Re: No secret key

2024-03-04 Thread Eva Bolten via Gnupg-users
Hi,

First of all: The usual procedure when asking for advice is to tell us which 
gpg version you are using, and on which operating system. 
But it seems likely that in this case the info is not necessary. 

> I received this message when using --clear-sign.
> gpg: no default secret key: No secret key
> gpg: clear-sign failed: No secret key

Please always post complete gpg command lines and the corresponding output - 
you can of course obfuscate names and other personal info.

I assume you have entered something like:

gpg --clear-sign test.txt 

without specifying the key to use on the command line and no default key 
defined in your gpg.conf.

The gpg man page describes how to specify that key:

--clearsign
  Make a cleartext signature.  The content in a cleartext signature is
  readable without any special software.  OpenPGP software is only
  needed to verify the signature.  Cleartext signatures may modify
  end-of-line whitespace for platform independence and are not intended
  to be reversible.  The signing key is chosen by default or can be set
  explicitly using the --local-user and --default-key options.

Therefore, if you did not set a default key in your gpg.conf, you have to 
provide the key to use on the command line as described.
 
Regards

Eva






___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


No secret key

2024-03-04 Thread Richard Bostrom via Gnupg-users
Sirs and ladies!

I received this message when using --clear-sign.
gpg: no default secret key: No secret key
gpg: clear-sign failed: No secret key

Both my public and private keys have been imported.
The key was made with a different user (as sudo). The current user is a non-sudo 
user.

Yours truly
Richardh Bostrom

Sent with [Proton Mail](https://proton.me/) secure email.


[SOLVED] gpg: signing failed: Bad secret key

2024-02-18 Thread Leo Coogan via Gnupg-users
I solved my issue so I'm posting this for the benefit of users who might 
have the same issue.


I solved my issue by generating a new key pair because there seemed to 
be no way to work around the incompatibility that caused the key to not 
be able to sign on my NixOS machine. I'm not sure what caused this, but 
it's solved now.


On 1/24/24 12:37, Werner Koch wrote:

> On Tue, 23 Jan 2024 12:38, Leo Coogan said:
>
> > sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
> >    C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
> >    Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
>
> You don't have a signing key.  The primary key has been taken offline
> ('#') and can thus not be used for signing.
>
> > ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
> >    143454E3276F11C51D01B35363D14EA6FDB00D9F
> >    Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
>
> The subkey is not capable of signing (by usage flags and algorithm).
>
> Did you have another signing subkey and that one expired?
> Add
>
>    --list-options show-unusable-subkeys
>
> to the listing command to check.
>
>
> Salam-Shalom,
>
> Werner





Re: How to get a pubkey with WKD (Re: Incompatible secret key format between 2.4.4 and 2.2.27?)

2024-02-15 Thread Werner Koch via Gnupg-users
On Thu, 15 Feb 2024 11:48, Bernhard Reiter said:

> But it does not get the current version of the pubkey in some circumstances.

Example?  I am not aware of it.

> And the long version works in a few more elder GnuPG versions. ;)

Since 2.2.17 from summer 2019 - 5 years passed since then with a couple
of CVEs.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




How to get a pubkey with WKD (Re: Incompatible secret key format between 2.4.4 and 2.2.27?)

2024-02-15 Thread Bernhard Reiter via Gnupg-users


On Thursday 15 February 2024 10:45:53, Werner Koch wrote:
> > The following will get his pubkey by WKD on the command line:
> >  gpg  --locate-keys --auto-key-locate clear,nodefault,wkd w...@gnupg.org
>
> FWIW,
>
>   gpg --locate-external-key w...@gnupg.org
>
> is much easier than the above long list of options.

FWIW

But it does not get the current version of the pubkey in some circumstances.
And the long version works in a few more elder GnuPG versions. ;)

Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter




Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-15 Thread Werner Koch via Gnupg-users
On Wed, 14 Feb 2024 11:24, Bernhard Reiter said:

> The following will get his pubkey by WKD on the command line:
>  gpg  --locate-keys --auto-key-locate clear,nodefault,wkd w...@gnupg.org


FWIW,

  gpg --locate-external-key w...@gnupg.org

is much easier than the above long list of options.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-14 Thread Bernhard Reiter via Gnupg-users
On Tuesday 13 February 2024 15:50:55, mlist_e9e869bc--- via Gnupg-users wrote:
> Is wk at gnupg.org the private email I can send the public key to you?

Yes, that is one of Werner's pubkeys.

The following will get his pubkey by WKD on the command line:
 gpg  --locate-keys --auto-key-locate clear,nodefault,wkd w...@gnupg.org

> I'm willing to send you a copy to examine but not publicly as that's
> (now I remember) a result of a dumb experiment.


-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter


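Both `--locate-external-key` and the longer `--auto-key-locate clear,nodefault,wkd` form end in dirmngr's Web Key Directory lookup. The code below is an added example, not code from the thread or from GnuPG, and shows what that lookup computes: it derives the advanced and direct WKD URLs for an address as draft-koch-openpgp-webkey-service describes (lowercased local part, SHA-1, z-base-32, `openpgpkey.` subdomain tried first) and can fetch the binary key from them. `Joe.Doe@Example.ORG` is the draft's own example address; `fetch_key` is a plain HTTPS GET and is only called from the command line.

```python
"""Compute the Web Key Directory (WKD) URLs gpg derives from a mail address.

Follows draft-koch-openpgp-webkey-service: lowercase the local part, SHA-1 it,
z-base-32 encode the digest, and look under .well-known/openpgpkey.
"""
import hashlib
import urllib.request
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data):
    """z-base-32 encode `data`, most significant bit first, no padding."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZBASE32[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def wkd_hash(local_part):
    """The 'hu' path component: z-base-32(SHA-1(lowercased local part))."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address):
    """Return (advanced_url, direct_url) for `address`.

    dirmngr tries the advanced method (openpgpkey.<domain> subdomain) first
    and falls back to the direct method on the domain itself.  The ?l= query
    carries the local part as written so a server can match mixed-case
    mailboxes.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mail address: %r" % address)
    domain, hu, l = domain.lower(), wkd_hash(local), quote(local, safe="")
    advanced = "https://openpgpkey.%s/.well-known/openpgpkey/%s/hu/%s?l=%s" % (
        domain, domain, hu, l)
    direct = "https://%s/.well-known/openpgpkey/hu/%s?l=%s" % (domain, hu, l)
    return advanced, direct


def fetch_key(address, timeout=10):
    """Download the binary (unarmored) key, trying advanced then direct."""
    for url in wkd_urls(address):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return url, resp.read()
        except OSError:          # URLError is an OSError; try the next method
            continue
    return None, None


if __name__ == "__main__":
    import sys
    # Default is the example address from the draft, so no network is needed.
    addr = sys.argv[1] if len(sys.argv) > 1 else "Joe.Doe@Example.ORG"
    for url in wkd_urls(addr):
        print(url)
    if len(sys.argv) > 1:
        url, key = fetch_key(addr)
        print("fetched %d bytes from %s" % (len(key), url) if key else "no key via WKD")
```

What gpg does after the fetch matters as much as the URL: it keeps only the user IDs of the returned key that match the requested address, so a WKD server cannot slip in an unrelated identity, and a home-grown fetcher should filter the same way before importing what it downloaded.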


Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-13 Thread mlist_e9e869bc--- via Gnupg-users
On 13/02/2024 09:57, Werner Koch 'wk at gnupg.org' wrote:
> Can you please try to import that key (with the v5 key signature) using
> a current 2.2. version (2.2.42)?  Or you can send me the public key by
> private mail so that I can check what's going on.
>
>
> Salam-Shalom,
>
> Werner
>
I couldn't find a distro with 2.2.42 so I have to compile it myself. I'm 
using Docker with ubuntu:latest.

In conclusion, the import failed.

```
$ gpg --version
gpg (GnuPG) 2.2.42
libgcrypt 1.9.4
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
     CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed

$ gpg --import PUBLIC_v5_certify.asc
gpg: packet(2) with unknown version 5
gpg: read_block: read error: Invalid packet
gpg: import from 'PUBLIC_v5_certify.asc' failed: Invalid keyring
gpg: Total number processed: 0
```

Is wk at gnupg.org the private email I can send the public key to you? 
I'm willing to send you a copy to examine but not publicly as that's 
(now I remember) a result of a dumb experiment.

Regards,
Hartman



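The `packet(2) with unknown version 5` line from 2.2.42 names the exact packet that trips the older branch: tag 2 is a signature packet, and its first body octet, the version, is 5. The walker below is an added example, not code from the thread or from GnuPG. It dearmors a key block (checking the CRC-24 trailer), parses the old- and new-format packet headers of RFC 4880 section 4.2, and lists every key or signature packet whose version octet is above 4, so a key can be checked before it is pushed to a 2.2 installation such as the Android one mentioned earlier. The key in it is a constructed stand-in whose packet bodies are filler, with a v5 certification signature placed where Hartman found his; partial body lengths are rejected rather than handled, since exported keys do not normally use them.

```python
"""Walk the packets of an OpenPGP key and flag packet versions GnuPG 2.2 rejects.

Packet framing follows RFC 4880 section 4.2 (old- and new-format headers).
"""
import base64

# Packets whose body starts with a version octet (RFC 4880 5.2.x and 5.5.1).
VERSIONED = {2: "signature", 5: "secret-key", 6: "public-key",
             7: "secret-subkey", 14: "public-subkey"}
OTHER = {13: "user-id", 17: "user-attribute"}


def crc24(data):
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' armor trailer)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data, kind="PUBLIC KEY BLOCK"):
    """ASCII-armor `data`, including the CRC-24 trailer line."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "-----BEGIN PGP %s-----\n\n%s\n=%s\n-----END PGP %s-----\n" % (
        kind, "\n".join(lines), crc, kind)


def dearmor(text):
    """Return the binary packet stream inside an armored block, checking the CRC."""
    lines = iter(text.splitlines())
    if not any(l.startswith("-----BEGIN PGP") for l in lines):
        raise ValueError("no armor header")
    for line in lines:                 # armor headers end at the first blank line
        if not line.strip():
            break
    body, crc_line = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if line.startswith("="):
            crc_line = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is not None and base64.b64decode(crc_line) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC mismatch")
    return data


def packets(data):
    """Yield (tag, version, body) per packet; version is None for unversioned tags."""
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % (pos - 1))
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body length at offset %d not handled" % pos)
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate: to end of input
                length = end - pos
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("packet tag %d truncated at offset %d" % (tag, pos))
        pos += length
        version = body[0] if tag in VERSIONED and body else None
        yield tag, version, body


def newer_than_v4(data):
    """(tag, version) of every key or signature packet with version > 4."""
    return [(tag, ver) for tag, ver, _ in packets(data)
            if ver is not None and ver > 4]


def _packet(tag, body):
    """Build a new-format packet (bodies < 8384 octets, RFC 4880 4.2.2)."""
    if len(body) < 192:
        return bytes([0xC0 | tag, len(body)]) + body
    n = len(body) - 192
    return bytes([0xC0 | tag, 192 + (n >> 8), n & 0xFF]) + body


# Constructed stand-in for the key in the thread: v4 primary, user ID, a v5
# certification signature (0x13) and a v4 subkey.  Bodies are filler, not keys.
SAMPLE = b"".join([
    _packet(6, bytes([4]) + bytes(10)),
    _packet(13, b"Test User <test@example.invalid>"),
    _packet(2, bytes([5, 0x13]) + bytes(8)),
    _packet(14, bytes([4]) + bytes(10)),
])

if __name__ == "__main__":
    for tag, ver, body in packets(dearmor(armor(SAMPLE))):
        name = VERSIONED.get(tag) or OTHER.get(tag, "tag %d" % tag)
        print("packet(%d) %-14s version %-4s %d octets" % (tag, name, ver, len(body)))
    print("rejected by GnuPG 2.2:", newer_than_v4(SAMPLE))
```

Feed a real export to `dearmor` and `newer_than_v4` to see which packet an older gpg will choke on; the version octet is all this needs, so the script never has to understand the key material itself.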


Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-13 Thread Werner Koch via Gnupg-users
On Sun, 11 Feb 2024 20:28, mlist_e9e869bc--- said:

> signature is done in Version 5, instead of Version 4 like other parts of 
> the key. With that certify signature removed, I can import the secret 
> key to GPG 2.2.27 no problem.

Can you please try to import that key (with the v5 key signature) using
a current 2.2. version (2.2.42)?  Or you can send me the public key by
private mail so that I can check what's going on.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-11 Thread mlist_e9e869bc--- via Gnupg-users
On 11/02/2024 18:09, Ingo Klöcker 'kloecker at kde.org' wrote:
> Are you sure that the problem isn't the decryption? I checked the code and
> this error message is emitted by the armor/dearmor code. My guess is that the
> decryption fails and therefore outputs nothing and importing nothing results
> exactly in the above error message:
> ```
> $ echo "" | gpg --import -
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> ```
>
> Regards,
> Ingo

Hello Ingo,

Thanks for the reply. It seems like the update I sent yesterday didn't 
go out. Apologies for being a noob on mailing lists.

The problem is in the certify signature. For some reason a certify 
signature is done in Version 5, instead of Version 4 like other parts of 
the key. With that certify signature removed, I can import the secret 
key to GPG 2.2.27 no problem.

Now the unrelated decryption. It actually decrypts nicely to an armoured 
PGP private key block. However, it is just not importable even with GPG 
2.4.4. I guess the data within is corrupted, but there is no way to verify.

Regards,
Hartman


Re: Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-11 Thread Ingo Klöcker
On Sunday, 11 February 2024 02:05:52 CET mlist_e9e869bc--- via Gnupg-users 
wrote:
> I'm trying to import a key generated from GPG 2.4.4 to 2.2.27 but
> unsuccessful.
> 
> Upon importing, it returns `gpg: no valid OpenPGP data found.`
> 
> I tried with compliance options but it does nothing.
> 
> Command I used:
> 
> - export: `gpg -a --export-secret-subkey  | gpg -a -c
> --cipher-algo AES --force-mdc -o `
> - import: `gpg --decrypt -o - keys.sec.asc | gpg --import -`
> 
> What else can I do? I can't update the GPG version because one of my
> import devices is an Android phone which is stuck at 2.2.27 for quite a long
> time.

Are you sure that the problem isn't the decryption? I checked the code and 
this error message is emitted by the armor/dearmor code. My guess is that the 
decryption fails and therefore outputs nothing and importing nothing results 
exactly in the above error message:
```
$ echo "" | gpg --import -
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

Regards,
Ingo



Incompatible secret key format between 2.4.4 and 2.2.27?

2024-02-10 Thread mlist_e9e869bc--- via Gnupg-users
Hello all,

I'm trying to import a key generated from GPG 2.4.4 to 2.2.27 but 
unsuccessful.

Upon importing, it returns `gpg: no valid OpenPGP data found.`

I tried with compliance options but it does nothing.

Command I used:

- export: `gpg -a --export-secret-subkey  | gpg -a -c 
--cipher-algo AES --force-mdc -o `
- import: `gpg --decrypt -o - keys.sec.asc | gpg --import -`

What else can I do? I can't update the GPG version because one of my
import devices is an Android phone which is stuck at 2.2.27 for quite a long
time.

Regards,
Hartman


Re: gpg: signing failed: Bad secret key

2024-01-25 Thread Ingo Klöcker
On Wednesday, 24 January 2024 22:05:53 CET Leo Coogan via Gnupg-users wrote:
> It looks like there's only that non-functioning signing subkey. Huh. Do
> I need to create a new signing subkey?

Copy the content of ~/.gnupg/private-keys-v1.d from your fedora machine to 
your nixos machine (after making a backup) to restore the missing secret key.

Regards,
Ingo

> On 1/24/24 12:37, Werner Koch wrote:
> > On Tue, 23 Jan 2024 12:38, Leo Coogan said:
> >> sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
> >> 
> >>C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
> >>Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
> > 
> > You don't have a signing key.  The primary key has been taken offline
> > ('#') and can thus not be used for signing.
> > 
> >> ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
> >> 
> >>143454E3276F11C51D01B35363D14EA6FDB00D9F
> >>Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
> > 
> > The subkey is not capable of signing (by usage flags and algorithm).
> > 
> > Did you have another signing subkey and that one expired?
> > Add
> > 
> >--list-options show-unusable-subkeys
> > 
> > to the listing command to check.
> > 
> > 
> > Salam-Shalom,
> > 
> > Werner
> 





Re: gpg: signing failed: Bad secret key

2024-01-25 Thread Leo Coogan via Gnupg-users

Here's the command run on my fedora machine:

```

> gpg -K  --list-options show-unusable-subkeys
/home/lcoogan/.gnupg/pubring.kbx

sec   ed25519 2023-03-03 [SC] [expires: 2025-03-02]
  C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
uid   [ultimate] Leo Coogan (Personal) 

uid   [ultimate] Leo Coogan (Personal GPG key) 


ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]

```

and on my nixos machine:

```

> gpg -K  --list-options show-unusable-subkeys
gpg: enabled compatibility flags:
gpg: using pgp trust model
/home/lcoogan/.gnupg/pubring.kbx

sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
  C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
uid   [ultimate] Leo Coogan (Personal) 

uid   [ultimate] Leo Coogan (Personal GPG key) 


ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]

```

It looks like there's only that non-functioning signing subkey. Huh. Do 
I need to create a new signing subkey?


On 1/24/24 12:37, Werner Koch wrote:

> On Tue, 23 Jan 2024 12:38, Leo Coogan said:
>
> > sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
> >    C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
> >    Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
>
> You don't have a signing key.  The primary key has been taken offline
> ('#') and can thus not be used for signing.
>
> > ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
> >    143454E3276F11C51D01B35363D14EA6FDB00D9F
> >    Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21
>
> The subkey is not capable of signing (by usage flags and algorithm).
>
> Did you have another signing subkey and that one expired?
> Add
>
>    --list-options show-unusable-subkeys
>
> to the listing command to check.
>
>
> Salam-Shalom,
>
> Werner





Re: gpg: signing failed: Bad secret key

2024-01-24 Thread Werner Koch via Gnupg-users
On Tue, 23 Jan 2024 12:38, Leo Coogan said:

> sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
>   C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
>   Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB

You don't have a signing key.  The primary key has been taken offline
('#') and can thus not be used for signing.

> ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
>   143454E3276F11C51D01B35363D14EA6FDB00D9F
>   Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21

The subkey is not capable of signing (by usage flags and algorithm).

Did you have another signing subkey and that one expired?
Add

  --list-options show-unusable-subkeys

to the listing command to check.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


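Eva's reply at the top of the page (no default key, so gpg has nothing to sign with) and Werner's reading of the `sec#` listing here both come down to inspecting the secret-key listing. The script below is an added example, not code from any post or from GnuPG: it parses the machine-readable output of `gpg -K --with-colons --with-secret --list-options show-unusable-subkeys` (the list option makes expired subkeys visible, as Werner asks for) and says whether anything can sign. The two listings are constructed samples modelled on Leo's key, with the user ID's mail address and hash left out; field positions are those documented in GnuPG's doc/DETAILS. Run it as the user who will sign: a key generated under sudo lives in root's GNUPGHOME, so the ordinary user's listing is empty, which is the `No secret key` case of the first thread.

```python
"""Classify the secret keys in a GnuPG colon listing.

Run `gpg -K --with-colons --with-secret --list-options show-unusable-subkeys`
and feed the output to diagnose().  Field numbers are 1-based as in GnuPG's
doc/DETAILS: 1 record type, 5 key ID, 7 expiry (epoch seconds),
12 capabilities (lowercase = this key's own flags, 'D' = disabled),
15 token serial, '#' for an offline stub, '+' when the secret part is present.
"""
import subprocess
import time

# Constructed samples modelled on the listings in the thread above; the uid
# hash and mail address are left out on purpose.
OFFLINE_PRIMARY = """\
sec:u:255:22:3D7F617CDE5C9A9B:1677801600:1740873600::u:::scESC:::#::ed25519::
fpr:::::::::C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B:
grp:::::::::38953FFD2BD558606473A90A6EDD5B26F03FA3CB:
uid:u::::1677801600::::Leo Coogan (Personal)::::::::::0:
ssb:u:255:18:63D14EA6FDB00D9F:1677801600:1740873600:::::e:::+::cv25519::
fpr:::::::::143454E3276F11C51D01B35363D14EA6FDB00D9F:
grp:::::::::02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21:
"""
# Same key on the machine that still holds the primary's secret part.
ONLINE_PRIMARY = OFFLINE_PRIMARY.replace(":scESC:::#:", ":scESC:::+:")


def records(listing):
    """Split a --with-colons listing into lists of fields (index 0 = field 1)."""
    for line in listing.splitlines():
        if line.strip():
            yield line.split(":")


def diagnose(listing, now=None):
    """Return {"verdict", "usable", "notes"} for the sec/ssb records in `listing`.

    verdict: "no-secret-key"  no sec record at all ("No secret key");
             "no-signing-key" secret material exists but nothing can sign
                              now ("Bad secret key" with an offline primary);
             "ok"             at least one key can sign; its IDs are in usable.
    `now` is injectable so expiry checks are reproducible.
    """
    now = time.time() if now is None else now
    usable, notes, seen = [], [], False
    for rec in records(listing):
        if rec[0] not in ("sec", "ssb"):
            continue
        seen = True

        def field(n, rec=rec):                  # 1-based, tolerant of short records
            return rec[n - 1] if len(rec) >= n else ""

        keyid, expiry, caps, token = field(5), field(7), field(12), field(15)
        problems = []
        if "s" not in caps:                     # own capabilities are lowercase
            problems.append("usage flags '%s' do not allow signing" % caps)
        if token == "#":
            problems.append("secret part is an offline stub ('#')")
        if "D" in caps:
            problems.append("disabled")
        if expiry and int(expiry) < now:
            problems.append("expired")
        if problems:
            notes.append("%s %s: %s" % (rec[0], keyid, "; ".join(problems)))
        else:
            usable.append(keyid)
            notes.append("%s %s: usable for signing" % (rec[0], keyid))
    verdict = "no-secret-key" if not seen else ("ok" if usable else "no-signing-key")
    return {"verdict": verdict, "usable": usable, "notes": notes}


def live_listing():
    """Run gpg for the current user; None if gpg is not installed."""
    cmd = ["gpg", "--batch", "-K", "--with-colons", "--with-secret",
           "--list-options", "show-unusable-subkeys"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    listing = live_listing()
    if listing is None:
        print("gpg not found; using the constructed sample")
        listing = OFFLINE_PRIMARY
    result = diagnose(listing)
    print(result["verdict"])
    for note in result["notes"]:
        print("  " + note)
```

The `#` in field 15 is the same marker the human-readable listing shows as `sec#`; a card serial number there (shown as `ssb>`) means the secret part lives on a smartcard and is still usable while the card is present, which the script treats as usable.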


Re: gpg: signing failed: Bad secret key

2024-01-23 Thread Leo Coogan via Gnupg-users

This is Nixos.

I don't believe I have two binaries of gpg.

My Nixos config contains:

```nix

    programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
    };
```

and the package pinentry-gnome is installed.

I did `which` gpg and gpg2, and gpg2 was a symlink to gpg. So I don't 
believe I have another binary of gpg.



```

> gpg -K --with-subkey-fingerprint --with-keygrip  \
 --list-options show-pref-verbose  \
 C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2>&1| wl-copy

gpg: enabled compatibility flags:
gpg: using pgp trust model
sec#  ed25519 2023-03-03 [SC] [expires: 2025-03-02]
  C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
  Keygrip = 38953FFD2BD558606473A90A6EDD5B26F03FA3CB
uid   [ultimate] Leo Coogan (Personal) 


  Cipher: AES256, AES192, AES, 3DES
  AEAD: OCB
  Digest: SHA512, SHA384, SHA256, SHA224, SHA1
  Compression: ZLIB, BZIP2, ZIP, Uncompressed
  Features: MDC, AEAD, Keyserver no-modify
uid   [ultimate] Leo Coogan (Personal GPG key) 


  Cipher: AES256, AES192, AES, 3DES
  AEAD: OCB
  Digest: SHA512, SHA384, SHA256, SHA224, SHA1
  Compression: ZLIB, BZIP2, ZIP, Uncompressed
  Features: MDC, AEAD, Keyserver no-modify
ssb   cv25519 2023-03-03 [E] [expires: 2025-03-02]
  143454E3276F11C51D01B35363D14EA6FDB00D9F
  Keygrip = 02EE4AA6089E9DEF7792F548C01FFD8C05F1EC21

```

On 1/22/24 02:48, Werner Koch wrote:

> Hi!
>
> > [GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
> > gpg: writing to stdout
> > [GNUPG:] BEGIN_SIGNING H10
> > gpg: signing failed: Bad secret key
>
> Please run
>
>    gpg -K --with-subkey-fingerprint --with-keygrip  \
>   --list-options show-pref-verbose  \
>   C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
>
>
> Is there a second gpg binary on your system?
>
> Is that Debian?
>
>
> Salam-Shalom,
>
> Werner






Fwd: gpg: signing failed: Bad secret key

2024-01-21 Thread Leo Coogan via Gnupg-users

Oops, I meant to 'reply-all'.



 Forwarded Message 
Subject:Re: gpg: signing failed: Bad secret key
Date:   Sun, 21 Jan 2024 13:02:40 -0500
From:   Leo Coogan 
To: Werner Koch 



with `verbose` added to ~/.gnupg/gpg.conf:

```


git commit -m test

error: gpg failed to sign the data:
gpg: enabled compatibility flags:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
gpg: writing to stdout
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key

fatal: failed to write commit object
```

```


pass insert test

An entry already exists for test. Overwrite it? [y/N] y
Enter password for test:
Retype password for test:
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: automatically retrieved 'leocoogan@existential.beauty' via Local
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: This key belongs to us
gpg: reading from '[stdin]'
gpg: writing to '/home/lcoogan/.password-store/test.gpg'
gpg: ECDH/AES256.OCB encrypted for: "63D14EA6FDB00D9F Leo Coogan 
(Personal) "

error: gpg failed to sign the data:
gpg: enabled compatibility flags:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
gpg: writing to stdout
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key

fatal: failed to write commit object

```

And on my Fedora machine where the command runs successfully:

```


pass insert test

An entry already exists for test. Overwrite it? [y/N] y
Enter password for test:
Retype password for test:
gpg: enabled compatibility flags:
gpg: using pgp trust model
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: automatically retrieved 'leocoogan@existential.beauty' via Local
gpg: using subkey 63D14EA6FDB00D9F instead of primary key 3D7F617CDE5C9A9B
gpg: This key belongs to us
gpg: reading from '[stdin]'
gpg: writing to '/home/lcoogan/.password-store/test.gpg'
gpg: ECDH/AES256.OCB encrypted for: "63D14EA6FDB00D9F Leo Coogan 
(Personal) "

[master 6800a72] Add given password for test to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
```

Not sure if that helps much.

On 1/20/24 15:26, Werner Koch wrote:

> On Fri, 19 Jan 2024 14:19, Leo Coogan said:
>
> > When I run `git commit -m` on nixos, I receive this error:
>
> For debugging add "verbose" to ~/.gnupg/gpg.conf . This should give you
> more information what's up.
>
>
> Shalom-Salam,
>
> Werner


Re: gpg: signing failed: Bad secret key

2024-01-20 Thread Werner Koch via Gnupg-users
On Fri, 19 Jan 2024 14:19, Leo Coogan said:
> When I run `git commit -m` on nixos, I receive this error:

For debugging add "verbose" to ~/.gnupg/gpg.conf .  This should give you
more information what's up.


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




gpg: signing failed: Bad secret key

2024-01-19 Thread Leo Coogan via Gnupg-users

When I run `git commit -m` on nixos, I receive this error:

```

error: gpg failed to sign the data:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key

fatal: failed to write commit object

```

Here's my git config:

```
[user]
email =leocoogan@existential.beauty
name = Leo Coogan
signingkey = C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
#signingkey = 3D7F617CDE5C9A9B

[commit]
gpgsign = true

```

And here's `gpg -k`:
```
/home/lcoogan/.gnupg/pubring.kbx

pub   ed25519 2023-03-03 [SC] [expires: 2025-03-02]
  C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B
uid   [ultimate] Leo Coogan (Personal)
uid   [ultimate] Leo Coogan (Personal GPG key)
sub   cv25519 2023-03-03 [E] [expires: 2025-03-02]

```

The same error happens when I write to a file with `pass`:
```

pass insert test

An entry already exists for test. Overwrite it? [y/N] y
Enter password for test:
Retype password for test:
error: gpg failed to sign the data:
[GNUPG:] KEY_CONSIDERED C0156FFBE02B4E03F7792EB53D7F617CDE5C9A9B 2
[GNUPG:] BEGIN_SIGNING H10
gpg: signing failed: Bad secret key
[GNUPG:] FAILURE sign 67108871
gpg: signing failed: Bad secret key

fatal: failed to write commit object
```

Really not sure what I'm supposed to do. I looked up the error, but I didn't 
find any sources that had this exact error, 'bad secret key'.

This only happens on my nixos machine. My other machine I run fedora on has 
never had signing errors.

Any help, advice, or suggestions would be greatly appreciated. I've had this 
issue for several months, but I've put it off.


Re: Failed to export secret key

2023-09-22 Thread Alexander Leidinger via Gnupg-users

On 2023-09-13 12:34, Werner Koch wrote:

> Hi,
>
> so everything looks okay.  What I would now do is to strace pinentry;
> Here is a pinentry wrapper I have used in the past.
>
> --8<---cut here---start->8---
> #!/bin/sh
>
> MYPINENTRY="/usr/local/bin/pinentry-qt"
>
> locale >/tmp/pinentry.err
> set >>/tmp/pinentry.err
> exec strace -o /tmp/pinentry.trc -e read=0 $MYPINENTRY -v -d "$@" 2>>/tmp/pinentry.err
>
> #exec valgrind  $MYPINENTRY  -d "$@" 2>>/tmp/pinentry.err
> --8<---cut here---end--->8---
>
> Adjust to your needs and put

pinentry-tty doesn't support "-v" (removed), and I used the FreeBSD 
ktrace...

> pinentry-program /home/foo/bin/pinentry-wrapper
>
> into gpg-agent.conf.  gpgconf --kill gpg-agent and try again.


The issue is that pinentry-tty can't open the tty. The errno is no such 
file or directory, but it is visible with ls. The reason why this 
happens is that I ssh to the FreeBSD host, and from there login into a 
jail. The jail imposes some access restrictions on processes within the 
jail.


If I ssh into this account, a new tty is opened and the export works as 
it should.


As such I opened a discussion on the FreeBSD side about this behavior. 
There is at least a mismatch of what you see (the pts) and what you can do 
(normally if you see a pts, you can access it), so to me either it 
should allow the access, or not show the pts in ls...


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org   netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




Re: Failed to export secret key

2023-09-13 Thread Werner Koch via Gnupg-users
Hi,

so everything looks okay.  What I would now do is to strace pinentry;
Here is a pinentry wrapper I have used in the past.

--8<---cut here---start->8---
#!/bin/sh

MYPINENTRY="/usr/local/bin/pinentry-qt"

locale >/tmp/pinentry.err
set >>/tmp/pinentry.err
exec strace -o /tmp/pinentry.trc -e read=0 $MYPINENTRY -v -d "$@" 2>>/tmp/pinentry.err
#exec valgrind  $MYPINENTRY  -d "$@" 2>>/tmp/pinentry.err
--8<---cut here---end--->8---

Adjust to your needs and put

pinentry-program /home/foo/bin/pinentry-wrapper

into gpg-agent.conf.  gpgconf --kill gpg-agent and try again.


Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: Failed to export secret key

2023-09-13 Thread Bernhard Reiter
On Friday 08 September 2023 15:40:43, Alexander Leidinger via Gnupg-users wrote:
> > You clicked on CANCEL or closed the window.
>
> No prompt at all in the console / ssh connection (and no graphics, so
> nothing to click on). So no manual cancelling from me.

There used to be pinentries issues with terminal size in the past
https://dev.gnupg.org/T5322
https://dev.gnupg.org/T4924

Maybe that helps with debugging. You could try a large terminal window.

Bernhard
-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter




Re: Failed to export secret key

2023-09-08 Thread Alexander Leidinger via Gnupg-users

On 2023-09-08 15:26, Werner Koch wrote:

> On Fri,  8 Sep 2023 13:49, Alexander Leidinger said:
>
> > 2023-09-08 13:37:54 gpg-agent[94491] DBG: error calling pinentry:
> > Operation cancelled 
>
> You clicked on CANCEL or closed the window.

No prompt at all in the console / ssh connection (and no graphics, so 
nothing to click on). So no manual cancelling from me.

> > gpg: key 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C: asking agent for
> > the secret parts
> [...]
> > gpg: key 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C: error receiving key
> > from agent: Operation cancelled - skipped
>
> You canceled, gpg-agent could not unprotect the key and thus you get
> the error code.
>
> Given that you said it worked in loopback mode - I assume the pinentry
> is broken and returns Cancel due to other reasons.  Did you
>
> GPG_TTY=$(tty)
> export GPG_TTY

% echo $GPG_TTY
/dev/pts/5

> in your target's bashrc etc?  The simple tty pinentry is used and it
> needs to know its tty - is /dev/pts/5 the correct one?  Try running

Yes it is:
% tty
/dev/pts/5

And there is no other one (this is a FreeBSD jail):
% ll /dev/pts
total 0
crw--w  1 netchild tty 0x190  8 Sep. 15:36 5

> pinentry on the target directly:
>
> $ pinentry
> getpin
>
> should show the prompt.  Does it - if not, strace the process etc.


I only have two pinentry binaries installed, both are not for a 
graphical environment:


% ll /usr/local/bin/pinentry*
lrwxr-xr-x  1 root wheel   12B 31 Aug. 08:20 /usr/local/bin/pinentry@ -> pinentry-tty
-r-xr-xr-x  1 root wheel   71K  1 Sep. 00:13 /usr/local/bin/pinentry-curses*
-r-xr-xr-x  1 root wheel   61K 31 Aug. 03:00 /usr/local/bin/pinentry-tty*


% pinentry
Warning: using insecure memory!
OK Pleased to meet you
getpin
pinentry-tty
PIN:
D asdf
OK
bye
OK closing connection

% pinentry-curses
Warning: using insecure memory!
OK Pleased to meet you
getpin

D asdf
OK
bye
OK closing connection

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org   netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




Re: Failed to export secret key

2023-09-08 Thread Werner Koch via Gnupg-users
On Fri,  8 Sep 2023 13:49, Alexander Leidinger said:

> default-yes=_Yes
> 2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- ERR 83886254
> Unknown option 

Don't care about this error.  It is shown but ignored.  Future
Pinentries might want to implement a yes button and gpg provides the
translation here.


> 2023-09-08 13:37:54 gpg-agent[94491] DBG: error calling pinentry:
> Operation cancelled 

You clicked on CANCEL or closed the window.

> gpg: key 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C: asking agent for
> the secret parts
[...]
> gpg: key 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C: error receiving key
> from agent: Operation cancelled - skipped

You canceled, gpg-agent could not unprotect the key and thus you get
the error code.

Given that you said it worked in loopback mode - I assume the pinentry
is broken and returns Cancel due to other reasons.  Did you

GPG_TTY=$(tty)
export GPG_TTY

in your target's bashrc etc?  The simple tty pinentry is used and it
needs to know its tty - is /dev/pts/5 the correct one?  Try running
pinentry on the target directly:

$ pinentry
getpin

should show the prompt.  Does it - if not, strace the process etc.



Salam-Shalom,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein


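The two numbers on this page that look opaque, `[GNUPG:] FAILURE sign 67108871` in Leo's thread above and gpg-agent's `ERR 83886254 Unknown option` here, are libgpg-error values: a 16-bit error code with the originating component packed into bits 24 to 30. The decoder below is an added example, not code from any post or from libgpg-error. It splits such values and names them from a small table limited to the components and codes that occur on this page (the `gpg-error` command-line tool shipped with libgpg-error decodes any number); the sample lines are copied from the posts.

```python
"""Decode libgpg-error numbers found in gpg status lines and Assuan ERR replies.

Layout (gpg-error.h): bits 0-15 error code, bit 15 flags an errno mapping,
bits 24-30 the component that raised it.  The tables hold only the components
and codes that appear in the threads on this page.
"""
import re

CODE_MASK = 0xFFFF            # GPG_ERR_CODE_MASK
SYSTEM_ERROR = 1 << 15        # GPG_ERR_SYSTEM_ERROR
SOURCE_SHIFT, SOURCE_MASK = 24, 0x7F

SOURCES = {0: "unknown", 1: "gcrypt", 2: "gpg", 3: "gpgsm", 4: "gpg-agent",
           5: "pinentry", 6: "scdaemon", 7: "gpgme", 8: "keybox", 9: "ksba",
           10: "dirmngr", 15: "assuan"}
CODES = {0: "Success", 3: "Unknown version in packet", 7: "Bad secret key",
         11: "Bad passphrase", 14: "Invalid packet", 17: "No secret key",
         34: "Invalid keyring", 54: "Unusable secret key", 58: "No data",
         99: "Operation cancelled", 174: "Unknown option"}

STATUS_LINE = re.compile(r"^\[GNUPG:\] (FAILURE|ERROR) (\S+) (\d+)")
ASSUAN_ERR = re.compile(r"(?:^|<- )ERR (\d+)(?: (.*))?$")


def decode(err):
    """Split a gpg-error value into its component and code."""
    code = err & CODE_MASK
    source = (err >> SOURCE_SHIFT) & SOURCE_MASK
    if code & SYSTEM_ERROR:
        text = "system error, mapped errno %d" % (code & ~SYSTEM_ERROR & CODE_MASK)
    else:
        text = CODES.get(code, "code %d (not in this table)" % code)
    return {"value": err, "source": SOURCES.get(source, "source %d" % source),
            "code": code, "text": text}


def decode_line(line):
    """Decode one status-fd or gpg-agent log line; None if it carries no number."""
    m = STATUS_LINE.match(line)
    if m:
        info = decode(int(m.group(3)))
        info.update(kind=m.group(1), where=m.group(2))   # e.g. FAILURE / sign
        return info
    m = ASSUAN_ERR.search(line)
    if m:
        info = decode(int(m.group(1)))
        info.update(kind="ERR", where=(m.group(2) or "").strip())
        return info
    return None


# Lines copied from the posts above, plus one that carries no error number.
SAMPLE_LINES = [
    "[GNUPG:] FAILURE sign 67108871",
    "2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- ERR 83886254 Unknown option",
    "gpg: signing failed: Bad secret key",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = decode_line(line)
        if info:
            print("%-7s %-14s -> %s: %s (code %d)" % (
                info["kind"], info["where"], info["source"], info["text"], info["code"]))
        else:
            print("(no error number) " + line)
```

The component is the useful part: 67108871 comes from gpg-agent, so that signing failure is in the agent's private key store (`private-keys-v1.d`, addressed by keygrip) rather than in the public keyring, which is where Ingo's suggestion to copy that directory points; 83886254 comes from pinentry, matching Werner's note that the agent shows the message and ignores it.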


Re: Failed to export secret key

2023-09-08 Thread Alexander Leidinger via Gnupg-users

On 2023-09-05 16:50, Werner Koch wrote:

> On Mon,  4 Sep 2023 19:45, Alexander Leidinger said:
>
> > If I specify --pinentry-mode loopback it works. Shouldn't this also
> > work without this option? If yes, what's wrong or how to debug this
>
> Sure, this shall work.  You may want to add
>
> --8<---cut here---start->8---
> debug ipc
> debug-pinentry
> log-file /some/file
> --8<---cut here---end--->8---
>
> to gpg-agent.conf, restart  the agent and check the log file.


The debug log:
---snip---
2023-09-08 13:37:48 gpg-agent[94276] listening on socket '/home/netchild/.gnupg/S.gpg-agent'
2023-09-08 13:37:48 gpg-agent[94276] listening on socket '/home/netchild/.gnupg/S.gpg-agent.extra'
2023-09-08 13:37:48 gpg-agent[94276] listening on socket '/home/netchild/.gnupg/S.gpg-agent.browser'
2023-09-08 13:37:48 gpg-agent[94276] listening on socket '/home/netchild/.gnupg/S.gpg-agent.ssh'
2023-09-08 13:37:48 gpg-agent[94491] gpg-agent (GnuPG) 2.4.3 started
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK Pleased to meet you
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- RESET
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- OPTION ttyname=/dev/pts/5
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- OPTION ttytype=tmux-256color
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- OPTION lc-ctype=C
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- OPTION lc-messages=C
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- GETINFO version
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> D 2.4.3
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- OPTION allow-pinentry-notify
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- OPTION agent-awareness=2.1.0
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- KEYWRAP_KEY --export
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> [[Confidential data not shown]]
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- HAVEKEY --list=1000
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> [ 44 20 2a 2b f8 18 37 63 7b b2 14 a3 34 4a 2a 5f ...(66 byte(s) skipped) ]
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- KEYINFO 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> S KEYINFO 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C D - - - P - - -
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- SETKEYDESC Please+enter+the+passphrase+to+export+the+OpenPGP+secret+key:%0A%22Alexander+Leidinger+%22%0A4096-bit+RSA+key,+ID+8F31830F9F2772BF,%0Acreated+2016-08-16.%0A
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 -> OK
2023-09-08 13:37:48 gpg-agent[94491] DBG: chan_8 <- EXPORT_KEY --openpgp 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C
2023-09-08 13:37:48 gpg-agent[94491] starting a new PIN Entry
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK Pleased to meet you, process 94491
2023-09-08 13:37:53 gpg-agent[94491] DBG: connection to PIN entry established
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION no-grab
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION ttyname=/dev/pts/5
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION ttytype=tmux-256color
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION lc-ctype=C
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION lc-messages=C
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION allow-external-password-cache
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION default-ok=_OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION default-cancel=_Cancel
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- OK
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 -> OPTION default-yes=_Yes
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan_9 <- ERR 83886254 Unknown option
2023-09-08 13:37:53 gpg-agent[94491] DBG: chan

Re: gpg: signing failed: No secret key

2023-09-07 Thread Robert J. Hansen via Gnupg-users

Please don't send HTML to this list.


> gpg: key "6O0PDA84A36B6C98B261AC2020546703CDADFA53" not found


That's not a valid key ID.  Key IDs are strings of hexadecimal digits. 
Your second 'digit' there is the letter O, which is not a valid hexit.



> gpg --delete-secret-keys CDSXFA53


That's not a valid key ID.  Neither S nor X are valid hexits.




gpg: signing failed: No secret key

2023-09-07 Thread isp_stream via Gnupg-users
I get these endearing messages.

I cannot sign my message with the key.


I cannot delete the secret key.

I can decrypt with the secret key





gpg: signing failed: No secret key
gpg: message: clear-sign failed: No secret key

gpg: key "6O0PDA84A36B6C98B261AC2020546703CDADFA53" not found
gpg: 6O0PDA84A36B6C98B261AC2020546703CDADFA53: delete key failed: Not found

sec# nistp521 2023-08-11 [SC]

6O0PDA84A36B6C98B261AC2020546703CDADFA53
uid [ unknown] Richardh Bostrom 
ssb nistp521 2023-08-11 [E]

gpg --delete-secret-keys CDSXFA53
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


gpg: key "CDSXFA53" not found
gpg: CDSXFA53: delete key failed: Not found




Thank you.


Re: Failed to export secret key

2023-09-05 Thread Werner Koch via Gnupg-users
On Mon,  4 Sep 2023 19:45, Alexander Leidinger said:

> If I specify --pinentry-mode loopback it works. Shouldn't this also
> work without this option? If yes, what's wrong or how to debug this

Sure, this shall work.  You may want to add

--8<---cut here---start->8---
debug ipc
debug-pinentry
log-file /some/file
--8<---cut here---end--->8---

to gpg-agent.conf, restart  the agent and check the log file.

Reminder: In case of any problems, please try invoking gpg with
--verbose (or -v).  You will see more diagnostics.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Failed to export secret key

2023-09-04 Thread Alexander Leidinger via Gnupg-users

Hi,

gpg 2.4.3 complains about not being able to export my key. The issue is 
it can not query the secring password from my ssh session. How to debug 
this further?


This is what I have:
---snip---
% LANG=C gpg --export-secret-key -a -o netchild_sec.pgp 8F31830F9F2772BF
gpg: Warning: using insecure memory!
gpg: key 89DE8BFC8A2A81F8C9BD2F7940C7373A4DE34E7C: error receiving key from agent: Operation cancelled - skipped

gpg: WARNING: nothing exported


% LANG=C gpg --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/netchild/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

 % LANG=C gpg --list-secret-key 8F31830F9F2772BF
gpg: Warning: using insecure memory!
sec   rsa4096 2016-08-16 [SC] [expires: 2024-02-08]
  034055A31F550AD032E2F6D78F31830F9F2772BF
uid   [ultimate] Alexander Leidinger 
uid   [ultimate] Alexander Leidinger 
uid   [ultimate] [jpeg image of size 9696]
ssb   rsa4096 2018-10-07 [E] [expires: 2024-02-08]
ssb   rsa4096 2018-10-07 [S] [expires: 2024-02-08]
ssb   rsa4096 2018-10-07 [S] [expires: 2024-02-08]

% cat .gnupg/gpg-agent.conf
#pinentry-program /usr/local/bin/pinentry-tty
log-file /tmp/gpgagent.log
disable-scdaemon

% cat .gnupg/options | grep -v "^#"

no-greeting

default-key 0x8F31830F9F2772BF

escape-from-lines

charset utf-8

lock-once

keyserver hkp://keys.openpgp.org

ask-cert-level
default-cert-level 2
import-options import-clean-sigs import-clean-uids
export-options export-clean-sigs export-clean-uids
keyserver-options no-include-revoked import-clean-sigs import-clean-uids export-clean-sigs export-clean-uids


fixed-list-mode
keyid-format 0xlong
with-fingerprint
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

verify-options show-uid-validity
list-options show-uid-validity
sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g
cert-digest-algo SHA512

% cat /tmp/gpgagent.log
2023-09-04 19:23:46 gpg-agent[88711] gpg-agent (GnuPG) 2.4.3 started
2023-09-04 19:24:14 gpg-agent[88711] failed to unprotect the secret key: Operation cancelled
2023-09-04 19:24:14 gpg-agent[88711] command 'EXPORT_KEY' failed: Operation cancelled
2023-09-04 19:24:43 gpg-agent[88711] failed to unprotect the secret key: Operation cancelled
2023-09-04 19:24:43 gpg-agent[88711] command 'EXPORT_KEY' failed: Operation cancelled


% ll /usr/local/bin/pinentry*
lrwxr-xr-x  1 root wheel   12B 31 Aug. 08:20 /usr/local/bin/pinentry@ -> pinentry-tty
-r-xr-xr-x  1 root wheel   71K  1 Sep. 00:13 /usr/local/bin/pinentry-curses*
-r-xr-xr-x  1 root wheel   61K 31 Aug. 03:00 /usr/local/bin/pinentry-tty*


% tty
/dev/pts/2

 % echo $GPG_TTY
/dev/pts/2
---snip---

If I specify --pinentry-mode loopback it works. Shouldn't this also work 
without this option? If yes, what's wrong or how to debug this further?


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org   netch...@freebsd.org  : PGP 0x8F31830F9F2772BF




Error importing secret key

2022-07-09 Thread wkuz--- via Gnupg-users
Hello!
Some time ago I have made a backup of my secret key and all the
subkeys, and then deleted by-hand the master secret key by

rm ~/.gnupg/private-keys-v1.d/[keygrip].key

The subkeys were moved to a yubikey. Everything was great. Now I wanted
to import my master key for a moment... and here we have a problem.
Right now what happens, after running

gpg --import secret_key.asc

is:

1) gpg complains:

gpg: key D444252908A80B6D: "sxrmn" not changed
gpg: key D444252908A80B6D/D444252908A80B6D: error sending to agent: Invalid argument
gpg: key D444252908A80B6D: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

2) gpg -K is aware of the master secret key, though it says
it's not there:

sec#  ed25519 2022-07-06 [SC]
      902404424B39514B6126A2F2D444252908A80B6D
uid   [ultimate] sxrmn
ssb>  cv25519 2022-07-06 [E]
ssb>  ed25519 2022-07-06 [S]

3) secret subkeys get imported (now they are back on yubikey,
but they got imported OK)

So... any ideas why this happens and what can I do about it?

-- 
xWK



Re: gpg: Note: secret key [...] expired...

2021-11-10 Thread Keine Eile

Thanks for pointing that out.

> As far as I could see in the source code, this is always printed when you
> decrypt something that was encrypted for this key.[...]

Sometimes it is so simple, just own stupidity.



Re: gpg: Note: secret key [...] expired...

2021-11-09 Thread Werner Koch via Gnupg-users
On Tue,  9 Nov 2021 15:28, Keine Eile said:

> I have a revoked private key in my key ring, which I replaced with new
> one. I really do not want to discard this old key, for what I think
> good reasons. Is there a way to let gpg ignore this key or suppress
> this¹ notification?

You can delete your old key from the keyring.  However, you would also
lose the ability to decrypt old messages.  Thus in general not a good
idea.

>> gpg: Note: secret key [KeyID] expired at [Some day in September]
>> gpg: Note: key has been revoked

We can't suppress the latter diagnostic because that is an important
information.  The former diagnostic is also of some interest.


Salam-Shalom,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.




Re: gpg: Note: secret key [...] expired...

2021-11-09 Thread Ingo Klöcker
On Tuesday, 9 November 2021 15:28:27 CET Keine Eile wrote:
> I have a revoked private key in my key ring, which I replaced with new one.
> I really do not want to discard this old key, for what I think good
> reasons. Is there a way to let gpg ignore this key or suppress this¹
> notification?
> 
> > gpg: Note: secret key [KeyID] expired at [Some day in September]
> > gpg: Note: key has been revoked

As far as I could see in the source code, this is always printed when you 
decrypt something that was encrypted for this key. There is no option to 
suppress this except maybe by suppressing all informational messages. --quiet 
may help.

Regards,
Ingo




gpg: Note: secret key [...] expired...

2021-11-09 Thread Keine Eile

Hi list members,

I have a revoked private key in my key ring, which I replaced with a new one. I 
really do not want to discard this old key, for what I think good reasons. Is 
there a way to let gpg ignore this key or suppress this¹ notification?

1)

gpg: Note: secret key [KeyID] expired at [Some day in September]
gpg: Note: key has been revoked




Re: GPG : "No secret key found" error

2021-06-10 Thread Abhisht Sharma via Gnupg-users
Hi Robert,

I am trying to write in plain text mode so hopefully you won't be
seeing it in HTML.
I really appreciate the help you have provided me so far.

I am really not into networking and encryption stuff, so please expect
few dumb questions from me.

Can you please suggest to me the steps that I should follow to
redesign my solution, considering the password security?
I have the private keys and passphrase of the PGP encrypted files.

Now, my basic question is where/how should I store the decryption
password and what would be my "gpg" command.

Appreciate your help.

-regards,
Abhisht Sharma


On Thu, 10 Jun 2021 at 10:46, Robert J. Hansen  wrote:
>
> > But, this command had a risk of exposing *$PASSPHRASE* to the UNIX
> > console if any user executes *ps -ef* command while the code is running.
> > This was a huge security breach so I chose the *--passphrase-file*
> > option to read the decryption password from a file.
> >
> > Now, all I need is to place the file, which stores the decryption
> > password, with strict user permissions.
>
> And this is probably a bad idea.
>
> Clearly, you have a place where you feel it's safe to store a file
> containing the passphrase for your certificate.  So remove the
> passphrase from your certificate and store it there, in that safe place
> on your filesystem.
>
> > Having said that, just to add a little bit of more security...
>
> This is a really bad habit: thinking that "I'll just add one more step
> to add a little bit more security."  It's endemic to the community --
> you are far from the only person to have it.  But it's a bad habit, and
> here's why: security decisions always need to be connected to your
> threat model.
>
> Is there something in your threat model you can point to and say,
> "because of this particular threat we're concerned about, this step I
> want to take is warranted"?  If so, go for it.  If not, don't.



--
With Regards,
Abhisht Sharma
+353 899875624



Re: GPG : "No secret key found" error

2021-06-10 Thread Robert J. Hansen via Gnupg-users

> I am trying to write in plain text mode so hopefully you won't be
> seeing it in HTML.

Success!  Thank you.

> Can you please suggest to me the steps that I should follow to
> redesign my solution, considering the password security?


I already have, twice.

For the third time: remove the passphrase from your private key, and 
make sure the location where you're storing your private key is safe.




Re: GPG : "No secret key found" error

2021-06-10 Thread Abhisht Sharma via Gnupg-users
I am writing this email to you in plain text... I am surprised how is it
coming to as HTML.

Any idea?

Any special things I need to check before sending the email?

-Regards
Abhisht Sharma
+61 420410228

On Thu, 10 Jun 2021, 02:58 Robert J. Hansen,  wrote:

> I'm not going to respond to this until you re-send it as plain text
> without HTML.  The very first thing I wrote in my last email was that
> this mailing list strongly prefers plain text without HTML.
>
> We're willing to help you, but you need to follow the rules.
>

Re: GPG : "No secret key found" error

2021-06-10 Thread Abhisht Sharma via Gnupg-users
Please note that the resolution of this problem is really critical so any
quick help will be highly appreciated!

-Regards
Abhisht Sharma
+61 420410228

On Thu, 10 Jun 2021, 09:18 Abhisht Sharma,  wrote:

> I am writing this email to you in plain text... I am surprised how is it
> coming to as HTML.
>
> Any idea?
>
> Any special things I need to check before sending the email?
>
> -Regards
> Abhisht Sharma
> +61 420410228
>
> On Thu, 10 Jun 2021, 02:58 Robert J. Hansen,  wrote:
>
>> I'm not going to respond to this until you re-send it as plain text
>> without HTML.  The very first thing I wrote in my last email was that
>> this mailing list strongly prefers plain text without HTML.
>>
>> We're willing to help you, but you need to follow the rules.
>>
>

Re: GPG : "No secret key found" error

2021-06-09 Thread Robert J. Hansen via Gnupg-users
> I am writing this email to you in plain text... I am surprised how is it 
> coming to as HTML.


As I don't use GMail, I can't help you.  You'll need to ask Google. 
Your message comes through as having both plaintext and HTML parts. 
This, for instance, is part of the source of your email:


Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: quoted-printable



I am writing this email to you in plain text... I am surp=

rised how is it coming to as HTML.Any idea?Any speci=

al things I need to check before sending the email?-RegardsAbhisht Sharma+61 4204=

10228On Thu, 10 Jun 2021, 02:58 Robert J. Hansen, mailto:r...@sixdemonbag.org;>r...@sixdemonbag.org wrote:>.8ex;border-left:1=


px #ccc solid;padding-left:1ex">Im not going to respond to this until =

you re-send it as plain text 

without HTML.=C2=A0 The very first thing I wrote in my last email was that =



this mailing list strongly prefers plain text without HTML.



Were willing to help you, but you need to follow the rules.





Re: GPG : "No secret key found" error

2021-06-09 Thread Robert J. Hansen via Gnupg-users
> But, this command had a risk of exposing $PASSPHRASE to the UNIX 
> console if any user executes ps -ef command while the code is running. 
> This was a huge security breach so I chose the --passphrase-file 
> option to read the decryption password from a file.
>
> Now, all I need is to place the file, which stores the decryption 
> password, with strict user permissions.

And this is probably a bad idea.

Clearly, you have a place where you feel it's safe to store a file 
containing the passphrase for your certificate.  So remove the 
passphrase from your certificate and store it there, in that safe place 
on your filesystem.

> Having said that, just to add a little bit of more security...


This is a really bad habit: thinking that "I'll just add one more step 
to add a little bit more security."  It's endemic to the community -- 
you are far from the only person to have it.  But it's a bad habit, and 
here's why: security decisions always need to be connected to your 
threat model.


Is there something in your threat model you can point to and say, 
"because of this particular threat we're concerned about, this step I 
want to take is warranted"?  If so, go for it.  If not, don't.




Re: GPG : "No secret key found" error

2021-06-09 Thread Robert J. Hansen via Gnupg-users
I'm not going to respond to this until you re-send it as plain text 
without HTML.  The very first thing I wrote in my last email was that 
this mailing list strongly prefers plain text without HTML.


We're willing to help you, but you need to follow the rules.



Re: GPG : "No secret key found" error

2021-06-09 Thread Abhisht Sharma via Gnupg-users
Hi Robert,

Many thanks for your email.
I will try to give you the background of the problem that led me to this
approach.

Problem:

I have a situation where the password-protected PGP/GPG encrypted files
need to be decrypted, processed through ETL operations and loaded in HIVE.
I had a generic Korn Shell script which executes below command.

cmd 1:
gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE --passphrase $PASSPHRASE -d $ENCRYPTED_SOURCE_FILE

But, this command had a risk of exposing $PASSPHRASE to the UNIX console
if any user executes ps -ef command while the code is running. This was a
huge security breach so I chose the --passphrase-file option to read the
decryption password from a file.

Now, all I need is to place the file, which stores the decryption password,
with strict user permissions.

Having said that, just to add a little bit of more security I was thinking
of encrypting the above mentioned file (which stores the Decryption
password) and within my shell script, decrypt it, read it and pass the
password to the "gpg" command.
This encryption needs to be passwordless using 7za utility otherwise we
will be stuck in a loop of storing the new password securely.

Below 7za command was used to encrypt without password.
cmd 2:
7za a -mx=9 -mhe -t7z $ENCRYPTED_OUTPUT_FILE $SOURCE_FILE

Now "cmd 1" has been updated to the below command, which UNIX shell script
will use to read the above file and pass on the passphrase to the gpg
decryption command.

cmd 3:
echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE -d $ENCRYPTED_SOURCE_FILE

The problem I mentioned in my original post starts from here.
The above command doesn't run and fails for "No secret Key found" issue and
runs fine if it is executed immediately after the second part of command
i.e. gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE -d $ENCRYPTED_SOURCE_FILE

There is a similar command as mentioned below, which runs fine.

cmd 4:
echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | 7za x -o$OUTPUT_FILE $7Z_ENCRYPTED_FILE

Please note that in the above command (cmd 4) the source files are
encrypted with 7z utility (or compressed with password, as many people say).

The whole intention of doing all of this is just to avoid any possible
PASSWORD security breach.

I hope I was able to give you a clearer picture of the requirement.

I am even open for any new design approach, if you experts can suggest.
Please let me know in case of any queries.

-regards,
Abhisht Sharma



On Tue, 8 Jun 2021 at 20:10, Robert J. Hansen  wrote:

> Please do not send HTML to this mailing list.  Many of our members
> refuse to open HTML emails from unknown parties, so when you send HTML
> email to this list you're limiting the number of people who can see your
> question -- and maybe be able to help you!
>
> > Step 2. Instead, I have thought of storing the passphrase in a file
> > (passphrase.dat.pgp), encrypted that file without password and passing
> > the password to do the work using below command.
>
> How exactly do you "encrypt that file without password"?
>
> At any rate, this is probably a bad idea.  Often the best way to proceed
> for scripting GnuPG tasks is to remove the passphrase from the certificate.
>
> > Step 3. To my wonder, when I execute Step 1 first and then Step 2
> > (within a short span), it works, but if I directly run Step 2 ( which
> > actually will be happening as a part of solution), then it doesn't and
> > fails for "No secret key" error.
>
> This tells me that GnuPG is caching your passphrase with gpg-agent.
> When you run it the second time GnuPG sees the passphrase is in the
> cache and uses that, without ever needing to ask you for the passphrase.
>


-- 
With Regards,
Abhisht Sharma
+353 899875624

Re: GPG : "No secret key found" error

2021-06-08 Thread Robert J. Hansen via Gnupg-users
Please do not send HTML to this mailing list.  Many of our members 
refuse to open HTML emails from unknown parties, so when you send HTML 
email to this list you're limiting the number of people who can see your 
question -- and maybe be able to help you!


> Step 2. Instead, I have thought of storing the passphrase in a file 
> (passphrase.dat.pgp), encrypted that file without password and passing 
> the password to do the work using below command.

How exactly do you "encrypt that file without password"?

At any rate, this is probably a bad idea.  Often the best way to proceed 
for scripting GnuPG tasks is to remove the passphrase from the certificate.

> Step 3. To my wonder, when I execute Step 1 first and then Step 2 
> (within a short span), it works, but if I directly run Step 2 ( which 
> actually will be happening as a part of solution), then it doesn't and 
> fails for "No secret key" error.


This tells me that GnuPG is caching your passphrase with gpg-agent. 
When you run it the second time GnuPG sees the passphrase is in the 
cache and uses that, without ever needing to ask you for the passphrase.




GPG : "No secret key found" error

2021-06-08 Thread Abhisht Sharma via Gnupg-users
Hi

Please keep me in CC as I think I am not a  subscribed user yet.

GPG:

I am using the gpg command in a UNIX Shell script triggered by the Abinitio
ETL Tool to decrypt my encrypted source files. I am following below steps
to achieve my goal.

Step 1. As a POC, I can successfully executed below command.
gpg --batch --yes --quiet --always-trust -o /home/output_file.dat -d
/etl/inbound/encrypted_file.dat.pgp

The above command will simply ask for password and decrypt the source file.
Please note that I am intentionally not using --passphrase as password will
be exposed to console using ps command.

Step 2. Instead, I have thought of storing the passphrase in a file
(passphrase.dat.pgp), encrypted that file without password and passing the
password to do the work using below command.

echo gpg --batch --yes --quiet --always-trust -d /home/sharma43/passphrase.dat.pgp | gpg --batch --yes --quiet --always-trust -o /home/output_file.dat -d /etl/inbound/encrypted_file.dat.pgp

Now the problem comes when I execute above command and it fails for below error.

gpg: cancelled by user
gpg: decryption failed: No secret key

Obviously, I have the required secret key as the POC done in Step 1 was
successful.

Step 3. To my wonder, when I execute Step 1 first and then Step 2 (within a
short span), it works, but if I directly run Step 2 ( which actually will
be happening as a part of solution), then it doesn't and fails for "No
secret key" error.

Can you please explain why this could be happening? Is there a specific
location where GPG private keys should be imported?

Please note the version I am using is "gpg (GnuPG) 2.0.22 version".
-Regards
Abhisht Sharma
+61 420410228
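Both the original post above and the follow-up with cmd 1 to cmd 4 circle the same problem: a passphrase given as `--passphrase $PASSPHRASE` is visible to every local user in `ps -ef`, and piping it into gpg's stdin without telling gpg to read it from there gets "No secret key" once nothing is cached in gpg-agent. The thread's own advice is to remove the passphrase from the key; if a passphrase must stay, GnuPG can read it from a file descriptor so that only the descriptor number ever appears in argv. The block below is an added example, not code from the thread or from GnuPG. It assumes POSIX sh, gpg on PATH when the decrypt functions run, a passphrase file with mode 0600, and that the GnuPG version can be parsed from the first line of `gpg --version`; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: unattended gpg decryption that
# keeps the passphrase out of argv, so `ps -ef` cannot show it.
# Assumptions: POSIX sh; gpg on PATH when the decrypt functions are called.

# True (exit 0) for GnuPG 2.1 and later. From 2.1 on, all passphrase handling
# goes through gpg-agent, and --passphrase-fd is only honoured together with
# --pinentry-mode loopback; 2.0.x (the poster's 2.0.22) does not know that
# option and must not be given it. Usage: gpg_needs_loopback "2.2.27"
gpg_needs_loopback() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Version of the installed gpg ("2.4.3" from "gpg (GnuPG) 2.4.3"),
# or "0.0" if no gpg is found.
gpg_version() {
    gpg --version 2>/dev/null | sed -n '1s/.* //p' | grep . || echo 0.0
}

# Print the option words for one batch decryption, one per line.
# $1 = gpg version, $2 = descriptor gpg should read the passphrase from.
# Only the descriptor number reaches the command line, never the secret.
gpg_decrypt_args() {
    printf '%s\n' --batch --yes --quiet --always-trust --passphrase-fd "$2"
    if gpg_needs_loopback "$1"; then
        printf '%s\n' --pinentry-mode loopback
    fi
}

# Passphrase kept in a file (mode 0600): gpg inherits it as descriptor 3.
# $1 = passphrase file, $2 = ciphertext, $3 = plaintext output
gpg_decrypt_with_passfile() {
    passfile=$1; infile=$2; outfile=$3
    set -- $(gpg_decrypt_args "$(gpg_version)" 3)
    gpg "$@" -o "$outfile" -d "$infile" 3< "$passfile"
}

# Passphrase arriving on stdin, e.g. from the poster's 7za pipeline:
#   7za x -so "$FILE_WITH_DECRYPTION_PASSWORD" | gpg_decrypt_from_stdin in.pgp out.dat
# gpg reads the passphrase from descriptor 0 and the ciphertext from the file.
# $1 = ciphertext, $2 = plaintext output
gpg_decrypt_from_stdin() {
    infile=$1; outfile=$2
    set -- $(gpg_decrypt_args "$(gpg_version)" 0)
    gpg "$@" -o "$outfile" -d "$infile"
}
```

The `3< "$passfile"` redirection applies only to the gpg process, so the descriptor is not inherited by anything else the script starts. On GnuPG 2.1 releases older than 2.1.12 the agent additionally needs `allow-loopback-pinentry` in gpg-agent.conf for loopback mode to be accepted.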

Re: "gpg: decryption failed: No secret key" after export-import to another host

2021-06-08 Thread sergio via Gnupg-users

Thank you anon85786376!!

--
sergio.



Re: "gpg: decryption failed: No secret key" after export-import to another host

2021-06-06 Thread anon85786376 via Gnupg-users

‐‐‐ Original Message ‐‐‐
On Sunday, June 6, 2021 2:24 PM, sergio via Gnupg-users  
wrote:

> I found the sequence to reproduce my problem:
>
> $ rm -rf .gnupg
> $ gpg --gen-key --batch < %echo Generating a 25519 key
> Key-Type: eddsa
> Key-Curve: Ed25519
> Key-Usage: cert
> Subkey-Type: ecdh
> Subkey-Curve: Ed25519

The problem is the subkey curve being ed25519. It will not import correctly. 
For an encryption subkey you must use "Subkey-Curve: cv25519".

See: https://dev.gnupg.org/T5401

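The reply above pins the failure on one line of the batch parameter block: `Subkey-Type: ecdh` together with `Subkey-Curve: Ed25519`. The key generates and decrypts locally, but after export and re-import the subkey shows as `ssb#` and decryption fails with "No secret key". The following is an added example, not code from the thread or from GnuPG: a POSIX sh/awk lint for a `gpg --gen-key --batch` parameter block that rejects that combination before any key is made. It assumes the block arrives on stdin, one `Name: value` per line, and also accepts the OpenPGP algorithm number 18 for ECDH, which gpg allows in place of the name; the function name is mine.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a `gpg --gen-key --batch`
# parameter block before generating, catching the mistake diagnosed in the
# thread (an ecdh encryption subkey requested on the signature curve Ed25519).
# Assumption: the parameter block arrives on stdin, one "Name: value" per line.
# Exit status 0 = consistent, 1 = bad subkey curve (message on stdout).
check_genkey_params() {
    awk '
        # Skip %-directives and blank lines; split "Name: value" on the
        # first colon and normalise case and surrounding blanks.
        /^[ \t]*[A-Za-z]/ && index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            val  = tolower(substr($0, index($0, ":") + 1))
            gsub(/[ \t]/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == "subkey-type")  type  = val
            if (name == "subkey-curve") curve = val
        }
        END {
            # "18" is the OpenPGP algorithm id for ECDH, accepted by gpg in
            # place of the name.
            if ((type == "ecdh" || type == "18") && curve == "ed25519") {
                print "Subkey-Curve: Ed25519 is a signature curve; an ecdh subkey needs Subkey-Curve: cv25519"
                exit 1
            }
            exit 0
        }'
}
```

Run it as `check_genkey_params < key.params && gpg --gen-key --batch key.params`; the check is cheap, and it is far easier than discovering the `ssb#` on the second host.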

Re: "gpg: decryption failed: No secret key" after export-import to another host

2021-06-06 Thread sergio via Gnupg-users

I found the sequence to reproduce my problem:


$ rm -rf .gnupg
$ gpg --gen-key --batch <gpg: revocation certificate stored as 
'/home/test/.gnupg/openpgp-revocs.d/268017E33AFCBAD119C2FB626C6DB60F0545821C.rev'

gpg: done
$ gpg -K
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/test/.gnupg/pubring.kbx
-
sec   ed25519 2021-06-06 [C]
  268017E33AFCBAD119C2FB626C6DB60F0545821C
uid   [ultimate] test 
ssb   ed25519 2021-06-06 [E]

$ echo test | gpg --encrypt --recipient t...@test.com | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID 683197C0DF776EC0, created 
2021-06-06

  "test "
test

$ gpg --export-secret-keys -a > keys.asc
$ rm -rf .gnupg
$ gpg --import --trust-model always keys.asc
gpg: directory '/home/test/.gnupg' created
gpg: keybox '/home/test/.gnupg/pubring.kbx' created
gpg: key 6C6DB60F0545821C: public key "test " imported
gpg: key 6C6DB60F0545821C: secret key imported
gpg: Total number processed: 1
gpg:   imported: 1
gpg:   secret keys read: 1
gpg:   secret keys imported: 1
$ gpg -K
gpg: /home/test/.gnupg/trustdb.gpg: trustdb created
/home/test/.gnupg/pubring.kbx
-
sec   ed25519 2021-06-06 [C]
  268017E33AFCBAD119C2FB626C6DB60F0545821C
uid   [ unknown] test 
ssb#  ed25519 2021-06-06 [E]

$ echo test | gpg --encrypt --recipient t...@test.com | gpg --decrypt
gpg: 683197C0DF776EC0: There is no assurance this key belongs to the 
named user


sub  ed25519/683197C0DF776EC0 2021-06-06 test 
 Primary key fingerprint: 2680 17E3 3AFC BAD1 19C2  FB62 6C6D B60F 0545 
821C
  Subkey fingerprint: C0E4 F2BE 8532 1C1A 3777  8963 6831 97C0 DF77 
6EC0


It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
gpg: encrypted with 256-bit ECDH key, ID 683197C0DF776EC0, created 
2021-06-06

  "test "
gpg: decryption failed: No secret key
$


Is this a GnuPG bug or am I doing something wrong?

--
sergio.

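A way to see at a glance why the round trip above ends in "No secret key", as an added example that is not part of the thread: a small Python parser over the machine-readable listing produced by "gpg --batch --with-colons --list-secret-keys". The field meanings (capability letters in field 12, the token field 15 that carries "#" for a stub or a serial number for a key on a smartcard, the curve name in field 17) are taken from doc/DETAILS in the GnuPG source tree. The two sample listings are constructed from the key ids and fingerprints in sergio's post and from Patrick's card output later on this page; they are not real gpg output, and the ECDH-on-Ed25519 check encodes the fix anon85786376 gives (T5401).

```python
"""Explain a 'gpg: decryption failed: No secret key' from the machine-readable
secret-key listing, i.e. the output of:

    gpg --batch --with-colons --list-secret-keys

Field numbering follows doc/DETAILS in the GnuPG source tree: field 1 is the
record type, 4 the public-key algorithm id, 5 the key id, 12 the capability
letters, 15 the token field ('#' = the secret part is only a stub, a serial
number = the secret lives on a smartcard) and 17 the curve name.
The sample listings below are constructed to mirror the listings in the
thread; they are not real gpg output captured from a host.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ECDH = 18   # OpenPGP public-key algorithm id: ECDH (encryption)
EDDSA = 22  # OpenPGP public-key algorithm id: EdDSA (signing/certification)


@dataclass
class KeyRecord:
    kind: str    # "sec" (primary) or "ssb" (subkey)
    keyid: str
    algo: int
    caps: str    # capability letters, e.g. "e", "s", "cSC"
    token: str   # field 15: "" usable, "#" stub, otherwise a card serial
    curve: str
    fpr: str = ""

    def secret_status(self) -> str:
        """Classify the secret part the way 'gpg -K' marks it (ssb / ssb# / ssb>)."""
        if self.token == "#":
            return "stub"
        if self.token in ("", "+"):
            return "available"
        return "on-card:" + self.token


@dataclass
class SecretKey:
    primary: KeyRecord
    subkeys: List[KeyRecord] = field(default_factory=list)

    def encryption_subkeys(self) -> List[KeyRecord]:
        return [k for k in self.subkeys if "e" in k.caps]


def parse_colon_listing(text: str) -> List[SecretKey]:
    """Group sec/ssb/fpr records of a --with-colons listing into SecretKey objects."""
    keys: List[SecretKey] = []
    last: Optional[KeyRecord] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "fpr":
            if last is not None and len(f) > 9:
                last.fpr = f[9]       # field 10 carries the fingerprint
            continue
        if f[0] not in ("sec", "ssb"):
            continue                  # uid, grp, tru ... records are not needed here
        rec = KeyRecord(kind=f[0], keyid=f[4], algo=int(f[3]), caps=f[11],
                        token=f[14] if len(f) > 14 else "",
                        curve=f[16] if len(f) > 16 else "")
        if rec.kind == "sec":
            keys.append(SecretKey(primary=rec))
        elif keys:
            keys[-1].subkeys.append(rec)
        last = rec
    return keys


def diagnose(key: SecretKey) -> List[str]:
    """Return human-readable reasons why decryption with this key would fail."""
    findings: List[str] = []
    enc = key.encryption_subkeys()
    if not enc:
        findings.append(f"{key.primary.keyid}: no encryption-capable subkey")
    for sub in enc:
        status = sub.secret_status()
        if status == "stub":
            findings.append(f"{sub.keyid}: encryption subkey is a stub (ssb#), "
                            "its secret part was never imported")
        elif status.startswith("on-card:"):
            findings.append(f"{sub.keyid}: secret part lives on card "
                            f"{status[len('on-card:'):]}; the card must be plugged in "
                            "and known to scdaemon")
        if sub.algo == ECDH and sub.curve.lower() == "ed25519":
            findings.append(f"{sub.keyid}: ECDH subkey generated on Ed25519; GnuPG "
                            "expects cv25519 for encryption subkeys (see T5401)")
    return findings


# Constructed listing mirroring sergio's 'gpg -K' after the export/import round trip.
SAMPLE_AFTER_IMPORT = """\
sec:-:256:22:6C6DB60F0545821C:1622980800:::-:::cSC:::::ed25519::
fpr:::::::::268017E33AFCBAD119C2FB626C6DB60F0545821C:
uid:-::::1622980800::0000000000000000000000000000000000000000::test <test@test.com>::::::::::0:
ssb:-:256:18:683197C0DF776EC0:1622980800::::::e:::#::ed25519::
fpr:::::::::C0E4F2BE85321C1A37778963683197C0DF776EC0:
"""

# Constructed listing for a key whose encryption subkey was moved to a smartcard.
SAMPLE_ON_CARD = """\
sec:u:4096:1:5677226BCD1FD704:1395995293:::u:::cSC::::::::
ssb:u:4096:1:3AB431AF62D277F5:1395995293::::::e:::D276000124010201000609507516::::
"""

if __name__ == "__main__":
    for name, listing in (("after import", SAMPLE_AFTER_IMPORT), ("on card", SAMPLE_ON_CARD)):
        for key in parse_colon_listing(listing):
            print(name, key.primary.keyid, *diagnose(key), sep="\n  ")
```

Run against a real host with "gpg --batch --with-colons --list-secret-keys | python3 script.py" after swapping the samples for sys.stdin.read(); a stub on the only encryption subkey is exactly the case where the import printed "secret keys imported: 1" and yet every decrypt fails.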


Re: "gpg: decryption failed: No secret key" after export-import to another host

2021-05-31 Thread sergio via Gnupg-users
I tried the same sequence on the same host A but for a new test user with a
clean ~/.gnupg, without success. Could you help me debug this, please?


--
sergio.



Re: "gpg: decryption failed: No secret key" after export-import to another host

2021-05-20 Thread sergio via Gnupg-users

> --export-secret-keys

Sorry, this is a typo, of course. And to be absolutely sure, I re-checked:

B $ gpg --import secret.key
gpg: key : public key "name (comment) " imported
gpg: key : secret key imported
gpg: Total number processed: 1
gpg:   imported: 1
gpg:   secret keys read: 1
gpg:   secret keys imported: 1
gpg:  secret keys unchanged: 1



--
sergio.



Re: "gpg: decryption failed: No secret key" after export-import to another host

2021-05-20 Thread Erich Eckner via Gnupg-users

Hi,

have a look at the manpage at --export-secret-keys:

"Same as --export, but exports the secret keys instead. ..."

regards,
Erich

On Thu, 20 May 2021, sergio via Gnupg-users wrote:

> I have generated a key on host A and it works fine:
>
> A $ echo test | gpg --encrypt --recipient  | gpg --decrypt
> gpg: encrypted with 256-bit ECDH key, ID , created 
>  "Name (comment) "
> test
>
> I copied it to host B:
>
> A $ gpg --armor --export  > private.key
> A $ scp private.key B:
> B $ gpg --import private.key
>
> But it doesn't work on B:
> B % echo test | gpg --encrypt --recipient  | gpg --decrypt
> gpg: encrypted with 256-bit ECDH key, ID , created 
>  "name (comment) "
> gpg: decryption failed: No secret key
>
> gpg version is the same on both hosts: 2.2.27-2 from debian sid
>
> $ gpg --list-secret-keys --with-subkey-fingerprint
> shows the same key on both hosts
>
> --
> sergio.



"gpg: decryption failed: No secret key" after export-import to another host

2021-05-20 Thread sergio via Gnupg-users

I have generated a key on host A and it works fine:

A $ echo test | gpg --encrypt --recipient  | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID , created 
  "Name (comment) "
test

I copied it to host B:

A $ gpg --armor --export  > private.key
A $ scp private.key B:
B $ gpg --import private.key

But it doesn't work on B:
B % echo test | gpg --encrypt --recipient  | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID , created 
  "name (comment) "
gpg: decryption failed: No secret key


gpg version is the same on both hosts: 2.2.27-2 from debian sid


$ gpg --list-secret-keys --with-subkey-fingerprint
shows the same key on both hosts


--
sergio.



Re: Security-Token: "No secret key" unless "gpg --card-status" first

2020-12-08 Thread Werner Koch via Gnupg-users
On Tue,  8 Dec 2020 10:03, Patrick Ben Koetter said:

> $ gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel

(gpg: decryption failed: No secret key)

> $ gpg --version
> gpg (GnuPG) 2.2.24

Please update to 2.2.25 because of

  * scd: Fix regression in 2.2.24 requiring gpg --card-status before
signing or decrypting.  [#5065]



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Security-Token: "No secret key" unless "gpg --card-status" first

2020-12-08 Thread Patrick Ben Koetter via Gnupg-users
Greetings,

my PGP secret key is stored on a Yubikey security token and until recently I
would simply plug it into my computer and use it to encrypt/decrypt data. This
stopped working and now all I get is this unless I command gpg first to list
the card status using "gpg --card-status":

$ gpg: Entschlüsselung fehlgeschlagen: Kein geheimer Schlüssel
(gpg: decryption failed: No secret key)


I'm not familiar with all the components that need to play together for this
to work "plug & play", so I figured I'd start here first and find out if gpg
requires some change in config to let it use the security token immediately.

I'm on ARCH Linux and the software installed and hardware used is:

$ gpg --version
gpg (GnuPG) 2.2.24
libgcrypt 1.8.7

$ ykinfo -v
version: 5.1.2

$ ykman --version
YubiKey Manager (ykman) version: 3.1.1
Libraries:
libykpers 1.20.0
libusb 1.0.23

$ gpg --card-status
Reader ...........: 1050:0407:X:0
Application ID ...: D276000124010201000609507516
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 09507516
Name of cardholder: Patrick Ben Koetter
Language prefs ...: [not set]
Salutation .......: Mr.
URL of public key : [not set]
Login data .......: p...@sys4.de
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa4096 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: 74B5 --redacted--
      created ....: 2014-03-28 16:28:13
Authentication key: [none]
General key info..: sub  rsa4096/3AB431AF62D277F5 2014-03-28 Patrick Ben Koetter
sec   rsa4096/5677226BCD1FD704  created: 2014-03-28  expires: never
ssb>  rsa4096/3AB431AF62D277F5  created: 2014-03-28  expires: never
                                card-no: 0006 09507516


TIA,

p@rick


-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein



Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?

2020-11-17 Thread Werner Koch via Gnupg-users
On Tue, 17 Nov 2020 02:28, Gao Xiaohui said:

> conf.conf". At present, the "--s2k-count" option can be used in both
> gpg.exe and gpg-agent.exe.Thank you.

In gpg.conf this is used for deriving a passphrase for symmetric
encryption.

In gpg-agent.conf it is used to override the calibrated iteration code
for protecting keys in gpg-agent.  There is no need to change the
algorithms.  For interoperability and maintenance reasons we try to
limit the number of user modifiable parameters.  Eventually there will
be change to an AEAD algorithm, howver interoperability is the main
concern and not theoretical attacks.


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?

2020-11-17 Thread Gao Xiaohui via Gnupg-users
Thank you for your reply to my question.

In https://dev.gnupg.org/T1800, Werner responded: "It is an open question
whether gpg should be allowed to change the s2k options because the keys are a
property of the agent and not of gpg. For export it might however make sense to
be able to change that (think export for use on a slower box)."

Excuse me, why not use "--s2k-digest-algo" and "--s2k-cipher-algo" and other
options for gpg-agent.exe, so you can also write these options in
"gpg-conf.conf"? At present, the "--s2k-count" option can be used in both
gpg.exe and gpg-agent.exe. Thank you.

Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?

2020-11-13 Thread Werner Koch via Gnupg-users
On Thu, 12 Nov 2020 09:27, A NiceBoy said:

> 1. The solution is also in this report. Just install gpg version 2.0.x,

Don't!

2.0 reached end-of-life 3 years ago - there are no security fixes etc.
You shall not use that version anymore.

> Then you can see the algo changed to AES256 and digest changed to SHA512.

If you want to convey secret keys do not rely on the passphrase
protection of OpenPGP but use a secure transport channel.  Which may be
just a gpg encrypted file.  The problem with the passphrase is that you
need to transport a secure passphrase via another secured medium and in
this case you can also transport the secret key with a "weaker"
passphrase.  Whether you use SHA256 or SHA512 does not matter.  The
iteration count matters more but in any case you can't create better
security from a weak passphrase - the iteration count is a failstop
thing but not a proper cryptographic replacement for a weak passphrase.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?

2020-11-12 Thread A NiceBoy via Gnupg-users
Hello Gao,

Your question could be stated more clearly as in this bug report:
https://dev.gnupg.org/T1800


1. The solution is also in this report. Just install gpg version
2.0.x, which is prior to version 2.1, then run the following command to
generate the key:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 
> --s2k-count 6500 --gen-key

Then export, using the s2k options in case they're needed here instead:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 
> --s2k-count 6500 --export-secret-keys | gpg2 --list-packets

Then you can see the algo changed to AES256 and digest changed to SHA512.


2. To modify the existing key, you still have to install gpg version
2.0.x first, which is prior to version 2.1, then add the following
options into your gpg.conf:

> #-
> # algorithm and ciphers
> #-
> # Limits the algorithms used
> personal-cipher-preferences AES256
> personal-digest-preferences SHA512
> default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH 
> BLOWFISH ZLIB BZIP2 ZIP Uncompressed
> cipher-algo AES256
> digest-algo SHA512
> cert-digest-algo SHA512
> compress-algo ZLIB
> disable-cipher-algo 3DES
> #weak-digest SHA1
> s2k-cipher-algo AES256
> s2k-digest-algo SHA512
> s2k-mode 3
> s2k-count 65011712

Then reset the passphrase of the private key, using the above
settings, then export the private key to file. Here is the output of
--list-packets:

> iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024
> protect count: 65011712 (255)

This idea comes from the links:
https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
,  https://security.stackexchange.com/a/90617


3. There is a small tool along with the command of --list-packets,
called pgpdump which is available at
http://www.mew.org/~kazu/proj/pgpdump/en/ , to provide more details of
the private key file.


Best regards

On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users
 wrote:
>
> Hello,
> Excuse me, when using "gpg --list-packets [private secret key file]", it prints
> "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ",
> how to change "algo:7" and "hash:2"?
> I searched on Google; it said using the "gpg --gen-key" or "gpg --edit-key" command
> with "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512" options could
> change them, but I tested, and it could not change them. Tell me the correct way
> please. Thank you very much.
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

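The "--list-packets" lines quoted in this thread ("iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: ..., protect count: 65011712 (255)") are a direct rendering of the S2K specifier in the secret-key packet, and the odd-looking "(255)" is the one-octet coded count from RFC 4880 section 3.7.1.3. As an added example, not code from the thread or from GnuPG, the Python below decodes such a specifier from raw bytes, renders it in the same style, and shows how a requested "--s2k-count" value is rounded to the nearest representable count. The byte strings are constructed here from the values quoted in the thread (the salt 12d208a128163024, AES256/SHA512 with count octet 255, AES128/SHA1 for the weak case); no real key material is involved, and the rounding-up rule is this example's conservative choice for mapping a requested count onto the 256 representable values.

```python
"""Decode the secret-key protection (S2K) fields that 'gpg --list-packets'
summarises as e.g.

    iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024
    protect count: 65011712 (255)

The layout follows RFC 4880 section 5.5.3 (secret-key packet) and 3.7.1.3
(iterated and salted S2K). Sample byte strings are constructed here from the
values quoted in the thread; no real key material is involved.
"""
from dataclasses import dataclass

SYM_ALGOS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
             7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}


def decode_s2k_count(octet: int) -> int:
    """RFC 4880 3.7.1.3: count = (16 + low nibble) << (high nibble + 6)."""
    if not 0 <= octet <= 255:
        raise ValueError("count octet out of range")
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def encode_s2k_count(count: int) -> int:
    """Smallest octet whose decoded count is >= the requested count (capped at 255).

    Only 256 iteration counts are representable, so a request such as
    '--s2k-count 6500' is stored as the next representable value, 6656."""
    for octet in range(256):
        if decode_s2k_count(octet) >= count:
            return octet
    return 255


@dataclass
class S2KInfo:
    usage: int        # 254 = S2K + SHA-1 checksum, 255 = S2K + 16-bit checksum
    sym_algo: int
    mode: int         # 0 = simple, 1 = salted, 3 = iterated+salted
    hash_algo: int
    salt: bytes
    count: int        # decoded iteration count (0 unless mode == 3)
    coded_count: int  # the octet as stored in the packet


def parse_s2k(buf: bytes) -> S2KInfo:
    """Parse the S2K specifier that follows the public fields of a secret-key packet."""
    usage = buf[0]
    if usage not in (254, 255):
        raise ValueError("key is not S2K-protected (usage octet %d)" % usage)
    sym_algo, mode, hash_algo = buf[1], buf[2], buf[3]
    salt, count, coded = b"", 0, 0
    if mode == 1:
        salt = bytes(buf[4:12])
    elif mode == 3:
        salt = bytes(buf[4:12])
        coded = buf[12]
        count = decode_s2k_count(coded)
    elif mode != 0:
        raise ValueError("unknown S2K mode %d" % mode)
    return S2KInfo(usage, sym_algo, mode, hash_algo, salt, count, coded)


def describe(info: S2KInfo) -> str:
    """Render the fields in the style of the --list-packets line quoted above."""
    kind = {0: "simple", 1: "salted", 3: "iter+salt"}[info.mode]
    protection = "SHA1 protection" if info.usage == 254 else "checksum protection"
    text = (f"{kind} S2K, algo: {info.sym_algo} ({SYM_ALGOS.get(info.sym_algo, '?')}), "
            f"{protection}, hash: {info.hash_algo} ({HASH_ALGOS.get(info.hash_algo, '?')})")
    if info.salt:
        text += f", salt: {info.salt.hex()}"
    if info.mode == 3:
        text += f", protect count: {info.count} ({info.coded_count})"
    return text


SALT = bytes.fromhex("12d208a128163024")   # salt value quoted in the thread
# Constructed: AES256 / SHA512 / iterated+salted with the maximum count octet 255.
STRONG_SAMPLE = bytes([254, 9, 3, 10]) + SALT + bytes([255])
# Constructed: AES128 / SHA1 with count octet 0x60, i.e. 65536 iterations.
WEAK_SAMPLE = bytes([254, 7, 3, 2]) + SALT + bytes([0x60])

if __name__ == "__main__":
    for sample in (STRONG_SAMPLE, WEAK_SAMPLE):
        print(describe(parse_s2k(sample)))
    print("--s2k-count 6500 is stored as octet", encode_s2k_count(6500),
          "=", decode_s2k_count(encode_s2k_count(6500)), "iterations")
```

The point Werner makes above is visible in the numbers: the difference between hash id 2 and hash id 10 changes nothing about the work factor, while the count octet spans 1024 (octet 0) to 65011712 (octet 255), and neither turns a weak passphrase into a strong one.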



Re: Subkeys export to Security Token fails: Secret key available.

2020-08-08 Thread Ángel


> On 8 August 2020 02:05:44 CEST, "Ángel" wrote:
> > You had some "full" keys (public+private part). Then "moved" them to
> > the Yubikey, so the private part was now in the yubikey, and locally
> > you left just a stub saying "go look at yubikey #1234 for this key".
> >
> > Do you have a backup of the full, original key?
> >
> > Cheers

On 2020-08-08 at 09:52 +0200, Thomas via Gnupg-users wrote:
> I have a backup of any key.

Then just restore the full key (either on your normal keyring or on a
temporary one, GNUPGHOME is your friend) and start again from that. It
should work that time.

Best regards



Re: Subkeys export to Security Token fails: Secret key available.

2020-08-08 Thread Thomas via Gnupg-users
I have a backup of any key.

On 8 August 2020 02:05:44 CEST, "Ángel" wrote:
>On 2020-08-07 at 08:33 +0200, Thomas Schneider wrote:
>> All subkeys are marked as Stub which is correct because the keys have
>> been exported before.
>> However now the keys don't exist anymore on the keycard.
>> 
>> Can you please advise how to fix this issue?
>> 
>> THX
>
>You had some "full" keys (public+private part). Then "moved" them to
>the
>Yubikey, so the private part was now in the yubikey, and locally you
>left just a stub saying "go look at yubikey #1234 for this key".
>
>Do you have a backup of the full, original key?
>
>
>Cheers
>
>___
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
This message was sent from my Android phone with K-9 Mail.

Re: Subkeys export to Security Token fails: Secret key available.

2020-08-07 Thread Ángel
On 2020-08-07 at 08:33 +0200, Thomas Schneider wrote:
> All subkeys are marked as Stub which is correct because the keys have
> been exported before.
> However now the keys don't exist anymore on the keycard.
> 
> Can you please advise how to fix this issue?
> 
> THX

You had some "full" keys (public+private part). Then "moved" them to the
Yubikey, so the private part was now in the yubikey, and locally you
left just a stub saying "go look at yubikey #1234 for this key".

Do you have a backup of the full, original key?


Cheers



Subkeys export to Security Token fails: Secret key available.

2020-08-07 Thread Thomas Schneider via Gnupg-users
Hi,
I had to reset my blocked Yubikey.
Then I started with setting up the key again; all worked fine including
"key attributes".

After this I tried to export the PGP keys to the token, however this
fails with error message:
gpg: KEYTOCARD failed: Unusable secret key

I don't understand how to fix this issue, and I don't understand what's
causing this issue.
When I execute "gpg --expert --edit-key 0x" I can see this:

Secret key available.
Secret subkey is available.

pub  rsa4096/
     created: 2020-01-06  expires: 2021-01-05  usage: C
     trust: unknown       validity: unknown
ssb  rsa4096/
     created: 2020-01-06  expires: 2021-01-05  usage: A
     Card number: 0006 
ssb  rsa4096/
     created: 2020-01-06  expires: 2021-01-05  usage: S
     Card number: 0006 
ssb  rsa4096/
     created: 2020-01-06  expires: 2021-01-05  usage: E
     Card number: 0006 

All subkeys are marked as Stub which is correct because the keys have
been exported before.
However now the keys don't exist anymore on the keycard.

Can you please advise how to fix this issue?

THX



Re: Why is there no secret key?

2020-07-30 Thread Peter Lebbing
On 27/07/2020 22:53, Ayoub Misherghi wrote:
> With API I mean something like GPGME.

It seems to me that including options in gpg.conf that GPGME does not
expect people to put there might throw it out of whack.

> 1) It is preferable to have "--batch" on command line even in
> unattended operation; and not in the gpg.conf file?

Precisely when you do unattended operation should you have it on the
command line. And it should not be in your gpg.conf.

Why do you say "_even_ in unattended operation"?

> 2) --pinentry-mode when needed goes in gpg.conf

No, it makes more sense to specify this on the command line in the
instances you actually need this. However, I explained two methods[1] of
seeding the passphrase, neither of which uses --pinentry-mode.
--pinentry-mode is a great way to shoot oneself in the foot
security-wise.

> 3) --allow-loopback-pinentry when needed goes in gpg-agent.conf

It's already the default, if you want to disallow it you would specify
--no-allow-loopback-pinentry.

Please see the man page.

> Is it true that command line parameters only go to gpg and gpg-agent?

I don't really understand the question.

Usually, you only specify command line parameters to gpg. gpg might
launch a gpg-agent, or connect to an already running instance. There
are gpg command line parameters that influence the command line used to
launch gpg-agent, but in general, gpg's parameters do not propagate to
gpg-agent.

They each have their own set of parameters, documented in the man pages
gpg(1) and gpg-agent(1) respectively. GnuPG consists of more binaries,
but those two are the major ones.

HTH,

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2020-July/063825.html

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



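The three answers in this thread boil down to a placement rule: "batch" goes on the gpg command line of the particular unattended call, "pinentry-mode" is a gpg option, and "allow-loopback-pinentry" is a gpg-agent option (and already the default). An agent that was started with "batch" in its config file never asks for the passphrase, and gpg then reports "decryption failed: No secret key", which is what started the thread. As an added example, not code from the thread or from GnuPG, the Python below lints a gpg.conf and a gpg-agent.conf for exactly these misplacements and builds the command line for an unattended decrypt with --batch passed per call. The option-to-program mapping is taken from the replies above and from the gpg(1)/gpg-agent(1) man pages; the sample config contents are constructed from the lines Ayoub posted, and the MISPLACED table and the unattended_decrypt_argv helper are this example's own.

```python
"""Lint gpg.conf / gpg-agent.conf for options that do not belong there.

Rules, as stated in the thread: 'batch' belongs on the gpg command line of
the specific unattended call, 'pinentry-mode' is a gpg option (not gpg-agent),
and 'allow-loopback-pinentry' is a gpg-agent option (not gpg). An agent
started with 'batch' in its config silently refuses to ask for a passphrase,
and gpg then reports 'decryption failed: No secret key'.

The sample configs are constructed from the lines posted in the thread.
"""
from typing import Dict, Iterator, List, Tuple

# option name -> (where it belongs, advice)
MISPLACED: Dict[str, Tuple[str, str]] = {
    "batch": ("command line", "pass --batch to gpg on the command line of the "
                              "unattended call; never put it in a .conf file"),
    "no-batch": ("command line", "no-batch in a .conf file is pointless; drop it "
                                 "and use --batch per call instead"),
    "pinentry-mode": ("gpg", "this is a gpg option; gpg-agent does not "
                             "understand it"),
    "allow-loopback-pinentry": ("gpg-agent", "this is a gpg-agent option and the "
                                             "default anyway; gpg does not know it"),
}


def parse_conf(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line number, option, argument) for each active line of a GnuPG conf file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        option = parts[0].lstrip("-")           # conf files take options without "--"
        yield lineno, option, parts[1] if len(parts) > 1 else ""


def lint(filename: str, text: str) -> List[str]:
    """Return one finding per option that is in the wrong place for this file."""
    program = "gpg-agent" if filename.endswith("gpg-agent.conf") else "gpg"
    findings: List[str] = []
    for lineno, option, _arg in parse_conf(text):
        if option not in MISPLACED:
            continue
        belongs_to, advice = MISPLACED[option]
        if belongs_to == program:
            continue                            # right program, nothing to say
        findings.append(f"{filename}:{lineno}: '{option}' does not belong here ({advice})")
    return findings


def unattended_decrypt_argv(path: str) -> List[str]:
    """gpg command line for an unattended decrypt with the passphrase on fd 0.

    --batch is passed per call, as the thread recommends, instead of living in
    gpg.conf. Loopback pinentry hands the passphrase to the calling process,
    which the thread warns is easy to get wrong security-wise; keep that
    process and its environment locked down."""
    return ["gpg", "--batch", "--pinentry-mode", "loopback", "--passphrase-fd", "0",
            "--decrypt", path]


# Constructed from the conf lines posted in the thread.
AGENT_CONF = """\
# Lines uncommented in $HOME/.gnupg/gpg-agent.conf
log-file $HOME/gpg-log.txt
allow-loopback-pinentry
pinentry-mode loopback
batch
"""
GPG_CONF = """\
# Lines uncommented in $HOME/.gnupg/gpg.conf
batch
require-secmem
no-greeting
"""

if __name__ == "__main__":
    for name, text in (("gpg-agent.conf", AGENT_CONF), ("gpg.conf", GPG_CONF)):
        for finding in lint(name, text):
            print(finding)
    print(" ".join(unattended_decrypt_argv("textfile.gpg")))
```

Feed the real files with lint("gpg-agent.conf", open(path).read()); a clean result from both files plus --batch on the command line of the actual call is the configuration the replies above describe.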

Re: Why is there no secret key?

2020-07-27 Thread Ayoub Misherghi via Gnupg-users

With API I mean something like GPGME.

This is what came across to me:

1) It is preferable to have "--batch" on the command line even in unattended
operation, and not in the gpg.conf file?

2) --pinentry-mode when needed goes in gpg.conf

3) --allow-loopback-pinentry when needed goes in gpg-agent.conf

New related question:

Is it true that command line parameters only go to gpg and gpg-agent?

Ayoub




Re: Why is there no secret key?

2020-07-27 Thread Ayoub Misherghi via Gnupg-users



The same thing happens when I give the option --no-batch on the command
line.

The problem seems to have gone away when I moved the config option
"pinentry-mode loopback" to $HOME/.gnupg/gpg.conf from
$HOME/.gnupg/gpg-agent.conf.

In the final version when development ends, I am going to have "no-batch"
in the config because the final version works non-interactively (and
through the API.) That is why I have it in the config now.

Thanks guys,

Ayoub






Re: Why is there no secret key?

2020-07-27 Thread Peter Lebbing
On 27/07/2020 20:56, Ayoub Misherghi wrote:
> The same thing happens when I give the option --no-batch on the
> command line.

But that only passes --no-batch to gpg, not to gpg-agent. Werner said
you shouldn't put these options in your .conf-files. Please just include
--batch on the command line with the actual batch commands.

> The problem seems to have gone away when I moved the config option
> "pinentry-mode loopback"
> 
> to $HOME/.gnupg/gpg.conf from $HOME/.gnupg/gpg-agent.conf

--pinentry-mode is a gpg option, not a gpg-agent option. The
loopback-related option to gpg-agent is --allow-loopback-pinentry.

> In the final version when development ends, I am going to have
> "no-batch" in the config because the final version works
> 
> non-interactively (and through the API.) That is why I have it in the
> config now.

Please just include --batch (I assume you mistyped when you wrote
--no-batch) on the command line with the actual batch commands.

Not sure what you mean by through the API.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Why is there no secret key?

2020-07-27 Thread Peter Lebbing
On 27/07/2020 11:17, Werner Koch wrote:
> of the "batch" option.  This option should in general not be used for
> gpg-agent.

Which, by the way, is documented well in the man page gpg-agent(1):

   --batch
  Don't  invoke  a  pinentry or do any other thing requiring human
  interaction

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 




Re: Why is there no secret key?

2020-07-27 Thread Werner Koch via Gnupg-users
On Sun, 26 Jul 2020 13:25, Ayoub Misherghi said:
> I am not asked for pass phrase.

Right; that is because:

> # Lines uncommented in $HOME/.gnupg/gpg-agent.conf
> log-file $HOME/gpg-log.txt
> # The same thing happens when I comment this line out
> allow-loopback-pinentry
>
> batch

of the "batch" option.  This option should in general not be used for
gpg-agent.

> # Lines uncommented in $HOME/.gnupg/gpg.conf
>
> batch

Do not put this option into the conf file.  All kinds of stuff won't
work; --batch is used case-by-case on the command line.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.



Re: Why is there no secret key?

2020-07-26 Thread Ayoub Misherghi via Gnupg-users

I am not asked for a passphrase.

The following lines show you what I have in the ".conf-file":


###
###
#
# Lines uncommented in $HOME/.gnupg/gpg-agent.conf
log-file $HOME/gpg-log.txt
# The same thing happens when I comment this line out
allow-loopback-pinentry

batch

###
###
# Lines uncommented in $HOME/.gnupg/gpg.conf

batch
require-secmem
no-greeting


Ayoub

On 7/26/2020 2:49 AM, Peter Lebbing wrote:

> On 20/07/2020 20:25, Ayoub Misherghi via Gnupg-users wrote:
>
>> gpg: decryption failed: No secret key
>
> Are your gpg.conf and gpg-agent.conf (or let's just say any .conf-file
> in your GnuPG home, ~/.gnupg) empty? Do you get a pinentry popup asking
> for a passphrase?
>
> Peter.





Re: Why is there no secret key?

2020-07-26 Thread Peter Lebbing
On 20/07/2020 20:25, Ayoub Misherghi via Gnupg-users wrote:
> gpg: decryption failed: No secret key

Are your gpg.conf and gpg-agent.conf (or let's just say any .conf-file
in your GnuPG home, ~/.gnupg) empty? Do you get a pinentry popup asking
for a passphrase?

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>




Why is there no secret key?

2020-07-20 Thread Ayoub Misherghi via Gnupg-users

ayoub@vboxpwfl:~/testdir$ ls

textfile


ayoub@vboxpwfl:~/testdir$ gpg -r develop1 -e textfile
ayoub@vboxpwfl:~/testdir$ ls

textfile  textfile.gpg



ayoub@vboxpwfl:~/testdir$ gpg -u develop1 -o textfile.dcr -d textfile.gpg
gpg: encrypted with 256-bit ECDH key, ID 367BD2210D4E904D, created 
2020-07-09

  "develop1"
gpg: public key decryption failed: End of file

gpg: decryption failed: No secret key



ayoub@vboxpwfl:~/testdir$ gpg --list-secret-keys
/home/ayoub/.gnupg/pubring.kbx
--
sec   ed25519 2020-07-09 [SC] [expired: 2020-07-19]
  3C5B212A55B966881E2D2718A45398B520BEE91E
uid   [ expired] sentry

sec   ed25519 2020-07-09 [SC] [expires: 2021-07-09]
  7A675D7F52BC905C22F8249091556BC29D4C595E
uid   [ultimate] develop1
ssb   cv25519 2020-07-09 [E] [expires: 2021-07-09]

ayoub@vboxpwfl:~/testdir$



Re: Traveling without a secret key

2020-07-10 Thread Juergen Bruckner via Gnupg-users

Hi Stefan

> Since you and Andrew are using smart cards or tokens I would like to
> ask the following, prior to considering purchasing one myself in the near
> future.

Well, my first choice - as it is an Open Source product - is always a
Nitrokey [1]; I use both the NK Start as well as the NK Pro.

But also see the following:

> I use Windows 10 and Android (Samsung A40) and would like to know
> if it is possible with my smartphone and under Windows 10 to
> use a smart card where I can enter a PIN, thus only putting a secret
> key without a passphrase on it, for ease of use, because my bank card
> also has only a PIN. Is there software for such PIN entering for Win
> and Android available and if so what Android email client software
> would you or Andrew recommend, which allows to use a secret key without
> a passphrase from a smart card?

Well, Nitrokeys do also work on Android devices, with a USB adapter.

In case you want to use your SmartCard/Token on the Android device via
NFC, the best choice would be a Yubikey 5 NFC [2].

The Windows software to enter the PIN code is your PGP software with
SmartCard support. On Android you should use OpenKeychain for that.

As Android e-mail client, most people who use PGP use K-9 Mail;
my personal preference and my strong recommendation is the app called
"FairEmail", as this app supports both PGP (via OpenKeychain) and also
S/MIME.

I hope I have been able to help you a bit.

Best regards
Juergen


[1] https://www.nitrokey.com/de
[2] https://www.yubico.com

--
Juergen M. Bruckner
juergen@bruckner.email




Re: Traveling without a secret key

2020-07-09 Thread Franck Routier (perso)
Le jeudi 09 juillet 2020 à 14:58 +0200, Stefan Claas a écrit :
> Juergen Bruckner via Gnupg-users wrote:
>  
> Hi Juergen
> 
> > It's a good question what to do if you lose your SC or token.
> > Basically, it has to be said that you should definitely have a
> > backup of
> > your key. And you have to be very careful with your SC or tokens.
> > In principle it is almost the same as losing your credit card or
> > passport etc. while traveling; you have to provide alternatives
> > (e.g.
> > multiple smartcards).
> 
> Since you and Andrew are using smart cards or tokens I would like to
> ask the following, prior to considering purchasing one myself in the
> near
> future.
> 
> I use Windows 10 and Android (Samsung A40) and would like to know,
> in case this is possible with my smartphone and under Windows 10, to
> use a smart card where I can enter a PIN, thus only putting a secret
> key without a passphrase on it, for ease of use, because my bank card
> also has only a PIN. Is there software for such PIN entering for Win
> and Android available, and if so what Android email client software
> would you or Andrew recommend, which allows one to use a secret key
> without
> a passphrase from a smart card?
> 
> Regards
> Stefan
> 

For Android (actually I use /e/ degoogled OS), I use K9Mail and
OpenKeyChain, together with an NFC Yubikey. I also use PasswordStore for
all sorts of passwords, which I synchronize using git with my other
devices.

Franck



Re: Traveling without a secret key

2020-07-09 Thread Stefan Claas
Franck Routier (perso) wrote:
 
> On Thursday, 09 July 2020 at 14:58 +0200, Stefan Claas wrote:
> > Juergen Bruckner via Gnupg-users wrote:
> >  
> > Hi Juergen
> > 
> > > It's a good question what to do if you lose your SC or token.
> > > Basically, it has to be said that you should definitely have a
> > > backup of
> > > your key. And you have to be very careful with your SC or tokens.
> > > In principle it is almost the same as losing your credit card or
> > > passport etc. while traveling; you have to provide alternatives
> > > (e.g.
> > > multiple smartcards).
> > 
> > Since you and Andrew are using smart cards or tokens I would like to
> > ask the following, prior to considering purchasing one myself in the
> > near
> > future.
> > 
> > I use Windows 10 and Android (Samsung A40) and would like to know,
> > in case this is possible with my smartphone and under Windows 10, to
> > use a smart card where I can enter a PIN, thus only putting a secret
> > key without a passphrase on it, for ease of use, because my bank card
> > also has only a PIN. Is there software for such PIN entering for Win
> > and Android available, and if so what Android email client software
> > would you or Andrew recommend, which allows one to use a secret key
> > without
> > a passphrase from a smart card?
> > 
> > Regards
> > Stefan
> > 
> 
> For Android (actually I use /e/ degoogled OS), I use K9Mail and
> OpenKeyChain, together with a NFC Yubikey. I also use PasswordStore for
> all sort of passwords, that I synchronize using git with my other
> devices.

Thanks for the information, much appreciated!

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-09 Thread Stefan Claas
Andrew Gallagher wrote:
 
> On 09/07/2020 13:58, Stefan Claas wrote:
> > Is there software for such PIN entering for Win
> > and Android available
> 
> The standard GPG4win package handles smartcards and PINs. I'm not an
> Android user though, so can't help you there.
> 

Ah, good to know that this works with Windows. Thanks!

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-09 Thread Andrew Gallagher
On 09/07/2020 13:58, Stefan Claas wrote:
> Is there software for such PIN entering for Win
> and Android available

The standard GPG4win package handles smartcards and PINs. I'm not an
Android user though, so can't help you there.

-- 
Andrew Gallagher




Re: Traveling without a secret key

2020-07-09 Thread Stefan Claas
Juergen Bruckner via Gnupg-users wrote:
 
Hi Juergen

> It's a good question what to do if you lose your SC or token.
> Basically, it has to be said that you should definitely have a backup of
> your key. And you have to be very careful with your SC or tokens.
> In principle it is almost the same as losing your credit card or
> passport etc. while traveling; you have to provide alternatives (e.g.
> multiple smartcards).

Since you and Andrew are using smart cards or tokens I would like to
ask the following, prior to considering purchasing one myself in the near
future.

I use Windows 10 and Android (Samsung A40) and would like to know,
in case this is possible with my smartphone and under Windows 10, to
use a smart card where I can enter a PIN, thus only putting a secret
key without a passphrase on it, for ease of use, because my bank card
also has only a PIN. Is there software for such PIN entering for Win
and Android available, and if so what Android email client software
would you or Andrew recommend, which allows one to use a secret key without
a passphrase from a smart card?

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-09 Thread Stefan Claas
Ángel wrote:
 
> On 2020-07-08 at 23:24 +0200, Stefan Claas wrote:
> > Ryan McGinnis via Gnupg-users wrote:
> >  
> > > The thing is, if you can't remember a string of random words, are you 
> > > likely to remember a string of 20 random letters,
> > > numbers, and characters?  Generally, if your non-randomly-generated 
> > > password is easy for you to remember, it's also easy
> > > for a computer to guess.  Diceware is the attempt to make something as easy 
> > > as possible to remember while still being truly
> > > high-entropy.  If you're really paranoid you don't use the javascript 
> > > program to generate your random phrases, you buy an
> > > EFF book and roll some casino dice.  The entropy comes from the dice and 
> > > so is verifiable.
> > 
> > How do I do that when traveling, because I can't memorize the diceware pass 
> > phrase and then roll dice and tell via a
> > non-secure channel my now generated pass phrase, or do I make a mistake now 
> > in thinking?
> 
> You only use the dice suggested by Ryan for creating a new password. 

This is the problem I mean ... When I create a diceware pass phrase with 
dice (prior to traveling)
I can't memorize the words. If I would use the dice after arrival I do not 
have a way to transfer
the pass phrase securely.

[...]

Thanks for explaining the detailed procedure.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-08 Thread Ángel
On 2020-07-08 at 23:24 +0200, Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>  
> > The thing is, if you can't remember a string of random words, are you 
> > likely to remember a string of 20 random letters, numbers,
> > and characters?  Generally, if your non-randomly-generated password is easy 
> > for you to remember, it's also easy for a
> > computer to guess.  Diceware is the attempt to make something as easy as 
> > possible to remember while still being truly
> > high-entropy.  If you're really paranoid you don't use the javascript 
> > program to generate your random phrases, you buy an
> > EFF book and roll some casino dice.  The entropy comes from the dice and so 
> > is verifiable.
> 
> How do I do that when traveling, because I can't memorize the diceware pass 
> phrase and then roll dice and tell via a
> non-secure channel my now generated pass phrase, or do I make a mistake now 
> in thinking?

You only use the dice suggested by Ryan for creating a new password. 
A local program is probably perfectly fine for creating "random"
passwords, though.


If you are traveling, you would do as at home: you bring your password
manager with you. You should probably prepare in advance a list of all
credentials you might need, and then only bring a reduced "travel-size"
version of your stored passwords (you could also take with you a
"simple" one you expect to use and a bigger -not necessarily complete-
one that you expect not to need to unlock).

Note that "bringing" could involve a physical entity, such as a file in
your laptop or a usb key, but also simply the ability to download it
from the internet (after logging into , probably).


You may obviously rotate all those passwords after you are back (as well
as before you depart, if you wish).

You still need to properly protect the master password of that manager,
which should probably involve memorizing it.


If you are only concerned about part of your travel itinerary, such as a
layover at a foreign location with few privacy guarantees, or just until
the time you cross the border (as is the case when crossing the British
or US border, where otherwise constitutional rights are
suspended),[1][2] you could actually deprive yourself from the required
knowledge to decrypt the content.
Let's suppose that you arrive Friday night, and will meet with the
foreign client on Monday, showcasing some company confidential
information to them stored in an encrypted laptop.

You could memorize half of the password, then get told the other half by
phone on Monday morning by your corporate lawyer. You would then a of
being unable to decrypt it while crossing the border, which means you
can't be coerced to provide it. This would make quite sense from the
point of view of the company. The border agents may not be happy with
that, though. And maybe result as well in a not-so-nice experience for
the employee.

On the other hand, if you were targeted by e.g. MI5, you would
probably be returned bugged hardware, and you had better not travel
with a laptop there to begin with.


Kind regards


1- https://www.schneier.com/blog/archives/2008/05/crossing_border.html
2- https://www.thelawforlawyerstoday.com/2018/10/border-searches-of-your-e-device-encryption-may-be-of-limited-value-in-protecting-client-data/






Re: Traveling without a secret key

2020-07-08 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> The thing is, if you can't remember a string of random words, are you likely 
> to remember a string of 20 random letters, numbers,
> and characters?  Generally, if your non-randomly-generated password is easy 
> for you to remember, it's also easy for a
> computer to guess.  Diceware is the attempt to make something as easy as 
> possible to remember while still being truly
> high-entropy.  If you're really paranoid you don't use the javascript program 
> to generate your random phrases, you buy an
> EFF book and roll some casino dice.  The entropy comes from the dice and so 
> is verifiable.

How do I do that when traveling, because I can't memorize the diceware pass 
phrase and then roll dice and tell via a
non-secure channel my now generated pass phrase, or do I make a mistake now in 
thinking?

> Probably the best PGP key passphrase would be to have some sort of high 
> security locally stored password manager like
> KeepassXC, encrypt that password database with a good long diceware 
> passphrase that you train yourself to remember, and then
> have that program generate some random 30 or 40 character gibberish passwords 
> to copypasta into PGP when it asks.  While
> you're at it, use that to create different random passwords for every site 
> and service you use.

Well, for home usage, I have an offline computer, when using PGP, but I wanted 
to show/know a good way, for traveling.

Regards
Stefan


-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-08 Thread vedaal via Gnupg-users



On 7/8/2020 at 3:49 PM, "Juergen Bruckner via Gnupg-users" wrote:

>Basically, it has to be said that you should definitely have a 
>backup of your key. And you have to be very careful with your SC or tokens.
>In principle it is almost the same as losing your credit card or
>passport etc. while traveling; you have to provide alternatives 
>(e.g.
>multiple smartcards).

=

There is an alternative travel approach that works for me:

[1] No real keyring on my laptop, (just a dummy one to be able to use GnuPG 2.x 
on the laptop)

[2] Bootable 1 tb usb,(same size as ordinary usb drive), which has bootable 
ubuntu OS on it, 
with the keyrings in a Veracrypt container after Ubuntu loads.
(Ubuntu allows for the entire bootable drive to be encrypted, doesn't need 
yubi, or other programs. 
It can make the usb drive bootable using ubuntu OS installation options).

Laptop can be used for everything not requiring a secret key.

In event that a secret key needs to be used, (decrypt, sign, authenticate, 
etc), the laptop can be booted from the usb drive.

Also, have a backup of the keyring in a Veracrypt container that easily fits on 
a microSD card in any android phone with a microSD slot.


vedaal




Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
The thing is, if you can't remember a string of random words, are you likely to 
remember a string of 20 random letters, numbers, and characters?  Generally, if 
your non-randomly-generated password is easy for you to remember, it's also 
easy for a computer to guess.  Diceware is the attempt to make something as easy 
as possible to remember while still being truly high-entropy.  If you're really 
paranoid you don't use the javascript program to generate your random phrases, 
you buy an EFF book and roll some casino dice.  The entropy comes from the dice 
and so is verifiable.  


Probably the best PGP key passphrase would be to have some sort of high 
security locally stored password manager like KeepassXC, encrypt that password 
database with a good long diceware passphrase that you train yourself to 
remember, and then have that program generate some random 30 or 40 character 
gibberish passwords to copypasta into PGP when it asks.  While you're at it, 
use that to create different random passwords for every site and service you 
use.


-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 2:40 PM, Stefan Claas  wrote:

> Ryan McGinnis via Gnupg-users wrote:
> 

> > Went to a security seminar where I asked a random FBI agent after a 
> > presentation about passwords; he said just to get into
> > their personal terminals it was something like 17 characters minimum and 
> > that the passwords were randomly generated letters
> > and numbers and symbols and that they were changed fairly often. If you're 
> > trying to protect something from offline brute
> > forcing and the password is the weak point, you're probably best off coming 
> > up with a really long randomly generated diceware
> > phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.
> 

> Thanks for the info! Regarding diceware, I looked into it long ago, but must 
> admit I am not good at remembering many word
> sequences, for many strong passwords, even if diceware words are easy once.
> 

> Regards
> Stefan
> 

> 
> 

> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion




Re: Traveling without a secret key

2020-07-08 Thread Juergen Bruckner via Gnupg-users
Hello Stefan,

despite my cooperation with the p≡p foundation, the lack of support for
smart cards and tokens is THE knockout criterion why I do not use
sequoia pgp.

It's a good question what to do if you lose your SC or token.
Basically, it has to be said that you should definitely have a backup of
your key. And you have to be very careful with your SC or tokens.
In principle it is almost the same as losing your credit card or
passport etc. while traveling; you have to provide alternatives (e.g.
multiple smartcards).

regards
Juergen

On 08.07.20 at 21:17 Stefan Claas wrote:
> Juergen Bruckner via Gnupg-users wrote:
>  
>> Well I think that's one more reason why you need a smart card or token
>> like GnuPG-Card or Nitrokey (or a Yubikey for my sake).
> 
> Hi Juergen,
> 
> well the thing is I no longer use GnuPG and instead sequoia pgp, which
> currently has no smart-card support IIRC.
> 
> And regarding smart cards, what do people do when they are traveling
> and the smart card gets broken or lost by accident?
> 
> Regards
> Stefan
> 

-- 
Juergen M. Bruckner
juergen@bruckner.email




Re: Traveling without a secret key

2020-07-08 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> Went to a security seminar where I asked a random FBI agent after a 
> presentation about passwords; he said just to get into
> their personal terminals it was something like 17 characters minimum and that 
> the passwords were randomly generated letters
> and numbers and symbols and that they were changed fairly often.  If you're 
> trying to protect something from offline brute
> forcing and the password is the weak point, you're probably best off coming 
> up with a really long randomly generated diceware
> phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.

Thanks for the info! Regarding diceware, I looked into it long ago, but must 
admit I am not good at remembering many word
sequences, for many strong passwords, even if diceware words are easy once.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-08 Thread Andrew Gallagher


> On 8 Jul 2020, at 20:17, Stefan Claas wrote:
> 
> And regarding smart cards, what do people do when they are traveling
> and the smart card gets broken or lost by accident?

Multiple smart cards. If you quit rather than save after transferring your 
subkeys to smart card, they remain on disk and you can transfer them again. I 
recommend keeping a backup of your encryption key at least, on a safe offline 
medium such as a Tails persistent volume.

A


Re: Traveling without a secret key

2020-07-08 Thread Stefan Claas
Juergen Bruckner via Gnupg-users wrote:
 
> Well I think that's one more reason why you need a smart card or token
> like GnuPG-Card or Nitrokey (or a Yubikey for my sake).

Hi Juergen,

well the thing is I no longer use GnuPG and instead sequoia pgp, which
currently has no smart-card support IIRC.

And regarding smart cards, what do people do when they are traveling
and the smart card gets broken or lost by accident?

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
Went to a security seminar where I asked a random FBI agent after a 
presentation about passwords; he said just to get into their personal terminals 
it was something like 17 characters minimum and that the passwords were 
randomly generated letters and numbers and symbols and that they were changed 
fairly often.  If you're trying to protect something from offline brute forcing 
and the password is the weak point, you're probably best off coming up with a 
really long randomly generated diceware phrase (7 words ought to be safe) 
https://www.rempe.us/diceware/#eff.

I always figure that if you upset a nation-state enough that they're willing to 
throw their supercomputers at you to get at your goodies, they'll likely just 
tie you up and brute force your body until they get what they need.

-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 11:36 AM, Stefan Claas  wrote:

> Ryan McGinnis via Gnupg-users wrote:
> 

> > Six years ago Snowden said to assume the NSA can try roughly 1 Trillion 
> > passwords per second. I imagine it's significantly
> > more by now.
> 

> Holy cow! That raises then probably one more question, i.e. the required 
> minimum length for a strong password nowadays.
> 

> Regards
> Stefan
> 

> --
> 

> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion




Re: Traveling without a secret key

2020-07-08 Thread Juergen Bruckner via Gnupg-users
Well I think that's one more reason why you need a smart card or token
like GnuPG-Card or Nitrokey (or a Yubikey for my sake).

Regards
Juergen

On 08.07.20 at 18:36 Stefan Claas wrote:
> Ryan McGinnis via Gnupg-users wrote:
>  
>> Six years ago Snowden said to assume the NSA can try roughly 1 Trillion 
>> passwords per second.  I imagine it's significantly
>> more by now.  
> 
> Holy cow! That raises then probably one more question, i.e. the required 
> minimum length for a strong password nowadays.
> 
> Regards
> Stefan
> 

-- 
Juergen M. Bruckner
juergen@bruckner.email




Re: Traveling without a secret key

2020-07-08 Thread Stefan Claas
Ryan McGinnis via Gnupg-users wrote:
 
> Six years ago Snowden said to assume the NSA can try roughly 1 Trillion 
> passwords per second.  I imagine it's significantly
> more by now.  

Holy cow! That raises then probably one more question, i.e. the required 
minimum length for a strong password nowadays.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-08 Thread Ryan McGinnis via Gnupg-users
Six years ago Snowden said to assume the NSA can try roughly 1 Trillion 
passwords per second.  I imagine it's significantly more by now.  



-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐ Original Message ‐‐‐
On Wednesday, July 8, 2020 6:33 AM, Stefan Claas  wrote:

> Andrew Gallagher wrote:

> Do they store the information, like I do with my humble approach? I have read 
> years ago that for example
> the NSA is capable of searching for seven billion passwords per second.



Re: Traveling without a secret key

2020-07-08 Thread Stefan Claas
Andrew Gallagher wrote:
 
> Entropy checkers only provide an *estimate* of randomness, at best an upper 
> bound. Once you know that someone has used a
> particular key expansion algorithm, the entropy estimate can go down 
> dramatically. This is because randomness is a measure of
> ignorance, and new information changes the calculation (cf the Monty Hall 
> problem).

Thanks for the info, much appreciated!

I must admit that I have not looked how GnuPG saves passwords, or better pass 
phrases. I would assume
that GnuPG does also additional salting and/or stretching.

The questions for me would be how those password cracking databases store 
passwords, when doing brute force.

Do they store the information, like I do with my humble approach? I have read 
years ago that for example
the NSA is capable of searching for seven billion passwords per second.

Additionally I could use my humble approach and tell people the following:

(Let's assume I would use 'Holidays Day 1, 2, 3 etc.') I could tell them also L 
or R 3 (delete 3 chars
at left or right from the strong string), and add 'house' and 'mouse' to the 
left and/or right.

This would then IMHO not match the database strings anymore, in case they look 
like my approach.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-08 Thread Andrew Gallagher
Entropy checkers only provide an *estimate* of randomness, at best an upper 
bound. Once you know that someone has used a particular key expansion 
algorithm, the entropy estimate can go down dramatically. This is because 
randomness is a measure of ignorance, and new information changes the 
calculation (cf the Monty Hall problem).

Andrew Gallagher

> On 8 Jul 2020, at 11:53, Stefan Claas  wrote:
> 
> Ingo Klöcker wrote:
> 
>>> On Tuesday, 7 July 2020 22:42:07 CEST Stefan Claas wrote:
>>> Let's say you travel a lot and do not want to risk that your secret key
>>> gets compromised due to border control etc.
>>> 
>>> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
>>> the key and the passphrase is needed, one simply issues:
>>> 
>>> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
>>> and then one gets a string with an entropy of over 200, which is more than
>>> secure. This would IMHO allow one to have a strong passphrase but generated
>>> with an easy to remember password.
>> 
>> I'm sorry, but you cannot increase the entropy of "simple password" by 
>> hashing 
>> it. What you propose is "security by obscurity". And that was never a good 
>> idea.
> 
> Well, if I use a simple password like: 'Holidays Day 1' and run it through:
> 
> http://rumkin.com/tools/password/passchk.php for example
> 
> it gives an entropy of 62.6 bits.
> 
> If I use now this simple password and run it through my program the result is:
> 
> e|}]2$8$lI#:#h%|$}ody#$RT;$L4^qm??D (sha256+base91)
> 
> and 
> 
> C9+v21t+2y8atf5y+Yj/TqHenVC//q20WbjzM+jtcLA= (sha256+base64)
> 
> which gives an entropy of 192.3 and 234.2.
> 
> Regards
> Stefan
> 
> -- 
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
> 


Re: Traveling without a secret key

2020-07-08 Thread Stefan Claas
Ingo Klöcker wrote:
 
> On Tuesday, 7 July 2020 22:42:07 CEST Stefan Claas wrote:
> > Let's say you travel a lot and do not want to risk that your secret key
> > gets compromised due to border control etc.
> > 
> > One simply uses the program passphrase2pgp, from GitHub[1] and when creating
> > the key and the passphrase is needed, one simply issues:
> > 
> > echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
> > and then one gets a string with an entropy of over 200, which is more than
> > secure. This would IMHO allow one to have a strong passphrase but generated
> > with an easy to remember password.
> 
> I'm sorry, but you cannot increase the entropy of "simple password" by 
> hashing 
> it. What you propose is "security by obscurity". And that was never a good 
> idea.

Well, if I use a simple password like: 'Holidays Day 1' and run it through:

http://rumkin.com/tools/password/passchk.php for example

it gives an entropy of 62.6 bits.

If I use now this simple password and run it through my program the result is:

e|}]2$8$lI#:#h%|$}ody#$RT;$L4^qm??D (sha256+base91)

and 

C9+v21t+2y8atf5y+Yj/TqHenVC//q20WbjzM+jtcLA= (sha256+base64)

which gives an entropy of 192.3 and 234.2.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key (was: As a fan of GnuPG ... )

2020-07-08 Thread Ingo Klöcker
On Tuesday, 7 July 2020 22:42:07 CEST Stefan Claas wrote:
> Let's say you travel a lot and do not want to risk that your secret key
> gets compromised due to border control etc.
> 
> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
> the key and the passphrase is needed, one simply issues:
> 
> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
> and then one gets a string with an entropy of over 200, which is more than
> secure. This would IMHO allow one to have a strong passphrase but generated
> with an easy to remember password.

I'm sorry, but you cannot increase the entropy of "simple password" by hashing 
it. What you propose is "security by obscurity". And that was never a good 
idea.

Regards,
Ingo


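Ingo's point above, that a deterministic hash cannot add entropy to "simple password", and Stefan's checker figures for the same scheme are worth seeing side by side. The following Go program is an added example, not code from the thread: it uses only base64 (no base91 module), and its character-class estimator and the "Holidays Day N" candidate list are constructed stand-ins for the web checker and for the real space of memorable passwords.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math"
)

// Derive reproduces the scheme under discussion: SHA-256 of the memorable
// password, base64-encoded (the base91 variant is left out; the argument
// is the same for any encoding). Same input, same 44-character output.
func Derive(password string) string {
	sum := sha256.Sum256([]byte(password))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NaiveEntropyBits is a simple character-class estimator of the kind a web
// password checker uses (assumption: not the rumkin.com algorithm itself).
// It judges the string by its appearance only: length * log2(alphabet).
func NaiveEntropyBits(s string) float64 {
	var lower, upper, digit, other bool
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= '0' && r <= '9':
			digit = true
		default:
			other = true
		}
	}
	alphabet := 0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if other {
		alphabet += 33 // printable ASCII punctuation and space
	}
	return float64(len([]rune(s))) * math.Log2(float64(alphabet))
}

// ProcessEntropyBits is the figure that matters for a guessing attack:
// log2 of how many inputs the generating process could have produced.
// A deterministic hash cannot add to it, so the derived string inherits
// min(input bits, 256) for SHA-256, whatever the checker reports.
func ProcessEntropyBits(candidates int) float64 {
	return math.Min(math.Log2(float64(candidates)), 256)
}

// HolidayCandidates is a constructed input space following the
// 'Holidays Day 1, 2, 3 etc.' pattern mentioned in the thread.
func HolidayCandidates(days int) []string {
	out := make([]string, 0, days)
	for d := 1; d <= days; d++ {
		out = append(out, fmt.Sprintf("Holidays Day %d", d))
	}
	return out
}

// MatchDerived shows the consequence: whoever knows the scheme hashes each
// candidate memorable password and compares. It returns the matching
// candidate and how many hashes that took, or "" and len(candidates).
func MatchDerived(derived string, candidates []string) (string, int) {
	for i, c := range candidates {
		if Derive(c) == derived {
			return c, i + 1
		}
	}
	return "", len(candidates)
}

func main() {
	candidates := HolidayCandidates(365)
	derived := Derive("Holidays Day 1")
	fmt.Printf("derived:          %s\n", derived)
	fmt.Printf("checker estimate: %.1f bits\n", NaiveEntropyBits(derived))
	fmt.Printf("process entropy:  %.1f bits (%d candidates)\n",
		ProcessEntropyBits(len(candidates)), len(candidates))
	found, tries := MatchDerived(derived, candidates)
	fmt.Printf("recovered %q after %d hashes\n", found, tries)
}
```

The checker reports well over 200 bits for the 44-character string, while the process that produced it offers about 8.5 bits against anyone who knows the pattern.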

Re: Traveling without a secret key (was: As a fan of GnuPG ... )

2020-07-07 Thread Philihp Busby via Gnupg-users
Regenerating your secret key like this is perhaps dangerous and easy to do 
wrong, for example you will probably leak it in your shell's history. If an 
attacker finds out this is your scheme, they can then start to brute force your 
secret key without needing any access to your data, which happened with 
Brainflayer[1].

Since your secret key is stored symmetrically-encrypted with a passphrase, it's 
not game over if it gets leaked (e.g. border control). It is a concern that you 
could have leaked it without knowing, and your passphrase could _eventually_ be 
cracked; better would be to put it on a smart-card like a Yubikey, which will 
only give Mallory a couple of chances to guess before the tape self-destructs.

[1] 
https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

On 2020-07-07T22:42:07+0200 Stefan Claas  wrote 1.9K bytes:

> Stefan Claas wrote:
>  
> > ... you should try this out in your terminal and look at the beginning
> > of the output:
> > 
> > $ echo 1fccaf3d | xxd -r -p | openssl dgst -sha256 -binary | openssl enc
> > -base64
> 
> I thought about this technique a bit for easy to remember passwords, which
> can be converted to strong passwords.
> 
> Let's say you travel a lot and do not want to risk that your secret key
> gets compromised due to border control etc.
> 
> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
> the key and the passphrase is needed, one simply issues:
> 
> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
> and then one gets a string with an entropy of over 200, which is more than
> secure. This would one IMHO allow to have a strong passphrase but generated
> with an easy to remember password.
> 
> Here's a little Go program, which does this without the above commands,
> so that it can be used on Windows without OpenSSL:
> 
> package main
> 
> import (
>   "crypto/sha256"
>   "bufio"
>   "os"
>   "fmt"
>   "encoding/base64"
> 
>   "ekyu.moe/base91"
> )
> 
> func main(){
> scanner := bufio.NewScanner(os.Stdin)
> scanner.Scan() // use `for scanner.Scan()` to keep reading
> src := scanner.Text()
> hash := sha256.Sum256([]byte(src))
> fmt.Println(base91.EncodeToString([]byte(hash[:])))
> fmt.Println(base64.StdEncoding.EncodeToString(hash[:]))
> }
> 
> One simply starts the program and then types the easy to
> remember password and presses enter and the program returns
> a base91 and base64 string to choose from.
> 
> And with passphrase2pgp one needs always to remember the
> Unix Epoch Time, for key creation, so that always the
> same secret key will be generated.
> 
> [1] https://github.com/skeeto/passphrase2pgp
> 
> Regards
> Stefan
> 
> -- 
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
> 



Re: Traveling without a secret key

2020-07-07 Thread Stefan Claas
Stefan Claas wrote:

> Well, just a thought ... because I thought about the entropy for a strong 
> password, while it can be memorized
> easily.

P.S. I would also say there is a difference between the article you linked to 
and my approach.

With the brainflayer approach one enters his/her easy to remember password into 
the Bitcoin software and then it
gets converted to a secret key, which then can be brute forced easily, like the 
article states.

With my humble approach one would input the strong password, derived from the 
easy to remember one.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key (was: As a fan of GnuPG ... )

2020-07-07 Thread Stefan Claas
Philihp Busby wrote:
 
> Regenerating your secret key like this is perhaps dangerous and easy to do 
> wrong, for example you will probably leak it in
> your shell's history. If an attacker finds out this is your scheme, they can 
> then start to brute force your secret key
> without need any access to your data, which happened with Brainflayer[1].
> 
> Since your secret key is stored symmetrically-encrypted with a passphrase, 
> it's not game over if it gets leaked (e.g. border
> control). It is a concern that you could have leaked without knowing, and 
> your passphrase could _eventually_ being cracked;
> better would be to put it on a smart-card like an Yubikey, which will only 
> give Mallory a couple chances to guess before the
> tape self-destructs.
> 
> [1] 
> https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

Thanks for the valuable input!

While the echo and OpenSSL commands leave it in your history, the Go program 
does not display it in history.

Also, when using a Windows computer without gpg4win installed, this could 
maybe be useful too, because nobody would
see that you have GnuPG installed and one installs it only after arrival.

Or one could use this technique with other symmetric encryption software, or for 
login credentials, telling family
and friends only the easy to use password prior to departure, which then can also 
be changed daily with a scheme
like password = 'Holidays Day 1', next day 'Holidays Day 2' etc. 

Well, just a thought ... because I thought about the entropy for a strong 
password, while it can be memorized
easily.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



Re: Traveling without a secret key

2020-07-07 Thread Stefan Claas
Stefan Claas wrote:
 
> Stefan Claas wrote:

[...]

> Here's a little Go program, which does this without the above commands,
> so that it can be used on Windows without OpenSSL:
> 
> package main
> 
> import (
>   "crypto/sha256"
>   "bufio"
>   "os"
>   "fmt"
>   "encoding/base64"
> 
>   "ekyu.moe/base91"
> )
> 
> func main(){
> scanner := bufio.NewScanner(os.Stdin)
> scanner.Scan() // use `for scanner.Scan()` to keep reading
> src := scanner.Text()
> hash := sha256.Sum256([]byte(src))
> fmt.Println(base91.EncodeToString([]byte(hash[:])))
> fmt.Println(base64.StdEncoding.EncodeToString(hash[:]))
> }

Forgot to mention, issue a 'go get -u ekyu.moe/base91' prior compiling.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion


