[Announce] Libgcrypt 1.5.0 released
Hello! The GNU project is pleased to announce the availability of Libgcrypt version 1.5.0. This is the new stable version of Libgcrypt and upward compatible with the 1.4 series. The 1.4 series will enter end of life state on 2012-12-31. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes between version 1.4.6 and 1.5.0: * New function gcry_kdf_derive implementing OpenPGP S2K algorithms and PBKDF2. * Support for WindowsCE. * Support for ECDH. * Support for OAEP and PSS methods as described by RFC-3447. * Fixed PKCS v1.5 code to always return the leading zero. * New format specifiers %M and %u for gcry_sexp_build. * Support opaque MPIs with %m and %M in gcry_sexp_build. * New functions gcry_pk_get_curve and gcry_pk_get_param to map ECC parameters to a curve name and to retrieve parameter values. * gcry_mpi_cmp applied to opaque values has a defined semantic now. * Uses the Intel AES-NI instructions if available. * The use of the deprecated Alternative Public Key Interface (gcry_ac_*) will now print compile time warnings. * *The module register subsystem has been deprecated.* This subsystem is not flexible enough and would always require ABI changes to extend the internal interfaces. It will eventually be removed. Please contact us on the gcrypt-devel mailing list to discuss whether you really need this feature or how it can be replaced by an internal plugin mechanism. * CTR mode may now be used with data chunks of arbitrary length. * Interface changes relative to the 1.4.6 release: GCRY_PK_ECDH NEW. gcry_pk_get_curve NEW. gcry_pk_get_param NEW. GCRYCTL_DISABLE_HWFNEW. gcry_kdf_deriveNEW. gcry_pk_encryptEXTENDED: Support OAEP. gcry_pk_decryptEXTENDED: Support OAEP. gcry_pk_sign EXTENDED: Support PSS. gcry_pk_verify EXTENDED: Support PSS. gcry_sexp_buildEXTENDED: Add format specifiers M and u. Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source file and its digital signatures is: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.bz2 (1400k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.bz2.sig This file is bzip2 compressed. A gzip compressed version is also available: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.gz (1698k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.0.tar.gz.sig Due to a lot of changes regarding white spaces we don't provide a patch file against 1.4.6. The SHA-1 checksums are: e6508315b76eaf3d0df453f67371b106654bd4fe libgcrypt-1.5.0.tar.gz 3e776d44375dc1a710560b98ae8437d5da6e32cf libgcrypt-1.5.0.tar.bz2 For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improve the software [2], order extensions or support or more general by donating money to the Free Software movement [3]. Commercial support contracts for Libgcrypt are available [4], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company, is currently funding Libgcrypt development. We are always looking for interesting development projects. Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Happy hacking, Werner [1] See http://www.gnupg.org/documentation/mailing-lists.html. [2] Note that copyright assignments to the FSF are required. [3] For example see http://fsfe.org/donate/. [4] See the service directory at http://gnupg.org/service.html. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpaFdfqAikpl.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Change key prefs; few questions
On Mon, 4 Jul 2011 05:01, ds...@jabberwocky.com said: figures out how many iterations it can do in 1/10 of a second (which always results in a value higher than 65536 these days), and uses that. I believe that the newer GPG (2.x) has some support for this design, but I don't recall offhand if it is using it fully yet. We We have it working since 2.0.15 and gpg2 uses it. It would be easy to backport it to 1.4 and use it if use-agent is used (look for agent_get_s2k_count). We need to use a persistent process (like the agent) to do the calibration so that it does not take too long. You may use gpg-connect-agent 'getinfo s2k_count' /bye to see the number of iterations. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keygrip
On Fri, 8 Jul 2011 00:06, li...@meumonus.com said: I'm trying to use the gpg-preset-passphrase command and it keeps failing. My thought is I'm not getting the keygrip correct. How do I discover the keygrip for a public certificate? With the stable 2.0 version of GnuPG the keygrip is only used for X.509; thus you may use $ gpgsm --with-keygrip -k foo Which displays the keygrip below the fingerprint line. With GnuPG-2 the keygrip is also used with gpg2; thus $ gpg --with-keygrip -k foo Another way is to somhow figure out the respective file in ~/.gnupg/private-keys-v1.d - the name of the file is the keygrip plus the suffix .key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Check that s2k-count has changed
On Fri, 8 Jul 2011 22:54, li...@chrispoole.com said: I don't know if this would be of any real use (perhaps just for those that are pretty sure of the slowest machine they'll be decrypting their private key on), but a function to calculate how many rounds it takes to run for x.y seconds would be useful. KeePass, for example, See gnupg/agent/protect.c:calibrate_s2k_count . Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Assertion failure from gnupg with enigmail 1.2
On Tue, 12 Jul 2011 23:59, do...@dougbarton.us said: It works, does it seem like the right thing to do? Yes, this patch is correct. I was not aware that FreeBSD jumped to Libgcrypt 1.5.0 so fast ;-). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: BUG 1253 hace 8 horas *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop chatting diegoas
On Wed, 13 Jul 2011 14:49, roland.lor...@commerzbank.com said: make[1]: *** No rule to make target `../cipher/libcipher.a', needed by `gpgsplit'. Stop. I could not resolve the problem by using a current gnu make instead of the Solaris make. The problem is stated as solved in your tasklist, but unfortunately I cannot look into the solution. Right, there is a request on the mailing list but no follow-up. This is usually a dependency problem; to work around it you may try cd cipher make cd ../tools make cd .. (Please see also http://gnupg.org/service.html). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: secring and dropbox
On Wed, 20 Jul 2011 03:25, r...@sixdemonbag.org said: I'm presenting the script here in case someone else finds it useful, but really, it's embarrassingly simple. gpg --gen-random --armor 1 16 Might even be a bit simpler ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm and OCSP problems
Hi, can you please try the attached patch for GnuPG? I checked that it applies against a vanilla 2.0.17 but I have not done any tests. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. x Description: Binary data ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where are those stubs..
On Wed, 20 Jul 2011 21:48, pe...@digitalbrains.com said: AFAIK, you need to get the public key imported in GnuPG before you do --card-status. So you first download your own public key from a keyserver or a website or a USB stick, you don't get it from the smartcard. Only when GnuPG already has the public key, will it create the secret key stubs when it sees your smartcard. Right. This is also the reason why we have the URL field on the card. For example on my card: URL of public key : finger:w...@g10code.com Now if I run gpg --card-edit I just need to enter fetch and gpg will fetch the key from that URL. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent automatically use passphrase for signing subkey?
On Sat, 23 Jul 2011 16:30, kloec...@kde.org said: to use the cache for signing but not for decryption), so why not add another option like --share-signing-and-decryption-cache? (I guess, if I really wanted this I should provide a patch. :-) ) Actually an option is not even required. When importing a secret key in 2.1 we try to use the same passphrase before assuming they are different. However this requires that we add a bit of extra code - I think it can be done easily but there are more important tasks right now. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smartcards and readers
On Sun, 24 Jul 2011 23:57, r...@sixdemonbag.org said: If anyone has any *direct experience* (not I heard from my friend's I use an SCR3310 which I glued to my monitor. In general I would recommend SCM readers because their chip uses TPDU mode and thus we have greater flexibility when it comes to Extended Length APDUs. Further SCM offered me samples and assigned me an application engineer. I have currently none with a pinpad in use, the SPR 532 used to work very well however it has rubber style pinpad which I don't like. Thus I once switched to a KAAN Advanced which is nice from a mechanical POV. The KAAN has problems with 2k keys and the vendor does not like to work with free software projects. Gemalto readers are said to work well and they seem to be a bit cheaper than others. I have a PCMCIA one here but only tested it once. Avoid all readers with an Omnikey chip - they only work under Windows with 2k key cards. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How secure are smartcards?
On Mon, 25 Jul 2011 12:21, gn...@lists.grepular.com said: adversary, and the key isn't encrypted on the smart card. Then they can just read it off, if they get hold of it. In that circumstance, you That might be true with the v1 card which used a pretty old chip. The v2 card uses a modern chip and card OS and thus the effort to read off the key wouldn't be worth what you will gain from it. As it is not possible to secretly read out the key you will almost always have the opportunity to revoke the key before a damage is possible. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why doesn't gpg ask me for my password when decrypting (symmetric encryption)?
On Tue, 26 Jul 2011 06:26, andrewinfo...@gmail.com said: When encrypting with --symmetric, I would expect to get asked for the password when decrypting but I am never prompted... why? Run gpgconf --reload gpg-agent before decryption to clear the passphrase cache. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How secure are smartcards?
On Tue, 26 Jul 2011 14:41, h...@qbs.com.pl said: The key is also useful for decrypting past communication... Well, you should have a backup of the decryption key. It is cheaper to steal that backup than to crack the card. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How secure are smartcards?
On Tue, 26 Jul 2011 18:07, j-...@ottosson.nu said: Even worse though, as I recall from the time when I worked with IBM crypto processors like 4758 etc, a lot of the people inside the (somewhat introvert) banking community working with security, had no clue and actually believed that Part of the problem was that many developers over there had an RPG and COBOL background and were forced to write security software based on a lower system layer they didn't really understood. as long as there is no bugs in the on-board OS.. If however it gets stolen by skilled advisaries, one should regard the keys as compromised, generate revocation certificates and new keys. [As usually it depends on your threat model.] If there is enough money to gain from breaking a card someone will do it. See the French 384 bit RSA cards or master key systems like (old) pay TV cards. With modern personalized cards you can't get enough in return for an individual card break and thus it is easier to use much simpler techniques like faked cameras and keyboards or pinhole cameras. That can be done in batch mode for many cards and it is easy to retrain non-geeky crooks to help setting up such a mafia business. Of course I am talking about mass-market smartcards and not about specialized security systems. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Including public key
On Thu, 28 Jul 2011 08:29, k...@grant-olson.net said: attacker could have forged both. They could in other circumstances as well, but it's less likely for someone to forge both a public key on the keyservers (or your personal website, or your business card, etc), and a signature on a forged email. They need to compromise two lines of defense. Why? Sending a key to a keyserver is cheap. The validity of the key needs to be established by different means; for example using the WoT. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smartcard durability?
On Thu, 28 Jul 2011 05:56, r...@sixdemonbag.org said: Are there any particular problems the durability of a smartcard, particularly an OpenPGP card? Are there any damage concerns from wallet It is not different than with any other chip card. If you immerse the card into water only the contacts my corrode. Use an eraser to clean them. If you bend the card to strong the chip may get an microfissure and stop working. I have several chip cards in my purse for may years now without any problems. Granted most money cards still use the magstripe but at least my OpenPGP card and my RFID based season ticket are chip-only cards. As an alternative you may use an ID-000 (GSM card size) card along with an USB reader and put it on your key ring. I had one on mine for at least 4 years and it surived summer, winter, snow and sun without any problems. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How secure are smartcards?
On Fri, 29 Jul 2011 11:58, rich...@r-selected.de said: 100.000 as a one-time investment for breaking into an unlimited number of OpenPGP smart cards? If I were a government, I would definitely buy Whatever the number is, it is for each break and you have only a certain probability so successfully read out the key. That is why I wrote unless a master key scheme is used - something which is stupid for almost all systems. And well, you need to get your hands on the card first. Hence, one has to assume it's safer to use encrypted harddrives for key storage than a smartcard if one wants to protect their data from Nope. It is is easy to write a trojan to send the passphrase key back to an attacker or store it somewhere on the box (e.g. RTC chip, battery charging logic) so you can use it once you get physical control over the box. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Extract numbers from a key
On Tue, 2 Aug 2011 20:10, tigresetdrag...@yahoo.fr said: I would like to know an easy way to get numbers used in a key. For example, in a RSA key, N and e (used like this: message^e modulus N) Import the key and then: $ gpg --list-keys --with-key-data KEYID In the output look for pkd records: If field 1 has the tag pkd, a listing looks like this: pkd:0:1024:B665B1435F4C2 FF26ABB: ! ! !-- the value ! !-- for information: number of bits in the value !- index (eg. DSA goes from 0 to 3: p,q,g,y) The entire format is decribed in doc/DETAILS. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 2.0.18 released
during build time and put a set use_crypt_gpgme in ~/.muttrc to enable S/MIME support along with the reworked OpenPGP support. Support === Please consult the archive of the gnupg-users mailing list before reporting a bug http://gnupg.org/documentation/mailing-lists.html. We suggest to send bug reports for a new release to this list in favor of filing a bug at http://bugs.gnupg.org. We also have a dedicated service directory at: http://www.gnupg.org/service.html Maintaining and improving GnuPG is costly. For more than 10 years now, g10 Code, a German company owned and headed by GnuPG's principal author Werner Koch, is bearing the majority of these costs. To help them carry on this work, they need your support. Please consider to visit the GnuPG donation page at: http://g10code.com/gnupg-donation.html Thanks == We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpNUJcLEwoM4.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Extract numbers from a key
On Thu, 4 Aug 2011 19:23, tigresetdrag...@yahoo.fr said: cipher/rsa.c and I found that d is evaluated to match e*d mod f = 1 , with f = phi/gcd((p-1),(q-1)) . Why is it coded like that ? Is it safe ? Using the universal exponent of n (lambda, in the code denoted as f) has the advantages that d will be smaller. And thus decryption will be faster. It is more a theoretical advantages because we choose p and q at random and thus lambda won't be much smaller than phi. Yes, it is secure. IIRC, X9.31 even requires that. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.0.18 released
On Thu, 4 Aug 2011 23:36, thaj...@gmail.com said: any version of the 2.x branch. I do not need GPG4WIN and can not understand why the same thing has not been compiled like the version 1.x branch. Gpg4win is the official binary distribution of GnuPG. Use the light installer and you are done. It is far too much work to have a ultralight installer. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card only available to root user
On Fri, 5 Aug 2011 01:49, l...@debethencourt.com said: luisbg@atlas ~ $ gpg --card-status gpg: selecting openpgp failed: Unsupported certificate What kind of reader are you using? luisbg@atlas ~ $ gpg-agent --server gpg-connect-agent Now that is a strange command. The gpg-connect-agent argument is simply ignored. What you do is sto start a new gpg-agent in --server mode, that is without it listening on a socket but connected to the tty. You should first start gpg-agent after checking that no other one is running. For testing I do it this way $ gpg-agent --daemon sh This creates a new shell and if you terminate this shell (exit) the gpg-agent will terminate as well after a few seconds. Then use $ gpg-connect-agent SCD SERIALNO BYE or $ gpg-connect-agent 'SCD SERIALNO' /bye or to get all info from the card $ gpg-connect-agent 'scd learn --force' /bye My guess at your problem is that there is another gpg-agent running which has the scdaemon open. The one you started under root? To debug this you should put these lines into scdaemon.conf log-file /foo/bar/scd.log debug 2049 debug-ccid-driver verbose Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.0.18 released
On Thu, 4 Aug 2011 23:32, do...@dougbarton.us said: comments/questions. First, would it be possible to have a run-time option not to display the fingerprints? I think it's an interesting idea, but not particularly useful to me as I don't already have them memorized. :) No. The fingerprint is required for the confirm option (ssh-add -c or the confirm flag in sshcontrol) because ssh-agent displays the same information. The other question is about the display of the path to the key (which for me actually is relevant since it tells me what password I need to type). I have several keys, and so far for one it displays the path in the ()s, but for one of my others it does not. How would I debug this? Ssh-add should send the comment from the key via the ssh-agent-protocol. However for PEM encoded keys is uses the filename instead. I am not sure why it does that: prv = key_load_private_pem(fd, KEY_UNSPEC, passphrase, NULL); /* use the filename as a comment for PEM */ if (commentp prv) *commentp = xstrdup(filename); You may change the comment by editing the corresponding file in /gnupg/private-keys-v1.d/ like this: $ /usr/local/libexec/gpg-protect-tool \ 8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8.key (protected-private-key (dsa ...] (protected-at 20110720T142801) ) (comment foo_dsa) ) save the output to a file and change the value of the comment field. It is best to put the value into quotes (comment this is my comment). The save the output under the same name. It doesn't matter that it is now in advanced representation. However if you would like to store it in canonical format, you may pipe it through $ /usr/local/libexec/gpg-protect-tool --canonical So now, how to find the name of the file. The name is the so-called keygrip and not the fingerprint. To translate them you may look at a listing of all files in private-keys-v1.d: $ gpg-connect-agent 'keyinfo --list --ssh-fpr' /bye [...] S KEYINFO 8147AB71CC2CB61C56A3E3F9C9F0A2A656B38AF8 \ D - - - P 2d:b1:70:1a:04:9e:41:a3:ce:27:a5:c7:22:fe:3a:a3 [...] OK [I used the backslash to split the long line just for this mail] You see a lot of these lines. The important information is the 7th field after KEYINFO; it is the ssh fingerprint. You may simply grep for it. The 1st field is the keygrip. Append a .key and you have the filename you are looking for. Note that with 2.0.18 you will see a '-' instead of the 'P' flag. To see the help string for the keyinfo command you may use $ gpg-connect-agent 'help keyinfo' /bye Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card only available to root user
On Fri, 5 Aug 2011 10:31, l...@debethencourt.com said: Missed this question the first time around... It is a SCM Microsystems SCR 335 Well that one works. It even works fine with the scdaemon internal driver, thus try after stopping pcscd. When I do it as you say I get: gpg-connect-agent 'scd learn --force' /bye ERR 103 unknown command I always get that 'unknown command' error in all the variatons you explained. Please run gpg-connect-agent 'getinfo version' /bye and gpg-connect-agent 'scd getinfo version' /bye I've created this conf file both in my home and root's. Well under ~/.gnupg/ of course. When I run gpg --card-status as my user, there is no file created. Is this really gpg2 (check using gpg --version). But when I run it in root it does create this file. That smells like a file permission problem. Is this confirmation that when running as root scdaemon is being spawned but when running as user it can't use scdaemon? No. I can paste the content of that log file if you want it. Asking before doing so since it's a bit lengthy. Please send by private mail. Note that this may reveal PINs if you entered one. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card only available to root user
On Sat, 6 Aug 2011 19:46, l...@debethencourt.com said: gpg-connect-agent 'getinfo version' /bye ERR 100 not implemented You are running a *very* old version of gpg-agent ( 2.0.5) - or something hijacked the connection to gpg-agent (seehorse? gnome-keyring?) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem with GPG
On Mon, 8 Aug 2011 14:58, lists.gnupg-us...@duinheks.nl said: #!/bin/sh echo | /usr/bin/gpg --batch --sign --armour --clearsig --passphrase-fd 0 $1 You should better use gpg --batch --sign --armour --clearsig --passphrase-fd 0 --yes -o $1.asc $1 to avoid the mv. Even better use gpg-agent. echo xxx | /usr/bin/gpg --batch --sign --armour --clearsig --passphrase-fd test -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 gpg: pkglue.c:41: mpi_from_sexp: Assertion `data' failed. Aborted Please show us the output of /usr/bin/gpg --version Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card only available to root user
On Mon, 8 Aug 2011 18:05, l...@debethencourt.com said: this is very strange, that shows it as 2.0.17, but it still says that 'getinfo version' is not implemented. One if these GNOME tools is intercepting the connection and acts as a MITM between gpg-connect-agent and gpg-agent. Check the owner of the socket decribed by $GPG_AGENT_INFO and if used the socket ~/.gnupg/S.gpg-agent . Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Problems with gnome-keyring et al. (was: Card only available to root user)
On Tue, 9 Aug 2011 02:44, l...@debethencourt.com said: So it looks like GNOME's ssh-agent is interfering. How can I avoid this? Tell them that they should not interfere with GnuPG. If you put a line use-standard-socket into ~/.gnupg/gpg-agent.conf and stop starting gpg-agent in the xsession etc., all tools requiring gpg-agent will start gpg-agent on the fly. There is even no more need for the GPG_AGENT_INFO envvar; I even explicitly unset this variable in my profile. Thus the only envvar you need is GPG_TTY. If you want to use gpg-agent as ssh-agent you should also put a line enable-ssh-support into ~/.gnupg/gpg-agent.conf and put into your profile unset SSH_AGENT_PID SSH_AUTH_SOCK=${HOME}/.gnupg/S.gpg-agent.ssh export SSH_AUTH_SOCK Now you only need to make sure that gpg-agent is started before you use ssh. This is because ssh has no way to start gpg-agent on the fly; I do this with a simple gpg-connect-agent /bye If you want to check whether gpg-agent is _configured_ to use the standard socket, you may call gpg-agent --use-standard-socket-p This is actually what all GnuPG tools do to see whether they may start gpg-agent on the fly. The standard socket makes things easier and hopefully harder for gnome-keyring to interfere with it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Working with a system-shared keyring
On Fri, 10 Jun 2011 20:43, do...@dougbarton.us said: But fixes a lot of problems. The keyring is a database and if we distribute this database to several files without a way to sync them; this leads to problems. You may have not been affected by such problems but only due to the way you use gpg. Can you elaborate on those problems? I can think of several examples of databases whose contents are stored in multiple files without any difficulty, so I'm curious. But in those cases the files are either under the control of the database or partitioned using a well defined scheme. With the --keyring option this is different: You may add several keyrings to GnuPG and remove them later. There is no way GPG can tell whether there are duplicates or which instances of a duplicated entry it needs to update. Sure, we could make this working but I it will get really complex. Thus it is far easier to have one file or set of files which are under the sole control of GPG. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card Reader on Cherry Keyboard (omnikey) with OpenPGP Smart Card
On Tue, 9 Aug 2011 12:04, oleksandr.shney...@obviously-nice.de said: I have issues using OpenPGP smart cards from kernel concepts with omnikey card reader integrated in Cherry keyboard (Cherry XX44 USB keyboard) Omnikey based readers don't work with that card because the readers don't support Extended Length APDUs. Well, under Windows they work because their driver uses undocumented tricks to do it. I tried to the same in GnuPG's internal driver but that is not really reliable. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Card Reader on Cherry Keyboard (omnikey) with OpenPGP Smart Card
On Tue, 9 Aug 2011 16:28, oleksandr.shney...@obviously-nice.de said: Actually, I only need, that ssh authentication works with that cards and omnikey card readers. How do you think, is there are a chances, that it'll be work soon? Should I try to use pc/sc driver? The pc/sc driver won't work; thus better stop pcscd. The internal driver often works; it usually does not work for key generation. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem with GPG
On Tue, 9 Aug 2011 13:34, lists.gnupg-us...@duinheks.nl said: gpg (GnuPG) 2.0.18 libgcrypt 1.5.0 Okay, I only asked to make sure that we are really using the right version. It would be helpful if you could change this function in gnupg/g10/pkglue.c: static gcry_mpi_t mpi_from_sexp (gcry_sexp_t sexp, const char * item) { gcry_sexp_t list; gcry_mpi_t data; list = gcry_sexp_find_token (sexp, item, 0); assert (list); data = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); assert (data); gcry_sexp_release (list); return data; } to static gcry_mpi_t mpi_from_sexp (gcry_sexp_t sexp, const char * item) { gcry_sexp_t list; gcry_mpi_t data; list = gcry_sexp_find_token (sexp, item, 0); assert (list); data = gcry_sexp_nth_mpi (list, 1, GCRYMPI_FMT_USG); if (!data) gcry_sexp_dump (list); assert (data); gcry_sexp_release (list); return data; } That is, insert the two extra lines and run again; you should notice some debug output right before the assertion failure. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card CHV* failed: general error
On Tue, 9 Aug 2011 22:31, gn...@lists.grepular.com said: gpg: verify CHV1 failed: general error gpg: signing failed: general error gpg: [stdin]: clearsign failed: general error I suggest that you use gpg2 and not gpg. You should also update GnuPG to at least 2.0.17. 2.0.14 is quite problematic because it has a regression which may lead to unaccessible keys created with that version. However, I don't think that is the cause of the problem. Let's debug it. Please put the lines verbose debug 2048 log-file /foo/scdaemon.log into ~/.gnupg/scdaemon.conf and kill a running scdaemon. Then run your signing command again. In the log file you should find output similar to this: scdaemon[17805]: DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0 scdaemon[17805]: DBG: raw apdu: 00 20 00 81 06 3x 3x 3x 3x 3x 3x This is a command as send to the card. The c=00 i=20 indicates the verify command which fails for you. If it works the next line would be a scdaemon[17805]: DBG: response: sw=9000 datalen=0 However your SW will be different. What is it? In this example above I redacted the actual pin using an 'x'. You should do the same if you want to mail the log snippet: Look at the raw apdu: 00 20 00 81 06 3x 3x 3x 3x 3x 3x ! ! ! ! ! !~~~! The PIN in hex format (redacted) ! ! ! ! !--- The length of the PIN ! ! ! !-- Parameter P2 ! ! !- Parameter P1 ! !-Instruction byte !Class byte However, most important to see is the status word (sw) which is the response of the card. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card CHV* failed: general error
On Wed, 10 Aug 2011 11:23, gn...@lists.grepular.com said: 2011-08-10 10:16:02 scdaemon[5153] DBG: response: sw=6581 datalen=0 Ooops, SW_EEPROM_FAILURE = 0x6581, it may be that you had no luck and got a faulty chip. Contact the supplier for a replacement. Or did you run a series of automated tests and the eeprom wore out? EEPROMs usually allow only for something in the range of 1 write cycles. How many verify operations did you run on the card? A verify needs to write to the eeprom to decrement the bad pin counter before the verification and increment it later (so that you can't mount power glitch attacks). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to validate encryption
On Thu, 11 Aug 2011 15:47, amarjeet.ya...@gs.com said: We have requirement where we would like to check for encrypted file its valid or not before decrypting it. You mean whether it has been tampered with? You can't do that without decrypting it. GPG checks that the decrypted file is valid - usually by checking the signature but if it is not signed gpg checks the MDC (modification check code - a kind of checksum). Of course you could use a detached signature (or a hash digest of the file convoyed via a second channel) to detect modification before processing the file. However the entire file needs to be processed in any case. Thus if modifications are rare it would take longer to check the file first and then do the encryption which does yet another check. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how can i generate a keypair without reading anwsers from stdin?
On Fri, 12 Aug 2011 08:41, zxq_yx_...@163.com said: I want to write all the answers in a file and then let gpg read the answer from the file in batch mode. What the format of the file should be? Any help? See the chapter Unattended GPG key generation in the manual, for example online at http://gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Secure PIN entry
On Thu, 11 Aug 2011 23:00, jer...@jeromebaum.com said: Can I get the secure PIN entry (using built-in pin-pad) working for this reader? For my homebanking software (i.e. HBCI card), it works with CTAPI but now PC/SC. What settings can I fiddle with, and what log/debug output is relevant? No, it is not implemented for PC/SC - only if use the internal driver which is not available under Windows. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Secure PIN entry
On Fri, 12 Aug 2011 17:30, jer...@jeromebaum.com said: How much work is it to implement this -- either by using the internal With all testing I estimated 2 days. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how can i generate a keypair without reading anwsers from stdin?
On Fri, 12 Aug 2011 12:40, li...@binarywings.net said: You can simply write the answers down like you would in an interactive session with gpg. Then feed this file with `gpg --gen-key ... file` *Don't do this* ! The interface presented there is for humans only and may change at any time. In fact, it depends on certain options and has changed several times in the past. gpg just reads from standard input. There is no difference between a user pressing return and a newline character in a text file. There is one: gpg reads directly from the TTY unless you use --batch. This allows the use of readline features and to disable echo during passphrase entry. Please use a parameter file as described in the manual. This is a well defined interface and the way to control key generation. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Working with a system-shared keyring
On Thu, 18 Aug 2011 10:41, sat...@pgpru.com said: Same here. Maybe i'm missing something, but it seems without the ability to have multiple keyrings in GPG configuration one will lose an ability to use detached subkeys (or actually any private keys) stored on a I am using offline key parts for a long time and iirc, I even implemeented that. With 2.1 it is even much easier - there is no more secring.gpg. All secret keys are stored as separate files in .gnupg/private-key-v1.d. If you want to take a key offline, you only need to remove that. It is way easier than what we have now. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Location of GnuPG 1.4.11 Windows binary
On Mon, 22 Aug 2011 04:54, markr-gn...@signal100.com said: If anyone from GnuPG is reading this, please don't stop building (and providing links to) Windows binaries for GnuPG 1.x. I'm sure I can't be I deliberately removed the link. For those who really really need 1.4 for Windows, they should just read the announcement to see where you can find a binary. After all it has been there for more than a decade and the README files on the FTP server tell that as well. New users on Windows shall not use 1.4 thus it is not anymore linked from the web page. Whether there will be future 1.4 binaries has not yet been decided. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 11:07, y...@yyy.id.lv said: How to verify if a certificate (in keyring) is valid? gpgsm -k --with-validation USERID without USERID all certifciates are validated. In case you want to skip CRL checks, add the option --disable-crl-checks. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which release should we be using?
On Mon, 22 Aug 2011 15:27, dpmc...@gmail.com said: extremely shortsighted. Any password management program like Keepass makes transfer via the clipboard easy and relatively safe (clearing it after 10 seconds), so that doesn't sound like the safety of no passphrase at all. You may not understand for what the passphrase in GPG is used: It is a fail-stop mechanism to mitigate the compromise of a secret key. In that it is similar to the master passphrases of all these password managers. Anyway, if you want to enable cut+paste just go ahead and implement it in a pinentry version (to be exact, disable the the secure text entry widget). Please don't ask me to do that: I consider it as false security. BTW, pinentry is a separate package from GnuPG and easy to hack. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 15:27, y...@yyy.id.lv said: This certificate does not have BasicConstraints, maybe this is a cause of error? Quite likely. That is required for CA certifciates. Is it possible to override check for BasicConstraints? Is it a bug? Try adding the relax keyword to the entry in ~/.gnuypg/trustlist.txt . Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Trying to convert from PGP on XP to a GUI on Win 7
On Mon, 22 Aug 2011 00:10, marshallabr...@comcast.net said: encrypted file using gpg2.exe. There didn't seem to be a GUI. Reading thru the manual, I see that there is supposed to be an extension/plug-in on the Windows Explorer menu for GpgEX, but I don't see it. What should I do? If you are using a 64 bit Windows7 you are out of luck. We have not yet ported GpgEx. If you are using older 64 bit Windows version you have the option to install a 32 bit version of the explorer. Please do that and you will be able to use GpgEX. You might need to re0install Gpg4win - I am not sure. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Which release should we be using?
On Tue, 23 Aug 2011 03:47, papill...@gmail.com said: stored in a Keepass database that resides in a TrueCrypt container. It's protected well. My actual key is protected by a 62 character passphrase ... as long as the box is pwoered down. Hard disk encryption does not help if the box is up and you are attacked by malware. that I'd like to cut and paste into GPG. Considering all of that, I think it's a bit extreme to say cutting and pasting a passphrase from Spying on X windows is pretty easy and thus Pinentry tries to make it harder. If you store your passphrase elsewhere; feed it directly to gpg-agent (gpg-preset-passphrase or a custom pinentry) without that manual c+p. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm certificate validity
On Mon, 22 Aug 2011 18:05, y...@yyy.id.lv said: So, order of certificate hashes, relative of certificate order in keyring, is critically important? No. You need to make sure to not use lines of more than ~255 characters. Check that your editor didn't reflow a comment block or similar. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: supersede key on key-server
On Mon, 22 Aug 2011 18:44, mike_ac...@charter.net said: result of a search... it would need to first search for the key by whatever search text was provided, and then search for hits on the fingerprint... if there is a revoke cert then you want to return that. Keyservers store one copy of a key. A revocation certifciate is nothing but another copy of the key with an recocation signature. The keyserver merges both of them to one key (in OpenPGP parlance a keyblock). A basic keyblock looks like this: Primary_key User-Id-1 Self-signature -- to bind Primary Key to User-Id-1 User-Id-2 Self-signature -- to bind Primary Key to User-Id-2 Sub-Key-1 Self-signature -- to bind Orimary key to Sub-Key-1 etc. Now a minimal revocation certificate for the entire key is Primary_key Recovation-signature -- actually a self-signature bound to Primary-Key ewith a special attribute. After import, a keyserver of gpg will merge them to this: Primary_key Recovation-signature -- actually a self-signature bound to Primary-Key ewith a special attribute. User-Id-1 Self-signature -- to bind Primary Key to User-Id-1 User-Id-2 Self-signature -- to bind Primary Key to User-Id-2 Sub-Key-1 Self-signature -- to bind Orimary key to Sub-Key-1 Keyservers deliver that Keyblock. It doesn't matter whether you ask for the keyid or fingerprint of the primary key or of one of the Sub-Keys - you will always get the above keyblock back. GPG check all self-signatures and revocation-signatures and acts upon them. You may also revoke just one user Id using this revocation certifciate Primary_key User-Id-1 Self-signature -- to bind Primary Key to User-Id-1 Revocation-Signature -- revoking User-Id-1 After merging this is Primary_key User-Id-1 Self-signature -- to bind Primary Key to User-Id-1 Revocation-Signature -- revoking User-Id-1 User-Id-2 Self-signature -- to bind Primary Key to User-Id-2 Sub-Key-1 Self-signature -- to bind Orimary key to Sub-Key-1 and GPG would mark User-Id-1 as revoked but still allow the use of the key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgsm certificate validity
On Tue, 23 Aug 2011 09:39, y...@yyy.id.lv said: For some certificates gpgsm asks during import, whether to trust them (and if confirmed, add entry to trustlist.txt automatically). Is it possible to make gpgsm to ask whether to trust it, for any certificate? It does that for all proper certificates. We can't handle all kinds of bogus root certificates; there is a reason why PKIX demands certain certificate attributes. Actually we do handle another kind of those certs: For qualified signatures, some countries issue root certificates which would not pass the usual checks - thus if such a root certificate is listed in the qualified.txt file, we do the relaxed checking but OTOH annoy you with additional prompts. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgme problem with claws mail
On Mon, 22 Aug 2011 09:06, do...@dougbarton.us said: Any suggestions on how I can debug why gpgme is not recognizing that there is a signature in the message? That is not enough information to help you. To look at what gpgme is doing you may set an envvar before starting claws like here: GPGME_DEBUG=5:/foo/bar/gpgme.log claws-mail A debug level of 5 yields a lot of output. Have a look into the log file. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgme problem with claws mail
On Tue, 23 Aug 2011 11:09, do...@dougbarton.us said: Awesome, thanks! The problem turned out to be the fingerprint option in Right, fingerprint is a command and may thus not be combined with other commands. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smartcard PIN may be shorter than passphrase?
On Tue, 23 Aug 2011 15:12, da...@systemoverlord.com said: Would it be reasonable to say that you may use a significantly smaller PIN for your smartcard than would be required of a passphrase, since the smartcard locks itself after 3 tries? Yes. It is up to 6 tries because an attacker may also try to open the card using the admin PIN. Since I don't use a reader with a pinpad, I must type my PIN in, and thus have about 8 alpha-numeric characters for my regular PIN. (The Better use only digits - if you need to use a keypad you can't do that instantly. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Conflicting commands error?
On Tue, 23 Aug 2011 15:51, michaelquig...@theway.org said: gpg --batch --armor -keyring /Publib/.../ARP_pubring.gpg This is the same as -k -e -y -r -i -n -g - thus you are asking for a key lising and encryption ... - Use two dashes. Back to the fingerprint problem: For historic reasons --fingerprint acts as a command if no other command has been given but similar to --with-fingerprint if a command has been given. Thus it works if you put it into gpg.conf and use an explicit command. However if you want to use gpg's default operation (decrypt/verify) it will instead to a key listing with fingerprints. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: invalid item `BZIP2' in preference string
On Thu, 25 Aug 2011 17:22, la...@thehaverkamps.net said: I compiled both the stock 1.4.11 the Ubuntu 1.4.10. Both ways I get gpg: invalid item `BZIP2' in preference string You build gpg without bzip2 support. Install the libbz2-dev before configuring. changing from 4096 to 8192 bit) DON'T. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keys over 4096-bits
On Fri, 26 Aug 2011 11:00, b...@adversary.org said: I understand the reasons for this, but is there any reason for not using an 8kb (or larger) master/certification key with more normal subkeys (e.g. a 2048-bit signing subkey and a 4096-bit encryption Actually the primary keys are the most worry some. I have a one 8k key in my keyring and checking the key signatures made but that key takes a noticeable time. Imagine everyone would use such keys and also consider that nowadays more and more low-processing power devices are used. Such keys are at best a political statement and a good laugh for some NSA folks. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keys over 4096-bits
On Fri, 26 Aug 2011 15:56, joh...@vulcan.xs4all.nl said: Does that mean we can expect GnuPG versions for mobile systems? I can't wait to install a Symbian or Android port. Kmail (Kontact Touch) runs on the N900 (Linux based) and the HTC Touch pro 2 (WindowsMobile 6.5). With full GnuPG crypto support of course. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple Keyrings WAS Signing multiple keys
On Sat, 27 Aug 2011 00:46, sand...@crustytoothpaste.net said: dpkg-source would lose the ability to verify packages before unpacking them. apt's archive verification would break. That doesn't include Wrong. It uses gpgv which is a verification only tool; is uses a list of trusted keys (i.e. the debian keyring). That is the simplest and most straightforward way for verification. I actually developed it for debian. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Understanding --status-fd output
On Wed, 24 Aug 2011 19:58, bj...@cam.ac.uk said: signatures on Git tags. Git runs gpg internally, and I can manipulate its environment to point GNUPGHOME at somewhere with an options file containing a status-fd option so I can get machine-readable output. This is good, but I'm having some trouble Please consider to use gpgme. It takes care of all the fairy details. 1: Is the signature cryptographically valid (i.e. does it match the signed data and the purported key)? Right. 2: What UIDs are associated with that key? No. You can't tell which UID made the signature. This signature is made by a key and the key have have several associated UIDs. 3: Can we form a chain of trust from an ultimately-trusted key to that UID/key relation? Or in short: Is the key valid. 4: Does that UID name the person whom we expected to be signing this message? Obvioulsy the person in front of the display has to decide this. As far as I can tell, GOODSIG corresponds to steps 1 and 2 above -- it indicates that we've found a key in the keyring and the signature matches it. TRUST_* corresponds to step 3, and obviously it's my job to deal with step 4. The problem I've got is to understand how the Right. UID in GOODSIG relates to the trust in TRUST_*. As far as I can tell from my testing, GOODSIG always includes the primary UID of the key, The UID is merely a hint. You may better use the VALIDSIG status line which gives more detailed information. the key in question has _a_ valid UID. Is this correct? So if I want to know which of the UIDs on the key are trusted, I have to resort to --list-keys --with-colons or similar? Right. You need to do a key listing for that. Thus the fingerprint printed with VALIDSIG comes handy. See gpgme/src/verify.c implements what we know about the gpg output; use it as an example. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Understanding --status-fd output
On Mon, 29 Aug 2011 12:24, expires2...@ymail.com said: Does it make any difference to the --status-fd output if you include verbose up to three times in the options file? It should not make any difference. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating to Smartcards
On Tue, 30 Aug 2011 17:54, rich...@r-selected.de said: a) I've bought two OpenPGP smartcards (v2). Their overprint says they support RSA with up to 3072 bit. In the GnuPG 2.0.18 release notes one change was to Allow generation of card keys up to 4096 bit. Does that apply to the OpenPGP v2 card? Yes. b) As far as I know, the cards can only store subkeys, i.e. no primary key. That way, only decryption, singing and authenticaion will be possible. If I want to sign other keys, will I have to keep the primary key somewhere safe off-card? The default is to create a complete new key. c) For convenience, I bought two cards which are supposed to store the same keys. I want to carry one card around with me every day for You need to create the keys off-card and then export them to the card. keytocard in the --edit-key menu is what you want. problem is that the keytocard command can only be issued once, since it deletes the key from the computer. To copy the keys to both cards, Don't run save after keytocard and the key should stay on the disk. keytocard, restore the backup, insert card #2, issue keytocard again. Will that cause any problems in later GnuPG use as the cards' IDs are Possible. It will be easy to disable the check or - if the second card is used as a backup - to generate a new key -stub with the new serial number. It is not cryptographically locked. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating to Smartcards
On Tue, 30 Aug 2011 20:58, k...@grant-olson.net said: tried to use two cards with the same key. gpg really wants you to have one card tied to one set of keys per computer. 2.1 will make this much simpler by separating the key material (or the key stub) from the actual keyblock/certificate. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating to Smartcards
On Tue, 30 Aug 2011 20:49, da...@systemoverlord.com said: No, the OpenPGP v2 card can only handle up to RSA-3072. Presumably OpenPGP v2 card is just a spec; you need to look at the specific implementation which most likely will be the Zeitcontrol card. That card support up to 4096 bits. Right, we printed 3072 on the back matter but only to tell people that GnuPG does not support more than 3072 bit with this card. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Migrating to Smartcards
On Tue, 30 Aug 2011 20:40, go...@fsfe.org said: AFAIR, 3072 bit keys have to be generated on the card. If you use off-card generation, you are limited to 2048 bits. Really? That would be a bug. In case it really does not work the workaround is to first create a key with 3072 bits on the card and then overwrite it by importing a 3072 bit key. The background is that we need to switch the card into an n-bit mode before we generate or import a key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Decryption error
On Sat, 3 Sep 2011 09:22, m.aflakpar...@ut.ac.ir said: Now, for decrypting 70195_B11_WTCCCT444825.CEL.gz.gpg, I opended Kleopatra window and clicked on File option then clicked on Decrypte/Verify files and then I entered my file's path then Decrypt/Verify window is opened and I checked on the second choice Input file is an archive.., after clicking on Decrypt/Verify bottom I enter A plain *.gz file (which is the result of decrypting *.gz.gpg) is not an archive. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP card issues
On Fri, 9 Sep 2011 00:14, djpeterrobert...@gmail.com said: david@david-desktop-debian:/$ gpg-agent --use-standard-socket To start the agent you need to add the --daemon argument. For testing you may use this: gpg-agent --use-standard --daemon sh which opens a new shell and sets up everything. You need to make sure that no other agent is running and controlling the card. You should also unset the GPG_AGENT_INFO ebvar which might have been set by another script. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // link no longer on gnupg site?
On Tue, 13 Sep 2011 16:41, ved...@nym.hush.com said: Is there going to be a a windows binary for future builds of the gnupg 1.x branch? I am not sure whether it is worth my time to build future 1.4 binaries; there are only a very few use cases very it does make sense - if there is one at all (Anyone still using NT 3.5 or so?). In particular the collected donations of exactly 1 Euro received in the 6 weeks since we have a donation button is not encouraging me to work on a special binary release for an OS and GnuPG version I have no need for. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Adding Parameters to a Public Key
On Tue, 13 Sep 2011 23:41, melvincarva...@gmail.com said: Is this kind of tagging extra data onto a public key allowed, or is it possible to break things? You may put any kind of data after the -END line. It is not part of OpenPGP specs. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Fri, 16 Sep 2011 21:42, joh...@vulcan.xs4all.nl said: OK, then what about a direct link to the version of the installer still present on ftp.gnupg.org? It was removed on purpose. We - and this includes Enigmail developers - want users to use the modern version. Those how have a valid reason to continue use of 1.4 know what an ftp server is and there first reaction will anyway be lftp ftp.gnupg.org cd to GnuPG (or gcrypt), read README and immediatley notice binary/ Compiled versions for MS Windows. If they don't find this, I doubt that they have any need for 1.4. 1.4 is not aimed for desktop users but for vintage Unix versions and maybe for servers. Admins should still kknow that tehre is a thing called ftp. Unlikely, since tyhe Windows executable file format contains a timestamp within the binary. And cpp may also insert timestamps into the source code. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2.0.18/GOG4Win
On Sat, 17 Sep 2011 16:29, matthew...@aol.com said: Any idea when 2.0.18 will available via GPG4Win? No concrete plans. 2.0.18 has no useful changes for Windows anyway. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
Hi, there is a thing for Windows called System Services for Unix (SFU). It is a modern POSIX implementation on top of the NT kernel but very different to the old we-need-to-be-compliant-to-gov-ITBs Posix subsystem. Did anyone ever tried to build a GnuPG on it? AFAICS this would use MSC but on a native Windows supported POSIX platform. Cygwin is based on on the Win32 API (which is the common API used on top the NT kernel) and thus has some problems with complete integration into the system. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Mon, 19 Sep 2011 23:28, jpcli...@tx.rr.com said: Many tools such as autoconf have to be installed from the Interix community site. To build gnupg you don't need autoconf. A bare bones development system is always sufficient. autoconf is only used to create the configure script which is then ioncluded in the tarball. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Tue, 20 Sep 2011 19:28, avi.w...@gmail.com said: What about us windows users who do not have GPG installed on our desktops, but our secure USB sticks. 1.4.11 works very nicely as a stand-alone (or in my case, with GPGShell). I'm afraid that 2.+ would not work properly when installed to an encrypted There is no such thing as a secure USB stick to run programs from. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: windows binary for gnupg 1.4.11 // compilation instructions posted
On Tue, 20 Sep 2011 22:48, r...@sixdemonbag.org said: If I determine that my work PC and my home PC are both trusted systems, and I have a single USB stick containing my GnuPG installation and keyrings that I want to use on both, then I don't see the risk so long as that USB stick is never plugged into an untrusted machine. That is right. However you would only keep your data on the stick and not the programs. All systems these day have a package management system, and those are better at program updates than doing it manually. My point was that people very often talk about encrypted super secure USB sticks which they put it into an arbitrary computer and believe that the data and programs magically work secure this way. They don't consider that a foreign CPU is seeing everything they stored on the stick. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Posting rules for the gnupg-devel@ mailing list
On Wed, 21 Sep 2011 10:40, l...@pca.it said: the log above. The problem is that there is no sign of my email above, not even the in-moderation notification. I will try to re-send it... Sending such notification back to the spammers is not a good idea. You either have to wait - or better - subscribe to the ML. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Posting rules for the gnupg-devel@ mailing list
On Mon, 26 Sep 2011 14:33, l...@pca.it said: 1) I would be interested to know how many spam emails passes greylisting. Way too many. 2) given the fact that there is no SMTP error message and no notification, there is no way for the sender to know what happened with her/his email, which is a bit unfair. Posting are also distributed to the poster. 3) not having notifications also means that you can not cancel your email, which could result in duplicate posts. You can't do that anyway. Really, I do not have any problem with waiting (if I know that I have to), but the above seems overcomplicated. We have a pretty good track record regarding spam and thus I see no reason to change the subscribe-only policy. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Posting rules for the gnupg-devel@ mailing list
On Tue, 27 Sep 2011 09:39, l...@pca.it said: Please Cc: me, I am not subscribed to the list. Set your MFT header properly and MUAs will CC you. And this happens way too late: it is more than a week now since my first attempt to post to gnupg-devel@ and still I do not have any news of If you have such problems with it - and you are the first one in ~13 years to insist that is a problem - then simply subscribe. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: restoring SmartCard key with off-card copy
On Mon, 26 Sep 2011 23:11, achim.cl...@cloer.de said: we are planing to deploy PGP in our team with Smartcards. I assume you mean GnuPG, which has - like PGP - an implementaion of the OpenPGP standard. During generating the keys, the pgp card is also generating a off-card copy. But we fail to import this backup into OpenPGP. The error ...into GPG ;-) message is User-ID is missing. But the User-ID was given during To restore a key you need to use gpg's edit-key command. That requires that you pass it a key-id or a user-id. You should give the key-id which was stored on the card. Note that the public key as well as the secret-key stub are not stored on the card. The backup file only contains the parts of the key which will be stored on the card. After the --edit-key prompt is shown, enter the command bkuptocard and follow the instructions. If you don't have the public key available, you may give any other key-id to enter the key-edit menu. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: restoring SmartCard key with off-card copy
On Wed, 28 Sep 2011 12:09, achim.cl...@cloer.com said: Is there any possibility to import the off-card-backup into a normal keyring in GPG without using a SmartCard? There is no feature for it. You may use gpgsplit to manually construct a key from such a backup. You need to take the keybinding signature etc from the matching public key. I have not tried, it though. If you look on the backup file using gpg --list-packets wyou will see that it is a standard secret key packets - but just that packet without any self-signatures or user-ids. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Looking for 3G smartphone partner and cooperator
On Wed, 28 Sep 2011 21:08, thaj...@gmail.com said: Nothing but a spammer. Get off the list or whomever controls the list should ban this fool for good. Not subscribed, thus probably accidently approved. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg2 Install on Solaris 10 Problem.
On Wed, 28 Sep 2011 22:35, hipaaw...@yahoo.com said: ftp://ftp.gnu.org/gnu/make/ There should be no need for GNU make, a standard make is sufficient. You need to build in the right order: 1. Build and install pth 2. Build and install libgpg-error 3. Build and install libgcrypt 4. Build and install libassuan 5. Build and install libksba 6. Build gnupg 7. Most likely you want to install gnupg now The install steps for the libraries are important. A library needs to be installed so that the next build is able to detect it. Pinentry is no hard dependency, you may build it before or after gnupg. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: rfc 4880 // armor headers and footers
On Tue, 4 Oct 2011 00:01, ved...@nym.hush.com said: BEGIN PGP MESSAGE, PART X/Y GnuPG does not support this PART stuff. Neither does it support the Charset armor header. The rationale for not supporting this misfeatures is that it tries to mimic a part of MIME which is more suitable for this task. Further it is not possible to support this because there is no defined order in which the parts will arrive and thus one-pass processing won't work. If you want it, write a tool to re-assemble the parts. I strongly suggest not to use it at all but resort to a proper MUA or a standalone MIME tool. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to use terminal to change mac-cache-ttl
On Thu, 6 Oct 2011 20:20, r...@sixdemonbag.org said: The good news is that I've put together a small Python script that will (hopefully) make things a little easier on you. Give me a day or two to I suggest that you use gpgconf to change configuration options. We designed this tool to allow easy changing of configuration options using a GUI or by scripts. As part of GnuPG it has intimate knowledge of the options and takes care not to break things. It is being used for years by Kleopatra and GPA for preference settings and to dynamically create configuration dialogs. http://gnupg.org/documentation/manuals/gnupg/gpgconf.html Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: card error message in .gpg-agent.log
On Thu, 6 Oct 2011 16:18, splu...@gmail.com said: 2011-10-05 17:15:25 gpg-agent[2694] gpg-agent (GnuPG) 2.0.18 started 2011-10-05 17:21:36 gpg-agent[2694] error getting default authentication keyID of card: Card error Gpg-agent checks whether a smartcard which features an authentication key to be used by ssh is available. Such a smartcard based authentication key is used by gpg-agent to authenticate an ssh session without the need to first import the ssh key. What is causing these, and how to solve that? Thanks. Ignore this diagnostic if you don't have a suitable smartcard (e.g. an OpenPGP or Belgian eID card). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a way to browse the GPG web of trust?
On Fri, 7 Oct 2011 11:51, aaron.topo...@gmail.com said: gpg --list-sigs --keyring ~/.gnupg/pubring.gpg | sig2dot ~/.gnupg/pubring.dot 2 ~/.gnupg/pubring.error.txt Why at all does this tool use the human readable format? I don't get it. We have a machine readable format which is guaranteed to be stable and much easier to parse. The --with-colons option was introduced with versions 0.2.12 before April 1998. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: key selection in batch decryptions
On Mon, 10 Oct 2011 23:18, jw72...@verizon.net said: keys in turn. Is there a way to tell gpg to use just one of the keys if any? I have tried specifying this as one of the options -u userID, but it No there is no way to do this. The best suggestion for all automated systems is not to use a passphrase. If you really want a passphrase and you require full control over it you have three choices: - Write your own pinentry and send CANCEL back until the desired passphrase is requested. Then send the right passphrase. - Write a simple pinentry to always send a CANCEL back (GnuPG 2.1 will have an option to emulate this). The use gpg-preset-passphrase to seed gpg-agent with the desired passphrase. - Use --status-fd/--command-fd. These options allow you to pass a passphrase to gpg entirely under script control. They work even with GnuPG 1.4. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to use a GnuPG card on multiple computers?
On Tue, 11 Oct 2011 09:37, urs.hunke...@epfl.ch said: gpg to use the card to encrypt my messages. How can I add such stubs to my keyring on a different computer to point to existing keys on my card without having to regenerate the keys (which would render the You insert the card on that other box and enter $ gpg2 --card-edit this creates the stub. To retrieve the public key you may now enter: gpg/card fetch this uses the URL field of the card to retrieve the key. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple signatures
On Tue, 11 Oct 2011 13:55, pje...@gmail.com said: Other problem I've noticed when I signed file in non-batch mode is that I’ve specified to use SHA512 for second signature. You didn't. What you did is to specify an S2K hash algorithm which is used to turn passphrases into keys. Further it is not possible to change the algorithms for each key. You may be better off not to tinker around with algorithm options if you don't have a close understanding of how they work. GnuPG has sensible defaults and a preference system to select algorithms. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg version 2.0.17 with libgcrypt 1.4.6
On Tue, 11 Oct 2011 17:35, michael.b.ba...@citi.com said: Another developer and I have downloaded and compiled and built the versions of gpg listed. I have generated the keys successfully and when I try running gpg as a test to encrypt a file I am getting bus errors. I have started the agent a Please let us known what OS and what CPU you are using. To track down such a bus error we need a stack backtrace. If you run gpg under a debugger the debugger should break at the bus error and allow you to generate a backtrace (when using gdb you would enter bt full and then info registers). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPGME and Windows Server 2003/2008
On Sun, 16 Oct 2011 02:51, mwink...@compass-analytics.com said: * GPG 1.1.4 Do you mean GnuPG 1.4.11 or GPGME 1.1.4? The latter is quite old and the NEWS file shows that 1.1.5 and 1.1.6 both had fixes for Windows. The current version is 1.3.0; a binary for Windows of that versions (or a slightly newer one) comes as part of gpg4win.org (it is sufficient to download gpg4win-light-2.1.0). Our application is using a single thread for the decryption. We are dynamically linking to the libpgme-11.dll using LoadLibrary(). Please link directly against libgpgme. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: private key protection
On Tue, 18 Oct 2011 15:05, r...@sixdemonbag.org said: No, it's still a single file (pubring.gpg, for instance, is the public keyring). I just can't promise that it's still a raw stream of RFC4880 octets. It still is for the public keys. 2.1 changes the format of the secring (well, dropped it entirely and stores only the needed bits elesewhere). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Tue, 18 Oct 2011 15:30, jer...@jeromebaum.com said: In fact to my knowledge outside of webmail and inside private email (so drop companies, universities, schools) it's usual to configure your own MUA, with the help of instructions from your ISP. Well, so we need to convince them to change those instructions. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: private key protection
On Tue, 18 Oct 2011 15:19, r...@sixdemonbag.org said: Arguably we should be using 'certificate' to describe keys, but We tried that in the Gpg4win manuals. However it turned out that this term as other problems when used with OpenPGP keys (ah well, keyblocks). honestly, that's a losing battle: the community's inertia on the subject of 'key' is immense. Right. There is a public key and there is a private (aka secret) key. How they are made up is a technical detail. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Tue, 18 Oct 2011 16:30, pe...@digitalbrains.com said: Because it is the e-mail address of the recipient you look up; that's all the data you have in this scenario. Thus, for me you would look up a key corresponding to user peter at the domain digitalbrains.com. The only logical Right. That is the whole point. We want to make keys invisible. You can't explain easily why you need a separate public key if you already have an email address. Thus from the user's point of view the email address is the public key. digitalbrains.com, which is under control of the e-mail provider. ISP here means e-mail provider, by the way, perhaps that is the confusion. Unless I'm the one Sure, email provider. However for most users this is identical to the ISP: First of all they need a connection to the Internet. Unless you spend a lot of money for the connections you will get an email address along with your user identification for DSL access. The email provider sets up something like /etc/aliases for the mail address and some of them also enter records into their zone file with the mailbox name for anti-spam protocols. They need to enter yet another record into a zone file to allow a key lookup by the assigned mail address. Salam-Shalom, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Tue, 18 Oct 2011 15:42, mw...@iupui.edu said: To be secure without being involved in the process is an unreasonable expectation which can never be met. We need to teach our kids to expect to protect themselves online the same way we teach them to look We did this for about 15 years - without any success. If you look at some of the studies you will see that you can't teach that stuff to non-techies - sometimes not even to engineers. Let's compare it using an example from the not too far past: It has been claimed that most VCRs used to blink 12:00 but nevertheless they were sold and did what they should do: tape movies. This is similar to mail: Everyone is able to send and receive mail but most are not able to (set the VCR timer|encrypt the mails). Newer features in VCRs set the clock automatically and make the timer setting task much easier in the user interface (e.g. by selecting the title of the movie you want to tape from a electronic program magazine). This user experience is what we need to aim for. both ways before crossing the street. Probably at the same age. That is easy because we have learned over thousands of years to use our senses to be safe. Our senses for those small electrons are not as matured as the the others. Why should they - we know about them only for maybe 300 years. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Tue, 18 Oct 2011 16:35, jer...@jeromebaum.com said: operations will be the most important part to making that work, and the ISPs don't have to help out there (modulo webmail which isn't even end-point). Even webmail. It is easy to write a browser extension to do the crypto stuff. Installing browser extensions is even easier than installing most other software. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Thu, 20 Oct 2011 05:30, lists-gnupg...@lina.inka.de said: the lowest efford are discovery via personal web pages like doing XDR or maybe webfinger. Most users wont be able to have special RRs - not even Most users don't have personal web pages. So what now? Well many users have a facebook page - but this would make facebook mandatory and we woold need support from them (at least to guarantee that they don't break any assumptions). Not much different to work with ISPs. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Wed, 19 Oct 2011 22:10, kloec...@kde.org said: What NEW standard are you talking about? Werner wants to use OpenPGP. and S/MIME! We actually don't care. For certain MUAs it is much simpler to implement something on top of S/MIME than to trying to get OpenPGP support. The actual protocol in use does not matter to the user (only to use experts). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: The problem is motivational
On Thu, 20 Oct 2011 07:39, makro...@gmail.com said: Interesting. However, the problem of widening email encryption practice is not technical, it is motivational. Right and that is why it encryption must be the default. On the other hand, I keep wondering: why are we (and we obviously are, witness this paper and the initiative behind it) so motivated to spread the gospel of e-mail encryption among those that completely lack the motivation for it? Because we, who care about privacy, are affected by those who don't care. Too much confidential stuff (e.g. medical records) is mailed around in the clear despite that there are strong regulations that this is verboten. Virtually everyone is ignoring these privacy policies because they have no chance to apply them. It is just too hard to get it done. People want fast information and many learned how to use mail. But they can't manage to do all this crypto voodoo - if they at all know how to do it and that there is such a thing. We need to make it easier - even for the facebook crowd. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: STEED - Usable end-to-end encryption
On Fri, 21 Oct 2011 01:46, marcus.brinkm...@ruhr-uni-bochum.de said: not ask for data that is not available for whatever reason. I think your interpretation of the regulations in that area is overly pessimistic, but I could be wrong. Maybe you can verify this? Actually the German Federal commissioner for data protection demands the use of strong encryption. According to him the message-escrow-able de-mail.de law and services are not suitable for private messages. [1] Salam-Shalom, Werner [1] In German: http://www.bfdi.bund.de/DE/Oeffentlichkeitsarbeit/Pressemitteilungen/2011/12_InkrafttretenDEMailGesetz.html?nn=408908 -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users