Re: WKD: conveying intent of encrypt-by-default?

2022-10-13 Thread Phil Pennock via Gnupg-users
On 2022-10-04 at 20:00 -0400, Daniel Kahn Gillmor wrote: > Autocrypt's focus is ubiquitous deployment of keying material (in the > form of OpenPGP certificates) so that people *can* encrypt when sending > mail. We found that one of the big risks is that a peer might > *automatically* encrypt when

WKD: conveying intent of encrypt-by-default?

2022-10-03 Thread Phil Pennock via Gnupg-users
Folks, I set up WKD for work a while back, to publish the PGP keys for those who had them. Then in November I removed the first key because it was causing Protonmail users to keep sending encrypted to the recipient and a lot of his communications turned out to be with Protonmail users. Now we've

Re: --auto-key-retrieve fails for some keys

2021-11-02 Thread Phil Pennock via Gnupg-users
On 2021-11-02 at 16:05 +0100, Tadeus Prastowo via Gnupg-users wrote: > The signature on a Linux kernel can be verified successfully using > `--auto-key-retrieve', but the signature on an Emacs cannot be > verified in the same manner because gpg is unable to retrieve the > needed public key

Re: trust-model and federated lookups

2021-10-25 Thread Phil Pennock via Gnupg-users
On 2021-10-25 at 15:12 +0200, Neal H. Walfield wrote: > This absolutely makes sense. One way to model this in the web of > trust is to imagine that you have a "WKD key," which you consider a > partially trusted introducer, and which certifies keys that you > retrieve via WKD. Practically, it's a

trust-model and federated lookups

2021-10-22 Thread Phil Pennock via Gnupg-users
Folks, When evaluating the trust we have in the identity attached to a key, I often see "WARNING: We have NO indication whether the key belongs to the person named as shown above"; at the same time, `--with-key-origin` for the very same key will show "origin=wkd". GnuPG uses the trust-model

Re: WKD docs on the wiki, restructuring. Feedback on forUsers page

2021-09-30 Thread Phil Pennock via Gnupg-users
On 2021-09-30 at 12:17 +, ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote: > Hmm, this is odd. I set up WKD as detailed on the > https://wiki.gnupg.org/WKDHosting (using the openpgpkey subdomain), currently > only for one address on my domain (s...@chiraag.me). Opening the file > directly in a web

Re: Why is --auto-key-locate only for encrypting?

2021-09-01 Thread Phil Pennock via Gnupg-users
On 2021-09-01 at 13:50 +0200, Ingo Klöcker wrote: > On Mittwoch, 1. September 2021 07:55:21 CEST raf via Gnupg-users wrote: > > Why is the --auto-key-locate only for encrypting (says > > the gpg(1) manpage)? Wouldn't it also be useful when > > receiving emails and verifying signatures? > >

Re: RSS/Atom for the GnuPG blog?

2021-01-22 Thread Phil Pennock via Gnupg-users
On 2021-01-22 at 18:10 +0100, Werner Koch via Gnupg-users wrote: > BTW, if you are just interested in updates to our software you can check > also https://versions.gnupg.org/swdb.lst for updates. Or watch the > source of this list, which is in the gnupg-doc repo as swdb.mac. > > The tool

Re: RSS/Atom for the GnuPG blog?

2021-01-22 Thread Phil Pennock via Gnupg-users
On 2021-01-21 at 11:46 +0100, jman wrote: > There's no direct RSS/Atom feed (afaics). However the blog is a git > repository [0] with a RSS/Atom feed (there's a link at the bottom of the > page). As a workaround you subscribe to that feed (I didn't test it). I have tested it: I use Slack with the

Re: Avoid recipient-compatibility SHA1

2020-11-18 Thread Phil Pennock via Gnupg-users
On 2020-11-17 at 22:18 -0700, Mark wrote: > Not to ask a stupid question but how can you tell which algorithm your > keys are using and if using SHA1 update them to a more secure one? I have a better answer than my previous one, because the very next mailing-list I read has a post today from the

Re: Avoid recipient-compatibility SHA1

2020-11-18 Thread Phil Pennock via Gnupg-users
Signature Algorithm) Public-key size: 1024 bits Creation time: 2001-08-03 17:34:53 UTC UserID: Phil Pennock [censored email address in this list post] Invalid: Policy rejected non-revocation signature (PositiveCertification) because: SHA1 is not considere

Re: Avoid recipient-compatibility SHA1

2020-11-17 Thread Phil Pennock via Gnupg-users
On 2020-11-17 at 15:47 +, Stefan Claas wrote: >} Since 2005, SHA-1 has not been considered secure against well-funded >} opponents;[4] as of 2010 many organizations have recommended its >} replacement.[5][6][7] NIST formally deprecated use of SHA-1 in 2011 >} and disallowed its use for digital

Re: Avoid recipient-compatibility SHA1

2020-11-02 Thread Phil Pennock via Gnupg-users
On 2020-11-02 at 13:49 +0100, Werner Koch via Gnupg-users wrote: > On Fri, 30 Oct 2020 00:10, Phil Pennock said: > > recipient. That's fine. I'd rather create pressure for people to fix > > their systems to use modern cryptography than cater to their brokenness > > wi

Avoid recipient-compatibility SHA1

2020-10-29 Thread Phil Pennock via Gnupg-users
Folks, Normally everything I do with GnuPG is using SHA256 digests, and I normally keep "weak-digest SHA1" in my gpg.conf file. I just sent a message to N recipients, and I think one of them probably has some preference algorithm in their key details, because this one mail was signed using SHA1,

Re: Which keyserver

2020-09-19 Thread Phil Pennock via Gnupg-users
On 2020-09-19 at 11:44 +0100, MFPA via Gnupg-users wrote: > On Friday 18 September 2020 at 4:32:55 PM, in > , Phil > Pennock via Gnupg-users wrote:- > > > > keys.gnupg.net is a CNAME for > > hkps.pool.sks-keyservers.net -- which is > > now returning zero re

Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 15:04 +0200, accounts-gn...@holbrook.no wrote: > Is it possible to define multiple sources of keys with WKD, for example > with a dns TXT record? The use-case would be if the main server is down, > alternative places to get it. The SRV record approach had to be dropped because

Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 08:06 -0700, Mark wrote: > I use GPG4Win and I've noticed that "hkp://keys.gnupg.net" is not > working right. I was not getting any hits back when searching with > Kleopatra and then I tried to ping that server which returned host not > found. So I'm also interested if there is a

Re: Which keyserver

2020-09-18 Thread Phil Pennock via Gnupg-users
On 2020-09-18 at 10:08 +0200, Franck Routier (perso) wrote: > Le jeudi 17 septembre 2020 à 18:13 -0400, Phil Pennock via Gnupg-users > a écrit : > > If publishing keys, I do recommend setting up WKD for your > > domain, which helps a little. > > What

Re: Which keyserver

2020-09-17 Thread Phil Pennock via Gnupg-users
On 2020-09-17 at 22:57 +0200, Martin wrote: > Which keyserver do you recommend these days? For what purpose? For receiving updates to previously known keys, of people who care enough about their keys to distribute their keys across multiple keyservers instead of just going "I pushed it to the

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Phil Pennock via Gnupg-users
On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and >

Re: gpg-agent is older than us

2020-08-21 Thread Phil Pennock via Gnupg-users
On 2020-08-21 at 19:00 +, Ajax via Gnupg-users wrote: > On a Debian box, 'gpg -K' gives "server 'gpg-agent' is older than us > (2.2.12 < 2.2.21)". 2.2.21 was built using speedo in my home > directory populating ~/bin which appears at the head of $PATH. The > commands 'which gpg' and 'which

Re: WKD - .onion redirects mapping

2020-08-04 Thread Phil Pennock via Gnupg-users
On 2020-08-04 at 16:46 +0200, Werner Koch via Gnupg-users wrote: > Yes, privacy. But that is just a welcome side-effect. What we need is > that the domain is authenticated so that we can consider the key to be > valid at a certain level. I see no way how you can do this via an > anonymizer

WKD - .onion redirects mapping

2020-07-27 Thread Phil Pennock via Gnupg-users
Folks, Is there any facility in GnuPG, or any neat hacks which can be applied to current releases, to be able to remap WKD queries to go to specified .onion hosts? Eg, lists: openpgpkey.debian.org: http://habaivdfcyamjhkk.onion/ and indeed if I use `gpg

Re: Multiple UIDs or multiple master keys?

2020-07-14 Thread Phil Pennock via Gnupg-users
On 2020-07-14 at 00:48 +, Philihp Busby via Gnupg-users wrote: > 2: What benefits are there to having separate master keys for > personal and professional use? Outside of not wanting the > identities linked, because I am not yet famous enough for that. When the day comes that I

Re: WKS server problems

2020-03-21 Thread Phil Pennock via Gnupg-users
On 2020-03-21 at 23:30 +, Andrew Gallagher wrote: > I'm trying to follow the WKS instructions from the wiki[1] on a remote > VM, but it hangs at the key generation stage: [...] > gpg (GnuPG) 2.2.4 Is this a newly created VM? Can you not use the opportunity of "nothing else on the system

Re: Re: Help me on this

2020-03-02 Thread Phil Pennock via Gnupg-users
On 2020-03-02 at 14:23 +, Gubba, Srikanth (HNI Corp) wrote: > Thank you for your response , please see this screen shot it has both keys. > I have imported secret key but still getting same error message , can you > please help on this. Oh, I didn't look closely enough at the error in the

Re: Help me on this

2020-03-01 Thread Phil Pennock via Gnupg-users
On 2020-02-28 at 22:31 +, Gubba, Srikanth (HNI Corp) via Gnupg-users wrote: > When I want to decryption for the encrypted file am getting below error > message : > gpg: using subkey 7E5B6A6AB3392A8D instead of primary key 1CC8C8AD84BF7E76 > gpg: encrypted with 2048-bit ELG key, ID

Re: How to create an authinfo.gpg encrypted file with a GitHub token

2020-02-26 Thread Phil Pennock via Gnupg-users
On 2020-02-26 at 00:18 +, John Stevenson wrote: > I would like to store a GitHub personal access token in a file called > ~/.authinfo.gpg so that the token is not stored unencrypted on my > computer. This file would be used by Emacs to talk to GitHub via its API. > > I have never used GnuPGP

Re: swdb.lst problem

2020-02-10 Thread Phil Pennock via Gnupg-users
On 2020-02-09 at 16:44 -0500, murphy via Gnupg-users wrote: > With a new version of raspbian out for the raspberry pi I'm having > trouble with a speedo compile of gnupg-2.2.19 with error messages: > Also when I try to download swdb.lst directly it fails with: > >

Re-sign subkey binding with changed digest?

2020-01-08 Thread Phil Pennock via Gnupg-users
So, this SHA-1 mess is "fun". To get a fresh self-sig user ID signature on the main key, I can do this: gpg --expert --cert-digest-algo SHA256 --sign-key ${KEYID:?} The `--expert` overrides the "already signed" safety check, letting you confirm that yes you really want this. Alas, it seems

Re: Reason string revocation

2019-12-27 Thread Phil Pennock via Gnupg-users
On 2019-12-26 at 23:06 +0100, Dirk-Willem van Gulik wrote: > Is there a flag that shows you the 'reason/explanation' string and cause > when examining a revocation msg with gpg2 ? > > It seems that both --import and a simple 'gpg2 revoc.asc' show you the key - > but not the rest of the info ? $

Re: Testing WKD setup?

2019-07-08 Thread Phil Pennock via Gnupg-users
On 2019-07-07 at 20:48 +0200, Wolfgang Traylor via Gnupg-users wrote: > > is there a service or similar where I can check if this email address is > > properly WKD-enabled? > > https://metacode.biz/openpgp/web-key-directory It's nice, but it also checks stuff which isn't per the spec, so gives

Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-03 Thread Phil Pennock via Gnupg-users
On 2019-07-03 at 09:17 +0100, Andrew Gallagher wrote: > I didn't even know it supported finger URLs - handy to know! Opening a > finger port may be a step too far for the security-conscious though... Depends upon the implementation. I'm biased here, I wrote my own in Go back in 2016:

Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-03 Thread Phil Pennock via Gnupg-users
On 2019-07-02 at 11:56 +0200, Wiktor Kwapisiewicz via Gnupg-users wrote: > On 01.07.2019 14:36, Andrew Gallagher wrote: > > OpenPGP already has the "keyserver" field which is rarely used. It is > > supposedly a hint to clients to tell them to prefer a particular > > keyserver, but it could also be

Re: Infinite loop?

2019-06-25 Thread Phil Pennock via Gnupg-users
On 2019-06-25 at 18:47 -0400, Daniel Kahn Gillmor via Gnupg-users wrote: > Interesting! my pubring.kbx is 147MiB, but GnuPG still should not run > forever when doing --list-keys. It takes 17s to complete the listing of > my pubring.kbx, as measured by "time gpg --list-keys > /dev/null" With

Re: Hostname of key server pool disappeared? hkps.pool.sks-keyservers.net

2019-03-18 Thread Phil Pennock
On 2019-03-18 at 23:09 +1000, Ted Cooper wrote: > If there is a more appropriate place to post this please do let me know. > Methods of contact and persons responsible for the sks-keyservers > infrastructure is not obvious. Onto the problem; The SKS Devel mailing-list is also used for Operations

Re: Several GnuPG instances, with their corresponding agents

2019-03-11 Thread Phil Pennock
On 2019-03-10 at 01:25 -0500, Konstantin Boyandin via Gnupg-users wrote: > I would like to use, whenever I like, manually builds (such as current > 2.2.13). > > Question: how do I keep several GnuPG versions installed, every version > with its own gpg-agent? After running ./configure [--args],

Re: Choice of ECC curve on usb token

2018-06-29 Thread Phil Pennock
On 2018-06-29 at 18:07 +0200, Damien Cassou wrote: > NIIBE Yutaka writes: > > Why not Curve25519, if you use ECC? > > I'm not sure I want ECC after reading this: > https://crypto.stackexchange.com/a/60394/60027 Curve25519 is not NIST ECC. It is ECC. "ECC" = "Elliptic Curve Cryptography", it

dirmngr Windows DNS resolution of pools (Re: Problem refreshing keys)

2018-06-15 Thread Phil Pennock
On 2018-06-14 at 06:24 -0400, Jerry wrote: > gpg-connect-agent --dirmngr "GETINFO version" /bye > gpg-connect-agent: no running Dirmngr - starting 'C:\Program Files > (x86)\Gpg4win\..\GnuPG\bin\dirmngr.exe' > gpg-connect-agent: waiting for the dirmngr to come up ... (5s) > gpg-connect-agent:

Re: Problem refreshing keys

2018-06-13 Thread Phil Pennock
On 2018-06-13 at 09:52 -0400, Jerry wrote: > On Wed, 13 Jun 2018 15:25:04 +0200, Werner Koch stated: > >The common problem on Windows: You can't use ' to quote; we Unix folks > >always forget about that. Use Bah, I just didn't know. :D I suspected though, which is why I mentioned typing

Re: Forward gpg-agent to container

2018-06-11 Thread Phil Pennock
On 2018-06-10 at 18:05 +0200, Benjamin Kircher wrote: > This gives me > > gpg: can't connect to the agent: IPC connect call failed > > from within the container. > > Command lines that led to this output are: > > $ docker run --volume $(gpgconf --list-dirs >

Re: Forward gpg-agent to container

2018-06-05 Thread Phil Pennock
On 2018-06-05 at 17:17 -0400, Phil Pennock wrote: > Shell 2: > $ docker run -it --rm -v /var/run/pdp.gnupg:/root/.gnupg/S.gpg-agent.ssh > alpine > / # chmod 0700 /root/.gnupg && chown root:root /root/.gnupg/S.gpg-agent > / # apk update && apk add --no-cache gnupg I

Re: Forward gpg-agent to container

2018-06-05 Thread Phil Pennock
On 2018-06-05 at 20:18 +0200, Peter Lebbing wrote: > Have you tried by hand whether the concept of communicating over a > socket to a container works at all? You could use socat to create a > socket and communicate, one socat on your host system and one inside the > container. > > I have no

Re: A Solution for Sending Messages Safely from EFAIL-safe Senders to EFAIL-unsafe Receivers

2018-05-23 Thread Phil Pennock
On 2018-05-22 at 19:35 -0700, Craig P Hicks wrote: > "A Solution for Sending Messages Safely from EFAIL-safe Senders to > EFAIL-unsafe Receivers" > > https://github.com/craigphicks/efail-safe-send-to-insec-recv/wiki There's an existing semi-standard for trying to improve email security by moving

Re: A postmortem on Efail

2018-05-20 Thread Phil Pennock
On 2018-05-20 at 02:26 -0400, Rob J Hansen wrote: > https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08 Excellent post. I favor breaking backwards compatibility and including in the shipped README a description of "The conditions under which we anticipate future backwards

Re: Is signing a file with multiple keys possible

2018-03-23 Thread Phil Pennock
On 2018-03-24 at 00:31 +0100, Dirk Gottschalk via Gnupg-users wrote: > Is it possible to sign a file with multiple keys? Yes. Slightly lower-level operations than normal signing, but not by much, you just need to know about enarmor/dearmor and how signatures are put together. > For Example:

Re: GnuPG 2.2.4 on Windows - problems accessing some HKPS keyservers

2018-01-23 Thread Phil Pennock
On 2018-01-22 at 20:12 -0500, David Gray via Gnupg-users wrote: > I'm running GnuPG 2.2.4 on Windows. I'm able to successfully query the SKS > keyserver pool via HKPS (hkps://hkps.pool.sks-keyservers.net) with no > problems. I'm trying to query the hkps://keys.mailvelope.com keyserver, and > I'm

Re: failed to convert unprotected openpgp key: Checksum error

2018-01-22 Thread Phil Pennock
On 2018-01-19 at 19:57 +1100, Simon Kissane wrote: > However, when I try to decrypt data encrypted with the private key, I > get a "failed to convert unprotected openpgp key: Checksum error" Simpler check: % gpg --export-secret-key gpg: key 4252EB6983CE74C44F549B6F8666715904EE61F2: error

Re: is there a preferred order to building dependencies for gnupg2

2018-01-10 Thread Phil Pennock
On 2018-01-10 at 11:39 +, Damien Goutte-Gattat wrote: > On 01/10/2018 09:25 AM, Henry wrote: > > There are five libraries required to build gnupg2: libgpg-error, > > libgcrypt, libassuan, libksba and npth. > > > > Is there a preferred order in which they should be built? > > Libgpg-error

Re: Performance regression, 2.2.3/recent?

2017-12-05 Thread Phil Pennock
On 2017-12-04 at 18:20 +0900, NIIBE Yutaka wrote: > It seems that pubring.kbx is accessed recursively (something by depth 3, > by fd: 4, 7 and 10 (fd 3 is to check the file type, I guess)). > > Could you please try with --no-expensive-trust-checks option, if it > changes the behavior? Yes:

Performance regression, 2.2.3/recent?

2017-12-02 Thread Phil Pennock
Anyone else seeing major slowdowns with keyring dumping in recent GnuPG on Linux? I have a dump-state script used for monthly backups where after an hour, I gave up. The step is just: gpg --with-colons --with-fingerprint --with-subkey-fingerprint --with-secret --list-keys but pubring.kbx is

Re: Questions about particular use cases (integrity verification w/o private key, add E flag to primary key, import secp256k1 key)

2017-08-28 Thread Phil Pennock
On 2017-08-28 at 19:05 -0400, Rob J Hansen wrote: > > 1. Is it possible, when transporting a message from Alice to Bob, > > without holding any of their private keys, to do the following checks: > > - verify the integrity of the message and make sure it is sanitized and > > Bob can decrypt it with

Re: Obtaining sig2 and sig3 signatures

2017-05-30 Thread Phil Pennock
On 2017-05-30 at 21:25 +0200, Stefan Claas wrote: > Let's assume we would exchange signed emails (PGP/SMIME) would these proofs > be enough for you to warrant a sig2? And for a sig3 an additional video > conference? No. A public signature is an attestation to others of identity. If it's based

Re: Don't send encrypted messages to random users

2017-05-30 Thread Phil Pennock
On 2017-05-29 at 18:58 +, listo factor via Gnupg-users wrote: > This I find surprising: if one does not want receiving > encrypted messages from those that he does not have > existing relationship with, why does he publish his > public key on public keyservers? (1) Who says they published it?

Re: Stripping expired subkey during export?

2017-03-03 Thread Phil Pennock
On 2017-03-03 at 09:51 +0100, Werner Koch wrote: > Not cleaning expired subkeys is a good thing for secret key export, so > that you can keep on decrypting old mails. Sure, but this is a non-secret export, for the versions for publication. > Exporting

Stripping expired subkey during export?

2017-03-02 Thread Phil Pennock
For certain exports of my PGP key, I want the key minimized and clean of cruft; while the public keyservers will reaccumulate all signatures, data-sources where "presence is trust" do not need everything else. Smaller keys for DNS records, certain authenticated databases, etc. I also recently

Real-world current impact of disabling SHA1

2017-02-24 Thread Phil Pennock
There are various claims going around about how GnuPG should be disabling SHA1 now; the competent cryptographers I know are pointing out that a collision is not a second pre-image, don't panic and cargo-cult (but also yes it's time and past time to be making sure we have a clear path away). I'm

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-03-01 Thread Phil Pennock
Short version: bad interaction of GnuPG, cURL and Apache. Can probably be worked around in Apache config, can definitely be worked around in GnuPG code, should aim to get both done. On 2013-02-28 at 10:01 -0800, Doug Barton wrote:

Re: [Sks-devel] pool.sks-keyservers.net issues (was: Questions about OpenPGP best practices)

2013-02-28 Thread Phil Pennock
On 2013-02-27 at 10:57 +0100, Niels Laukens wrote: Apologies for cross-posting to both mailing lists, but since I got replies via both ways I feel this is the easiest way to sync them. Current status: Kristian and I have debugged and he found the core issue. If I load down my server, we can

Re: [Sks-devel] pool.sks-keyservers.net issues

2013-02-28 Thread Phil Pennock
On 2013-02-28 at 09:12 +0100, Niels Laukens wrote: On 2013-02-28 00:50, Phil Pennock wrote: The best fix is to use gpg with a real cURL library. I'm currently using a downloaded binary from gpgtools.org. I don't see libcurl in the list of shared objects used by the binary (otool -L, Mac's

Re: 1.4.12 beta installer for Windows

2013-02-01 Thread Phil Pennock
Veet Vivarto wrote: My friend and I, are working on an easy to use front-end for GPG for Windows and Mac. Veet, Know your competition; GPG Keychain Access exists for MacOSX, can be found at http://gpgtools.org/keychain.html and is part of GPGTools, which also provides Mail.app integration,

OT: PGP Keyservers Google+ Community

2012-12-20 Thread Phil Pennock
[ Somewhat, but not completely, off-topic. ] Hey, if anyone here cares about the sorts of people who care about PGP Keyservers, and if you use Google+, then there's now a G+ Community which will help you find others with tastes as strange as yours. ;) I've created PGP Keyservers, tagline Public

Re: [Sks-devel] SRV records and HKPS requests

2012-12-07 Thread Phil Pennock
On 2012-12-05 at 23:32 -0500, David Shaw wrote: It's working, it's just misleading since the SRV replacement happens after the debug logging so the actual URL that is hit is not the one that is being logged. If you look at netstat, you can see it's connecting to the right port. Sorry for the

Re: [Sks-devel] SRV records and HKPS requests

2012-12-03 Thread Phil Pennock
On 2012-12-02 at 23:46 -0500, David Shaw wrote: I tried talking to keytest.spodhuis.org to test, but all the ports returned in the SRV were not listening. Or at least, not listening to me ;) *blush* Fixed, sorry. -Phil

Re: [Sks-devel] SRV records and HKPS requests

2012-12-03 Thread Phil Pennock
is http://keytest.spodhuis.org:11371/pks/lookup?op=get&options=mr&search=0x403043153903637F; * HTTP auth is null * HTTP method is GET gpg: key 0x403043153903637F: Phil Pennock phil.penn...@globnix.org not changed gpg: Total number processed: 1 gpg: unchanged: 1 8

Re: [Sks-devel] SRV records and HKPS requests

2012-10-07 Thread Phil Pennock
GnuPG folks (since this is cross-posted, if my mail makes it through): there is a bug in GnuPG's SRV handling, I've identified where I think it is, it's in the second block of text from me; the first part of this mail relates to SKS and some policy issues around the new keyserver pool

Re: [Sks-devel] SRV records and HKPS requests

2012-10-07 Thread Phil Pennock
On 2012-10-06 at 22:20 -0400, Phil Pennock wrote: So, there's a `port` and an `opt-port`; the SRV lookups set `opt-port` but not `port`, while the URL given to curl uses `port`. It seems like changing 537 to: port = opt-port = newport should fix it as a stop-gap. bugs.g10code.com

Re: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)

2006-03-02 Thread Phil Pennock
On 2006-03-01 at 19:10 +0100, Sergi Blanch i Torné wrote: Ok, in this case (David correct me if i am wrong) it look like there was something broke in the pubring that was fixed when you ran '--update-trustdb' (over an unpatched binary). Makes sense, although I'm curious as to what, and how

Re: Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)

2006-03-01 Thread Phil Pennock
On 2006-02-28 at 13:07 +0100, [EMAIL PROTECTED] wrote: Ok, now it works, but can you send me any information that could be interesting? For example how you create the 0xC9541FB2, It's a public key for someone else, imported with --recv-key, because it's in a trust path I need. I do have a

Ohhhh jeeee: ... this is a bug (getkey.c:2079:merge_selfsigs)

2006-02-27 Thread Phil Pennock
Is this a known issue, fixed in 1.4.3? There's nothing obviously dealing with it in URL:http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/cipher/ChangeLog?rev=4003&view=markup % gpg --version gpg (GnuPG) 1.4.2.1-ecc0.1.6 [...] % gpg --list-sigs 0xC9541FB2 [...] gpg: Ohhhh jeeee: ... this is a bug