Re: How do I flush a bad symmetric password from gpg-agent?
On Tue, 18 Aug 2009 20:28, do...@dougbarton.us said: Today I mis-typed a passphrase for a symmetrically encrypted file and was surprised to discover that gpg-agent had stored the bad passphrase and would not let me access the file. I have occasionally in the past This is a new and probably not too well tested feature. I'll check whey this is going wrong. Looking through the man page I don't see any way to flush the bad password from the agent. Killing and restarting works of course, but That is pretty easy: Give the gpg-agent a HUP (pkill -HUP gpg-agent) or better use gpgconf --reload gpg-agent which basically does the same. SIGHUP This signal flushes all cached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: quiet, verbose, debug, debug-all, debug-level, no-grab, pinentry-program, default-cache-ttl, max-cache-ttl, ignore-cache-for-signing, allow-mark-trusted and disable-scdaemon. scdaemon-program is also supported but due to the current implementation, which calls the scdaemon only once, it is not of much use unless you manually kill the scdaemon. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Practical Advice for those using AES256 cipher?
On Wed, 19 Aug 2009 15:28, kevhil...@gmail.com said: the article interesting (not sure if I understood a lot of the blog comments), is there any practical advice I should take away from it as it relates to GnuPG? Don't care about it. It is no threat to use AES 256 or AES 128. The remarkable gotcha is that the old wisdom that a longer key gives a stronger cipher is not necessarily true. I am sure others will start a new debate now what to do, but I consider such a debate more or less academic. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Help with decrypting gpg file
On Tue, 25 Aug 2009 23:17, jb...@infimark.com said: By the way, I did use your recommended command string and got the same result. I suspect there is some kind of option that is required so that gpg knows that the output file should be created as an archive type file. No. gpg does not know anything about the structure of the data to encrypt. It encrypts and later decrypts the data verbatim. So your problem must be somewhere else. The above is not 100% correct: gpg looks into the data to see whether it is a zip or bzip compressed file and in that case disables its own (OpenPGP specified) compression. That compression is also 100 % transparent to the data; this feature is only used to save a bit of processing time if data is already compressed. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Possible bug: addkey can create certifying subkey
On Mon, 31 Aug 2009 19:24, j...@jameshoward.us said: I am not sure if this is a bug, but given the documentation it is not the expected behavior. I created new keys this weekend, due to a lost USB drive. Replicating it here, if you specify --expert and create a RSA subkey with all the options off, it will create a subkey with all the options, including certification turned on. Here's a slightly That is perfectly okay. If you want to set the key flag for certification on a subkey, gpg allows you to do so. The OpenPGP standard does not restrict this. Note that despite a subkey carrying this flag, OpenPGP (and thus gpg) will always use the primary key for certification of user-ids and other subkeys (binding signatures) and for certifying other keys (key signatures). Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Possible bug: addkey can create certifying subkey
On Tue, 1 Sep 2009 20:57, ha...@hawkesnest.net said: I think it may still be a problem that attempting to turn off all the flags has the actual effect of turning them all on instead... That is per OpenPGP: Key flags are not required and thus lacking any key flags, we need to assume all capabilities. Of course it would be possible to add an empty list of key flags (in contrast to no list). IMHO this does not make any sense thus we don't create a key flags list at all if you reset all key flags. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Signing with a key on a smart card
On Wed, 2 Sep 2009 10:55, jerome.bl...@nerim.net said: anyone that could explain me how gpg chooses which secret key to use or how I could tell gpg which one to use ? Without an option, gpg uses the first available secret key for signing. This is usually not desired, thus you can use default-key in gpg.conf to select a different one. If you want to use another than the default key, you may give it on the command line with -u USERID. You may even give several -u options to sign the data with several keys. An OpenPGP keys consists of a primary key and optionally several subkeys. Gpg uses the latest subkey capable of signing to create a signature, if no such subkey is available, the primary key is used. This happens even if you speicify the keyid of a subkey. If you want to force the use of a specific signing subkey, you need use the ! suffix to the keyid. Example: pub 1024D/5B0358A2 created: 1999-03-15 expires: 2011-07-11 usage: SC sub 2048R/B604F148 created: 2004-03-21 expired: 2005-12-31 usage: E sub 2048R/C3680A6E created: 2006-01-01 expired: 2007-12-31 usage: E sub 1024D/3D52C282 created: 2007-12-31 expires: 2010-07-11 usage: S sub 2048R/F409CD54 created: 2007-12-31 expires: 2011-07-10 usage: E sub 2048R/12345678 created: 2009-06-30 expires: 2010-07-10 usage: S Using: -u 0x5B0358A2 == Subkey 0x12345678 is used. -u 0x12345678 == Subkey 0x12345678 is used. -u 0x3D52C282 == Subkey 0x12345678 is used. -u 0x3D52C282! == Subkey 0x3D52C282 is used. Due to the key expiration, this will chnage in one year to: -u 0x5B0358A2 == Primary key 0x5B0358A2 is used. -u 0x12345678 == Primary key 0x5B0358A2 is used. -u 0x3D52C282 == Primary key 0x5B0358A2 is used. -u 0x3D52C282! == Primary key 0x5B0358A2 is used. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 1.4.10 released
Hello! We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.10. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility, samrtcard support and is compliant with the OpenPGP Internet standard as described by RFC-4880 (the update of RFC-2440). Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build and also better portable. In contrast to GnuPG-2 (e.g version 2.0.12) it comes with no support for S/MIME or other tools useful for desktop environments. Fortunately you may install both versions alongside on the same system without any conflict. Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 1.4.10 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the mirrors you should find the following files in the *gnupg* directory: gnupg-1.4.10.tar.bz2 (3331k) gnupg-1.4.10.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-1.4.10.tar.gz (4636k) gnupg-1.4.10.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.4.9-1.4.10.diff.bz2 (189k) A patch file to upgrade a 1.4.9 GnuPG source. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: gnupg-w32cli-1.4.10.exe (1531k) gnupg-w32cli-1.4.10.exe.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. This is a command line only version; the source files are the same as given above. Note, that this is a minimal installer and unless you are just in need for the gpg binary, you are better off using the full featured installer at http://www.gpg4win.org . Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.10.tar.bz2 you would use this command: gpg --verify gnupg-1.4.10.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.10.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-1.4.10.tar.bz2 and check that the output matches the second line from the following list: fd1b6a5f3b2dd836b598a1123ac257b8f105615d gnupg-1.4.10.tar.bz2 0db579b2dc202213424f55243906b71228dd18d1 gnupg-1.4.10.tar.gz 4a6b9f8b15d9849307a90f2b35bde8fd2d111331 gnupg-1.4.9-1.4.10.diff.bz2 c4383992b4815311e523d2f12684d47b7a552fca gnupg-w32cli-1.4.10.exe What's New === * 2048 bit RSA keys are now generated by default. The default hash algorithm preferences has changed to prefer SHA-256 over SHA-1. 2048 bit DSA keys are now generated to use a 256 bit hash algorithm * Support v2 OpenPGP cards. * The algorithm to compute the SIG_ID status has been changed to match the one from 2.0.10. * Improved file locking. Implemented it for W32. * Fixed a memory leak which made imports of many keys very slow. * Many smaller bug fixes. * Support for the Camellia cipher (RFC-5581). * Support for HKP keyservers over SSL (HKPS). Internationalization GnuPG comes with support for 28 languages. Due to a lot of new and changed strings some translations are not entirely complete. The Chinese (Simple and
Re: 1.4.10rc1 and v2 OpenPGP cards/3072 bit keys
On Sun, 30 Aug 2009 18:07, ds...@gefira.pl said: However, I cannot decrypt a message encrypted with a 3072b key, also generated on-card. I'm 100% sure I'm entering a correct PIN but still I can confirm that. It seems there are actually two problems: One bug in gpg and afaics a bug in the card. I track the problem at https://bugs.g10code.com/gnupg/issue1114 Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] W32 build of GnuPG 1.4.10 is broken
Hi, GnuPG 1.4.10 has been announced yesterday, including a binary for Microsoft windows: gnupg-w32cli-1.4.10.exe (1531k) gnupg-w32cli-1.4.10.exe.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. This is a command line only version; the source files are the same as given above. Note, that this is a minimal installer and unless you are just in need for the gpg binary, you are better off using the full featured installer at http://www.gpg4win.org . c4383992b4815311e523d2f12684d47b7a552fca gnupg-w32cli-1.4.10.exe It has been reported that this build is proken. Output and input via the console prints weird characters and gpg may crash. We are investigating the problem now. The file has been removed from the main ftp server but it may still be available from mirror sites Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Changes in 1.4.10
On Thu, 3 Sep 2009 08:36, hide...@gmail.com said: Doesn't this (C) 2008 supposed to say (C) 2009? Good catch but too late for 1.4.10. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Updated W32 build of GnuPG 1.4.10
Hi, the broken binary build of GnuPG 1.4.10 for Microsoft Windows has been fixed. The new installer has a new file name and includes a small source patch to document the applied fix. It can be downloaded from ftp://ftp.gnupg.org/gcrypt/binary/ gnupg-w32cli-1.4.10a.exe (1539k) gnupg-w32cli-1.4.10a.exe.sig The SHA-1 checksum is: eecf2ef835b77f2400f05115c5752a11bc37ecfc gnupg-w32cli-1.4.10a.exe Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. pgpJhrF7E28O0.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GnuPG 2.0.13 released
On Fri, 4 Sep 2009 20:11, h...@online.no said: Both 32 and 64 bit pth is installed, and pointing configure to the libs using --with-pth-prefix=PFX doesn't help either. The devolpment package is missing; i.e. the file pth.h . Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: BZIP2
On Fri, 4 Sep 2009 21:21, bark...@gmail.com said: What is the reason for the Windows build of 1.4.10 (both the pulled and fixed binaries) not supporting BZIP2? I was not aware that bzip was in gnupg-w32cli-1.4.9 . It is all a matter of the build environment; i.e. if the the bzib2 library was installed for Windows. I am on vacation for the next two weeks so there is no chance that you get a new official package until then. Anyway, I strongly suggest to use gpg4win: If you just need gpg, you may download ftp://ftp.gpg4win.org/gpg4win/gpg4win-light-2.0.0.exe ftp://ftp.gpg4win.org/gpg4win/gpg4win-light-2.0.0.exe.sig and select only the GnuPG component. This installs GnuPG 2.0.12 with enough patches to enable the new OpenPGP cards. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Yet another 1.4.10 build for Windows
Hi, I had some spare time while waiting for the server of the German tax administration to return our monthly declaration. The result is another build for Windows. Yes, again with BZIP2 support. ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.10b.exe ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.10b.exe.sig b86624303f2e29ade92dcfae672fe75ba9df3931 gnupg-w32cli-1.4.10b.exe Hope this helps. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. pgpRSy4M69uv2.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.0.12 on Windows
On Thu, 3 Sep 2009 11:23, bre...@sanders.org said: When compiling 2.0.12 on Windows with MinGW/MSYS there was a compilation error on scd/ccid-driver.c because ETIMEDOUT doesn't exist on Windows. You need all the patches as available in gpg4win. Or use 2.0.13. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP 2.0 and Hushmail keys
On Thu, 10 Sep 2009 18:53, mcs...@hotmail.com said: I am battling to understand this as I thought generating a key pair on the openPGP card itself was as secure as can be as your private key ONLY exists on the card itself and is not available anywhere else (ie: on your hard drive for export). If you look at the exported key you posted with gpg --list-packets yopu will get the listing below. I added a few comments: :secret key packet: version 4, algo 1, created 1252600418, expires 0 skey[0]: [1024 bits] skey[1]: [17 bits] gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0 serial-number: d2 76 00 01 24 01 02 00 00 05 00 00 00 43 00 00 The primary secret key stub. The line gnu-divert-to-card indicates that this is stub key. As you can see there are only two parameters: skey[0] and skey[1] - this makes up the public parts of the key. There is nothing secret with them. For a real secret key (and not just a stub) you would see more parameters (i.e. the secret parameters). :user ID packet: s...@test.com (TEST 003) s...@test.com :signature packet: algo 1, keyid 446D3054095646C6 version 4, created 1252600418, md5len 0, sigclass 0x13 digest algo 2, begin of digest 4d 4e hashed subpkt 2 len 4 (sig created 2009-09-10) hashed subpkt 27 len 1 (key flags: 03) hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2) hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11) hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1) hashed subpkt 30 len 1 (features: 01) hashed subpkt 23 len 1 (key server preferences: 80) subpkt 16 len 8 (issuer key ID 446D3054095646C6) data: [1023 bits] :secret sub key packet: version 4, algo 1, created 1252600418, expires 0 skey[0]: [1024 bits] skey[1]: [17 bits] gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0 serial-number: d2 76 00 01 24 01 02 00 00 05 00 00 00 43 00 00 Same as with the primary key. :signature packet: algo 1, keyid 446D3054095646C6 version 4, created 1252600418, md5len 0, sigclass 0x18 digest algo 2, begin of digest a5 c8 hashed subpkt 2 len 4 (sig created 2009-09-10) hashed subpkt 27 len 1 (key flags: 20) subpkt 16 len 8 (issuer key ID 446D3054095646C6) data: [1014 bits] :secret sub key packet: version 4, algo 1, created 1252600418, expires 0 skey[0]: [1024 bits] skey[1]: [17 bits] gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0 serial-number: d2 76 00 01 24 01 02 00 00 05 00 00 00 43 00 00 Same as with the primary key. :signature packet: algo 1, keyid 446D3054095646C6 version 4, created 1252600418, md5len 0, sigclass 0x18 digest algo 2, begin of digest b9 15 hashed subpkt 2 len 4 (sig created 2009-09-10) hashed subpkt 27 len 1 (key flags: 0C) subpkt 16 len 8 (issuer key ID 446D3054095646C6) data: [1022 bits] Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Copy existing key to OpenPGP 2.0 card
On Thu, 10 Sep 2009 23:34, mcs...@hotmail.com said: What is the correct way to copy existing keys that exist onto an OpenPGP 2.0 card? I was trying this, is it correct: gpg --edit-key toggle keytocard select 1 key 1 keytocard select 2 q y Soemthing like this. You need to follow the prompts. If you don't know what to do at a certain prompt, use the default (i.e. hit Enter). Using a fixed list of commands does not work reliable. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Details of signature verification status-fd lines
On Tue, 22 Sep 2009 16:26, bmea...@ieee.org said: Just a quick question on the --status-fd output from a --verify operation: if EXPSIG, EXPKEYSIG, or REVKEYSIG are given, could VALIDSIG or GOODSIG also show up? In other words, are these just for It depends. EXPKEYSIG for example may come in addition to VALIDSIG. VALIDSIG is the modern version of GOODSIG. Except for the description in doc/DETAILS we don't have a more specific description (it is on our task list, though). The best way to see what you can expect is to look at the gpgme code. gpgme/src/verify.c computes the validity of signatures. Processing the NEWSIG status line is in general a good idea so that you don't mix the status lines given for different signatures. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Details of signature verification status-fd lines
On Tue, 22 Sep 2009 17:50, bmea...@ieee.org said: Thanks for the response. So EXPKEYSIG doesn't mean the key was expired when the signature was made, right? If that shows up along with It means that the key has expired by now. VALIDSIG, it's ok to trust the signature, correct? What about That is up to you. Usually you would show a message stating that the key used to create the message meanwhile expired. Whether you take the signature creation date into account and show a different message is up to you. If a signer wants to use an expired key for signing he may as well change the signature creation time. REVKEYSIG? If a key is revoked, is there an easy way to know if the signature was made prior to revocation, or would it be necessary to just compare the stamps on the signature and the revocation? There is no way becuase you don't know why the key was revoked. Sure the revocation signature allows to give a reason of revocation and you can take that in account, but if the key was compromised an attacker may also create a revocation with a different reasons (e.g. key superseded). You can't tell who did the revocation. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is it possible to have the same authentication key on several smartcard ?
On Wed, 23 Sep 2009 11:46, tux.tsn...@free.fr said: Is it possible to have the same authentication key on several smartcard ? Yes. You need to generate the key off-card and and then put it onto the card. Use gpg --edit-key and the subcommands genkey and keytocard for this. Is it possible to done an authentication key backup when it has been generated directly on a smartcard ? No. An on-card generated key can't be extracted from the card (except for the public part of course). Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: choosing an encryption target from a User ID
On Wed, 23 Sep 2009 15:34, d...@fifthhorseman.net said: OK; if i'm proposing one specific alternative, it would be: Please keep in mind that using a user ID is just to help the user in the most common case. Any proper mail tool won't accept such a solution but either presenr the user a list of matching keys and let him select a key or auto select the key based on such information. If possible you should use the fingerprint to select a key. Thus I consider this a wish for a future version. Feel free to add such a request to the bug tracker. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Details of signature verification status-fd lines
On Wed, 23 Sep 2009 16:16, bmea...@ieee.org said: By the way, are there any python or PHP bindings for GPGME? Yes, there are several of them and we should really compile a list of them or actually add them to the distribution. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: choosing an encryption target from a User ID
On Wed, 23 Sep 2009 19:04, d...@fifthhorseman.net said: Has this been made this clear to collaborating MUA/plugin developers? I think the auto select a key step for MUAs or plugins is often implemented as let gpg pick the key based on the user ID. I added PGP/MIME crypto to several MUA and as far as I can remember I always used the approach to listy all keys and then select the bext matching one. Mutt used this even before gpg; in recent code bases grep for crypt_getkeybyaddr. I have not looked at the enigmail code but I recall that the first PGP/MIME implementation for Mozilla (~2000) worked as I described. Unfortunately they refused this code. https://bugs.g10code.com/gnupg/issue1143 Thanks. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Two tidbits of potential interest
On Thu, 24 Sep 2009 21:13, marcio.barb...@gmail.com said: Is this a generic asymmetric premise? I mean: is it valid both to the (computational) Mathematics behind OpenPGP's and X.509's public keys' integers? Yes. All real world asymmetric algorithms are build on a hard so solve computional problem. Factoring is such a hard problem and the RSA algorithm is based on it. Another widely used hard problem is solving the discrete logarithm, the DSA and Elgamal algorithms are based on it. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to reset a smartcard ?
On Fri, 25 Sep 2009 10:33, tux.tsn...@free.fr said: No body has an idea to reset a smartcard as factory settings ? I think it is possible, but I don't know how to do that. If you have a version 2 card, this is possible. WARNING: Don't run the commands given below on version 1 cards - you will brick the card. 1. First you have to lock the PIN by decremeting the retry counters. I do it this way: $ gpg-connect-agent --hex scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 D[] 69 83 i. scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 82 i. OK scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 D[] 69 83 i. The status code 6983 says that the PIN is locked. I use a PIN of which is very likey invalid. 2. You terminate the card and activate it again: scd apdu 00 e6 00 00 D[] 90 00 .. OK scd apdu 00 44 00 00 D[] 90 00 .. OK bye OK closing connection Remove the card and insert it again. That's all. gpg --card-status shows a fresh card. To make things easier you may send the lines below as input to gpg-connect-agent (store them in a file and run gpg-connect-agent FILE). == /hex scd serialno scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 e6 00 00 scd apdu 00 44 00 00 /echo card has been reset to factory defaults = gpg-connect-agent has a complete scripting language, you may use it to write a more robust script with error checking etc. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Network Mounted Home Directory and removal of --passphrase option
On Fri, 18 Sep 2009 16:52, awing...@hotmail.com said: I am trying to upgrade to GPG2 and am having trouble, I think all stemming from the new user agent feature. My first question: is there a way to simply Well, it is available for 6 years and GnuPG 2.0 was released 3 years ago. Gpg-agent is not optional but a cornerstone of GnuPG-2. To let us help you fixing your installation, you should give us a bit more detailed information and exact error messages. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Two tidbits of potential interest
On Fri, 25 Sep 2009 19:22, marcio.barb...@gmail.com said: And as a conclusion, Elgamal problems would be harder to solve. Is it correct? No; it is not sure that the discrete logarithm problem is harder to solve that the factoring problem. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
On Sun, 27 Sep 2009 09:38, tux.tsn...@free.fr said: Just for information, I wanted to known why you don't propose a full backup of the three keys (Sign, encryption and authentication) when keys are generated on-card. Because only encryption key is backupted, a good idea will be perhaps to add also authentication key in the backup. A lost of a signing or authentication key is usually not that problematic. You can simply create a new one and use it from then on. If you don't have access to the decryption key anymore you won't be able to decrypt any of the data you decrypted in the past to that key. Thus some kind of recovery is in most cases very useful. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why a full keys and sub keys backup are not proposed when keys and sub keys are done on-card ?
On Sun, 27 Sep 2009 20:59, tux.tsn...@free.fr said: Thanks for your answer, I'm agree with you for sign key, but for the authentication key, if it's used to ssh server connection on more than 100 servers for the user root for example, if you lost this key, you It is always a tradeoff between security and convenience. Most users don't have access to that many machines and thus it is easier to use a console login to replace the lost key than to have a backup somewhere floating around. It is anyway only the default and you can just replace the authentication key with an on-disk created one. Or manually initialize the card using keytocard. Another approach is to have a second card and also install its public key on the servers. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP-Card2.0 and Omnikey Cardman 3021?
On Wed, 30 Sep 2009 13:51, talm...@orange.zero.jp said: Has anyone gotten the Omnikey Cardman 3021 to work with the internal drivers? That one does not work reliable with 2048 bit keys. The Windows driver seems to have a workaround for it and I tried to come up with a similar workaround. However the protocol analysis I did is not complete and we often get out of sync. Avoid Omnikey or ask them to explain how to correctly switch and operation in TPDU mode. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: SSH using OpenPGP card under Windows
On Mon, 5 Oct 2009 15:54, si...@josefsson.org said: There is a free smartcard-enabled Putty: http://www.joebar.ch/puttysc/ I had in mind to change putty to optionally support gpg-agent - much the same as we do under Unix. However I had not enough time to work on it. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: SSH using OpenPGP card under Windows
On Mon, 5 Oct 2009 15:54, si...@josefsson.org said: But it requires a PKCS#11 module -- I see on scute.org that it is possible to build for Windows, but are there any pre-compiled binaries available? Scute is part of gpg4win 2.0. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Testing the exit status
On Fri, 9 Oct 2009 13:47, david.g...@turpin-distribution.com said: Does GPG return different status codes when it exits? I'm specifically looking for different types of error, such as file not found, key not found, invalid passphrase etc. This would not be reliable. There are just too many stati to map them to exit codes. What you need to do is to use the status lines (--status-fd N) - or just go with gpgme. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Testing the exit status
On Mon, 12 Oct 2009 11:29, david.g...@turpin-distribution.com said: Can you tell me what the numeric arguments are for status-fd? That is the file descriptor obn which output should happen. Usualy you woul use --status-fd 2 to output to stderr; however how can use arbitrary file descriptors. I've downloaded the source for GPG and looked at the doc/DETAILS file but on Windows this is unreadable. Read it in an editor (e.g. notepad). As with all code we use Unix line endings (LF) and not Windows line endings (CR,LF). Also it seems as if gpgme is not available for Windows, is this correct? It is available for Windows. Simply install gpg4win (the light version is sufficient) and you find the gpgme dll in the install directory. libgpgme-11.dll is the native one, libgpgme-glib-11.dll is the one to use with GLIB based software and libgpgme-qt-11.dll the one to use with QT based software. Note that the file gpgme-w32spawn.exe must be in the same directory as the DLL. The header file is identical for Unix and Windows, a manual is online at http://gnupg.org/documentation/manuals.en.html . I'm running GPG from a C# application using the Process class. If I understand There is a C# wrapper for GPGME as well, please use a search machine to locate it. correctly then you are suggesting I use status-fd to redirect to a file and then open this to interrogate the results. No, you need to use pipes for that. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Testing the exit status
On Mon, 12 Oct 2009 17:46, david.g...@turpin-distribution.com said: Thanks for the info. I'm still not clear on how to use the argument status-fd 2 Writing to a file descriptor is basic technique on almost all systems. You may want to consult the APUE [1] to see how it works. I originally opened the file doc/DETAILS with notepad but it was quite unreadable. I have no problems to read it; see below Shalom-Salam, Werner [1] http://bookzilla.de/shop/action/productDetails/6878129/w_richard_stevens_stephen_a_rago_advanced_programming_in_the_unix_environment_0321525949.html#produktbeschreibung doc/DETAILs: -*- text -*- Format of colon listings First an example: $ gpg --fixed-list-mode --with-colons --list-keys \ --with-fingerprint --with-fingerprint w...@gnupg.org pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC: fpr:ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013: uid:fWerner Koch w...@g10code.com: uid:fWerner Koch w...@gnupg.org: sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:e: fpr:CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1: sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:esc: fpr:AB059359A3B81F410FCFF97F5CE086B5B5A18FF4: The double --with-fingerprint prints the fingerprint for the subkeys too. --fixed-list-mode is the modern listing way printing dates in seconds since Epoch and does not merge the first userID with the pub record; gpg2 does this by default and the option is a dummy. 1. Field: Type of record pub = public key crt = X.509 certificate crs = X.509 certificate and private key available sub = subkey (secondary key) sec = secret key ssb = secret subkey (secondary key) uid = user id (only field 10 is used). uat = user attribute (same as user id except for field 10). sig = signature rev = revocation signature fpr = fingerprint: (fingerprint is in field 10) pkd = public key data (special field format, see below) grp = reserved for gpgsm rvk = revocation key tru = trust database information spk = signature subpacket 2. Field: A letter describing the calculated validity. This is a single letter, but be prepared that additional information may follow in some future versions. (not used for secret keys) o = Unknown (this key is new to the system) i = The key is invalid (e.g. due to a missing self-signature) d = The key has been disabled (deprecated - use the 'D' in field 12 instead) r = The key has been revoked e = The key has expired - = Unknown validity (i.e. no value assigned) q = Undefined validity '-' and 'q' may safely be treated as the same value for most purposes n = The key is valid m = The key is marginal valid. f = The key is fully valid u = The key is ultimately valid. This often means that the secret key is available, but any key may be marked as ultimately valid. If the validity information is given for a UID or UAT record, it describes the validity calculated based on this user ID. If given for a key record it describes the best validity taken from the best rated user ID. For X.509 certificates a 'u' is used for a trusted root certificate (i.e. for the trust anchor) and an 'f' for all other valid certificates. 3. Field: length of key in bits. 4. Field: Algorithm: 1 = RSA 16 = Elgamal (encrypt only) 17 = DSA (sometimes called DH, sign only) 20 = Elgamal (sign and encrypt - don't use them!) (for other id's see include/cipher.h) 5. Field: KeyID 6. Field: Creation Date (in UTC). For UID and UAT records, this is the self-signature date. Note that the date is usally printed in seconds since epoch, however, we are migrating to an ISO 8601 format (e.g. 19660205T091500). This is currently only relevant for X.509. A simple way to detect the new format is to scan for the 'T'. 7. Field: Key or user ID/user attribute expiration date or empty if none. 8. Field: Used for serial number in crt records (used to be the Local-ID). For UID and UAT records, this is a hash of the user ID contents used to represent that exact user ID. For trust signatures, this is the trust depth seperated by the trust value by a space. 9. Field: Ownertrust (primary
Re: A lot of questions about CERT, PKA and make-dns-cert
On Fri, 16 Oct 2009 05:27, ds...@jabberwocky.com said: Even if the documentation was better (and I agree, it is poorly documented), I don't think CERT or PKA would be a very widely used FWIW: At least for PKA that is my fault. I once wrote a paper for it in German and presented it at the GUUG house conference. Unfortunately I had no time to pursue the PKA idea further or to translate the paper. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Creating self-signed S/MIME certificate
On Fri, 16 Oct 2009 23:58, f...@novell.com said: I'm working on implementing S/MIME support in my GMime library and need to create a set of keys for some unit tests. Is there any way I can create some self-signed S/MIME certificates with gpgsm? Sorry, no. You need to use some CA software for that. I wish I would have the time to write thecode to generate at least self-signed certificates. I use tinyca for setting up test PKIs. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent unknown value for WHAT
On Tue, 20 Oct 2009 16:41, david.sav...@paremus.com said: I'm attempting to generate a 4096bit RSA key using gnupg 2.0.12 and gpg-agent 2.0.11 but I'm getting an error message prior to entering That does not work. You have to update gpg-agent. The conflict is an attempt to minimize such dependencies in the future. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg and smartcard - recovery issues
On Tue, 27 Oct 2009 10:49, lis...@nebelschwaden.de said: Scenario 1: I remove the card and try to decrypt a file. Decrypting still works without a card being inserted and the password instead of the PIN. Ok, That is because you copied the key to the card and the on-disk key is still available. Use gpg --delete-secret-key KEYID to remove the secret parts of the key. The run gpg --card-status so that gpg can create a secret key stub which is required to manage the card. Note that the card only stores the real parts of the key but not the OpenPGP key info: the certificate/keyblob (i.e. user IDs and self-signatures). That is for size reasons. The upshot is that you need to safe the public parts of the key somewhere - the card references them using the fingerprint which is stored on the card. it to be recreated, insert the card and try to decrypt the file. Gnupg complains about no valid OpenPGP Data found (translated from german). Run LANG=C gpg to get English messages. Now, what is really most important to me and what I would like to know: What to do / how to use the card on a virgin system? Import the public key and run gpg --card-status once. The URL field of the card along with the --edit-card fetch command are pretty useful here. Scenario 2: Virgin System again, I create the key on the card with the backup key written to disk. Now I have some cryptical_name.gpg file. All I have is the cryptical_name.gpg on some rescued USB stick. Just, how do I get this key back on my card please? Import the public key and run gpg --edit-key KEYID the enter the command bkuptocard. Last question: Is there any way, to the copy the key on the card to the drive? Or do a backup after generation? The whole point of using a smartcard is that this it is not possible. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: tools to test reader's keypad with GnuPG smartcard V2 ?
On Mon, 19 Oct 2009 20:55, tux.tsn...@free.fr said: Could you tell me if you've a debug tools to test reader's keypad with a GnuPG smartcard V2 ? No I don't have any special tools. I debugged it by changing ccid-driver.c. On a higher level there is gpg-connect-agent: SCD SERIALNO OK SCD APDU 00 20 xx xx xx xx xx and so on. Note very helpful I guess. Fortunately the v2 cards have a factory reset feature, thus you won't be able to brick the card. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Create extra keyring
On Mon, 2 Nov 2009 22:30, m...@thorsten-alge.de said: problem is, i dont know how to create an use the keyring but i also couldnt find anything in the FAQ/Doc/manual or anywhere else. Can anybody help? Import all keys and then: gpg --export KEYID1 KEYID2 KEYID3 ... keyring As long as you don't use the --armor flag you may also append to a keyring, thus you can do something like: : keyring FOO | xargs gpg --export keyring with FOO being a program to generate keyids. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FSFE Fellower Card + LUKS on Startup
On Wed, 4 Nov 2009 15:28, r...@sixdemonbag.org said: It is likely not his fault. The last two times this has happened it's been because the GnuPG mailing list's server has run out of disk space. Exactly. The server gets wedged and begins to act out in this particular way. Mailman figures that it was not able to sent a message and retries it every hour. If Exim does not need to spool it, it sends it out to some sites but returns an error and Mailman does not know which messages have been delivered. Mailman then restarts from scratch the next hour. The deeper cause of this problem is that this Mailman does not log to the same partition as Exim and thus is not affexted by the disk full error. Right, I should do something about it. Unfortunately it always happens over the weekend or in the night. No 24/7 service for gnupg.org. Sorry, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FSFE Fellower Card + LUKS on Startup
On Tue, 3 Nov 2009 20:17, sn...@snope.org said: wiki: https://wiki.ubuntu.com/SmartCardLUKSDiskEncryption. However, in this HowTo, they use a MultiFlex Smartcard and load the key file on the card. In the startup process, the keyfile is read out and sent to LUKS. This step is really simple but how can this work with the gnupg smartcard? Our card has 4 simple PIN protected data fields which can be used for that. I think it is not fully documented how to access them. Here are some hints: If all 4 private DOs are set and you start gpg --card-edit, you will see Private DO 1 .: This is private DO 1 Private DO 2 .: This is private DO 2 After entering the command verify, entering your PIN followed by list you get: Private DO 1 .: This is private DO 1 Private DO 2 .: This is private DO 2 Private DO 3 .: This is private DO 3 After entering the command admin verify, entering your Admin PIN followed by list you get: Private DO 1 .: This is private DO 1 Private DO 2 .: This is private DO 2 Private DO 3 .: This is private DO 3 Private DO 4 .: This is private DO 4 Thus you can see that DO 1 and 2 are always readable; thus not usable for your application. DO3 is readabale after presenting the PIN and DO4 is reaabale after resentng the Admin PIN. Now let us change a DO: Command privatedo 1 Private DO data: Changed DO 1 You had to enter your PIN for that to work. With DO2 you need the Admin pin. Same goes for DO3 (PIN) and DO4 (Admin PIN). Thus for your application I suggest to use DO3. You may store up to 254 bytes there (some cards evenmore). You may also read data in from a file: Command privatedo 1 FILE To read this out and ask for a passphrase you need to write some code which runs gpg --command-fd N --with-colons --status-fd M --edit-card. An easier way to do this is to use gpg-agent or just scdaemon: $ gpg-connect-agent scd getattr PRIVATE-DO-1 S PRIVATE-DO-1 Changed+DO+1 OK If you would have asked for DO3 the Pinentry would have popped up and asked you for the PIN. With scdaemon you leave out the scd but you must be prepared to return the PIN on request (as reply to an INQUIRY line). I think it is not a problem to decrypt the key file in the startup process, isn't it!? Is it possible to access the card reader (omnikey 4040) and the smartcard via gpg from the initrd ram disk? Has anyone ever tried it in a I have not experience with initrd. Another option would be to wait a while and use the new g13 tool which is part of the new development branch of GnuPG. It is fully integrated into GnuPG and provides a platform independent replacement for LUKS. For now only Encfs is supported but the system is designed to support all kinds of backends (Even one on top of LUKS is possible). The advantage of G13 is that you use real public key cryptography and thus your actual private key never leaves the card - it is only used to encrypt the bulk encryption key(s). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-error.h possible(?) syntax error: #define GPG_ERR_SYSTEM_ERROR (1 15)
On Sun, 1 Nov 2009 11:04, hedgehogshia...@gmail.com said: It is not clear to me if this is an problem with gpg-error.h or swig. The same code with some context: typedef enum { GPG_ERR_NO_ERROR = 0, GPG_ERR_GENERAL = 1, [...] GPG_ERR_EOF = 16383, /* The following error codes are used to map system errors. */ #define GPG_ERR_SYSTEM_ERROR (1 15) GPG_ERR_E2BIG = GPG_ERR_SYSTEM_ERROR | 0, GPG_ERR_EACCES = GPG_ERR_SYSTEM_ERROR | 1, [...] /* This is one more than the largest allowed entry. */ GPG_ERR_CODE_DIM = 65536 } gpg_err_code_t; Swig seems to tumble over the #define preprocessor directive within a typedef for an enum. That is clearly a swig problem. To fix this you may run (a working) cpp over gpg-error.h and passing its output to swig. (cpp gpg-error.h gpg-error.i) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Finding key ID of a keypair
On Sun, 8 Nov 2009 17:19, d...@thinkmoult.com said: I've got myself a DSA keypair, just two files - one being the public key and the other being the private. I'm trying to find out the ID of that keypair. A mere gpg OURFILE will do Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: HELP - IMPORTANT - Signature check with libgpgme-11.dll
On Fri, 6 Nov 2009 13:51, p...@sevencs.com said: I need some help as soon as possible! If you in that urgent need for help you may want to check with a commercial support company or a freelancer. The GnuPG service directory at http://www.gnupg.org/service.html may be helpful. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Finding key ID of a keypair
On Mon, 9 Nov 2009 13:08, d...@thinkmoult.com said: localhost ~/.ssh # gpg myfile.key gpg: no valid OpenPGP data found. gpg: processing message failed: Unknown system error Probably not an OpenPGP key. You my try gpg --list-packets myfile.key to dump the packets, but this is unlikely to show something else than running just gpg on the file. Chech that the file is a proper OpePGP file and has been downloded correctly. Often FTP is not used coreclty and breaks binary files. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: problems with gnupg2 and passphrase
On Mon, 9 Nov 2009 12:53, jmcn...@fh-eberswalde.de said: I'm using GnuPG 2.0.12 (GPG4Win) and have problems in decrypting multiple files with the same passphrase via command prompt. My old GnuPG Version 1.x.x commad was gpg2.exe --allow-multiple-messages --passphrase geheim --decrypt-files C:\Test\*.gpg First of all you should not use --allow-multiple-messages: @item --allow-multiple-messages @item --no-allow-multiple-messages Allow processing of multiple OpenPGP messages contained in a single file or stream. Some programs that call GPG are not prepared to deal with multiple messages being processed together, so this option defaults to no. Note that versions of GPG prior to 1.4.7 always allowed multiple messages. Warning: Do not use this option unless you need it as a temporary workaround! The command doesn't work anymore and I'm getting a popup window for entering my passphrase. I'm looking for a command that decrypts multiple files with the same passphrase without any additional ask windows. I already searched the manual but didn't found any helpful gpg2 requires the gpg-agent to handle the secret keys. The gpg-agent also caches passphrases, thus you need to enter them only once. Install gpg-agent properly so that gpg2 does not fall back to start gpg-agent for each operation which prohibits the caching. If you don't want a puinentry popup at all, you may seen the gpg-agent cahce with passphrases. See gpg-preset-passphrase for more info: SYNOPSIS gpg-preset-passphrase [options] [command] keygrip DESCRIPTION The gpg-preset-passphrase is a utility to seed the internal cache of a running gpg-agent with passphrases. It is mainly useful for unattended machines, where the usual pinentry tool may not be used and the passphrases for the to be used keys are given at machine startup. Passphrases set with this utility don't expire unless the --forget option is used to explicitly clear them from the cache --- or gpg-agent is either restarted or reloaded (by sending a SIGHUP to it). It is necessary to allow this passphrase presetting by starting gpg-agent with the --allow-preset-passphrase. gpg-preset-passphrase is invoked this way: gpg-preset-passphrase [options] [command] keygrip keygrip is a 40 character string of hexadecimal characters identifying the key for which the passphrase should be set or cleared. This keygrip is listed along with the key when running the command: gpgsm --dump-secret-keys. One of the following command options must be given: --preset Preset a passphrase. This is what you usually will use. gpg-preset-passphrase will then read the passphrase from stdin. [...] Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: SmartCard...
On Wed, 18 Nov 2009 13:13, nils.faer...@kernelconcepts.de said: Errr... you need the OpenPGP smart card to us it with GnuPG as a key-storing smart card. This does not work just with any card ;) Actually the Belgian ID card will work with gpgsm and gpg-agent's Secure Shell support. The cards needs to have the extra certificates of course (iirc, they are optional but can be loaded to a plain id card). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Some questions regarding libgcrypt-config
Hi! On Sun, 29 Nov 2009 11:13:01 +0100, Werner Dittmann wrote: Message digest algorithms: crc md4 md5 rmd160 sha1 sha256 sha512 tiger whirlpool The names are actually those of the source files. Thus is it save to assume if SHA512 is avaliable then SHA384 is also available? Right, SHA384 is available if SHA512 is listed SHA224 is available if SHA256 is listed. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Playing with auto-key-locate
On Sun, 29 Nov 2009 12:10:35 +, Sean Rima s...@srima.ie wrote: I am playing with auto-key-locate (as per http://gushi.livejournal.com/524199.html) however this is under Vista. Does the Windows port not have pka lookup enabled during the build, I see ldap works but pka and cert don't That depends on the build. If you use GnuPG from Gpg4win this should work. I once ported the adns library for it and this port is included in gpg4win. The simple gnupg 1.4.x installer from ftp.gnupg.org may not support it. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Evolution locks up when sending large pgp signed file
On Tue, 08 Dec 2009 21:53:24 -0600, Chris wrote: ago to Mandriva 2010, Evolution 2.28.1 and Gnome 2.28. When trying to send a signed message with a file over approximately 40k Evo will lockup and have to be killed. Not signing the message allows any size file to I am pretty sure that this is an Evo problem. However you may check whether there is a Pinentry somewhere hidden behind the Evo window. This is a new problem I have not yet investigated; see https://bugs.g10code.com/gnupg/issue1162. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Can't import valid GPG keys in Ubuntu
On Wed, 09 Dec 2009 23:20:03 -0500, Jim Dever wrote: Ok I'll bite. Which one does handle it properly? I did notice that Mutt, Gnus, Claws and probably others I have not used. At least all MUAs I have seen have a Reply to all or Group reply feature. doing a reply all on your message sent it back to the list. Reply All on most messages go back to the sender with a CC: to the list. Anyway I'll hush since this is off-topic. Thanks for the education! It is a matter of the original sender. If a Mail-Followup-To header is included conforming MUAs (Mail User Agents) will reply only to addresses listed there if the user is known to be subscribed to the list. If not they add them self to the MFT header. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Libgcrypt 1.4.5 released
Hello! The GNU project is pleased to announce the availability of Libgcrypt version 1.4.5. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.4.5: * Fixed minor memory leak in DSA key generation. * No more switching to FIPS mode if /proc/version is not readable. * Fixed a sigill during Padlock detection on old CPUs. * Fixed a hang on some W2000 machines. * Boosted SHA-512 performance by 30% on ia32 boxes and gcc 4.3; SHA-256 went up by 25%. Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html. On the primary server the source file and its digital signature is: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.5.tar.bz2 (1121k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.5.tar.bz2.sig This file is bzip2 compressed. A gzip compressed version is also available: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.5.tar.gz (1386k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.5.tar.gz.sig Alternativley you may upgrade version 1.4.4 using this patch file: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.4-1.4.5.diff.bz2 (93k) The SHA-1 checksums are: ef7ecbd3a03a7978094366bcd1257b3654608d28 libgcrypt-1.4.5.tar.bz2 8d83a60ca55f2ea40b5d5bc99463905b7a1dcb56 libgcrypt-1.4.5.tar.gz 5307e361da5232cd771c300adddc69e57f0e366d libgcrypt-1.4.4-1.4.5.diff.bz2 For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. Note that this version is from the stable branch; the current development version is available at svn://cvs.gnupg.org/libgcrypt/trunk . Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improve the software [2], order extensions or support or more general by donating money to the Free Software movement (e.g. http://www.fsfe.org/donate/). Commercial support contracts for Libgcrypt are available [3], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company, is currently funding Libgcrypt development. We are always looking for interesting development projects. Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Happy hacking, Werner [1] See http://www.gnupg.org/documentation/mailing-lists.html. [2] Note that copyright assignments to the FSF are required. [3] See the service directory at http://www.gnupg.org/service.html. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: --edit-key Information
On Mon, 14 Dec 2009 09:46:44 -0500 (EST), Gary Hanley wrote: Where do I find information about the D in 1024D and the g in 4096g? What are the other potential values? In the source ;-). gnupg/g10/keyid.c: int pubkey_letter( int algo ) { switch( algo ) { case PUBKEY_ALGO_RSA: return 'R' ; case PUBKEY_ALGO_RSA_E: return 'r' ; case PUBKEY_ALGO_RSA_S: return 's' ; case PUBKEY_ALGO_ELGAMAL_E: return 'g'; case PUBKEY_ALGO_ELGAMAL: return 'G' ; case PUBKEY_ALGO_DSA: return 'D' ; default: return '?'; } } 'G' is not anymore supported; it was used for sign+encrypt Elgamal. 'r' and 's' are also not used for new keys - they have been used in the past by a PGP variant. And although the answer may be obvious or intuitive, is there a source of information that describes the values of the usage: flags? I am not sure whether it is explicitly documented. In gnupg/doc/DETAILS you can find the assignments we have: 12. Field: Key capabilities: e = encrypt s = sign c = certify a = authentication A key may have any combination of them in any order. In addition to these letters, the primary key has uppercase versions of the letters to denote the _usable_ capabilities of the entire key, and a potential letter 'D' to indicate a disabled key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: cache-timeout not working with smartcard
On Wed, 16 Dec 2009 16:27:29 +0100, Marco Steinacher wrote: option (scdaemon) seem to work. I have set all timeouts to very low values but the PIN is still cached forever (by the card?), as long as There is no cache for a PIN. A card is usually unlocked after the PIN as been given until the card is powered down. Thus is seems that there is a cache. You can power down the card using the option @item --card-timeout @var{n} @opindex card-timeout If @var{n} is not 0 and no client is actively using the card, the card will be powered down after @var{n} seconds. Powering down the card avoids a potential risk of damaging a card when used with certain cheap readers. This also allows non Scdaemon aware applications to access the card. The disadvantage of using a card timeout is that accessing the card takes longer and that the user needs to enter the PIN again after the next power up. Note that with the current version of Scdaemon the card is powered down immediately at the next timer tick for any value of @var{n} other than 0. Another thing, which is probably connected to the cache problem, is that I have to kill the scdaemon (with SIGKILL) after disconnecting and Better use gpgconf --reload scdaemon. I know about this probelm and it is really very annoying if you use one of these ID-000 USB reader sticks becuase with them you don't remove the card but the reader. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: cache-timeout not working with smartcard
On Thu, 17 Dec 2009 11:27:53 +0100, marco+gn...@websource.ch wrote: As I wrote in my posting I have tried to use this option but it does not work. I added 'card-timeout 15' to my scdaemon.conf and nothing happens 15 seconds after accessing the card. The card remains unlocked as long Actually it should release the card immediatley after use. It is only a boolean switch for now. I forgot to mention that this feature is only available with pcsc and not with the internal driver. 1. Couldn't gpg-agent reload scdaemon in the same way when default/max-cache-ttl is exceeded? This would provide the same functionality for unlocked smartcards as for cached passphrases, which would make sense since both are affected by the same security risk (agent hijacking). If you are talking about malware on your box, nothing will help you. You don't have any control anymore on your box. The only advantage you have is that the bot needs to wait until you enter the PIN the next time and then it can replay the PIN as needed. Oh, you are using a pinpad reader - well in this case the malware just et you sign something it is interested in and not what you assume. 2. Couldn't scdaemon be configured to also access the signature key on the card every time, even if only the authentication or encryption key is needed? Then, entering the PIN would be required also every time for e.g. ssh authentication (if the force-sig flag is set on the card). This would basically provide the same functionality as 'card-timeout 1' (provided that it works) without the trouble of powering down and up the Why would you want to do that? See above. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 2.0.14 released
Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.14. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.10) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems. What's New === * The default for --include-cert is now to include all certificates in the chain except for the root certificate. * Numerical values may now be used as an alternative to the debug-level keywords. * The GPGSM --audit-log feature is now more complete. * GPG now supports DNS lookups for SRV, PKA and CERT on W32. * New GPGSM option --ignore-cert-extension. * New and changed passphrases are now created with an iteration count requiring about 100ms of CPU work. Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.14 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: gnupg-2.0.14.tar.bz2 (3889k) gnupg-2.0.14.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.13-2.0.14.diff.bz2 (42k) A patch file to upgrade a 2.0.13 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs for GnuPG-2. Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.14.tar.bz2 you would use this command: gpg --verify gnupg-2.0.14.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.14.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.14.tar.bz2 and check that the output matches the first line from the following list: cc5e4637f37f5bc82b00c73fc094ddadb7401821 gnupg-2.0.14.tar.bz2 cad88a7f3653479df41ddb7956b9f8a0ff6f2185 gnupg-2.0.13-2.0.14.diff.bz2 Internationalization GnuPG comes with support for 27 languages. Due to a lot of new and changed strings many translations are not entirely complete. Jedi, Maxim Britov, Jaime Suárez and Nilgün Belma Bugüner have been kind enough to go over their translations and thus the Chinese, German, Russian, Spanish, and Turkish translations are pretty much complete. Documentation = We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you
Re: Web of Trust itself is the problem
On Thu, 07 Jan 2010 09:36:26 +, makrober wrote: G/PGP isn't widely used because it does not address adequately the real-life operational circumstances of the potential user, and I still believe that OpenPGP along with PGP 2.1 is the most used data protection scheme for plain data and email. We don't have any hard facts except for problem reports we have seen over more than a decade. There must be a reason why OpenPGP application are even sold for mainframes; they need to exchange data with Unix and PC users. On the other hand, WoT brings with it an immense problem for a large number of those that need to communicate in secrecy: it is providing an adversary with a traffic analysis tool that he can only wish for. To state - as those who promote the system in its That is simply not true. The only fact you can read from the WoT is that two person have met around some date. That is in most circumstances not a secret fact; you merely have to look at the list of attendees of conferences. The WoT can give you only a clue if you have only a few signatures on your key. You can get a better set of data for traffic analysis by monitoring the keyservers. However this has nothing to do with the WoT. Or - Web of Trust isn't the solution, Web of Trust is the problem. Consequently, a WoT improvement mechanism such as outlined in the presentation is, unfortunately, extremely unlikely to advance the adoption of g/pgp. Until recently almost every mail client simply ignored the key validity and encrypted anyway. Yes, that is not as one should do it but it shows that the WoT is not really used. The majority of people don't care. For example. my key is around for many years now and for quite some time it has been one of the top connected keys. Despite that I only recently could find a trust path to the keys used to sign the linux kernel. They Linux hackers obviously didn't care about getting involved into the WoT. (I am not sure whether this is pro or contra to your statement ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust itself is the problem
On Thu, 07 Jan 2010 10:50:35 -0600, Alex Mauer wrote: They’re only unknown the first time you contact them. It is useful to know that the second time you contact f...@example.com it’s the same party you contacted the first time. Or that the phishing email you MUA authors should really add a feature supporting this. In particular storing the fingerprint of a key in the address book. We are talking about this for years but to my knowledge it has never been implemented. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Use DINSIG SmartCard
On Mon, 4 Jan 2010 11:49:31 -0800 (PST), fava64 wrote: f...@desk:~$ gpg2 --card-status Application ID ...: FF7F00 gpg: this is a DINSIG compliant card gpg: not an OpenPGP card Right. You need to use gpgsm for the X.509 keys as used with these cards: gpgsm --learn-card to read the certificates from the card and from then on it should just work - well in theory. The current signature cards may not work anymore; for example TCOS 3 requires secure messaging which is not yet implemented. If you run into problems you could try this: $ gpg-connect-agent scd serialno dinsig scd learn --force and if should return some infos. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Import of old keys
On Sat, 09 Jan 2010 22:46:04 +0100, Bernhard wrote: May I ask another question: Which gnome/kde program let me generate smime keys? You can't. What you can do is to create a certificate signing request and send that to a CA to send you back a certificate. If you want a GUI tool to create a certificate signing request, you can use KDE's Kmail or Kleopatra. On the command line you can use gpgsm --gen-key. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Use DINSIG SmartCard
On Sat, 9 Jan 2010 12:24:16 -0800 (PST), fava64 wrote: Does this mean it doesn't work or does this mean that I did not understand anything? That probably means that your card does not follow the DIN V 66291-1 (aka DINSIG) as implemented by scdaemon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: very short plaintexts symmetrically encrypted
On Mon, 11 Jan 2010 13:06:03 -0500, lists.gnupg-us...@mephisto.fastmail.net wrote: Forgive me, but how is a MitM attack possible against a symmetric cypher using a shared, secret key? For example by swapping messages. Two messages are sent on two out-of-band events one which says Yes and the other says No. If you can mount an active MitM attack you can revert the meaning. A MitM may also inject faults to make the received message look like a transmission error and thereby triggering another message. Right, you can counter such attacks by adding more information to the message. However, the original post was about two short messages. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: problem importing key to card
On Tue, 12 Jan 2010 23:18:29 +0100, Stefan Xenon wrote: moo:~ tk$ gpg2 --edit-key F1AE8111 gpg (GnuPG/MacGPG2) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc. Get a more recent version of GnuPG. Although the NEWS entry for 2.01.2 claims that the OpenPGP card is supported we had to add some other things later, like: 2009-07-09 Werner Koch w...@g10code.com * card-util.c (card_store_subkey): Do not restrict to 1024 bit keys. Print an error message on write errors. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Changing trust in GPGME
On Tue, 12 Jan 2010 23:41:52 +0100, Piotr Bratkowski wrote: I have this code. And when I see output owner_trust = 4, but in gpg from system I get 0. Do I need to somehow save this changes?? This is not directly supported by GPGME. You need to write an edit interactor to control the gpg --edit-key command. GPA has code which shows how to do it. while(!(err = gpgme_op_keylist_next (ctx,key))) { if(key-owner_trust==0) { key-owner_trust=GPGME_VALIDITY_FULL; fprintf(stderr,%i : Key owner= %s fingerprint= %s trust= %i\n,i,key-uids-name,key-subkeys-fpr,key-owner_trust); That is useless. You are changing a returned value for display. It does not make any sense to change it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Changing trust in GPGME
On Wed, 13 Jan 2010 10:49:03 +0100, Piotr Bratkowski wrote: What is GPA?? http://www.gnupg.org/related_software/gpa/ The GNU Privacy Assistant (GPA) is a graphical user interface for the GnuPG (GNU Privacy Guard). GPA utilizes GTK (the GIMP Tool Kit) and compiles for various platforms. Actually GPA was the first GUI frontend for GPG. The development site is at: http://wald.intevation.org/projects/gpa/ Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpeme_get_key returns a 'general error' after some time.
On Thu, 21 Jan 2010 11:43, f.schw...@chili-radiology.com said: I have some strange problems using gpg (1.4.9) resp. gpgme (1.1.4) and hope someone can help me. Please update gpgme to 1.2.0; there a couple of minor bug fixes. Further GPGME has far better trace support which greatly helps to track down such problems: Run your application like this $ GPGME_DEBUG=9:/foo/gpgme.log ./foo On windows it works similar; you just need to use set and replace the colon by a semicolon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg doesn't recognize card.
On Wed, 20 Jan 2010 17:11, taurus...@gmail.com said: Gpg does not recognize my fellowship card; ~ xxx$ gpg --card-status gpg: selecting openpgp failed: Card error gpg: OpenPGP card not available: Card error Reader 01: Gemplus GemPC Twin 00 00 Is that a new OpenPGP card (2.0)? If so you are out of luck on Unix systems: The Gemplus readers are buggy (they don't support extended length APDUs). You may try to use the workaround which is in the internal CCID driver of scdaemon (stop pcscd and make sure that you have permissions to write to the usb port). This workaround sometimes work. BTW, it works on Windows because the gemplus driver seems to have a workaround for it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpeme_get_key returns a 'general error' after some time.
On Mon, 25 Jan 2010 10:10, f.schw...@chili-radiology.com said: thanks for the tip with debuglog but this is not practical in my case because 2 minutes after starting the application I already have over 1GB of logdata, and the error might occur only after a few hours runtime... Then you need to use finer grained debug control. Probably you need to modify something in gpgme. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Passphrase problem in gpgsm 2.0.14
Hi! While preparing a new release of Gpg4win we found a regression in GnuPG 2.0.14. The problem is due to this change: * New and changed passphrases are now created with an iteration count requiring about 100ms of CPU work. I don't know how it slipped through my tests, but somehow it happend. The bug occurs in all cases where gpg-agent creates a new protected key or changes the protection. For example: - You import a new private key with GPGSM from a PKCSC#12 file. - You change the passphrase of a X.509 key (gpgsm --passwd) - You create or import a new on-disk Secure Shell key. It does not affect keys or passphrases related to GPG (OpenPGP keys). The bug is that the new iteration count is not encoded in the file. Instead the old constant value of 65536 (encoded as 96) is written to the file. If you now try to use the key and enter the passphrase, gpg-agent uses the wrong iteration count from the file (65536) and thus can't unprotect the key. A patch against 2.0.14 is attached. It is possible to fixup the wrong iteration counts but before I add such a feature, I would like to know whether this is really needed. - If you imported a p12 file you may simply re-import that file after deleting the old file. To find the respective file with the private key, you use this command gpgsm --dump-cert KEYID | grep keygrip: The hex-string you see is the basename of private key. For example: $ gpgsm --dump-cert 0x036A1456 | grep keygrip: keygrip: 25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289 $ ls -l private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key You better delete this file before importing the p12 file again: $ rm private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key - If you changed the passphrase and you have a backup of the private key, it will be easier to use the backup. - If you did not changed the passphrase, you don't have any problem. - If there is no other way to restore it, please complain and I will write a tool to fixup the mess. I am sorry for the possible trouble. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. #! /bin/sh patch -p0 -f $* $0 exit $? agent/ 2010-01-26 Werner Koch w...@g10code.com * protect.c (do_encryption): Encode the s2kcount and do not use a static value of 96. --- agent/protect.c (revision 5231) +++ agent/protect.c (working copy) @@ -360,19 +360,25 @@ in canoncical format of course. We use asprintf and %n modifier and dummy values as placeholders. */ - p = xtryasprintf -((9:protected%d:%s((4:sha18:%n_8bytes_2:96)%d:%n%*s)%d:%n%*s), - (int)strlen (modestr), modestr, - saltpos, - blklen, ivpos, blklen, , - enclen, encpos, enclen, ); - if (!p) -{ - gpg_error_t tmperr = out_of_core (); - xfree (iv); - xfree (outbuf); - return tmperr; -} + { +char countbuf[35]; + +snprintf (countbuf, sizeof countbuf, %lu, get_standard_s2k_count ()); +p = xtryasprintf + ((9:protected%d:%s((4:sha18:%n_8bytes_%u:%s)%d:%n%*s)%d:%n%*s), + (int)strlen (modestr), modestr, + saltpos, + (unsigned int)strlen (countbuf), countbuf, + blklen, ivpos, blklen, , + enclen, encpos, enclen, ); +if (!p) + { +gpg_error_t tmperr = out_of_core (); +xfree (iv); +xfree (outbuf); +return tmperr; + } + } *resultlen = strlen (p); *result = (unsigned char*)p; memcpy (p+saltpos, iv+2*blklen, 8); pgpgkzVtzfpxh.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg doesn't recognize card.
On Fri, 29 Jan 2010 01:22, jcr...@gmail.com said: $ killall -u username scdaemon #usually has to be entered 2-3x to kill it FWIW, gpgconf --reload scdaemon does the same in a well defined manner. Shalom-Salam, Werner ps. Please do not use killall but pkill which is a well defined command. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG4Win: running gpg-agent with SSH agent support?
On Fri, 29 Jan 2010 14:03, si...@josefsson.org said: I've installed GPG4Win and it recognizes my OpenPGP smartcards without problem (via a gpg-agent process which appears to be auto-started somehow?). However, I'd like to enable SSH agent support in gpg-agent Yes, we do this on Windows because we have a well known socket name there. It may actually happen that two agents are started which does not harm because the the unused agent detects this case and terminates itself after some time. too, so that Cygwin ssh can make use of it. Is this possible, if so how? It can't work out of the box because ssh needs to implement our local socket emulation (see libassuan/src/assuan-socket.c). It would be very useful if we could get support for this into putty. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG4Win: running gpg-agent with SSH agent support?
On Mon, 1 Feb 2010 21:31, d...@prime.gushi.org said: On Mon, 1 Feb 2010, Werner Koch wrote: Yes, we do this on Windows because we have a well known socket name there. It may actually happen that two agents are started which does not harm because the the unused agent detects this case and terminates itself after some time. What's the socket location inder win32, if you don't mind me asking? On my system this is C:\Dokumente und Einstellungen\werner\Anwendungsdaten\gnupg\S.gpg-agent You can get all these values using: c:\Programme\GNU\GnuPGgpgconf --list-dirs sysconfdir:C%3a\Dokumente und Einstellunge[...]aten\GNU\etc\gnupg bindir:c%3a\Programme\GNU\GnuPG libexecdir:c%3a\Programme\GNU\GnuPG libdir:c%3a\Programme\GNU\GnuPG\lib\gnupg datadir:c%3a\Programme\GNU\GnuPG\share\gnupg localedir:c%3a\Programme\GNU\GnuPG\share\locale dirmngr-socket:C%3a\WINDOWS\S.dirmngr agent-socket:C%3a\Dokumente und Eins[...]gsdaten\gnupg\S.gpg-agent homedir:C%3a\Dokumente und Einstellungen\werner\Anwendungsdaten\gnupg This is a colon delimited and percent escaped output, thus the %3a for the colons in the filenames. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG4Win: running gpg-agent with SSH agent support?
On Tue, 2 Feb 2010 15:52, si...@josefsson.org said: Why can't gpg-agent implement the same protocol that ssh-agent does under Windows? I don't know how ssh-agent works unde Cygwin. It has been many years that I last looked at Cygwin. How to they emulate nix doman sockets? That is the crucial question. The ssh-agent under Cygwin appears to work in the same way it does on GNU/Linux, i.e., the ssh process looks for the environment variables that ssh-agent prints when started. I believe gpg-agent prints these environment variables. I can't check right now because I removed the current installation cause I am about to test a new gpg4win. However the crucial question is how the Unix domain sockets are implemented. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpeme_get_key returns a 'general error' after some time.
On Wed, 17 Feb 2010 09:48, f.schw...@chili-radiology.com said: I'm getting a fd 256 which seams to be the maximum of fds gpgme can handle. It might be some sort of design-issue in my software causing so many open fds, but I'd still like to overcome this fd Actually not, there is quite some software out which uses a lot of fds. On my system, the default number of FDs is 1024 (ulimit -n) and thus it coult happen here as well. We need to change the datatructure. the notify_table. So could I just increase the size of the notify_table without breaking things? Should pose no problem. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpeme_get_key returns a 'general error' after some time.
On Wed, 17 Feb 2010 19:31, w...@gnupg.org said: We need to change the datatructure. Done. However we need to write a test case for it. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Release candidate for 2.0.15
Hi! I just prepared a release candidate for GnuPG 2.0.15. The goal of this release is to find out whether there are any severe build or runtime bugs. There are actually not may changes: * New command --passwd for GPG. * Fixes a regression in 2.0.14 which prevented unprotection of new or changed gpg-agent passphrases. * Make use of Libassuan 2.0 which is available as a DSO. as well as a couple of minor bug fixes and some changes to the German translation. The major point is the move to Libassuan 2.0. This is the first version of Libassuan which may be used as a shared library. We took this change to cleanup the API a bit with the drawback that some changes to the caller are required. To make development with Libassuan easier we need to get rid of Libassuan 1 which developer's package can't be installed side by side with Libassuan 2. Thus it is not easy to maintain software written with version 1 and 2 at the same time. With the 2.0.15 release we will have finished the migration of the GnuPG related tools to Libassuan 2. Please let us know if there are any problems building this release: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.15rc1.tar.bz2 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.15rc1.tar.bz2.sig Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpLLRcgV1NLj.pgp Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Shamir's Secret Sharing Scheme integration?
On Sun, 21 Feb 2010 14:40, rich.ged...@verizon.net said: Is there a utility that integrates gnupg with (Shamir's Secret Sharing Scheme)? And maybe using smartcards? If not has anyone seen a HowTo that shows how to integrate them? I don't know of a complete solution but Phil Sutter wrote his master thesis on this. See http://lists.gnupg.org/pipermail/gnupg-devel/2008-July/024506.html The code is at: http://nwl.cc/cgi-bin/git/gitweb.cgi?p=ssd.git;a=summary Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to decrypt signatures with gpgme?
On Thu, 25 Feb 2010 12:35, f.schw...@chili-radiology.com said: when I create a signature with gpg --sign, I'm able to use gpg --decrypt to get the plaintext from the signature. You might want to use: gpg --verify --output PAINTEXT.TXT SIGNED.GPG So is there a way to get the plaintext from the signature using gpgme? What about this: - Function: gpgme_error_t gpgme_op_verify (gpgme_ctx_t CTX, gpgme_data_t SIG, gpgme_data_t SIGNED_TEXT, gpgme_data_t PLAIN) The function `gpgme_op_verify' verifies that the signature in the data object SIG is a valid signature. If SIG is a detached signature, then the signed text should be provided in SIGNED_TEXT and PLAIN should be a null pointer. Otherwise, if SIG is a normal (or cleartext) signature, SIGNED_TEXT should be a null pointer and PLAIN should be a writable data object that will contain the plaintext after successful verification. [...] Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent rejects correct password for ssh keys
On Fri, 26 Feb 2010 17:20, vor...@ucw.cz said: The agent asks for a passphrase to decrypt the key. I type it again and, this is the problem, it says it is incorrect. I'm sure I typed it correctly (I tried Please see http://lists.gnupg.org/pipermail/gnupg-users/2010-January/038045.html Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Offline Primary Key
On Mon, 1 Mar 2010 22:13, ds...@jabberwocky.com said: someone elses key. The current design effectively forces people to manually move the valuable primary key out of the way before clobbering it with the subkey-only copy of the key. Another important point is that if you want to use an offline key you should create that key offline and export the subkeys to the online box. Doing this on the same box is a bit questionable. To me an offline key is one created on box which has never been and will never be connected to the net. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress warning about gpg-agent?
On Mon, 8 Mar 2010 01:43, power...@powerman.name said: I've a lot of projects (each has separate user account) which use gpg for encrypting daily backups (from cron) in this way: gpg --batch --cipher-algo AES256 -c --passphrase-file PASSFILE BACKUP.tar FWIW, You should use public key encryption instead of symmetric only encryption. This makes everything much easier. I don't like to run gpg-agent as a daemon on all these user accounts just to suppress this warning message (and there may be additional issues to make it accessible from cron scripts, too). A littel warning: gpg-agent is is a cornerstone of GnuPG-2. You can't do much without it. Today gpg2 might be usable without a running gpg-agent but with the current branch this will change: All secret key operations are then diverted to the agent. In your case the agent is required to return the S2K count. This values is computed only once because it takes some time can can't be done for each invcation. To avoid this you may try option --s2k-count N. You can get a suitable value for N on your machine by running the command gpg-connect-agent 'getinfo s2k_count' /bye Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress warning about gpg-agent?
On Mon, 8 Mar 2010 13:22, power...@powerman.name said: I don't think so. Every project encrypt it backups with different passwords (needed for security), and right now I can keep just several dozens of passwords, but with public keys I'll need to keep several dozens of .gnupg directories instead, which is harder to manage. You would use the same keyring for all users. The option --homedir might be useful for this. I wonder what is physical sense of this number? Is it safe to hardcode one number for all user accounts on same server (many servers)? It is a kind of iteration count for the passpharse; i.e. how often to hash the passphrase. This is to mitigate dictionary attacks. A fixed value is fine. P.S. But I still think much more clear solution is just add option to suppress warning message and let gpg start own copy of gpg-agent when it We could use --quiet to suppress this warning. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Release candidate for 2.0.15
On Thu, 18 Feb 2010 18:20, carlo.bra...@libero.it said: I tried to compile gnupg-2.0.15rc1 under mingw+msys. As you know we only support cross-building from a Unix platform. Everything worked fine except the compilation of scd/ccid-driver.c Well, the internal ccid-driver does not work wth Windows. I never tested libusb-win32 and I am not sure whetehr this is a good idea at all. Using the standard PC/SC has the advantage that it works with almost all readers. I have added a configure option to disable the ccid driver: ./configure --disable-ccid-driver Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 2.0.15 released
Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.15. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.10) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems. What's New === * New command --passwd for GPG. * Fixes a regression in 2.0.14 which prevented unprotection of new or changed gpg-agent passphrases. * Uses libassuan 2.0 which is available as a DSO. Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.15 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: gnupg-2.0.15.tar.bz2 (3884k) gnupg-2.0.15.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.14-2.0.15.diff.bz2 (40k) A patch file to upgrade a 2.0.14 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs for GnuPG-2. Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.15.tar.bz2 you would use this command: gpg --verify gnupg-2.0.15.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.14.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.15.tar.bz2 and check that the output matches the first line from the following list: 3596668fb9cc8ec0714463a5009f990fc23434b0 gnupg-2.0.15.tar.bz2 ed35765ae081706c8856fd491201f4f9576135fd gnupg-2.0.14-2.0.15.diff.bz2 Internationalization GnuPG comes with support for 27 languages. Due to a lot of new and changed strings many translations are not entirely complete. Jedi, Maxim Britov, Jaime Suárez and Nilgün Belma Bugüner have been kind enough to go over their translations and thus the Chinese, German, Russian, Spanish, and Turkish translations are pretty much complete. Documentation = We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. KDE's KMail is the most prominent user of GnuPG-2. In fact
Release candidate for Dirmngr 1.1.0
Hi! To move forward with the migration to libassuan 2.0, I did a release candidate for Dirmngr: ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-1.1.0rc1.tar.bz2 (544k) ftp://ftp.gnupg.org/gcrypt/alpha/dirmngr/dirmngr-1.1.0rc1.tar.bz2.sig Changes are: * Fixed a resource problem with LDAP CRLs. * Fixed a bad EOF detection with HTTP CRLs. * Made dirmngr-client --url --load-crl URL work. * New option --ignore-cert-extension. And well, it requires libassuan-2. Please let us know if you notice any new problems. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Off-The-Record Email
On Thu, 11 Mar 2010 09:29, firasmr...@gmail.com said: Is there a way to be able to have off-the-record email conversations with GPG technology? It would definitely be a terrific thing. Email is I was pondering with the idea to use the WoT or an existsing OpenPGP key for fingerprint checking. No concrete design, though. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Restarting gpg-agent
On Mon, 15 Mar 2010 11:58, r...@ringlet.net said: # start gpg-agent if no running instance is found if test -z ${GPG_AGENT_INFO} || ! kill -0 `grep GPG_AGENT_INFO ${GA_INFO_FILE} | cut -d: -f 2 -` 2/dev/null; then In this way, you risk a false positive if gpg-agent has died (or not been started at all, but a .gpg-agent.info file has been left over) I have not follewed this thread. However the code above is far too complex. For years gpg-agent is able to test whether it is already running, just call gpg-agent and don't pass the --daemon option: $ gpg-agent gpg-agent: gpg-agent running and available $ echo $? 0 $ GPG_AGENT_INFO= gpg-agent gpg-agent: no gpg-agent running in this session $ echo $? 2 Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg symmetric to Java JCA decryption
On Sun, 21 Mar 2010 22:09, webe...@gmail.com said: No, I don't need OpenPGP, just need symmetric encryption done by a standard command line Unix tool and decryption by means of the Java You still need to define which standard you want to use. The most popular encryption standards are 1. OpenPGP - A command line tool for this is gpg 2. CMS (aka PKCS#7) - A command line too for this is gpgsm. Guess I'll take openssl, looks like this works with Java: Openssl implements several sprotocols, you need to specify which protocol of openssl you use. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where to find g13?
On Wed, 17 Mar 2010 20:40, alava...@gmail.com said: Hello. Can someone please show me a link to download and install *G13*, the LUKS replacement? Alternatively, would you suggest an exit to the quagmire below... Extensive googling has not succeeded. This is in the development branch of GnuPG. As of now it only supports EncFS as a backend and thus you can't use it as a replacement. svn co svn://cvs.gnupg.org/gnupg/trunk Compiling gpgme 1.3.0 from source fails with a warning that g13 is not available. I cannot find a copy on my system or in its repositories. That is should be just a warning and gpgme should build fine. It is just a *configure* warning, so I can proceed to *make*, but then that then fails with error: assuan.h: No such file or directory Yeah, you need to install the development package for libassuan 2.0 Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: secret keys are not imported
On Thu, 8 Apr 2010 02:31, mailinglis...@hauke-laging.de said: # LC_ALL=C gpg --import hauke__0xECCB5814.sec.asc gpg: key ECCB5814: already in secret keyring gpg: Total number processed: 1 gpg: secret keys read: 1 gpg: secret keys unchanged: 1 This does not. Merging secret keys is not yet supported. Delete the secret keys on the target box first. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent and ssh-keys not working anymore
On Fri, 16 Apr 2010 14:37, j...@seiken.de said: The passwords are enter correctly and the ssh public key was added to authorized_keys. I tried generating new ssh keys but the problem is always the You might be hampered a bug fixed in 2.0.15: * Fixes a regression in 2.0.14 which prevented unprotection of new or changed gpg-agent passphrases. It is possible to write a tool to fix such a bad passphrases. However there are only a very few reports and thus I believe it is easier to generate a new key instead. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent and ssh-keys not working anymore
On Mon, 19 Apr 2010 09:20, j...@seiken.de said: The new ubuntu lucid which will be released in a few days and has a gpg-agent version of 2.0.14. Though gpg-agent is not the default ssh-agent this problem might cause trouble more in the next few months. Ubuntu should have patched 2.0.14. I posted a patch quite some time ago. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent and ssh-keys not working anymore
On Mon, 19 Apr 2010 10:26, j...@seiken.de said: It would be pretty bad if ubuntu releases gnupg with this bug since lucid is a long term support release and gnupg might receive up to 5 years of reports of regarding this bug on their mailing lists. I posted the patch on January 26. Find it attached. Will you be so kind and forward it to the Ubuntu folks? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. #! /bin/sh patch -p0 -f $* $0 exit $? agent/ 2010-01-26 Werner Koch w...@g10code.com * protect.c (do_encryption): Encode the s2kcount and no not use a static value of 96. --- agent/protect.c (revision 5231) +++ agent/protect.c (working copy) @@ -360,19 +360,25 @@ in canoncical format of course. We use asprintf and %n modifier and dummy values as placeholders. */ - p = xtryasprintf -((9:protected%d:%s((4:sha18:%n_8bytes_2:96)%d:%n%*s)%d:%n%*s), - (int)strlen (modestr), modestr, - saltpos, - blklen, ivpos, blklen, , - enclen, encpos, enclen, ); - if (!p) -{ - gpg_error_t tmperr = out_of_core (); - xfree (iv); - xfree (outbuf); - return tmperr; -} + { +char countbuf[35]; + +snprintf (countbuf, sizeof countbuf, %lu, get_standard_s2k_count ()); +p = xtryasprintf + ((9:protected%d:%s((4:sha18:%n_8bytes_%u:%s)%d:%n%*s)%d:%n%*s), + (int)strlen (modestr), modestr, + saltpos, + (unsigned int)strlen (countbuf), countbuf, + blklen, ivpos, blklen, , + enclen, encpos, enclen, ); +if (!p) + { +gpg_error_t tmperr = out_of_core (); +xfree (iv); +xfree (outbuf); +return tmperr; + } + } *resultlen = strlen (p); *result = (unsigned char*)p; memcpy (p+saltpos, iv+2*blklen, 8); ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg-agent and ssh-keys not working anymore
On Tue, 20 Apr 2010 10:31, j...@seiken.de said: I filled a launchpad bug report for this problem and attached the patch. The report refers to the new ubuntu lucid release version of the gnupg. https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/567106 I don't know if the maintainer of the package is going to react and integrate the patch any time soon. I just checked Debian and noticed that they neither applied the patch. However I hope they will go with 2.0.15 anyway. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Elliptic curves in gnupg status?
On Sat, 24 Apr 2010 17:16, d...@fifthhorseman.net said: http://tools.ietf.org/html/draft-jivsov-openpgp-ecc Actually the working group informally agreed on this draft after we changed a few US centric things. It is just a matter of implementing it in GnuPG. Sergi started with that but I have seen fully working code so far. I spend most of the last week to remove the secring.gpg related code in gpg and move the secret key processing entirely to gpg-agent. It is far from being finished but it helps to integrate new algorithms more easily (we don't have to keep pubring and secring in sync). My idea of implementing ECC is to first work on the signing part (ECDSA) before moving to the encryption part with a later version. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Crypto Stick released!
On Sat, 1 May 2010 01:54, j...@seiken.de said: an openpgp card version 2.0 which isn't supported by opensc yet. So you can't use opensc's firefox integration unless opensc releases an updated Checkout http://www.scute.org . Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Crypto Stick released!
On Mon, 3 May 2010 12:22, j...@seiken.de said: selecting my key I always get this firefox error message sec_error_pkcs11_function_failed. Okay we need to check this. This should really work. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Compile PTH on AIX
On Tue, 4 May 2010 14:50, beppeco...@yahoo.it said: pth.h:93:2: error: #error FD_SETSIZE is larger than what GNU Pth can handle. I ran a simple utility check that says: FD_SETSIZE=65534 You may try to configure it this way: ./configure --with-fdsetsize=65536 Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users