Re: Announcing paperbackup.py to backup keys as QR codes on paper

-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Gerd-- On Tue 2017-02-21 09:34:17 -0500, Gerd v. Egidy wrote: > I'd like to announce a program I wrote to backup GnuPG and SSH keys as > qrcodes on paper: > > paperbackup.py > https://github.com/intra2net/paperbackup > > This is designed as

Re: GnuPG2.1 is using the wrong signing subkey

On Tue 2017-02-21 16:27:55 -0500, Will Dixon (Clemsonopoly94) wrote: > So I am having an issue signing documents with gpg2.1. Every time I try and > sign something, I get: > > λ dixonwille [~] → gpg2 --detach-sign Images/EinsteinWP.jpg > gpg: using "0xEC933DA229123788" as default secret key for

Re: Problems with cert validation via CRL

Hello, again, David Gray wrote: > dave@dave-VirtualBox:~/.gnupg/crls.d$ dirmngr --debug-all --fetch-crl > http://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEmailCA.crl Reading the code of dirmngr, I think that --fetch-crl (or dirmngr-client --load-crl)

GnuPG2.1 is using the wrong signing subkey

So I am having an issue signing documents with gpg2.1. Every time I try and sign something, I get: λ dixonwille [~] → gpg2 --detach-sign Images/EinsteinWP.jpg gpg: using "0xEC933DA229123788" as default secret key for signing gpg: signing failed: No secret key gpg: signing failed: No secret key

No such file or directory error with gpgme

I am trying to setup a signed apt repository. When I run reprepro, it is failing with error $ reprepro includedeb xenial /tmp/mod-pagespeed-stable_current_amd64.deb Exporting indices... gpgme gave error Pinentry:32849: No such file or directory ERROR: Could not finish exporting 'xenial'! I

Re: Problems with cert validation via CRL

Thanks, Peter! According to the documentation the trusted certainty need to be in a folder named "trusted-certs" in the home directory. I don't believe I've copied them there manually, so if it hasn't happened automatically that could very well be the issue. I'm at work but once I get home

Announcing paperbackup.py to backup keys as QR codes on paper

Hi, I'd like to announce a program I wrote to backup GnuPG and SSH keys as qrcodes on paper: paperbackup.py https://github.com/intra2net/paperbackup This is designed as fallback if all your regular backups failed to restore or were lost. Usage is like this: gpg2 --armor --export "User

Re: GPG, subkeys smartcard and computer

On 21/02/17 15:23, Peter Lebbing wrote: > On 21/02/17 16:19, Andrew Gallagher wrote: >> And this is the main reason I started running my own keyserver - by >> refreshing your monkeysphere-host keyring, you are leaking to the >> keyserver which user credentials have login access to your system. :-)

Re: Problems with cert validation via CRL

On 21/02/17 13:20, David Gray wrote: > I'm no expert, but when I look at the debug info (attached to > original email), it appears that gpgsm is able to get the crl that my > cert points to but it may be having trouble parsing it. Reading that part made me think it couldn't find the issuer of the

Re: GPG, subkeys smartcard and computer

On 21/02/17 16:19, Andrew Gallagher wrote: > And this is the main reason I started running my own keyserver - by > refreshing your monkeysphere-host keyring, you are leaking to the > keyserver which user credentials have login access to your system. :-) But if an attacker can cut off your SSH

Re: GPG, subkeys smartcard and computer

On 21/02/17 15:58, Kristian Fiskerstrand wrote: > Keep in mind, the keyring in the scope of monkeysphere is normally one > keyblock :) But yeah, the crontab frequency will depend a bit on system. Not for multi-user systems with many accounts; it would only be the case for personal servers. Is a

Re: GPG, subkeys smartcard and computer

On 21/02/17 15:17, Peter Lebbing wrote: > On 21/02/17 15:58, Kristian Fiskerstrand wrote: >> Keep in mind, the keyring in the scope of monkeysphere is normally one >> keyblock :) But yeah, the crontab frequency will depend a bit on system. > > Not for multi-user systems with many accounts; it

Re: GPG, subkeys smartcard and computer

On 02/21/2017 03:15 PM, Peter Lebbing wrote: > If Kristian Fiskerstrand says it's okay for SSH servers to refresh their > keyring every 20 or 30 minutes from the public keyserver netowrk, then I > guess it really is :-). I had estimated it as inappropriate. Keep in mind, the keyring in the scope

Re: Problems with cert validation via CRL

Thank you for your response! I do have the trustlist.txt file on both computers - it was automatically populated with the root cert by pin entry when I imported my certificate on both machines, and it includes the "relax" keyword on both computers. There are 3 cents total in my hierarchy -

Re: GPG, subkeys smartcard and computer

On 21 Feb 2017, at 13:37, Kristian Fiskerstrand wrote: >> On 02/21/2017 02:21 PM, Peter Lebbing wrote: >> Revoking the old A key and creating a new one needs to happen on the >> system you have the primary key on, so you need to subsequently roll out

Re: GPG, subkeys smartcard and computer

On 21/02/17 14:37, Kristian Fiskerstrand wrote: > Who said anything about creating a new one in this part of the process? Since I assumed you were siting behind a trusted machine with your primary key installed when you revoke, it made no sense to me to just revoke the key and not create a new

Re: GPG, subkeys smartcard and computer

On 02/21/2017 02:21 PM, Peter Lebbing wrote: > Revoking the old A key and creating a new one needs to happen on the > system you have the primary key on, so you need to subsequently roll out Who said anything about creating a new one in this part of the process? each device has separate A subkeys

Re: GPG, subkeys smartcard and computer

On 20/02/17 22:51, Kristian Fiskerstrand wrote: > Revocation of the specific subkey is automatically picked up by all > systems due to automatic refresh of the public key on regular intervals, > without losing access to the system from non-compromised devices. Revoking the old A key and creating

Re: powertop(8) Points at gpg-agent.

Hi, I wrote: > > Note that gpg-agent makes sure that the tick happens on the full > > second > > Noted. Though those `-tt' times from strace above have it creeping > forward, off the second? I wonder if aiming for dead on the second is a good idea. If everything did that then there might