9 [A]
The "#" mark tells that secret keys are missing from this keyring. Text
"sec#" means that the primary secret key is missing and "ssb#" tells the
same about secret subkeys. Those should read as "sec" and "ssb", without
the "#" mark, or "
ot use
the default simple strategy?
Keep secret keys secret so there is no need to rotate (sub)keys. Subkeys
don't need an expiry date at all. The primary key should (!) have an
expiry date which is updated as needed. That's it. No?
--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
because it does not depend on the
current file format. The export format should be compatible with almost
any OpenPGP implementation. If you back up important long-term keys
outside your normal computers I suggest using the export format: "gpg
--export-secret-keys".
g-agent.service
systemctl --user daemon-reload
signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://
-07 [C] [expires: 2023-11-07]
[Not really my key, so fingerprint removed.]
uid [...] Teemu Likonen
uid [...]
uid [...]
uid [...]
Then other people could more carefully certify different information in
user id's.
hat some people need to protect their identity and
use some random strings in user id's. That is completely different
from usual public communication.)
But this is nothing important. Key's owner decides.
have person's name.
Am I seeing a starting trend here? Do some people think that it is
better practice to have only an email address as user id? What might
be their reason? Or maybe it's not a trend and doesn't mean anything. I
got curious anyway. Add your speculation. :-)
bindings (fingerprint, email);
CREATE INDEX bindings_email on bindings (email);
CREATE INDEX encryptions_binding on encryptions (binding);
CREATE TABLE ultimately_trusted_keys (keyid);
e key that resides on keys.openpgp.org? Are
> the keys that are on these 3 keyservers the same?
Server keys.openpgp.org is different from SKS keyservers. Read more
about it here:
https://keys.openpgp.org/about
* 2020-10-11 22:47:01+02, Neal H. Walfield wrote:
> On Sun, 11 Oct 2020 11:02:00 +0200,
> Teemu Likonen wrote:
>> It seems that there is a visible signature packet in encrypted and
>> signed messages. See the output of this command:
>>
>> echo message |
ommand:
echo message | gpg --encrypt --sign --default-recipient-self | \
gpg --list-packets
--
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
s to find the
following string from the URL:
[Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]
"FINGERPRINT" is OpenPGP key fingerprint.
So the "profile" is managed entirely within OpenPGP key and those
external social media profiles.
rify PGPtest-0.eml
The MIME must be decoded first but gpg doesn't do that. It is the email
client's job to extract the MIME part that was signed and the signature
itself. Those two are sent to "gpg --verify".
je...@seibercom.net [2020-02-24T07:44:10-05] wrote:
> Is there any similar program for use on a FreeBSD based OS? My primary
> goal is to remove all expired keys and refresh the remaining ones if
> necessary.
For the primary goal of removing expired keys:
gpg --list-keys --with-colons | awk
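An added example, not from the thread and not the awk pipeline Teemu posted: a POSIX sh/awk filter that selects expired primary keys from "gpg --list-keys --with-colons" output and prints their fingerprints. It relies on the colon-format layout documented in GnuPG's doc/DETAILS (field 1 record type, field 2 validity with "e" meaning expired, and the full fingerprint in field 10 of the "fpr" record that follows each "pub" record). The sample listing inside the block is constructed, with fake key IDs and fingerprints.

```shell
#!/bin/sh
# Added example (not from the thread). Select expired primary keys from
# "gpg --list-keys --with-colons" output and print their fingerprints, one
# per line, so they can be handed to "gpg --delete-keys".
#
# Colon-format fields used (GnuPG doc/DETAILS):
#   field 1  record type ("pub", "fpr", "uid", "sub", ...)
#   field 2  validity; "e" means the key has expired, "r" revoked
#   field 10 of an "fpr" record: the full fingerprint
# The "fpr" record directly after a "pub" record belongs to the primary key.

expired_fingerprints() {
    awk -F: '
        # Remember whether the current primary key is expired.
        $1 == "pub" { expired = ($2 == "e") }
        # The first fpr after an expired pub is the primary fingerprint.
        $1 == "fpr" && expired { print $10; expired = 0 }
    '
}

# Constructed sample listing: one expired, one valid and one revoked key.
# Key IDs, fingerprints and uid hashes are fake placeholders.
SAMPLE_LISTING='pub:e:2048:1:1111111111111111:1400000000:1500000000::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:e::::1400000000::0000000000000000000000000000000000000000::Expired Example <expired@example.invalid>::::::::::0:
sub:e:2048:1:2222222222222222:1400000000:1500000000:::::e::::::23:
pub:-:2048:1:3333333333333333:1400000000::::::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:-::::1400000000::0000000000000000000000000000000000000000::Valid Example <valid@example.invalid>::::::::::0:
pub:r:2048:1:4444444444444444:1400000000::::::scESC::::::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD4444444444444444:
uid:r::::1400000000::0000000000000000000000000000000000000000::Revoked Example <revoked@example.invalid>::::::::::0:'

# Demonstration on the sample: prints only the expired key's fingerprint.
printf '%s\n' "$SAMPLE_LISTING" | expired_fingerprints

# Against the live keyring (not run here). Two caveats: --delete-keys
# refuses keys that also have a secret key, so your own expired keys stay,
# and once a key is gone, old signatures made with it cannot be verified.
# (-r is GNU xargs: run nothing when the list is empty.)
#   gpg --list-keys --with-colons | expired_fingerprints \
#       | xargs -r gpg --batch --yes --delete-keys
```

Revoked keys are deliberately left alone: a revocation is information you want to keep, whereas an expired certificate can be re-fetched from a keyserver or WKD if its owner extends the expiry date.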
Robert J. Hansen [2019-10-17T15:18:07-04] wrote:
> 1. How should we handle the SKS keyserver attacks?
>
> One school of thought says "SKS is tremendously diminished as a
> resource, because using it can wedge older GnuPG installations and we
> can't make people upgrade. We should recommend
Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote:
> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, [...]
I agree with that even though I have never really used Thunderbird.
But using a custom key storage and implementation (or do
Daniel Bossert [2019-09-17T15:12:09+02] wrote:
> On the key servers are many old keys lying around which aren't valid
> anymore.
>
> Could you implement a function on the servers which delete keys after
> let's say one year automatically,reminding the user via email one
> month ahead to reupload
Daniel Kahn Gillmor via Gnupg-users [2019-08-01T09:27:45-04] wrote:
> Here's one use case (i've got others if you want):
>
> * You have my OpenPGP certificate (with userid with e-mail address),
> but it is not published in full publicly because i do not want people
> to be able to find
i...@zeromail.org [2019-07-22T23:40:42+02] wrote:
> Thanks, that sounds possible. But I wonder, if there is a reason GnuPG
> won't let me revoke it directly - and if so, if that reasoning is
> strong enough to not even have a way to override it. Since I have keys
> with all user IDs revoked and I
Stefan Claas via Gnupg-users [2019-07-14T14:17:55+03] wrote:
> Teemu Likonen wrote:
>> I think you should add "--sender email@address" option so that your
>> signatures have information for WKD auto-key-retrieve method (and
>> also for TOFU statistics).
>
Stefan Claas via Gnupg-users [2019-07-14T06:55:53+02] wrote:
> My key is available via WKD or Hagrid.
I think you should add "--sender email@address" option so that your
signatures have information for WKD auto-key-retrieve method (and also
for TOFU statistics).
It is probably mail user agent's
Matthias Herrmann via Gnupg-users [2019-07-11T16:49:29+02] wrote:
> I created the .d directory and only overwrote ExecStart and ExecReload
> as you suggested.
Just remembered that there is also dirmngr.service for which you
probably want to do the same thing as for gpg-agent.service.
Michael Kesper [2019-07-11T17:15:19+02] wrote:
> I'd consider it a bug if updating a package does not trigger reloading
> all necessary services.
We have not been discussing a Debian package upgrade. This message
thread is about an additional local installation (/usr/local) which is
outside of
Michael Kesper [2019-07-11T16:45:06+02] wrote:
> Did anyone open a bug with Debian (best with proposing a fix)?
What bug? We have not seen a bug in this message thread.
Matthias Herrmann [2019-07-11T16:16:29+02] wrote:
> I edited /usr/lib/systemd/user/gpg-agent.service directly and changed
> the ExecStart and ExecReload paths.
It is not a good idea to edit that file directly; it's not a
configuration file. In systemd you should make your own changes in
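An added example, not from the thread: a small POSIX sh helper that writes systemd drop-in overrides for the gpg-agent.service and dirmngr.service user units (the dirmngr.service remark and the "systemctl --user daemon-reload" step elsewhere on this page are the same procedure), so the packaged unit files under /usr/lib/systemd/user are left untouched. The /usr/local prefix, the override.conf file name and the ExecStart/ExecReload lines follow the units GnuPG ships in doc/examples/systemd-user; compare them with "systemctl --user cat gpg-agent.service" on your own system before applying.

```shell
#!/bin/sh
# Added example (not from the thread). Override the binary paths of the
# packaged gpg-agent.service and dirmngr.service user units with systemd
# drop-ins instead of editing /usr/lib/systemd/user/*.service directly.
#
# Assumptions: GnuPG was installed under /usr/local (as in the thread), and
# the units use the "--supervised" ExecStart and the "gpgconf --reload"
# ExecReload that GnuPG ships in doc/examples/systemd-user/.

# write_dropin CONFDIR UNIT PREFIX
#   CONFDIR is normally ~/.config; the drop-in lands in
#   CONFDIR/systemd/user/UNIT.d/override.conf. Prints the file it wrote.
write_dropin() {
    confdir=$1
    unit=$2
    prefix=$3
    dir="$confdir/systemd/user/$unit.d"
    mkdir -p "$dir" || return 1
    case "$unit" in
        gpg-agent.service)
            # ExecStart and ExecReload are list-type settings: an empty
            # assignment clears the packaged value, otherwise systemd would
            # see two ExecStart lines and refuse to start the unit.
            cat > "$dir/override.conf" <<EOF
[Service]
ExecStart=
ExecStart=$prefix/bin/gpg-agent --supervised
ExecReload=
ExecReload=$prefix/bin/gpgconf --reload gpg-agent
EOF
            ;;
        dirmngr.service)
            cat > "$dir/override.conf" <<EOF
[Service]
ExecStart=
ExecStart=$prefix/bin/dirmngr --supervised
EOF
            ;;
        *)
            echo "write_dropin: no template for unit '$unit'" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$dir/override.conf"
}

# Demonstration into a scratch directory so nothing on the system changes.
DEMO_DIR=$(mktemp -d)
write_dropin "$DEMO_DIR" gpg-agent.service /usr/local
write_dropin "$DEMO_DIR" dirmngr.service /usr/local
cat "$DEMO_DIR/systemd/user/gpg-agent.service.d/override.conf"
rm -rf "$DEMO_DIR"

# Real use (not run here):
#   write_dropin "${XDG_CONFIG_HOME:-$HOME/.config}" gpg-agent.service /usr/local
#   write_dropin "${XDG_CONFIG_HOME:-$HOME/.config}" dirmngr.service /usr/local
#   systemctl --user daemon-reload
#   systemctl --user cat gpg-agent.service    # shows the merged unit
#   gpgconf --kill gpg-agent                  # old agent exits, socket restarts the new binary
```

After daemon-reload, "systemctl --user cat gpg-agent.service" shows the packaged unit with the drop-in appended, and killing the old agent with gpgconf lets the socket activation start the new binary, which is what makes the "server 'gpg-agent' is older than us" warning go away.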
Matthias Herrmann [2019-07-11T01:33:43+02] wrote:
> I've recently upgraded to Debian buster, and then upgraded gpg by
> downloading and installing the new version 2.2.17.
> Now, I get this warning:
>
>> gpg: WARNING: server 'gpg-agent' is older than us (2.2.12 < 2.2.17)
> I don't know why the
Patrick Brunschwig [2019-07-10T10:23:50+02] wrote:
> First users ask for support on getting rid of the keys flooded with
> signatures.
There is no need to get rid of the key itself, just the key signatures
which are the "flood". The commands are --edit-key and then "clean" or
"minimize". It is a
David Bürgin via Gnupg-users [2019-07-06T18:57:24+02] wrote:
> I have implemented WKD for my domain, but now I don’t know an easy way
> of testing it … is there a service or similar where I can check if
> this email address is properly WKD-enabled?
Can't answer to those questions but I got your
Konstantin Boyandin via Gnupg-users [2019-07-05T20:45:59-04:00] wrote:
> ATM, none of systems I use GnuPG in has been hit with the signature
> flood disaster. If I might miss that point - is it possible to get,
> somehow, the list of flooded keys IDs (if anyone keeps the stats)?
I don't maintain
Steffen Nurpmeso [2019-07-03 17:08:32+02:00] wrote:
> My question: is there any better way than a shell script over
> --list-keys --with-colon | grep ^pub | ...etc... to "minimize" keys in
> my keyring (with gpg1)?
It seems that there is no better way than scripting it. My "--edit-key +
clean"
Werner Koch [2019-07-03 12:04:55+02:00] wrote:
> On Wed, 3 Jul 2019 10:38, tliko...@iki.fi said:
>> I think everyone would prefer that import-clean would do all the
>> checking and cleaning before importing certificates to the local
>> keyring. The same thing with import-minimal.
>
> It does
e you and the manual say that "first import [to local keyring]
then clean".
So there are conflicting messages. Which of the two happens?
I think everyone would prefer that import-clean would do all the
checking and cleaning before importing certificates to the local
keyring. The
y? That would make "import-minimal" behave like
this new "self-sigs-only" and there would be no need for yet another
option. Who needs both "import-minimal" and "self-sigs-only"?
My opinion: make "keyserver-options import-clean" the default and ma
their web site or other common resources. For larger
audience it's probably enough to have an easy and automatic key
discovery and key update service, such as this keys.openpgp.org seems to
be. I think.
ation available, to be compliant with GDPR and friends. Do you
> think there are any downsides to this?
You should have added a link to information about this "latest new
keyserver" and its "different model" which you are referring to. Well,
here:
https://keys.openpgp.org/about
uld be better default. Do you
have plans for that, to set the default trust model to "tofu" or
"tofu+pgp"?
Teemu Likonen [2019-02-17 08:23:38+02] wrote:
> I have made two utilities to help my usage of gpg. [...]
> gpg-tofu
> gpg-graph
I moved these utilities to a new combined repository:
https://github.com/tlikonen/gpg-utilities
There is also a new tool gpg-cert-path which find the
d displays human readable TOFU
statistics. An example:
$ gpg-tofu tliko...@iki.fi
4E1055DC84E9DFF613D78557719D69D324539450
[ultimate] Teemu Likonen
TOFU validity: (4/4) a lot of history for trust, TOFU policy: good
428 signatures in 1 year 252 days, first: 2017-06-09 11:28:16, last:
201
gpg --fingerprint 599C62A291810408
osure.
Secret keys are in directory ~/.gnupg/private-keys-v1.d and each master
key and subkey is in a separate file named by the key's keygrip (see
"gpg -K --with-keygrip").
mall so I will attach it to
this message. Hopefully it will come through. It is written completely
by me and I place it in the public domain so anybody is free to do
anything they wish with it.
#!/bin/bash
# Author: Teemu Likonen
# PGP: 4E1055DC84E9DFF613D78557719D69D324539450
# This program
rately with TOFU or web of trust model and assign
ownertrust.
ing S/MIME messages?
I tried
"gpg.conf-2.1".)
2.0.20 .
The feature is not documented in 2.1.18. Is it documented in newer
versions?
on to select your old signing (sub)key.
nd "clean". To make it automatic for all
import operations you can use options in gpg.conf file:
import-options import-clean
keyserver-options import-clean
I like clean export too, so:
import-options import-clean
export-options export-clean
keyserver-options import-cl
see that to get my
> key down to a reasonable size.
Not quite related but... I tend to think that on client side it would be
good idea to "clean" by default. (I like to do that.)
keyserver-options import-clean,export-clean
vate-keys-v1.d directory for secret keyring but 2.1 automatically
converts the old secring.gpg to the new format.
-tofu-info --with-colons KEY | \
awk -F: '$1 == "tfs" {print $5}'
To me this is looking very much like a bug. I'm using GnuPG
2.1.18-8~deb9u1 (Debian 9).
Teemu Likonen [2017-10-05 20:17:51+03] wrote:
> Werner Koch [2017-10-05 09:00:18+02] wrote:
>> I have exactly the same problem but I do it anwyat - there is not
>> much we can do about it. The default timeout for such lookups are 2
>> seconds. You can lower thi
dirmngr.conf.
Thanks. That helps noticeably. And yes, I use auto-key-retrieve anyway.
It's a nice feature. I have sometimes persuaded people to upload their
key to the server pool.
he
message and in the end my email client (Gnus) says:
[[PGP Signed Part:No public key for B47D162E09E21476 created at
2017-10-04T11:13:25+0300 using RSA]]
:-)
Sqlite like the example line above and:
sqlite> vacuum;
https://www.sqlite.org/lang_vacuum.html
Neal H. Walfield [2017-06-23 11:14:31+02] wrote:
> At Thu, 22 Jun 2017 20:32:48 +0300, Teemu Likonen wrote:
>> Then let's say I have a key which has been used to verify hundred or
>> so signatures. In --status-fd's TOFU_STATS it gets higher
>> value, say 4. Then the k
Teemu Likonen [2017-06-22 09:42:50+03] wrote:
> Does the SUMMARY field's value (0-4) have effect on how key's validity
> is calculated or how TOFU conflicts are resolved or presented to a
> user?
I didn't get answers yet but I'll speculate a bit on the subject. This
is all about &qu
ingerprints of _all_ keys
that got their ownertrust updated.
thing as SUMMARY in TOFU_STATS. Am I right?
And here's my question again: Does the SUMMARY field's value (0-4) have
effect on how key's validity is calculated or how TOFU conflicts are
resolved or presented to a user?
t control of the key. Back then I didn't think of
the semantics of revsig that much but it seemed the right thing to do.
ignatures back.
I tried your key and got the same results.
ong key id in other places.
I'm guessing that there are different code paths internally: In the
first example the trust level is calculated from web of trust (own key,
ultimate trust). In the second example there's also tofu trust model
involved because it shows statistics for verifying an
Matthias Apitz [2017-06-13 12:51:01+02] wrote:
> $ gpg2 --edit-key sk_61F1ECB625C9A6C3.gpg
Command --edit-key edits a key in your keyring. I'd guess that you want
to import keys:
gpg2 --import sk_61F1ECB625C9A6C3.gpg
Then you can edit them with --edit-key.
n the card so you
edit the card with "gpg2 --card-edit" and then change card's password(s)
with "admin" > "passwd".
its dependency solver interactively. It
suggests different solutions. Choose the one that suggests loading
all necessary packages from the experimental repository.
tually
handy. Using them doesn't cause pain in any part of my body.
https://www.nitrokey.com/
https://www.yubico.com/
threats is useful or even extremely important but
here's another point of view. Perhaps it can be just "I'm interested in
security technology and want to study smart cards. Thus, I'll buy one
and learn how it works. Maybe it will turn out useful or even
necessary."
g> key N
> gpg> change-usage
>
> and follow the prompt.
Interesting. It seems that the feature is not documented. I tested
version 2.1.18 in Debian testing and neither the man page nor
--edit-key's "help" command tells anything about the feature.
if you switch from "trust-model direct" to
> "trust-model tofu+pgp", then your previous assignments of "trust" will
> transform into indications of "ownertrust".
That has been my assumption. Thanks for verifying.
y "trust-model
tofu+pgp" (trust on first use plus web of trust). It seems useful too.
Nitrokey Pro² and they work fine. Software packages scdaemon and pcscd
(libccid 1.4.20) are needed but otherwise the keys work out-of-the-box
in Debian GNU/Linux 8 (Jessie).
1. https://www.yubico.com/products/yubikey-hardware/
2. https://shop.nitrokey.com/shop
Lou Wynn [2016-12-09 23:11:18-08] wrote:
> ~/.gnupg/pubring.kbx
> The public keyring using a different format. This file is shared with
> gpgsm. You should backup this file.
Indeed. I recently verified someones S/MIME message. Man page of
gpgsm(1) 2.0.26 says:
pubring.kbx
This a
--keyring ~/.gnupg/pubring.kbx --list-keys
gpg: [don't know]: invalid packet (ctb=00)
gpg: keydb_search_first failed: Invalid packet
nder what is the status
of official backport. There's a Debian bug report about that:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822974
Quote 2016-10-06:
It'll happen soon, i promise :)
--dkg
nual work is probably
necessary anyway at the first upgrade.
Peter Lebbing [2016-11-24 16:04:42+01] wrote:
> On 24/11/16 15:27, Teemu Likonen wrote:
>> Unfortunately I have GnuPG 2.0.26 (as packaged in Debian 8). Can it be
>> told to export ssh public keys?
>
> I think 2.0 also supported:
>
> $ ssh-add -L
>
> to list all
Keys with authentication capability can be used with ssh, and GnuPG
2.1's command --export-ssh-key will export the ssh public key. Right?
Unfortunately I have GnuPG 2.0.26 (as packaged in Debian 8). Can it be
told to export ssh public keys?
tofu policy to trust: auto=marginal,
good=fully, unknown=unknown, bad=never. But why use different names? Why
not use the same names for tofu policy and trust?
matically. The related
configuration variables have changed quite recently but check these:
password-cache
password-cache-expiry
mml2015-cache-passphrase
mml2015-passphrase-cache-expiry
mml-secure-cache-passphrase
mml-secure-passphrase-cache-expiry
characters. See the
fontspec package for more info: <http://ctan.org/pkg/fontspec>. They
should be included in any Texlive distribution.