Re: keys require a user-id

2020-05-15 Thread Wiktor Kwapisiewicz via Gnupg-users
On 15.05.2020 16:43, Andrew Gallagher wrote: > The inputs to the WoT are the signatures and the ownertrust values, and > the outputs are UID validities. "Key validity" is neither an input nor a > meaningful output of the system. Key validity directly influences the "WARNING: This key is not

Re: keys require a user-id

2020-05-15 Thread Wiktor Kwapisiewicz via Gnupg-users
On 15.05.2020 15:21, Andrew Gallagher wrote: > Ownertrust is per-key, but validity is per-UID. Andrew there are two validity values: $ gpg --edit-key andrewg pub rsa4096/FB73E21AF1163937 created: 2013-07-02 expires: 2021-01-07 usage: SCA --> trust: unknown validity: marginal

Re: keys require a user-id

2020-05-15 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Ingo, On 15.05.2020 14:35, Ingo Klöcker wrote: > Because in GnuPG the validity of keys is bound to validity and owner trust of > UIDs. No UID -> invalid key. Why do you want to be able to import a key in > GnuPG that would be utterly unusable? AFAIK key validity and owner trust are per key

Re: Checking multiple smart cards before asking for one

2020-05-12 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Valentin, I believe this will work seamlessly in GnuPG 2.3. You can track this ticket: https://dev.gnupg.org/T4695 Kind regards, Wiktor -- https://metacode.biz/@wiktor

Re: monkeysign removal from bullseye

2020-03-22 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Andrew, On 22.03.2020 19:01, Andrew Gallagher wrote: Come back to me when there is a fully scriptable interface to gpg. Monkeysign abstracted away a *LOT* of that pain. Actually newer GnuPG already has a lot of interesting options. For key signing automation the most interesting one is

Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Christoph, There is one feature of smartcards that's hard to reproduce otherwise: once you pull the smartcard out of the port the attacker can't use it. If they steal your private keys they can do as they please with it (until you revoke keys and users refresh your key... that can take

Re: Different key pare for e-mail and signing code

2020-01-04 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi John, On 04.01.2020 09:53, john doe wrote: My goal is to sign code and sign/encrypt e-mail but I'm not sure what's the best way forward: - One key pair for e-mail (sign/encrypt) and another key pair for signing code - Finding a way to do what I want with only one key pair (multiple signing

Re: Partial/fragmented decryption keys

2019-12-09 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi, I recall from the early days of PGP that there was a way to create a corporate key, fragmented into a certain number of portions, which would require some quorum to be able to perform decryption. I pored over the GnuPG documentation but could not find an equivalent. Perhaps I'm just

Re: Slightly OT - mobile OpenPGP usage

2019-08-27 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Chris, On 27.08.2019 17:52, Chris Narkiewicz via Gnupg-users wrote: On 26/08/2019 19:47, Wiktor Kwapisiewicz via Gnupg-users wrote: If one sets URL field on the token then just plugging the token when OpenKeychain is opened is enough to get the key ready-to-use. Can you explain what kind

Re: Slightly OT - mobile OpenPGP usage

2019-08-26 Thread Wiktor Kwapisiewicz via Gnupg-users
On 26.08.2019 19:37, Andrew Gallagher wrote: Tangentially related - I've seen docs recommending having your portable keychain have a subkey for signing, and that keychain to lack the master secret key entirely ( and putting that one in an undisclosed secure location), with a different

Re: Storing custom signed data in the key

2019-08-17 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Tomasz, what would be the most "canonical" way to store arbitrary, signed data along the gpg key? And then: what is the programmatic way of extracting said data? (...) sig!3N KEYID 2019-08-17 User Example Signature notation: pub@signify=SIGNIFYKEY Does it make sense? Is it a

Re: "There's always light..........."

2019-08-16 Thread Wiktor Kwapisiewicz via Gnupg-users
On 16.08.2019 11:38, john doe wrote: A better comment would be the URL where to download your public key. Even better would be using "--sig-keyserver-url" to embed the URL in an appropriate packet. Details here: https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html

Re: revoke last valid user ID

2019-07-22 Thread Wiktor Kwapisiewicz via Gnupg-users
On 22.07.2019 19:28, ilf wrote: Is there a way to override this limitation? I'd try adding one dummy User ID, revoke the rest, then delete that dummy User ID before it gets sent to the keyserver. I guess you don't want to revoke the entire key... Kind regards, Wiktor

Re: Essay on PGP as it is used today

2019-07-22 Thread Wiktor Kwapisiewicz via Gnupg-users
On 22.07.2019 11:26, Procopius via Gnupg-users wrote: I searched and determined the author is unknown from what I could see. The author is Thomas H. Ptacek, here's contact info: https://news.ycombinator.com/user?id=tptacek FWIW he's known for criticizing crypto that he thinks is

Re: [Sks-devel] Fwd [from schleuder dev team]: Signature-flooded keys: current situation and mitigation

2019-07-19 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Andrew, On 18.07.2019 19:35, Andrew Gallagher wrote: A key owner can (preferably automatically) create a “self-identity” on her primary key consisting of a well-known string that contains no personal information. To avoid breaking legacy search-by-id systems this string should be unique

Re: WKD: Publishing a key for multiple user IDs

2019-07-16 Thread Wiktor Kwapisiewicz via Gnupg-users
On 16.07.2019 12:16, Werner Koch via Gnupg-users wrote: So if I have two email addresses/user IDs m...@my.org and m...@my.org associated with the same key, I cannot just export the key and publish it, right? I have to somehow publish two different ‘stripped’ public Sight. GnuPG handles this

Arch Linux impacted by new defaults in 2.2.17

2019-07-12 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, I just saw the following bug reported in Arch Linux repos: https://bugs.archlinux.org/task/63147 with the title "[gnupg] 2.2.17 release is broken by design and breaks pacman". It appears Arch's packages use Web of Trust for introducing new developers by adding 3 signatures out of 5

Re: WKD: mutt integration status (was: WKD documentation)

2019-07-10 Thread Wiktor Kwapisiewicz via Gnupg-users
On 10.07.2019 13:35, Bernhard Reiter wrote: On Wednesday 10 July 2019 10:53:17, Wiktor Kwapisiewicz via Gnupg-users wrote: If you convince Mutt community that WKD is a good idea I can prepare the patch for you. As I'm not on the mutt development channels, I'd prefer if someone else would do

Re: WKD: mutt integration status (was: WKD documentation)

2019-07-10 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Bernhard, On 10.07.2019 10:38, Bernhard Reiter wrote: On Tuesday 09 July 2019 20:51:41, Wiktor Kwapisiewicz via Gnupg-users wrote: Sure, take a look at the thread starting here: http://lists.mutt.org/pipermail/mutt-dev/Week-of-Mon-20180702/000157.html (The patch is not there but it's

Re: WKD: more organisations using it (Re: WKD documentation)

2019-07-10 Thread Wiktor Kwapisiewicz via Gnupg-users
On 10.07.2019 10:22, Bernhard Reiter wrote: You can also add Debian there and occrp.org (although the latter doesn't have policy file :(). do you have something that can be publicly referred to, or a contact person I could ask that they are fine being listed in the wiki? If you see the

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-09 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Bernhard, On 09.07.2019 16:47, Bernhard Reiter wrote: Once upon a time I mailed random PGP-using people asking if they'd consider setting it up and the feedback has been overwhelmingly positive. Cool, if you receive answer, please help us to keep the list of supporting organisations

Re: WKD documentation (Re: Testing WKD setup?)

2019-07-09 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Bernhard, On 09.07.2019 15:02, Bernhard Reiter wrote: Note that on Wiktor's page a few details are missing: * policy file is needed * directory listing strongly recommend to be off * minimum version of gpg that has --with-wkd (some versions don't). Policy file is checked during WKD

Re: SKS and GnuPG related issues and possible workarounds

2019-07-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 05.07.2019 11:26, Peter Lebbing wrote: PS: Before you blame archive.org: they respect robots exclusions and wishes from individual site owners. It was keybase.io which allowed it in the first place, although it may or may not have been a conscious decision on their part. To be honest I'd

Re: SKS and GnuPG related issues and possible workarounds

2019-07-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 03.07.2019 17:33, Stefan Claas via Gnupg-users wrote: Regarding my keybase presence, I can immediately close down my account and my data and the data from my followers is removed, cool eh? I did a small experiment and it seems that your data is permanently preserved in sigchains of all

Re: Your Thoughts

2019-07-03 Thread Wiktor Kwapisiewicz via Gnupg-users
On 03.07.2019 20:30, Alyssa Ross wrote: Oh, interesting. Thank you for showing this to me. I had it in my head that a "weak" signature would count as a marginal in the web of trust, but I suppose I was wrong about that. In that case, I agree that ask-cert-level doesn't make sense as a default.

Re: SKS and GnuPG related issues and possible workarounds

2019-07-03 Thread Wiktor Kwapisiewicz via Gnupg-users
On 03.07.2019 11:06, Robert J. Hansen wrote: Those two account for literally 99% of all use cases. The vast majority of OpenPGP is to verify package signatures; for the small fraction that use it for email, Enigmail is the most dominant choice, with GpgOL a close second. Yes. It seems distros

Re: distributing pubkeys: autocrypt, hagrid, WKD

2019-07-02 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Konstantin, On 02.07.2019 21:40, Konstantin Ryabitsev wrote: Most subkey changes that I am aware of are not due to people's old subkeys expiring, but because they add new ones for reasons like migrating between smartcard solutions or just being nerdy and picking a new ECC-based subkey.

Re: New keyserver at keys.openpgp.org - what's your take?

2019-07-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 01.07.2019 14:36, Andrew Gallagher wrote: OpenPGP already has the "keyserver" field which is rarely used. It is supposedly a hint to clients to tell them to prefer a particular keyserver, but it could also be used as a hint to the keyservers themselves, to tell them where the master copy of

Re: Your Thoughts

2019-07-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 01.07.2019 23:08, Juergen Bruckner via Gnupg-users wrote: Well that's not pretty "in the wild" but it's pretty new: The Austrian Parliament and some parts of the Austria Government have released a website [1] where the PGP-Keys of Members of the Parliament and other people in the government are

Re: Your Thoughts

2019-07-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 02.07.2019 00:58, Alyssa Ross wrote: For example, why isn't ask-cert-level a default? For an alternative view on ask-cert-level see also: https://debian-administration.org/users/dkg/weblog/98 I do agree that no two people use gpg in the same way. Kind regards, Wiktor --

Re: SKS Keyserver Network Under Attack

2019-07-02 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Alyssa, On 02.07.2019 00:43, Alyssa Ross wrote: The impression I got was that they're very optimistic about their ability to handle traffic to their server -- they were happy to have a distro make the switch, and will be changing the defaults in Enigmail and OpenKeychain very soon, as I

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-15 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Konstantin, On Fri Jun 14, 2019 at 11:19 AM Konstantin Ryabitsev wrote: > 1. implement the regular --send-key --recv-key api This is already implemented. > 2. when accepting a --send-key, check to make sure at least one of the > uid's matches an allow-list of identities (for example, from a

Re: New keyserver at keys.openpgp.org - what's your take?

2019-06-14 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Oscar, On 14.06.2019 10:12, Oscar Carlsson via Gnupg-users wrote: I'm generally curious on your opinions on the latest new keyserver, this time running a new software than the normal keyservers. It's definitely faster and more responsive. That was my personal pain point when interacting

Re: Adding notations with quick commands

2019-06-09 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Markus, On 09.06.2019 14:16, Markus Reichelt wrote: in a similar fashion to what --quick-* commands already do for other actions (e.g. --quick-add-uid). --set-notation maybe? Yes, but as far as I understand --set-notation is only a modifier that needs to be used with another command

Re: ProtonMail and Anonymity

2019-06-09 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Kirill, On 09.06.2019 08:57, Kirill Peskov wrote: It uses OpenPGP protocol, but quite a twisted way. And they're not OpenPGP-compliant, because they're not able to encrypt mails leaving their domain. What do you mean by that? There is an option to add OpenPGP key of a "foreign" contact

Adding notations with quick commands

2019-06-07 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, Is there a way to add notation to own key's User IDs with a quick command? I'm looking for an alternative to this set of actions: 1. gpg --edit-key $KEY 2. notation 3. x...@example.com=test 4. save in a similar fashion to what --quick-* commands already do for other actions (e.g.

Re: A question about WKD

2019-01-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 01.01.2019 13:19, Stefan Claas wrote: > Hi Wiktor and all, > > since my current WKD key is a temporary key i would like to know > for best practice the following: > > In a couple of days i will receive my Kanguru Defender 3000 USB stick > and then i will create a new key pair and put it on

Re: NIST 800-57 compatible unattended encryption?

2019-01-02 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, > On Wed, Jan 02, 2019 at 04:02:03PM +1100, gn...@raf.org wrote: >> For some dumb reason I think I was hoping that the RSA >> algorithm wasn't really used to encrypt all the data. I >> thought it was probably used to encrypt a per-file >> randomly-generated symmetric key which was then

Re: A question about WKD

2018-12-29 Thread Wiktor Kwapisiewicz via Gnupg-users
On 29.12.2018 20:50, Stefan Claas wrote: >> I did a small proof-of-concept checker for small deployments, that you may >> find >> useful: https://metacode.biz/openpgp/web-key-directory > That is very interesting! I checked Werner's, yours and my key. > > With yours everything is fine, with

Re: A question about WKD

2018-12-29 Thread Wiktor Kwapisiewicz via Gnupg-users
On 29.12.2018 15:48, Stefan Claas wrote: > Hi all, > > is it also possible to add manually more pub keys to WKD > or do i have to install WKS for that purpose? > > I ask, because in case i like to add more users to my > mail server. Just create more files in .well-known/openpgpkey/hu directory.

Re: A question about WKD

2018-12-27 Thread Wiktor Kwapisiewicz via Gnupg-users
On 26.12.2018 10:39, Stefan Claas wrote: > Hi all, > > hope you all had a nice Christmas! > > I have set up WKD on my VPS, in order to learn more about it and get now > the following error: > > gpg --encrypt -r s...@300baud.de OpenSSL.txt > gpg: error retrieving 's...@300baud.de' via WKD: Not

Re: Keyring management with multiple smart cards

2018-12-17 Thread Wiktor Kwapisiewicz via Gnupg-users
On 17.12.2018 03:28, Louis Opter wrote: > Where is the procedure to remove shadow files documented? I found this to be > confusing to do, hence why I favored different subkeys for different > smartcards. Uhm, this is kind of internal GnuPG details so I guess it's not documented anywhere. But

Re: Keyring management with multiple smart cards

2018-12-15 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Louis, I have a very similar setup. After working with several different options and encountering the same problems as you have (GPG does not encrypt to all encryption subkeys, not possible to have the same subkeys on different smartcards) I observed the following facts: 1. I use one

Re: Keyserver access changes in GnuPG

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
On 12.12.2018 22:35, Andrew Luke Nesbit wrote: > My subkeys expired on Monday, 10/12/2018. I've updated my subkeys with > a new expiration date (in one year). I'm considering NOT uploading the > new public keys to the keyservers. Rather, I will distribute them using > other channels, such as

Re: Setup encrypted email

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
On 12.12.2018 13:29, Nikos - FlexIT wrote: > Hello > > Can I setup encrypted emails completely free with gpg? I am using Microsoft > outlook 2016. > > Can you please inform me how I can do it? Hi Nicos, Check out Gpg4Win and one of its components: GpgOL - an add-in for Outlook:

Keyserver access changes in GnuPG

2018-12-12 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello all, I recently saw a message from one of Fedora's maintainers: > Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also > dropping keyserver support at Werner's suggestion since upstream plans to > disable that soon. Source:

Re: Smart cards

2018-12-11 Thread Wiktor Kwapisiewicz via Gnupg-users
On 11.12.2018 19:11, Damien Goutte-Gattat via Gnupg-users wrote: > On Tue, Dec 11, 2018 at 12:35:57PM +0100, Alessandro Vesely wrote: >> Is it possible to get OpenPGP functionality on one of those >> contactless cards? > > I know of at least one NFC-enabled OpenPGP card, the "Fidesmo > Card" [1].

Re: Garbled data in keyservers

2018-12-10 Thread Wiktor Kwapisiewicz via Gnupg-users
On 10.12.2018 17:32, Stefan Claas wrote: > Yes, it seems it would be a good start. However, if unwanted data can then be > still > submitted remains to be seen, because what if anonymous email services would > use > DKIM too? Well it depends on the implementation. In current keyserver model

Re: Garbled data in keyservers

2018-12-10 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi, I use an address I control, but the email was not even sent so I guess the error happened before the key hit the network. Kind regards, Wiktor On December 10, 2018 2:56:54 PM UTC, Damien Goutte-Gattat wrote: >On Mon, Dec 10, 2018 at 02:25:08PM +0100, Wiktor Kwapisiewicz

Re: Garbled data in keyservers

2018-12-10 Thread Wiktor Kwapisiewicz via Gnupg-users
On 09.12.2018 20:48, Stefan Claas wrote: > Mind you in the 90's PGP key servers accepted also email and Usenet > submissions, if i remember correctly. The keyword was then simply > the word "add" in the subject line of an email. > > That's an interesting

Re: Garbled data in keyservers

2018-12-09 Thread Wiktor Kwapisiewicz via Gnupg-users
On 09.12.2018 20:03, Stefan Claas wrote: > Too bad that Werner's WKD is not widely adopted from email > service providers... Just for the record but it is adopted by e-mail service providers that are interested in OpenPGP (like ProtonMail and Posteo.de, see https://wiki.gnupg.org/WKD). As for

Re: Garbled data in keyservers

2018-12-06 Thread Wiktor Kwapisiewicz via Gnupg-users
>> But that "little program" would have to download the entire dump and >> provide search feature itself, making it non-trivial for most users. > I don't think so... > > https://github.com/yakamok/keyserver-fs Yes: > WARNING: this may break easily and is intended for use only on linux >

Re: Garbled data in keyservers

2018-12-06 Thread Wiktor Kwapisiewicz via Gnupg-users
On 06.12.2018 10:24, Stefan Claas wrote: > As long as we have the option to add additional UID's to a key my > thinking was, after reading the links from Yegor, that one appends > arbitrary data to a key and provides a link, at some other place, to > that key, in the form of

Re: Garbled data in keyservers

2018-12-05 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Claudio, You may find these SKS issues relevant: https://bitbucket.org/skskeyserver/sks-keyserver/issues/41 https://bitbucket.org/skskeyserver/sks-keyserver/issues/57 https://bitbucket.org/skskeyserver/sks-keyserver/issues/60 I'm not able to comment on the specifics of search implementation

Re: WoT question - policy

2018-11-16 Thread Wiktor Kwapisiewicz via Gnupg-users
On 16.11.2018 00:40, Dirk Gottschalk via Gnupg-users wrote: > There's documentation about the trustdb. I read it a while ago, but not > entirely. You can also set the amount of needed signatures for the > trust calculations and so on. Then comes the trust deepness into play. > I also have to read

Re: WoT question - policy

2018-11-13 Thread Wiktor Kwapisiewicz via Gnupg-users
On 13.11.2018 17:54, Stefan Claas wrote: > Hi all, > > i thought about creating a key certification policy, for my key, > and like to know your opinions. > > > > I have read in the past several policies, but i like to avoid > id-card / online

Re: GPG on Android

2018-11-10 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi, > On Monday 5 November 2018 at 7:59:05 AM, in > , Wiktor > Kwapisiewicz via Gnupg-users wrote:- > > >>> Could a pincard be connected via micro USB? And >>> made to work? > > Or by NFC. For example, [0] > > [0] <https://www.grepular.com/An

Re: Support for RSA keys > 4096 bits

2018-11-06 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Nicolas, There is also this site that may be of interest: https://www.keylength.com/ As for your question, actually that was answered in GnuPG FAQ: https://www.gnupg.org/faq/gnupg-faq.html#default_rsa2048 Kind regards, Wiktor On 07.11.2018 07:53, Nicholas Papadonis wrote: > For those

Re: encrypt linux backup folder using gpg

2018-11-06 Thread Wiktor Kwapisiewicz via Gnupg-users
On 06.11.2018 10:42, Francesco Ariis wrote: > Hello Kaushal, > > On Tue, Nov 06, 2018 at 11:25:47AM +0530, Kaushal Shriyan wrote: >> I am using CentOS 7.5 Linux OS in my setup. I have compressed a folder >> using tar utility tar czvf backupfolder.tar.gz backupfolder. Is there a way >> to encrypt

Re: OpenPGP key verification + legal framework

2018-11-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 05.11.2018 21:37, Viktor wrote: >> Sending an encrypted e-mail additionally verifies that the user controls >> the key in question. > > But you can easily send email with any address in 'from' field. > It does not mean you really control this email address. Maybe there is a small

Re: OpenPGP key verification + legal framework

2018-11-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 05.11.2018 20:28, Viktor wrote: > > We use the rule, that userID should contain user's first and last name > exactly as in passport, and only one email - the same as used for login. > So we can verify it's really your email. Have you considered an alternative approach to email verification?

Re: OpenPGP key verification + legal framework

2018-11-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 05.11.2018 15:21, Viktor wrote: > Dear All, > > (...) > > I would be very interested to hear feedback, criticism and suggestions > on our project. And also to establish contacts with people interested in > cooperation. Looks interesting. But the language on the registration dialog [0] seems a

Re: GPG on Android

2018-11-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 03.11.2018 19:13, Juergen BRUCKNER wrote: > Hello Masha, > (...) > You need to install the additional Flipdog CryptoPlugin[3] on your > device, where you import and manage the keys. > You have to create the keys for example on a desktop computer and import > it to your android device and into

Re: GPG on Android

2018-11-05 Thread Wiktor Kwapisiewicz via Gnupg-users
On 04.11.2018 22:55, Roland wrote: > Hello list, > > I share the wish for encrypted email on Android, but I am afraid of > storing a secret key on my android phone. (theft, hacking, loss, etc) > > How do you feel about that? > > Could a pincard be connected via micro USB? And made to work?

Re: GPG on Android

2018-11-03 Thread Wiktor Kwapisiewicz via Gnupg-users
On 03.11.2018 17:04, Yagthara Aghhay-Boor wrote: > Hello Group, > > I'm very new to GPG and email encryption and looking for a app to use > gpg and signed email on my android devices. > Can you recommend me a email app to use with pgp on Android? Hi, I recommend using OpenKeychain [0] with

Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 02.11.2018 15:35, Dirk Gottschalk wrote: > I prefer GPG. And no, GPG does not lack timestamping, a timestamp is > included in every signature. Signature creation date is not the same as timestamping. As for why you may consider the problem of validating signatures made by revoked keys. Without

Re: Slightly OT - i need the proper wording for a signed document

2018-11-02 Thread Wiktor Kwapisiewicz via Gnupg-users
On 02.11.2018 10:53, Stefan Claas wrote: > Simply one can use a time stamping service, based on blockchain > technology. I can then time stamp the .pdf. and put also a > statement in the .pdf that the file is timestamped and don't must > worry in the future if one MITM would try (and why?) to

Re: Slightly OT - i need the proper wording for a signed document

2018-11-01 Thread Wiktor Kwapisiewicz via Gnupg-users
On 01.11.2018 11:19, stefan.cl...@posteo.de wrote: > And this is the problem i have since 1994/95... For me signatures > made with PGP / GnuPG have no weight, for several reasons, except > those made from Governikus and maybe CT Magazine signed keys. I, for one, like the OpenPGP's approach of

Re: --refresh-keys for WKD

2018-10-22 Thread Wiktor Kwapisiewicz via Gnupg-users
On 22.10.2018 17:40, Werner Koch wrote: > BTW, the recent GPA release uses the above command line when you give a > mail address in the Server->Retrieve_key dialog. Is there a small bug in recent GPA (0.10.0)? I looked up: "test-...@metacode.biz" and got "No keys were found" but when I clicked

Re: --refresh-keys for WKD

2018-10-22 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, > I recently experimented with key distribution via WKD. Is there an > equivalent to `--refresh-keys` for key servers? How do I fetch key > updates (signatures, revocations, ...) via WKD? If the key was fetched via WKD and it is expired it will be refreshed using WKD too (see:

Re: Question about specifics of --locate-key option

2018-10-15 Thread Wiktor Kwapisiewicz via Gnupg-users
Thank you Werner, "--debug lookup" output is a lot more verbose. The output is a lot different in both cases, in this case it detects MAIL: $ gpg --debug lookup --locate-key "" gpg: enabled debug flags: lookup gpg: DBG: keydb_search: 1 search descriptions: gpg: DBG: keydb_search 0: MAIL: ''

Re: Question about specifics of --locate-key option

2018-10-15 Thread Wiktor Kwapisiewicz via Gnupg-users
Oh, I forgot to mention that this is the commit adding "<" and ">" to Evolution: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/5d8b92c622f6927b253762ff9310479dd3ac627d And the commit message: > Enclose email addresses in brackets to ensure an exact > match, as per the gpg man

Question about specifics of --locate-key option

2018-10-15 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, I have a question about specifics of --locate-key option, that is how does it decide which lookup mechanism will additionally be called if a local key is not present. A little bit of context - I was checking how Evolution works with GnuPG and whether it would locate key through WKD if

Re: Decryption troubles

2018-10-11 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, There are two encryption keys as far as I can see (more complete key in attachment). Probably one of them was added but the secret key has been lost (during migration? I don't know). I've suggested checking which one works for them and revoking the other, and then publishing the key to

Re: Get notation value through --with-colons interface

2018-10-09 Thread Wiktor Kwapisiewicz via Gnupg-users
On 09.10.2018 15:08, Andre Heinecke wrote: > gpg --with-colons --list-options show-sig-subpackets=\"20,26\" \ > --list-sigs 6C8857E0D8E8F074 Wow, that was exactly what I needed! Thank you Andre! For the record, once I knew it I found some resources about the format:

Get notation value through --with-colons interface

2018-10-08 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, I'm wondering if there is a way to programmatically access notations on self-certifications? I see them through --list-options show-notations: gpg --list-options show-notations --list-sigs 6C8857E0D8E8F074 | grep notation but adding --with-colons to that command unfortunately filters

Re: Where to put "export-pka" output in DNS?

2018-10-03 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Kees, > I want to make use of PKA, I saw a few blogs [1] where they did this in > TXT DNS records. However, this seems to not work anymore. When I issue > `gpg2 --export-options export-pka --export $keyid` I get an output. But > it's unclear where I should put this output in DNS. A TXT record?

Re: [INTERNET] Re: converting gpg files into PEM and certification change confusion

2018-09-28 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Jen, On 27.09.2018 22:43, Mead, Jennifer wrote: > Hi Wiktor, > > On this page https://developers.yubico.com/yubikey-val/Installation.html > > Step 7 > You will need to place the private key in > /etc/ssl/private/api.example.com-key.pem and the certificate chain in >

Re: converting gpg files into PEM and certification change confusion

2018-09-27 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Jen, Could you provide links to the documentation that mentions the "certificate chain"? I went through these docs but didn't find the exact match: https://developers.yubico.com/yubikey-val/ https://developers.yubico.com/yubikey-ksm/ PEM format contains X.509 certificates, as used by TLS and

Re: Monitoring queries to gpg-agent?

2018-09-26 Thread Wiktor Kwapisiewicz via Gnupg-users
> This is reminding me of a message Werner wrote[1] last year that > pinentry will show some context of the reason it is prompting. So this > functionality might be in the works. I assume you are prompted by a > pinentry to push the button? I'm using a similar setup. Pinentry only appears when

Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

2018-09-24 Thread Wiktor Kwapisiewicz via Gnupg-users
On 24.09.2018 02:09, Andrew Luke Nesbit wrote: > This is using the contents of `~/.gnupg/private-keys-v1.d/` as an API. > If this is *not* part of the API, then what *is* the official > recommendation for generating subkeys? I'm not in a position to suggest "official" recommendations but one

Re: Subkeys

2018-09-04 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Roland, I don't know if you have some specific questions but the Debian wiki page about Subkeys is nice: https://wiki.debian.org/Subkeys tl;dr version is primary/subkey setup lets you have your primary key completely offline and use subkeys for daily work. If something bad happens to a subkey

Re: Gnupg-users Digest, Vol 180, Issue 3

2018-09-04 Thread Wiktor Kwapisiewicz via Gnupg-users
On 04.09.2018 10:29, Roland Siemons (P) wrote: > Remains: > How can I see what is on the smartcard? gpg --card-status > How can I copy files to the smartcard? You can't copy generic files, smartcard contains only private keys (gpg --edit-key X, keytocard) and a small amount of data objects (gpg

Re: Timestamping signed documents or detached signature files

2018-07-22 Thread Wiktor Kwapisiewicz via Gnupg-users
Thank you very much for the additional infos and links, i will read them all. Oh, I forgot to mention that timestamping using blockchains is actually very easy, for example I timestamped my key's fingerprint:

Re: Timestamping signed documents or detached signature files

2018-07-22 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Stefan, > Maybe you find this little info useful too, because i have not seen > this topic discussed here yet. I'm aware that there is or was an > old Timestamping Service in England available, but i thought > that the blockchain is cool. Yep, this is definitely cool. I don't know if you've

Re: Using gnupg to crypt credentials used by application to access a database server

2018-07-16 Thread Wiktor Kwapisiewicz via Gnupg-users
If you use a smartcard there is a hack in scdaemon which allows to work without a PIN. Another alternative to an unlocked smartcard would be to use the TPM as the key would be non-exportable and bound to just one machine. There was a series of patches to add TPM keys support but I don't know

Re: Verifying signatures with critical notations

2018-07-07 Thread Wiktor Kwapisiewicz via Gnupg-users
Is it possible? Yes. Please create a feature request at dev.gnupg.org The FR has been created: https://dev.gnupg.org/T4060 Thank you! Kind regards, Wiktor -- https://metacode.biz/@wiktor

Verifying signatures with critical notations

2018-07-04 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, Is it possible to verify a signature with critical notations that I recognize? I created the signature with: echo x | gpg --sign --sig-notation !t...@metacode.biz=node-1 > f.sig Now when I pass this file to gpgme_op_verify I get only summary GPGME_SIGSUM_RED and status

Re: Choice of ECC curve on usb token

2018-07-02 Thread Wiktor Kwapisiewicz via Gnupg-users
Hi Damien, I was referring to the discussion around RSA vs. ECC in https://crypto.stackexchange.com/questions/60392/choice-of-ecc-curve-on-usb-token/60394#60394 I read several texts of people preferring RSA over ECC. That's an excellent answer, thanks for posting this! I've come up with the

Re: gpg show default / effective options

2018-06-26 Thread Wiktor Kwapisiewicz via Gnupg-users
Wow, that is exactly what I needed. I will walk through them soon and report any problems directly to you. Thanks Werner! Kind regards, Wiktor On 26.06.2018 at 21:04, Werner Koch wrote: On Tue, 26 Jun 2018 12:31, gnupg-users@gnupg.org said: Is it possible to print default or effective

gpg show default / effective options

2018-06-26 Thread Wiktor Kwapisiewicz via Gnupg-users
Hello, Is it possible to print default or effective options used by GnuPG? I'm in the process of slimming down gpg.conf and see that many options are either redundant (because gpg uses them by default) or no-ops. I would like to see which options are used to safely remove obsolete settings.