
    StandardError=syslog

    systemctl stop pcscd.service
    systemctl daemon-reload
    systemctl start pcscd.service

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
I am not at war with Russia. Я не воюю с Россией. Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
On Thursday, May 16, 2024 at 04:09:44 +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
> > It seems that the first time is longer. I will increase the debug-level
> > for scdaemon.
>
> Thank you for the information. I think that it's better to debug how
> PC/SC goes.
>
> To get full debug log in lower level, you can invoke pcscd manually with
> root:
>
> # LIBCCID_ifdLogLevel=0x pcscd -f --debug

This isn't that easy. The pcscd is running (when needed) as:

    purism@pureos:~$ ps ax | grep pcscd
       2151 ?        Ssl    0:00 /usr/sbin/pcscd --foreground --auto-exit

it is launched by a system service:

    root@pureos:/home/purism# systemctl status pcscd
    ● pcscd.service - PC/SC Smart Card Daemon
         Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor pres>
        Drop-In: /usr/lib/systemd/system/pcscd.service.d
                 └─librem5.conf
         Active: active (running) since Thu 2024-05-16 10:02:44 CEST; 12s ago
    TriggeredBy: ● pcscd.socket
           Docs: man:pcscd(8)
        Process: 27601 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/>
        Process: 27602 ExecStartPre=/bin/bash -c echo 1 > /sys/class/leds/smc_en/>
       Main PID: 27603 (pcscd)
          Tasks: 5 (limit: 3015)
         Memory: 752.0K
            CPU: 303ms
         CGroup: /system.slice/pcscd.service
                 └─27603 /usr/sbin/pcscd --foreground --auto-exit

I killed a running pcscd and started it as root as you say, but this
makes gpg-agent fail to communicate. I have to figure out how to set your
env var LIBCCID_ifdLogLevel=0x and where the debug log of pcscd goes in
this case. This will take a while.

	matthias
Re: It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
On Thursday, May 16, 2024 at 03:00:52 +0900, NIIBE Yutaka wrote:

> Hello,
>
> I wonder if it takes always 8-9 secs, or it's only for the first time.
>
> Matthias Apitz wrote:
> > /tmp/scdaemon-debug.log:
> [...]
> > 2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO
> >
> > It takes 8 secs until scdaemon detects the reader, what does this mean?
> >
> > 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
> > 2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 01'
>
> The scdaemon dynamically loads PC/SC shared library and asks PC/SC
> service for available card readers. PC/SC service is invoked, if not
> there. Then, PC/SC service dynamically loads serial driver
> (libccidtwin.so). And it's the serial driver which accesses the card
> access chip (IIUC, it's STM32L4xx). That's what is going on.
>
> But 8 seconds are too much. Something is going wrong...

    purism@pureos:~$ date ; scp foo $ua:. ; date
    Thu 16 May 2024 08:10:56 AM CEST
    foo                                   100%    0     0.0KB/s   00:00
    Thu 16 May 2024 08:11:11 AM CEST

15 secs (~4-5 of them to enter the PIN)

    purism@pureos:~$ date ; scp foo $ua:. ; date
    Thu 16 May 2024 08:11:22 AM CEST
    foo                                   100%    0     0.0KB/s   00:00
    Thu 16 May 2024 08:11:30 AM CEST

8 secs (~4-5 of them to enter the PIN)

    purism@pureos:~$ date ; scp foo $ua:. ; date
    Thu 16 May 2024 08:11:42 AM CEST
    foo                                   100%    0     0.0KB/s   00:00
    Thu 16 May 2024 08:11:49 AM CEST

7 secs (~4-5 of them to enter the PIN)

    purism@pureos:~$ date ; scp foo $ua:. ; date
    Thu 16 May 2024 08:12:33 AM CEST
    foo                                   100%    0     0.0KB/s   00:00
    Thu 16 May 2024 08:12:41 AM CEST

8 secs (~4-5 of them to enter the PIN)

It seems that the first time is longer. I will increase the debug-level
for scdaemon.

	matthias
It takes 8-9 secs until pinentry asks for the PIN of the OpenPGP card
Hello,

I'm using an OpenPGP card in my cellphone Purism L5 for GnuPG actions
(password-store, SSH, ...). It mostly takes some 8-9 seconds until the
PIN entry dialog pops up. I enabled debug log for the gpg-agent and the
scdaemon, see below, and the time is consumed by the scdaemon waiting for
something. What does this mean?

	matthias

/tmp/gpg-agent-debug.log:

    2024-05-15 10:55:09 gpg-agent[2565] DBG: chan_11 -> BYE
    2024-05-15 11:07:58 gpg-agent[2565] ssh handler 0xb17ff1e0 for fd 10 started
    2024-05-15 11:07:58 gpg-agent[2565] ssh request handler for request_identities (11) started
    2024-05-15 11:07:58 gpg-agent[2565] no running SCdaemon - starting it
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK GNU Privacy Guard's Smartcard server ready
    2024-05-15 11:07:58 gpg-agent[2565] DBG: first connection to SCdaemon established
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> GETINFO socket_name
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- D /run/user/1000/gnupg/S.scdaemon
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
    2024-05-15 11:07:58 gpg-agent[2565] DBG: additional connections at '/run/user/1000/gnupg/S.scdaemon'
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> OPTION event-signal=12
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
    2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> SERIALNO

it takes 8-9 secs to get the card's SERIALNO from the scdaemon

    2024-05-15 11:08:07 gpg-agent[2565] DBG: chan_11 <- S SERIALNO D2760001240103040005A6FE
    ...

/tmp/scdaemon-debug.log:

    2024-05-15 11:07:58 scdaemon[16983] listening on socket '/run/user/1000/gnupg/S.scdaemon'
    2024-05-15 11:07:58 scdaemon[16983] handler for fd -1 started
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- GETINFO socket_name
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> D /run/user/1000/gnupg/S.scdaemon
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- OPTION event-signal=12
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 -> OK
    2024-05-15 11:07:58 scdaemon[16983] DBG: chan_7 <- SERIALNO

It takes 8 secs until scdaemon detects the reader, what does this mean?

    2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 00'
    2024-05-15 11:08:06 scdaemon[16983] detected reader 'L5 built-in SmartCard Reader 00 01'
    2024-05-15 11:08:06 scdaemon[16983] reader slot 0: not connected
    2024-05-15 11:08:06 scdaemon[16983] reader slot 0: active protocol: T1
    2024-05-15 11:08:06 scdaemon[16983] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
    2024-05-15 11:08:06 scdaemon[16983] AID: D2 76 00 01 24 01 03 04 00 05 00 00 A6 FE 00 00
    2024-05-15 11:08:06 scdaemon[16983] Historical Bytes: 00 31 F5 73 C0 01 60 05 90 00
    2024-05-15 11:08:06 scdaemon[16983] Version-2+ .: yes
    ...
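To see the wait quantified rather than by eyeballing timestamps, the following is an added helper (not from the thread): it pairs each "chan_N -> SERIALNO" request with the next "chan_N <- S SERIALNO" reply on the same channel in a gpg-agent log written with "debug ipc" and prints the gap in seconds. The sample lines in demo_log are constructed to match the format of the log above; the function and its name are introduced here, not a GnuPG tool.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: measure how long gpg-agent waits
# for scdaemon's reply to SERIALNO in a gpg-agent log produced with the
# "debug ipc" option. Each "chan_N -> SERIALNO" request is paired with the
# next "chan_N <- S SERIALNO ..." reply on the same channel.
# Usage:  serialno_latency [logfile]   (reads stdin when no file is given)
# Output: one "chan_N seconds" line per answered request, and
#         "chan_N no-reply" for requests still unanswered at end of log.

serialno_latency() {
    awk '
        # seconds since midnight from the HH:MM:SS field of a log line
        function tod(s,   t) { split(s, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }

        /DBG: chan_[0-9]+ -> SERIALNO$/ {
            start[$5] = tod($2)          # $5 is the chan_N token, $2 the time
            next
        }
        /DBG: chan_[0-9]+ <- S SERIALNO/ {
            if ($5 in start) {
                d = tod($2) - start[$5]
                if (d < 0) d += 86400    # request and reply straddle midnight
                print $5, d
                delete start[$5]
            }
        }
        END { for (c in start) print c, "no-reply" }
    ' "${1:--}"
}

# Constructed sample log (same format as the mail above): chan_11 is answered
# after 9 s, chan_12 is answered across midnight, chan_13 never gets a reply.
demo_log() {
    cat <<'EOF'
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> OPTION event-signal=12
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 <- OK
2024-05-15 11:07:58 gpg-agent[2565] DBG: chan_11 -> SERIALNO
2024-05-15 11:08:07 gpg-agent[2565] DBG: chan_11 <- S SERIALNO D2760001240103040005A6FE
2024-05-15 23:59:58 gpg-agent[2565] DBG: chan_12 -> SERIALNO
2024-05-16 00:00:02 gpg-agent[2565] DBG: chan_12 <- S SERIALNO D2760001240103040005A6FE
2024-05-16 00:00:02 gpg-agent[2565] DBG: chan_13 -> SERIALNO
EOF
}

demo_log | serialno_latency
```

Run it against the real file with "serialno_latency /tmp/gpg-agent-debug.log"; a value that stays at 8-9 only for the first request after scdaemon starts points at reader/PC-SC start-up rather than the card itself.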
Re: setup of OpenPGP card not asking for keysize
I did a factory reset and changed the keylength with the subcommand
'key-attr' to 4096. All fine, and one must be patient as the key
'generate' takes significantly longer.

	matthias
setup of OpenPGP card not asking for keysize
Hello,

I'm setting up a new OpenPGP card I've got from Purism for my second
mobile L5. During the key generation it is not asking for the length of
the key 2024 or 4096 bits. The status is:

    purism@pureos:~$ gpg --card-status
    Reader ...........: L5 built-in SmartCard Reader 00 00
    Application ID ...: D2760001240103040005CF41
    Application type .: OpenPGP
    Version ..........: 3.4
    Manufacturer .....: ZeitControl
    Serial number ....: CF41
    Name of cardholder: [not set]
    Language prefs ...: de
    Salutation .......: 
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 64 64 64
    PIN retry counter : 3 0 3
    Signature counter : 4
    KDF setting ......: off
    Signature key ....: 0880 352D F31B 5AED 8E90  FC5B 0650 0BB7 D65F 4BE3
          created ....: 2024-05-11 15:18:52
    Encryption key....: 3E6E 4F1D 541F 9BD8 CEF7  C01C EE22 0666 1921 411A
          created ....: 2024-05-11 15:18:52
    Authentication key: 1274 5D73 CDA7 69B5 979D  2FE9 5E3B 2EB2 1466 6396
          created ....: 2024-05-11 15:18:52
    General key info..: pub  rsa2048/06500BB7D65F4BE3 2024-05-11 Matthias Apitz (OpenPGP card)
    sec>  rsa2048/06500BB7D65F4BE3  created: 2024-05-11  expires: never
                                    card-no: 0005 CF41
    ssb>  rsa2048/5E3B2EB214666396  created: 2024-05-11  expires: never
                                    card-no: 0005 CF41
    ssb>  rsa2048/EE2206661921411A  created: 2024-05-11  expires: never
                                    card-no: 0005 CF41

I can do 'generate' again because the keys are still not in use. Older
cards in the dialog were asking (as my write-ups show):

    ...
    What keysize do you want for the Signature key? (2048) 4096
    The card will now be re-configured to generate a key of 4096 bits
    ...

How can I force keysize 4094?

Thanks

	matthias
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 2, 2024 at 07:46:33 +0200, Werner Koch via Gnupg-users wrote:

> On Thu,  2 May 2024 15:31, Matthias Apitz said:
>
> > which locks the card again. Any ideas?
>
> If you really want to reset the card after an operation _and_ you are
> using pcscd you can use
>
> ...

Thanks for all the hints. The problem with this OpenPGP card in the
cellphone L5 is that it is not a USB dongle which one could pull out to
invalidate the access to the keys. It sits inside the phone as a
Micro-SIM below the battery. So I now do with ~/.ssh/config:

    Host *
        # note: this needs in /etc/ssh/ssh_config: PermitLocalCommand yes
        #
        LocalCommand gpgconf --reload scdaemon

This resets the card right after the PIN was provided for the SSH
session. This works fine for the ssh(1) command, but not for the scp(1)
command. Even when I say:

    $ scp "-oPermitLocalCommand=yes" foo www.unixarea.de:.

The "ssh" launched by "scp" shows in strace that it is launched with the
value "-oPermitLocalCommand=no":

    $ grep exec scp.tr
    10205 execve("/usr/bin/scp", ["scp", "-oPermitLocalCommand=yes", "foo", "www.unixarea.de"...], 0xdf2147a0 /* 32 vars */) = 0
    10206 execve("/usr/bin/ssh", ["/usr/bin/ssh", "-x", "-oPermitLocalCommand=no", "-oClearAllForwardings=yes", "-oRemoteCommand=none", "-oRequestTTY=no", "-o", "PermitLocalCommand=yes", "-oForwardAgent=no", "-l", "", "--", "www.unixarea.de", "scp -t ."], 0xe38c6780 /* 32 vars */) = 0

To overcome this problem I use now a macro "scp" defined in ~/.bashrc:

    function scp {
        # run the real scp binary, not this function; quote "$@" so that
        # file names with spaces survive
        $(which scp) "$@"
        local rc=$?
        # lock the OpenPGP card again, whether or not the copy succeeded
        gpgconf --reload scdaemon
        return $rc
    }

Thanks

	matthias
Re: Using a GnuPG crypted RSA key for SSH
> I run the L5 with its OpenPGP card since 2021 and I don't remember the
> exact setup now. In any case, gpg-agent is there after any reboot.
>

One issue remains with the now working OpenPGP card for SSH: When the
correct PIN was provided the card remains unlocked, regardless of whether
or not the SSH session was successful. This is a security problem: On
mobile theft all gpg files are open.

Until now I only used the pass command from password-store and added at
its end:

    purism@pureos:~$ tail -4 /usr/bin/pass
    #
    gpgconf --reload scdaemon
    sleep 2
    exit 0

which locks the card again. Any ideas?

	matthias
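One way to apply the same relock to every card-using command, covering both the patched /usr/bin/pass shown here and the ~/.bashrc scp macro from the follow-up above, as an added example that is not part of the thread: a wrapper that runs the command and then resets scdaemon, keeping the command's exit status instead of discarding it. CARD_RESET_CMD and with_card_relock are names introduced here, not GnuPG settings.

```shell
#!/bin/sh
# Added example, not from the thread: run one command that may unlock the
# OpenPGP card through gpg-agent (ssh, scp, pass, gpg -d ...), then make
# scdaemon forget the verified PIN again, whatever the command's outcome.
# Unlike "cmd; gpgconf --reload scdaemon; exit 0" it preserves cmd's exit
# status, so scripts and shells still see a failed login or copy. The
# wrappers use "command" to reach the real binaries while shadowing their
# names. CARD_RESET_CMD is an assumption introduced here so the reset step
# can be swapped out (for instance for a counter when testing).
: "${CARD_RESET_CMD:=gpgconf --reload scdaemon}"

with_card_relock() {
    "$@"
    _rc=$?
    # always relock, also after a failed command, then report its status
    $CARD_RESET_CMD
    return "$_rc"
}

# drop-in replacements for the ~/.bashrc macro and the edited pass script;
# put these in ~/.bashrc instead of patching /usr/bin/pass
ssh()  { with_card_relock command ssh  "$@"; }
scp()  { with_card_relock command scp  "$@"; }
pass() { with_card_relock command pass "$@"; }
```

The wrapper does not intercept Ctrl-C, so an interrupted command still returns through the shell without the relock; the LocalCommand in ~/.ssh/config remains a useful second layer for interactive ssh.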
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 2, 2024 at 08:13:12 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 01:58:37PM +0200, Matthias Apitz wrote:
> >
> > gpg-agent was always there, started by system boot.
>
> Are you certain? Did you change that at some point? Because if you use the
> default pureOS it doesn't. Just say'n

Yes. It gets started by systemd (proc 719 here) at boot time:

    root@pureos:/home/purism# ps axl | grep gpg-agent | grep -v grep
    0  1000  2246   719  20   0  83436  5312 do_sel SLs  ?  0:01 /usr/bin/gpg-agent --supervised
    root@pureos:/home/purism# ps axl | grep 719 | head -1
    4  1000   719     1  20   0  16440  8448 do_epo Ss   ?  0:02 /lib/systemd/systemd --user

I run the L5 with its OpenPGP card since 2021 and I don't remember the
exact setup now. In any case, gpg-agent is there after any reboot.

	matthias
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 2, 2024 at 07:44:04 -0400, Henning Follmann wrote:

> On Thu, May 02, 2024 at 10:33:15AM +0200, Matthias Apitz wrote:
> > On Thursday, May 2, 2024 at 08:17:58 +0200, Werner Koch via
> > Gnupg-users wrote:
> >
> > > ...
> > > On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> > > on some distros the X config greps for this to decide whether to start
> > > the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> > > always enabled and thus the option is not really required.
> >
> > [deleted]
>
> I do not know what you did, but that looks like a mess
> Your pinentry was working before (I guess) and you should not change
> anything there.
>
> And there is no need for using trace - way too complicated!
>
> as Werner said add
>
> enable-ssh-support
>
> to your ~/.gnupg/gpg-agent.conf

I have had this in that file (as I said in my last mail).

> You might also create a ~/.gnupg/sshcontrol and add the keygrip of your
> authentication subkey in there
>
> and then finally tell ssh where to find the ssh-agent socket. gpg will tell
> you that by:
>
> gpgconf --list-dirs agent-ssh-socket
>
> just put
>
> export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

I have had this too.

> in your ~/.bashrc
>
> and because gpg-agent does not usually run as daemon make sure it is
> running before you use ssh
>
> gpgconf --launch gpg-agent

gpg-agent was always there, started by system boot.

> You also could add that to your .bashrc

The missing piece to get it working now was to tell gpg-agent the
correct TTY with:

    gpg-connect-agent updatestartuptty /bye

which perhaps the gpg command does, but ssh can't.

Thanks for all the hints I got.

	matthias
Re: Using a GnuPG crypted RSA key for SSH
On Thursday, May 2, 2024 at 08:17:58 +0200, Werner Koch via Gnupg-users wrote:

> ...
> On Linux take care to add "enable-ssh-support" to gpg-agent.conf because
> on some distros the X config greps for this to decide whether to start
> the ssh-agent or leave this to gpg-agent. Technically the ssh support is
> always enabled and thus the option is not really required.

I have this working now already up to the point that ssh asks the
gpg-agent to unlock the card and ask for the PIN to do so. But this is
failing because gpg-agent uses:

    $ grep pinentry agent.tr
    4692  execve("/usr/bin/pinentry", ["pinentry", "--display", ":0"], 0xa8004be0 /* 41 vars */) = 0

which fails with an unsupported ioctl to fd=0, while a command 'gpg -d
foo.asc' works fine, and here gpg-agent uses

    $ grep pinentry agent-gpg.tr
    4997  read(10, "OPTION allow-pinentry-notify\n", 1002) = 29
    4997  write(7, "chan_10 <- OPTION allow-pinentry"..., 40) = 40
    5001  execve("/usr/bin/pinentry", ["pinentry"], 0xa80016d0 /* 41 vars */) = 0

i.e. the pinentry command without --display ...

my config file for gpg-agent looks like:

    $ cat .gnupg/gpg-agent.conf
    enable-ssh-support
    debug-pinentry
    debug ipc
    log-file /tmp/gpg-agent-debug.log
    max-cache-ttl 1
    # pinentry-program /usr/bin/pinentry

I tried to play with the config value of pinentry-program without luck.
The environment of the gpg-agent contains:

    GNUPGHOME=/home/purism/.gnupg
    GPG_TTY=not a tty

Any idea how to get gpg-agent asking correctly for the PIN?

	matthias
Using a GnuPG crypted RSA key for SSH
Hello,

I've on my Linux cellphone L5 my RSA key for SSH crypted with GnuPG (to
be exact, with an OpenPGP card in the phone). I can do fine:

    $ gpg -d id_rsa.asc > id_rsa   # which asks for the PIN of the OpenPGP card
    $ ssh www.unixarea.de
    Enter passphrase for key '/home/guru/.ssh/id_rsa':
    ...
    $ rm id_rsa                    # so it can't get lost on theft of the L5

Is there some other solution for GnuPG+SSH without writing the private
key id_rsa to a file? Or even better, as well without the need of
entering the passphrase for the RSA key?

Thanks

	matthias
Re: Second OpenPGP-card
On Thursday, February 29, 2024 at 01:40:53 +0100, Ingo Klöcker wrote:

> "CCID L5" doesn't strike me as a sufficiently unique identifier for a key. If
> I add a (secondary) user ID "CCID L5" to my key and trick Matthias into
> importing it won't pass start encrypting their passwords for my key?
>
> My ~/.password-store/.gpg-id contains the fingerprint of my password
> encryption key.

Mine too now:

    purism@pureos:~$ gpg --list-keys --fingerprint
    /home/purism/.gnupg/pubring.kbx
    -------------------------------
    pub   rsa2048 2021-10-30 [SC]
          336E B968 92FE 9FE7 F6AD  01D6 529B 7423 F360 8141
    uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
    sub   rsa2048 2021-10-30 [A]
    sub   rsa2048 2021-10-30 [E]

    purism@pureos:~$ cat .password-store/.gpg-id
    336E B968 92FE 9FE7 F6AD 01D6 529B 7423 F360 8141

Thanks for this hint.

	matthias
Re: Second OpenPGP-card
On Wednesday, February 28, 2024 at 10:32:43 +0100, Werner Koch via Gnupg-users wrote:

> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>
> > Therefore, pass(1) almost certainly has its own list of keys stored
>
> pass stores the fingerprints of the keys in a .gpg-id file and allows to
> set different ones per directories.

Werner,

I have only one .gpg-id file on my L5 mobile in my password-store:

    purism@pureos:~$ find .password-store/ -name .gpg-id
    .password-store/.gpg-id
    purism@pureos:~$ cat .password-store/.gpg-id
    CCID L5

	matthias
Re: Second OpenPGP-card
On Tuesday, February 27, 2024 at 08:52:55 -0600, Jacob Bachmeyer via Gnupg-users wrote:

> > It says:
> >
> > purism@pureos:~$ gpg --list-keys
> > /home/purism/.gnupg/pubring.kbx
> > ---
> > pub   rsa2048 2021-10-30 [SC]
> >       336EB96892FE9FE7F6.......
> > uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
> > sub   rsa2048 2021-10-30 [A]
> > sub   rsa2048 2021-10-30 [E]
> >
> > [...]
>
> Are you sure that *that* is the list of public keys used by pass(1)? It
> almost certainly is not, since GPG's public key collection is meant to
> collect keys for a variety of uses. For example, sending encrypted emails
> or verifying signatures. You probably do not want your password store
> encrypted to everyone you correspond with!
>
> Therefore, pass(1) almost certainly has its own list of keys stored
> somewhere else. Your regular public key was probably copied to that list
> when you initialized the password store. That is the list that you need to
> regularly check, lest Mallory be able to sneak his key onto it. That list
> is *also* where you need to add your new public key in order to migrate your
> password store.
>
> ...

It must be *that* list pass(1) is using, because:

    purism@pureos:~$ ls -ld .gnu*
    drwx------ 5 purism purism 4096 Feb 28 05:59 .gnupg
    purism@pureos:~$ env | grep GNU
    GNUPGHOME=/home/purism/.gnupg
    purism@pureos:~$ file .password-store/test.gpg
    .password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .
    purism@pureos:~$ gpg -da .password-store/test.gpg
    (it asks for the card's PIN on the L5 display desktop)
    gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
          "Matthias Apitz (GnuPG CCID L5) "
    secret
    purism@pureos:~$ cat .password-store/.gpg-id
    CCID L5

I'm attaching the shell script /usr/bin/pass; the code for the "init"
command of pass(1) starts at line 300 and I don't see that any other key
is used than the one in GNUPGHOME.

If I understand this correctly, if any other public key would be added to
the file /home/purism/.gnupg/pubring.kbx, pass(1) would only use the key
"CCID L5" to encrypt any new object stored in ~/.password-store and not
the public key of Mallory. Am I wrong?

I will consider your hints about RSA4096 when initializing the new second
card. Thanks for them.

	matthias

    #!/usr/bin/env bash

    # Copyright (C) 2012 - 2018 Jason A. Donenfeld. All Rights Reserved.
    # This file is licensed under the GPLv2+. Please see COPYING for more information.

    umask "${PASSWORD_STORE_UMASK:-077}"
    set -o pipefail

    GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
    GPG="gpg"
    export GPG_TTY="${GPG_TTY:-$(tty 2>/dev/null)}"
    which gpg2 &>/dev/null && GPG="gpg2"
    [[ -n $GPG_AGENT_INFO || $GPG == "gpg2" ]] && GPG_OPTS+=( "--batch" "--use-agent" )

    PREFIX="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
    EXTENSIONS="${PASSWORD_STORE_EXTENSIONS_DIR:-$PREFIX/.extensions}"
    X_SELECTION="${PASSWORD_STORE_X_SELECTION:-clipboard}"
    CLIP_TIME="${PASSWORD_STORE_CLIP_TIME:-45}"
    GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}"
    CHARACTER_SET="${PASSWORD_STORE_CHARACTER_SET:-[:graph:]}"
    CHARACTER_SET_NO_SYMBOLS="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}"

    export GIT_CEILING_DIRECTORIES="$PREFIX/.."

    #
    # BEGIN helper functions
    #

    set_git() {
        INNER_GIT_DIR="${1%/*}"
        while [[ ! -d $INNER_GIT_DIR && ${INNER_GIT_DIR%/*}/ == "${PREFIX%/}/"* ]]; do
            INNER_GIT_DIR="${INNER_GIT_DIR%/*}"
        done
        [[ $(git -C "$INNER_GIT_DIR" rev-parse --is-inside-work-tree 2>/dev/null) == true ]] || INNER_GIT_DIR=""
    }
    git_add_file() {
        [[ -n $INNER_GIT_DIR ]] || return
        git -C "$INNER_GIT_DIR" add "$1" || return
        [[ -n $(git -C "$INNER_GIT_DIR" status --porcelain "$1") ]] || return
        git_commit "$2"
    }
    git_commit() {
        local sign=""
        [[ -n $INNER_GIT_DIR ]] || return
        [[ $(git -C "$INNER_GIT_DIR" config --bool --get pass.signcommits) == "true" ]] && sign="-S"
        git -C "$INNER_GIT_DIR" commit $sign -m "$1"
    }
    yesno() {
        [[ -t 0 ]] || return 0
Re: Second OpenPGP-card
On Monday, February 26, 2024 at 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > [...]
> > Said/showed that, I can't imagine that, when I SCP the file
> > .password-store/test.gpg to another mobile with another OpenPGP card,
> > that this system would be able to decrypt the file and reencrypt it
> > again with the new card.
>
> Correct. You must first copy the *new* public key to the *old* system and
> re-encrypt the password store to *both* public keys on the *old* system,
> then transfer the encrypted blobs to the new system.
> ...

Thanks for the clarification and clear instruction.

> While you are here, this is a good time to remind you to regularly check the
> list of public keys used with your password store. If Mallory can sneak
> *his* key onto that list, he will be able to get your passwords!

It says:

    purism@pureos:~$ gpg --list-keys
    /home/purism/.gnupg/pubring.kbx
    -------------------------------
    pub   rsa2048 2021-10-30 [SC]
          336EB96892FE9FE7F6...
    uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
    sub   rsa2048 2021-10-30 [A]
    sub   rsa2048 2021-10-30 [E]

What makes me wonder is the last modification date of the file:

    purism@pureos:~$ ls -l /home/purism/.gnupg/pubring.kbx
    -rw------- 1 purism purism 172324 feb  1 11:13 /home/purism/.gnupg/pubring.kbx

I've never done anything with this and expected it also at date
2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

	matthias
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri,  9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

Only for the record: Meanwhile I bought the 2nd OpenPGP card in the
Purism shop because floss-shop.de can't cut out the Micro-SIM size.

> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

I have here an example file of an entry 'test' in my .password-storage:

    purism@pureos:~$ pass test
    ┌────────────────────────────┐
    │ Please unlock the card     │
    │                            │
    │ Number: 0005 0000A6FE      │
    │ Holder: Matthias Apitz     │
    │                            │
    │ PIN                        │
    │                            │
    │                            │
    └────────────────────────────┘
    secret
    purism@pureos:~$ file .password-store/test.gpg
    .password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .
    purism@pureos:~$ gpg -da .password-store/test.gpg
    ┌────────────────────────────┐
    │ Please unlock the card     │
    │                            │
    │ Number: 0005 0000A6FE      │
    │ Holder: Matthias Apitz     │
    │                            │
    │ PIN                        │
    │                            │
    │                            │
    └────────────────────────────┘
    gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
          "Matthias Apitz (GnuPG CCID L5) "
    secret

Said/showed that, I can't imagine that, when I SCP the file
.password-store/test.gpg to another mobile with another OpenPGP card,
that this system would be able to decrypt the file and reencrypt it
again with the new card.

	matthias
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 12:47:13 +0100, Klaus Ethgen wrote:

> Hi,
>
> On Fri, 9 Feb 2024 at 15:36, Matthias Apitz wrote:
> > Next question: Can I transfer somehow the key from one card to the
> > other to use the same encrypted files foo.gpg from my password store:
> >
> > purism@pureos:~$ find .password-store/ -type f | wc -l
> > 373
>
> Well, pass has its mechanism itself. Just reinit your store with both
> keys and it should reencrypt them.
>
> I did that in the past with subdirs (where you can have different keys).

Hi Klaus,

I do not fully understand the procedure. Actually the .password-store/ is
encrypted with the gpg-key-A on the phone L5, number 1. When I now create
on the phone number 2 with the other OpenPGP card a gpg-key-B, and
transfer the .password-store/ by SCP to this phone number 2, and run
there:

    pass init gpg-key-B

How can 'pass' (i.e. gnupg) decrypt the files of the .password-store/
without having access to the OpenPGP card in phone 1 to re-encrypt them
with gpg-key-B?

Could you or someone please be so kind and clarify this? Thanks in
advance.

	matthias
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 09:57:17 a.m. -0500, Henning Follmann wrote:

> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> > On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
> > Gnupg-users wrote:
> >
> > > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> > >
> > > > So, can I buy this card here in Europe or even in Germany?
> > >
> > > floss-shop.de
> >
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it myself because it must fit
> > exactly in the internal reader slot behind the battery, or it will not
> > come out anymore.
>
> I do not know who you talked to but they offer their cards with a
> ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
> corners with sandpaper.
> That is the exact size you are looking for.

No. The card sizes are:

    Standard SIM: 15 x 25mm
    Micro SIM:    12 x 15mm
    Nano SIM:     8.8 x 12.3mm

We need here 'Micro SIM'. And I talked to the owner of floss-shop. They do not offer a way to pop out Micro SIM.

matthias
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 03:40:12 p.m. +0100, Jakob Bohm via Gnupg-users wrote:

> On 2024-02-13 14:32, Matthias Apitz wrote:
> > On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via
> > Gnupg-users wrote:
> >
> > > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> > >
> > > > So, can I buy this card here in Europe or even in Germany?
> > > floss-shop.de
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it myself because it must fit
> > exactly in the internal reader slot behind the battery, or it will not
> > come out anymore.
> Because the GPG specific code installed on the card is FLOSS, you might be
> able to buy blank cards in the desired form factor and install the code
> yourself, provided the parts (code and card) can be legally transported to
> Cuba despite US sanctions. In particular, the Card Operating System or
> runtime may be of US origin and thus subject to sanctions.

I live in Europe and travel often to Cuba. Where could I get a blank card MicroSIM, the code and a manual on how to flash it into the card?

matthias
Re: Second OpenPGP-card
On Tuesday, February 13, 2024 at 11:04:31 a.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

I've contacted floss-shop.de. They can not provide (i.e. cut) the card to Micro-SIM format. And I will not cut it myself because it must fit exactly in the internal reader slot behind the battery, or it will not come out anymore.

> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

The files of the password store are very small, normally two lines like:

    secret
    Username: g...@unixarea.de

Is this code already available for testing?

Thanks

matthias
Second OpenPGP-card
I do use an OpenPGP-card, bought from Purism, in one of my L5 mobiles and I want to buy a second one for my other L5. I use two L5, one in Europe, the other in Cuba with a Cuban SIM card. I could buy the 2nd card in Purism too, but would have to pay $65 shipping fee for the $15 card. So, can I buy this card here in Europe or even in Germany?

Next question: Can I transfer somehow the key from one card to the other to use the same encrypted files foo.gpg from my password store:

    purism@pureos:~$ find .password-store/ -type f | wc -l
    373

If not, I could with a script decrypt all the files in this tree and encrypt them again after setting up the card. But it would be better to just copy the files over by SCP, also when passwords get added or updated.

Thanks

matthias
Re: gpg --card-status
On Monday, January 01, 2024 at 09:10:01 p.m. +0100, Ingo Klöcker wrote:

> On Monday, 1 January 2024 20:33:28 CET Matthias Apitz wrote:
> > It seems from the man page that only '#' is documented:
>
> Must be an older version. The manual page of GnuPG 2.4.3 reads:

You are correct:

    $ gpg --version | grep ^gpg
    gpg (GnuPG) 1.4.23
    $ man gpg | col -b | grep -A5 -- -K
           -K
                  List all keys from the secret keyrings, or just the ones given
                  on the command line. A # after the letters sec means that the
                  secret key is not usable (for example, if it was created via
                  --export-secret-subkeys).

    $ gpg2 --version | grep ^gpg
    gpg (GnuPG) 2.4.3
    $ man gpg2 | col -b | grep -A5 -- -K
           -K
                  List the specified secret keys. If no keys are specified, then
                  all known secret keys are listed. A # after the initial tags
                  sec or ssb means that the secret key or subkey is currently
                  not usable. We also say that this key has been taken offline
                  (for example, a primary key can be taken offline by exporting
                  the key using the command --export-secret-subkeys). A > after
                  these ...

Thanks

matthias
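The same '>' / '#' information read from the machine-readable listing, as an added example that is neither from this thread nor GnuPG's own code: `gpg --with-colons -K` carries it in field 15 of each sec/ssb record (the card's serial number for a key on a card, '#' for a stub). The listing below is constructed; the subkey IDs, timestamps and user ID are made up, the AID is the card from this list's L5 notes.

```python
"""Read the smartcard markers of a secret key listing from
`gpg --with-colons -K` (machine readable form of `gpg -K`).

Added example, not from the thread and not GnuPG code. In the human
listing gpg prints 'sec>'/'ssb>' when the secret part lives on a card and
'sec#'/'ssb#' for an offline stub. The colon listing carries the same
information in field 15 of each sec/ssb record: the token serial number
(the card's AID) for a card key, '#' for a stub, empty or '+' otherwise.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: AID and primary key ID as in a real card listing,
# subkey IDs, timestamps and the user ID address made up.
SAMPLE_LISTING = """\
sec:u:2048:1:529B7423F3608141:1635552000:::u:::scESC:::D2760001240103040005A6FE:::23::0:
fpr:::::::::336EB96892FE9FE7F6AD01D6529B7423F3608141:
grp:::::::::FCBA9E53DF1AF8D6E8D82B0418A01FA33264F704:
uid:u::::1635552000::0123456789ABCDEF0123456789ABCDEF01234567::Card User <user@example.invalid>::::::::::0:
ssb:u:2048:1:0011223344556677:1635552000::::::a:::D2760001240103040005A6FE:::23:
ssb:u:2048:1:8899AABBCCDDEEFF:1635552000::::::e:::D2760001240103040005A6FE:::23:
ssb:u:2048:1:FFEEDDCCBBAA9988:1635552000::::::s:::#:::23:
"""


@dataclass
class SecretKey:
    record: str   # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str     # capability letters as gpg prints them ("scESC", "a", "e", ...)
    marker: str   # ">" on card, "#" offline stub, "" secret key on disk
    serial: str   # token serial number (AID) when on card, else ""


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Return one entry per sec/ssb record; other record types are skipped."""
    keys: List[SecretKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue
        token = f[14]                     # field 15 (1-based) in doc/DETAILS
        if token == "#":
            marker, serial = "#", ""      # stub: secret part not on this host
        elif token in ("", "+"):
            marker, serial = "", ""       # regular secret key in the keystore
        else:
            marker, serial = ">", token   # private operations happen on the card
        keys.append(SecretKey(f[0], f[4], f[11], marker, serial))
    return keys


def render(key: SecretKey) -> str:
    """Human-style tag line, e.g. 'sec> 529B7423F3608141 [scESC]'."""
    return f"{key.record}{key.marker} {key.keyid} [{key.caps}]"


def card_serials(keys: List[SecretKey]) -> List[str]:
    """Distinct cards the listing depends on, in order of appearance;
    more than one means a second card must be present for some operations."""
    seen: List[str] = []
    for k in keys:
        if k.serial and k.serial not in seen:
            seen.append(k.serial)
    return seen


def unusable(keys: List[SecretKey]) -> List[str]:
    """Key IDs whose secret part is only a stub: decrypting or signing with
    these fails on this host until the key (or its card) is brought back."""
    return [k.keyid for k in keys if k.marker == "#"]


if __name__ == "__main__":
    for k in parse_secret_listing(SAMPLE_LISTING):
        print(render(k))
```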
Re: gpg --card-status
On Sunday, December 31, 2023 at 05:34:42 p.m. +0100, Ingo Klöcker wrote:

> On Saturday, 30 December 2023 23:30:39 CET Felix E. Klee wrote:
> > Line 25: “sec>” means secret primary key. Where does the key ID come
> > from? Is it read from the card? Or is it read from the public key ring on
> > disk?
> >
> > Line 27: “ssb>” means secret sub key.
> >
> > Line 29: “ssb#” means secret sub key, but without the matching secret
> > key on the card. This I just learned from Ingo Klöcker in another
> > thread.
>
> The meaning of ">" and "#" is documented in the description of the command
> `--list-secret-keys` in the manual page of gpg.
>
> Regards,
> Ingo

It seems from the man page that only '#' is documented:

    man gpg
    ...
       --list-secret-keys
       -K     List all keys from the secret keyrings, or just the ones given on
              the command line. A # after the letters sec means that the secret
              key is not usable (for example, if it was created via
              --export-secret-subkeys).

What does '>' mean?

Thanks

matthias
Re: after OS update I can't use my OpenPGP card anymore
On Tuesday, September 26, 2023 at 09:35:52 a.m. +0900, NIIBE Yutaka wrote:

> Matthias Apitz wrote:
> > $ gdb /usr/local/libexec/scdaemon
> > ...
> > r --debug-all --verbose --verbose --server
> > ...
> > OK GNU Privacy Guard's Smartcard server ready
> > SERIALNO
> > [New LWP 101967 of process 2622]
> >
> > Thread 2 "pipe-connection" received signal SIGSEGV, Segmentation fault.
> > Address not mapped to object.
> > [Switching to LWP 101959 of process 2622]
> > 0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
> > (gdb) bt
> > #0  0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
> > #1  0x0008004314ef in ?? () from /usr/local/lib/libgpg-error.so.0
> > #2  0x0008004304e4 in ?? () from /usr/local/lib/libgpg-error.so.0
> > #3  0x00080042fdad in ?? () from /usr/local/lib/libgpg-error.so.0
> > #4  0x00080042d5e3 in ?? () from /usr/local/lib/libgpg-error.so.0
> > #5  0x0008004343ad in ?? () from /usr/local/lib/libgpg-error.so.0
> > #6  0x000800432bef in gpgrt_log_info ()
> >    from /usr/local/lib/libgpg-error.so.0
> > #7  0x002436e8 in ?? ()
>
> It looks like SEGV when debug output. Does it work when it's invoked
> without --verbose?

Bingo! I removed --verbose from the cmd line and from the file scdaemon.conf. A test on the shell shows now:

    /usr/local/libexec/scdaemon --debug-all --verbose --verbose --server
    scdaemon[2131]: reading options from '/home/guru/.gnupg-ccid/scdaemon.conf'
    scdaemon[2131.a884ac12000]: reading options from '[cmdline]'
    scdaemon[2131.a884ac12000]: enabled debug flags: mpi crypto memory cache memstat hashing ipc card cardio reader app
    OK GNU Privacy Guard's Smartcard server ready
    SERIALNO
    S SERIALNO D2760001240102010005532B
    OK

And also decryption with the OpenPGP card works fine after providing the card's PIN:

    pass web/test1
    bla foo

One should file a bug PR.
Thanks

matthias
gnugp 2.4.3 fails to build with --disable-ldap
As the subject says:

    cd gnupg-2.4.3
    ./configure --prefix=/home/sisis/scdaemon/usr-local \
      --with-libgpg-error-prefix=/home/sisis/scdaemon/usr-local \
      --with-libgcrypt-prefix=/home/sisis/scdaemon/usr-local \
      --with-libassuan-prefix=/home/sisis/scdaemon/usr-local \
      --with-libksba-prefix=/home/sisis/scdaemon/usr-local \
      --with-npth-prefix=/home/sisis/scdaemon/usr-local \
      --with-ntbtls-prefix=/home/sisis/scdaemon/usr-local \
      --disable-ldap
    make
    ...
    gcc -std=gnu99 -I/home/sisis/scdaemon/usr-local/include -I/home/sisis/scdaemon/usr-local/include -I/home/sisis/scdaemon/usr-local/include -I/home/sisis/scdaemon/usr-local/include -I/home/sisis/scdaemon/usr-local/include -I/home/sisis/scdaemon/usr-local/include -Wall -Wno-format-zero-length -Wno-pointer-sign -Wpointer-arith -g -O2 -o dirmngr dirmngr.o server.o crlcache.o crlfetch.o fakecrl.o certcache.o domaininfo.o workqueue.o loadswdb.o cdblib.o misc.o ocsp.o validate.o dns-stuff.o http.o http-common.o http-ntbtls.o ks-action.o ks-engine-hkp.o ks-engine-http.o ks-engine-finger.o ks-engine-kdns.o dns.o ../common/libcommonpth.a -lresolv -L/home/sisis/scdaemon/usr-local/lib64 -lassuan -L/home/sisis/scdaemon/usr-local/lib64 -lksba -lgpg-error -L/home/sisis/scdaemon/usr-local/lib64 -lnpth -lpthread -L/home/sisis/scdaemon/usr-local/lib64 -lntbtls -lgpg-error -L/home/sisis/scdaemon/usr-local/lib64 -lgcrypt -L/home/sisis/scdaemon/usr-local/lib64 -lgpg-error
    /usr/lib64/gcc/x86_64-suse-linux/7/../../../../x86_64-suse-linux/bin/ld: server.o: in function `cmd_ad_query':
    /home/sisis/scdaemon/gnupg-2.4.3/dirmngr/server.c:2779: undefined reference to `ks_ldap_help_variables'
    collect2: error: ld returned 1 exit status
    make[2]: *** [Makefile:937: dirmngr] Fehler 1

There is an older closed bug against 2.3.8: https://dev.gnupg.org/T6239

How to fix this? I helped myself with this workaround:

    touch /home/guru/scdaemon/gnupg-2.4.3/dirmngr/dirmngr

With this the 'make && make install' went fine.
matthias
Re: problem with building libgcrypt-1.10.2 from source
Please forget my mail and forgive me the noise. I used the wrong HOME.

matthias
problem with building libgcrypt-1.10.2 from source
I'm building the full GnuPG suite from source (to get a version for debugging a scdaemon problem). To not break the installed version in the OS I'm building with a prefix directory below my HOME. After downloading the sources from www.gnupg.org and unpacking them, I started with:

    cd libgpg-error-1.47
    ./configure --prefix=/home/sisis/scdaemon/usr-local
    make
    make install

This went fine and produced esp. the following results:

    ls -l /home/sisis/scdaemon/usr-local/bin
    insgesamt 188
    -rwxr-xr-x 1 sisis sisis 82768 25. Sep 09:58 gpg-error
    -rwxr-xr-x 1 sisis sisis 16426 25. Sep 09:58 gpgrt-config
    -rwxr-xr-x 1 sisis sisis 85488 25. Sep 09:58 yat2m

    ls -l /home/sisis/scdaemon/usr-local/lib64
    insgesamt 656
    -rwxr-xr-x 1 sisis sisis    978 25. Sep 09:58 libgpg-error.la
    lrwxrwxrwx 1 sisis sisis     22 25. Sep 09:58 libgpg-error.so -> libgpg-error.so.0.34.0
    lrwxrwxrwx 1 sisis sisis     22 25. Sep 09:58 libgpg-error.so.0 -> libgpg-error.so.0.34.0
    -rwxr-xr-x 1 sisis sisis 658688 25. Sep 09:58 libgpg-error.so.0.34.0
    drwxr-xr-x 1 sisis sisis     24 25. Sep 09:58 pkgconfig

But the configure step for libgcrypt fails:

    cd libgcrypt-1.10.2
    ./configure --prefix=/home/guru/scdaemon/usr-local --with-libgpg-error-prefix=/home/guru/scdaemon/usr-local
    ...
    checking for gpg-error-config... /home/guru/scdaemon/usr-local/bin/gpg-error-config
    checking for gpgrt-config... no
    ./configure: line 15527: /home/guru/scdaemon/usr-local/bin/gpg-error-config: No such file or directory
    ./configure: line 15542: test: : integer expression expected
    ./configure: line 15545: test: : integer expression expected
    checking for GPG Error - version >= 1.27... no
    configure: error: libgpg-error is needed.
                      See ftp://ftp.gnupg.org/gcrypt/libgpg-error/ .

I looked into the source tree of libgpg-error-1.47 to see why /home/guru/scdaemon/usr-local/bin/gpg-error-config is missing:

    find libgpg-error-1.47 -name 'gpg-error-confi*'
    libgpg-error-1.47/doc/gpg-error-config.1
    libgpg-error-1.47/src/gpg-error-config.in
    libgpg-error-1.47/src/gpg-error-config-test.sh.in
    libgpg-error-1.47/src/gpg-error-config-old
    libgpg-error-1.47/src/gpg-error-config-test.sh
    libgpg-error-1.47/src/gpg-error-config

i.e. libgpg-error-1.47/src/gpg-error-config was built but not installed:

    ls -l libgpg-error-1.47/src/gpg-error-config
    -rwxr-xr-x 1 sisis sisis 2115 25. Sep 09:57 libgpg-error-1.47/src/gpg-error-config
    sisis@srap51dxr1:~/scdaemon> ls -l usr-local/bin/gpg-error*
    -rwxr-xr-x 1 sisis sisis 82768 25. Sep 09:58 usr-local/bin/gpg-error

I ran the make of libgpg-error-1.47 again with:

    cd libgpg-error-1.47
    make clean
    nohup make
    nohup make install
    grep gpg-error-config nohup.out
    cd .. && /bin/sh ./config.status src/gpg-error-config-old
    config.status: creating src/gpg-error-config-old
    cd .. && /bin/sh ./config.status src/gpg-error-config-test.sh
    config.status: creating src/gpg-error-config-test.sh
    Confirm gpg-error-config works... good
    cp gpg-error-config-old gpg-error-config

i.e. gpg-error-config is built fine but not installed. What did I do wrong?

Thanks

matthias
Re: after OS update I can't use my OpenPGP card anymore
On Monday, September 25, 2023 at 11:03:23 a.m. +0900, NIIBE Yutaka wrote:

> Hello,
>
> Matthias Apitz wrote:
> > After an update of FreeBSD from 13-CURRENT to 14-CURRENT I can't use
> > my OpenPGP card with the USB token anymore. In /var/log/messages
> > it says:
> [...]
> > Any hints how to debug this
>
> You can run scdaemon as a foreground process to debug. An example
> session is like:
>
> $ SOME_PATH_TO_scdaemon --debug-all --verbose --verbose --server
> ...
> SERIALNO
> ...
> BYE
> $
>
> (Here, "SERIALNO" and "BYE" is input from terminal by a user)
>
> Likewise, you can invoke scdaemon as a foreground process from GDB.
> Then, you may locate the place where it crashes.
> --

I run it in GDB as:

    $ gdb /usr/local/libexec/scdaemon
    ...
    r --debug-all --verbose --verbose --server
    ...
    OK GNU Privacy Guard's Smartcard server ready
    SERIALNO
    [New LWP 101967 of process 2622]

    Thread 2 "pipe-connection" received signal SIGSEGV, Segmentation fault.
    Address not mapped to object.
    [Switching to LWP 101959 of process 2622]
    0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
    (gdb) bt
    #0  0x000800434a57 in ?? () from /usr/local/lib/libgpg-error.so.0
    #1  0x0008004314ef in ?? () from /usr/local/lib/libgpg-error.so.0
    #2  0x0008004304e4 in ?? () from /usr/local/lib/libgpg-error.so.0
    #3  0x00080042fdad in ?? () from /usr/local/lib/libgpg-error.so.0
    #4  0x00080042d5e3 in ?? () from /usr/local/lib/libgpg-error.so.0
    #5  0x0008004343ad in ?? () from /usr/local/lib/libgpg-error.so.0
    #6  0x000800432bef in gpgrt_log_info () from /usr/local/lib/libgpg-error.so.0
    #7  0x002436e8 in ?? ()
    ...

I have to compile it on my own (and not install it as a FreeBSD pkg) and with debug symbols.

matthias
after OS update I can't use my OpenPGP card anymore
Hello,

After an update of FreeBSD from 13-CURRENT to 14-CURRENT I can't use my OpenPGP card with the USB token anymore. In /var/log/messages it says:

    Sep 24 19:33:02 c720-1400094 kernel: ugen0.4: at usbus0
    Sep 24 19:33:07 c720-1400094 kernel: pid 3886 (scdaemon), jid 0, uid 1001: exited on signal 11

and in the debug log of scdaemon I have the following lines, which let me think that the communication with the card seems to work and scdaemon pid=3886 crashes while communicating with the card.

Any hints on how to debug this?

Thanks

matthias

    2023-09-24 19:33:07 scdaemon[3886.28ae4d612000] escuchando en el socket '/var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.scdaemon'
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] manejador del descriptor -1 iniciado
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 <- GETINFO socket_name
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> D /var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.scdaemon
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> OK
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 <- OPTION event-signal=31
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 -> OK
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: chan_7 <- SERIALNO --all
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: apdu_open_reader: BAI=400
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: apdu_open_reader: new device=400
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: using CCID reader 0 (ID=04E6:5816:55511725600891:0)
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: idVendor: 04E6 idProduct: 5816 bcdDevice: 0202
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: ChipCard Interface Descriptor:
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bLength 54
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bDescriptorType 33
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bcdCCID 1.10 (Warning: Only accurate for version 1.0)
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: nMaxSlotIndex 0
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bVoltageSupport 7 ?
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwProtocols 3 T=0 T=1
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwDefaultClock 4800
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwMaxiumumClock 16000
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bNumClockSupported 0
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwDataRate 12903 bps
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwMaxDataRate 60 bps
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bNumDataRatesSupp. 0
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwMaxIFSD 252
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwSyncProtocols
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwMechanical
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwFeatures 000100BA
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: Auto configuration based on ATR (assumes auto voltage)
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: Auto voltage selection
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: Auto clock change
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: Auto baud rate change
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: Auto PPS made by CCID
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: TPDU level exchange
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwMaxCCIDMsgLen 271
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bClassGetResponse echo
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bClassEnvelope echo
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: wlcdLayout none
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bPINSupport 0
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bMaxCCIDBusySlots 1
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: PC_to_RDR_IccPowerOn:
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: dwLength ..: 0
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bSlot .: 0
    2023-09-24 19:33:07 scdaemon[3886.28ae4d612700] DBG: ccid-driver: bSeq
GnuPG on Macbook Pro
Hello,

In the company I'm working for I can't use anymore a Virtual Machine with FreeBSD and had to choose between Win and a Macbook Pro. No need to discuss this further. I actively use GnuPG on all my private FreeBSD and L5 mobile devices. Can I use GnuPG (and passwordstore, the latter is only a shell script) on Mac? The shell looks nearly like a normal Linux system (behind a colorful desktop) and the kernel is this:

    $ uname -a
    Darwin APITZM-1MBPOH 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 20:20:07 PDT 2022; root:xnu-8020.140.49~2/RELEASE_ARM64_T8110 arm64

also a compiler seems to be installed:

    $ gcc -v
    Apple clang version 14.0.0 (clang-1400.0.29.102)
    Target: arm64-apple-darwin21.6.0
    Thread model: posix
    InstalledDir: /Library/Developer/CommandLineTools/usr/bin

Any hints are welcome.

Thanks

matthias
Re: passwords with UFT8 chars?
On Friday, September 02, 2022 at 10:33:13 a.m. +0200, Uwe Brauer via Gnupg-users wrote:

>
> Hi
>
> Sorry for this elementary question, but I can't find an answer googling.
>
> Is it possible to have a password that contains UTF8 chars, like Arabic,
> Hebrew, Chinese or some IPA symbols??? That concerns also gpgsm

You can put whatever you want as password, also Russian in UTF-8. The question is being able to key it in on any keyboard.

matthias
Re: Backing up your PGP key by hand
I think paper tapes, as in the 70s, would be the best media for this approach.

matthias
using OpenPGP card to unlock a LUKS device on boot
Hello,

Can someone please comment in the forum or here (and I copy it over) how an OpenPGP card could be used to unlock a ciphered LUKS partition during boot of the L5 mobile device, see this posting at the end:

https://forums.puri.sm/t/librem-5-unlock-luks-volume-with-a-fido2-device/16890/7

Werner, what about your L5?

Thanks

matthias
Re: use text pinentry in the console
On Tuesday, February 22, 2022 at 05:28:00 p.m. +0100, Fourhundred Thecat via Gnupg-users wrote:

> Hello,
>
> when I type a gpg command in the terminal, such as:
>
> gpg -c foo
>
> the GUI pinentry dialog pops up to ask for password (I guess its
> pinentry-gtk-2)
>
> How can I configure so that the ncurses (text based) dialog is used
> instead ?
>
> I am using gpg 2.2.12 on Debian 10

Run

    # ls -l /usr/bin/pinent*

and set the sym-link to your needs.

matthias
Re: OpenPGP card and gpg-agent TTL
On Monday, November 08, 2021 at 11:18:37 a.m. +0100, Matthias Apitz wrote:

> > You did the
> >
> > gpg-connect-agent updatestartuptty /bye
> >
> > thing to tell gpg-agent where it shall pop up the pinentry? Further
> > ...
>
> Thanks for the hints. Magically it works now by its own after adding
> this to the ~purism/.bashrc (the terminal app does not source .profile).
>
> In a SSH session a 'pass test' asks now inline for the PIN and in the
> terminal app some Gnome window pops up.

Re/ pinentry there is even more intelligent "magic": The available pinentry pgms are:

    purism@pureos:~$ which pinentry
    /usr/bin/pinentry
    purism@pureos:~$ ls -l /usr/bin/pinentry
    lrwxrwxrwx 1 root root 26 Nov  5 18:05 /usr/bin/pinentry -> /etc/alternatives/pinentry
    purism@pureos:~$ ls -l /etc/alternatives/pinentry
    lrwxrwxrwx 1 root root 24 Sep 11 08:25 /etc/alternatives/pinentry -> /usr/bin/pinentry-gnome3
    purism@pureos:~$ ls -l /usr/bin/pinentr*
    lrwxrwxrwx 1 root root    26 Nov  5 18:05 /usr/bin/pinentry -> /etc/alternatives/pinentry
    -rwxr-xr-x 1 root root 59848 May  8  2020 /usr/bin/pinentry-curses
    -rwxr-xr-x 1 root root 72136 May  8  2020 /usr/bin/pinentry-gnome3
    lrwxrwxrwx 1 root root    30 Sep 11 08:25 /usr/bin/pinentry-x11 -> /etc/alternatives/pinentry-x11

And when the PIN is needed in a SSH session, then the PIN is asked in the SSH session with:

    ┌────────────────────────────┐
    │ Please unlock the card     │
    │                            │
    │ Number: 0005 0000A6FE      │
    │ Holder: Matthias Apitz     │
    │                            │
    │ PIN                        │
    │                            │
    └────────────────────────────┘

*when* the L5 is locked; when the L5 is not locked the PIN is asked on its screen with the /usr/bin/pinentry-gnome3. Nice!

matthias
Re: OpenPGP card and gpg-agent TTL
On Sunday, November 07, 2021 at 02:14:59 p.m. +0100, Werner Koch via Gnupg-users wrote:

> On Fri, 5 Nov 2021 17:30, Matthias Apitz said:
>
> > But, it does not work locally on the L5 in its "terminal app", the
> > "pass" command in the terminal raises an error about no secret provided.
>
> You did the
>
> gpg-connect-agent updatestartuptty /bye
>
> thing to tell gpg-agent where it shall pop up the pinentry? Further
> ...

Thanks for the hints. Magically it works now by its own after adding this to the ~purism/.bashrc (the terminal app does not source .profile).

In a SSH session a 'pass test' asks now inline for the PIN and in the terminal app some Gnome window pops up.

See also: https://forums.puri.sm/t/terminal-app-purism-profile/15325

Maybe you want to subscribe to this forum (if not already done). It's a pity that Purism uses a "forum" and not a standard mailing-list :-(

matthias
BT -> mutt -> SMTP -> Wifi
Hello Werner,

This message is typed on a BT keyboard connected to the L5 and sent from mutt on the L5 via SMTP and Wifi to the list while sitting in the sun in a beer garden.

Only a short example of the usability of the L5

matthias
Re: OpenPGP card and gpg-agent TTL
Werner,

I have an issue with the 'pinentry' in the L5: /usr/bin/pinentry is as default a symlink to /etc/alternatives/pinentry and pops up on the L5 as some kind of graphical application, also when I use the OpenPGP card in the L5 when connected via SSH to the L5, which is not what I want: having to key in the PIN on the L5 when I'm using it via SSH (and the L5 sits in some other room).

That's why I changed the symlink to point to /usr/bin/pinentry-curses which works fine via SSH, i.e. the PIN is asked in the terminal where I run the SSH session.

But, it does not work locally on the L5 in its "terminal app", the "pass" command in the terminal raises an error about no secret provided. The "pass" command is just a shell script and uses "gpg" to decrypt the file containing the requested password for some web access, running something like:

    $GPG -d "${GPG_OPTS[@]}" "$passfile"

What could be the reason for this? I tried /usr/bin/pinentry-curses in the "terminal app" which does work.

matthias
Re: OpenPGP card and gpg-agent TTL
On Friday, November 05, 2021 at 08:32:17 AM +0100, Werner Koch via Gnupg-users wrote:

> it is good that things work for you. And thanks for the hint with the
> smartcard. I was probably blind that I didn't notice it. I put an
> older card into the slot (cut down with a sharp wire cutter) but I have
> not seen the device.

Hello Werner,

To get the OpenPGP card working, please follow the steps in my attachment OpenPGP-L5.txt. You must flash some firmware into the device.

> Even after an OS update there is still no Bluetooth device (regardless
> of the kill switch position) and the WLAN sometimes needs a reboot. I
> also wonder why there are no easily accessible teardown images - the long
> Youtube video is not very helpful because it shows obvious things,

To solve the Bluetooth / WLAN problems, follow the steps here on how to load some other firmware again. Especially, change also after this in the file /etc/modprobe.d/librem5-devkit.conf the value dev_oper_mode from 5 to 13:

https://forums.puri.sm/t/bluetooth-support-for-librem-5/14965/45

Hope it helps

matthias

OpenPGP-L5.txt:

How to setup the OpenPGP card in the Purism L5 phone
g...@unixarea.de, October 2021

https://puri.sm/posts/openpgp-in-your-pocket/ (includes video about inserting the card)
https://source.puri.sm/angus.ainslie/ttxs-firmware/-/blob/purism/PURISM.md

install and get the software:

    $ cd ~/guru
    $ sudo apt install stm32flash git
    $ git clone https://source.puri.sm/angus.ainslie/ttxs-firmware
    $ cd ttxs-firmware

Upgrade the smart card reader firmware:

    $ ./scripts/stm_reflash.sh
    ...
    stm32flash 0.5

    http://stm32flash.sourceforge.net/

    Using Parser : Raw BINARY
    Interface serial_posix: 57600 8E1
    Version      : 0x31
    Option 1     : 0x00
    Option 2     : 0x00
    Device ID    : 0x0435 (STM32L43xxx/44xxx)
    - RAM        : Up to 48KiB  (12544b reserved by bootloader)
    - Flash      : Up to 256KiB (size first sector: 1x2048)
    - Option RAM : 16b
    - System RAM : 28KiB
    Write to memory
    Erasing memory
    Wrote address 0x08002388 (100.00%) Done.

And set up the smart card:

    $ ./scripts/smartcard_setup.sh

There have been issues, see also:

https://forums.puri.sm/t/openpgp-card-waiting-for-the-first-reader/15189
https://source.puri.sm/Librem5/OS-issues/-/issues/119

What helped was:

    # stty -F /dev/ttymxc2 raw cstopb -parenb cs8 115200
    # pcscd -f --debug

The startup of pcscd is to be configured here and start is via systemctl:

    # vim /lib/systemd/system/pcscd.service
    # systemctl status pcscd
    # systemctl stop pcscd
    # systemctl start pcscd

Setting up the card

    $ gpg --card-status
    Reader ...........: TTXS serial 00 00
    Application ID ...: D2760001240103040005A6FE
    Application type .: OpenPGP
    Version ..........: 3.4
    Manufacturer .....: ZeitControl
    Serial number ....: A6FE
    Name of cardholder: [not set]
    Language prefs ...: de
    Salutation .......:
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 64 64 64
    PIN retry counter : 3 0 3
    Signature counter : 0
    KDF setting ......: off
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

    $ gpg --change-pin      # changed the PIN and Admin PIN
    $ gpg --card-edit       # generated the keys

    $ export GNUPGHOME=/home/guru/.gnupg
    $ pass init 'CCID L5'
    Password store initialized for g...@unixarea.de
    $ pass insert -m test
    ...

    $ gpg --with-keygrip -K
    /home/purism/.gnupg/pubring.kbx
    -------------------------------
    sec>  rsa2048 2021-10-30 [SC]
          336EB96892FE9FE7F6AD01D6529B7423F3608141
          Keygrip = FCBA9E53DF1AF8D6E8D82B0418A01FA33264F704
          Card serial no. = 0005 A6FE
    uid           [ultimate] Matthias Apitz (GnuPG CCID L5)
    ssb>  rsa2048 2021-10-30 [A]
          Keygrip = EE34E2B1F932D1567A6E21023F4D65B71CF953FF
    ssb>  rsa2048 2021-10-30 [E]
          Keygrip = C544F16750F7F55DCEF781CF57C232015DDF1F90

the '>' means that these keys are on the card; export the pub key with:

    $ gpg --export --armor > ccid-L5-export-key-guru.pub

lock the card again:

    $ gpgconf --reload scdaemon

I added this to the pass cmd:

    $ tail -8 /usr/bin/pass
    # power down the OpenPGP card
    # g...@unixarea.de
    #
    gpgconf --reload scdaemon
    sleep 2
    exit 0

so the card gets locked again after each operation with the pass cmd.
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 09:45:57 AM +, Andrew Gallagher via Gnupg-users wrote:

> On 04/11/2021 08:40, Matthias Apitz wrote:
> > I bought the OpenPGP card from
> > Purism for USD 15, I don't know if the small format exist here in
> > Germany.
>
> Not Germany, but Cryptoshop in Vienna sells them:
>
> https://en.cryptoshop.com/products/smartcards/open-pgp-smartcard-v2-id-000.html

I have had the above card for some years in a USB dongle. But the one which fits in the L5 is smaller:

https://shop.puri.sm/shop/purism-openpgp-card/

matthias
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 09:40:40 AM +0100, Matthias Apitz wrote:

> ...
>
> I have and have had some Linux mobiles, also the OpenMoko. The
> Purism L5 is the most useful until now for me. You see, I really don't
> share your opinion. The biggest problem until now is the duration of the
> battery of 8-10 hours, because the phone until now does not suspend to
> RAM. They're working on it...

I forgot to add a joke. The L5 has 3 hardware kill switches, real kill switches, i.e. the power down is not done by software but by cutting the electrical power line of the respective chips: 1) the modem or 2) Wifi+Bluetooth or 3) cam+micro. When I did the first test voice calls to my family at home, nobody could hear me. Guess why :-)

matthias
Re: OpenPGP card and gpg-agent TTL
On Thursday, November 04, 2021 at 08:31:08 AM +0100, Werner Koch via Gnupg-users wrote:

> On Wed, 3 Nov 2021 18:55, Matthias Apitz said:
>
> > card, and available without any laptop or USB dongle, just in my phone -- a
> > big progress. Thanks to Purism to bring this with the L5 to the Linux
> > world!
>
> You mean the Librem5 has indeed a second slot for a smartcard? I
> recently received mine but it is more or less unusable to me. It even
> comes w/o a bluetooth device - at least according to the warning notice
> I see - for things I can see because the network settings are not fully
> accessible. It is more or less a brick; the OpenMoko used to be better.

Hello Werner,

I got mine in early October after exactly 4 years of waiting. I do not share your opinions about the L5.

I moved my 100++ contacts from the Ubuntu phone E4.5 to the L5 (which was a matter of seconds: export to VCF, SCP over and load; both use the same evolution database for storing them). I bought a SIM, have Internet via G4 on the road, or Wifi. Both do fine, Wifi with any access point until now. I can attach a Bluetooth keyboard with an integrated touchpad. Both work fine, see this photo:

http://www.unixarea.de/l5-with-bt-keyboard.jpg

The slot for the mini OpenPGP card is behind the battery, just pull the battery out and you will see. I bought the OpenPGP card from Purism for USD 15, I don't know if the small format exists here in Germany. Here you have a small video showing the card insert etc.:

https://puri.sm/posts/openpgp-in-your-pocket/

And, I hacked together a Spanish OSK for the terminal app, because I write a lot in Spanish with a command line telegram client.

I have and have had some Linux mobiles, also the OpenMoko. The Purism L5 is the most useful until now for me. You see, I really don't share your opinion. The biggest problem until now is the duration of the battery of 8-10 hours, because the phone until now does not suspend to RAM. They're working on it...

matthias
Re: OpenPGP card and gpg-agent TTL
On Tuesday, November 02, 2021 at 06:34:16 PM +0100, Werner Koch via Gnupg-users wrote:

> On Sat, 30 Oct 2021 15:50, Matthias Apitz said:
>
> > I just withdraw the USB dongle after the operation. I was thinking that
> > the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> > state of the OpenPGP card, which it does not. How could I do this?
>
> No, it does not because it is the decision of the card how long the
> VERIFY command sent to the card allows the use of the key. For most
> cards and keys the keys are unlocked by VERIFY until the card is powered
> down. The OpenPGP cards allow to limit the VERIFY command for the first
> key to one signing operation ("forcesig" toggles this).
>
> As a workaround use "gpgconf --reload scdaemon" to power down the card.

Thanks. As I will use the card in the phone mostly (only) with the pass command, I've added this to the script to get the card locked after any usage with pass:

    purism@pureos:~$ tail -8 /usr/bin/pass
    # power down the OpenPGP card
    # g...@unixarea.de
    #
    gpgconf --reload scdaemon
    sleep 2
    exit 0

I have now my ~330 passwords always with me, encrypted with an OpenPGP card, and available without any laptop or USB dongle, just in my phone -- a big progress. Thanks to Purism to bring this with the L5 to the Linux world!

matthias
Re: Using two OpenPGP cards
On Friday, October 29, 2021 at 08:35:43 PM -0500, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > The question here is: Can I somehow transfer the keys from the used
> > OpenPGP card to this new card (and copy over the tree of encrypted
> > passwords to the phone) or do I have to move the passwords in clear and
> > crypt them again with the new card?
>
> If I understand correctly that your tool uses public keys,

The password store is a tree of GnuPG encrypted files as:

    $ find .password-store
    .password-store
    .password-store/web
    .password-store/web/test1.gpg
    .password-store/web/test2.gpg
    .password-store/web/test3.gpg
    .password-store/web/hwiconnect.net.gpg
    .password-store/web/es-la.facebook.com.gpg
    ...

it was once (2017) initialized with

    $ pass init g...@unixarea.de

and one can see the gpg-id in the file of the store:

    $ cat .password-store/.gpg-id
    g...@unixarea.de

This mail addr is the reference to the (public) key:

    $ gpg2 -K
    /home/guru/.gnupg-ccid/pubring.kbx
    ----------------------------------
    sec>  rsa4096 2017-05-14 [SC]
          5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
          Card serial no. = 0005 532B
    uid           [ultimate] Matthias Apitz (GnuPG CCID)
    ssb>  rsa4096 2017-05-14 [A]
    ssb>  rsa4096 2017-05-14 [E]

> you will need to:
>
> 1. Generate keys on your new device.

I did so and created for testing a password store on the mobile L5 with:

    purism@pureos:~$ pass init 'CCID L5'
    mkdir: created directory '/home/purism/.password-store/'
    Password store initialized for CCID L5
    purism@pureos:~$ cat .password-store/.gpg-id
    CCID L5
    purism@pureos:~$ echo secret | pass insert -m test
    Enter contents of test and press Ctrl+D when finished:

    purism@pureos:~$ find .password-store/
    .password-store/
    .password-store/test.gpg
    .password-store/.gpg-id
    purism@pureos:~$ killall gpg-agent
    purism@pureos:~$ pass test
    secret

(it asked me to unlock the OpenPGP card with its PIN)

> 2. Export the public key for your new smartcard.

I did so:

    purism@pureos:~$ gpg --export --armor > ccid-L5-export-key-guru.pub
    purism@pureos:~$ file ccid-L5-export-key-guru.pub
    ccid-L5-export-key-guru.pub: PGP public key block Public-Key (old)

> 3. Arrange for your password store to be encrypted for *both* public keys.

Perhaps I should now import the above Public-Key on the laptop and re-init there the password store with both gpg-ids:

    $ pass init 'GnuPG CCID' 'CCID L5'

I will test this after making backups of GNUPGHOME and ~/password-store.

> 4. Copy the appropriately encrypted password store to the new device.
> 5. Use the new card's secret key to access the encrypted password store.

Thanks for your hints

matthias
OpenPGP card and gpg-agent TTL
Hello,

I'm using GnuPG together with an OpenPGP card. When I want to decrypt something the gpg-agent is, via pinentry, asking for the PIN to unlock the card. Normally I don't care about how long the card remains unlocked, because I just withdraw the USB dongle after the operation. I was thinking that the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked state of the OpenPGP card, which it does not. How could I do this? Because in the Purism L5 mobile the OpenPGP card is internally inserted behind the battery and so I can't remove it that easily :-)

Thanks

matthias
Using two OpenPGP cards
Hello,

For some years I have used an OpenPGP card with GnuPG to encrypt all my passwords (and other secrets). The passwords are managed with password-store, which is basically a tree of passwords along the web sites where they're required to login. I got now a mobile phone device, running Debian, the Purism L5, which has its own OpenPGP card (not set up until now):

    purism@pureos:~$ gpg --card-status
    Reader ...........: TTXS serial 00 00
    Application ID ...: D2760001240103040005A6FE
    Application type .: OpenPGP
    Version ..........: 3.4
    Manufacturer .....: ZeitControl
    Serial number ....: A6FE
    Name of cardholder: [not set]
    Language prefs ...: de
    Salutation .......:
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: rsa2048 rsa2048 rsa2048
    Max. PIN lengths .: 64 64 64
    PIN retry counter : 3 0 3
    Signature counter : 0
    KDF setting ......: off
    Signature key ....: [none]
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]

The question here is: Can I somehow transfer the keys from the used OpenPGP card to this new card (and copy over the tree of encrypted passwords to the phone) or do I have to move the passwords in clear and crypt them again with the new card?

Thanks

matthias
Re: “Hardware problem” with OpenPGP smart card
On Sun, 6 Dec 2020 16:34:40 +0100, Nicolas Boullis wrote:

> Hi,
>
> On Sun, Dec 06, 2020 at 12:37:19PM +0100, Werner Koch wrote:
>>
>> To make sure that this is really the card (or reader), I'd like to ask
>> you to put
>>
>> --8<---cut here---start->8---
>> log-file /some/path/scd.log
>> verbose
>> debug cardio
>> --8<---cut here---end--->8---
>>
>> into scdaemon.conf. Kill scdaemon.conf and retry. You should see a line
>> with status code 0x6581 (EEPROM FAILURE) in response to a VERIFY (00 20
>> ... PIN) APDU or a PSO (00 2A ) APDU. If that is the case you are
>> probably out of luck. It is a rare thing; iirc, I recall one other
>> report about a hardware failure.
>
> Thanks for your suggestion.
> I just tried it, and found, in the scd.log file:
>
> 2020-12-06 16:26:24 scdaemon[4732] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=8 le=-1 em=0
> 2020-12-06 16:26:24 scdaemon[4732] DBG: raw apdu: 00 20 00 82 08 ***PIN***
> 2020-12-06 16:26:24 scdaemon[4732] DBG: response: sw=6581 datalen=0
> 2020-12-06 16:26:24 scdaemon[4732] verify CHV2 failed: Hardware problem
> 2020-12-06 16:26:24 scdaemon[4732] operation decipher result: Hardware problem
> 2020-12-06 16:26:24 scdaemon[4732] app_decipher failed: Hardware problem
>
> Do you think there is still a chance that the reader is at fault rather
> than the smartcard?
> Any hope besides replacing the smartcard *and the subkeys*?

Testing a new reader dongle is the best option.

matthias
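The scd.log excerpt above is the raw material for this kind of diagnosis: every command scdaemon sends is logged with its class and instruction bytes, and the card's answer is logged as a two-byte status word. Reading those by hand gets old quickly, so here is an added decoder (not code from the thread or from GnuPG) that pairs each `send apdu` line with the `response` that follows and translates the instruction byte, the PIN reference in P2 of a VERIFY, and the status word into words. The status-word meanings are the ISO 7816-4 ones (0x6581 is "memory failure", which the thread calls EEPROM FAILURE); the 63Cx convention for "wrong PIN, x retries left" and the P2 values 0x81/0x82/0x83 are those of the OpenPGP card application. The sample log lines are the ones quoted in the thread.

```python
"""Decode APDU status words from an scdaemon 'debug cardio' log.

Added example, not code from the thread or from GnuPG. With 'debug cardio'
in scdaemon.conf, scdaemon logs each command ('DBG: send apdu: c=00 i=20
p1=00 p2=82 ...') and the card's answer ('DBG: response: sw=6581 ...').
Meanings below: ISO 7816-4 status words and OpenPGP card conventions.
"""
import re

# Instruction bytes (the 'i=' field) of the OpenPGP card commands.
INSTRUCTIONS = {
    0x20: "VERIFY",
    0x24: "CHANGE REFERENCE DATA",
    0x2A: "PSO (PERFORM SECURITY OPERATION)",
    0x47: "GENERATE ASYMMETRIC KEY PAIR",
    0x88: "INTERNAL AUTHENTICATE",
    0xA4: "SELECT",
    0xCA: "GET DATA",
    0xDA: "PUT DATA",
}

# P2 of VERIFY names the PIN being checked (OpenPGP card application).
PIN_REFERENCES = {0x81: "PW1 (signing)", 0x82: "PW1 (decrypt/auth, CHV2)", 0x83: "PW3 (admin)"}

# ISO 7816-4 status words that matter when diagnosing PIN and key trouble.
STATUS_WORDS = {
    0x9000: "OK",
    0x6581: "memory failure (EEPROM failure)",
    0x6982: "security status not satisfied (PIN not verified)",
    0x6983: "authentication method blocked (PIN retry counter exhausted)",
    0x6A88: "referenced data not found",
    0x6D00: "instruction not supported",
}

SEND_RE = re.compile(r"DBG: send apdu: c=(?P<cla>[0-9a-fA-F]{2}) i=(?P<ins>[0-9a-fA-F]{2}) "
                     r"p1=(?P<p1>[0-9a-fA-F]{2}) p2=(?P<p2>[0-9a-fA-F]{2})")
RESP_RE = re.compile(r"DBG: response: sw=(?P<sw>[0-9a-fA-F]{4})")


def describe_status(sw):
    """Human-readable meaning of a 16-bit status word."""
    if (sw & 0xFFF0) == 0x63C0:
        # 63Cx: wrong PIN, x = remaining retries.
        return "wrong PIN, %d retries left" % (sw & 0x000F)
    return STATUS_WORDS.get(sw, "unknown status word 0x%04X" % sw)


def decode_log(lines):
    """Pair each 'send apdu' line with the next 'response' line.

    Returns one dict per exchange: command name, P1/P2 (plus the PIN
    reference for VERIFY), the raw status word and its decoded meaning.
    """
    exchanges = []
    pending = None
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            ins, p2 = int(m.group("ins"), 16), int(m.group("p2"), 16)
            pending = {
                "ins": ins,
                "command": INSTRUCTIONS.get(ins, "INS 0x%02X" % ins),
                "p1": int(m.group("p1"), 16),
                "p2": p2,
                "pin": PIN_REFERENCES.get(p2) if ins == 0x20 else None,
            }
            continue
        m = RESP_RE.search(line)
        if m:
            sw = int(m.group("sw"), 16)
            entry = pending or {"ins": None, "command": "(no command seen)",
                                "p1": None, "p2": None, "pin": None}
            exchanges.append(dict(entry, sw=sw, status=describe_status(sw), ok=(sw == 0x9000)))
            pending = None
    return exchanges


# Log lines quoted in the thread (scdaemon masks the PIN itself).
SAMPLE_LOG = [
    "2020-12-06 16:26:24 scdaemon[4732] DBG: send apdu: c=00 i=20 p1=00 p2=82 lc=8 le=-1 em=0",
    "2020-12-06 16:26:24 scdaemon[4732] DBG: raw apdu: 00 20 00 82 08 ***PIN***",
    "2020-12-06 16:26:24 scdaemon[4732] DBG: response: sw=6581 datalen=0",
    "2020-12-06 16:26:24 scdaemon[4732] verify CHV2 failed: Hardware problem",
]

if __name__ == "__main__":
    for ex in decode_log(SAMPLE_LOG):
        print("%s P1=%02X P2=%02X [%s] -> %04X %s"
              % (ex["command"], ex["p1"], ex["p2"], ex["pin"], ex["sw"], ex["status"]))
```

Run on a real scd.log, a decoder like this separates the three cases that look alike in gpg's own error message: a card that keeps answering 0x6581 (hardware), one that answers 0x6982/0x63Cx (PIN state), and a reader path that never returns a response line at all.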
Re: Mobile mini computers for GnuPG/OpenPGP usage instead of smartphone usage
> > Could you please tell me more when you get this device?
> >
> best regards
> Juergen

I will do too :-)

matthias
Re: Mobile mini computers for GnuPG/OpenPGP usage instead of smartphone usage
On Saturday, November 28, 2020 at 07:59:40 AM +, Stefan Claas via Gnupg-users wrote:

> ...
>
> After googling a bit I found these IMHO super mini PCs, which looked very
> attractive to me and I purchased one (should be delivered in a couple of
> days).
>
> https://www.gpd.hk/gpdmicropc
>
> and for fans of MacBook designs:
>
> https://www.gpd.hk/gpdpocket2
>
> Hope you find this info useful!
>
> P.S. I purchased the GPD MicroPC with Ubuntu Mate instead of Microsoft
> Windows.
>
> P.P.S. These little computers are mostly sold out when looking around, but I had
> luck to find a German reseller who still has some in stock.

Hi Stefan,

Could you please share with me the contact to the German reseller? Thanks in advance.

Have you seen this alternative:

https://puri.sm/posts/librem-5-visual-walkthrough/

I funded the campaign in October 2017 (USD 599) and now, after three years, they start delivery to the backers.

matthias
Re: Ban HTML mails? Really?(was: Re: Thunderbird / Enigmail / Autocrypt)
On Tuesday, November 24, 2020 at 12:16:12 AM +, Philihp Busby via Gnupg-users wrote:

> As a personal policy, I do not respond to emails if they are only in HTML. It
> provides an excellent signal on when an email is actually worth the
> distraction. Even password-reset/verify-your-email emails will have text-only
> components. Mailchimp marketing emails, on the other hand, often skip over
> the plaintext version (text-only emails don't convert in their metrics, i
> imagine the images don't load and they don't know you read it).
>
> This battle has only been lost when you give up.

There are two other battles to win: Don't top post and, second, break your text lines around column 72 :-)

matthias
Re: Thunderbird / Enigmail / Autocrypt
On Monday, November 23, 2020 at 07:22:19 AM +, cqcallaw wrote:

> > Since ages human read mails in ASCII or UTF-8 text. Why you think this
> > is not a "human readable format"?
> >
> > HTML as e-mail (read carefully: as email, not as attachment) should be
> > forbidden because most MUA automatically fetch additional remote content
> > which violates privacy and can fetch bad content into your system.
> > You're warned.
> >
> > matthias
> >
>
> At my job, I frequently send out summary charts and graphs surrounded by text.
> Attachments simply do not work; my audience cannot spend the mental energy to
> context-switch between text and attachments, and my reports become unusable.
>
> I also provide hyperlinks in my reports. Sharing hyperlinks in plaintext emails
> is possible, but verbose and unfriendly to the viewer.
>
> In such circumstances, plaintext email is not human readable; I must use HTML.

Below you find a good example of such HTML SPAM going directly to an external web server to fetch an "IMG" which could contain malicious code. Is this what you really want to send to your boss or colleagues?

matthias

Untitled document

FFP2 mask 1.89 or 1.99 euro. The most popular and most widely worn respirator mask in the world.

Dear Sir or Madam,

The following offers are available for immediate delivery, individually sealed:

https://scontent-frx5-1.xx.fbcdn.net/v/t1.0-9/126513141_2743524842569455_973641306125964327_o.jpg?_nc_cat=100ccb=2_nc_sid=730e14_nc_ohc=NfVk0yNJgskAX9WQt3q_nc_ht=scontent-frx5-1.xxoh=2064e0f7143521537359d540ebc4a7c4oe=5FDF8DE4; width="650" height="650" />

CE-certified by an institute of the European Union. Protection class FFP2! (KN95) Good protection against SARS-CoV-2 / Covid-19 coronaviruses.

Delivery to companies, public authorities, medical practices, pharmacies, clinics etc.: purchase quantities: in lots of 10 or 100.

FFP2 respirator masks: (also to AT, CH, NL, LU) 10 pcs. 19.90 euro plus 16% VAT. Offer for companies, clinics, medical practices: 100 pcs. 189.- euro plus 16% VAT. (Larger quantities also available immediately.)

Order simply and quickly by replying to this letter. (Delivery on invoice. No advance payment or the like.) cesch...@gmx.de

Free shipping! 6 weeks right of return if not satisfied! You incur no costs.

Kind regards,
Michaela Kress
CE-Schutz Vertrieb Hannover

Please reply to us directly by e-mail. EU customers are welcome to provide their VAT number.
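The spam above makes the point concrete: the remote `<img>` is fetched the moment a client renders the message, which both tells the sender the address is live and hands them a content channel. A defender's counterpart to "don't send HTML" is to find such references before rendering. The scanner below is an added example, not part of the thread; it walks an HTML mail body with the standard-library parser and lists every element that would cause a network fetch (img/src, link/href, iframe/script/video sources, and CSS `url()` values in style blocks or attributes), and separately flags 1x1 or zero-size remote images, the usual shape of a tracking pixel. The message it runs on is a constructed sample modelled on the spam (a large remote image inside a sales pitch) with a placeholder host; `cid:` references, which point at attached parts rather than the network, are deliberately left out of the findings.

```python
"""Flag remote-content references in an HTML e-mail body.

Added example, not part of the thread. Uses only html.parser from the
standard library. The sample message is constructed; its host name is a
placeholder in the reserved .invalid domain.
"""
import re
from html.parser import HTMLParser

# Attributes that make a mail client fetch something when the tag is rendered.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "script": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
}
# http(s) and protocol-relative URLs are network fetches; cid:/data: are not.
REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


class RemoteContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every remote reference."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url) in document order
        self.pixels = []     # remote images sized 0x0 or 1x1 (tracking pixels)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value and REMOTE_URL.match(value):
                self.findings.append((tag, attr, value.strip()))
        src = attrs.get("src")
        if (tag == "img" and src and REMOTE_URL.match(src)
                and attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")):
            self.pixels.append(src.strip())
        style = attrs.get("style")           # style="background:url(http://...)"
        if style:
            self._scan_css(tag, style)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                   # <style> ... url(...) ... </style>
            self._scan_css("style", data)

    def _scan_css(self, tag, css):
        for url in CSS_URL.findall(css):
            if REMOTE_URL.match(url):
                self.findings.append((tag, "css-url", url.strip()))


def remote_references(html):
    """All remote references in an HTML body, in document order."""
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def tracking_pixels(html):
    """URLs of remote images that are 1x1 or zero-sized."""
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.pixels


# Constructed sample shaped like the spam in the thread; placeholder host.
SAMPLE_MAIL = """\
<html><body>
<p>Untitled document</p>
<img src="https://tracker.example.invalid/v/126513141.jpg?id=abc123" width="650" height="650" />
<p>FFP2 masks, 1.89 or 1.99 euro each. The following offers are available immediately:</p>
<img src="http://tracker.example.invalid/open?uid=42" width="1" height="1" />
<div style="background: url('https://tracker.example.invalid/bg.png')">Order by replying to this mail.</div>
<img src="cid:logo@local" />
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in remote_references(SAMPLE_MAIL):
        print("%-6s %-8s %s" % (tag, attr, url))
```

Wired into a mail filter, the findings list is what a "block remote content" preference acts on; the pixel list is the subset worth treating as a read-receipt beacon regardless of that preference.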
Re: Thunderbird / Enigmail / Autocrypt
On Monday, November 23, 2020 at 03:03:54 AM +0100, Johan Wevers wrote:

> On 22-11-2020 12:38, Juergen Bruckner via Gnupg-users wrote:
>
> > I don't understand why HTML in e-Mails is so important for some people.
>
> I agree on a personal level, but if you use your email also to
> communicate with business users (usually using Outlook) it would be nice
> to get their mails in a human readable format. Which requires,
> unfortunately, usually html.

For ages humans have read mails in ASCII or UTF-8 text. Why do you think this is not a "human readable format"?

HTML as e-mail (read carefully: as email, not as attachment) should be forbidden because most MUAs automatically fetch additional remote content, which violates privacy and can fetch bad content into your system. You're warned.

matthias
binary distribution of GnuPG for SuSE Linux SLES 15
Hello,

Is there any provider for a binary RPM for this OS:

    # cat /etc/os-release
    NAME="SLES"
    VERSION="15-SP1"
    VERSION_ID="15.1"
    PRETTY_NAME="SUSE Linux Enterprise Server 15 SP1"
    ID="sles"
    ID_LIKE="suse"
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:suse:sles:15:sp1"

Or do we have to compile it from source?

Thanks

matthias
Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?
On Sunday, October 11, 2020 at 03:55:25 PM +0200, Stefan Claas wrote:

> > I haven't tested it, but it is widely known, for example:
> >
> > https://gototags.com/blog/understanding-nfc-shortcuts-iphone
>
> Thanks, nice way to automate things with iOS.

Hmm, nice that others can rewrite your NFC tag (the UID matters) with bad shortcut commands, only having loose access to an NFC tag you tapped, for example, in your car. Maybe we have different opinions about 'nice'.

matthias
Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?
On Saturday, October 10, 2020 at 09:04:18 PM +0200, Stefan Claas wrote:

> > As one of the testers: Using an iOS system is not a real world option for me
> > because the iOS can execute commands stored on the NFC tag and getting a
> > plain file out of the tag over to some UNIX laptop is tricky. A real
> > world option for me would only be a Linux based mobile, like the UBports.com
> > ones or a Purism L5, both have no NFC hardware at the moment and would
> > need an additional reader gadget.
>
> Thanks for pointing this out. Could you elaborate a bit on how this works?

I haven't tested it, but it is widely known, for example:

https://gototags.com/blog/understanding-nfc-shortcuts-iphone

matthias
Re: Five volunteers needed (EU .... Are you sure that this is really advantageous?
On Saturday, October 10, 2020 at 03:57:39 PM +0200, Stefan Claas wrote:

> Stefan Claas wrote:
>
> > Since I have started the thread publicity to let GnuPG users know
> > other communication forms and which can be be read everywhere,
> > without access restrictions, it will be interesting to see if all
> > postcards will arrive ... ;-)
>
> Update.
>
> I received feedback from (not all*) participants and they had no
> problems to read the NFC tags, with smart phones or an external
> reader, so they were in proper condition, as expected. As of my
> understanding, iOS users will probably need iOS 14 in order to
> read NFC tags natively, while iOS 13 users and below most likely
> need an NFC app from the AppStore. Regarding Android, reports
> were also good and people used apps from their store(s).

As one of the testers: Using an iOS system is not a real world option for me because the iOS can execute commands stored on the NFC tag and getting a plain file out of the tag over to some UNIX laptop is tricky. A real world option for me would only be a Linux based mobile, like the UBports.com ones or a Purism L5, both have no NFC hardware at the moment and would need an additional reader gadget.

matthias
Re: Five volunteers needed (EU only please)
On Monday, October 05, 2020 at 05:37:57 PM +0200, Stefan Claas wrote:

> ...
>
> Why I came up with this idea? Well I thought of a way to send private content digitally,
> without Internet usage, so that 3rd parties outside the EU have it difficult to intercept
> such messages, in order to protect EU businesses and to show the young generation that
> local postal services should be supported, in favor of a globally surveilled Internet.

I think, even 3rd parties inside the EU will (and should) have it difficult to intercept messages in order to protect communication in the EU (and not only businesses). Why did you underline 'outside' only?

matthias
Re: In case you use OpenPGP on a smartphone ...
On Monday, August 10, 2020 at 09:07:51 +0200, Stefan Claas wrote:

> > One can use a Linux mobile phone running UBports.com (as I and all my
> > family do)
> > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
>
> Yes, people gave me already (not from here of course) good advice for other OSs
> which one can use. The question is how long will those OSs been unaffected ...

The kernel and all apps are OpenSource, i.e. people can (and do) read the sources. It's impossible to build in backdoors. The attack could come through the firmware in the chips (which are not OpenSource). For this the Puri.sm L5 (and the laptops they make also) have 3 hardware keys to power off WiFi, Cellular, Microphone/Cameras (all 3 will turn off GPS). The authorities can not track you. See:

https://puri.sm/products/librem-5/

matthias
Re: In case you use OpenPGP on a smartphone ...
On Sunday, August 09, 2020 at 10:06:13 PM +0200, Stefan Claas wrote:

> > This article showed up today, when I did a Google search again:
> >
> > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> >
> > Trustworthy source.
>
> Mmmhhh, it is getting 'better and better' for smartphone users.
>
> https://www.androidauthority.com/government-tracking-apps-1145989/

One can use a Linux mobile phone running UBports.com (as I and all my family do) or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).

Stop whining, stand up and fight and protect yourself.

matthias
Re: can not encrypt (but decrypt) due to missing pub key
On Wednesday, April 01, 2020 at 10:19:09 +0200, Erich Eckner wrote:

> > I assume that there's no way to shift the expiration date?
>
> I assumed so, too, for a long time. But I was wrong:
>
> gpg --edit-key 8BCE0232807D4CCB4F8800D17BA6AC955EAA2665
> expire
> ...

Hello Ingo and Erich,

You both saved my day. Thank you!

Stay healthy!

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: can not encrypt (but decrypt) due to missing pub key
On Wednesday, April 01, 2020 at 09:42:48 +0200, Ingo Klöcker wrote:

> > $ gpg --list-public-keys --with-colons g...@unixarea.de
> > tru::1:1585750650:0:3:1:5
> > pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::
> > fpr:8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
> > uid:e1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru@unixarea.de:
> > sub:e:2048:1:2802AB9D46B97090:1520759851::e::
> > fpr:8D06C9C9460222C8A26181142802AB9D46B97090:
> > sub:e:2048:1:4FAD759204AFE5CB:1585762137::e::
> > fpr:D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:
>
> As I assumed, the keys are expired, as can be seen by the :e: after
> pub/uid/sub.
>
> If you do
>     gpg --list-public-keys g...@unixarea.de
> you should see when the keys expired. (It's also listed above, but the unix
> timestamp 1583831851 isn't easy to read for humans.)

Yes, the key expired some days ago:

$ gpg --list-public-keys g...@unixarea.de
pub   rsa2048 2018-03-11 [SC] [expired: 2020-03-10]
      8BCE0232807D4CCB4F8800D17BA6AC955EAA2665
uid           [ expired] g...@unixarea.de

I don't know how this happened when I generated the keys. I assume that
there's no way to shift the expiration date? If not, I will decrypt all
files, generate new keys and crypt the files again.

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
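The check Ingo describes, as an added example (not code from the thread or from GnuPG): parse the `--with-colons` listing, render the epoch timestamps as dates and apply the rule that an expired key still decrypts old data but is never chosen for encryption. The sample records are constructed from the key IDs, timestamps and validity flags quoted above, laid out with the full field set gpg prints (the mail-wrapped lines in the thread dropped some empty fields); the second, unexpired listing uses placeholder IDs.

```python
"""Explain from `gpg --list-keys --with-colons` output why a key cannot encrypt."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# 0-based field positions in pub/sub/sec/ssb records (GnuPG doc/DETAILS, 1-based minus one).
F_TYPE, F_VALIDITY, F_KEYID, F_CREATED, F_EXPIRES, F_CAPS = 0, 1, 4, 5, 6, 11

# Validity letters that make a key unusable for new encryption.
UNUSABLE = {"e": "expired", "r": "revoked", "d": "disabled", "i": "invalid"}


def fmt_date(field: str) -> Optional[str]:
    """Render a GnuPG date field: seconds since the epoch, or ISO 8601 basic form."""
    if not field:
        return None
    if "T" in field:                       # newer gpg may print e.g. 20200310T091731
        return datetime.strptime(field, "%Y%m%dT%H%M%S").strftime("%Y-%m-%d")
    return datetime.fromtimestamp(int(field), tz=timezone.utc).strftime("%Y-%m-%d")


@dataclass
class Key:
    kind: str                  # pub / sub (sec / ssb in secret-key listings)
    keyid: str
    validity: str
    created: Optional[str]
    expires: Optional[str]
    caps: str                  # e.g. "sc", "e", "scESC"; upper case = usable whole key
    fingerprint: str = ""


def parse_colons(listing: str) -> List[Key]:
    """Collect pub/sub records; the fpr record that follows each belongs to it."""
    keys: List[Key] = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[F_TYPE] in ("pub", "sub", "sec", "ssb"):
            f += [""] * (F_CAPS + 1 - len(f))      # tolerate short or wrapped records
            keys.append(Key(f[F_TYPE], f[F_KEYID], f[F_VALIDITY],
                            fmt_date(f[F_CREATED]), fmt_date(f[F_EXPIRES]), f[F_CAPS]))
        elif f[F_TYPE] == "fpr" and keys:
            # The fingerprint is field 10, but mail wrapping can drop the empty
            # fields (as in the thread), so take the last non-empty one.
            keys[-1].fingerprint = [x for x in f if x][-1]
    return keys


def explain(keys: List[Key]) -> List[str]:
    """One line per key in the style of `gpg --list-keys`, with the validity reason."""
    lines = []
    for k in keys:
        state = UNUSABLE.get(k.validity, k.validity)
        tag = f"[expired: {k.expires}]" if k.validity == "e" and k.expires else f"[{state}]"
        lines.append(f"{k.kind} {k.keyid} {k.created} [{k.caps or '?'}] {tag}")
    return lines


def usable_for_encryption(keys: List[Key]) -> bool:
    """gpg needs a valid primary key and at least one valid key with the 'e' capability."""
    primary = next((k for k in keys if k.kind in ("pub", "sec")), None)
    if primary is None or primary.validity in UNUSABLE:
        return False
    return any("e" in k.caps.lower() and k.validity not in UNUSABLE for k in keys)


# Constructed from the thread's expired key: IDs, timestamps and flags are the quoted ones.
EXPIRED_LISTING = """\
tru::1:1585750650:0:3:1:5
pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc::::::23::0:
fpr:::::::::8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
uid:e::::1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::guru@unixarea.de::::::::::0:
sub:e:2048:1:2802AB9D46B97090:1520759851:1583831851:::::e::::::23:
fpr:::::::::8D06C9C9460222C8A26181142802AB9D46B97090:
"""

# Constructed counterpart with placeholder IDs: same layout, key not expired.
VALID_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1546819200:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
sub:u:4096:1:FEDCBA9876543210:1546819200::::::e::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
"""

if __name__ == "__main__":
    for listing in (EXPIRED_LISTING, VALID_LISTING):
        keys = parse_colons(listing)
        print("\n".join(explain(keys)))
        print("usable for encryption:", usable_for_encryption(keys))
```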
Re: can not encrypt (but decrypt) due to missing pub key
On Wednesday, April 01, 2020 at 08:06:01 +0200, Ingo Klöcker wrote:

> On Wednesday, 1 April 2020 19:39:24 CEST Matthias Apitz wrote:
> > On Wednesday, April 01, 2020 at 06:59:17 +0200, Ingo Klöcker wrote:
> > > On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> > > > I encounter in my server the following situation: I can decrypt files
> > > > but not encrypting any file:
>
> Maybe the key is expired or not usable for encryption for some other reason.
> gpg will happily use an expired key for decryption (of old encrypted data),
> but it won't use an expired key for encryption.
>
> What does
>     gpg --list-public-keys --with-colons g...@unixarea.de
> say?

$ gpg --list-public-keys --with-colons g...@unixarea.de
tru::1:1585750650:0:3:1:5
pub:e:2048:1:7BA6AC955EAA2665:1520759851:1583831851::u:::sc:::
fpr:8BCE0232807D4CCB4F8800D17BA6AC955EAA2665:
uid:e1520759851::DD2F57BCBE052BF39F1E41416DB8DF884B56DB02::g...@unixarea.de:
sub:e:2048:1:2802AB9D46B97090:1520759851::e::
fpr:8D06C9C9460222C8A26181142802AB9D46B97090:
sub:e:2048:1:4FAD759204AFE5CB:1585762137::e::
fpr:D9BF745D512FEA9BBEF8923A4FAD759204AFE5CB:

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: can not encrypt (but decrypt) due to missing pub key
On Wednesday, April 01, 2020 at 06:59:17 +0200, Ingo Klöcker wrote:

> On Wednesday, 1 April 2020 17:30:29 CEST Matthias Apitz wrote:
> > I encounter in my server the following situation: I can decrypt files
> > but not encrypting any file:
> >
> > $ gpg2 --version
>
> Here you are using gpg2.
>
> > $ gpg -d sybase.gpg
>
> Now you are using gpg.

Sorry for this confusion. gpg is just a symlink to gpg2:

$ which gpg
/usr/local/bin/gpg
$ which gpg2
/usr/local/bin/gpg2
$ ls -l /usr/local/bin/gpg /usr/local/bin/gpg2
lrwxr-xr-x  1 root  wheel       4 27 mar.  2017 /usr/local/bin/gpg -> gpg2
-r-xr-xr-x  1 root  wheel  903648  5 mar.  2017 /usr/local/bin/gpg2

> > $ gpg2 -r g...@unixarea.de -ea test
>
> Here you are using gpg2 again. My guess is that the second call uses gpg 1.x
> and a different home (including a different key ring).
>
> > It seems that there is the file pubring.gpg missing:
>
> Of course, because pubring.gpg is the public key container of gpg <2.

Ok, this explains its absence.

> > $ ls -ltr /home/guru/.gnupg-v2.1.19
> > total 36
> > -rw-------  1 guru  wheel    32 11 mar.  2018 pubring.kbx~
> > -rw-r--r--  1 guru  wheel  1396 11 mar.  2018 pubring.kbx
>
> pubring.kbx holds the public keys of gpg2.

Ok, but why does encryption not work? As you see, the file pubring.kbx has
not changed since it was created.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
can not encrypt (but decrypt) due to missing pub key
Hello,

I encounter in my server the following situation: I can decrypt files but
not encrypting any file:

$ gpg2 --version
gpg (GnuPG) 2.1.19
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/guru/.gnupg-v2.1.19
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg -d sybase.gpg
gpg: encrypted with 2048-bit RSA key, ID 2802AB9D46B97090, created 2018-03-11
      "g...@unixarea.de"
... (clear text deleted)

$ gpg2 -r g...@unixarea.de -ea test
gpg: g...@unixarea.de: skipped: No public key
gpg: test: encryption failed: No public key

It seems that there is the file pubring.gpg missing:

$ ls -ltr /home/guru/.gnupg-v2.1.19
total 36
-rw-------  1 guru  wheel    32 11 mar.  2018 pubring.kbx~
-rw-r--r--  1 guru  wheel  1396 11 mar.  2018 pubring.kbx
drwx------  2 guru  wheel   512 11 mar.  2018 private-keys-v1.d
drwx------  2 guru  wheel   512 11 mar.  2018 openpgp-revocs.d
-rw-r-----  1 guru  wheel   676 28 mar.  2018 sshcontrol
srwx------  1 guru  wheel     0 11 abr.  2018 S.scdaemon
-rw-r--r--  1 guru  wheel     7 11 abr.  2018 reader_0.status
-rw-r--r--  1 guru  wheel    37  1 ene.  2019 gpg-agent.conf
-rw-------  1 guru  wheel   600  6 sept. 2019 random_seed
srwx------  1 guru  wheel     0  1 abr. 15:40 S.gpg-agent
srwx------  1 guru  wheel     0  1 abr. 15:40 S.gpg-agent.extra
srwx------  1 guru  wheel     0  1 abr. 15:40 S.gpg-agent.browser
srwx------  1 guru  wheel     0  1 abr. 15:40 S.gpg-agent.ssh
-rw-------  1 guru  wheel  1280  1 abr. 16:17 trustdb.gpg

Can I re-create the missing information/file somehow?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: Broken / lost smartcard
On Sunday, March 08, 2020 at 09:11:49 a.m. +0100, Andreas K. Huettel via Gnupg-users wrote:

> [changing the subject since this is quite a different topic]
>
> > What I would like to know is how people handle the case when a SmartCard
> > gets lost, broken or maybe confiscated at an airport etc.?
>
> Well, that's the argument for having at least primary/cert key and encryption
> subkey not *only* on the smartcard but also in a safe place somewhere.
>
> For a signature subkey it doesn't matter then if you lose it (just make a new
> one), and for an authentication subkey you need to prepare to have some
> alternative means of access (or also a backup).

For me the bigger problem would be the stored crypted data in the
password-store where I have nearly 300 credentials:

$ find .password-store -type f | wc -l
282

I wrote a script which decrypts all these files to STDOUT in a form which
could be fed again into the pass(1) command and stores this in some secure
place from time to time.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Germany out of NATO! NATO out of Germany! Peace with Russia!
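One way to build the kind of export described above, as an added example (the post's own script is not shown, and this is not it): decrypt every entry of a pass(1) store and emit a shell script that feeds each plaintext back into `pass insert -m -f`. It assumes the store lives under ~/.password-store with one .gpg file per entry; decryption is injected as a callable so the rendering can be exercised without gpg or a card present.

```python
"""Dump a pass(1) store as a self-restoring shell script (written to STDOUT)."""
import os
import shlex
import subprocess
from typing import Callable, Dict


def gpg_decrypt(path: str) -> str:
    """Decrypt one entry with the caller's GnuPG setup (card PIN via pinentry)."""
    res = subprocess.run(["gpg", "--quiet", "--batch", "--decrypt", path],
                         check=True, capture_output=True, text=True)
    return res.stdout


def collect_entries(root: str, decrypt: Callable[[str], str] = gpg_decrypt) -> Dict[str, str]:
    """Map entry name (path relative to root, without .gpg) to its plaintext."""
    entries: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # skip pass's git metadata
        for fn in sorted(filenames):
            if not fn.endswith(".gpg"):
                continue
            full = os.path.join(dirpath, fn)
            entries[os.path.relpath(full, root)[:-len(".gpg")]] = decrypt(full)
    return entries


def heredoc_delimiter(text: str) -> str:
    """Pick a terminator that does not occur as a whole line inside the secret."""
    delim = "PASS_EOF"
    lines = text.splitlines()
    while delim in lines:
        delim += "_X"
    return delim


def render_restore_script(entries: Dict[str, str]) -> str:
    """Emit sh that re-creates every entry; sorted so repeated dumps diff cleanly."""
    out = ["#!/bin/sh", "set -e"]
    for name in sorted(entries):
        body = entries[name]
        if not body.endswith("\n"):
            body += "\n"
        delim = heredoc_delimiter(body)
        # A quoted delimiter ('...') disables expansion, so $ and ` in secrets stay literal.
        out.append(f"pass insert -m -f {shlex.quote(name)} <<'{delim}'")
        out.append(body[:-1])
        out.append(delim)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    store = os.path.expanduser("~/.password-store")
    print(render_restore_script(collect_entries(store)), end="")
```

Redirect the output only to the secure place the post mentions, since it holds every credential in clear.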
Fwd: security/pinentry-qt5
fyi; maybe it's a change somewhere in GnuPG land?

----- Forwarded message from Matthias Apitz -----

Date: Sat, 22 Feb 2020 10:11:20 +0100
From: Matthias Apitz
To: jh...@freebsd.org, freebsd-po...@freebsd.org
Subject: security/pinentry-qt5

Hello,

I use security/pinentry-qt5 in KDE5 on FreeBSD CURRENT (all from SVN HEAD,
compiled by my own, ports with poudriere on February, 11).
security/pinentry-qt5 is used to unlock my OpenPGP card. In the past the
pinentry-qt5 pop-up window automatically had the focus; now the focus stays
in the terminal window from which one starts, for example, the SSH session,
and the PIN goes into the terminal window, visible to all, is executed as a
command on the remote host and then ends up there in the bash history.
This is a high security risk!

Any idea how to avoid this or what triggered this change of behaviour?

Thanks

matthias

___
freebsd-po...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

----- End forwarded message -----

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
command "SCD SERIALNO openpgp" not answered correctly
Hello,

I'm preparing the move to a new FreeBSD version (bleeding edge CURRENT with
all ports from the beginning of February). My OpenPGP card works in the
"Identiv uTrust 3512 SAM slot Token" fine on the new setup for decrypting my
passwordstore and SSH.

On the old system where GnuPG is 2.2.12, the 'gpg2 --card-status' says:

$ gpg2 --card-status
Reader ...........: 04E6:5816:55511725600891:0
Application ID ...: D2760001240102010005532B
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 532B
Name of cardholder: Matthias Apitz
...

But on the new system it does not work correctly. Here are the details:

$ uname -a
FreeBSD c720-r357756 13.0-CURRENT FreeBSD 13.0-CURRENT #2 r357756: Tue Feb 11 18:52:09 CET 2020 guru@jet:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

$ gpg2 --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/guru/.gnupg-ccid
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

$ gpg2 --card-status
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

$ gpg2 --card-edit
gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

gpg/card>

A trussing (it's like Linux strace) shows the offending dialog with the
gpg-agent:

$ truss -o tr gpg2 --card-status
...
connect(3,{ AF_UNIX "/var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.gpg-agent" },65) = 0 (0x0)
read(3,"OK Pleased to meet you",1002)= 22 (0x16)
read(3,"\n",980) = 1 (0x1)
write(3,"RESET",5) = 5 (0x5)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON|MAP_ALIGNED(12),-1,0x0) = 34379100160 (0x801277000)
mmap(0x0,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON|MAP_ALIGNED(12),-1,0x0) = 34379104256 (0x801278000)
write(3,"OPTION ttyname=/dev/pts/1",25) = 25 (0x19)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"OPTION ttytype=rxvt-unicode-256c"...,36) = 36 (0x24)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"OPTION display=:0",17) = 17 (0x11)
write(3,"\n",1) = 1 (0x1)
read(3,"OK\n",1002) = 3 (0x3)
write(3,"OPTION xauthority=/home/guru/.Xa"...,40) = 40 (0x28)
write(3,"\n",1) = 1 (0x1)
read(3,"OK\n",1002) = 3 (0x3)
write(3,"OPTION lc-ctype=es_ES.UTF-8",27)= 27 (0x1b)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"OPTION lc-messages=es_ES.UTF-8",30) = 30 (0x1e)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"GETINFO version",15)= 15 (0xf)
write(3,"\n",1) = 1 (0x1)
read(3,"D 2.2.19\n",1002)= 9 (0x9)
read(3,"OK\n",1002) = 3 (0x3)
write(3,"OPTION allow-pinentry-notify",28) = 28 (0x1c)
write(3,"\n",1) = 1 (0x1)
read(3,"OK\n",1002) = 3 (0x3)
write(3,"OPTION agent-awareness=2.1.0",28) = 28 (0x1c)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"SCD GETINFO version",19)= 19 (0x13)
wri
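Reading the Assuan dialogue out of a truss trace like the one above is tedious because every line arrives in two or more partial read()/write() calls. The following is an added example (not code from the post or from GnuPG) that pairs each request gpg writes with the agent's reply lines (D/S data, then OK or ERR) so the rejected command stands out. The embedded trace is constructed from the excerpt above, abridged; the closing "SCD SERIALNO openpgp" exchange and its ERR reply are assumed (the post is cut off before them) and the error number in it is a placeholder.

```python
"""Reconstruct the gpg <-> gpg-agent Assuan dialogue from a truss(1) trace."""
import re
from typing import Dict, Iterator, List, Tuple

# truss prints e.g.   write(3,"RESET",5) = 5 (0x5)
#                     read(3,"OK\n",1002) = 3 (0x3)
#                     write(3,"OPTION ttytype=rxvt-unicode-256c"...,36) = 36 (0x24)
# A "..." after the closing quote means truss cut the string short.
SYSCALL_RE = re.compile(
    r'^(?P<op>read|write)\((?P<fd>\d+),"(?P<data>(?:[^"\\]|\\.)*)"'
    r'(?P<trunc>\.\.\.)?,\d+\)\s*=\s*(?P<ret>-?\d+)'
)
ESCAPES = {r"\n": "\n", r"\r": "\r", r"\t": "\t", '\\"': '"', r"\\": "\\"}


def unescape(s: str) -> str:
    """Undo the C-style escapes truss uses when printing buffers."""
    return re.sub(r"\\.", lambda m: ESCAPES.get(m.group(0), m.group(0)), s)


def socket_io(trace: str, fd: int) -> Iterator[Tuple[str, str, bool]]:
    """Yield ("C"|"S", text, truncated) for successful write/read calls on fd."""
    for raw in trace.splitlines():
        m = SYSCALL_RE.match(raw.strip())
        if not m or int(m.group("fd")) != fd or int(m.group("ret")) <= 0:
            continue
        side = "C" if m.group("op") == "write" else "S"   # client = gpg, server = agent
        yield side, unescape(m.group("data")), bool(m.group("trunc"))


Exchange = Dict[str, object]   # {"request": str or None, "replies": [str, ...]}


def reconstruct(trace: str, fd: int = 3) -> List[Exchange]:
    """Group the agent's reply lines under the request that preceded them.

    Element 0 holds the greeting the agent sends before any request."""
    buf = {"C": "", "S": ""}          # partial line per direction
    cut = {"C": False, "S": False}    # truss truncated part of the pending line
    exchanges: List[Exchange] = [{"request": None, "replies": []}]
    for side, text, truncated in socket_io(trace, fd):
        buf[side] += text
        cut[side] = cut[side] or truncated
        while "\n" in buf[side]:                 # Assuan lines are LF-terminated
            line, buf[side] = buf[side].split("\n", 1)
            if cut[side]:
                line += " [truncated by truss]"
                cut[side] = False
            if side == "C":
                exchanges.append({"request": line, "replies": []})
            else:
                exchanges[-1]["replies"].append(line)
    return exchanges


def failed_commands(exchanges: List[Exchange]) -> List[Tuple[str, str]]:
    """(request, ERR line) for every command the agent rejected."""
    return [(ex["request"], r) for ex in exchanges
            for r in ex["replies"] if r.startswith("ERR ")]


# Constructed trace: lines quoted in the post (abridged) plus an assumed failing
# SCD exchange; "ERR 1 ..." uses a placeholder number, not a real gpg-error code.
TRACE = r"""
connect(3,{ AF_UNIX "/var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.gpg-agent" },65) = 0 (0x0)
read(3,"OK Pleased to meet you",1002)= 22 (0x16)
read(3,"\n",980) = 1 (0x1)
write(3,"RESET",5) = 5 (0x5)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"OPTION ttytype=rxvt-unicode-256c"...,36) = 36 (0x24)
write(3,"\n",1) = 1 (0x1)
read(3,"OK",1002)= 2 (0x2)
read(3,"\n",1000)= 1 (0x1)
write(3,"GETINFO version",15)= 15 (0xf)
write(3,"\n",1) = 1 (0x1)
read(3,"D 2.2.19\n",1002)= 9 (0x9)
read(3,"OK\n",1002) = 3 (0x3)
write(3,"SCD SERIALNO openpgp",20) = 20 (0x14)
write(3,"\n",1) = 1 (0x1)
read(3,"ERR 1 Operation not supported by device <SCD>\n",1002) = 46 (0x2e)
"""

if __name__ == "__main__":
    for ex in reconstruct(TRACE):
        print(">", ex["request"] or "(greeting)")
        for reply in ex["replies"]:
            print("   <", reply)
    print("failed:", failed_commands(reconstruct(TRACE)))
```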
Re: gpg: There is no assurance this key belongs to the named user
On Tuesday, October 22, 2019 at 08:18:36 p.m. +0200, Matthias Apitz wrote:

> On Monday, October 21, 2019 at 08:38:04 p.m. +0200, Matthias Apitz wrote:
>
> > On Monday, October 21, 2019 at 07:32:48 p.m. +0200, Matthias Apitz wrote:
> >
> > > Hello,
> > >
> > > I wanted to insert a new password into my password store, but I can't do
> > > so anymore. It says:
> > >
> > > $ pass insert -m web/test3
> > > Enter contents of web/test3 and press Ctrl+D when finished:
> > >
> > > gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user
> > > gpg: [stdin]: encryption failed: Unusable public key
> > > Password encryption aborted.
> >
> > The culprit was this file:
> >
> > $ ls -l ~/.gnupg-ccid/trustdb*
> > -rw-------  1 guru  wheel  1280 23 may.  2017 /home/guru/.gnupg-ccid/trustdb.gpg
> > -rw-------  1 guru  wheel  1280 11 oct. 14:02 /home/guru/.gnupg-ccid/trustdb.gpg.20191011
> >
> > after renaming it and restoring the previous version (not modified for
> > ages) of trustdb.gpg all is fine again. What caused the change on
> > October 11 remains unclear so far.
>
> I exported both files which gives the same export:
>
> $ ls -l trustdb.gp*
> -rw-------  1 guru  wheel  1280 23 may.  2017 trustdb.gpg
> -rw-------  1 guru  wheel  1280 11 oct. 14:02 trustdb.gpg.20191011
> $ diff trustdb.gp*
> Binary files trustdb.gpg and trustdb.gpg.20191011 differ
> $ gpg2 --trustdb-name trustdb.gpg.20191011 --export-ownertrust
> # List of assigned trustvalues, created Tue Oct 22 20:14:22 2019 CEST
> # (Use "gpg --import-ownertrust" to restore them)
> 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:6:
>
> $ gpg2 --export-ownertrust
> # List of assigned trustvalues, created Tue Oct 22 20:14:27 2019 CEST
> # (Use "gpg --import-ownertrust" to restore them)
> 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:6:
>
> What does this mean? Why was gpg2 unwilling to use the file
> trustdb.gpg.20191011?

Is this a FAQ or otherwise stupid question, or what's the reason that nobody
wants to give me some hint about this?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
Re: gpg: There is no assurance this key belongs to the named user
On Monday, October 21, 2019 at 08:38:04 p.m. +0200, Matthias Apitz wrote:

> On Monday, October 21, 2019 at 07:32:48 p.m. +0200, Matthias Apitz wrote:
>
> > Hello,
> >
> > I wanted to insert a new password into my password store, but I can't do
> > so anymore. It says:
> >
> > $ pass insert -m web/test3
> > Enter contents of web/test3 and press Ctrl+D when finished:
> >
> > gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user
> > gpg: [stdin]: encryption failed: Unusable public key
> > Password encryption aborted.
>
> The culprit was this file:
>
> $ ls -l ~/.gnupg-ccid/trustdb*
> -rw-------  1 guru  wheel  1280 23 may.  2017 /home/guru/.gnupg-ccid/trustdb.gpg
> -rw-------  1 guru  wheel  1280 11 oct. 14:02 /home/guru/.gnupg-ccid/trustdb.gpg.20191011
>
> after renaming it and restoring the previous version (not modified for
> ages) of trustdb.gpg all is fine again. What caused the change on
> October 11 remains unclear so far.

I exported both files which gives the same export:

$ ls -l trustdb.gp*
-rw-------  1 guru  wheel  1280 23 may.  2017 trustdb.gpg
-rw-------  1 guru  wheel  1280 11 oct. 14:02 trustdb.gpg.20191011
$ diff trustdb.gp*
Binary files trustdb.gpg and trustdb.gpg.20191011 differ
$ gpg2 --trustdb-name trustdb.gpg.20191011 --export-ownertrust
# List of assigned trustvalues, created Tue Oct 22 20:14:22 2019 CEST
# (Use "gpg --import-ownertrust" to restore them)
5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:6:

$ gpg2 --export-ownertrust
# List of assigned trustvalues, created Tue Oct 22 20:14:27 2019 CEST
# (Use "gpg --import-ownertrust" to restore them)
5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:6:

What does this mean? Why was gpg2 unwilling to use the file
trustdb.gpg.20191011?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October 3! Congratulations! The Berlin TV Tower turns 50, from:
https://www.jungewelt.de/2019/10-02/index.php
Re: gpg: There is no assurance this key belongs to the named user
On Monday, October 21, 2019 at 07:32:48 p.m. +0200, Matthias Apitz wrote:

> Hello,
>
> I wanted to insert a new password into my password store, but I can't do
> so anymore. It says:
>
> $ pass insert -m web/test3
> Enter contents of web/test3 and press Ctrl+D when finished:
>
> gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user
> gpg: [stdin]: encryption failed: Unusable public key
> Password encryption aborted.

The culprit was this file:

$ ls -l ~/.gnupg-ccid/trustdb*
-rw-------  1 guru  wheel  1280 23 may.  2017 /home/guru/.gnupg-ccid/trustdb.gpg
-rw-------  1 guru  wheel  1280 11 oct. 14:02 /home/guru/.gnupg-ccid/trustdb.gpg.20191011

after renaming it and restoring the previous version (not modified for
ages) of trustdb.gpg all is fine again. What caused the change on
October 11 remains unclear so far.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October 3! Congratulations! The Berlin TV Tower turns 50, from:
https://www.jungewelt.de/2019/10-02/index.php
gpg: There is no assurance this key belongs to the named user
Hello,

I wanted to insert a new password into my password store, but I can't do
so anymore. It says:

$ pass insert -m web/test3
Enter contents of web/test3 and press Ctrl+D when finished:

gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
Password encryption aborted.

I can decrypt fine anything in the password store:

$ gpg2 -d ~/.password-store/web/test2.gpg
gpg: encrypted with 4096-bit RSA key, ID 61F1ECB625C9A6C3, created 2017-05-14
      "Matthias Apitz (GnuPG CCID) "
4711 0815

but encryption seems to be the problem:

$ gpg2 -ea -r "Matthias Apitz (GnuPG CCID) " file
gpg: 61F1ECB625C9A6C3: There is no assurance this key belongs to the named user

sub  rsa4096/61F1ECB625C9A6C3 2017-05-14 Matthias Apitz (GnuPG CCID)
 Primary key fingerprint: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      Subkey fingerprint: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

What might be the problem in my $GNUPGHOME:

$ ls -l $GNUPGHOME
total 456
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent.browser
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent.extra
srwx------  1 guru  wheel       0 Oct 21 18:16 S.gpg-agent.ssh
srwx------  1 guru  wheel       0 Oct 21 18:16 S.scdaemon
drwx------  2 guru  wheel    1024 Sep 21 10:08 crls.d
-rw-------  1 guru  wheel    2649 May 12  2017 dirmngr.conf
-rw-r--r--  1 guru  wheel      95 Jan  1  2019 gpg-agent.conf
-rw-------  1 guru  wheel    5191 May 12  2017 gpg.conf
drwx------  2 guru  wheel     512 May 14  2017 openpgp-revocs.d
drwx------  2 guru  wheel     512 May 14  2017 private-keys-v1.d
-rw-------  1 guru  wheel   38835 Oct 11 14:02 pubring.gpg
-rw-------  1 guru  wheel   38835 Oct 11 14:02 pubring.gpg~
-rw-------  1 guru  wheel  159155 Sep 30 16:46 pubring.kbx
-rw-------  1 guru  wheel  157316 Sep 21 10:07 pubring.kbx~
-rw-------  1 guru  wheel     600 Oct  5 16:57 random_seed
-rw-r--r--  1 guru  wheel       7 Oct 21 19:01 reader_0.status
-rwxr-xr-x  1 guru  wheel    3386 Mar 15  2018 scd-event
-rw-r--r--  1 guru  wheel     123 Jan  5  2019 scdaemon.conf
-rw-r--r--  1 guru  wheel     141 Mar 13  2018 scdaemon.conf.away
-rw-------  1 guru  wheel       0 Dec 28  2017 secring.gpg
-r--------  1 guru  wheel    1865 May 14  2017 sk_61F1ECB625C9A6C3.gpg
-rw-r-----  1 guru  wheel     676 May 15  2017 sshcontrol
-rw-------  1 guru  wheel    1280 Oct 11 14:02 trustdb.gpg
-rw-r-----  1 guru  wheel    1900 Jul 22 21:52 trustlist.txt

I have enough older backups of this part of my $HOME, but would like to
understand what is missing or damaged, and how it happened, and how to fix it.

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October 3! Congratulations! The Berlin TV Tower turns 50, from:
https://www.jungewelt.de/2019/10-02/index.php
unknown modified files in GNUPGHOME
Hello,

While doing a backup of my $HOME it turned out (what I never saw before)
that some files were changed in GNUPGHOME:

-rw-------  1 guru  wheel    157316 21 sept. 10:07 .gnupg-ccid/pubring.kbx
-rw-------  1 guru  wheel    155467 21 sept. 10:07 .gnupg-ccid/pubring.kbx~
drwx------  2 guru  wheel      1024 21 sept. 10:08 .gnupg-ccid/crls.d/
-rw-------  1 guru  wheel      3997 21 sept. 10:08 .gnupg-ccid/crls.d/DIR.txt
-rw-------  1 guru  wheel  17715895 21 sept. 10:08 .gnupg-ccid/crls.d/crl-CDECFDC58640B7262B39CCB59B61E8EEFF2ED4D0.db

All more or less at the same moment. Any ideas what could have caused this?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
As long as there is a will to fight, there will be hope of winning.
Re: Forbes article: The Encryption Debate Is Over - Dead At The Hands Of Facebook
Can you please move this discussion elsewhere. The purpose of this list is:

https://lists.gnupg.org/mailman/listinfo/gnupg-users

About Gnupg-users

GnuPG user help mailing list. The topic of this list is help and discussion
among users of GnuPG. This includes questions on how to script GnuPG, how to
create or sign keys and general discussion on encryption and digital
signatures as long as it somehow pertains to GnuPG.
                     ^^^
Thanks.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
Re: gpg-agent systemd user service [was: Re: GnuPG and SSH_AUTH_SOCK value]
On Tuesday, June 25, 2019 at 11:12:43 a.m. -0400, Daniel Kahn Gillmor wrote:

> On Tue 2019-06-25 13:07:03 +0200, Dirk Gottschalk via Gnupg-users wrote:
> > This is my $HOME/.config/systemd/user/gpg-agent.service:
>
> If you're using gpg-agent as a systemd user service, please use the
> systemd unit files (.service and .socket definitions) that ship with
> GnuPG itself.
>
> ...

Thanks for all the helping hands and hints about systemd(8), but FreeBSD
normally does not run/use this. AFAIK, there is not even an official port
of it in the FreeBSD ports collection.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
Re: GnuPG and SSH_AUTH_SOCK value
On Saturday, June 22, 2019 at 09:47:12 a.m. +0200, Werner Koch via Gnupg-users wrote:

> That seems to be deep in the innards of KDE's X startup or Wayland or
> Systemd configuration. I try to avoid all this and use the old
> fashioned but easy to debug ~/.xsession

I'm used to using 'startx' and ~/.xinitrc to bring up Xorg+KDE:

$ cat ~/.xinitrc
# set SSH_AUTH_SOCK
# unset SSH_AGENT_PID
unset SSH_AUTH_SOCK
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"; export SSH_AUTH_SOCK
echo SSH_AUTH_SOCK: $SSH_AUTH_SOCK >> /tmp/xinit
# setxkbmap de,us -option terminate:ctrl_alt_bksp
xrandr --output default --mode 1366x768
/usr/local/bin/xbindkeys
exec ck-launch-session startkde

The idea is to set env var SSH_AUTH_SOCK correctly for all the xterm/urxvt
processes "below" KDE. But, before the start of KDE (last line) the
SSH_AUTH_SOCK is still

/home/guru/.gnupg-ccid/S.gpg-agent.ssh

and later when KDE is up the 'gpgconf --list-dirs agent-ssh-socket' returns

/var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.gpg-agent.ssh

i.e. the env var SSH_AUTH_SOCK is set wrong and I have to reset it in any
terminal.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
Re: GnuPG and SSH_AUTH_SOCK value
On Friday, June 21, 2019 at 03:13:45 p.m. +0200, Werner Koch via Gnupg-users wrote:

> On Fri, 21 Jun 2019 11:20, g...@unixarea.de said:
>
> > What I do not understand is, why this value without the KDE5 environment
> > is
> >
> > $ gpgconf --list-dirs agent-ssh-socket
> > /home/guru/.gnupg-ccid/S.gpg-agent.ssh
>
> That is because you have a
>   GNUPGHOME=/home/guru/.gnupg-ccid
> and /var/run/users/1001 does not exist.
>
> > and after start of Xorg and KDE5 it is:
> >
> > $ gpgconf --list-dirs agent-ssh-socket
> > /var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.gpg-agent.ssh
>
> /var/run/users/1001 has been created (systemd mess?) and thus GnuPG
> expects its sockets below /var/run/user/. The token is the hash of
> the homedir's name so that we don't get a too long path.

Thanks for the explanation. But why is GNUPGHOME not also used for the place
where the sockets should be created when X11/KDE is up?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
Re: GnuPG signature of mails && web.de
On Saturday, 18 May 2019 17:36:07 CEST Stefan Claas wrote:

> On Sat, 18 May 2019 11:59:00 +0100 MFPA <2017-r3sgs86x8e-lists-gro...@riseup.net> wrote:
>
> > All that a web search gave me was [0]
> >
> > Secure mail account
> > You can send and receive encrypted e-mails (PGP). Add a PIN code to
> > secure your WEB.DE Mail app.
> >
> > [0] https://play.google.com/store/apps/details?id=de.web.mobile.android.mail=en_US
>
> What he could do, as a gentleman, is to spend 5 minutes of his time,
> create a test account there and play with the options, so that he can
> help her first hand.

I do have for tests a mail account in web.de (and every 3 months they want
to close it due to inactivity), but I don't have that app and no iOS or
Android gadget.

matthias

--
Sent from my Ubuntu phone
http://www.unixarea.de/
NO to the EU!
GnuPG signature of mails && web.de
Hello,

I'm signing my mails with GnuPG (like this one), but a colleague is claiming
that she can't open the mails with some "App WebDe" (I don't know this and
do not have more information).

She sent me two screens: the list view of all mails in her INBOX says (in
German) "ciphered mail" about my mails, and when she tries to open them it
pops up a screen (in German): "You still didn't have activated crypt on this
device! What do you want to do? For the activation you need some QR code or
the restore code you got when activating Web."

Any hints I could give her?

Thanks

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
Re: ProtonMail and Anonymity
On Monday, May 06, 2019 at 07:15:06 a.m. +0200, Stefan Claas wrote:

> > > https://protonmail.com/
> > >
> >
> > I suppose like anything else it all comes down to whether you believe
> > them or not. I do.
>
> [snip]
>
> Well, I just asked myself ...
>
> What is the purpose behind an unlinked hash.

Well, I'm asking myself: What has all this thread to do with GnuPG?

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
Re: Please start a new thread
On Tuesday, March 26, 2019 at 05:00:33 PM +0530, Shweta Tyagi wrote:

> Hi Peter,
> How can I start a new thread? Please advise.
> If you have any solution for this please help me find out the solution.

Hi,

This depends on your Mail User Agent. It means "start a new mail with a new
Subject" to the addr gnupg-users@gnupg.org. DO NOT reply to another thread
when you have a new issue/problem/question. And, DO NOT top post, btw.

matthias

--
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars,
Druschba instead of Nazis, to live instead of to survive.
OpenPGP card: reader with 2 USB connectors
Hello,

I'm using an OpenPGP card in my FreeBSD laptop and my Ubuntu mobile phone (see photo http://www.unixarea.de/UbuntuPhone-GnuPG-card2.jpg ). The reader is an Identiv uTrust 3512 SAM slot Token which works just fine (after solving an issue in the FreeBSD USB driver). To connect it to the mobile device one needs a small adapter or a cable. See the photo.

All this is not very stable, esp. the connector in the mobile device. Are there any readers with two USB connectors like some USB memory sticks have?

Thanks

matthias
GnuPG: Bad Passphrase (try 2 of 3)
Hello,

I've GnuPG 2.1.12 on my mobile device (without any OpenPGP card) and generated there a new secret key to encrypt credentials I'm using on this device. I was a bit surprised reading (after entering a bad passphrase for testing):

    ┌
    │ Please enter the passphrase to unlock the OpenPGP secret key:
    │ "Matthias Apitz (BQ E4.5 key) "
    │ 4096-bit RSA key, ID FA46903FD2B8E5E9,
    │ created 2019-01-07 (main key ID 8F3E3E3C247AB779).
    │
**> │ Bad Passphrase (try 2 of 3)
    │
    │ Passphrase: __
    │
    └

Note: This is not with the PIN of an OpenPGP card. What would happen exactly after the 3rd bad value? Destroy of the key or my device? :-)

Thanks

matthias
Re: OpenPGP card: how to lock the card again so that PIN is required
On Tuesday, January 01, 2019 at 06:40:56 PM +0100, Dirk Gottschalk wrote:

> Hello Matthias.
>
> On Tuesday, 01.01.2019, 08:36 +0100, Matthias Apitz wrote:
> > Hello,
> >
> > This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> > the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does not work
> > anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> > Reader) after withdraw and re-insert. It works fine after boot, I
> > have to enter the PIN to unlock the card and all tested functions are
> > working.
>
> Did you check the config for pcscd? Probably it was overwritten by the
> update process.

To close this thread: It turned out being an issue in the USB chips in my laptop which was not correctly handled by the USB driver in the kernel. It is fixed since yesterday with this commit:

https://svnweb.freebsd.org/changeset/base/342778

matthias
Re: OpenPGP card: how to lock the card again so that PIN is required
On Wednesday, January 02, 2019 at 11:36:54 AM +0100, Werner Koch wrote:

> On Tue, 1 Jan 2019 08:36, g...@unixarea.de said:
>
> > with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card Reader) after
>
> Take care: Usual Omnikey problems with creating and using large keys
> apply.

Thanks. But I'm using this card and reader for a long time. And the same problem is with the uTrust reader.

> > How can I meanwhile 'reset' the OpenPGP card so that on next request for
> > the secrets (decrypt, signing, ssh) the PIN is requested?
>
> gpgconf --reload scdaemon
>
> is the easiest way. You can also use --kill as it is the same for
> scdaemon.

THANKS!!! This works and I now at least can disable the card when I go away from the laptop.

BTW: The CCID and the readers have no manuals how, i.e. in which directions, one has to insert the CCID. Yesterday I took pictures to have this clear now :-)

matthias
Re: OpenPGP card: how to lock the card again so that PIN is required
On Tuesday, January 01, 2019 at 06:40:56 PM +0100, Dirk Gottschalk wrote:

> Hello Matthias.
>
> On Tuesday, 01.01.2019, 08:36 +0100, Matthias Apitz wrote:
> > Hello,
> >
> > This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> > the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does not work
> > anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> > Reader) after withdraw and re-insert. It works fine after boot, I
> > have to enter the PIN to unlock the card and all tested functions are
> > working.
>
> Did you check the config for pcscd? Probably it was overwritten by the
> update process.

There is no config file for pcscd, only for serial devices. Interestingly the pcscd started via devd at boot time works fine:

$ ps ax | grep pc
 536 v0- S 0:00,98 /usr/local/sbin/pcscd --debug --foreground

When I disable this start at boot time and start the same command as root from the shell (to investigate/debug), this just hangs. Also system USB commands, like 'usbconfig list', show the same problem. It looks like something in the boot process after start of the above PID damages the USB stack.

> > I have to investigate this further or change the 'scdaemon' to let it
> > directly access the OpenPGP bypassing the 'pcscd' (comments on this
> > are welcome).
>
> You can use the internal ccid-reader of scdaemon. This should work with
> the OmniKey readers, AFAIK. You have to disable PC/SC, otherwise this
> won't work.

I did so, it shows (as started after boot) the same problem.

> > How can I meanwhile 'reset' the OpenPGP card so that on next request
> > for the secrets (decrypt, signing, ssh) the PIN is requested?
>
> For the signature PIN just enable the forcepin option as admin with
> --card-edit. For the other functions you need to power cycle the
> card, easiest done by removal and re-insertion.

Yes, this was what I did before the update :-)

Thanks for your reply anyway.

matthias
OpenPGP card: how to lock the card again so that PIN is required
Hello,

This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does not work anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card Reader) after withdraw and re-insert. It works fine after boot, I have to enter the PIN to unlock the card and all tested functions are working.

I have to investigate this further or change the 'scdaemon' to let it directly access the OpenPGP bypassing the 'pcscd' (comments on this are welcome).

How can I meanwhile 'reset' the OpenPGP card so that on next request for the secrets (decrypt, signing, ssh) the PIN is requested?

Thanks

matthias
Re: Using gnupg to crypt credentials used by application to access a database server
On Monday, July 16, 2018 at 09:06:58 AM +0200, Michael Kesper wrote:

> Hi all,
>
> On Saturday, 14.07.2018, 15:15 +0200, Matthias Apitz wrote:
> > We are looking for a way to change this situation and one of the
> > options or ideas I have, is crypt the credentials with GnuPG in some file.
>
> I use pass [0] for this.
> It uses gnupg under the hood and also has ansible integration.
> Adding and removing users is a bit of hassle but it integrates much
> better with git than e.g. keepass or the like.

Hi, Michael,

I do use pass too for all my firefox credentials for access of webpages and services, i.e. I know how this works. I use for this GnuPG together with an OpenPGP card and to unlock the password storage I have to provide the 6 digit PIN of the card. The storage remains unlocked until card removal. This works all fine.

But, I do not see how this could fit into the scene I described. When an application server starts on the UNIX host, it needs the database access credentials and there is no human to key in any PIN, for example when the server starts at boot time ...

How do you think that pass could fit? Maybe I do overlook something...

Thanks

matthias
Using gnupg to crypt credentials used by application to access a database server
Hello,

We have large application servers (written in C and C++), but also Perl and Java applications which all contact a Sybase database server over the network to do their work. They have to present a USER and a PASSWORD information to connect to the Sybase ASE listening on some port. As the USER and the PASSWORD are not entered by humans, at least not in the moment when the access of the application is made, they are stored in clear text in files in the UNIX (Linux, SunOS) file system. They are entered once, when the software is installed, or get modified with a text editor, when the credentials for whatever reason should be changed.

Ofc, storing them in clear text was always a bad idea. Any person with access to the server and a bit of knowledge could read and misuse them, even for dropping the complete database or manipulating accountancy data.

We are looking for a way to change this situation and one of the options or ideas I have, is to crypt the credentials with GnuPG in some file. Any application has to decrypt this file on the fly (perhaps with a shell command) to get the USER and PASSWORD into its environment variables or internal variables to make use of them to connect to the database server, and will forget the credentials again asap.

Decrypting with GnuPG needs a passphrase, normally read from /dev/tty, which can not be done here in this case. My idea here is to write a special 'pinentry' program which provides the passphrase, which is crypted itself with blowfish internally in the 'pinentry' program, and the 'pinentry' will only work if the proc which is calling GnuPG sends over a socket or a file some information to authorize the access to this special 'pinentry'.

Any other and better ideas for this?

Thanks in advance.

matthias
Re: Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)
On Tuesday, May 15, 2018 at 10:44:16 AM +0200, Werner Koch wrote:

> On Tue, 15 May 2018 03:31, je...@seibercom.net said:
> > NCCIC encourages users and administrators to review CERT/CC’s Vulnerability
> > Note VU #122919.
>
> Doesn't CERT read the paper before producing a report? The table of
> vulnerable MUAs is easy enough to read. To better see what we are
> discussing, here is the table in plain text format with the check marks
> replaced by yes and no.
>
> --8<---cut here---start->8---
> TABLE OF VULNERABLE MAIL CLIENTS
>
> | OS      | Client          | S/MIME | PGP  |      |     |
> |         |                 |        | -MDC | +MDC | SE  |
> |---------+-----------------+--------+------+------+-----|
> | Windows | Outlook 2007    | yes    | yes  | yes  | no  |
> |         | Outlook 2010    | yes    | no   | no   | no  |
> |         | Outlook 2013    | user   | no   | no   | no  |
> |         | Outlook 2016    | user   | no   | no   | no  |
> |         | Win. 10 Mail    | yes    | –    | –    | –   |
> |         | Win. Live Mail  | yes    | –    | –    | –   |
> |         | The Bat!        | user   | no   | no   | no  |
> |         | Postbox         | yes    | yes  | yes  | yes |
> |         | eM Client       | yes    | no   | yes  | no  |
> |         | IBM Notes       | yes    | –    | –    | –   |
> | Linux   | Thunderbird     | yes    | yes  | yes  | yes |
> |         | Evolution       | yes    | no   | no   | no  |
> |         | Trojitá         | yes    | no   | no   | no  |
> |         | KMail           | user   | no   | no   | no  |
> |         | Claws           | no     | no   | no   | no  |
> |         | Mutt            | no     | no   | no   | no  |
> | macOS   | Apple Mail      | yes    | yes  | yes  | yes |
> |         | MailMate        | yes    | no   | no   | no  |
> |         | Airmail         | yes    | yes  | yes  | yes |
> | iOS     | Mail App        | yes    | –    | –    | –   |
> |         | Canary Mail     | –      | no   | no   | no  |
> | Android | K-9 Mail        | –      | no   | no   | no  |
> |         | R2Mail2         | yes    | no   | yes  | no  |
> |         | MailDroid       | yes    | no   | yes  | no  |
> |         | Nine            | yes    | –    | –    | –   |
> | Webmail | United Internet | –      | no   | no   | no  |
> |         | Mailbox.org     | –      | no   | no   | no  |
> |         | ProtonMail      | –      | no   | no   | no  |
> |         | Mailfence       | –      | no   | no   | no  |
> |         | GMail           | yes    | –    | –    | –   |
> | Webapp  | Roundcube       | –      | no   | no   | yes |
> |         | Horde IMP       | user   | no   | yes  | yes |
> |         | AfterLogic      | –      | no   | no   | no  |
> |         | Rainloop        | –      | no   | no   | no  |
> |         | Mailpile        | –      | no   | no   | no  |
>
> –    = Encryption not supported
> no   = Not vulnerable
> yes  = Vulnerable
> user = Vulnerable after user consent
>
> -MDC = with stripped MDC, +MDC = with wrong MDC, SE = SE packets
> --8<---cut here---end--->8---
>
> My conclusion is that S/MIME is vulnerable in most clients with the
> exception of The Bat!, Kmail, Claws, Mutt and Horde IMP. I take the
> requirement for a user consent as non-vulnerable. Most of the
> non-vulnerable clients use GnuPG as their engine.

Werner, my conclusion in addition is that the table is incorrect. Most (if not even all) of the MUA which are noted for Linux do run on nearly any other UNIX flavor, FreeBSD, OpenBSD, ... and mutt in addition runs on Canonical Ubuntu for smartphones/tablets and UBports devices.

matthias
Re: WKD planned for Purism's laptops and Librem 5 phone
On Thursday, March 15, 2018 at 10:27:04 AM +0100, Bernhard Reiter wrote:

> https://puri.sm/posts/purism-collaboration-with-cryptography-expert-werner-koch/
>
> have joined forces with leading cryptography pioneer, Werner Koch, to
> integrate hardware encryption into the company’s Librem laptops and
> forthcoming Librem 5 phone.
> ..
> to include encryption by default into its hardware, software, and services.
> ..
> by default into communications such as email and messaging
> through a new process called Web Key Directory
>
> ...

I have ordered in the crowd funding on October 7, 2017 one of these Librem 5 phones (~600 Euro) and I'm keen to get hands on it next year in spring.

matthias
Re: OpenPGP card bricked
-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: dwLength ..: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSlot .: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSeq ..: 4
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bStatus ...: 65
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bError : 254
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_reset => sw=0x10009
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_connect => sw=0x10009
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: enter: apdu_close_reader: slot=0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: enter: apdu_disconnect: slot=0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_disconnect => sw=0x0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: PC_to_RDR_IccPowerOff:
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: dwLength ..: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSlot .: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSeq ..: 5
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: [0007] 00 00 00
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: RDR_to_PC_SlotStatus:
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: dwLength ..: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSlot .: 0
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bSeq ..: 5
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bStatus ...: 1
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: bClockStatus ..: 0x01 (stopped-L)
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: libusb_cancel_transfer
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: ccid-driver: libusb_handle_events_completed
2018-03-14 16:33:10 scdaemon[2735.802280a00] DBG: ccid-driver: CCID: interrupt callback 3
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_close_reader => 0x0 (close_reader)
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: enter: apdu_open_reader: portstr=(null)
2018-03-14 16:33:10 scdaemon[2735.802017900] pcsc_establish_context failed: no service (0x8010001d)
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: chan_7 -> ERR 100696144 Operation not supported by device
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: chan_7 <- RESTART
2018-03-14 16:33:10 scdaemon[2735.802017900] DBG: chan_7 -> OK
Re: OpenPGP card bricked
On Tuesday, March 13, 2018 at 04:00:04 PM +0100, Peter Lebbing wrote:

> On 13/03/18 15:34, Matthias Apitz wrote:
> > Is there some config missing so that scdaemon opens directly the reader?
> > What does 'pcsc_establish_context failed' mean?
>
> A notable difference between the built-in CCID driver and pcscd is probably the
> user credentials that open the USB device. Make sure you have write access to
> the character device in /dev/bus/usb that corresponds to your smartcard:

Please note, this is not Linux but FreeBSD. But you pointed in the correct direction: missing rw perms in /dev/usb/* device files; I'm in the group operator, but they have had only 0600 perms; I fixed this to:

# ls -l /dev/usb
total 0
crw-rw  1 root operator 0x2c 13 mar. 15:17 0.1.0
crw-rw  1 root operator 0x3d 13 mar. 15:17 0.1.1
crw-rw  1 root operator 0x40 13 mar. 15:17 0.2.0
crw-rw  1 root operator 0x42 13 mar. 15:17 0.2.1
crw-rw  1 root operator 0x43 13 mar. 15:17 0.2.7
crw-rw  1 root operator 0x44 13 mar. 15:17 0.3.0
crw-rw  1 root operator 0x46 13 mar. 15:17 0.3.1
crw-rw  1 root operator 0x47 13 mar. 15:17 0.3.2
crw-rw  1 root operator 0x48 13 mar. 15:17 0.3.3
crw-rw  1 root operator 0x7e 13 mar. 15:26 0.4.0
crw-rw  1 root operator 0x80 13 mar. 15:26 0.4.1
crw-rw  1 root operator 0x81 13 mar. 15:26 0.4.2
crw-rw  1 root operator 0x82 13 mar. 15:26 0.4.3

and this gives more log; see below;

> Also, if I were you, I'd clean the smartcard contacts with isopropyl alcohol.
> I'm not sure what other cleaning agents would work well, I just use that one.
>
> It could be that your card has just died. Smartcards are not the most robust
> devices, and they are subjected to stress usually.

Thanks for this hint too.

2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 <- GETINFO version
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 -> D 2.1.19
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 -> OK
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: chan_7 <- SERIALNO openpgp
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: apdu_open_reader: BAI=400
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: apdu_open_reader: new device=400
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: using CCID reader 0 (ID=04E6:5816:55511514602745:0)
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: idVendor: 04E6 idProduct: 5816 bcdDevice: 0202
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: ChipCard Interface Descriptor:
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bLength 54
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bDescriptorType 33
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bcdCCID 1.10 (Warning: Only accurate for version 1.0)
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: nMaxSlotIndex 0
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bVoltageSupport 7 ?
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwProtocols 3 T=0 T=1
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwDefaultClock 4800
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxiumumClock 16000
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bNumClockSupported 0
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwDataRate 12903 bps
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxDataRate 60 bps
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bNumDataRatesSupp. 0
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxIFSD 252
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwSyncProtocols
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMechanical
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwFeatures 000100BA
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto configuration based on ATR (assumes auto voltage)
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto voltage selection
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto clock change
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto baud rate change
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: Auto PPS made by CCID
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: TPDU level exchange
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: dwMaxCCIDMsgLen 271
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid-driver: bClassGetResponse echo
2018-03-13 16:23:16 scdaemon[2508.802017900] DBG: ccid
Re: OpenPGP card bricked
On Tuesday, March 13, 2018 at 06:54:25 PM +0900, NIIBE Yutaka wrote:

> > What can I do?
> [...]
> > Identiv uTrust 3512 SAM slot Token
>
> I believe that GnuPG's in-stock driver just works fine with this reader,
> because it runs at TPDU level exchange.
>
> Please try without PC/SC-lite, and see how it goes.
>
> With the following ~/.gnupg/scdaemon.conf, you can get a debug log.
>
> ~/.gnupg/scdaemon.conf
> verbose
> verbose
> debug-level guru
> debug-all
> debug-ccid-driver
> log-file /some/where/scdaemon-debug.log

I moved the /usr/local/sbin/pcscd out of the way. The scdaemon writes the following log:

2018-03-13 15:28:10 scdaemon[2508.802016000] listening on socket '/home/guru/.gnupg-ccid/S.scdaemon'
2018-03-13 15:28:10 scdaemon[2508.802017900] manejador del descriptor -1 iniciado
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK GNU Privacy Guard's Smartcard server ready
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- GETINFO socket_name
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> D /home/guru/.gnupg-ccid/S.scdaemon
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- OPTION event-signal=31
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- SERIALNO
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: enter: apdu_open_reader: portstr=(null)
2018-03-13 15:28:10 scdaemon[2508.802017900] pcsc_establish_context failed: no service (0x8010001d)
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: leave: apdu_open_reader => slot=-1 [pc/sc]
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> ERR 100696144 Operation not supported by device
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- RESTART
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> OK

Is there some config missing so that scdaemon opens directly the reader?
What does 'pcsc_establish_context failed' mean?

Thanks for your help

matthias
OpenPGP card bricked
:IFDHGetCapabilities() tag: 0xFB1, usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
0012 ifdhandler.c:379:IFDHGetCapabilities() tag: 0xFB2, usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
0011 eventhandler.c:201:EHDestroyEventHandler() Request stopping of polling thread
0011 ifdhandler.c:344:IFDHStopPolling() usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
00401709 eventhandler.c:502:EHStatusHandlerThread() Die
0177 eventhandler.c:216:EHDestroyEventHandler() Thread stomped.
0019 readerfactory.c:1130:RFUnInitializeReader() Attempting shutdown of Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00.
0025 ifdhandler.c:282:IFDHCloseChannel() usb:04e6/5816:libusb-1.0:0:2:0 (lun: 0)
9467 ccid_usb.c:189:close_libusb_if_needed() libusb_exit
0089 readerfactory.c:991:RFUnloadReader() Unloading reader driver.
0133 winscard_svc.c:152:ContextsDeinitialize() remaining threads: 0
0059 pcscdaemon.c:781:at_exit() cleaning /var/run/pcscd
using the SSH secret key fails sometimes
Hello,

This is on FreeBSD with:

$ gpg2 --version
gpg (GnuPG) 2.1.19
libgcrypt 1.7.6

$ ps ax | egrep 'gnu|pcs'
1034 - Ss 0:00,59 gpg-agent --homedir /home/guru/.gnupg-ccid --use-standard-socket
1036 - S  0:02,24 scdaemon --multi-server --homedir /home/guru/.gnupg-ccid
3844 - S  0:01,04 /usr/local/sbin/pcscd

From time to time (let's say 1-2 times a day) the access to the SSH secret on the OpenPGP card fails. The card is already unlocked in this moment because the unlocking of the KDE desktop has asked for the PIN. Initializing a SSH session produces the attached error in the scdaemon's log file. It helps to withdraw the card and insert it again (which starts a new proc /usr/local/sbin/pcscd).

Any idea where to look?

Thanks

matthias

2018-03-05 10:53:40 scdaemon[1036.802017e00] manejador del descriptor 13 iniciado
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK GNU Privacy Guard's Smartcard server ready
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SERIALNO
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETINFO card_list
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SERIALNO --demand=D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETATTR $AUTHKEYID
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S $AUTHKEYID OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETATTR SERIALNO
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- READKEY OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(548 byte(s) skipped) ]
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- GETATTR $DISPSERIALNO
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S $DISPSERIALNO 0005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SERIALNO --demand=D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> S SERIALNO D2760001240102010005532B
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SETDATA 3021300906052B0E03021A05000414579704ECB5FC67E700FAD99C8080277E86DCAD94
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- PKAUTH OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] pcsc_transmit failed: not transacted (0x80100016)
2018-03-05 10:53:40 scdaemon[1036.802017e00] apdu_send_simple(0) failed: general error
2018-03-05 10:53:40 scdaemon[1036.802017e00] operation auth result: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] app_auth failed: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> ERR 100663297 General error
2018-03-05 10:54:04 scdaemon[1036.802017e00] DBG: chan_13 <- BYE
2018-03-05 10:54:04 scdaemon[1036.802017e00] DBG: chan_13 -> OK closing connection
2018-03-05 10:54:04 scdaemon[1036.802017e00] manejador del descriptor 13 terminado
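Added example (not code from any of these posts, nor from GnuPG or pcsc-lite): a small triage script for scdaemon debug logs like the one above and the ones in the "OpenPGP card bricked" thread. It pairs each Assuan command ("chan_N <- CMD") with its OK/ERR reply, attaches the pcsc_* failure logged on the same thread just before an ERR, and decodes the PC/SC return code and the gpg-error value, so the failing operation (here PKAUTH, i.e. the SSH authentication) is reported as one record instead of being fished out of thousands of DBG lines. The sample log is constructed from the excerpts quoted in the posts; the PC/SC and libgpg-error constants are the standard winscard and libgpg-error values.

```python
"""Triage GnuPG scdaemon debug logs: pair Assuan commands with their replies
and explain the PC/SC and gpg-error codes that accompany a failure."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# PC/SC (winscard) return codes that appear in the quoted scdaemon logs.
PCSC_ERRORS: Dict[int, str] = {
    0x80100016: "SCARD_E_NOT_TRANSACTED: the reader did not complete the APDU exchange",
    0x8010001D: "SCARD_E_NO_SERVICE: no pcscd is running, or scdaemon cannot reach it",
}

# libgpg-error packs the reporting component into bits 24..30 and the error
# code into the low 16 bits; codes >= 32768 wrap a system errno.
GPG_ERR_SOURCES = {4: "gpg-agent", 5: "pinentry", 6: "scdaemon", 15: "assuan"}
GPG_ERR_SYSTEM_ERROR = 32768

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"scdaemon\[(?P<pid>\d+)\.(?P<tid>[0-9a-fA-F]+)\] (?P<msg>.*)$")
CMD_RE = re.compile(r"^DBG: chan_(?P<chan>\d+) <- (?P<cmd>.+)$")
REPLY_RE = re.compile(r"^DBG: chan_(?P<chan>\d+) -> (?P<status>OK|ERR)(?: (?P<rest>.*))?$")
PCSC_RE = re.compile(r"^(?P<func>pcsc_\w+) failed: [^(]* \(0x(?P<code>[0-9a-fA-F]+)\)$")


def decode_gpg_error(code: int) -> Tuple[str, int, bool]:
    """Split a numeric gpg-error value into (source name, error code, is_system_errno)."""
    source = (code >> 24) & 0x7F
    err = code & 0xFFFF
    return GPG_ERR_SOURCES.get(source, f"source {source}"), err, err >= GPG_ERR_SYSTEM_ERROR


@dataclass
class Failure:
    timestamp: str
    channel: int
    command: str                      # Assuan command that was answered with ERR
    gpg_error: int                    # numeric code from the ERR reply
    gpg_error_text: str
    pcsc_func: Optional[str] = None   # pcsc_* call that failed just before, if any
    pcsc_code: Optional[int] = None
    pcsc_meaning: Optional[str] = None


def triage(lines: Iterable[str]) -> List[Failure]:
    """Return one Failure per command that scdaemon answered with ERR."""
    pending: Dict[int, Tuple[str, str]] = {}    # channel -> (timestamp, command)
    last_pcsc: Dict[str, Tuple[str, int]] = {}  # thread id -> (pcsc function, code)
    failures: List[Failure] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, tid, msg = m["ts"], m["tid"], m["msg"]
        if (c := CMD_RE.match(msg)):
            pending[int(c["chan"])] = (ts, c["cmd"])
            continue
        if (p := PCSC_RE.match(msg)):
            last_pcsc[tid] = (p["func"], int(p["code"], 16))
            continue
        r = REPLY_RE.match(msg)
        if not r:
            continue                            # S/D/inquiry lines carry no verdict
        started = pending.pop(int(r["chan"]), None)
        if r["status"] == "OK" or started is None:
            last_pcsc.pop(tid, None)            # server greeting or a success: nothing to report
            continue
        code_str, _, text = (r["rest"] or "").partition(" ")
        func, code = last_pcsc.pop(tid, (None, None))
        failures.append(Failure(
            timestamp=started[0], channel=int(r["chan"]), command=started[1],
            gpg_error=int(code_str) if code_str.isdigit() else 0, gpg_error_text=text,
            pcsc_func=func, pcsc_code=code,
            pcsc_meaning=None if code is None else PCSC_ERRORS.get(code, "unknown PC/SC code")))
    return failures


# Constructed sample, spliced from the two scdaemon excerpts quoted in the posts.
SAMPLE_LOG = """\
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK GNU Privacy Guard's Smartcard server ready
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- SETDATA 3021300906052B0E03021A05000414579704ECB5FC67E700FAD99C8080277E86DCAD94
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> OK
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 <- PKAUTH OPENPGP.3
2018-03-05 10:53:40 scdaemon[1036.802017e00] pcsc_transmit failed: not transacted (0x80100016)
2018-03-05 10:53:40 scdaemon[1036.802017e00] app_auth failed: General error
2018-03-05 10:53:40 scdaemon[1036.802017e00] DBG: chan_13 -> ERR 100663297 General error
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 <- SERIALNO
2018-03-13 15:28:10 scdaemon[2508.802017900] pcsc_establish_context failed: no service (0x8010001d)
2018-03-13 15:28:10 scdaemon[2508.802017900] DBG: chan_7 -> ERR 100696144 Operation not supported by device
"""


def main() -> None:
    for f in triage(SAMPLE_LOG.splitlines()):
        src, err, is_sys = decode_gpg_error(f.gpg_error)
        kind = "system errno" if is_sys else f"gpg-error code {err}"
        print(f"{f.timestamp} chan_{f.channel} {f.command!r} -> ERR {f.gpg_error} "
              f"({src}, {kind}) {f.gpg_error_text}")
        if f.pcsc_code is not None:
            print(f"    cause: {f.pcsc_func} -> 0x{f.pcsc_code:08X} {f.pcsc_meaning}")


if __name__ == "__main__":
    main()
```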
Re: Fwd: gnupg SmartCard V3.3
On Thursday, March 01, 2018 at 09:14:15 AM +0900, NIIBE Yutaka wrote:

> Hello,
>
> Werner Koch <w...@gnupg.org> wrote:
> > @gniibe: Do you have any more up to date information on macOS and
> > smartcard readers?
>
> If possible, I recommend to use GnuPG's in-stock driver to access
> smartcard. It is direct access by libusb, not using PC/SC service.
>
> For GNU/Linux, if you don't have any other use of PC/SC service, please
> uninstall it, or disable the service, and try again with GnuPG's
> in-stock driver.
>
> For the driver, I maintain this list:
>
> https://wiki.debian.org/GnuPG/CCID_Driver
>
> For macOS, I think that it still uses old PC/SC and libccid library.
> I'm afraid that new readers (with new features like pinpad support)
> don't work well, or don't work at all.

Hello,

I do use the following USB token on FreeBSD-12 CURRENT and the 'pcscd' is configured to be started by devd on device attach:

Mar 1 08:00:56 r314251-amd64 kernel: ugen0.2: at usbus0
Mar 1 08:00:56 r314251-amd64 root: CCID uTrust, type: ATTACH, system: USB, subsystem: INTERFACE
Mar 1 08:00:56 r314251-amd64 root: /usr/local/sbin/pcscd
Mar 1 08:00:56 r314251-amd64 root: Unknown USB device: vendor 0x04e6 product 0x5816 bus uhub0

The OpenPGP card works fine as:

$ gpg2 --card-status
Reader ...: Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .....: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
...

Do I have any chance to use the USB token and the card directly without 'pcscd'?

Thanks

matthias
Re: problems sending to the list
On Sunday, February 11, 2018 at 12:56:40 PM +0100, Peter Lebbing wrote:

> I think you're not setting the "envelope from" correctly. While the
> e-mail itself has your normal e-mail address, the bounce is going to the
> address I quoted above, so apparently that is the envelope sender.

Yes. This was the issue. The MUA in question is mutt, which uses sendmail to send the mail. There was (I don't know why) the -f ... missing.

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Thanks to the Soviet Army for the Victory in Stalingrad! -- Victory in the Battle of Stalingrad!
problems sending to the list
Hello,

Sometimes I do SSH into my server at my ISP and send email to the list from there. This always fails with the message below. Can some list admin please check why?

Thanks

matthias

- Forwarded message from Mail Delivery System <mailer-dae...@sh4-5.1blu.de> -

Date: Fri, 09 Feb 2018 11:14:13 +0100
From: Mail Delivery System <mailer-dae...@sh4-5.1blu.de>
To: ftp51246-2575...@sh4-5.1blu.de
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  gnupg-users@gnupg.org
    host kerckhoffs.g10code.com [217.69.77.222]
    SMTP error from remote mail server after RCPT TO:<gnupg-users@gnupg.org>:
    451 Could not complete sender verify callout: retry timeout exceeded

Reporting-MTA: dns; sh4-5.1blu.de
Action: failed
Final-Recipient: rfc822;gnupg-users@gnupg.org
Status: 5.0.0
Remote-MTA: dns; kerckhoffs.g10code.com
Diagnostic-Code: smtp; 451 Could not complete sender verify callout: retry timeout exceeded

Date: Mon, 5 Feb 2018 11:12:12 +0100
From: Matthias Apitz <g...@unixarea.de>
To: gnupg-users@gnupg.org
Subject: OpenPGP card && exporting secret keys

Hello,

I'm using an OpenPGP card and gnupg 2.1.19 on my FreeBSD workstations and my Ubuntu mobile device to store encrypted passwords (tool: password-store), to lock/unlock desktop sessions and to sign emails. This is all working fine and without any hiccups.

What makes me worry is that single point of failure: the OpenPGP card. While I do backups of all the encrypted password files, they would all be useless in case of loss/theft of the token or a hardware fault of the SIM card.

What I do at the moment is something like:

$ find ~/.password-store -name '*.gpg' -exec printf "%s:\n" {} \; -and -exec gpg2 -d {} 2> /dev/null \; -and -exec echo \; > /tmp/clear-password-store.txt
$ export GNUPGHOME=...
$ gpg -ea /tmp/clear-password-store.txt
$ mv /tmp/clear-password-store.txt.asc $GNUPGHOME
$ rm -P /tmp/clear-password-store.txt

where the other GNUPGHOME contains secret and pub-keys created for this special purpose and living outside (i.e. without) the OpenPGP card. And in case of loss/theft of the token I could recover at least all passwords again...

Is there any way to export the secret keys from the OpenPGP card to use them directly (with a passphrase) and without the OpenPGP card?

Thanks

matthias

- End forwarded message -

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Thanks to the Soviet Army for the Victory in Stalingrad! -- Victory in the Battle of Stalingrad!
OpenPGP card && exporting secret keys
Hello,

I'm using an OpenPGP card and gnupg 2.1.19 on my FreeBSD workstations and my Ubuntu mobile device to store encrypted passwords (tool: password-store), to lock/unlock desktop sessions and to sign emails. This is all working fine and without any hiccups.

What makes me worry is that single point of failure: the OpenPGP card. While I do backups of all the encrypted password files, they would all be useless in case of loss/theft of the token or a hardware fault of the SIM card.

What I do at the moment is something like:

$ find ~/.password-store -name '*.gpg' -exec printf "%s:\n" {} \; -and -exec gpg2 -d {} 2> /dev/null \; -and -exec echo \; > /tmp/clear-password-store.txt
$ export GNUPGHOME=...
$ gpg -ea /tmp/clear-password-store.txt
$ mv /tmp/clear-password-store.txt.asc $GNUPGHOME
$ rm -P /tmp/clear-password-store.txt

where the other GNUPGHOME contains secret and pub-keys created for this special purpose and living outside (i.e. without) the OpenPGP card. And in case of loss/theft of the token I could recover at least all passwords again...

Is there any way to export the secret keys from the OpenPGP card to use them directly (with a passphrase) and without the OpenPGP card?

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Thanks to the Soviet Army for the Victory in Stalingrad! -- Victory in the Battle of Stalingrad!
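Private keys that live on an OpenPGP card cannot be read back out of it, so a backup key kept off the card, as in the procedure above, is the only way to keep the store recoverable. The weak point of the procedure as written is the cleartext file in /tmp: `rm -P` overwrites the blocks it can see, which does not reliably destroy data on SSDs, on journaling or copy-on-write filesystems, or in a tmpfs that may be swapped. The script below, added here as an example and not the poster's own, does the same backup while streaming the cleartext from the decrypting gpg directly into the encrypting gpg, so nothing unencrypted touches the disk. Assumed, and not from the post: the backup GNUPGHOME and the backup key's recipient id are given as arguments, the store defaults to ~/.password-store, and the gpg binary is `gpg2` unless `GPG` is set.

```shell
#!/bin/sh
# Added example (not the script from the post): back up a password-store to one
# armored file encrypted to a card-independent backup key, with no cleartext file.
set -eu

GPG=${GPG:-gpg2}   # assumption: the same binary serves the card and the backup GNUPGHOME

# Entry names of a store (relative, without .gpg), sorted; the .git directory is skipped.
list_entries() {
  store=${1%/}
  find "$store" -type f -name '*.gpg' ! -path '*/.git/*' \
    | sed -e "s|^$store/||" -e 's/\.gpg$//' | LC_ALL=C sort
}

# Decrypt each entry with the card-backed key and write "name:" plus its content
# to stdout only. A failed decryption prints a marker on stderr and stops the loop,
# so a partial dump is never silently accepted as a complete backup.
dump_entries() {
  store=${1%/}
  list_entries "$store" | while IFS= read -r name; do
    printf '%s:\n' "$name"
    "$GPG" --batch --quiet --decrypt "$store/$name.gpg" \
      || { printf 'DECRYPT-FAILED %s\n' "$name" >&2; exit 1; }
    printf '\n'
  done
}

# backup_store BACKUP_GNUPGHOME RECIPIENT [STORE]
# Pipes the dump straight into gpg --encrypt under the backup GNUPGHOME.
backup_store() {
  backup_home=$1; recipient=$2; store=${3:-$HOME/.password-store}
  out=$backup_home/password-store-$(date +%Y%m%d).asc
  umask 077                       # output and scratch files are owner-readable only
  errs=$(mktemp)                  # collects stderr of the decrypting side (no cleartext)
  dump_entries "$store" 2>"$errs" \
    | GNUPGHOME=$backup_home "$GPG" --batch --armor --encrypt \
        --recipient "$recipient" --output "$out"
  if grep -q '^DECRYPT-FAILED' "$errs"; then
    cat "$errs" >&2; rm -f "$errs" "$out"; return 1   # incomplete: discard the output
  fi
  rm -f "$errs"
  printf 'wrote %s\n' "$out"
}

# Usage: sh backup-store.sh run /path/to/backup-gnupghome backup@example.invalid [store]
case ${1:-} in
  run) backup_store "$2" "$3" "${4:-}" ;;
esac
```

The encrypting gpg runs under the backup GNUPGHOME and the decrypting one under the default, so the card is still needed to read the store but never to read the backup. Restoring is `GNUPGHOME=/path/to/backup-gnupghome gpg2 -d password-store-YYYYMMDD.asc`, which yields the same "name:" blocks the original `find` loop produced.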