Re: In case you use OpenPGP on a smartphone ...

2020-08-20 Thread Werner Koch via Gnupg-users
On Thu, 20 Aug 2020 00:36, Johan Wevers said: > You mean like the conspiracy myth that the NSA was eavesdropping on > everyone, whether they were allowed to or not? Yes, that was not > supported by facts (before the Snowden revelations) so it must have been There have been technical facts around

Re: gpg-agent support for GNUPGHOME and systemd

2020-08-20 Thread Werner Koch via Gnupg-users
Hi! On Wed, 19 Aug 2020 23:19, Ben Fiedler said: > % gpgconf --dry-run --create-socketdir > gpgconf: socketdir is '/run/user/1000/gnupg/d.6oynbz4mc38pz8n5gyedka7a' > gpgconf: non-default homedir > > This is pretty unexpected to me, why is this the case? And is there a > way to mitigate this

Re: Accidentally deleted ~/.gnupg/pubring.gpg

2020-08-17 Thread Werner Koch via Gnupg-users
On Sun, 16 Aug 2020 04:33, renws said: > And I don't have any backup of my public key, so I would like to know > whether it's possible to decrypt my files (I've still got > ~/.gnupg/private-keys-v1.d, which I think stores my private key?). If you just want to decrypt your files, you can do this:

Re: WKD - .onion redirects mapping

2020-08-04 Thread Werner Koch via Gnupg-users
On Mon, 27 Jul 2020 15:01, Phil Pennock said: > My understanding is that for .onion hostname services they already have > security equivalent to TLS providing privacy in their direct links onto Yes, privacy. But that is just a welcome side-effect. What we need is that the domain is

Re: WKD question

2020-08-04 Thread Werner Koch via Gnupg-users
On Sun, 2 Aug 2020 07:38, Dmitry Alexandrov said: > I dunno why @w...@gnupg.org did that, but whatever his reasons were, the > fact that he was _able_ to do that, is exactly the key reason why I have a post-it on my CA laptop to add a signing subkey to my new key, I should really do that soon.

Re: "skipped: Unusable public key"

2020-07-28 Thread Werner Koch via Gnupg-users
On Mon, 27 Jul 2020 15:52, Ayoub Misherghi said: > ayoub@vboxpwfl:~/testdir$ gpg -r sentry -e textfile > > gpg: sentry: skipped: Unusable public key > gpg: textfile: encryption failed: Unusable public key There is no key with a user id "sentry" which has a key capable of encryption ([E]). I

Re: question regarding using gpg to verify a file from a .sign file

2020-07-27 Thread Werner Koch via Gnupg-users
On Fri, 24 Jul 2020 19:30, Semih Ozlem said: > when I run the command > > gpg --verify SHAxSUM.sign SHAxSUM > > I get the following message > > gpgv: unknown type of key resource 'trustedkeys.kbx' As you can see by the error message ("gpgv:...") you invoked the gpgv tool and not the gpg tool as

Re: Why is there no secret key?

2020-07-27 Thread Werner Koch via Gnupg-users
On Sun, 26 Jul 2020 13:25, Ayoub Misherghi said: > I am not asked for pass phrase. Right; that is because: > # Lines uncommented in $HOME/.gnupg/gpg-agent.conf > log-file $HOME/gpg-log.txt > # The same thing happens when I comment this line out > allow-loopback-pinentry > > batch of the "batch"

Re: Passphrase Pop up

2020-07-27 Thread Werner Koch via Gnupg-users
On Mon, 27 Jul 2020 02:41, Dmitry Alexandrov said: > GnuPG version 3 does not exist yet. The stable release is 2.2.21. The OP probably meant Gpg4win 3.1.12 which is our Windows installer featuring GnuPG 2.2.21, Kleopatra, and our Outlook plugin. Shalom-Salam, Werner -- Die Gedanken sind

Re: Newbie question.

2020-07-27 Thread Werner Koch via Gnupg-users
On Sun, 26 Jul 2020 12:59, Ayoub Misherghi said: > The moderators on this list (I do not know who they are) have been > tyrannically excluding some of my posts; I am not bitter or resentful. I This mailing list is not moderated and thus your posts are not excluded by any moderator. The only

Re: Is this supposed to happen?

2020-07-17 Thread Werner Koch via Gnupg-users
On Fri, 17 Jul 2020 09:17, Ayoub Misherghi said: > Is this supposed to happen? Yes. As almost all Unix tools, gpg defaults to take input from stdin and writes output to stdout. Because you did not use --armor the output is binary and messes up your tty. The reason why you already get some output

Re: Detached signature file.

2020-07-17 Thread Werner Koch via Gnupg-users
On Thu, 16 Jul 2020 20:52, Ayoub Misherghi said: > Is it possible to add content to a detached signature file? You may add other detached signatures (for the same file) by simply concatenating them. See the attached script for an example. In case you meant whether you can add meta data, see the

Re: Multiple UIDs or multiple master keys?

2020-07-15 Thread Werner Koch via Gnupg-users
On Wed, 15 Jul 2020 11:03, Ingo Klöcker said: > But it will create problems for people who want to send you encrypted > messages > because there's no way for them to know which of the encryption subkeys to > use. You may work around this by making sure that the non-personal encryption BTW, I

Re: Accidentally deleted ~/.gnupg/pubring.gpg

2020-07-12 Thread Werner Koch via Gnupg-users
On Sat, 11 Jul 2020 13:33, MFPA said: > If the OP just wants to decrypt previously encrypted data, wouldn't > the options --try-secret-key or --try-all-secrets work in this > situation? Yes, I think this should work. Have not looked into it, though. Salam-Shalom, Werner -- Die

[Announce] GnuPG 2.2.21 released

2020-07-09 Thread Werner Koch via Gnupg-users
more of these three keys: rsa2048 2011-01-12 [expires: 2021-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG

Re: Decryption stalling after SIGINT

2020-07-09 Thread Werner Koch via Gnupg-users
On Tue, 7 Jul 2020 18:05, Andrew Pennebaker said: > I am seeing some strange behavior with gpg --decrypt . I had to > lookup a password recently, and so naturally pressed Control+C to cancel > the prompt. However, when gpg terminated, it did not fully cleanup the This will terminate gpg and thus

Re: Accidentally deleted ~/.gnupg/pubring.gpg

2020-07-09 Thread Werner Koch via Gnupg-users
On Tue, 7 Jul 2020 22:22, Stefan Claas said: > Mmmhhh, I was under the impression when he still has the secret key that > he exports his secret-key (makes a back-up, just in case) re-imports The gpg-agent does not store the OpenPGP secret keyblock. In fact that is only created when you run a

Re: gpg: keyserver refresh failed: No keyserver available

2020-07-07 Thread Werner Koch via Gnupg-users
On Mon, 6 Jul 2020 09:11, Jerry said: > gpg2 --refresh-keys > gpg: enabled debug flags: memstat > gpg: refreshing 168 keys from hkp://pool.sks-keyservers.net > gpg: keyserver refresh failed: No keyserver available Please add in the error case always the --verbose option which may yield more

Re: Accidentally deleted ~/.gnupg/pubring.gpg

2020-07-07 Thread Werner Koch via Gnupg-users
On Mon, 6 Jul 2020 09:58, renws said: > Thanks for your reply. However I've never uploaded the public key to > any keyservers, is it possible to recover the public key from the > private key (I still have ~/.gnupg/private-keys-v1.d)? If you really can't find a backup of the public key you can

[Announce] Libgcrypt 1.8.6 released

2020-07-06 Thread Werner Koch via Gnupg-users
12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2020-10-30] Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06 NIIBE Yutaka (GnuPG Release Key) rsa3072 2017-03-17 [expires: 2027-03-15] K

Re: decrypt aes256 encrypted file without gpg-agent

2020-06-30 Thread Werner Koch via Gnupg-users
On Tue, 30 Jun 2020 00:55, Johan Wevers said: >> Do not use 1.4 unless you have to decrypt old non-MDC protected data or >> data encrypted to a legacy v3 key. > > Do not break backwards compatibility if you want all people to upgrade. Do not update so that the bad guys can exploit your legacy

Re: decrypt aes256 encrypted file without gpg-agent

2020-06-29 Thread Werner Koch via Gnupg-users
On Mon, 29 Jun 2020 13:07, vedaal said: > otherwise , just use GnuPG 1.4.x , and unless you ever need an Do not use 1.4 unless you have to decrypt old non-MDC protected data or data encrypted to a legacy v3 key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein

Re: decrypt aes256 encrypted file without gpg-agent

2020-06-29 Thread Werner Koch via Gnupg-users
On Sun, 28 Jun 2020 16:24, Robert J. Hansen said: > GnuPG sees the symmetrically encrypted message and knows it needs to > recover/derive a key. It calls gpg-agent, which in turn calls pinentry. In addition gpg-agent also takes care of caching passphrases which makes even symmetrically

Re: decrypt aes256 encrypted file without gpg-agent

2020-06-28 Thread Werner Koch via Gnupg-users
On Fri, 26 Jun 2020 09:33, Fourhundred Thecat said: > How can I decrypt it without using gpg agent ? You can't; the agent is a cornerstone of gpg and is thus required. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: GnuPG for Windows and key management files.

2020-06-22 Thread Werner Koch via Gnupg-users
On Fri, 19 Jun 2020 13:43, Илья Пирогов said: > I am interested in the question of where to find the files > pubring.gpg, secring.gpg and randseed.bin in GnuPG for Windows. Those files are not anymore used (see the other replies). However to figure out GnuPG's home directory you use the command

Re: Bug? Vulnerability? gpgme_op_verify_result() can be made to return a list of zero signatures

2020-06-15 Thread Werner Koch via Gnupg-users
Hi! On Mon, 15 Jun 2020 12:36, Justin Steven said: > GPG_ERR_NO_ERROR but for gpgme_op_verify_result() to return a list of zero > signatures. This feels like an erroneous condition to me, and with libgpgme We already explained that this is a requirement for OpenPGP because OpenPGP allows to

On using --debug flags (was: gpg generate key is not finishing)

2020-06-09 Thread Werner Koch via Gnupg-users
On Tue, 9 Jun 2020 09:47, Bernhard Reiter said: > GNUPGHOME=~/dot-gnupg-test2/ gpg -vvv --debug-all --quick-generate-key Pretty please do not use --debug-all. It is better to use dedicated debug flags to get useful logs and avoid leaking secrets. All GnuPG components support symbolic debug

Re: Standalone signature (0x02) ?

2020-06-08 Thread Werner Koch via Gnupg-users
On Fri, 5 Jun 2020 14:14, Denis BEURIVE said: > *Is it possible to generate this kind of signature with GPG ?* No. > *What is this signature used for ?* I can't remember. I am pretty sure this has been discussed in the WG back in 1998 or so. If you are really interested you could dive into

Re: gpg generate key is not finishing

2020-06-03 Thread Werner Koch via Gnupg-users
On Tue, 2 Jun 2020 13:59, Williams, Chad L said: > [cid:image002.jpg@01D638BC.16B954A0] [Which is a screenshot of the curses pinentry waiting for input.] If you want the volunteers here to help you, it is important that you write a proper bug report. This includes telling us the version of

Re: gpgAnon, draft 20150

2020-06-02 Thread Werner Koch via Gnupg-users
On Fri, 29 May 2020 15:39, LisToFacTor said: > vaguely as "group policies". Other than that, the only substantial > change is the replacement of pgp 2.6.3ia-multi06 with gpg 1.4.10 You should not propose the use of 1.4 for any other use than decrypting old data. In particular not in a guide

Re: gpg generate key is not finishing

2020-06-02 Thread Werner Koch via Gnupg-users
On Sat, 30 May 2020 14:51, Williams, Chad L said: > Attempting to generate a key on Solaris 10 server using the below command > > gpg --full-generate-key --pinentry-mode=loopback Do not use loopback unless you know what you are doing. Adding --verbose should give you some insight what goes

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-06-02 Thread Werner Koch via Gnupg-users
On Sun, 31 May 2020 12:35, Patrick Brunschwig said: > Let's first define Standard users. The majority of users who use > smartcards that *I* know are expert or power users. They can handle this. I have a different experience here and we are actually promoting the use of smartcards because they

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-06-02 Thread Werner Koch via Gnupg-users
On Sun, 31 May 2020 11:10, David Flory said: > How does one identify a v3 key? By trying to import it with gpg; you should get a hint that v3 keys are not anymore supported. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-06-02 Thread Werner Koch via Gnupg-users
On Fri, 29 May 2020 14:43, karel-v_g--- said: > But it's a pity that Thunderbird developed its own solution because of > licensing issues while we have a proven working solution with GnuPG... For the records: There is no licensing issue; it is just a Mozilla policy issue not to use or depend on

Re: libgcrypt: random source via library on Linux?

2020-06-02 Thread Werner Koch via Gnupg-users
On Fri, 29 May 2020 17:54, Steffen Nurpmeso said: > Looking at the source it seems libgcrypt knows about the Linux > getrandom systemcall. Yet it does not seem to know about glibc's > getrandom library function. Which was not available back then when I implemented support for getrandom.

Re: Certified OpenPGP-encryption after release of Thunderbird 78

2020-05-29 Thread Werner Koch via Gnupg-users
On Tue, 26 May 2020 12:27, karel-v_g--- said: > Because of this I have been using a combination of Thunderbird, > Enigmail and Gpg4Win, as the latter one is certified by German BSI. Well, it is not certified but approved to handle data at the EU RESTRICTED level (BSI-VSA-10400 and 10412). There

Re: libgcrypt: random source via library on Linux?

2020-05-29 Thread Werner Koch via Gnupg-users
On Thu, 28 May 2020 14:43, Steffen Nurpmeso said: > ./configure \ > --prefix=/usr \ > --disable-padlock-support \ > --enable-static=yes > make > make DESTDIR=$PKG install That is pretty standard except for the --disable-padlock-support - why do you use this?

Re: libgcrypt: random source via library on Linux?

2020-05-28 Thread Werner Koch via Gnupg-users
On Tue, 26 May 2020 15:35, Steffen Nurpmeso said: > Fatal: no entropy gathering module detected Which version of libgcrypt is that and what build options were used? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: Comparison of RSA vs elliptical keys

2020-05-26 Thread Werner Koch via Gnupg-users
On Fri, 22 May 2020 15:08, MFPA said: > How would it be used only with ECC keys? The MUA doesn't know the > flavour of key/subkey. For sure the MUA knows your own key. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: keys require a user-id

2020-05-22 Thread Werner Koch via Gnupg-users
On Wed, 20 May 2020 15:16, Mark said: > It must be... With all the talk of "anonymous" keys I wanted to see if I > could create one with Kleopatra, especially since it says optional for > name. The name should indeed be optional; If that has not been fixed in the latest version, please file a bug.

Re: keys require a user-id

2020-05-22 Thread Werner Koch via Gnupg-users
On Wed, 20 May 2020 19:11, Stefan Claas said: > Curious as I am, did Mr Schönbohm never asked you why your public > keyblock is not signed by Governikus? I don't know a Mr. Schönbohm. I know Governikus and recently noticed that their software does not even support the recommended set of

Re: Comparison of RSA vs elliptical keys

2020-05-22 Thread Werner Koch via Gnupg-users
On Wed, 20 May 2020 18:06, MFPA said: > Does (or will) --include-key-block have an argument that can be set to > tell it to only include ECC keyblocks, or to set a maximum keyblock No, it is better to let the caller (e.g. the MUA) pass this option than to have it in a config file. (I initially

Re: FW: gpg-agent connection errors

2020-05-22 Thread Werner Koch via Gnupg-users
On Fri, 22 May 2020 03:18, Ángel said: > how this AF_UNIX socket is actually implemented on Gpg4win (as a named > pipe, perhaps?), but your issues might be related to having it on a It is a regular file with a nonce and a port. The server listens on localhost:THATPORT for connections and checks

Re: keys require a user-id

2020-05-20 Thread Werner Koch via Gnupg-users
On Tue, 19 May 2020 10:29, Robert J. Hansen said: > * PII-free UIDs are possible today Well, according to European law this is not that easy because a public key is in most cases an attribute which identifies a natural person. This is the same as with phone numbers and mail addresses. In

Re: keys require a user-id

2020-05-18 Thread Werner Koch via Gnupg-users
On Mon, 18 May 2020 12:16, Robert J. Hansen said: > Centralized key management schemes are sometimes very useful. I fully agree and I personally know that this is a common use case. However, people requiring such a use case do not talk in the public about their specific infrastructure and are

Re: Help setting gpgsm to do LDAP lookup

2020-05-18 Thread Werner Koch via Gnupg-users
On Sat, 16 May 2020 23:24, John Scott said: > Looking up recipients with both dirmngr-client and > gpgsm --verbose --list-external-keys [recipient] > are fruitless whether I drop the ads\ from my username or not. I've bumped > the > ldaptimeout to 25. Still both commands finish

Re: Comparison of RSA vs elliptical keys

2020-05-18 Thread Werner Koch via Gnupg-users
On Sun, 17 May 2020 04:33, Ángel said: > In both cases, most of the signature space is taken by a hashed > subpacket of type 38. This value is not assigned, but looking at You are using --include-key-block; this is intended to be used by MUAs to send the encryption key along with a signature to

Re: keys require a user-id

2020-05-18 Thread Werner Koch via Gnupg-users
On Sun, 17 May 2020 10:48, Vincent Breitmoser said: > 1. Without consent, we don't distribute email addresses. And by that changing the distributed system of keyservers into a centralized key database like PGP tried this with their Universal Server. Which unavoidably will change OpenPGP to a

Re: keys require a user-id

2020-05-15 Thread Werner Koch via Gnupg-users
On Fri, 15 May 2020 14:35, Ingo Klöcker said: > UIDs. No UID -> invalid key. Why do you want to be able to import a key in > GnuPG that would be utterly unusable? FWIW, the expiration time of a key is also bound to the user-id as well as key preferences and all kind of other possible gadgets.

keys require a user-id (was: Comparison of RSA vs elliptical keys)

2020-05-15 Thread Werner Koch via Gnupg-users
On Thu, 14 May 2020 23:01, Stefan Claas said: > you would consider including it in GnuPG too and reflecting it in the > respective RFC? The User-IDs are an integral part of OpenPGP and at the core of its design. All kind of important information is bound to the user ids and thus a key w/o a

Re: Comparison of RSA vs elliptical keys

2020-05-14 Thread Werner Koch via Gnupg-users
On Wed, 13 May 2020 15:09, Stefan Claas said: > defaults to cv25519... (and does not need to generate a UID for privacy > reasons, simply fantastic!) And willfully violating the standard. Not requiring a user id was a bug in PGP 2 and fixed more than 25 years ago with PGP 2.6.3in.

Re: Comparison of RSA vs elliptical keys

2020-05-14 Thread Werner Koch via Gnupg-users
On Wed, 13 May 2020 10:54, Damien Goutte-Gattat said: > Not yet. Officially, only the NIST P-256, P-384, and P-521 curves are > part of the standard (since RFC 6637). The first mention of Curve RFC-6637 allows for arbitrary curves because curves are specified using an ASN.1 OID. So for example

Re: gpg-agent connection errors

2020-05-06 Thread Werner Koch via Gnupg-users
On Tue, 5 May 2020 12:09, Kent A. Larsen said: > needed). Does gpg-agent auto-terminate after a certain period of > inactivity? No. Further, gpg-agent and all other background processes are always started on demand. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein

Re: Error running auto-key-locate wkd in Windows 10

2020-03-27 Thread Werner Koch via Gnupg-users
On Thu, 26 Mar 2020 17:55, gus said: > gpg: error retrieving 'torbrow...@torproject.org' via WKD: Ricevuto > un > messaggio di avviso fatale > gpg: error reading key: Ricevuto un messaggio di avviso fatale That is: "Fatal alert message received" which comes from the TLS layer. To see the

Re: WKS server problems

2020-03-23 Thread Werner Koch via Gnupg-users
On Mon, 23 Mar 2020 10:16, john doe said: > Thank you Werner, I wrapped the above as an one liner: This is even easier. $ mkdir -p /etc/gcrypt && echo only-urandom>/etc/gcrypt/random.conf The '#' lines are merely comments to show which other options are available. Shalom-Salam, Werner

Re: WKS server problems

2020-03-22 Thread Werner Koch via Gnupg-users
On Sun, 22 Mar 2020 12:36, Andrew Gallagher said: > On 22/03/2020 05:38, john doe wrote: >> Do you have enough entropy on the VM? > > Argh, thank you. I thought I had enough entropy because monkeysphere > created its trust root without issue, but installing haveged did fix the > problem. You

[Announce] GnuPG 2.2.20 released

2020-03-20 Thread Werner Koch via Gnupg-users
the long term keys of their respective owners. Current releases are signed by one or more of these three keys: rsa2048 2011-01-12 [expires: 2021-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2020-10-30]

Re: keys.openpgp.org not working on CentOS 7

2020-03-20 Thread Werner Koch via Gnupg-users
On Fri, 20 Mar 2020 14:22, Andrew Gallagher said: > Even for keys with verified user-ids? I have no idea because I do not have such a key. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

Re: keys.openpgp.org not working on CentOS 7

2020-03-20 Thread Werner Koch via Gnupg-users
On Fri, 20 Mar 2020 11:35, Andrew Gallagher said: > CentOS 7* uses gnupg v2.022, and it appears to be unusable with Hagrid. > Does anyone know what's going on here? GnuPG 2.0.22 was released in fall 2013(!), has since then received 8 updates and reached end-of-life at the end of 2017. The question

Re: How to use reprepro (or anything really) over ssh?

2020-03-11 Thread Werner Koch via Gnupg-users
On Wed, 11 Mar 2020 10:07, Andrew Gallagher said: > The evidence would suggest that pinentry-gnome3 v1.1.0-2 on Debian > blindly uses `:0` no matter what parameters are passed. Oh pinentry-gnome - it is intertwined with the gnome-keyring stuff and does all kind of surprising things. Indeed, the

Re: ed448 support in gpg?

2020-03-11 Thread Werner Koch via Gnupg-users
On Wed, 11 Mar 2020 13:30, Jonathan Cross said: > How will older clients deal with a certification signature from this > unrecognized algorithm? They won't use them and print a '?' with --check-sigs. > Yes, I intend to do this with the subkeys (Curve25519) > Only the primary (certification key)

Re: How to use reprepro (or anything really) over ssh?

2020-03-11 Thread Werner Koch via Gnupg-users
On Tue, 10 Mar 2020 15:59, Andrew Gallagher said: > reprepro uses gpgme, so it doesn't support `pinentry-mode loopback` (it > crashes if I try). And since I am normally logged in to my home machine, GPGME supports pinentry modes since 1.4.0 (release early 2013): 7.4.7 Pinentry Mode

Re: ed448 support in gpg?

2020-03-11 Thread Werner Koch via Gnupg-users
On Tue, 10 Mar 2020 20:30, Jonathan Cross said: > Is ed448 available / in development? Will be part of 2.3. However, even then I do not suggest to create such a key because the majority of deployed software won't be able to use it. If you care about the security of your key use a smartcard.

Re: gpg --import-options import-drop-uids not available?

2020-03-04 Thread Werner Koch via Gnupg-users
Hi! if you look at the commit gpg: New options import-drop-uids and export-drop-uids. [...] These options are required for experiments with changes to the keyserver infrastructure. you can see that they are used for experiments and part of the master branch. It is unlikely

Re: Help me on this

2020-03-03 Thread Werner Koch via Gnupg-users
On Mon, 2 Mar 2020 12:59, Phil Pennock said: > On Unix, it's done with "pinentry", I don't know Windows so don't know > the details there. But hopefully this provides enough to point you in On Windows we can't make it 100% sure that the Pinentry pops up above the other windows. In some cases

Re: Encrypted GPG files

2020-02-21 Thread Werner Koch via Gnupg-users
Hi! Thanks for your analysis; I have one additional comment: On Thu, 20 Feb 2020 23:28, Ángel said: > I suspect that the problem may not actually be the packet format, but > something else presented by the same client that is choosing new format > (e.g. it could be choosing IDEA as cipher).

Re: Building GnuPG for QNX 7

2020-02-20 Thread Werner Koch via Gnupg-users
On Tue, 18 Feb 2020 20:19, Eric Linner said: > update files and decrypt them on the target system. However, I'm > having trouble building GnuPG for QNX 7. My development environment is > Windows 10 and the target is x86 running 64-bit QNX 7. QNX supposedly > has some support for cross compiling

Re: swdb.lst problem

2020-02-10 Thread Werner Koch via Gnupg-users
On Sun, 9 Feb 2020 16:44, murphy said: > Also when I try to download swdb.lst directly it fails with: The certificate for version.gnupg.org expired. Actually it was renewed but due to a certificate update problem with another rarely used domain, pound was not restarted. I just fixed this all.

Re: Message Padding for GnuPG

2020-01-22 Thread Werner Koch via Gnupg-users
On Tue, 21 Jan 2020 23:02, Stefan Claas said: > because 'gpg --list-packets' shows the original byte size of the unencrypted > message or file, including the original filename. --list-packets can't show the original filename because that info is encrypted. Note that --list-packets decrypts if

setrlimit failure on aarch64 (was: Interesting failure on aarch64)

2020-01-20 Thread Werner Koch via Gnupg-users
On Fri, 20 Dec 2019 11:22, Konstantin Ryabitsev said: > On x86_64 this succeeds, but when I tried building on aarch64, that step [...] > gpg: Fatal: can't disable core dumps: Operation not permitted setrlimit returns an unexpected error code: if (getrlimit (RLIMIT_CORE, ))

Re: Automatic encryption to several recipients

2020-01-13 Thread Werner Koch via Gnupg-users
On Mon, 13 Jan 2020 08:16, mailing list said: > Something like > encrypt-to KEY1 > encrypt-to KEY2 > encrypt-to KEY3 Right. It works the same as --recipient and thus the argument to the option is the specification of a single key. Please use the fingerprint to specify the key. Using the keyid

Re: GnuPG website docs

2020-01-13 Thread Werner Koch via Gnupg-users
On Fri, 10 Jan 2020 10:48, David Eisner said: > 1. I think there should be a notice near the top of > https://gnupg.org/documentation/howtos.html that says something like this: > "The mini HOWTO is out-of date and documents an older version of GnuPG. For > more up-to-date documentation, please

Re: Changes in GnuPG

2020-01-09 Thread Werner Koch via Gnupg-users
On Thu, 9 Jan 2020 13:01, Mark said: > Thanks for the explanation of the new public key format. If I understand > it correctly, the old system was like a flat file and this new one is > more like an indexed database that allows faster lookups. Right. The keybox format includes meta data so that

Re: Re-sign subkey binding with changed digest?

2020-01-09 Thread Werner Koch via Gnupg-users
On Wed, 8 Jan 2020 21:37, Andrew Gallagher said: > Have you tried changing the subkey expiry? Or does that reuse the same hash? That is what I would also suggest. The expire sub-command is useful for all such things. It should always use the current default digest algorithms. Regarding the

Re: Syncing GnuPG data between computers

2020-01-02 Thread Werner Koch via Gnupg-users
On Tue, 31 Dec 2019 15:46, Steve McKown said: > The GnuPG configuration files are simple enough, but the database files > are another story I imagine. We have always used a platform independent on-disk format for all files. Thus copying the files between different platforms is no problem at all.

Re: Automatically generating subkey revocation certificates

2019-12-27 Thread Werner Koch via Gnupg-users
On Thu, 26 Dec 2019 23:04, Dirk-Willem van Gulik said: > But this does not seem to happen when doing a --quick-add-key > subkey. Is this intentional ? Or is there a flag one can set ? Right. If you want to revoke a subkey we can assume that you still have access to the primary key and thus it

Re: Best way to get fingerprint programatically

2019-12-19 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 11:51, john doe said: > By any chance, could something like the following be implemented?: > > $ gpg -K --print-fingerprint-only test I doubt that this helps because the only way to get a single result is to use the fingerprint for . Thus a second info item would be required

Re: "--refresh-keys" not working.

2019-12-19 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 09:51, Gerard E. Seibert said: > gpg: mpi too large (28876 bits) > gpg: read_block: read error: Invalid packet One of the keys you imported is corrupt and thus rejected. The debug flags don't help here, it would be better to enable --verbose so that you can see which key was

Re: Best way to get fingerprint programatically

2019-12-18 Thread Werner Koch via Gnupg-users
On Wed, 18 Dec 2019 08:19, john doe said: > In other words, why '--quick-set-expire' requires a fingerprint and does > not accept a . Only the fingerprint is a unique identifier for the keyblock (aka certificate, public key). Allowing a User-id would require extra code in gpg and by the caller

Re: gpg-agent relocation error

2019-12-12 Thread Werner Koch via Gnupg-users
On Wed, 11 Dec 2019 23:24, Johan Wevers said: >> libassuan.so.0 is linked to libassuan.so.0.8.3. > > That's quite an ancient version, current version is 2.5.3. My first Nope. Assuming this is a standard Linux distro, this is the latest version. The name of the library includes the *SO version*

[Announce] GnuPG 2.2.19 released

2019-12-07 Thread Werner Koch via Gnupg-users
tampered by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys: rsa2048 2011-01-12 [expires: 2019-12-31] Key fingerprint = D869

Re: Moving sigs from Wins machine to FreeBSD

2019-12-05 Thread Werner Koch via Gnupg-users
On Thu, 5 Dec 2019 16:02, Jerry said: > So Werner, if I am understanding you correctly, I can just copy the > C:\Users\gerar\AppData\Roaming\gnupg files over to the ~/.gnupg > directory and it will work. Sounds good. Thanks! Right. If you are deeply worried about security you may want to

Re: Moving sigs from Wins machine to FreeBSD

2019-12-05 Thread Werner Koch via Gnupg-users
On Thu, 5 Dec 2019 14:10, Jerry said: > I have gpg4win installed on a Win 10 machine. I just installed > FreeBSD onto a new PC. I installed GNUPG 2.2.18 and would like to move > all of the signatures over to it from the Windows machine. Is that > possible and how would be the best way to go about

Re: multiple recipients encryption and decryption in gpgsm

2019-11-28 Thread Werner Koch via Gnupg-users
On Thu, 28 Nov 2019 10:57, Yves T said: > 1. is B able to decrypt the file if he has not the secret key from A Yes. As long as the secret key (aka private key) is available Quick test: $ fortune | gpgsm -ev -r 0xE297583E -r 0xCA89261C >/tmp/testenc The first -r is for s/n 1A02 and

[Announce] GnuPG 2.2.18 released

2019-11-25 Thread Werner Koch via Gnupg-users
es: 2019-12-31] Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6 Werner Koch (dist sig) rsa2048 2014-10-29 [expires: 2019-12-31] Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959 David Shaw (GnuPG Release Signing Key) rsa2048 2014-10-29 [expires: 2

Re: gpg-agent, pinentry and Emacs

2019-11-25 Thread Werner Koch via Gnupg-users
On Mon, 25 Nov 2019 08:44, Werner Koch said: > Thanks. I don't see that INSIDE_EMACS is propagated and I can duplicate My fault. We pass the envvars to pinentry using setenv in an atfork handler. Thus we do not see them in the Assuan log. I added some logging so that we can now

Re: gpg-agent, pinentry and Emacs

2019-11-24 Thread Werner Koch via Gnupg-users
On Sat, 16 Nov 2019 18:22, Ralph Seichter said: > ipc". I added the latter, and the resulting log file is available via > https://seichter.de/aegi6bee9eShu/gpg-agent.log . Note that I killed Thanks. I don't see that INSIDE_EMACS is propagated and I can duplicate that problem here. I will look

Re: gpg-agent, pinentry and Emacs

2019-11-15 Thread Werner Koch via Gnupg-users
On Fri, 15 Nov 2019 21:45, Ralph Seichter said: > gpg-agent[27187]: failed to read the secret key > gpg-agent[27187]: command 'PKDECRYPT' failed: Timeout You forgot to _add_ debug-pinentry debug ipc verbose to gpg-agent.conf. (The "debug ipc" is helpful because it shows what gpg is

Re: gpg-agent, pinentry and Emacs

2019-11-14 Thread Werner Koch via Gnupg-users
On Thu, 14 Nov 2019 19:54, Ralph Seichter said: > $ cat /tmp/pinentry-wrapper.log > INSIDE_EMACS is '' Pinentry considers that it is not run from Emacs and thus it does not forward requests to Emacs but uses the standard pinentry (or should return an error for pinentry-emacs). INSIDE_EMACS

Re: gpg-agent, pinentry and Emacs

2019-11-14 Thread Werner Koch via Gnupg-users
On Wed, 13 Nov 2019 17:58, Ralph Seichter said: > I use the same GnuPG version, but the Emacs variable setting you > suggested makes no difference for me. That's Emacs version 26.3, > which I should have mentioned earlier. Yet another regression in Emacs? I am still cursing over 26. Fortunately

Re: gpg-agent SSH agent returned incorrect signature type

2019-11-05 Thread Werner Koch via Gnupg-users
On Tue, 5 Nov 2019 17:49, Sebastian Wiesinger said: > debug3: sign_and_send_pubkey: signing using rsa-sha2-512 AFAICS that method is not supported. We support "ssh-rsa" and "ssh-rsa-cert-...@openssh.com" but not this method. However, I do not have the debug out of gpg-agent so I can't tell

Re: encrypt file in batch mode

2019-11-05 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 18:10, Tony Lane said: > was made with the unix philosophy in mind. Perhaps it would've been > better to write the gpg-agent as a shared library to be called by the > core instead. Well, we're probably too far down the rabbit hole The process boundary has security

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 11:40, Robert J. Hansen said: > requirements. This could be as simple as, "we prohibit the use of 3DES, > but OpenPGP lists it as a MUST algorithm". It is even less technical; see my other mail. FWIW, GnuPG knows all allowed algorithms for the VS-NfD use case and can be

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 12:39, Art Silva said: > What do they approve for securing data of higher security classifications? There is a public list at: Salam-Shalom, Werner --

Re: BSI withdraws approval of GnuPG (revisited after 3 month)

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 08:58, karel-v_g--- said: > In a message to this list on August 8th Werner Koch said he is > permanent contact with BSI and the reason for the withdrawal is in the > OpenPGP part of GnuPG. Once again no further details were > provided. [4] We received a new app

Re: encrypt file in batch mode

2019-11-04 Thread Werner Koch via Gnupg-users
On Mon, 4 Nov 2019 16:49, Fourhundred Thecat said: > Yes, that is exactly the problem. Why should simple operations require > gpg agent ? The manual has a chapter on the architecture, please read it to understand the design goals and how it was implemented nearly 20 years ago. > Imagine the

Re: encrypt file in batch mode

2019-11-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Nov 2019 08:31, Fourhundred Thecat said: > $ gpg --list-secret-keys > gpg: can't connect to the agent: No such file or directory > gpg: failed to start agent '/usr/bin/gpg-agent': No such file or directory Your system is not properly installed. It is missing the gpg-agent which is a

Re: How to decrypt a message while preserving the signature?

2019-11-04 Thread Werner Koch via Gnupg-users
On Sun, 3 Nov 2019 10:15, Peter Lebbing said: >> --unwrap is not documented and has the minor problem that it also keeps the >> compression layer. However, gpgv groks that compression layer and works I'll document it for future releases. Salam-Shalom, Werner -- Die Gedanken sind frei.

Re: gpg-agent only checks for smartcard not for local keys

2019-11-04 Thread Werner Koch via Gnupg-users
On Sat, 2 Nov 2019 12:20, Horst Skatmus said: > I do not understand how the gpg-agent determines where to look for the > private key (disk or smartcard) and where this is configured. I can switch > off the scdaemon via --disable-scdaemon but this has no effect. At the time you use ssh-add

Re: Question about symmetric AES cipher in GnuPG

2019-11-01 Thread Werner Koch via Gnupg-users
On Wed, 30 Oct 2019 17:19, Brian Minton said: > My guess is, the gpg one also is doing MDC, so you'd have to add the > equivalent HMAC code to openssl, but that's just a complete guess. The OpenPGP MDC is a SHA-1 hash appended to the plaintext and then encrypted along with the data. The usual
