Redhat/Fedora still disabling brainpool curves (was: GnuPG 2.2.36 released
Am Mittwoch 13 Juli 2022 15:22:36 schrieb Todd Zullinger via Gnupg-users: > > Maybe it helps to report the problem of missing crypto algorithms to your > > GNU/Linux distribution. > > They aren't really missing but rather intentionally removed > due to legal issues on Fedora/Red Hat. This came up not so > long ago: > > https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html Thanks for the pointer, reading the fedora discussion: https://lists.fedoraproject.org/archives/list/le...@lists.fedoraproject.org/thread/WUQNAB4EPWSJMMVECL2TZGKB5KIDESII/#ZWQUWUYR7VVG6EXSXZYES5MWCWWKBNKG > Hopefully the legal issues will be cleared sometime soon and > Fedora will stop stripping brainpool. The last ping there was on April. As there is no open issue where users can track the progress on the Fedora legal team, maybe asking for an update after a quarter of a year is okay. (If you are a Fedora user and want brainpool algorithms included. ;) ) Regards Bernhard -- https://intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
Todd Zullinger via Gnupg-users wrote: > It's frustrating that the releases are signed with a cipher that cannot > be verified on a reasonably popular distro. At least, multiple signatures could be made. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
On Wed, Jul 13, 2022 at 09:22:36AM -0400, Todd Zullinger via Gnupg-users wrote: > > Maybe it helps to report the problem of missing crypto algorithms to your > > GNU/Linux distribution. > > They aren't really missing but rather intentionally removed > due to legal issues on Fedora/Red Hat. This came up not so > long ago: > > https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html Correct. RH considers Brainpool curves potentially patent-encumbered. > With the current Fedora (36), it's possible to enable these > ciphers via '--with brainpool' when building the libgcrypt > srpm. > > Hopefully the legal issues will be cleared sometime soon and > Fedora will stop stripping brainpool. > > It's frustrating that the releases are signed with a cipher > that cannot be verified on a reasonably popular distro. Indeed! For now, I worked around by verifying the signature on the swdb.lst file on a system where I have gnupg22-static installed, so I was able to build updated packages for my copr repos. Thanks, -Konstantin signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
Bernhard Reiter wrote: > Am Montag 11 Juli 2022 14:50:24 schrieb Konstantin Ryabitsev via Gnupg-users: >>> See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you. >> >> Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't >> verify it without building gnupg from scratch (without verifying it first). > > Maybe it helps to report the problem of missing crypto algorithms to your > GNU/Linux distribution. They aren't really missing but rather intentionally removed due to legal issues on Fedora/Red Hat. This came up not so long ago: https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html With the current Fedora (36), it's possible to enable these ciphers via '--with brainpool' when building the libgcrypt srpm. Hopefully the legal issues will be cleared sometime soon and Fedora will stop stripping brainpool. It's frustrating that the releases are signed with a cipher that cannot be verified on a reasonably popular distro. -- Todd signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
Hi Ralf, Am Donnerstag 07 Juli 2022 05:35:57 schrieb Ralph Seichter via Gnupg-users: > GnuPG for OS X / macOS version 2.2.36 is now available via the URL > https://sourceforge.net/projects/gpgosx/files/ . > > This is the first relase since Patrick Brunschwig passed stewardship of > the project to me, thanks for maintaining the package! (And many thanks to Patrick for having done so before!) Best Regards, Bernhard -- https://intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
Am Montag 11 Juli 2022 14:50:24 schrieb Konstantin Ryabitsev via Gnupg-users: > > See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you. > > Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't > verify it without building gnupg from scratch (without verifying it first). Maybe it helps to report the problem of missing crypto algorithms to your GNU/Linux distribution. -- https://intevation.de/~bernhard +49 541 33 508 3-3 Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998 Geschäftsführer Frank Koormann, Bernhard Reiter signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
On Fri, Jul 08, 2022 at 11:07:36PM +0200, Ingo Klöcker wrote: > > That key doesn't appear to be provided via > > https://gnupg.org/signature_key.asc. > > Yes, it is. > > ``` > $ curl https://gnupg.org/signature_key.asc | gpg --import > [...] > gpg: key 549E695E905BA208: 1 signature not checked due to a missing key > gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)" > imported > gpg: Total number processed: 4 > gpg: imported: 4 > > $ gpg -k 02F38DFF731FF97CB039A1DA549E695E905BA208 > pub brainpoolP256r1/549E695E905BA208 2021-10-15 [SC] [expires: 2029-12-31] > 02F38DFF731FF97CB039A1DA549E695E905BA208 > uid [ unknown] GnuPG.com (Release Signing Key 2021) > ``` > > See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you. Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't verify it without building gnupg from scratch (without verifying it first). -K ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
On Freitag, 8. Juli 2022 22:55:07 CEST Konstantin Ryabitsev via Gnupg-users wrote: > I'm trying to verify swdb.lst.sig, but I can't: > > $ gpg --verify swdb.lst.sig > gpg: assuming signed data in 'swdb.lst' > gpg: Signature made Wed 06 Jul 2022 02:26:07 PM EDT > gpg:using ECDSA key 02F38DFF731FF97CB039A1DA549E695E905BA208 > gpg: Can't check signature: No public key > > That key doesn't appear to be provided via > https://gnupg.org/signature_key.asc. Yes, it is. ``` $ curl https://gnupg.org/signature_key.asc | gpg --import [...] gpg: key 549E695E905BA208: 1 signature not checked due to a missing key gpg: key 549E695E905BA208: public key "GnuPG.com (Release Signing Key 2021)" imported gpg: Total number processed: 4 gpg: imported: 4 $ gpg -k 02F38DFF731FF97CB039A1DA549E695E905BA208 pub brainpoolP256r1/549E695E905BA208 2021-10-15 [SC] [expires: 2029-12-31] 02F38DFF731FF97CB039A1DA549E695E905BA208 uid [ unknown] GnuPG.com (Release Signing Key 2021) ``` See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you. Regards, Ingo signature.asc Description: This is a digitally signed message part. ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
On Wed, Jul 06, 2022 at 08:38:04PM +0200, Werner Koch via Gnupg-users wrote: > Hi! > > This is a quick announcement that a new GnuPG release for 2.2 is > available. We will also preprare a 2.3 release in the next days but due > to summer holidays things are a bit delayed. Hello: I'm trying to verify swdb.lst.sig, but I can't: $ gpg --verify swdb.lst.sig gpg: assuming signed data in 'swdb.lst' gpg: Signature made Wed 06 Jul 2022 02:26:07 PM EDT gpg:using ECDSA key 02F38DFF731FF97CB039A1DA549E695E905BA208 gpg: Can't check signature: No public key That key doesn't appear to be provided via https://gnupg.org/signature_key.asc. -K ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
* Andrew Gallagher: > As of 2130Z today this key still had not reached pgpkeys.eu, so I have > just uploaded it there by hand; most other syncing servers should have > it within the hour. Thanks, Andrew. For possible future key uploads, I'll keep in mind that pgp.mit.edu is not the most viable choice these days. Using it has been my habit for so many years that I forgot the server pool has changed considerably. -Ralph ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
> On 7 Jul 2022, at 04:47, Ralph Seichter via Gnupg-users > wrote: > > 1.) Starting today, disk images (*.dmg) are signed with a new ed25519 > key (EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F). This key has been > uploaded to pgp.mit.edu today, but the site is once again very sluggish > and it might take a while to sync the key to other pool members. For > this reason, I'll include the public key here: As of 2130Z today this key still had not reached pgpkeys.eu, so I have just uploaded it there by hand; most other syncing servers should have it within the hour. I can see it is also available on keys.openpgp.org. Sadly, I would recommend against the use of pgp.mit.edu, as it is one of the most consistently unreliable keyservers. The graphs at https://spider.pgpkeys.eu/graphs now show a crude “N nines” reliability estimate for each available keyserver - this is based on an hourly poll and is only capable of resolving up to three nines, but it should give you a rough guide to which keyservers have a track record of responsiveness. A ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.2.36 released
* Werner Koch via Gnupg-users: > This is a quick announcement that a new GnuPG release for 2.2 is > available. GnuPG for OS X / macOS version 2.2.36 is now available via the URL https://sourceforge.net/projects/gpgosx/files/ . This is the first relase since Patrick Brunschwig passed stewardship of the project to me, so please note the following changes: 1.) Starting today, disk images (*.dmg) are signed with a new ed25519 key (EAB0FE4FF793D9E7028EC8E2FD56297D9833FF7F). This key has been uploaded to pgp.mit.edu today, but the site is once again very sluggish and it might take a while to sync the key to other pool members. For this reason, I'll include the public key here: -BEGIN PGP PUBLIC KEY BLOCK- mDMEYsY2JRYJKwYBBAHaRw8BAQdAHRCBW5+Dhmt7pdtksvpIkk3/SY8oULxLR6hs xg0yT/+0K1JhbHBoIFNlaWNodGVyIChHbnVQRyBmb3IgT1MgWCBzaWduaW5nIGtl eSmIlgQTFgoAPhYhBOqw/k/3k9nnAo7I4v1WKX2YM/9/BQJixjYlAhsDBQkJZgGA BQsJCAcDBRUKCQgLBRYDAgEAAh4FAheAAAoJEP1WKX2YM/9/HN8BAOcfzou/g9KI YRXA4ePZlVGSZrKCwfE4LL23YfikJr5jAQDKQRW4IQnYPHvlyHAHpcxDD/U/c1VO MylkSvfkkSBmBw== =MgmS -END PGP PUBLIC KEY BLOCK- 2.) The Install.pkg file included in the disk image is unsigned, because I have not subscribed to Apple's developer program. I am not sure yet if I will do so in the future. Thus, it might be necessary to right-click on Install.pkg and using the popup menu instead of double-clicking, depending on the version of macOS you are using. Should you wish to contact me off-list regarding the GnuPG for OS X project, please send mail to "gpgosx ~AT~ seichter ~DOT~ de". -Ralph ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 2.2.36 released
Hi! This is a quick announcement that a new GnuPG release for 2.2 is available. We will also preprare a 2.3 release in the next days but due to summer holidays things are a bit delayed. See also https://dev.gnupg.org/T5949 Shalom-Salam, Werner Noteworthy changes in version 2.2.36 (2022-07-06) - * g10: Fix possibly garbled status messages in NOTATION_DATA. This bug could trick GPGME and other parsers to accept faked status lines. [T6027, CVE-2022-34903] * gpg: Handle leading zeroes in Ed25519 private keys and reverse change regarding Ed25519 SOS encoding as introduced with 2.2.34. [T5120] * gpg: Allow Unicode file names for iobuf_cancel under Windows. * gpgsm: Improve pkcs#12 import. [T6037,T5793,T4921,T4757] * scd,p15: Fix reading certificates w/o length info. * scd,p15: Improve the displayed S/N for Technology Nexus cards. * scd,openpgp: Add workaround for ECC attribute on Yubikey. [T5963] * scd: Fix use of SCardListReaders for PC/SC. [T5979] * gpgconf: New short options -X and -V. * Make sure to always set CONFIDENTIAL flag in Assuan. [T5977] Release-info: https://dev.gnupg.org/T5949 -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users