Re: A question about WKD

2019-01-02 Thread Stefan Claas
On Wed, 2 Jan 2019 11:18:25 +0100, Wiktor Kwapisiewicz wrote:

Hi Wiktor,

> Revoke your current key locally and generate a new one, now export both binary
> keys (that includes revocation) to a file. Place it in .well-known/openpgpkey/hu
> overwriting the old file.
> 
> Now, when GnuPG does --locate-key it will fetch both keys, revoke your old one
> and add the new one.

Thank you very much, I did not know that it can be done this way.
 
> If someone already has your old key GnuPG will do the fetch automatically when
> the old key expires (you didn't use expiry as far as I can see so it won't
> happen automatically).
> 
> One can still "force" the WKD refresh using:
> 
> $ gpg --auto-key-locate clear,wkd,nodefault --locate-key s...@300baud.de
> 
> I just tested this all with some dummy key on my end and it worked just fine...
> hope it works on your end too.

I hope so too and I will see once I have the new key.

> As for signing, if you specify signing key using "e-mail notation" GnuPG will
> embed Signer's UID packet and when the recipient uses --auto-key-retrieve it
> will grab your key using WKD instead of keyservers. But I didn't test what would
> happen if the old key is already present in the keyring that doesn't match the
> signature, probably nothing.

That's interesting and I must admit I did not know this either, so thanks again!

> (You can inspect this file with pgpdump if you want to see the packet:
> $ curl https://metacode.biz/.well-known/security.txt | pgpdump
> )

O.k. 

> Happy New Year!

Happy New Year!

Best regards
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: A question about WKD

2019-01-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 01.01.2019 13:19, Stefan Claas wrote:
> Hi Wiktor and all,
> 
> since my current WKD key is a temporary key I would like to know
> for best practice the following:
> 
> In a couple of days I will receive my Kanguru Defender 3000 USB stick
> and then I will create a new key pair and put it on the stick, along
> with other things. This key will then also be signed by Governikus.
> 
> Because WKD currently does not cover revocation certs I would like
> to know how to continue. Should I then upload my revoked temp
> key to SKS or should I simply replace the keys? If possible I would
> like to avoid SKS usage in the future.
> 
> Does GnuPG detect when I use a new WKD pub key, once I have signed
> a new message?

Stefan,

Revoke your current key locally and generate a new one, now export both binary
keys (that includes revocation) to a file. Place it in .well-known/openpgpkey/hu
overwriting the old file.

Now, when GnuPG does --locate-key it will fetch both keys, revoke your old one
and add the new one.

If someone already has your old key GnuPG will do the fetch automatically when
the old key expires (you didn't use expiry as far as I can see so it won't
happen automatically).

One can still "force" the WKD refresh using:

$ gpg --auto-key-locate clear,wkd,nodefault --locate-key s...@300baud.de

I just tested this all with some dummy key on my end and it worked just fine...
hope it works on your end too.

As for signing, if you specify signing key using "e-mail notation" GnuPG will
embed Signer's UID packet and when the recipient uses --auto-key-retrieve it
will grab your key using WKD instead of keyservers. But I didn't test what would
happen if the old key is already present in the keyring that doesn't match the
signature, probably nothing.

(You can inspect this file with pgpdump if you want to see the packet:
$ curl https://metacode.biz/.well-known/security.txt | pgpdump
)

Happy New Year!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor



Re: A question about WKD

2019-01-01 Thread Dirk Gottschalk via Gnupg-users
Hello Stefan.

On Tuesday, 01.01.2019, 13:19 +0100, Stefan Claas wrote:
> On Sat, 29 Dec 2018 20:18:54 +0100, Wiktor Kwapisiewicz via Gnupg-
> users wrote:
> > On 29.12.2018 15:48, Stefan Claas wrote:
> > > Hi all,

> > Just create more files in .well-known/openpgpkey/hu directory.

> since my current WKD key is a temporary key I would like to know
> for best practice the following:

> In a couple of days I will receive my Kanguru Defender 3000 USB stick
> and then I will create a new key pair and put it on the stick, along
> with other things. This key will then also be signed by Governikus.

> Because WKD currently does not cover revocation certs I would like
> to know how to continue. Should I then upload my revoked temp
> key to SKS or should I simply replace the keys? If possible I would
> like to avoid SKS usage in the future.

> Does GnuPG detect when I use a new WKD pub key, once I have signed
> a new message?

I would at least publish the revocation via the SKS servers.

GPG searches all keys on the SKS-Servers, regardless of their origin.
So during a refresh the revocation is added to the keyring, AFAIK.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac





Re: A question about WKD

2019-01-01 Thread Stefan Claas
On Tue, 1 Jan 2019 13:19:34 +0100, Stefan Claas wrote:

> Hi Wiktor and all,

I wish everybody a Happy New Year 2019!

Best regards
Stefan




Re: A question about WKD

2019-01-01 Thread Stefan Claas
On Sat, 29 Dec 2018 20:18:54 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> On 29.12.2018 15:48, Stefan Claas wrote:
> > Hi all,
> > 
> > is it also possible to add manually more pub keys to WKD
> > or do I have to install WKS for that purpose?
> > 
> > I ask because I might like to add more users to my
> > mail server.
> 
> Just create more files in .well-known/openpgpkey/hu directory.

Hi Wiktor and all,

since my current WKD key is a temporary key I would like to know
for best practice the following:

In a couple of days I will receive my Kanguru Defender 3000 USB stick
and then I will create a new key pair and put it on the stick, along
with other things. This key will then also be signed by Governikus.

Because WKD currently does not cover revocation certs I would like
to know how to continue. Should I then upload my revoked temp
key to SKS or should I simply replace the keys? If possible I would
like to avoid SKS usage in the future.

Does GnuPG detect when I use a new WKD pub key, once I have signed
a new message?

Regards
Stefan




Re: A question about WKD

2018-12-29 Thread Stefan Claas
On Sat, 29 Dec 2018 20:18:54 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> On 29.12.2018 15:48, Stefan Claas wrote:

> Just create more files in .well-known/openpgpkey/hu directory.

Ah, o.k. thanks!

> I didn't follow how you set it up initially but you can grab the file name
> (hash) using this command:
> 
> $ gpg --with-wkd -k KEY
> 
> Substitute KEY with key ID or an email, etc.
> 
> For example  for me it prints the following line of hash:
> 
> gebusffkx9g581i6ch4t3ewgwd6dc...@metacode.biz
> 
> If you export binary key to .well-known/openpgpkey/hu and name it
> "gebusffkx9g581i6ch4t3ewgwd6dctmp" (no quotes, no extension, just like that)
> then it would work.

I did the same steps.

> WKS is not needed. Actually WKS is only when you want users to manage their keys
> using their e-mail client. I know other people that manage WKD differently, e.g.
> Gentoo has a strict set of known keys and they update their WKD directory with a
> cron job (so developers update the key on keyservers and WKD is automatically
> refreshed).

Good to know! :-)

> I did a small proof-of-concept checker for small deployments, that you may find
> useful: https://metacode.biz/openpgp/web-key-directory

That is very interesting! I checked Werner's, yours and my key.

With yours everything is fine, with Werner's there is one issue and
with mine the same issue as with Werner's; it also says of my key that
it is ASCII armored, which is not the case because I exported it as binary.

I also asked several people on Win / Mac boxes, who could get my key
via WKD. You could also fetch my key with your latest GnuPG version,
under Linux, IIRC.

Regards
Stefan



Re: A question about WKD

2018-12-29 Thread Wiktor Kwapisiewicz via Gnupg-users
On 29.12.2018 20:50, Stefan Claas wrote:
>> I did a small proof-of-concept checker for small deployments, that you may find
>> useful: https://metacode.biz/openpgp/web-key-directory
> That is very interesting! I checked Werner's, yours and my key.
> 
> With yours everything is fine, with Werner's there is one issue and
> with mine the same issue as with Werner's and also it says with my key that
> it is ASCII armored, which is not the case because i exported as binary.

Ha, I didn't emphasize the "proof of concept" enough :)

Thanks for the "test samples", I'll use them to improve the tool!

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor



Re: A question about WKD

2018-12-29 Thread Wiktor Kwapisiewicz via Gnupg-users
On 29.12.2018 15:48, Stefan Claas wrote:
> Hi all,
> 
> is it also possible to add manually more pub keys to WKD
> or do I have to install WKS for that purpose?
> 
> I ask because I might like to add more users to my
> mail server.

Just create more files in .well-known/openpgpkey/hu directory.

I didn't follow how you set it up initially but you can grab the file name
(hash) using this command:

$ gpg --with-wkd -k KEY

Substitute KEY with key ID or an email, etc.

For example  for me it prints the following line of hash:

gebusffkx9g581i6ch4t3ewgwd6dc...@metacode.biz

If you export binary key to .well-known/openpgpkey/hu and name it
"gebusffkx9g581i6ch4t3ewgwd6dctmp" (no quotes, no extension, just like that)
then it would work.

WKS is not needed. Actually WKS is only when you want users to manage their keys
using their e-mail client. I know other people that manage WKD differently, e.g.
Gentoo has a strict set of known keys and they update their WKD directory with a
cron job (so developers update the key on keyservers and WKD is automatically
refreshed).

I did a small proof-of-concept checker for small deployments, that you may find
useful: https://metacode.biz/openpgp/web-key-directory

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

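As an added example (not code from the thread, from Wiktor's checker or from GnuPG) of the file naming Wiktor describes above: it derives the hu/ hash that `gpg --with-wkd -k KEY` prints, builds the direct- and advanced-method URLs a client fetches, and checks that a downloaded file is a binary key rather than an ASCII-armored export (the problem the checker reported on Stefan's key earlier on the page). The z-base-32 alphabet and the Joe.Doe@Example.ORG vector come from the WKD draft; the fetch_key helper and the sample packet bytes are constructed here.

```python
"""WKD hu/ hash, lookup URLs and a binary-vs-armor check (added example,
not code from the mailing-list thread or from GnuPG).

Alphabet and the Joe.Doe@Example.ORG vector: WKD draft. Sample bytes in
the __main__ block are constructed here."""
import hashlib
import ssl
import urllib.request
from typing import Dict, Optional
from urllib.parse import quote

# z-base-32 alphabet specified by the WKD draft for the local-part hash.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: MSB-first 5-bit groups, no padding."""
    bits = len(data) * 8
    n = int.from_bytes(data, "big")
    rem = bits % 5
    if rem:                      # right-pad a partial trailing group
        n <<= 5 - rem
        bits += 5 - rem
    return "".join(ZB32_ALPHABET[(n >> (bits - 5 * (i + 1))) & 31]
                   for i in range(bits // 5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars).

    This is the file name under .well-known/openpgpkey/hu/ and what
    `gpg --with-wkd -k` shows in front of '@domain'."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Dict[str, str]:
    """Return the hash and both lookup URLs for an address.

    The draft hashes the lower-cased local part, lower-cases the domain,
    and hands the original local part back in the `l` query parameter so
    a server can serve case-sensitive mailboxes. Clients try the advanced
    method (openpgpkey subdomain) first, then the direct one."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    l_param = quote(local, safe="")
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
        "advanced": (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                     f"{domain}/hu/{h}?l={l_param}"),
    }


def classify_key_file(data: bytes) -> str:
    """Classify a downloaded hu/ file: 'binary', 'armored' or 'unknown'.

    WKD requires a binary transferable public key, which starts with a
    Public-Key packet (tag 6). In OpenPGP the first byte always has bit 7
    set; bit 6 selects the new packet format (tag in the low 6 bits)
    versus the old format (tag in bits 2..5). An ASCII-armored export,
    which GnuPG will not accept from WKD, starts with '-----BEGIN PGP'."""
    if data.startswith(b"-----BEGIN PGP"):
        return "armored"
    if not data or not data[0] & 0x80:
        return "unknown"
    first = data[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return "binary" if tag == 6 else "unknown"


def fetch_key(url: str, cafile: Optional[str] = None,
              timeout: float = 10.0) -> bytes:
    """Download a hu/ file with full certificate verification, as dirmngr
    does; a trust store that lacks the site's issuing CA is one way to end
    up with 'Not trusted'. `cafile` overrides the system store so the
    failing client's view can be reproduced with a specific bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    info = wkd_urls("Joe.Doe@Example.ORG")
    print(info["hash"])        # iy9q119eutrkn8s1mk4r39qejnbu3n5q (draft vector)
    print(info["direct"])
    print(info["advanced"])
    # Constructed first bytes of an old-format Public-Key packet (tag 6).
    print(classify_key_file(b"\x99\x01\x0e\x04"))                         # binary
    print(classify_key_file(b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"))   # armored
```

To check a live deployment, pass `wkd_urls(addr)["direct"]` to `fetch_key` and run `classify_key_file` on the bytes; the hash it prints should match the file name `gpg --with-wkd -k` reports.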


Re: A question about WKD

2018-12-29 Thread Stefan Claas

On 27.12.18 at 23:43, Stefan Claas wrote:

> However, it would be nice to know why GnuPG told me
> that the certs are not trusted. I googled for that but could
> not find anything.
> 
> Regards
> Stefan

Hi all,

is it also possible to add manually more pub keys to WKD
or do I have to install WKS for that purpose?

I ask because I might like to add more users to my
mail server.

Regards
Stefan



Re: A question about WKD

2018-12-27 Thread Stefan Claas


On Thu, 27 Dec 2018 20:48:09 +0100, Wiktor Kwapisiewicz wrote:

> It works "on my end" too (GnuPG 2.2.12 on Linux).  

That is good to know!
 
> Did you try fetching some "well-known" WKD people? E.g.:
> 
> $ gpg --auto-key-locate clear,wkd,nodefault --locate-key w...@gnupg.org  

No, I did not.

> There is also "--debug lookup" flag, and "-vvv":
> 
> $ gpg -vvv --debug lookup --auto-key-locate clear,wkd,nodefault --locate-key EMAIL

Thanks for the info. Should this happen again I will try that.

> Do you have anything "exotic" in .gnupg/gpg.conf?  

No, actually not.

I downloaded GPGTools and extracted the binaries, but had no luck.

Then I built from source, which compiled fine, and it worked with the
old agents from MacPorts, which I still have installed. But I did
not like that combination. So I tried to set it up in such a way that
it does not use the MacPorts agents, but it failed.

Finally I decided to update MacPorts and now I am using
GnuPG 2.2.10, which is the latest there.

With the MacPorts version everything works as expected.

However, it would be nice to know why GnuPG told me
that the certs are not trusted. I googled for that but could
not find anything.

Regards
Stefan 



Re: A question about WKD

2018-12-27 Thread Wiktor Kwapisiewicz via Gnupg-users
On 26.12.2018 10:39, Stefan Claas wrote:
> Hi all,
> 
> hope you all had a nice Christmas!
> 
> I have set up WKD on my VPS, in order to learn more about it and get now
> the following error:
> 
> gpg --encrypt -r s...@300baud.de OpenSSL.txt
> gpg: error retrieving 's...@300baud.de' via WKD: Not trusted
> gpg: s...@300baud.de: skipped: Not trusted
> gpg: OpenSSL.txt: encryption failed: Not trusted
> 
> I assume that dirmngr is downloading my cert and thinks it
> is not trusted. However, my site uses a popular Comodo cert.
> 
> Any ideas what is going on here and how to fix this?

It works "on my end" too (GnuPG 2.2.12 on Linux).

Did you try fetching some "well-known" WKD people? E.g.:

$ gpg --auto-key-locate clear,wkd,nodefault --locate-key w...@gnupg.org

My first guess would also be a bad certificate bundle but when I try using "bad"
domains from this list https://badssl.com the error is:

gpg: error retrieving 't...@expired.badssl.com' via WKD: General error
gpg: error reading key: General error

Rather than "not trusted" (maybe you could try experimenting with these domains
to see if the error is different).

There is also "--debug lookup" flag, and "-vvv":

$ gpg -vvv --debug lookup --auto-key-locate clear,wkd,nodefault --locate-key EMAIL

Maybe that'd print something useful?

Do you have anything "exotic" in .gnupg/gpg.conf?

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor



Re: A question about WKD

2018-12-27 Thread Stefan Claas
On Thu, 27 Dec 2018 18:19:11 +0100, Stefan Claas wrote:
> On Thu, 27 Dec 2018 16:01:52 +0100, Stefan Claas wrote:
> 
> > As a test I also created a blank .gnupg folder and tried to encrypt but it still
> > says not trusted. I have run out of ideas now and I will contact Patrick Brunschwig
> > and wait what he says, because he is the maintainer of the SourceForge
> > binary.
> 
> O.k. I received a reply from Patrick. As I understood it, he uses the original
> code from GnuPG. So it looks to me that under Linux, or when using
> his version, one must properly configure GnuPG in order for this to work.

I received a second reply and it works for him. He also gave me some advice,
but it still does not work for me, strange.

Regards
Stefan



Re: A question about WKD

2018-12-27 Thread Stefan Claas
On Thu, 27 Dec 2018 16:01:52 +0100, Stefan Claas wrote:

> As a test I also created a blank .gnupg folder and tried to encrypt but it still
> says not trusted. I have run out of ideas now and I will contact Patrick Brunschwig
> and wait what he says, because he is the maintainer of the SourceForge
> binary.

O.k. I received a reply from Patrick. As I understood it, he uses the original
code from GnuPG. So it looks to me that under Linux, or when using
his version, one must properly configure GnuPG in order for this to work.

gpg4win does not need this and as two GPGTools Mac users have told me it
works for them too.

What to do... Should I then switch back to GPGTools, or would someone here be so kind
as to tell me the required steps for a current 2.2.12 Linux version configuration,
so that I can try it out with Patrick's version?

Regards
Stefan




Re: A question about WKD

2018-12-27 Thread Stefan Claas
On Thu, 27 Dec 2018 10:35:22 +0100, Alessandro Vesely wrote:
> On Wed 26/Dec/2018 22:59:19 +0100 Stefan Claas wrote:
> >   
> >> You seem to have already solved that:  
> > 
> > May I ask you what version of GnuPG you are using and what OS?
> 
> Sure:
> ale@pcale:~/tmp$ uname -a
> Linux pcale 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
> ale@pcale:~/tmp$ 
> ale@pcale:~/tmp$ gpg2 --version
> gpg (GnuPG) 2.1.18
> libgcrypt 1.7.6-beta
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later 
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Home: /home/ale/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2

Thanks!

> I see no SRV record from here, and I don't need one since 300baud.de resolves correctly.

host -t srv _openpgpkey._tcp.300baud.de
_openpgpkey._tcp.300baud.de has SRV record 10 100 443 300baud.de.

> > I then tried again with the macOS version, which is 2.2.12, and it
> > did not work again. :-(
> 
> 
> Couldn't that be something with your CA bundle?  What do you get if you try
> and download your keys with curl, e.g.:
> curl -o /dev/null -v https://300baud.de/.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33 ?

Mmhh, good question... when downloading it says
CAfile: /Users/sac/anaconda2/ssl/cacert.pem CApath: none, but I can download
without a problem:

curl -o /dev/null -v https://300baud.de/.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 167.99.129.126...
* TCP_NODELAY set
* Connected to 300baud.de (167.99.129.126) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /Users/sac/anaconda2/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [113 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5662 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL; CN=300baud.de
*  start date: Dec 23 00:00:00 2018 GMT
*  expire date: Dec 23 23:59:59 2019 GMT
*  subjectAltName: host "300baud.de" matched cert's "300baud.de"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; 
CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33 HTTP/1.1
> Host: 300baud.de
> User-Agent: curl/7.62.0
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Thu, 27 Dec 2018 14:47:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Tue, 25 Dec 2018 17:27:21 GMT
< ETag: "1f4-57ddc06a6a77b"
< Accept-Ranges: bytes
< Content-Length: 500
< Content-Language: de
< 
{ [5 bytes data]
100   500  100   5000 0396  0  0:00:01  0:00:01 --:--:--   396
* Connection #0 to host 300baud.de left intact

As a test I also created a blank .gnupg folder and tried to encrypt but it still
says not trusted. I have run out of ideas now and I will contact Patrick Brunschwig
and wait what he says, because he is the maintainer of the SourceForge
binary.

Regards
Stefan



Re: A question about WKD

2018-12-27 Thread Alessandro Vesely
On Wed 26/Dec/2018 22:59:19 +0100 Stefan Claas wrote:
> 
>> You seem to have already solved that:
> 
> May I ask you what version of GnuPG you are using and what OS?

Sure:
ale@pcale:~/tmp$ uname -a
Linux pcale 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
ale@pcale:~/tmp$ 
ale@pcale:~/tmp$ gpg2 --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/ale/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


> I ask because I tried also the following with gpg4win earlier today
> and it said in German "no data found". Then I set up an SRV record
> on my VPS for WKD and I was able to download the pub key
> via gpg -er s...@300.baud.de file.txt. The Windows version is
> GnuPG 2.2.11


I see no SRV record from here, and I don't need one since 300baud.de resolves correctly.

ale@pcale:~/tmp$ dig @ns1.digitalocean.com _https._tcp.300baud.de srv
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 21947
;; Flags: qr aa rd; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0

;; QUESTION SECTION:
;; _https._tcp.300baud.de.  IN  SRV

;; AUTHORITY SECTION:
300baud.de. 1800IN  SOA ns1.digitalocean.com. 
hostmaster.300baud.de. 1545858070 10800 3600 604800 1800

;; Received 107 B
;; Time 2018-12-27 10:23:39 CET
;; From 173.245.58.51@53(UDP) in 49.1 ms


> I then tried again with the macOS version, which is 2.2.12, and it
> did not work again. :-(


Couldn't that be something with your CA bundle?  What do you get if you try and
download your keys with curl, e.g.:
curl -o /dev/null -v https://300baud.de/.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33 ?

Best
Ale








Re: A question about WKD

2018-12-26 Thread Stefan Claas
On Wed, 26 Dec 2018 14:35:28 +0100, Alessandro Vesely wrote:

> You seem to have already solved that:

May I ask you what version of GnuPG you are using and what OS?

I ask because I tried also the following with gpg4win earlier today
and it said in German "no data found". Then I set up an SRV record
on my VPS for WKD and I was able to download the pub key
via gpg -er s...@300.baud.de file.txt. The Windows version is
GnuPG 2.2.11.

I then tried again with the macOS version, which is 2.2.12, and it
did not work again. :-(

Regards
Stefan



Re: A question about WKD

2018-12-26 Thread Stefan Claas
On Wed, 26 Dec 2018 14:35:28 +0100, Alessandro Vesely wrote:

> And, using the attached script:
> 
> ale@pcale:~/tmp$ testwkd.sh s...@300baud.de
> gpg: keybox '/tmp/user/1000/tmp.EDqjfCCXPH/pubring.kbx' created
> gpg: /tmp/user/1000/tmp.EDqjfCCXPH/trustdb.gpg: trustdb created
> gpg: using pgp trust model
> gpg: error retrieving 's...@300baud.de' via None: No public key
> gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
> gpg: waiting for the dirmngr to come up ... (5s)
> gpg: connection to the dirmngr established
> gpg: pub  ed25519/9A234E0B0E1F1FE8 2018-12-25  Stefan Claas 
> gpg: key 9A234E0B0E1F1FE8: public key "Stefan Claas " 
> imported
> gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
> gpg: waiting for the agent to come up ... (5s)
> gpg: connection to agent established
> gpg: Total number processed: 1
> gpg:   imported: 1
> gpg: auto-key-locate found fingerprint 
> EC15C644C35948FCB47E15899A234E0B0E1F1FE8
> gpg: automatically retrieved 's...@300baud.de' via WKD
> pub   ed25519 2018-12-25 [SC]
>   EC15C644C35948FCB47E15899A234E0B0E1F1FE8
> uid   [ unknown] Stefan Claas 
> sub   cv25519 2018-12-25 [E]
> 
> gpg: using pgp trust model
> /tmp/user/1000/tmp.EDqjfCCXPH/pubring.kbx
> -
> pub   ed25519 2018-12-25 [SC]
>   EC15C644C35948FCB47E15899A234E0B0E1F1FE8
> uid   [ unknown] Stefan Claas 
> sig!3   P9A234E0B0E1F1FE8 2018-12-25  Stefan Claas 
> sub   cv25519 2018-12-25 [E]
> sig!P9A234E0B0E1F1FE8 2018-12-25  Stefan Claas 
> 
> gpg: 2 good signatures

Thanks for testing!

So it works for you and probably others too, but not for me. :-(

./testwkd.sh s...@300baud.de
gpg: keybox 
'/var/folders/hf/wc4hsm4n53523ym60s065zv0gn/T/tmp.iKVxe7r2/pubring.kbx' 
created
gpg: /var/folders/hf/wc4hsm4n53523ym60s065zv0gn/T/tmp.iKVxe7r2/trustdb.gpg: 
trustdb created
gpg: using pgp trust model
gpg: error retrieving 's...@300baud.de' via None: No public key
gpg: no running Dirmngr - starting '/usr/local/gnupg-2.2/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: error retrieving 's...@300baud.de' via WKD: Not trusted
gpg: error reading key: Not trusted
gpg: using pgp trust model

I am using the latest GnuPG version for macOS from SourceForge.

Regards
Stefan




Re: A question about WKD

2018-12-26 Thread Alessandro Vesely
On Wed 26/Dec/2018 10:39:39 +0100 Stefan Claas wrote:
> 
> I have set up WKD on my VPS, in order to learn more about it and get now
> the following error:
> 
> gpg --encrypt -r s...@300baud.de OpenSSL.txt
> gpg: error retrieving 's...@300baud.de' via WKD: Not trusted

You seem to have already solved that:
ale@pcale:~/tmp$ curl -o /dev/null -v 
https://300baud.de/.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 167.99.129.126...
* TCP_NODELAY set
* Connected to 300baud.de (167.99.129.126) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [113 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5662 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL; CN=300baud.de
*  start date: Dec 23 00:00:00 2018 GMT
*  expire date: Dec 23 23:59:59 2019 GMT
*  subjectAltName: host "300baud.de" matched cert's "300baud.de"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; 
CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
} [5 bytes data]
> GET /.well-known/openpgpkey/hu/ywwzopgqx5kmisb8r18gq68h13jwdg33 HTTP/1.1
> Host: 300baud.de
> User-Agent: curl/7.52.1
> Accept: */*
> 
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Wed, 26 Dec 2018 13:33:07 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Tue, 25 Dec 2018 17:27:21 GMT
< ETag: "1f4-57ddc06a6a77b"
< Accept-Ranges: bytes
< Content-Length: 500
< Content-Language: de
< 
{ [5 bytes data]
* Curl_http_done: called premature == 0
100   500  100   5000 0   7025  0 --:--:-- --:--:-- --:--:--  7042
* Connection #0 to host 300baud.de left intact

And, using the attached script:

ale@pcale:~/tmp$ testwkd.sh s...@300baud.de
gpg: keybox '/tmp/user/1000/tmp.EDqjfCCXPH/pubring.kbx' created
gpg: /tmp/user/1000/tmp.EDqjfCCXPH/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: error retrieving 's...@300baud.de' via None: No public key
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to the dirmngr established
gpg: pub  ed25519/9A234E0B0E1F1FE8 2018-12-25  Stefan Claas 
gpg: key 9A234E0B0E1F1FE8: public key "Stefan Claas " imported
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: Total number processed: 1
gpg:   imported: 1
gpg: auto-key-locate found fingerprint EC15C644C35948FCB47E15899A234E0B0E1F1FE8
gpg: automatically retrieved 's...@300baud.de' via WKD
pub   ed25519 2018-12-25 [SC]
  EC15C644C35948FCB47E15899A234E0B0E1F1FE8
uid   [ unknown] Stefan Claas 
sub   cv25519 2018-12-25 [E]

gpg: using pgp trust model
/tmp/user/1000/tmp.EDqjfCCXPH/pubring.kbx
-
pub   ed25519 2018-12-25 [SC]
  EC15C644C35948FCB47E15899A234E0B0E1F1FE8
uid   [ unknown] Stefan Claas 
sig!3   P9A234E0B0E1F1FE8 2018-12-25  Stefan Claas 
sub   cv25519 2018-12-25 [E]
sig!P9A234E0B0E1F1FE8 2018-12-25  Stefan Claas 

gpg: 2 good signatures




Best
Ale



testwkd.sh
Description: application/shellscript

