Re: gpg2 says No Secret Key, gpg1.x says there is
On Sat, 8 May 2010 21:14, please.p...@publicly.invalid said: for some time gpg2 from subversion has been giving me grief, claiming there was no secret key, while gpg1.xxx says there is: This is the development version and you can't expect that it will work. In particular we are doing lots of internal changes and it will take some more weeks until it stabilizes again. Maybe even months. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Compile PTH on AIX
On Tue, 11 May 2010 14:15, beppeco...@yahoo.it said: checking for PTH - version = 1.3.7... yes checking whether PTH installation is sane... no Please look into config.log and locate the above is sane check. It shows the actual test program run etc. Paste this part of config.log into a mail. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: upgrading from 1.4.7 to 2.0.14
On Fri, 28 May 2010 13:18, matthew...@aol.com said: I would like to know where one can get gpg 2.0.14 complied for windows? http://www.gpg4win.org Please wait until Sunday - I am currently preparing a new release. The included GnuPG version is 2.0.14 with a couple of fixes to make it close to 2.0.15. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Encrypted Directory
On Thu, 27 May 2010 00:08, m_d_berger_1...@yahoo.com said: Also, AFAICT, truecrypt, luks, FreeOTFE do not have public key encryption, which I would prefer. GnuPG 2.1 will come with g13 which is a public key encryption frontend to user filesystems. As of now we support Encfs but it is easy to add other file systems. Encfs has been ported to Windows, thus it will be possible to do this there as well. Smartcards are supported automagically. It is all work in progress and not yet ready for production use. Things we need to do: * Add other crypto file systems. * Add the code to manage the encryption, so that it is possible to change the keys or add more keys (even symmetric ones). * Port to Windows. * Improve the GPGME interface (we already have a mount/umount API, though). * Push some minor encfs changes to upstream. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Smartcard PIN change via card reader keypad?
On Mon, 7 Jun 2010 12:48, mailinglis...@hauke-laging.de said: When I use the keys on the card then gpg always asks me to use the reader keypad. Do you have a special configuration so that it does this for changing the PIN, too? Changing the pin via the keypad is not implemented. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keyserver spam example
On Fri, 11 Jun 2010 02:16, expires2...@ymail.com said: delete them if they don't. Or one message to everybody with a customised subject line for each. Alternatively, those of us who are That is a good idea. I was thinking of bisecting the mailing list to make sure that test mails receive the culprit as actual mailing list posts. But lets try the simple solution first. fed up with the messages could simply filter them out ourselves. (-; That is actually much easier. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Test mail to arch...@mail-archive.com
Hi! One of the subscribers to this list created a mail forward to an automated ticketing system which responds to the the poster. The owner of the ticketing system at secure.mpcustomer.com does not respond to any of our queries to send us more information on the mails triggering the posting. Thus we need to send these test mails in the hope to figure out the culprit. Sorry for the inconvenience, Werner
Re: Crypto Stick released!
On Thu, 3 Jun 2010 16:58, jroll...@finestructure.net said: regards to the Crypto Stick? Is that something that can be patched, or is it a limitation of the communication protocol? Right that is a limitation of an internal communication protocol. Not hard to change but there are more important things to be done. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
FYI: About my test mails
Hi, a few hours ago I sent test mails to each subscribed user. The mails should look like regular mailing list mail but with your address also in the subject. This is a try to figure out who forwards postings to an automated systems which in turn spams the original poster. Please ignore these mails - there is no need to respond. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FYI: About my test mails
On Fri, 11 Jun 2010 12:15, w...@gnupg.org said: the subject. This is a try to figure out who forwards postings to an automated systems which in turn spams the original poster. The culprit was supp...@resell.biz - I unsubscribed this address and banned it from further subscriptions. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: FYI: About my test mails
On Fri, 11 Jun 2010 23:57, benja...@py-soft.co.uk said: Did alava...@gmail.com ever get removed? See http://lists.gnupg.org/pipermail/gnupg-users/2010-May/038724.html I can see no evidence that this address is abusing this ML. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: libassuan dependency mismatch with gnupg 2.0.15 and dirmngr
On Mon, 14 Jun 2010 07:06, do...@dougbarton.us said: Working on updating gnupg in FreeBSD and ran into a problem. GnuPG 2.0.15 requires libassuan 2.0.0, but to build the gpgsm module it requires dirmngr, which requires libassuan 1.x. My understanding is Oppps. I though I released a new dirmngr version - hmmm that was only a release candidate. I try to get it out today. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: libassuan dependency mismatch with gnupg 2.0.15 and dirmngr
Hi, I just released dirmngr 1.1.0 which requires libassuan 2.0. Let me know if you have any problems, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: auto refresh-keys
On Mon, 14 Jun 2010 18:50, d...@fifthhorseman.net said: here's a proposal: gpg could keep track of the last time it refreshed any given key from a public keyserver. when the user tries to use that That is one of the reasons why we should move away from the pubring.gpg format. The new keybox format allows to store such meta data. I hope to finish the migration of secret keys to gpg-agent in a few weeks. After that has been done gpg can move to the keybox format. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gnupg-users Digest, Vol 81, Issue 19
On Wed, 16 Jun 2010 04:06, alava...@gmail.com said: But shall do so now, to ensure I am not offending you or others. But at present I see no reply-to addresses in my headers. That was not the problem. The owner of supp...@resell.biz uses procmail/formail or similar to redirect certain incoming mails to the ticket system and someone subscribed this address to gnupg-users and a couple of other mailing lists. I don't know why Ben assumed that you did this; analyzing mail programs is not easy and can easily lead to false claims. Sorry for that. No action required by you. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Compile PTH on AIX
On Tue, 18 May 2010 08:57, beppeco...@yahoo.it said: We understand that the problem is about FDSETSIZE. PTH has been configured and compiled --with-fdsetsize=8192 Which should have installed a pth.h file with the test #if defined(FD_SETSIZE) #if FD_SETSIZE 8192 #error FD_SETSIZE is larger than what GNU Pth can handle. #endif #endif I assume that your system picked up the old pth.h header and not the one from the newly compiled pth. However gnupg-2 doesn't recognize this option: configure: WARNING: unrecognized options: --with-fdsetsize Not relevant. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Compile PTH on AIX
On Wed, 16 Jun 2010 14:39, beppeco...@yahoo.it said: /* check if the user requests a bigger FD_SETSIZE . #if defined(FD_SETSIZE) . The next 2 is more important; the one below /usr/local should have a #if FD_SETSIZE 8192 No? Then you did not install pth properly or gpg does not use the corresponding libpth.so Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: openpgp to sexp conversion ..
On Tue, 22 Jun 2010 02:34, r...@sixdemonbag.org said: Explain 'sexp', please? When I hear someone talk about sexps, I think they're talking about LISP S-expressions. I don't know if that's what you have in mind. This is likely about the S-expression format as used with spki. Libgcrypt uses them to represent public key data. See http://people.csail.mit.edu/rivest/sexp.html Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: openpgp to sexp conversion ..
On Tue, 22 Jun 2010 02:34, r...@sixdemonbag.org said: My name is Kahnan and I am looking to convert openpgp keys in to sexp including key data .. [I have not seen Kahnan mail (maybe spam filter issue). ] The GnuPG SVN trunk has a lot of code to do the conversion. For example: gnupg/g10/pkglue.c gnupg/common/sexputil.c Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: upgrading from 1.4.7 to 2.0.14
On Thu, 24 Jun 2010 01:17, emylists...@gmail.com said: should we uninstall 1.4.7 prior to upgrading to 2.0.xx or does the win-installer take care of that. It is suggested that you uninstall first. gpg4win 2 tries to take care of it but it might fail. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key gen batch operations
On Tue, 29 Jun 2010 00:31, m...@simplercomputing.net said: Anyone know if it's possible to generate a subkey for signing purposes via batch operations or a script? I can't seem to find anything that references a way to do that. No. You need to employ the --command-fd/status-fd mechanism to control GPG for this task. Shalom-Salam, Werner ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How to sign a remote repository, i.e. forward agent
Carsten Aulbert carsten.aulb...@aei.mpg.de writes: Now the notorious question: Does anyone know how to forward the agent's socket to the remote machine? I've briefly tried socat (remote unix socket to tcp It does not help you. gpg currently uses the agent only for passphrase caching and not for secret key processing. 2.1 changes this but import and export of secret keys is not yet implemented - thus it works only for new keys. The problem with forwarding the socket is a different one. In theory you could modify the PG-agent code to listen on a local TCP server and use an implemented hack in libassuan to connect via TCP. The use ssh to tunnel the connection. The security problem here is that anyone may connect to a local socket. Under Windows we use such a system but send and except a magic cookie to authenticate the connection. Using a smartcard may make things easier - tunneling a smartcard is possible and there is still some cruft in the code for remote smartcard access. I even have a project to do this all via an ssh connection - but I am sure that these bits are pretty rotten. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Help with batch mode delete of keys
Leslie Mitchell l.mitch...@heywood.co.uk writes: gpg: can't do this in batch mode gpg: (unless you specify the key by fingerprint) My question is how do I specify a fingerprint Please have a look in the manual, there is a chapter titled How to Specify a User Id. The man page has this info as well. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using S/MIME encryption with self-signed certificates
On Fri, 2 Jul 2010 13:21, fwei...@bfk.de said: Is it possible to use gpgsm to encrypt data for a self-signed X.509 certificate? Right now, the program bails out with issuer certificate is not marked as a CA, and I would like to work around that, preferably without running a full CA. Add the keyword relax to ~/.gnupg/trustlist.txt and give the agent a HUP (or run gpgconf --reload gpg-agent). Example line: 1122334455667788990011223344556677889900 S relax Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using gpg2 without pinentry?
On Sat, 3 Jul 2010 05:33, do...@dougbarton.us said: What's needed for this case is a way to tell gpg2 emulate gpg 1.x behavior and prompt for the password in line. I haven't looked at the internals in detail so I have no idea how difficult this would be. The That is not easy but doable; see below. Assuming that Alpine is a curses application you may use the curses pinentry (If DISPLAY is not set, the standard pinentries fall back to curses). This might overwrite the Alpine screen, thus after the filter has been run, you should restore the screen (ctrl-L). If this is not possible you may make use of the shell's suspend feature. Using screen(1) and pinning the pinentry to one screen is another option. You may write a pinentry which loops back to Alpine or your script. To support this GnuPG provides the envvar PINENTRY_USER_DATA which you may set to an arbitrary string and evaluate in your loopback-pinentry. Your pinentry would then use a fifo or another mechanism to ask the originating process to enter a passpharse and return that one back to your loopback-pinentry and in turn to gpg-agent. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Libgcrypt 1.4.6 released
Hello! The GNU project is pleased to announce the availability of Libgcrypt version 1.4.6. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.4.6: * New variants of the TIGER algorithm. * New cipher algorithm mode for AES-WRAP. Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html. On the primary server the source file and its digital signature is: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.bz2 (1125k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.bz2.sig This file is bzip2 compressed. A gzip compressed version is also available: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.gz (1391k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.6.tar.gz.sig Alternativley you may upgrade version 1.4.5 using this patch file: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.5-1.4.6.diff.bz2 (16k) The SHA-1 checksums are: 445b9e158aaf91e24eae3d1040c6213e9d9f5ba6 libgcrypt-1.4.6.tar.bz2 dbe3fee0a9eea8128a1e47c973e0f432a62bfaa2 libgcrypt-1.4.6.tar.gz 9361c5ee7861548a4822e58baba95c81ec878384 libgcrypt-1.4.5-1.4.6.diff.bz2 For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. Note that this version is from the stable branch; the current development version is available at svn://cvs.gnupg.org/libgcrypt/trunk . Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improve the software [2], order extensions or support or more general by donating money to the Free Software movement (e.g. http://www.fsfe.org/donate/). Commercial support contracts for Libgcrypt are available [3], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company, is currently funding Libgcrypt development. We are always looking for interesting development projects. Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Happy hacking, Werner [1] See http://www.gnupg.org/documentation/mailing-lists.html. [2] Note that copyright assignments to the FSF are required. [3] See the service directory at http://www.gnupg.org/service.html. -- g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459 Hüttenstr. 61 Geschäftsführung Werner Koch D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608 pgpdL8guAUNpp.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 2.0.16 released
Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.16. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.10) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPL version 3). GnuPG-2 works best on GNU/Linux or *BSD systems. What's New === * If the agent's --use-standard-socket option is active, all tools try to start and daemonize the agent on the fly. In the past this was only supported on W32; on non-W32 systems the new configure option --use-standard-socket may now be used to use this feature by default. * The gpg-agent commands KILLAGENT and RELOADAGENT are now available on all platforms. * Minor bug fixes. Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.16 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/gnupg/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the FTP server and its mirrors you should find the following files in the gnupg/ directory: gnupg-2.0.16.tar.bz2 (3910k) gnupg-2.0.16.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.15-2.0.16.diff.bz2 (51k) A patch file to upgrade a 2.0.15 GnuPG source tree. This patch does not include updates of the language files. Note, that we don't distribute gzip compressed tarballs for GnuPG-2. Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.16.tar.bz2 you would use this command: gpg --verify gnupg-2.0.16.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.16.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.16.tar.bz2 and check that the output matches the first line from the following list: e7eb4f60026884bd90803b531472bc518804b95d gnupg-2.0.16.tar.bz2 be77c0ba597b9ad9e38941e85ba1750890067227 gnupg-2.0.15-2.0.16.diff.bz2 Internationalization GnuPG comes with support for 27 languages. Due to a lot of new and changed strings many translations are not entirely complete. Jedi, Maxim Britov, Jaime Suárez and Nilgün Belma Bugüner have been kind enough to go over their translations and thus the Chinese, German, Russian, Spanish, and Turkish translations are pretty much complete. Documentation = We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing
Re: [Announce] GnuPG 2.0.16 released
On Wed, 21 Jul 2010 00:31, jcr...@gmail.com said: - option --use-standard-socket may now be used to use this feature by + option --enable-standard-socket may now be used to use this feature by Thanks. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG seems broken on FC13 after upgrade.
On Wed, 21 Jul 2010 16:33, ds...@jabberwocky.com said: Fedora 13 removed 'gnupg' (i.e. gnupg 1.4.x) and caused the 'gnupg2' (i.e. gnupg 2.x) package to replace it. This breaks all sorts of scripts and things that were written to use 1.4.x. FWIW, the new 2.0.16 may help to mitigate this problem if the --use-standard-socket option is used. The agent will then be started if needed. You can't use this feature if your home directory is NFS mounted or you are not using X. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Security Alert for GnuPG 2.0 - Realloc bug in GPGSM
Realloc Bug with X.509 certificates in GnuPG == 2010-07-23 Summary === While trying to import a server certificate for a CDN service, a segv bug was found in GnuPG's GPGSM tool. It is likely that this bug is exploitable by sending a special crafted signed message and having a user verify the signature. [ Please do not send private mail in response to this message. The mailing list gnupg-devel is the best place to discuss this problem (please subscribe first so you don't need moderator approval [1]). ] Impact == All applications using GnuPG's GPGSM tool to process S/MIME messages or manage X.509 certificates are affected. The bug exists in all versions of GnuPG including the recently released GnuPG 2.0.16. GPG (i.e. OpenPGP) is NOT affected. GnuPG 1.x is NOT affected because it does not come with the GPGSM tool. An exploit is not yet known but it can't be ruled out for sure that the problem has not already been identified by some dark forces. Description === Importing a certificate with more than 98 Subject Alternate Names [2] via GPGSM's import command or implicitly while verifying a signature causes GPGSM to reallocate an array with the names. The bug is that the reallocation code misses assigning the reallocated array to the old array variable and thus the old and freed array will be used. Usually this leads to a segv. It might be possible to use one of the techniques to exploit assignments to malloced and freed memory. Such an exploit won't be easy to write because the attack vector must fit into a valid ASN.1 DER encoded DN. To further complicate the task, that DN is not used directly but after a transformation to RFC-2253 format. Solution Apply the following patch. The patch is required for all GnuPG versions 2.0.17. It applies to 2.0.16 but should apply to many older versions as well. --- kbx/keybox-blob.c (revision 5367) +++ kbx/keybox-blob.c (working copy) @@ -898,6 +898,7 @@ rc = gpg_error_from_syserror (); goto leave; } + names = tmp; } names[blob-nuids++] = p; if (!i (p=x509_email_kludge (p))) Support === g10 Code GmbH [3], a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. Support contracts or other financial backing will greatly help us to improve the quality of GnuPG. Thanks == Peter Gutmann for his A mighty fortress is our PKI mail to the cryptography ML which contained a pointer to a certificate to exhibit the problem. This bug was created, found and fixed by Werner Koch. [1] See http://lists.gnupg.org/mailman/listinfo/gnupg-devel [2] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/*checkout*/trunk/tests/samplekeys/cert-with-117-akas.pem [3] See http://www.gnupg.org/service.html -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpwKRloYykj3.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG2 SSH SmartCard Private Key Auth
The problem though is when I'm trying to get SSH to work with it. It wont authenticate. Does ssh-add -l sdhow the key? 2010-07-23 20:01:57 gpg-agent[1315] gpg-agent (GnuPG) 2.0.13 started It would better to try 2.0.16 becuase that is the one I can test. 2010-07-23 20:03:38 gpg-agent[1315] failed to build S-Exp (off=0): Bad character in S-expression Somewhere in agent/findkey.c - you need to debug it. Tracing which files gpg-agent opens might help - it will be one below private-keys-v1.d. Look at that file using /usr/local/libexec/gpg-protect-tools FILE Does it parse cleanly? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: SHA2 digest, V2 smartcard and gpg-agent problem
Stanislav Sidorenko stanis...@sidorenko.biz writes: I've made a quickdirty fix that enables using SHA256 instead of RIPEMD160. hashalgo == GCRY_MD_SHA256? --hash=sha256 : , Okay. I just fixed that and gnupg 1 will now allow all hash algorithms. Note that this change is only required if you use gpg 1 with gpg-agent. In general it is better to use gpg2 - we keep gpg mainly for server operations and then it uses the integrated card stuff - without scdaemon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: verifying hashes with Gnupg
On Wed, 21 Jul 2010 16:52, ved...@nym.hush.com said: windows command line doesn't recognize it (without cygwin) The gpg4win SVN has a sha1sum, sha256sum and md5sum complete with check option and proper filename special character escaping. It will be part of all future gpg4win releases. It is one simple source file. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG2 SSH SmartCard Private Key Auth
On Sat, 24 Jul 2010 15:09, frankste...@gmail.com said: gpg-protect-tool: invalid S-Expression in E1771DB82D9516EE5866A3E617AE04ACE36B3574.key' (off=0): Unexpected reserved punctuation in S-expression There is somewthing wrong ;-). You need to look at the file to see what the problem is. Or step with the debug through it to see which parts gives the error messages. The problem is that it contains your private key (passphrase protected) and tus should not be send around. Any special characters in the ssh key comment? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --batch --yes --edit-key trust
On Mon, 26 Jul 2010 10:01, m...@proseconsulting.co.uk said: gpg --fingerprint --list-keys $1 |\ $AWK -v tmpfile=$TMPFILE -v trustlevel=$2 ' Please use --with-colons for all scripts. The standard output is only for humans. Something like gpg --with-colons --with-fingerprint --list-keys $1 |\ $AWK -F: -v tmpfile=$TMPFILE -v trustlevel=$2 ' $1 == fpr { fpr=$10 } should do the job. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: file contained no OpenPGPdata
On Tue, 27 Jul 2010 18:33, stargr...@stargrave.org said: successfully used. GnuPG supports many other various ciphers such as CAMELIA, Blowfish, Twofish, AES. You should recompile it with the needed ones. In fact the standard demands a preference system where your key declares what algorithms you support. 3DES is the last resport algorithm and as such always available. IDEA for example is an optional algorithm. An implementation which uses an algorithm not given in the preferences of the key is not standard conform. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] Security Alert for GnuPG 2.0 - Realloc bug in GPGSM
Hi, some more inforrmation about this bug On Fri, 23 Jul 2010 14:36, w...@gnupg.org said: bug was found in GnuPG's GPGSM tool. It is likely that this bug is exploitable by sending a special crafted signed message and having a On a first view this might actually happen. However, after some thinking or well, taking a shower in the morning, I come to the conclusion that writing an exploit for this bug is a too hard problem for an entity of the Deep Though designed computer. Here is what happens: 1. We parse each subjectAltName and convert it into a plain C string. This string is allocated on the heap and the address of that string (a pointer) is stored in an array. 2. That array has initially been allocated with space for 100 entries. The first two entries are used for the issuer and subject name and subjectAltNames are stored following them. 3. If the parser (step 1) wants to store the 99th subjectAltName string, the code detects that the array is full and uses realloc to reallocate the array with space for 100 more entries. The 99th pointer is then stored in the next slot of the reallocated array. 4. The bug is that we did not complete the reallocation but continued to use the old array and may now write out of bounds. Two cases may happen: The realloc function is able to extend the array, in which case no harm is done because the missing assignment of the new array would have been superfluous as it the same address. The more likely case is that realloc allocates a new memory block, copies the old array to the new array and frees the old array. 5. Thus when writing the 99th subjectAltName string we write into freed space, which is a no-no. We even write out of bounds in the freed space, so all kind of harm may happen. This is always a severe bug which is likey to be expoitable. Now, why do I think this is not exploitable: It is the simple fact that the attacker can't control the value which is written into the freed memory block. The value we are writing comes from our own malloc which at that point is working as expected because the entire heap has not yet been damaged (modulo other bugs in the code of course). Now the heap is corrupted and all future calls mallocs or free may to weird things. Usually you will see a segv then. To exploit it, an attacker needs to hope that an overwrite (using a malloc returned pointer) does harmful things but doesn't stop the execution and continues to parse his certificate. One of the next subjectAltName need to overwrite a function and set it to (already existing) code which does the actual attack. You may prove me wrong, but I dount that anyone will spend time on finding such an exploit. It would be much faster to look for other, not yet known, bugs. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG seems broken on FC13 after upgrade.
On Wed, 21 Jul 2010 00:15, jjpe...@water.com said: trying to figure out what happened. If the interface is being changed in this manner than it would seem that simple code to check for a responding X-server or if the X-server connection is denied, it would fall back to curses style windows. That is a good suggestion. We currently only look on the presence of the DISPLAY envvar but don't do any test: /* Simple test to check whether DISPLAY is set or the option --display was given. Used to decide whether the GUI or curses should be initialized. */ int pinentry_have_display (int argc, char **argv) { #ifndef HAVE_W32CE_SYSTEM const char *s; s = getenv (DISPLAY); if (s *s) return 1; #endif for (; argc; argc--, argv++) if (!strcmp (*argv, --display)) return 1; return 0; } If someone can come up with a simple test to check the presence of an X server, it should be easy to include it. Note that we don't use Xlib directly but GTk+ or Qt. I don't know whether gtk_init returns an error and we would be able fallback to the curses implementation then. Anyone care to test this? (pinentry/gtk+-2/pinentry-gtk-2.c)/ Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Importing/Merging (secret) subkey into existing secret key
On Sun, 1 Aug 2010 11:34, mailinglis...@hauke-laging.de said: be changed in 2.1 which will solve this kind of problem. But for 2.0.x this will not be changed. We won't change it for 1.4 either. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Accessing the 2nd card reader
On Wed, 11 Aug 2010 09:47, rich...@r-selected.de said: However, GnuPG only recognizes the 1st reader: If you enter scd help getinfo you can see this in the scdameon log file: : chan_10 - # reader_list - Return a list of detected card readers. Does : chan_10 - # currently only work with the internal CCID driver. Thus it does not work with pcscd. To convince pcscd to use the second reader you need to use the reader-port REINER SCT CyberJack pp_a or a bit more of the string shown by opensc-tool. I am not sure how it formats the reader description. Scdaemon compares the reader-port against the reader description as returned by pcsc_list_reader. The problem with pcsc is that we need a wrapper on most system and this wrapper does not return the list of readers. We have plans to drop this wrapper in 2.1. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Decryption Error
On Fri, 13 Aug 2010 03:17, r...@sixdemonbag.org said: received no response. I wish I had answers for you. All I can do instead is tell you your best bet will probably involve writing JNI wrappers for GPGME. Isn't http://github.com/smartrevolution/gnupg-for-java that what he needs? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg for windows mobile 6.5 smartphone
On Wed, 11 Aug 2010 18:18, timbern...@gmail.com said: i have recently bought a samsung omnia 2 smartphone with windows mobile 6.5 as the OS. There is some hope for you. Meanwhile the entire GnuPG-2 system has been ported to that OS. Our target device is the HTC touch pro 2 but I don't think that we use any HTC specific API. See http://saegewerk.intevation.de/wince-packager/index.html which also has a link to an installer. Well this is only command line and thus not very useful unless you succeed installing sshd on the device (we have a package for that as well somewhere, can't remember the URL, though) and then use putty for Wince to get a terminal. Writing a simple application to encrypt the clipboard should not be very hard if you are used to native Windows programming. GPGME is fully ported and takes care of invoking the required GnuPG modules. There are some little things missing: For example we can't easily import an OpenPGP key - that is something I am going to implement next week. Dirmngr needs to be started manually - that should me fixed by Monday/ The final plan is to have KDEPIM running on the box. We are currently shrinking the KDE code and working on tricks to stuff all the code into the interesting virtual memory architecture. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Accessing the 2nd card reader
On Thu, 12 Aug 2010 09:41, simon.rich...@hogyros.de said: Can the system be adapted to scan all readers when looking for a specific card, and to rescan for new readers when it prompted the user to insert a card? Yeah those cards with readers are a real problem. We need to do something about it. I am still using my old card - as soon as I move to a new card with an USB stick reader I need to solve it ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: libkleo.dll can't load within TheBat! or be registered
On Sun, 15 Aug 2010 01:25, emylists...@gmail.com said: gpg4win seems to work fine except when trying to load up kleopatra.exe from within TheBat! ///[error msg]/ kleopatra.exe - Unable to Locate Component Please check the source code to see what is going wrong. Ooops - No source code? - Then please ask the makers of The Bat. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Importing subkeys from smartcard
On Tue, 17 Aug 2010 11:31, j...@seiken.de said: to import my public key from a keyserver. But if done so gnupg doesn't recognize the private subkeys stored on the smartcard. How do I tell gnupg where it should look for the private subkeys? Insert the smartcard and run gpg --card-staus (--card-edit) again. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP Card - general error unblocking PIN
On Wed, 25 Aug 2010 21:47, ti...@xroot.org said: GnuPG is version 1.4.9 and I'm using the second version of the card. 1.4.9 does not support this card. Upgrade to 1.4.10. One thing I also noticed is that the PIN retry counter has the following values: 3 0 3 There is no PIN2 anymore thus we don't have a retry counter for it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Redirecting STDIN
On Sun, 29 Aug 2010 22:40, jpboa...@yahoo.com said: This problem exists with gpg and with the older pgp 2.x. I'd like to solve it by redirecting STDIN because pgp 2.x doesn't implement the options that you specify. Use --batch i you don't want to be asked. For automating GPG processing you need to look into --command-fd and --status-fd or better use gpgme. GPG has nothing in common with PGP - it is an entrely different software. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: problem with static libgpg-error 1.9 on MinGW
On Mon, 30 Aug 2010 20:28, mabr...@mabrand.nl said: I have been working on updating from libgpg-error-1.8 to libgpg-error-1.9 in mingw-cross-env. Mingw-cross-env is a cross Actually you may only build libgpg-error with a cross compiler; in particular mingw32 (but not using that newer (Debian) gcc-mingw32 thingie, which is broken) building environment for MinGW. One of its features is that it builds static versions of all its libraries. I am not sure whether building libgpg-error as static library works. It uses thread local storage and is thus better initialized using dllmain(). ./autogen.sh --build-w32 --enable-static might build the static lib - I can't test right now. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: scdaemon loses connection when I unplug/replug a crypto-stick
On Wed, 8 Sep 2010 01:21, k...@grant-olson.net said: I imagine that the cryptostick is a little unique in this regard. Most Not really, I have an USB stick size card reader and thus the same problem. Anyone know of an easy way for me to fix this? No. I know how to fix that but it needs some code rewrite. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why do smart cards have a 'sex' option?
On Wed, 1 Sep 2010 11:17, pe...@digitalbrains.com said: My guess is it is to address the user correctly in dialogs, in some languages. The sex of the person addressed might determine the grammatical gender of words used in dialogs. I've forgotten which languages have this feature, but I'm Right, this is a ISO standard field for smart cards. The name and its uncommon encoding is another example for an ISO standard field. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
1.4.11 release candidate (was: Overflow bug in bzip2)
Hi, The Windows installer version of GnuPG 1.4 uses a statically linked bzip library. Thus the bzip2 bug affects this version. We have not done a gnupg 1.4 release for more than a year. I believe it is best to first do a release candidate. There a couple of bug fixes collected over the last year to go into 1.4.11, but nothing really important. However to build the 1.4 windows installer we better use the new source along with an updated bzip. Here we go: GnuPG 1.4.11 release candidate 1 is availabale at ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.11rc1.tar.bz2 (3360k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.11rc1.tar.bz2.sig and the Windows installer with the updated bzip2 at: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-w32cli-1.4.11rc1.exe (1607k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-w32cli-1.4.11rc1.exe.sig SHA-1 checksums are: 56a9da797bf17f6447f1243ac682d4e7b91e24f0 gnupg-1.4.11rc1.tar.bz2 c6f421a7874c734d1d66bd756d1a5ee3cd5a44ee gnupg-w32cli-1.4.11rc1.exe Please check it out and report problems to this list. Note that translations are not completely up to date. We are also preparing a new version of Gpg4win; this may take a couple of days. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.11 release candidate
On Thu, 23 Sep 2010 14:20, war_is_pe...@privatdemail.net said: While you're at it, you might want to update zlib to version 1.2.5 - looking at the source, it seems that the currently used version is 1.1.4. I see no reason for such an update. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.11 release candidate
On Thu, 23 Sep 2010 20:59, li...@michel-messerschmidt.de said: On Thu, Sep 23, 2010 at 08:26:19PM +0200, Werner Koch wrote: On Thu, 23 Sep 2010 14:20, war_is_pe...@privatdemail.net said: While you're at it, you might want to update zlib to version 1.2.5 - looking at the source, it seems that the currently used version is 1.1.4. I see no reason for such an update. CVE-2003-0107 ? That is about a buffer overflow in gzprintf - we don't use those high level functions. Actually the included zlib code is stripped down to the bare minimum. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import key to smart cards
On Tue, 5 Oct 2010 13:18, kolad...@web.de said: My question is: How can I import a (sec-pub-)key which was generated on a crypto stick (containing an integrated smart card) into another crypto stick? A crypto stick like: The whole point of generating keys on a smartcard is that it is impossible to get it back out of the card - you may only use the generated key with certain command provided by the smartcard. And thus you can't import it to another smartcard. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confirmation for cached passphrases useful?
On Tue, 12 Oct 2010 04:44, d...@fifthhorseman.net said: (e.g. one process can send a simulated mouseclick to another process pretty easily) but that doesn't mean no one is running with a The standard pinentry grabs mouse and keyboard and thus we should be protected against this kind of attack. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confirmation for cached passphrases useful?
On Tue, 12 Oct 2010 09:05, d...@fifthhorseman.net said: the kbd and mouse events. It doesn't prevent synthesized events from triggering those inputs (e.g. clicking OK on a button). You are right. However it is the only protection we can use on X; it might be helpful in some cases, but as you showed not in this one. Anyway, if you are already have these permissions you can attack the keys with all kind of simple tricks. Thus it is mood. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confirmation for cached passphrases useful?
On Tue, 12 Oct 2010 11:10, mailinglis...@hauke-laging.de said: There are ways to prevent this. E.g. I protect important and hardly ever changed files like ~/.gnupg/options with root priviledge (chattr immutable on It doesn't help - you need to protect gpg.conf and gpg.conf-2 and gpg.conf-2.0 and so on. BTW, ~/.gnupg/options is deprecated for ages. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confirmation for cached passphrases useful?
On Wed, 13 Oct 2010 17:51, d...@fifthhorseman.net said: If i run the agent locally, and forward access to it to a constrained account, then the constrained account (which is talking to the agent) *does not* have the ability to simulate such X11 events. You mean to a different X server? For example from a nested one to the main X server? Then why do you want to have this yes/no prompt, the other X server has no access to the pinentry. I doubt that it is possible to have a restricted account running on the same X server. requires, say, an ACPI event, or a special keypress (not an X11 event) from a designated hardware button. in that case, malicious code with access to the X11 session could detect that a prompt had been made, and If there is malicious code running on your machine with access to resources under your control, I can only say: game over. No external button will help you here. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confirmation for cached passphrases useful?
On Thu, 14 Oct 2010 20:03, sascha-ml-reply-to-201...@silbe.org said: One instance where the proposed mechanism (in conjunction with the new version of gpg-agent that will handle the secret keys itself) would be Just for the records: This is no new mechanism of the agent. It is in use for about 8 years now. The change is that GPG uses this mechanism now, in the past only GPGSM and the the ssh-agent support in gpg-agent used it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confirmation for cached passphrases useful?
On Fri, 15 Oct 2010 12:55, mailinglis...@hauke-laging.de said: Following your pessimistic attitude there would hardly be any reason not to work as root. Nope. Not working under root is important to keep the system stable and provide access restrictions to the non-malicious users. OTOH, it is hard enough to close all remotely exploitable bugs. Given the constant proliferation of local privilege escalation bugs, it seems to me not possible for the majority of systems to keep them *all* closed. Look only on how many admins are proud of their system's uptimes and check for example the list of severe Linux bugs. If you want to protect your keys, use a smartcard or a second box acting similar to a smartcard. Nevertheless, the confirmation prompt for a cached passphrase is not entirely unfounded given that we have quite some feature in gpg-agent which are more questionable (e.g. the whole passphrase quality checking stuff). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 1.4.11 released
Hello! We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.11. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility, samrtcard support and is compliant with the OpenPGP Internet standard as described by RFC-4880. Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build and also better portable. In contrast to GnuPG-2 (e.g version 2.0.16) it comes with no support for S/MIME or other tools useful for desktop environments. Fortunately you may install both versions alongside on the same system without any conflict. What's New === * Bug fixes and portability changes. * Minor changes for better interoperability with GnuPG-2. Getting the Software Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 1.4.11 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the mirrors you should find the following files in the *gnupg* directory: gnupg-1.4.11.tar.bz2 (3327k) gnupg-1.4.11.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-1.4.11.tar.gz (4603k) gnupg-1.4.11.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.4.10-1.4.11.diff.bz2 (205k) A patch file to upgrade a 1.4.10 GnuPG source tree. This patch does not include updates of the language files. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: gnupg-w32cli-1.4.11.exe (1588k) gnupg-w32cli-1.4.11.exe.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. This is a command line only version; the source files are the same as given above. Note, that this is a minimal installer and unless you are just in need for the gpg binary, you are better off using the full featured installer at http://www.gpg4win.org . Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.11.tar.bz2 you would use this command: gpg --verify gnupg-1.4.11.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com | gpg --import or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.11.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-1.4.11.tar.bz2 and check that the output matches the first line from the following list: 78e22f5cca88514ee71034aafff539c33f3c6676 gnupg-1.4.11.tar.bz2 bffb0c60b2e702980f7148ee3a060f29adc82331 gnupg-1.4.11.tar.gz 631b5129f918b7d30247ade8bcc27908951eaea0 gnupg-w32cli-1.4.11.exe f17729146c18d9288005ac0d93489c333c729345 gnupg-1.4.10-1.4.11.diff.bz2 Internationalization GnuPG comes with support for 28 languages. Due to a lot of new and changed strings some translations are not entirely complete. The Chinese (Simple and Traditional), Czech, Dutch, French, German, Norwegian, Polish, Romanian, Russian, Spanish, Swedish and Turkish translations are close to be complete. Support === Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, order extensions or support or more general by donating money to the Free Software
Re: [Announce] GnuPG 1.4.11 released
On Mon, 18 Oct 2010 18:36, jhar...@widomaker.com said: The .exe is there and matches the SHA-1, but the .sig isn't there: Ooops. Forgot to upload that one - fixed. Sorry. the .tar.bz2{,.sig} files yet. Ever consider publishing a .torrent with web-based seeds? http://mktorrent.sourceforge.net/ should make Actually, our FTP server would not have a problem to serve all requests. The mirrors are more a historics thing but more an more folks wan't to mirror (I recently added a rel=nofollow in case some of them intent to bump up their page rank). I should change the wording of the announcement. Thanks for the hint of the mktorrent; maybe I can add this to our webpage anyway. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is there a maximum length for an OpenPGP UID?
On Fri, 22 Oct 2010 02:29, expires2...@ymail.com said: Does it matter how many characters are for real name, comment, email address, or is it just a limit to the total length? The limit is on the total length: /* Cap the size of a user ID at 2k: a value absurdly large enough that there is no sane user ID string (which is printable text as of RFC2440bis) that won't fit in it, but yet small enough to avoid allocation problems. A large pktlen may not be allocatable, and a very large pktlen could actually cause our allocation to wrap around in xmalloc to a small number. */ If you create a new user ID which is longer than the limit and you try to use the key you will get an invalid packet error message. There are no checks on the maximum length while creating a user id. Other implementations of OpenPGP may have different or no such constraints. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgkey2ssh
On Fri, 22 Oct 2010 03:58, aaron.topo...@gmail.com said: First, there is _ZERO_ documentation for this binary. No manual, no info page, nothing under /usr/share/doc/, segfaults pasing -h or --help. Ah well, it should be removed from the package. It used to be a kind of debug tool but I never used it in all these years. The plan was to replace it with a special export option: gpg2 --export-options export-sexp-format --export-secret-key KEYID but that has never been fully implemented. The forthcoming GnuPG 2.1 makes it obsolete. of me. Correct me if I'm wrong, but I should be able to add this identity to the running SSH agent through ssh-add, no? Here's the No. It the other way around. The whole point of the ssh support is to replace ssh-agent: gpg-agent if started with the option --enable-ssh-support implements the ssh-agent-protocol and thus works with ssh and ssh-add. With a running gpg-agent you can do ssh-add and gpg-agent imports the key into its own private key database. After you have done that you may remove the private keys from .ssh/. IF you later run ssh-add -l it will show you the ssh keys gpg-agent knows about. To better control this you may use the ~/.gnupg/sshcontrol file: `sshcontrol' This file is used when support for the secure shell agent protocol has been enabled (*note option --enable-ssh-support::). Only keys present in this file are used in the SSH protocol. You should backup this file. The `ssh-add' tool may be used to add new entries to this file; you may also add them manually. Comment lines, indicated by a leading hash mark, as well as empty lines are ignored. An entry starts with optional whitespace, followed by the keygrip of the key given as 40 hex digits, optionally followed by the caching TTL in seconds and another optional field for arbitrary flags. A non-zero TTL overrides the global default as set by `--default-cache-ttl-ssh'. The keygrip may be prefixed with a `!' to disable an entry entry. The following example lists exactly one key. Note that keys available through a OpenPGP smartcard in the active smartcard reader are implicitly added to this list; i.e. there is no need to list them. # Key added on 2005-02-25 15:08:29 5A6592BF45DC73BD876874A28FD4639282E29B52 0 If you want to use an existing gpg key with ssh you need a way to put it into gpg-agent. If you use smartcards then there is no need for this because gpg-agent does that of its own. *GnuPG 2.1* will make it really easy to use an existing key for ssh: $ gpg2 --with-keygrip -K CD8687F6 sec 1024D/CD8687F6 2006-01-17 Keygrip = 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C uid Heinrich Heine heinri...@duesseldorf.de ssb 1024g/4ECFEF6F 2006-01-17 Keygrip = 654EFA6F19DF08ABFEB88092BC4867D4C5A95460 Now you only need to put a line 21EB68B1FFA01EF777E2D0B1A92A2276D82C2F1C 0 into sshcontrol and gpg-agent offers the primary key CD8687F6 to ssh if it asks for a list private key (check with ssh-add -l). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Security considerations: CAST-128
On Thu, 21 Oct 2010 18:41, danthe...@gmail.com said: I'm not sure how computationally feasible they are. According to the paper, successful attacks were conducted on a 4 and 6 round version of CAST-128. You can mount attacks on all algorithms if you reduce the number of rounds. In particular if you reduce them from 16 to 4. Without having read the paper I am pretty sure that an attack on a reduced round version of CAST has has no practical consequence. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: card inactive
On Sun, 24 Oct 2010 20:40, osa...@gnu.org said: I wonder if it's the smartcard reader (SCR335) or the smartcard itself. It pretty much looks like the card is broken. If you have a chance to try the card on another reader, please do that to be sure that there is no other problem. Ask the FSFE folks for a replacement. You may also try a different card - a bancking card for example. The PowerOn command needs to succeed on any smartcard. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgkey2ssh
On Fri, 22 Oct 2010 18:04, ha...@hawkesnest.net said: Why does it not do this on its own for non-smartcard authentication keys? Shouldn’t they already be in gpg-agent? gpg-agent does not known about GPG or OpenPGP or X/509. Thus there is no chance it may known about an key stored in GPG's keyrings. You could script something to automagically add all OpenPGP keys flagged as authentication key into gpg-agent for ssh's use. However you don't want that: The ssh-agent protocol iterates over all keys the agent returns and tries them all in turn (over the network). Thus with tens of keys it takes really long to setup an ssh connection. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 2.1 beta released
Hello! We just released the first *beta version* of GnuPG 2.1. It has been released to give you the opportunity to check out the new features. It is marked as a beta versions and the plan is to release a couple more betas in the next months before we can declare 2.1.0 stable enough for general use. In any case the 2.1 series won't replace the 2.0 series. If you need stable and fully maintained version of GnuPG, you should in general use 2.0.x or even 1.4.x. Eventually we will release 2.2 as the new stable version but that may take some time. Noteworthy changes in version 2.1.0beta1 * GPG does not anymore use secring.gpg but delegates all secret key operations to gpg-agent. The import command moves secret keys to the agent. * The OpenPGP import command is now able to merge secret keys. * The G13 tool for disk encryption key management has been added. * If the agent's --use-standard-socket option is active, all tools try to start and daemonize the agent on the fly. In the past this was only supported on W32; on non-W32 systems the new configure option --disable-standard-socket may now be used to disable this new default. * Dirmngr is now a part of this package. Dirmngr is now also expected to run as a system service and the configuration directories are changed to the GnuPG name space. * Removed GPG options: --export-options: export-secret-subkey-passwd --simple-sk-checksum * New GPG options: --try-secret-key * Support DNS lookups for SRV, PKA and CERT on W32. * The default for --include-cert is now to include all certificates in the chain except for the root certificate. * Numerical values may now be used as an alternative to the debug-level keywords. * New GPGSM option --ignore-cert-extension. * Support for Windows CE. * Given sufficient permissions Dirmngr is started automagically. * Bug fixes. Migration from 1.4 or 2.0 = The major change in 2.1 is that gpg-agent now takes care of the OpenPGP secret keys (those managed by GPG). The former secring.gpg will not be used anymore. Newly generated keys are generated and stored in the agent's key store (~/.gnupg/private-keys-v1.d/). To migrate your existing keys to the agent you should run this command gpg2 --import ~/.gnupg/secring.gpg The agent will you ask for the passphrase of each key. You may use the Cancel button of the Pinentry to skip importing this key. If you want to stop the import process and you use one of the latest pinentries, you should close the pinentry window instead of hitting the cancel button. Secret keys already imported are skipped by the import command. It is advisable to keep the secring.gpg for use with older versions of GPG. Note that gpg-agent now uses a fixed socket by default. All tools will start the gpg-agent as needed. In general there is no more need to set the GPG_AGENT_INFO environment variable. The SSH_AUTH_SOCK environment variable should be set to a fixed value. GPG's smartcard commands --card-edit and --card-status as well as the card related sub-commands of --edit-key are not yet supported. However, signing and decryption with a smartcard does work. The Dirmngr is now part of GnuPG proper. Thus there is no more need to install the separate dirmngr package. The directroy layout of Dirmngr changed to make use of the GnuPG directories; for example you use /etc/gnupg/trusted-certs and /var/lib/gnupg/extra-certs. Dirmngr needs to be started as a system daemon. Getting the Software GnuPG 2.1 is available at ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta1.tar.bz2 ftp://ftp.gnupg.org/gcrypt/gnupg/unstable/gnupg-2.1.0beta1.tar.bz2.sig and soon on all mirrors http://www.gnupg.org/mirrors.html. Note, that GnuPG is not available at ftp.gnu.org. Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * You are expected to have a trusted version of GnuPG installed, thus you may simply check the supplied signature. For example to check the signature of the file gnupg-2.1.0.tar.bz2 you would use this command: gpg --verify gnupg-2.1.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a key server like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you
Re: Help with the --batch option...
On Tue, 26 Oct 2010 22:30, dkara...@tc3health.com said: We are running GPG 1.2.0 in production. We use it to decrypt all the That one is an 8 years old version and this 1.2 series entered end of life status 5 years ago. 1 - What do I need to do with gpg 1.4.11 so that it will decrypt pgp files in batch mode. With hundreds of files coming in daily it is just From the command lines you posted 1.2. was not able to do this either. It might be that we chnaged something related to batch processing but that was a bug fix then. so I don't know what was done with 1.2.0 to make it work fine with the --batch option. Either no passpharse was set for the key or the option --passphrase-fd was used. What you can do is to remove the passphrase from the key or use one of the options: --passphrase-fd, --passphrase-file or --passphrase. 2 - What fix was applied to 1.4.11 that solved the issue I am having in 1.2.0, and is there an option I could pass to GNUPG 1.2.0 that would correct or work around the issue? Too many changes over the years too quickly answer this. Likey candidates are: 2010-06-18 * parse-packet.c (skip_packet, parse_gpg_control): Take care of premature EOFs. Backport from trunk. 2009-05-05 * parse-packet.c (parse): Remove special treatment for compressed new style packets. Fixes bug#931. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Fix for GnuPG 1.4.11 on MIPS using gcc
Hi, While building GnuPG 1.4.11 on MIPS a build problem was encountred. Please try the patch below which should fix the problem. Salam-Shalom, Werner 2010-10-28 Werner Koch w...@g10code.com * longlong.h: Revert last two changes and replace by code from libgcrypt 1.4.6. --- mpi/longlong.h (revision 5466) +++ mpi/longlong.h (working copy) @@ -710,12 +710,13 @@ ** MIPS * ***/ #if defined (__mips__) W_TYPE_SIZE == 32 -#if __GNUC__ 4 || ( __GNUC__ == 4 __GNUC_MINOR__ = 4 ) -#define umul_ppmm(w1, w0, u, v) \ +#if (__GNUC__ = 5) || (__GNUC__ == 4 __GNUC_MINOR__ = 4) +#define umul_ppmm(w1, w0, u, v) \ do { \ -UDItype __ll = (UDItype)(u) * (v); \ -w1 = __ll 32;\ -w0 = __ll; \ +UDItype _r; \ +_r = (UDItype) u * v; \ +(w1) = _r 32;\ +(w0) = (USItype) _r;\ } while (0) #elif __GNUC__ 2 || __GNUC_MINOR__ = 7 #define umul_ppmm(w1, w0, u, v) \ @@ -742,14 +743,15 @@ ** MIPS/64 ** ***/ #if (defined (__mips) __mips = 3) W_TYPE_SIZE == 64 -# if __GNUC__ 4 || ( __GNUC__ == 4 __GNUC_MINOR__ = 4 ) +# if (__GNUC__ = 5) || (__GNUC__ == 4 __GNUC_MINOR__ = 4) + typedef unsigned int UTItype __attribute__ ((mode (TI))); # define umul_ppmm(w1, w0, u, v) \ - do { \ - typedef unsigned int __ll_UTItype __attribute__((mode(TI))); \ - __ll_UTItype __ll = (__ll_UTItype)(u) * (v); \ - w1 = __ll 64; \ - w0 = __ll; \ - } while (0) + do { \ +UTItype _r; \ +_r = (UTItype) u * v; \ +(w1) = _r 64;\ +(w0) = (UDItype) _r;\ + } while (0) # elif if __GNUC__ 2 || __GNUC_MINOR__ = 7 # define umul_ppmm(w1, w0, u, v) \ __asm__ (dmultu %2,%3\ -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2.1.0beta1 - Smartcard Support?
On Sun, 31 Oct 2010 19:20, jcr...@gmail.com said: Is it typical for smartcard support not to be in beta versions? From the announcement: GPG's smartcard commands --card-edit and --card-status as well as the card related sub-commands of --edit-key are not yet supported. However, signing and decryption with a smartcard does work. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Please remove pgp.mit.edu from keys.gnupg.net
On Mon, 1 Nov 2010 00:24, d...@fifthhorseman.net said: I recommend you remove pgp.mit.edu (18.9.60.141) from the keys.gnupg.net DNS round robin until the server begins re-syncing properly with the global pool. Done. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 2.1.0beta1 - Smartcard Support?
On Tue, 2 Nov 2010 03:51, jcr...@gmail.com said: However, things seem not to be working with subkeys. I'm getting Need the secret key to do this or no default secret key for a many That is quite possible. I only did a brief test which showed that I was abale to sign packages. Most smart card related code has been disabled becuase it needs to be changed (the code assumes a local secring.gpg). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fw: compile errors
On Tue, 2 Nov 2010 15:12, dcent...@ydl.net said: Thanks for your response Heinz. However the latest version of libassuan was compiled first and installed (as per instructions provided in the compilation procedure of gnupg 2.0.16) before compiling gnupg 2.0.16. See here: In any case, GnuPG would error out during configure if there is no suitable libassuan installed. It does not run real test programs, though. I think I've got to recompile gnupg so that it refers to the location where libassuan is found. Check which libassuan-config you are using. And you may need to run ldconfig, etc.; see the noisy messages during make install of libassuan. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Pinpad on Cyberjack
On Thu, 4 Nov 2010 20:27, georgschm...@gmx.at said: It has been reported in the past, that the pinpad on the Cyberjack didn't work with gpg2 and I was wondering whether that still was the case or whether with the new drivers it should be OK now. Or is there an option, which tells the program that the PIN is expected from the pinpad and not the keyboard? The PINpad only works with the internal CCID driver. And with that each tested driver needs to be enabled. See scd/ccid-driver.c. There is no support for PINpads when using pcscd. We could add it but I prefer the internal driver which works very well with my readers. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: changing usage flags on a primary key
On Tue, 9 Nov 2010 22:41, d...@fifthhorseman.net said: Basically, i'm asking about creating a new self-sig packet with a modified key usage flags subpacket on a key that i control. How would i do that with GnuPG? That is not supported by an option. You need to change the code. I would try to do update the keyflags in build_sig_subpkt_from_sig () while runnning the --edit-edit command primary. There are probably a lot of side effects and thus this can only be used as a on-time hack. I only had a quick look at the code, thus you may encounter other problems. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 2.1 beta released
On Wed, 10 Nov 2010 09:23, u...@unixuser.org said: I couldn't find --annotate option in EncFS versions from 1.4 to 1.7.3. Do I need some patch to EncFS for G13? My fault. I thought it has been merged already. Let me please look into this; it is quit esome time since I hacked this stuff. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
EncFS patch (was: GnuPG 2.1 beta released)
Hi, find below a pacth agains EncFS 1.5.2 - this is the one I used for testing. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 2009-10-14 Werner Koch w...@gnupg.org * encfs/main.cpp (processArgs): Add option --annotate. (EncFS_Args, processArgs): Support annotate option. (main): Print status messages. * encfs/FileUtils.h (EncFS_Opts): Add field ANNOTATE. * encfs/FileUtils.cpp (userAllowMkdir): Add arg PROMPTNO. (createV6Config): Add arg ANNOTATE. (initFS): Pass it down. * encfs/encfsctl.cpp (cmd_export): Adjust call to userAllowMkdir. (do_chpasswd): Add arg ANNOTATE. (chpasswd, chpasswdAutomaticly): Pass false for ANNOTATE. * encfs/SSL_Cipher.cpp (TimedPBKDF2, newKey): Solve build problems by using const_cast for SALT. Suggested by Valient. diff -urp encfs-1.5.2.orig/encfs/FileUtils.cpp encfs-1.5.2/encfs/FileUtils.cpp --- encfs-1.5.2.orig/encfs/FileUtils.cpp2008-09-10 07:53:58.0 +0200 +++ encfs-1.5.2/encfs/FileUtils.cpp 2009-10-12 19:29:12.0 +0200 @@ -280,13 +280,24 @@ std::string parentDirectory( const std:: return path.substr(0, last); } -bool userAllowMkdir( const char *path, mode_t mode ) +bool userAllowMkdir(int promptno, const char *path, mode_t mode ) { // TODO: can we internationalize the y/n names? Seems strange to prompt in // their own language but then have to respond 'y' or 'n'. // xgroup(setup) cerr autosprintf( _(The directory \%s\ does not exist. Should it be created? (y,n) ), path ); char answer[10]; +switch (promptno) +{ + case 1: +cerr endl $PROMPT$ create_root_dir endl; +break; + case 2: +cerr endl $PROMPT$ create_mount_point endl; +break; + default: +break; +} fgets( answer, sizeof(answer), stdin ); if(toupper(answer[0]) == 'Y') @@ -934,7 +945,7 @@ bool selectZeroBlockPassThrough() RootPtr createV6Config( EncFS_Context *ctx, const std::string rootDir, bool enableIdleTracking, bool forceDecode, const std::string passwordProgram, - bool useStdin, bool reverseEncryption ) +bool useStdin, bool annotate, bool reverseEncryption ) { RootPtr rootInfo; @@ -949,7 +960,10 @@ RootPtr createV6Config( EncFS_Context *c enter \p\ for pre-configured paranoia mode,\n anything else, or an empty line will select standard mode.\n ? ); - + +if (annotate) + cerr $PROMPT$ config_option endl; + char answer[10] = {0}; fgets( answer, sizeof(answer), stdin ); cout \n; @@ -1135,7 +1149,11 @@ RootPtr createV6Config( EncFS_Context *c CipherKey userKey; rDebug( useStdin: %i, useStdin ); if(useStdin) +{ +if (annotate) + cerr $PROMPT$ new_passwd endl; userKey = config.getUserKey( useStdin ); +} else if(!passwordProgram.empty()) userKey = config.getUserKey( passwordProgram, rootDir ); else @@ -1585,6 +1603,8 @@ RootPtr initFS( EncFS_Context *ctx, cons if(opts-passwordProgram.empty()) { rDebug( useStdin: %i, opts-useStdin ); +if (opts-annotate) + cerr $PROMPT$ passwd endl; userKey = config.getUserKey( opts-useStdin ); } else userKey = config.getUserKey( opts-passwordProgram, opts-rootDir ); @@ -1649,7 +1669,7 @@ RootPtr initFS( EncFS_Context *ctx, cons // creating a new encrypted filesystem rootInfo = createV6Config( ctx, opts-rootDir, opts-idleTracking, opts-forceDecode, opts-passwordProgram, opts-useStdin, - opts-reverseEncryption ); +opts-annotate, opts-reverseEncryption ); } } diff -urp encfs-1.5.2.orig/encfs/FileUtils.h encfs-1.5.2/encfs/FileUtils.h --- encfs-1.5.2.orig/encfs/FileUtils.h 2008-08-23 23:48:12.0 +0200 +++ encfs-1.5.2/encfs/FileUtils.h 2009-10-12 19:29:55.0 +0200 @@ -35,8 +35,9 @@ const char *lastPathElement( const char std::string parentDirectory( const std::string path ); // ask the user for permission to create the directory. If they say ok, then -// do it and return true. -bool userAllowMkdir( const char *dirPath, mode_t mode ); +// do it and return true. If PROMPTNO is 1 show a prompt asking for +// the root directory, if 2 ask for the mount point. +bool userAllowMkdir(int promptno, const char *dirPath, mode_t mode ); enum ConfigType { @@ -155,6 +156,7 @@ struct EncFS_Opts std::string passwordProgram; // path to password program (or empty) bool useStdin; // read password from stdin rather then prompting +bool annotate; // print annotation lines prompt to stderr. bool ownerCreate; // set owner of new files to caller @@ -167,6 +169,7 @@ struct EncFS_Opts
Re: Can't suppress quot;good signaturequot; status message
On Wed, 10 Nov 2010 15:16, s...@pobox.com said: is there a --status-fd flag, there is a --logger-fd flag. I don't know what the difference between emitting a status message --status-fd N gives the file descriptor to write status messages like [GNUPG:] GOODSIG 53B620D01CE0C630 Werner Koch (dist sig) dd...@gnu.org [GNUPG:] TRUST_ULTIMATE which are to be used by all automated systems (e.g. scripts). IF you don't use this option no status lines are emitted at all. All other output is for humans; it may be redirected to a file descriptor other than 2 using --logger-fd M. This is slighly different from re-directing stderr directly because it works only on the internal log functions and is used for all output which might be useful to see in log files. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Import .p12 key file
On Wed, 10 Nov 2010 18:37, r...@sixdemonbag.org said: Recent versions of GnuPG support S/MIME, which *may* use PKCS-12. (I Well for 7 years or so ;-) don't recall offhand for a fact: I just have a vague impression they do... or maybe it's PKCS-7 I'm thinking of.) PKCS#12 is a bunch of convoluted binary data which is even by ASN.1 standards a nightmare to parse. Despite that these blobs are used to transfer private X.509 keys. GPGSM (GPG's S/MIME cousin) supports it. PKCS#7 (or in modern speak CMS) is the core of S/MIME but, as you pointed out, it is not related to OpenPGP. OpenPGP uses a well defined and easy to parse format for key and data exchange and not any ASN.1 BER and DER mess. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: EncFS patch
On Thu, 11 Nov 2010 03:24, u...@unixuser.org said: Thanks. It now basically works (I used encfs-1.7.3_annotate.diff you posted to gnupg-devel), though the usage was a bit unclear to me :) Well the documentation is non existent. However gpgme already supports it. Which does not mean that that documentation is in anyway better: /* The container is automatically unmounted when the context is reset or destroyed. Transmission errors are returned directly, operational errors are returned in OP_ERR. */ gpgme_error_t gpgme_op_vfs_mount (gpgme_ctx_t ctx, const char *container_file, const char *mount_dir, unsigned int flags, gpgme_error_t *op_err); gpgme_error_t gpgme_op_vfs_create (gpgme_ctx_t ctx, gpgme_key_t recp[], const char *container_file, unsigned int flags, gpgme_error_t *op_err); Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --verify detached signature from two file descriptors?
On Fri, 12 Nov 2010 05:19, d...@fifthhorseman.net said: i'd like to use gpg to verify a detached signature, but for various reasons i don't want to put either part (the body or the signature) in the filesystem (i have the data queued in two otherwise anonymous file descriptors). No problem. GPGME does it this way. The trick is the option --enable-special-filenames and to pass the fd in this format -N. gpg --enable-special-filenames --verify --batch -5 -6 Assuming you have them in fds 5 and 6. Using GPGME is of course easier because it has this secret knowledge ;-) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gpg4Win 2.0.4 with GnuPG 1.4.11??
On Thu, 18 Nov 2010 17:59, r...@sixdemonbag.org said: Not true. For instance, WinZip is a 32-bit application, yet it integrates just fine into the context sensitive menu. In this case it is not an explorere extension. An explorer extensions needs to be a 64 bit DLL. Of course using an external program works. The explorer extension has the advantage of a closer integration. Gpg4win's GpgEX explorereextension requires two GnuPG related DLL and we can't easily change them to 64 bit. Eventually this will be done. For the time being, I suggest the use of GPA. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg --verify detached signature from two file descriptors?
On Thu, 18 Nov 2010 18:10, d...@fifthhorseman.net said: 0 d...@pip:/tmp/cdtemp.VsWK6o$ gpg --enable-special-filenames --verify --batch '-4' '-3' 3test 4test.asc gpg: Invalid option -4 2 d...@pip:/tmp/cdtemp.VsWK6o$ What am i doing wrong? i'm using gnupg 1.4.11 from debian experimental The usual options vs. file name problem. Add the option stopper: gpg --enable-special-filenames --verify \ --batch -- '-4' '-3' 3test 4test.asc Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where is the webpage for GpgEx?
On Thu, 18 Nov 2010 15:24, bo.bergl...@gmail.com said: There seems to be no *separate* installer for GpgEx available, the only way to get it is to also have GnuPG 2.0.14 forced on me. :( Why? Because you can't use it without GnuPG. You even can't use it without Kleopatra or GPA. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Where is the webpage for GpgEx?
On Fri, 19 Nov 2010 11:39, bo.bergl...@gmail.com said: Couldn't the installer then sense that GnuPG is installed already and then offer not to install yet another copy of GnuPG??? There should be only one copy of GnuPG on a system. If you install a second one it is up to you to fix problems. The only recommended way to install GnuPG on a desktop Windows box is to use the gpg4win installer. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Gpg4Win 2.0.4 with GnuPG 1.4.11??
On Fri, 19 Nov 2010 11:34, bo.bergl...@gmail.com said: But this is a *source* download, how do I get a binary to install in Windows7?? see doc/README.W32. For your convience I yank it here: How to build GnuPG from the source: === Until recently all official GnuPG versions have been build using the Mingw32/CPD kit as available at ftp://ftp.gnupg.org/people/werner/cpd/mingw32-cpd-0.3.2.tar.gz . However, for maintenance reasons we switched to Debian's mingw32 cross compiler package and that is now the recommended way of building GnuPG for W32 platforms. It might be possible to build it nativly on a W32 platform but this is not supported. Please don't file any bug reports if it does not build with any other system than the recommended one. According to the conditions of the GNU General Public License you either got the source files with this package, a written offer to send you the source on demand or the source is available at the same site you downloaded the binary package. If you downloaded the package from the official GnuPG site or one of its mirrors, the corresponding source tarball is available in the sibling directory named gnupg. The source used to build all versions is always the same and the version numbers should match. If the version number of the binary package has a letter suffix, you will find a patch file installed in the Src directory with the changes relative to the generic version. The source is distributed as a BZIP2 or GZIP compressed tar archive. See the instructions in file README on how to check the integrity of that file. Wir a properly setup build environment, you unpack the tarball change to the created directory and run $ ./autogen.sh --build-w32 $ make $ cp g10/gpg*.exe /some_windows_drive/ Building a version with the installer is a bit more complex and basically works by creating a top directory, unpacking in that top directory, switching to the gnupg-1.x.y directory, running ./autogen.sh --build-w32 and make, switching back to the top directory, running a mkdir dist-w32; mkdir iconv, copying the required iconv files (iconv.dll, README.iconv, COPYING.LIB) into the iconv directory, running gnupg-1.x.y/scripts/mk-w32-dist and voila, the installer package will be available in the dist-w32 directory. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust level for validating signature with gpgme
On Tue, 23 Nov 2010 14:53, al...@archlinux.org said: validity of the key. I am currently testing: (gpgme_verify_result_t-summary GPGME_SIGSUM_VALID) Is that the correct approach? That's fine. However if a key expired you won't get VALID. An expired key does not mean that the signature is not valid. Are more relaxed check is to check for the GPGME_SIGSUM_GREEN. To check what's wrong you should manually verify the signature: gpg --verify --status-fd 2 -v foo.gpg Gpgme watches the [GNUPG:] lines to get its idea of the signature status. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenVPN with OpenPGP card
On Wed, 24 Nov 2010 07:34, l...@gmx.at said: However I find that OpenVPN does not have support for the card yet. :/ So I am forced to use scute, a PKCS #11 implementation for the OpenPGP card. Now my question is: would this work? Has anybody tried this successfully? It may not work instantly but fixing it is not a big problem. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: trust level for validating signature with gpgme
On Wed, 24 Nov 2010 02:31, al...@archlinux.org said: 1) I would have expected the trust level to be something like TRUST_FULL rather than TRUST_UNDEFINED. Is this because I have no signatures on that key or more specifically because I have no ultimately trusted key in the keyring signing that key? Signing the key is required to tell gpg that you trust the key. You may use the lsign command to do this only locally and not to announce it to the world. You also need to have a trust anchor; i.e. a key that is ultimately trusted. Check also the option --trusted-key. 2) It appears that getting GPGME_SIGSUM_VALID value requires the trust level to be defined. How can I just check whether the signature is valid regardless of the trust in the key used to sign it? You mean to compare the signature against a known valid key, right? I suggest to compare the fingerprint of the signing key (member FPR in the result struct) against a list of valid fingerprints you keep in your application. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG 4 Win
On Thu, 25 Nov 2010 01:32, free10...@gmail.com said: No. GPGSM is for CMS and S/MIME; GnuPG is for OpenPGP and PGP/MIME. No. GPGSM is for CMS and S/MIME; GPG is for OpenPGP and PGP/MIME. GnuPG is the entire system which provides tools for S/MIME (GPGSM), OpenPGP (GPG) as well as some other tools (e.g. Secure Shell Agent). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenVPN with OpenPGP card
On Fri, 26 Nov 2010 05:26, l...@gmx.at said: This is great news. How do you know this? Are you affiliated with scute? Check the ChangeLog; you should find mail addresses of my company. Marcus Brinkmann did most of the work. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPF Crypto Stick vs OpenPGP Card
On Fri, 3 Dec 2010 03:52, l...@gmx.at said: Even with PIN-pad on a compromised computer you still have no guarantee WHAT you are signing. Right. My opinion is that if the computer is compromised you are lost anyway. However your key won't become compromised and by plugin the smartcard in only if needed you limit the time frame for malicious use of your key. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPF Crypto Stick vs OpenPGP Card
On Fri, 3 Dec 2010 13:21, mailinglis...@hauke-laging.de said: A first improvement would be to show the hash to be signed. Of course, you That does not help. Even if you would be able to compare it with the hash displayed on the host box, you gain nothing: Any malware which foist you a different file for signing won't have a problem to display you the same hash value on the host and and the pinpad. The whole problem of a secure signing device is a problem of the data formats you want to sign. With any of todays en vogue data formats, you need a lot of code on your secure signing device (e.g. a pinpad) to render it for display. This increases the complexity to a level where it will be possible to exploit bugs in those OpenOffice or PDF viewers. In addition those formats have other intrinsic problems which make them a bad choice to be signed in a secure way. What might work are JPEGs - but who wants to sign a JPEG file and have recipients work with an image of your text? Plain text may work, though. For a long text it won't work either, because nobody is going to proofread a text on some small display before signing it. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Protecting IDs at a key signing party
On Wed, 8 Dec 2010 23:35, mailinglis...@hauke-laging.de said: aren't any IETF notations yet. I suggest a standard for at least these pieces of information: - key owner has been personally known for x years - frequent contact with the key owner for x years [many more] It is very unlikely that OpenPGP will ever adopt such standards. There is an unspoken policy that we don't define policies but merely provide a framework so others can implement something on top of it. If we would start to adopt any such policies we would soon end up in the X.509 mud. The signature classes 0x10 to 0x13 are for a reason not very strictly defined. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple subkeys and key transition
On Fri, 10 Dec 2010 05:32, r...@sixdemonbag.org said: Sooner or later you *will* have a key compromise event, you *will* need to revoke keys in a hurry and you *will* need to find some way to Unless you use an offline primary key which should not suffer from a key compromise unless you are directly targeted by nightly visits to your home . If one of your subkeys gets compromised, revoking and creating a new subkey is then really easy. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: multiple subkeys and key transition
On Thu, 9 Dec 2010 19:01, d...@fifthhorseman.net said: This discussion currently seems to be idle, so i would not wait on it. We need to get the discussion going again, certainly. The understanding of the WG is that we want to wait for the outcome of the SHA-3 contest before we change anything in OpenPGP. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Best Practices
On Mon, 13 Dec 2010 01:27, ds...@jabberwocky.com said: The fix in OpenPGP is to hash the contents of the secret key, so any tampering is evident. FWIW: We verify a signature immediatley after its creation which also thwarts this attack. I am also skeptical of this. I strongly doubt that new fingerprints can be achieved without going to a V5 key format. There are just too many interoperability gotchas with an upgraded V4. We might be able Switching to V5 will be a lot of work in GnuPG because under the hood we need to replace a lot of data structures which use a 160 bit hash. It will eventually be done but before we do that we need SHA-3; lets talk about this in 2 years. Recall that the rush towards SHA-256 is due to collisions on SHA-1 expected in the near future. There are no signs at all that we will have a pre-image attack on SHA-1 any time soon [1]. Shalom-Salam, Werner [1] #include famous-last-words.h -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg-2.0.16 problems when runing MAKE !!! H-E-L-P !!!
On Fri, 31 Dec 2010 02:17, mel.gor...@wellnow.com said: I've spent all week trying to get either gnupg-2.0.16 or gnupg-2.0.15 to make on my systemno luck. I have googled the problem, and tried every suggestion...no luck. I have no time to look into this. You may try a VPATH build: tar xjvf gnupg-n.m.p.tar.bz2 mkdir gnupg-n.m.p-build cd gnupg-n.m.p-build ../gnupg-n.m.p/configure make Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Having trouble getting GPG to accept input from a pinpad
On Mon, 3 Jan 2011 11:25, li...@michel-messerschmidt.de said: Have you tried it with gnupg 2.0.x ? IIRC you need at least 2.0.12 for the SPR-532 pinpad and gnupg-agent should be running. .. and do not run pcscd - only the GnuPG internal driver works with the pinpad. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users