Re: Card fails to decrypt using 4096-bit key
On Wed, 31 Oct 2012 16:17, cor...@corsac.net said: Signing using a 4096R key works just fine, but decryption using an 4096R encryption key doesn't, with the same error. This is using GnuPG v2.0.19 on Debian sid, with pcscd 1.8.6 (in case that matters). I fixed this yesterday for 2.0 and master. The log file will now also show a note if you try to decrypt using a key 2048 with one of the non-working cards. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On Thu, 8 Nov 2012 09:37, melvincarva...@gmail.com said: Does anyone know if there's a safe way to recover my web of trust, or should I make an ultimately trusted key first, and start from scratch? ssh otherbox rm .gnupg/trustdb.gpg gpg --export-ownertrust | ssh otherbox gpg --import-ownertrust Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ownertrust level of imported secret keys
On Fri, 9 Nov 2012 19:33, mailinglis...@hauke-laging.de said: You have imported a secret key. It may be useful (probably if you are the only owner of this secret key) to set the trust level of this key to ultimate (see --edit key trust). That would be easy to implement for GUI frontends. Or even ask and do it. Better not, most people always answer yes. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: difference in validity states
On Fri, 9 Nov 2012 19:34, mailinglis...@hauke-laging.de said: n = The key is valid f = The key is fully valid What is the difference between the meaning of n and f? The first line has a bug, the second line is correct. Good catch. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On Sat, 10 Nov 2012 20:33, melvincarva...@gmail.com said: gpg --import-ownertrust trustdb.gpg That does not work. --import-ownertrust expects the format as produced by --export-ownertrust. What you can do is to put trustdb.gpg into an empty directy and run the export command: cp trustdb.gpg YOURTMPDIR gpg --homedir YOURTMPDIR --export-ownertrust foo Then import foo. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On Tue, 13 Nov 2012 15:40, melvincarva...@gmail.com said: So I assume when backing up a key you should always back up trustdb too? Yes. Actually eyerything in ~/.gnupg and below should be go into the backup. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On Wed, 14 Nov 2012 00:27, r...@sixdemonbag.org said: Including random_seed? I've always been under the impression that's a big no-no. Well, it is a backup and assumed to be used after a loss of data and not to replicate the data to several sites. random_seed is a cache file to speed up things. It is never used directly. For key generation we make sure that at least 300 fresh random bytes are mixed into the 600 bytes of the random pool (the state on which the RNG works). For session keys, we work on a random pool which has been initialized from the random_seed file. But we also mix some other state into it (from the fast entropy gatherer). Without a random_seed file, every use of session keys (i.e. a plain public key encryption) would require a lot of time to get entropy from the slow gatherer (usually /dev/random). That just takes too long and wastes precious entropy. Thus I consider it better to backup everything than to forget an important file. Backup's are always encrypted - aren't they? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On Wed, 14 Nov 2012 11:34, kue...@googlemail.com said: How do I decrypt my backup in case of a disaster, if the secret key is in the encrypted backup? You surely have your secret key somewhere on a CD or a printout (cf. paperkey), right? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: import trustdb.gpg or start from scratch?
On Wed, 14 Nov 2012 12:15, kristian.fiskerstr...@sumptuouscapital.com said: Is there any configuration option to force the use of /dev/random? I'm You mena, not to use the seed file? gpg --no-random-seed-file Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Debian64, gnupg-2.0.19, gpg-agent problems
On Fri, 23 Nov 2012 16:58, pe...@asgalon.net said: I am configuring a crypto-stick for use with 4096 bit RSA keys and have run into two problems that look as if they are related to gpg-agent. 4096 bit RSA OpenPGP smartcards do not yet work with released GnuPG versions. There is a reason why the cards have an imprint of 3072 ;-). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Debian64, gnupg-2.0.19, gpg-agent problems
On Mon, 26 Nov 2012 12:56, pe...@asgalon.net said: with 3072 bit RSA keys with either gpg1 or gpg2? Or what type of keys would you recommend if I wanted to give someone with basic linux experience and a need for a reasonable level of communication privacy The answer is simple and been repeated here many times: Use the default values (as of now 2048 bit RSA). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG W32 1.0.6-2 - PRIVATE KEY IMPORT ISSUE
On Wed, 28 Nov 2012 17:29, due...@gmail.com said: I downloaded GPG W32 1.0.6-2 on a Windows machine. This is a 11 years old version og GnuPG! You should not use it at all. The cuirrent version is 1.4.12 and a simple installer is available at ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.12.exe import: gpg --allow-secret-key-import secdretkey.txt --allow-secret-ket-import is only an option but not a command. Thus gpg will try to decrypt what is in secdretkey.txt - which is not possible - it will thus only show you the content of the file. Use gpg --allow-secret-key-import --import secdretkey.txt but please update to a modern and supported version first (then you don't need the --allow-secret-key-import anymore). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Keypad support for PC/SC card readers?
On Sun, 2 Dec 2012 10:57, cry...@artemicode.de said: I suppose gnupg tries to detect whether a keypad is available. Is that logged? Which debugging level would be needed. 2.0.19 has support for keypads via PC/SC. Add this to ~/.gnupg/scdaemon.conf log-file /some/file debug 2048 Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is it safe to rename file.gpg to `md5sum file`?
On Wed, 5 Dec 2012 22:39, sben1...@yahoo.de said: If I wanted to have a fallback for loosing the mapping table, would there be a sane way to encrypt the filename with gpg? That way I could --set-filename string Use string as the filename which is stored inside messages. This overrides the default, which is to use the actual filename of the file being encrypted. If you want later want gpg to output to this file, you may use --use-embedded-filename --no-use-embedded-filename Try to create a file with a name as embedded in the data. This can be a dangerous option as it allows to overwrite files. Defaults to no. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: WOT and Authentication Research
On Wed, 5 Dec 2012 23:15, pa...@cs.ucsb.edu said: And of course the last issue is finding a sane way for user's to store and use private keys. Hence the PSST project and the eventual idea of PSST? That used to be the working title for a free implementation of ssh back in 1997. iirc, I sent the first announcement of gpg to the psst mailing list. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[admin] Mailing lists outage notice
Hi, please be prepared that the mailing lists will be down for a few days due to a server upgrade. It would be too much work to move them temporary to another server. FTP will be down as well. The Web, Git, and the BTS should continue to work. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Same key on different smart cards
On Thu, 13 Dec 2012 08:43, ricu...@gmail.com said: (~/.gnupg/secring.gpg). Thus if I try to use the second card, I get an error telling me to insert the correct card. You need to delete the secret key stub and then gpg should be able to re-create it using the current card. I am not sure about the details because I am using 2.1 for a long time now. 2.1 works a bit different in this regard Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Elliptic curves in gnupg status?(ECC support)
On Mon, 17 Dec 2012 03:14, phonetree...@gmail.com said: Hey, I found the discussion in this newsgroup linked to below. It was last posted to in 2010. Looked like ECC support was coming, but as far as I can tell GPG doesn't support ECC yet. Is it on it's way? It is supported since 2.1.0beta2 (2011-03-08) Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Elliptic curves in gnupg status?(ECC support)
On Tue, 18 Dec 2012 20:21, phonetree...@gmail.com said: I was not able to find anything in the manual about it though. I searched and searched for the details on how to get on with using it, $ gpg2 --expert --gen-key gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECDSA and ECDH (10) ECDSA (sign only) (11) ECDSA (set your own capabilities) Your selection? We have always used the expert switch to allow the use of new algorithms. The idea is that we first want to have a wide base of installed versions with support for a given algorithms, before we make a new algorithm visible to the non-experts. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GnuPG 1.4.13 released
/service.html The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software take up a most of their resources. To allow them continue their work they ask to either purchase a support contract, engage them for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Thanks == We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, donating money, spreading the word, or answering questions on the mailing lists. Happy Hacking, The GnuPG Team (David, Werner and the other contributors) -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgp2CE8uOW3cM.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 1.4.13 released
On Fri, 21 Dec 2012 11:56, joh...@vulcan.xs4all.nl said: Indeed. Is the IDEA patent expired or so, that this algorithm is now included? * Patents on IDEA have expired: * Europe: EP0482154 on 2011-05-16, * Japan: JP3225440 on 2011-05-16, * U.S.: 5,214,703 on 2012-01-07. IDEA is now included to get rid of all the questions from folks either trying to decrypt old data or migrating keys from PGP to GnuPG. It is more or less a read-only algorithm, in that it won't go into the key preferences of new keys by default. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG 1.4.13 released
On Mon, 24 Dec 2012 12:47, expires2...@rocketmail.com said: Will you be including IDEA in the 2.x branch as well? Yes, if you use the development version of Libgcrypt. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ASCII armor plus? - a main reason I find I and some others do not use encryption is that the messages get garbled
On Tue, 25 Dec 2012 01:30, phonetree...@gmail.com said: The insertion of hard returns, blank lines, hyphens and so on is an issue I and others I have been trying to get to use encryption multiple times. It is one of the main reasons I don't use encryption Actually the OpenPGP armor format is pretty robust to the extend it can be. However, you are likely talking about mail. Here I can only suggest to use PGP/MIME - it is part of the MIME standard and should be supported by all sane mail clients. It is a *16 year* old standard and has been implemented even earlier. Thus instead of trying to come up with some changed ascii armor, it will be way better to use an established standard. If your mail software messes things up, you know what to fix. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ASCII armor plus?
On Wed, 26 Dec 2012 13:42, r...@sixdemonbag.org said: When the community's flagship mailing lists cannot reliably use PGP/MIME, I'm a little cautious about recommending PGP/MIME as a general-purpose, ready-for-the-end-user solution. It is a sad time for standards, I know. Let's get rid of them all and use FB or GM and we don't need to care about that all anymore. BTW, we have patches for Mailman to fix the problem in most cases but they never made it to upstream. The funny thing is that Outlook has become better in this regard over time. But Mailman: no useful archive, no proper MIME support, arghh. I am not sure whether this reflects badly on standard Python modules or at the diminishing use of mailing lists. Salam-Shalom, Werner p.s. I guess I better configure Gnus to include your PGP/MIME disclaimer automagically if RFC-3156 is mentioned :-) -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Enigmail] Problem with automated decryption of encrypted drafts? (Key unlocking popup nightmares)
On Wed, 2 Jan 2013 19:50, d...@fifthhorseman.net said: GnuPG 2.x, and there is nothing Enigmail could do about it. AFAIR there is an option in gpg-agent.conf to disable blocking the X session. It is called --no-grab. Do any gnupg contributors have suggestions about the fails to cache my 'cancels' concern Sini raised above? I'm not sure how the pieces could I am not sure what he means. However, recent GnuPG's and pinentries have a cancel-all feature: Either the pinentry features an appropriate button or you use the close-window button of the pinentry which also sends the cancel-all message. This is useful if gpg starts looking for --throw-keyid keys and you know that you don't have the key. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Paperkey 1.3
On Fri, 4 Jan 2013 15:27, joh...@vulcan.xs4all.nl said: CD/DVD-ROMs are going the way of the floppy disc; flash memory is much more reliable than either. Future support of USB ports or memory card FWIW: Some time ago I copied a bunch of ~25 years old 5.25 floppies to a disk. I had only problems with some of the very cheap or the dusted, wet and oiled ones stored for too many years in my non-heated garage. Nobody has experience with flash for more than a decade. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: New packet headers and gpg
On Fri, 4 Jan 2013 17:34, singpol...@singpolyma.net said: headers. Such implementations' ouput can be read by gpg, but there's currently no way to convince gpg to talk to them :) I just checked the RFC and it says: If interoperability [with PGP 2] is not an issue, the new packet format is RECOMMENDED. Thus there is nothing in the standard which would speak against using the new headers. This can either be done using a new option or by using for example the existing compliance option --rfc4880. I don't assume that PGP 2 is still in use. With the recent addition of IDEA even decryption of old data can now be done with vanilla GPG. Shall we give this a test by using one of the compliance options and make the new headers the default in one or two years? Less code is always better. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg not working with RHEL 4
On Fri, 4 Jan 2013 18:34, apadmar...@prounlimited.com said: Can I go ahead and update gnupg from 1.2.6 to 1.4.5 on Red Hat Enterprise Linux AS release 4 (Nahant Update 5)? Is 1.4.5 compatible with this Linux version? I did not find any information regarding this compatibility. GnuPG is compatible with all Unix style operating systems inclduing Linux and RHEL [1]. You just need to build it yourself. And please use the latest versions (1.4.13). Shalom-Salam, Werner [1] And with VMS and Windows. However, you better get a prebuild version for these OSes. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Invalid packet error message
On Mon, 7 Jan 2013 22:14, bd9...@att.com said: gpg: [don't know]: invalid packet (ctb=70) Does anyone know what this means? I tried several Google searches but Your input data is corrupted. OpenPGP messages are constructed from several packets, each packets starts with a tag byte commonly called CTB indicating the type of the packet and how the length of the packet is specified. 0x70 is not a valid CTB, thus you see this message. A common cause for a corrupted message is the use of a non binary clean channel (e.g. using ftp without switching to binary mode). Mail software may also corrupt the message. Ask the sender of the message to encapsulate it in a ZIP or tar file and than unzip it before decrypting. If this works or you can't unzip it your transport channel is non 8 bit clean. A quick work around would be the use of the --armor or -a option. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: embedded public key in signature as in smime.
On Wed, 9 Jan 2013 15:35, o...@mat.ucm.es said: I started to use smime recently and besides its flaws I have to admit that the key interchange is easier (most likely be more insecure) With S/MIME you can send the keys because it is a centralized system and all trust comes the root certificate which has already need installed on the system. Actually sending the the certificate with the mail is required because there is no easy other way to retrieve a certificate. With OpenPGP we have it much easier and do not need to resort to that silliness of sending several K of certificates for a one liner. Sending the certificate is even bad because it implies that you never need to look out for revocations. The funny thing is that S/MIME looks online for revocations, but can't do so for certificates. Thus the argument of using a more secure offline connections is a bit flawed. BTW, if you are able to put the keyblock/certificate into the DNS, users have an easy way to get it. You may also configure your mail client to always attach the OpenPGP key, that makes it pretty clear and easy to send you (or Mallory) an encrypted reply. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Patch for using GPG on 64 bit Matching
On Wed, 23 Jan 2013 02:59, aokunl...@gmail.com said: We have 64-bit servers and I was wondering if there is a Patch to apply to gpg so it could run successfully on 64 bit. GnuPG definitely runs on 64 bit boxes. There is only a glitch for big-endian boxes. If nobody complains I plan to do a 1.4.15 soon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Patch for using GPG on 64 bit Matching
On Thu, 24 Jan 2013 13:05, joh...@vulcan.xs4all.nl said: Did I miss 1.4.14? You are right, the next version will be 1.4.14. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: 1.4.12 beta installer for Windows
On Fri, 1 Feb 2013 15:23, joh...@vulcan.xs4all.nl said: iconv.dll gpg works without that DLL; it only makes sure that i18n works correctly. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Feature request for future OpenPGP card: force PIN
On Fri, 8 Feb 2013 11:09, pe...@digitalbrains.com said: the same as for the signature key; both are a form of signatures. However, I'm not familiar with the rationale for adding the force signature PIN flag. That is simply a requirement due to the German law about qualified signatures. If someone wants to use the OpenPGP card specification to setup a qualified signature system, this feature is needed. This is not that I think this will ever be done, but back when we worked out the specs it seemed to be a good idea to have such a feature. In any case it is not a security measure because the host may simply cache the PIN and and silently do a verify command before each sign operation. To avoid that simple workaround, a pinpad reader which filters the VERIFY command would be needed. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Feature request for future OpenPGP card: force PIN
On Fri, 8 Feb 2013 15:18, pe...@digitalbrains.com said: I have an SCM SPR 532 reader with pinpad; I thought the host could not get at the PIN when entered on the pinpad? The way I understood it, the host sends a That is right. However, if for other reasons the PIN is known to the host (used without pinpad, spyware utilizing the microphone or another side channel, bugged reader firmware), the host will be able to use the smartcard without you noticing it. See the various attacks on point of sale terminals for such attacks. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Problem after going from gpg 1.2.6 to 1.4.5
On Thu, 14 Feb 2013 00:00, apadmar...@prounlimited.com said: However, with 1.4.5 we get an encrypted file everything in one line and gets cut at 80th char. With 1.2.6 we used to get an encrypted file in multiple lines with 80 chars per line and was able to see complete file. That pretty much looks like a post processing problem in your script. GPG's armor format does not output more than 64 characters per line. IT is possible that old versions uses up to 72 characters but definitely never more than 76 as per specs. BTW, you should also use --batch when invoking gpg from a script and take care to properly quote argumens, so that filenames with spaces work. With 1.4.5, how to get it in 80 char format per line? Right now we Why did you switch to a 6 year old version of GnuPG with 4 known CVE indetified bugs? cannot upgrade to beyond 1.4.5 because of consistency issues. Please explain. There is no incompatibility between 1.4.5 and later versions. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fw: GPG Decryption Issue
On Tue, 12 Feb 2013 09:27, kamalakanna...@tcs.com said: Currently we are using batch command as below to decrypt single files. gpg --batch --passphrase-file E:\Data\qfbi\Navtech\Working\passphrase.txt --output E:\Data\qfbi\Navtech\Working\NJS170203YBBNA.xml --decrypt E:\Data\qfbi\Navtech\Input\NJS170203YBBNA.gpg Example: gpg --batch --passphrase-file E:\Data\qfbi\Navtech\Working\passphrase.txt \ --yes --multifile --decrypt \ E:\Data\qfbi\Navtech\Input\NJS170203YBBNA.gpg \ E:\Data\qfbi\Navtech\Input\NJS170203YBBNB.gpg \ E:\Data\qfbi\Navtech\Input\NJS170203YBBNC.gpg or gpg --batch --passphrase-file E:\Data\qfbi\Navtech\Working\passphrase.txt \ --yes --multifile --decrypt FILE_WITH_FILENAMES Note that this will only work if the files are all encrypted to the same key. --yes is required to overwrite existing plaintext files and you can't use --output for obvious reasons. BTW, I am a bit disappointed because you already asked for paid support and we offered you to help you at 80EUR/h charged per 30min. You did not reply but tried your luck here; but well, today is I love free software day: http://ilovefs.org . Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: default keyring file formats
On Wed, 20 Feb 2013 06:05, jw72...@verizon.net said: Hi, David. I appreciated your prompt reply. So with a concatenated keyring in the format foo.pub would I first use a command like the following one if I want to get the keys out of it in order to move No, please don't do that! The API to access the keyrings are the --import and --export commands. It might work now but may change at any time. It is not a good idea to suggest this use. For example the file ~/.gnupg/pubring.gpg and ~/.gnupg/secring.gpg use private extensions to the OpenPGP format. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Documentation on symmetric key options for GPGME
On Thu, 21 Feb 2013 17:19, jtrei...@gmail.com said: own education, is it possible to force the use of AES (or any other cipher) using the GPGME library ? I don't see any parameters on the * Not directly. The usual advise I give is to set a different home directory (gpgme_set_engine_info) and put an appropriate gpg.conf file into this directory. There is also an API in GPGME which allows to modify certain settings in the configuration files; but this is just an easy way to edit the conf files. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: options files
On Thu, 21 Feb 2013 16:50, jw72...@verizon.net said: Can I get a link discussing one or more of a typical situations when options files are used? Thanks I have no link bu at least gpg.conf should always be used to set at least your own signing key and an --encrypt-to key. A keyserver entry is also useful. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: key ordering choices
On Thu, 21 Feb 2013 16:50, jw72...@verizon.net said: The secret keys are listed from the keyring in my gpg homedir. When there are several secret keys, what is the ordering criteria used by gpg to No. Similar to files in a directory on Unix. gpg has no feature to sort them. If you want that, please use one of the GUI fronrends or write a script to do this (using the --with-colons format). the ordering? Also, if I wanted to have more than one keyring, and I were to name them, for example, secring1.gpg, secring2.gpg, would my ordering be respected by gpg in the display from such a command? Don't rely on such a behavior. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Reliably determining that the agent is available and starting it if not
On Fri, 22 Feb 2013 01:21, cr...@2ndquadrant.com said: I expected it to be simple to make sure that the a GPG agent (either the gpg-agent program or something like Gnome's built-in agent) were Oh please don't use the latter, that is the cuase for a many problems. You may use gpg-connect-agent for this. Howeverm depending how GnuPG has been build gpg2 and gpg-connect-agent both start the agent if they need them. This is a far better way then the mess with the envvars. We have been doing that for Windows for many years without problems. On Unix you only don't want to do that if ~/.gnupg is remotely mounted on a filesystem that does not support local sockets. Now, how do you know whether gpg-agent will be started on demand? gpg also needs to know this and thus gpg-agent is able to tell you: if gpg-agent --use-standard-socket-p ; then echo gpg2 starts gpg-agent on demand fi This is neither reliable, clean, nor user-friendly. The only real solution would require that I patch gpg to fall back on the well known agent socket location if GPG_AGENT_INFO is unset but use-agent is Either set the default be using ./configure --enable-standard-socket make or at runtim put it into gpg-agent.conf echo use-standard-socket ~/.gnupg/gpg-agent.conf Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Libassuan 2.1.0 released
Hello! I am pleased to announce version 2.1.0 of Libassuan. Libassuan is the IPC library used by GnuPG 2, GPGME, and a few other packages. This release adds support for the nPth thread library as used by the current development version of GnuPG. It also fixes some minor bugs and enables features on *BSD platforms. You may download the library and its OpenPGP signature from: ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.1.0.tar.bz2 (525k) ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.1.0.tar.bz2.sig As an alternative you may use a patch file to upgrade the previous version of the library: ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.0.3-2.1.0.diff.bz2 (62k) SHA-1 checksums are: af114073610ce0b30961986c2741d5e7230c9880 libassuan-2.1.0.tar.bz2 627e8b7560f0137d4e3ed2c409b6d9cc3ceb5150 libassuan-2.0.3-2.1.0.diff.bz2 Noteworthy changes in version 2.1.0 (2013-02-22) * Support for the nPth library. * Add assuan_check_version and two version macros. * Interface changes relative to the 2.0.3 release: ~~ ASSUAN_SYSTEM_NPTH_IMPL NEW macro. ASSUAN_SYSTEM_NPTH NEW macro. __assuan_readNEW (private). __assuan_write NEW (private). __assuan_recvmsg NEW (private). __assuan_sendmsg NEW (private). __assuan_waitpid NEW (private). ASSUAN_VERSION NEW macro. ASSUAN_VERSION_NUMBERNEW macro. assuan_check_version NEW. ~~ Thanks to Ben Kibbey, W. Trevor King, and Marcus Brinkmann for their contributions. A listing with commercial support offers for GnuPG and related software is available at: http://www.gnupg.org/service.html The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpG74A25iRUg.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Libgpg-error 1.11 released
Hi! I am pleased to announce version 1.11 of libgpg-error, a library for common error values and messages in GnuPG components. If you want to use this library for you own project, please chime in and gnupg-devel so that we can discuss whether it makes sense to add a new source identifier. This is a shared library so it can be updated independently of each individual component, while still allowing the use of new error values in inter-process communication. It may be found in the files ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.11.tar.bz2 (478k) ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.11.tar.bz2.sig or gzip compressed ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.11.tar.gz (624k) ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.11.tar.gz.sig or as a patch to upgrade from 1.10: ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.10-1.11.diff.bz2 (200k) It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html Bug reports and requests for assistance should best be sent to: gnupg-de...@gnupg.org The sha1sum checksums for this distibution are be209b013652add5c7e2c473ea114f58203cc6cd libgpg-error-1.11.tar.bz2 db05ac4a29d3f92ae736da44f359b92b6af9f7ee libgpg-error-1.11.tar.gz 93b0cc74c21e6aa23863322ad7f32f1f4ae04e43 libgpg-error-1.10-1.11.diff.bz2 Noteworthy changes in version 1.11 (2013-02-25) --- * New error source GPG_ERR_SOURCE_ASSUAN for Libassuan related errors. * New macros GPG_ERROR_VERSION and GPG_ERROR_VERSION_NUMBER. New function gpg_error_check_version. * Interface changes relative to the 1.10 release: GPG_ERR_NO_KEYSERVER NEW. GPG_ERR_INV_CURVE NEW. GPG_ERR_UNKNOWN_CURVE NEW. GPG_ERR_DUP_KEY NEW. GPG_ERR_AMBIGUOUS NEW. GPG_ERR_SOURCE_ASSUAN NEW. gpg_error_check_version NEW. GPG_ERROR_VERSION NEW. GPG_ERROR_VERSION_NUMBER NEW. Thanks to all translators; this time in particular to Yuri Chornoivan and Felipe Castro for adding Ukranian and Esperanto translations. A listing with commercial support offers for GnuPG and related software is available at: http://www.gnupg.org/service.html The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgp8ageLvPbX9.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Revocation certificate creation (was: options files)
On Tue, 26 Feb 2013 01:25, cr...@2ndquadrant.com said: I really wish a 1y or 2y expiry was the default and that gpg prompted you to generate a revcert as part of key generation. I spend a lot of I wish I had done that right from the beginning. The reason why I did not was the fear that then the revocation certificate would be readily available on the disk and 3 things may happen: - The user accidentally imports that certificate and it would eventually end up on the keyservers. - Someone else gets access to the revocation certificate and sends it to the keyserver. - The disk crashed and the user has no backup. Reviewing this today I may say that the first could be mitigated by indenting the lines of the revocation certificate so that GPG would no be able to import it directly. The second is not a real issue. The third is probably the most likely threat; however, it would not be worse than not having a revocation certificate at all. Given that the default for smartcards is to store the backup on disk and ask the user to move it to a safer place, we might as well do something similar for revocation certificates. Comments? Regarding a default expiration date: It may be useful if GUIs would do this (as long as they also offer an option to prolong the expiration). Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Questions about OpenPGP best practices
On Tue, 26 Feb 2013 08:52, ni...@dest-unreach.be said: It does work from time to time, so when doing a manual --recv-key, I usually get the key within a few tries. But when using e.g. caff (which The problem is that this is a pool of servers and you don't know which one you are currently using. Thus it is only as reliable as the least reliable server in the pool. GnuPG 2.1 uses the Dirmngr to access the keyservers and being a daemon it is statefull and tracks which servers are reliable. Well, that is the plan and most code is there. However, it is not yet complete or sufficiently debugged. And while pgp.mit.edu might not be the best keyserver, it works... (from my experience at least). gpg.mit.edu is running SKS for quite some time now; thus I don't think that there is any reason to not use it. Except that if everyone is using this server it will turn slow again. Thus the advise not to use it might in the end be a Good Suggestion. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Questions about OpenPGP best practices
On Tue, 26 Feb 2013 11:19, pe...@digitalbrains.com said: In other words, trusting a certificate authority is currently an all-or-nothing thing where you now trust them to certify any SSL-protected service you connec Right, they are all implicitly cross-signed. In reality there is no security in the PKIX system at all. At least not if you want to use it on the public internet. The CA vendors don't sell security but act as information highwaymen. All the recently added browser features might be compared to laundries and milk bars as the tiny legal business arms of larger Chicago 1920ies entrepreneur groups ;-). While I appreciate the sks-keyservers folk, I would never install their CA as a system-wide CA. Actually, I already distrust proper CA's :). Thus, it won't harm you to add such a kind of Salvation Army CA. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Revocation certificate creation
On Tue, 26 Feb 2013 12:45, o...@enigmail.net said: my vote: yes. Non-intrusive information about what next steps should be. When creating a key using Enigmail, it asks the user to save a rev cert. CLI should do the same. You mean printing a hint to create a recovation certificate would be enough? Similar like the Note that this key cannot be used for encryption. You may want to use the command --edit-key to generate a subkey for this purpose. you see if you don't use the defaults? Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is the option for Use this key anyway? (y/N) y
On Tue, 26 Feb 2013 13:02, epk14octs...@gmail.com said: But I want to pass this y key in the above command can you please help me which option is exactly used to pass this y value in single command On the comamnd line or in a script? The option --batch disables the interactive mode and --yes answers yes. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Revocation certificate creation
On Tue, 26 Feb 2013 15:16, mailinglis...@hauke-laging.de said: I am a big fan of hints, too. If these get improved / extended an option like --no-hints=all Well, we have the --expert option. If it is used we could assume that a hint is not required. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GPGME 1.4.0 released
Hello! I am pleased to announce version 1.4.0 of GPGME. GnuPG Made Easy (GPGME) is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines as included in GnuPG easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management. Noteworthy changes in version 1.4.0 are: * New function gpgme_set_global_flag to help debugging on Android. * New function gpgme_io_writen as a convenience wrapper around gpgme_io_write. * New functions to support the pinentry mode feature of GnuPG 2.1. * New macro GPGME_VERSION_NUMBER to allow supporting different API versions without the need for a configure test. * Several improvements for gpgme-tool. * Better logging of the common invalid engine error code. * Support for FD passing is now enabled by default. The configure option --disable-fd-passing may be used to disable this. * Interface changes relative to the 1.3.1 release: ~~ GPGME_VERSION_NUMBER NEW. gpgme_io_writenNEW. gpgme_set_global_flag NEW. gpgme_set_pinentry_modeNEW. gpgme_get_pinentry_modeNEW. gpgme_pinentry_mode_t NEW. GPGME_PINENTRY_MODE_DEFAULTNEW. GPGME_PINENTRY_MODE_ASKNEW. GPGME_PINENTRY_MODE_CANCEL NEW. GPGME_PINENTRY_MODE_ERROR NEW. GPGME_PINENTRY_MODE_LOOPBACK NEW. You may download this library and its OpenPGP signature from: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.0.tar.bz2 (935k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.0.tar.bz2.sig GZIP compressed tarballs are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.0.tar.gz (1183k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.0.tar.gz.sig As an alternative you may use a patch file to upgrade the previous version of the library: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.2-1.4.0.diff.bz2 (255k) SHA-1 checksums are: 897e36c1d3f6595d69fb37c820aaa162daa0e369 gpgme-1.4.0.tar.bz2 d91fde8377cc7da7e8897fd1a2ed767bba6bf71d gpgme-1.4.0.tar.gz 215961b0780916612a9c08ef88f92e113a3e0b51 gpgme-1.3.2-1.4.0.diff.bz2 Thanks to W. Trevor King for his contributions to gpgme-tool and to all others who reported and fixed bugs and portability issues. A big THANK YOU goes to my former colleague Marcus Brinkmann: He maintained GPGME for more than a decade and helped to turn it into the standard API for GnuPG. Please send questions regarding the use of GPGME to the gnupg-devel mailing list: http://lists.gnupg.org/mailman/listinfo/gnupg-devel If you need commercial support, you may want to consult this listing: http://www.gnupg.org/service.html The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpI0A1DHdaxU.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is the option for Use this key anyway? (y/N) y
On Wed, 27 Feb 2013 07:59, epk14octs...@gmail.com said: I have tried using the --batch--yes and could not be to get the exact --batch and --yes are separate options not one. Please see the man page for details. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: what is the option for Use this key anyway? (y/N) y
On Wed, 27 Feb 2013 11:31, epk14octs...@gmail.com said: [image: Inline image 1] Please don't send an image. Transscript the content. You may also copy and paste it from a Windows shell. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP for zLinux [full info]
On Fri, 1 Mar 2013 17:04, gcal...@br.ibm.com said: I have sent an email earlier requesting information about the best PGP version to install in a zLinux server. [This is the GnuPG mailing list and not a PGP list]. I don't know wether Symantex provides a version of PGG for this system. However, the standard GnuPG 1.4.x will build just fine on any Unix based system. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP for zLinux [full info]
On Sat, 2 Mar 2013 08:16, b...@adversary.org said: list. Since you have already received one reply to all from Werner, this has already happened. I apologize for having being tricked to do a drive by mailing to gnupg-announce. I need to add a check to reject accidental replies to that list. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg: Signature made date time tamper resistant?
On Fri, 1 Mar 2013 22:47, adrela...@riseup.net said: Or in other words, is the date and time taken from the signers machine clock and signed with the signers private key? Yes. The time of the signature is taken from the hashed area of the signature packet, which means that this is part of the signed data. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG future timestamp checks and security
On Wed, 27 Feb 2013 17:01, casey.marsh...@gmail.com said: I'm considering ignoring the time checks (--ignore-time-conflict, --ignore-valid-from) due to clock drift being a common problem in my application. That is why we added these options. What was the motivation for adding the timestamp checks? Specifically, are there security implications to disabling them I should be concerned about? A bad timestamp may be a sign for some other bug on the sending site. whether it is a security problem, depends on the application. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Public Keys not showing up in Choose Recipients
On Tue, 5 Mar 2013 17:45, ivanbrod...@hotmail.com said: program, and this board is the only one I could find. Not that it matters to anyone here, but not resolving this problem in a timely fashion is going to cost me. There is an easy solution to your problem: Consult http://gnupg.org/service.html and pick a company to help you. Sent from my iPhone Your iPhone may want to consult http://www.netmeister.org/news/learn2quote.html . Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP card reset procedure
On Wed, 27 Feb 2013 14:00, ni...@dest-unreach.be said: sending 4 VERIFY-commands with the same (wrong) PINcode. It next locks the Admin PIN using a similar procedure. Right. According to my understanding, this will ACTIVATE FILE, and next TERMINATE DF. While the spec seems to indicate the reverse should be done: You are right, I once messed it up somewhere but meahwhile my gpg-connect-agent script to reset the card is: /hex scd serialno scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 44 00 00 scd apdu 00 e6 00 00 /echo card has been reset to factory defaults Which is as it should be. Either way, the procedure (with first ACTIVATE and next TERMINATE) seems to work, I just don't understand how... That is a bug in the card. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: /etc/gnugpg.d/
On Thu, 7 Mar 2013 15:44, adrela...@riseup.net said: What about having /etc/gnugpg.d/ where you can drop configuration files just you can drop them into /etc/apt/apt.conf.d/? In general I consider those configuration directories a bad idea. They are nice at the first view because they make packaging easy but after all they are unreadable. Sure, for some applications they make sense (/etc/pam.d/) but definitely not for GnuPG. I also miss to understand how they would help to solve the OPs problem. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: placing trust in imported keys
On Sat, 9 Mar 2013 02:26, jw72...@verizon.net said: gpg: Total number processed: 1 gpg: imported: 1 That should be self-explaining. gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model This is the configuration of the WoT; see the man page for options to change it. gpg: depth: 0 valid: 8 signed: 25 trust: 0-, 0q, 0n, 0m, 0f, 8u gpg: depth: 1 valid: 25 signed: 1 trust: 0-, 4q, 0n, 20m, 1f, 0u You would need to look at the source. However, if you known the WoT well, you should be able to figure out what this is. For example at depth 0, you see 8 ultimately trusted keys. At the next level you obviously find no ultimately trusted keys but 20 marginal trusted and 1 fully trusted key. You should consider this a debugging output. gpg: next trustdb check due at 2013-12-31 The check run found that due to key or signature expiration a new trust check is due on that date. It is informational only, because that date is stored in the trustdb and a gpg --check-trustdb --batch before that date will conclude that this time it can be lazy and exit immediately. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpg 2.0.19-r1 with libgcrypt 1.5.0-r2 -- Segmentation Fault
On Thu, 7 Mar 2013 23:48, robertkotz2...@u.northwestern.edu said: less identical to the one that seems to be broken. I'm running Sabayon, a Sorry, I don't know Sabayon is and a version 1.5.0-r1 is not an original GnuPG version. Thus the problem may be grounded in your system or the pacthed version of GnuPG or one of its libraries. To help you, we need to know a bit more, like what CPU you use and a stack backtrace. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: key length for smart card key generation
On Fri, 1 Mar 2013 13:10, bra...@majic.rs said: Now to see if there's any way of using the OpenPGP card through PKCS#11 :) http://www.scute.org Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fix for smartcards on some newer linux distros
On Sun, 10 Mar 2013 01:10, k...@grant-olson.net said: P.S. Wonder if we can get a better error message since this really has nothing to do with unsupported certificates. Sorry, we can't do much here because gnome-keyring is hijacking the IPC between gpg and gpg-agent. The good news is that we have a tentative plan to allow gnome-keyring to drop its interference with gpg-agent. The main change we need to do is to perform a dummy pinentry call whenever we remove a passphrase from gpg-agent's cache. This way gnome-keyring can sync its own passphrase caching with the one done in gpg-agent. Thanks for writing about these problems. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Enterprise Key Management?
On Sat, 16 Mar 2013 12:36, a...@guardianproject.info said: This seems like a better application of S/MIME as it, by design, is centralized in the manner you describe. Hwever, with S/MIME you can _only_ do a centralized key management. OpenPGP allows to implement an arbitrary key management policy. The OP mentioned signing subkeys. This could for example be used to allow several employees to sign data using the same key and the recipient will notice a valid signature with a published fingerprint from the company. A closer inspection would reveal which subkey has been used for signing and this can be used for internal audit processes (similar to the QA labels with an employer number on all kind of products). Revocation of a certain subkey would also be pretty easy. I assume this would easily scale to new dozen subkeys. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG2 and IDEA
On Tue, 19 Mar 2013 11:57, chal...@gmail.com said: wget ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2 That is a pretty old version. You should move to a decent one; at least 1.4.x or better the latest 1.5.1. There is no IDEA support there, regular support is only available in the forthcoming 1.6 (you might be able to backport from master to 1.5.1) Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] Libgcrypt 1.5.1 released
On Tue, 19 Mar 2013 00:08, ou...@sympatico.ca said: Some guidance on how to set up the HMAC256 self-checking correctly might be of assistance. hmac256 is built and installed, but it This is only used for FIPS validation, which has only be done for Linux based systems. If you want to play with it, the comment at the end of src/Makfile.am may be of help. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG2 and IDEA
On Tue, 19 Mar 2013 16:56, chal...@gmail.com said: I actually managed to compile just the module and load it dynamically in gpg: I doubt that. Looking at the 2.0 branch I see this in gpg.c: case oLoadExtension: /* Dummy so that gpg 1.4 conf files can work. Should eventually be removed. */ break; Sure that you are not using 1.4? In this case 1.4.13 already includes idea support. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GET_HIDDEN deprecated in gpgv2
On Thu, 21 Mar 2013 10:22, jaimefde...@gmail.com said: I don't understand, I thought that GPA used GPGME not command line, so I dont know how I should use command-fd. I want to avoid the use of pinentry or any other external graphical tool. It is not about the command line but by complying to the protocol required by command-fd/status-fd. The common way to implement this protocol is to emply a finite state machine. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
On Mon, 25 Mar 2013 13:46, chal...@gmail.com said: is the IDEA algorithm licensed? Under which conditions am I allowed to use the idea extension in a commercial product? I assume your question is: Is the IDEA algorithm patented? It was patented and this was one or the main reasons to develop GnuPG as the free PGP replacement. Meanwhile the patent expired: * Patents on IDEA have expired: * Europe: EP0482154 on 2011-05-16, * Japan: JP3225440 on 2011-05-16, * U.S.: 5,214,703 on 2012-01-07. Thus if you have to decrypt old data you may now use a decent GnuPG versions to do that (1.4.13 or 2.x along an appropriate Libgcrypt version). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
On Mon, 25 Mar 2013 16:00, chal...@gmail.com said: I have to use GnuPG 1.4.10 and a self compiled idea.c from here You better use 1.4.13. ftp://ftp.uwsg.indiana.edu/linux/gentoo/distfiles/idea.c.gz so the question is .. can I ship the idea shared object with my software? The idea.c contains the following comments. So if I understand it You need to provide the full source code and including that file. correctly, I just have to add this somewhere in the documentation of my software. You have to follow the conditions of the GPL; see the file COPYING in the GnuPG distribution. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: IDEA License
On Tue, 26 Mar 2013 01:38, j...@berklix.com said: So to wikipedia, after Japan I appended expired 2011-05-16 I could edit in an href'd citation to wikipedia, if URL known ? I don't know; the dates are by Ulrich Müller ulm at gentoo.org Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Mail-Followup-To
On Wed, 27 Mar 2013 19:27, pe...@digitalbrains.com said: Whether you like the headers Bernstein created or not, it would seem Werner didn't want to be on the recipient list, which is why I brought it up The thing is that I put most mailing lists I am subscribed to on Gnu's message-subscribed-addresses list. This list takes care of maintaining a MFT header. Gnus will do that only if it can be sure that everyone agrees to this. Thus in most cases you will see an explicit CC anyway. MFT works only for those folks with full support of MFT and if they maintain their list of subscribed addresses well. Given that the bad habit of sending text+html alternative mails seems to be impossible to expunge [1]; I consider missing MFT handling a micro annoyance. I any case, I consider it a good idea to explicitly add a To: header to notify the addressee that this particular mail gains his attention. BTW, exmh is a nice MUA I used a long time ago and only stopped using it because back then a remote X connection was not really usable (and I didn't want to use plain mh). Shalom-Salam, Werner [1] If you often send mails to Outlook users, you may want to use the X-message-flag header to tell them about this problem. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Non-interactively create subkey?
On Thu, 28 Mar 2013 02:44, mailinglis...@hauke-laging.de said: echo addkey$'\n'8$'\n'e$'\n'q$'\n'2048$'\n'1y$'\n'save$'\n' | LC_ALL=C gpg --expert --batch --passphrase foo --command-fd 0 \ --edit-key $x_short_id Which only works with specific GPG versions; don't rely on that. The proper way to do this is a status-fd/command-fd driver handler. Or someone spends some time to extend the batch key generation to select an existing key and to only add subkey. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Mail-Followup-To
On Sat, 30 Mar 2013 03:20, j...@berklix.com said: A person at my site regularly uses an EXMH on a slow X display started from xdm, with AMD + NFS ~/mail/ on a faster server, works fine. Slow in the mid 90ies was an ISDN data rate and a high latency due to too many hops. It was barely impossible to have a stable X connection from an E1 in Frankfurt to my ISDN line in Düsseldorf. Switching to Mutt was much simpler; and it worked. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Why does gpg use so much entropy from /dev/random?
On Sun, 31 Mar 2013 11:45, philip.g.pot...@gmail.com said: Can anyone shed any light on this? Why does GPG use more entropy than /dev/random says it should? Which /dev/random - there are hundreds of variants of that device all with other glitches. Thus GnuPG has always used /dev/random only as a source of entropy to seed its own RNG: This random number generator is loosely modelled after the one described in Peter Gutmann's paper: Software Generation of Practically Strong Random Numbers.@footnote{Also described in chapter 6 of his book Cryptographic Security Architecture, New York, 2004, ISBN 0-387-95387-6.} A pool of 600 bytes is used and mixed using the core RIPE-MD160 hash transform function. Several extra features are used to make the robust against a wide variety of attacks and to protect against failures of subsystems. The state of the generator may be saved to a file and initially seed form a file. Depending on how Libgcrypt was build the generator is able to select the best working entropy gathering module. It makes use of the slow and fast collection methods and requires the pool to initially seeded form the slow gatherer or a seed file. An entropy estimation is used to mix in enough data from the gather modules before returning the actual random output. Process fork detection and protection is implemented. GPG uses ~/.gnupg/random_seed but it needs to creater it first. For generating keys it also makes sure to put in a lot of new entropy just to be safe. Better be safe than sorry (cf. the recent NetBSD problem). Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Create subkey that will expire in 10 hours
On Wed, 3 Apr 2013 18:54, di4...@nottheoilrig.com said: How can I create a new subkey that will expire in just 10 hours? When I'm prompted to specify how long the key should be valid I tried entering 10h or 0.42 but it complained that both are invalid. Enter seconds=36000 for 10 hours. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Create subkey that will expire in 10 hours
On Thu, 4 Apr 2013 12:44, pe...@digitalbrains.com said: of days, weeks, month or years. The special notation seconds=N is also allowed to directly give an Epoch value. Without a letter days are assumed. Note that there is Although I interpreted it to mean the number of seconds since the epoch. You are right, that the docs says seconds since Epoch. However, the ChangeLog from 2005-10-18 says: * keygen.c (parse_expire_string): Allow setting the expire interval using a seconds=n syntax. This is useful for debugging. So this is about an interval meaning time since creation as used by OpenPGP. That actually makes most sense for debugging. It is unfortunate that we use seconds=N in parse_creation_string meaning seconds since Epoch. I will fix the docs. Specifying the Epoch will anyway stop working in 2038 on many systems, thus it is probably not good to allow its use. If a fixed data is required, one may always specify something like 20130404T153012 for both, the creation date and the expire date. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgme fails encrypting on 64bit debian
On Wed, 10 Apr 2013 10:54, simone.pagangr...@gmail.com said: gcc -m64 -D_FILE_OFFSET_BITS=64 -g test2.c -lgpgme -L/usr/lib/x86_64-linux-gnu -lgpg-error -o test2 Why do you want to tweak gcc options if you are anyway on a 64 bit system? Also they seem to be harmelss, hast gpgme been build with the same options? What does gpgme-config --cflags --libs tell you? // test program #include stdio.h /* printf*/ #include unistd.h /* write */ #include errno.h /* errno */ #include locale.h /* locale support*/ #include string.h /* string support*/ #include stdlib.h /* memory management */ gpgme.h ist missing but below you are using constants defined by gpgme.h. char *pDest = malloc(65536); (please always check for malloc error!) p = (char *) gpgme_check_version(NULL); printf(version=%s\n,p); Don't cast without a good reason. p = (char *) gpgme_get_protocol_name(GPGME_PROTOCOL_OpenPGP); printf(Protocol name: %s\n,p); Ditto. err = gpgme_ctx_set_engine_info (ceofcontext, GPGME_PROTOCOL_OpenPGP, enginfo-file_name,enginfo-home_dir); if(err != GPG_ERR_NO_ERROR) return 5; Try first without setting a non default engine info. To debug your problem, I suggest to run the program like this: GPGME_DEBUG=9:/tmp/gpgme.log: and check the log file. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpa reports error: Unsupported Protocol
On Wed, 10 Apr 2013 23:36, je...@seibercom.net said: GPA continually displays an error screen when I start it. The screen Does gpa --disable-x509 help? Do you have gpgsm installed (run: gpgsm --version)? Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Reading key capabilities information before importing a key
On Thu, 11 Apr 2013 00:28, mailinglis...@hauke-laging.de said: 2) You import the key but direct it to a different keyring, see --keyring --secret-keyring --primary-keyring --no-default-keyring You better use a temporary directory. This is far easier than to play with all the options and it allows you to use gpgme. Another option is to import the key and then delete it if you don't want it. However, we have a --merge-only option but not a --only-new-key-option. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpa reports error: Unsupported Protocol
On Thu, 11 Apr 2013 11:53, je...@seibercom.net said: Yes, that corrects the problem, but why. Shouldn't it work without that hack? Yes. Actually I recall hat I fixed a bug related to this some time ago, but this should be in the release. Do you have any X.509 keys? gpgsm should auto-import some on the first use. If nothing helps, you need to debug it using: GPGME_DEBUG=3:/tmp/foo/gpgme.log: gpa you may need to increase the log level up to 9 to see almost everything. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpa reports error: Unsupported Protocol
On Thu, 11 Apr 2013 14:42, je...@seibercom.net said: A copy of the gpgme.log file @ level #9 is available here: It seems that GPGME has not been build with support for GPGSM. The output of configure when building gpgme should tell you this. Please try the patch for GPA below. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From 1d0c51e92875e0548968c38cca8b65ef5559cbc0 Mon Sep 17 00:00:00 2001 From: Werner Koch w...@gnupg.org Date: Thu, 11 Apr 2013 21:16:15 +0200 Subject: [PATCH] Do not bail out if libgpgme has no support for GPGSM. * src/keytable.c (first_half_done_cb): Also check for a gpgme without support for GPGSM. --- src/keytable.c |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/src/keytable.c b/src/keytable.c index a8198df..9cc3024 100644 --- a/src/keytable.c +++ b/src/keytable.c @@ -210,9 +210,13 @@ first_half_done_cb (GpaContext *context, gpg_error_t err, if (keytable-first_half_err) gpa_gpgme_warning (keytable-first_half_err); - if (gpg_err_code (err) == GPG_ERR_INV_ENGINE + if ((gpg_err_code (err) == GPG_ERR_INV_ENGINE + || gpg_err_code (err) == GPG_ERR_UNSUPPORTED_PROTOCOL) gpg_err_source (err) == GPG_ERR_SOURCE_GPGME) { + if (gpg_err_code (err) == GPG_ERR_UNSUPPORTED_PROTOCOL) +g_message (Note: Please check libgpgme has + been build with support for GPGSM); gpa_window_error (_(It seems that GPGSM is not installed.\n\n Temporary disabling support for X.509.\n\n -- 1.7.7.1 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Reading key capabilities information before importing a key
On Fri, 12 Apr 2013 03:00, mailinglis...@hauke-laging.de said: That is an inconsistent explanation. If --list-packets can show data from signatures without checking the signatures then obviously --with-colons It does not show that. It dumps the packets. The key capabilities need to be computed. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Extracting the session key using gpme?
On Mon, 15 Apr 2013 20:01, _...@lvh.io said: I need to make many existing documents available to a new recipient by revealing the session key to them (in an encrypted message, of course). I Yeah, there is long standing request to add a feature to to that directly in gpg. gpgme. The documentation does not even appear to have the phrase session There won't be support for it in GPGME. Why should we make it easy to do key escrow. If we ever add a a re-encrypt feature to gpg, if would make sense to add this to GPGME as well. But please don't demand it for the --{show,override}-session-key options. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Extracting the session key using gpme?
On Wed, 17 Apr 2013 19:38, _...@lvh.io said: Or, perhaps more specifically: what I want isn't wrong, but the only way to accomplish it is using the gpg command line tool, there are good reasons for this, and I should just use the gpg command line tool? :) Exactly. gpg has 323 commands and options and some of them have sub-options. Mapping this all to GPGME is not be justified, given that GPGME stands for “GnuPG Made Easy”. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gpgme fails encrypting on 64bit debian
On Thu, 18 Apr 2013 09:33, simone.pagangr...@gmail.com said: from the debug info is that the encryption is successful but then there's an error right after(?). Thanks for your help, it's really appreciated! Here is the interesing part (I removed the hex parts): _gpgme_io_read (fd=0x4): enter: buffer=0xea2980, count=1024 _gpgme_io_read (fd=0x4): check: [...] [GNUPG:] INV_REC _gpgme_io_read (fd=0x4): check: [...] P 10 CD6029E7DD3 _gpgme_io_read (fd=0x4): check: [...] 4991240FCFEE7D94 _gpgme_io_read (fd=0x4): check: [...] 1FEB9C37DBF71. _gpgme_io_read (fd=0x4): leave: result=62 Or as one line: [GNUPG:] INV_RECP 10 CD6029E7DD34991240FCFEE7D941FEB9C37DBF71 Now if you look into GnuPG's doc/DETAILS: *** INV_RECP, INV_SGNR The two similar status codes: - INV_RECP reason requested_recipient - INV_SGNR reason requested_sender are issued for each unusable recipient/sender. The reasons codes currently in use are: - 0 :: No specific reason given - 1 :: Not Found - 2 :: Ambigious specification - 3 :: Wrong key usage - 4 :: Key revoked - 5 :: Key expired - 6 :: No CRL known - 7 :: CRL too old - 8 :: Policy mismatch - 9 :: Not a secret key - 10 :: Key not trusted - 11 :: Missing certificate - 12 :: Missing issuer certificate Thus the key CD6029E7DD34991240FCFEE7D941FEB9C37DBF71 is not trusted. You may either sign it locally using gpg, or use the encryption flags GPGME_ENCRYPT_ALWAYS_TRUST: flags = (GPGME_ENCRYPT_NO_ENCRYPT_TO | GPGME_ENCRYPT_ALWAYS_TRUST); err = gpgme_op_encrypt(ceofcontext, key, flags, source, dest); To avoid checking the debnug log each time, you may want to add code like: err = gpgme_op_encrypt (ctx, key, GPGME_ENCRYPT_ALWAYS_TRUST, in, out); fail_if_err (err); result = gpgme_op_encrypt_result (ctx); if (result-invalid_recipients) { fprintf (stderr, Invalid recipient encountered: %s\n, result-invalid_recipients-fpr); exit (1); } You may use gpgme_op_encrypt_result even if an error is return,ed but in this case you first need to check that the returned value is not NULL. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] Libgcrypt 1.5.2 released
Hello! The GNU project is pleased to announce the availability of Libgcrypt version 1.5.2. This is a maintenance release for the stable branch. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.5.2: * Added support for IDEA. * Made the Padlock code work again (regression since 1.5.0). * Fixed alignment problems for Serpent. * Fixed two bugs in ECC computations. Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source file and its digital signatures is: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.bz2 (1.5M) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.bz2.sig This file is bzip2 compressed. A gzip compressed version is also available: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.gz (1.8M) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.2.tar.gz.sig Alternativley you may upgrade version 1.5.1 using this patch file: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.5.1-1.5.2.diff.bz2 (12k) The SHA-1 checksums are: c9998383532ba3e8bcaf690f2f0d65e814b48d2f libgcrypt-1.5.2.tar.bz2 fb54bfea3e276a366009c5a6296eb83cf5e7c14b libgcrypt-1.5.2.tar.gz 086ac76cf91987f6872cc7d5d5d33c68967e libgcrypt-1.5.1-1.5.2.diff.bz2 For help on developing with Libgcrypt you should read the included manual and optional ask on the gcrypt-devel mailing list [1]. A listing with commercial support offers for Libgcrypt and related software is available at the GnuPG web site [2]. The driving force behind the development of Libgcrypt is my company g10 Code. Maintenance and improvement of Libgcrypt and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Happy hacking, Werner [1] See http://www.gnupg.org/documentation/mailing-lists.html . [2] See http://www.gnupg.org/service.html -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpdDTcPla3Qy.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [OT] X.509 vs. OpenPGP (was: Please fix subscribe at ...)
On Fri, 19 Apr 2013 00:28, do...@dougbarton.us said: This whole thread is wildly off topic for this list. Can people please stop replying to it? Given that GnuPG provides a full X.509 managemnet tool, I don't consider this entirely off topic. However, I would appreciate if people strip the quotes, don't top post, and change the subject if it has changed. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
2.0.20 beta available
Hi, it is now more than a year since we released 2.0.19. Thus it is really time to get 2.0.20 out of the door. If you want to quickly try a beta you may use: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.20-beta118.tar.bz2 Please send bug reports only to the mailing list. Noteworthy changes in version 2.0.20 (unreleased) - * The hash algorithm is now printed for sig records in key listings. * Decryption using smartcards keys 3072 bit does not work. * New meta option ignore-invalid-option to allow using the same option file by other GnuPG versions. * [gpg] Skip invalid keyblock packets during import to avoid a DoS. * [gpg] Correctly handle ports from DNS SRV records. * [gpg-agent] Avoid tty corruption when killing pinentry. * [scdaemon] Rename option --disable-keypad to --disable-pinpad. * [scdaemon] Better support for CCID readers. Now, the internal CCID driver supports readers without the auto configuration feature. * [scdaemon] Add pinpad input for PC/SC, if your reader has pinpad and it supports variable length PIN input, and you specify --enable-pinpad-varlen option. * [scdaemon] New option --enable-pinpad-varlen. * [scdaemon] Install into libexecdir to avoid accidental execution from the command line. The code also builds for Windows and we plan to do a Gpg4win release soon after 2.0.20. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: random_seed - no locks available
On Mon, 29 Apr 2013 23:29, hhhob...@securemecca.net said: reading and it is non-blocking. Why it should be there at all when you are really locking nothing (len=0) is a bit of a mystery. The length was probably set from a file stat. len==0 means to keep a lock from the start position to the end of the file. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GPA 0.9.4 released
Hello! We are pleased to announce GPA version 0.9.4. GPA is a graphical frontend for the GNU Privacy Guard (GnuPG, http://www.gnupg.org). GPA can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys. You can find the release here: ftp://ftp.gnupg.org/gcrypt/gpa/gpa-0.9.4.tar.bz2 (713k) ftp://ftp.gnupg.org/gcrypt/gpa/gpa-0.9.4.tar.bz2.sig and soon on all ftp.gnupg.org mirrors. A binary version for Windows will soon be released as part of Gpg4win 2.1.1; see http://gpg4win.org. The SHA1 checksum for this release is: d4b22b6d1f0ce25244c5a001e3bcbc36aff13ecf gpa-0.9.4.tar.bz2 Noteworthy changes in version 0.9.4 (2013-05-01) * Added scrollbars to the verification result window. * Improved searching in the key listing. * Now uses the native theme under Windows. * The usual collecton of minor bug fixes. If you want to contribute to the development of GPA, please subscribe to the gnupg-devel mailing list [1] and read the file doc/HACKING. The driving force behind the development of GPA is my company g10 Code. Maintenance and improvement of GnuPG and related software, such as GPA, takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Many thanks to all who contributed to Libgcrypt development, be it bug fixes, code, documentation, testing or helping users. Shalom-Salam, Werner [1] See http://www.gnupg.org/documentation/mailing-lists.html . -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgpdIUQkYUFEP.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] GPGME 1.4.1 released
Hello! I am pleased to announce version 1.4.1 of GPGME. GnuPG Made Easy (GPGME) is a C language library that allows to add support for cryptography to a program. It is designed to make access to public key crypto engines as included in GnuPG easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management. Noteworthy changes in version 1.4.1 (2013-05-01) * Fixed reading of gpg.conf files with excessive use of the group option. This fixes problems using the settings dialog of GPA, Kleopatra and possible other GnuPG frontends. * Fixed building with the i686-w64-mingw32 toolchain. * Disabled FD passing by default for Apple. You may download this library and its OpenPGP signature from: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.bz2 (936k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.bz2.sig GZIP compressed tarballs are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.gz (1185k) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.1.tar.gz.sig As an alternative you may use a patch file to upgrade the previous version of the library: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.4.0-1.4.1.diff.bz2 (7k) SHA-1 checksums are: d6110763e7459214fd72705e87ebc682e3b5815e gpgme-1.4.1.tar.bz2 db5b2df70319d92711cb733ef3ee5258c14e7694 gpgme-1.4.1.tar.gz 4120127f68cfbab64f3447ec0dfa1f3484d3f693 gpgme-1.4.0-1.4.1.diff.bz2 Please send questions regarding the use of GPGME to the gnupg-devel mailing list: http://lists.gnupg.org/mailman/listinfo/gnupg-devel If you need commercial support, you may want to consult this listing: http://www.gnupg.org/service.html The driving force behind the development of the GnuPG system is my company g10 Code. Maintenance and improvement of GnuPG and related software takes up most of our resources. To allow us to continue our work on free software, we ask to either purchase a support contract, engage us for custom enhancements, or to donate money: http://g10code.com/gnupg-donation.html Happy hacking, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. pgp1qjQxC5BLW.pgp Description: PGP signature ___ Gnupg-announce mailing list gnupg-annou...@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Confusion with signature digest type.
On Thu, 2 May 2013 06:48, r...@sixdemonbag.org said: thinking of these problems, and if-and-when Werner and g10 Code decide to shift the default behaviors I'm certain it will be towards a stronger hash algorithm. We always tried to make sure that new algorithms are deployed for a long time before we make them the default. The next big change will be the switch to ECC and we not even have a real GnuPG release with. I expect that in a few years we can/need to switch to ECC and with that the end of signing SHA-1 digests will have come. Given that you need to create a new key anyway, the hash algorithm will be a non-brainer then. The special cases which Daniel constructed are, well, special cases and not the common use of signatures. People designing such a system should really consult with an expert to come up with a proper plan on how to implement that system. And that plan should include a discussion of used algorithms and threat models. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] GPA 0.9.4 released
On Thu, 2 May 2013 00:56, ou...@interlog.com said: w - does the new GPA work with win7-64? Sure it has always worked with it. What does not work with 64 bit versions of Windows is GpgOL (Outlook plugin) [1] and GpgEX (Explorer plugin). If you encountered a problem with GPA in the 1.1.1-beta installer from last year: This was my fault: I forgot to port a patch for glib to the there included updated glib version. Salam-Shalom, Werner [1] It also does not work with any version of Outlook 2010. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Suggest please
On Fri, 3 May 2013 14:29, kibl...@gmail.com said: It is not appropriate for us to have several public-private-keys. Although I don't consider this a good idea: You may give a copy of the private key to all persons who need to decrypt the files. In general such a group owned private key is not a good idea but it is commonly done nevertheless. gpg --export-secret-key FINGERPRINT privatekey.gpg and gpg --import that privatekey.gpg on the machines which need to decrypt. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Web of Trust in Practical Usage
On Sun, 5 May 2013 08:43, ndk.cla...@gmail.com said: But since the slow part of key generation is the primes selection, you could speed it up just recycling primes from different keys. 2.1 already does something similar. Because the keys are generated by the gpg-agent daemon the prime cache in Libgcrypt is actually used: Libgcrypt first generates a pool of smaller primes and then tries permutations of them to find a suitable strong prime. The unused small pool primes are then put into a cache and used for the next prime generation. Anyway, with the move from RSA to ECC, we don't need the secret primes anymore. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Libgcrypt (hopefully not OT)
On Fri, 3 May 2013 23:27, robe...@broadcom.com said: I am using Libgcrypt 1.5.2 with gcc v 4.5.3 on Cygwin to use the MPI functions. Can you please provide some guidance on how to handle signed and negative MPIs? I cannot seem to get a negative MPI, which Negative numbers are supported by the MPI subsystem but a rarely used. There is a macro mpi_is_neg to test for it. We have no explict function to negate an MPI. You would need to resort to somthing like void make_negative (gcry_mpi_t value) { gcry_mpi_t zero = gcry_mpi_new (0); gcry_mpi_sub (value, zero, value); gcry_mpi_release (zero); } Not pretty elegant or fast given that it only needs to toggle a bit. For the use of some macros the sign bit is exposed, so you could use a bad hack to do it faster. As an alternative, Is it possible to use the ecc functions with a custom random number generator algorithm? Are you looking into deterministic DSA, similar to the draft-pornin-deterministic-dsa-01 I-D? We recently started a discussion on gcrypt-de...@gnupg.org about this. That ML would anyway be a better place for your questions. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: How can I extract the --embedded-filename for scripting?
On Wed, 8 May 2013 13:36, pe...@digitalbrains.com said: couldn't use standard out. This is a crude way to get the status-fd stuff in a file as you mention: $ gpg --status-fd 3 --use-embedded-filename foo.gpg 3foo.status That is not crude but a standard Unix pattern. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 2.0.20 on osx
On Sat, 11 May 2013 20:05, so...@dersonic.org said: any suggestions? Yes, please apply the patch below. Seems nobody tried to build the beta on an Apple. Salam-Shalom, Werner From 8ddf604659b93754ffa6dea295678a8adc293f90 Mon Sep 17 00:00:00 2001 From: Werner Koch w...@gnupg.org Date: Thu, 25 Apr 2013 12:00:16 +0100 Subject: [PATCH] Fix syntax error for building on APPLE. * scd/pcsc-wrapper.c [__APPLE__]: Fix syntax error. -- For W32 and probably for Cygwin we don't need the wrapper, thus the problems does not exhibit itself. --- scd/pcsc-wrapper.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/scd/pcsc-wrapper.c b/scd/pcsc-wrapper.c index 7d9415a..f3d92ff 100644 --- a/scd/pcsc-wrapper.c +++ b/scd/pcsc-wrapper.c @@ -66,7 +66,7 @@ static int verbose; #if defined(__APPLE__) || defined(_WIN32) || defined(__CYGWIN__) -typedef unsinged int pcsc_dword_t; +typedef unsigned int pcsc_dword_t; #else typedef unsigned long pcsc_dword_t; #endif -- 1.7.7.1 -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users