Re: Error importing fetching key from wkd

[Dirk Gottschalk via Gnupg-users]

Hello Todd.

Am Samstag, dem 28.05.2022 um 16:14 -0400 schrieb Todd Zullinger via
Gnupg-users:
> Hi,
> 
> Werner Koch via Gnupg-users wrote:
> > On Wed, 25 May 2022 22:58, Dirk Gottschalk said:

[...]
> 

> > Note the Brainpool curves.  Seems that Redhat still patches them
> > out of
> > libgcrypt.
> 
> The question of whether these curves can be kept in Fedora
> was brought up on the fedora-legal list some time ago.  The
> most recent status update¹ from Fedora Project Leader
> Matthew Miller on January 28, 2022 says:
> 
>     So, these things move slowly, but this _is_ being
>     worked on. I'll let you know when I can.
> 
> That sounds midly hopeful.  With luck, the curves will be
> cleared for inclusion (at least eventually, even it not
> terribly soon).

A workaround for this is to download the SRPM, remove the line '--
disable-brainpool' and rebuild the package. 

Regards,
Dirk

-- 
Dirk Gottschalk

GPG key Fingerprint: 7C5B 9D53 EED5 C7B3 A291 D5AA 086B 3660 27E3 5D06
Keyoxide: https://keyoxide.org/7C5B9D53EED5C7B3A291D5AA086B366027E35D06


GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error importing fetching key from wkd

[Dirk Gottschalk via Gnupg-users]

Hello Werner.

Am Samstag, dem 28.05.2022 um 20:29 +0200 schrieb Werner Koch:
> On Wed, 25 May 2022 22:58, Dirk Gottschalk said:
> 
> > $ gpg --with-colons --list-config curve
> > cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;se
> > cp25
> > 6k1
> 
> This should read
> 
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brai
> npoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1
> 
> Note the Brainpool curves.  Seems that Redhat still patches them out
> of
> libgcrypt.

Yes, they really do '--disable-brainpool' in the .spec file. Thank you
very much for this hint.

I did a custom Rebuild of the package after modifying the .spec and now
everything woks as expected.


Kind regards,
Dirk

-- 
Dirk Gottschalk

GPG key Fingerprint: 7C5B 9D53 EED5 C7B3 A291 D5AA 086B 3660 27E3 5D06
Keyoxide: https://keyoxide.org/7C5B9D53EED5C7B3A291D5AA086B366027E35D06


GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Error importing fetching key from wkd

[Dirk Gottschalk via Gnupg-users]

Hello.

IO tried to fetch a key from WKD, in this case the key of Werner Koch.
Everytime I try this I get the following error:

---
$ LANG=C gpg -v --locate-key w...@gnupg.org 
gpg: pub  ed25519/63113AE866587D0A 2018-09-28  w...@gnupg.org
gpg: error writing keyring '/home/dgottschalk/.gnupg/pubring.kbx':
Unknown elliptic curve
gpg: error reading '[stream]': Unknown elliptic curve
gpg: Total number processed: 0
gpg: error retrieving 'w...@gnupg.org' via WKD: Unknown elliptic curve
gpg: error retrieving 'w...@gnupg.org' via DANE: No name
gpg: error retrieving 'w...@gnupg.org' via ?: No name
gpg: Total number processed: 0
gpg: auto-key-locate found fingerprint
A4D94E92B0986AB5EE9DCD755DE249965B0358A2
gpg: error retrieving 'w...@gnupg.org' via DNS CERT: No public key
gpg: data source: https://keys.openpgp.org:443
gpg: error retrieving 'w...@gnupg.org' via keyserver: No data
gpg: error reading key: No data
---

Any hints what happens there?

This also happens when I use an empty Keybox with this commnd:
$ gpg -v --no-default-keyring --keyring=test/keyring.kbx --locate-key
w...@gnupg.org 

My GnuPG-Version knows ed25519 as you can see below:
---
$ gpg --with-colons --list-config curve
cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp25
6k1
---

My GPG-Version:
---
$ gpg --version --no-greeting 
gpg (GnuPG) 2.3.6
libgcrypt 1.10.1-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/dgottschalk/.gnupg
Unterstützte Verfahren:
Öff. Schlüssel: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
   CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2
---

Thank you in Advance.

Kind Regards,
Dirk

-- 
Dirk Gottschalk

GPG key Fingerprint: 7C5B 9D53 EED5 C7B3 A291 D5AA 086B 3660 27E3 5D06
Keyoxide: https://keyoxide.org/7C5B9D53EED5C7B3A291D5AA086B366027E35D06


GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Five volunteers needed (EU only please)

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Montag, den 05.10.2020, 17:37 +0200 schrieb Stefan Claas:
> Hi all,
> 
> while I did some JAB-Code experiments with MMS, to send GnuPG
> messages with a dumb
> phone, I came up now with a new idea. :-)
> 
> For that I need five people who are willing to share with me their
> postal address.
> You can send me your address GnuPG encrypted. I will not store your
> address on my
> computer and will delete your email, once I received it.
> 
> My new idea is to send encrypted postcards or letters, with an NFC
> tag attached,
> containing a GnuPG clearsigned test message. I like to see if the
> postcards will
> arrive in proper condition, so that the NFC tags are still readable.
> [...]

For this test I would suggest to not use NFC stickers or anything like
that. I would suggest using plastic cards with embedded NFC Tags.

The reason for my suggestion. I'm working at a company which creates
and sells solutions for european transportation and logistics
companies. We use NFC tags for a drivers license check. These are
stickers on the drivers license card to check if it is available.
Removing them from the card destroys them. We now had multiple times
the problem that those stickers were dead on arrival. We did a fw tests
ans saw that the problem occurs only after the tags were on the postal
way. Perhaps some strong magnetic fields in the postal systems, or
anything like that.

Now as we send and receive those tags in boxes, we didn't have Problems
anymore.

Cards never had this problem, as far as I can tell.

The Tags should have enough memory to take encrypted messages. I think
at least 12k. The more memory, the longer can the message be.

Another benefit of using plastic cards instead of sticker tags is: They
are reusable.

Kind regards,
Dirk

-- 
Dirk Gottschalk

GPG key Fingerprint: C8F4 4499 861E D5B7 66FC  18F5 8E34 AF58 6574 32C8
Keyoxide: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Fresh certificate marked as expired / messed-up certificate chain pulling expired root cert in gpgsm

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Donnerstag, den 18.07.2019, 18:33 +0200 schrieb Dr. Thomas Orgis:
> Certified by
>ID: 0x61A8CF44
>Issuer: /CN=Deutsche Telekom Root CA 2/OU=T-TeleSec Trust
> Center/O=Deutsche Telekom AG/C=DE
>   Subject: /CN=T-TeleSec GlobalRoot Class 2/OU=T-Systems Trust
> Center/O=T-Systems Enterprise Services GmbH/C=DE
>  validity: 2016-04-25 09:01:39 through 2019-07-09 23:59:59
>  chain length: unlimited
> Certified by
>ID: 0x8CDE37BF
>Issuer: /CN=Deutsche Telekom Root CA 2/OU=T-TeleSec Trust
> Center/O=Deutsche Telekom AG/C=DE
>   Subject: /CN=Deutsche Telekom Root CA 2/OU=T-TeleSec Trust
> Center/O=Deutsche Telekom AG/C=DE
>  validity: 1999-07-09 12:11:00 through 2019-07-09 23:59:00
>  chain length: 5

This is the issue here. These two certs of DTAG (Telekom) are exired
and that's the reason why gpgsm is complaining correctly.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent systemd user service [was: Re: GnuPG and SSH_AUTH_SOCK value]

[Dirk Gottschalk via Gnupg-users]

Am Mittwoch, den 26.06.2019, 07:47 +0200 schrieb Matthias Apitz:
> El día martes, junio 25, 2019 a las 11:12:43a. m. -0400, Daniel Kahn
> Gillmor escribió:

> > On Tue 2019-06-25 13:07:03 +0200, Dirk Gottschalk via Gnupg-users
> > wrote:
> > > This is my $HOME/.config/systemd/user/gpg-agent.service:

> > If you're using gpg-agent as a systemd user service, please use the
> > systemd unit files (.service and .socket definitions) that ship
> > with
> > GnuPG itself.
> > 
> > ...

> Thanks for all the helping hands and hints about systemd(8), but
> FreeBSD
> normally does not run/use this. AFAIK, there is not even an official
> port of it in the FreeBSD's ports collection.

I'm sorry, I overread that you are asking about FreeBSD. I had just
Linux in mind. Did't want to steal your time.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

[Dirk Gottschalk via Gnupg-users]

Hello Vicent.

I read your explainations and will shorten them up to the points I want
to reply to.

Am Donnerstag, den 27.06.2019, 03:18 +0200 schrieb Vincent Breitmoser
via Gnupg-users:

> > (2) ‘processing’ means any operation or set of operations which is
> > performed
> > on personal data or on sets of personal data, whether or not by
> > automated
> > means, such as collection, recording, organisation, structuring,
> > storage,
> > adaptation or alteration, retrieval, consultation, use, disclosure
> > by
> > transmission, dissemination or otherwise making available,
> > alignment or
> > combination, restriction, erasure or destruction;

> This is most certainly what we are doing.

> So assuming that e-mail addresses are personal data, and we process
> this data, there is an (exhaustive!) list of possible situations in
> which we are lawfully allowed to do so, two of which can potentially
> apply. Article 6:

> > 1. Processing shall be lawful only if and to the extent that at
> > least one of the following applies:

> > (a) the data subject has given consent to the processing of his or
> > her
> >personal data for one or more specific purposes;

> > (...)

> > (e) processing is necessary for the performance of a task carried
> > out in the public interest (...);

> The first is clear - if we have consent, we're good. The second
> *could* possibly be argued, but I have a hard time believing the
> haphazard handling of e-mail addresses on traditional keyservers
> serves the public interest. Even if we did assume this, there is the 

As one of the lawyers I work for told me, the consent could be
implicated by the users upload, therefor there must be the mechanism
that users can only upload their own keys, so consent is guaranteed.

> "right to object", which allows data subjects to object to the use of
> their data. Article 21:

> > 1. The data subject shall have the right to object, (...) to
> > processing of personal data concerning him or her which is based on
> > point (e) or (f) of Article 6(1), (...). The controller shall no
> > longer process the personal data unless the controller demonstrates
> > compelling legitimate grounds for the processing which override the
> > interests, rights and freedoms of the data subject (...).

> All in all, I find it pretty clear that GDPR does apply to processing
> of e-mail addresses on public keyservers. There are various nuanced
> conclusions one may draw, for example "it applies, but you probably
> won't get sued, so just keep on running them pool servers". It is
> unclear to me how one could look at this and conclude that keyservers
> aren't affected by GDPR.

The User knows how and why the data is processed, if he uploads his key
to the server. A deletion has to be possible by the regulation, SKS
lacks this mechanism. I haven't tested the new server yet, but I'm
planning to do this in the next day. As far as I read, deletion is
possible there.


> > and the, say, German implementation

> GDPR is a [regulation], not a [directive]. As such, it is an
> immediately enforcable law that does not require a per-country
> implementation to be effective.

Yes and no. The EU construct is a little bit strange in this manner,
but GDPR was transferred into german law by the renewal of the BDSG
last year.

> > along with relevant commentary to show why this is a legal
> > requirement.

> I'm aware of work on this by folks with legal background, but due to
> funny academic publishing culture I'm not at liberty to
> share. Hopefully something will be available to the public soon.

Oh yes, academic publishing culture is indeed a little strange. 

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg-agent systemd user service [was: Re: GnuPG and SSH_AUTH_SOCK value]

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Dienstag, den 25.06.2019, 11:12 -0400 schrieb Daniel Kahn Gillmor:
> On Tue 2019-06-25 13:07:03 +0200, Dirk Gottschalk via Gnupg-users
> wrote:
> > This is my $HOME/.config/systemd/user/gpg-agent.service:

> If you're using gpg-agent as a systemd user service, please use the
> systemd unit files (.service and .socket definitions) that ship with
> GnuPG itself.

Sorry, I didn't even know there are such files. I just used the
packages from Fedora and didn't look deeper into the packages. Thanks
for your Comment.


> If the standard upstream service doesn't work for you for some
> reason, please explain why it doesn't work for you, and report it as
> a bug so that we can fix it for everyone.

I'll test them this evening, thanks againm.


> While you're of course free to use custom variants like this for
> yourself, please don't recommend that other people use them, because
> it makes it much more difficult for the GnuPG project to support
> other users.

I didn't know about them and have not seen thgem in the source tree.
Pure blindness I think.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Dienstag, den 25.06.2019, 17:54 +0200 schrieb Vincent Breitmoser:
> > The Upload should be restricted to the key owner in some way.

> We restrict upload of user ids to the owner of the user id,
> identified by email verification. Non-identity data (subkeys,
> revocations, ...) can be freely distributed, but only with a verified
> self-signature.

That's what I had in mind.

> Is there any other mechanism you can come up with to allow upload by
> the owner of some key data or email addresses, but not others?

Additionally some kind of authentication mechanism would be required to
avoid fake uploads like just a faked sender address. I implicated this
wordless. Other mechanisms could be possible but I don't have any
special thoughts regarding this at the moment.


> > I didn't consider it until you mentioned ist. A good idea, thanks.

> Great! I've been getting generally positive feedback about this idea,
> perhaps we should look into that more seriously.

Yes, I agree.


> > Theres simply one point: "If you do not want your email to be
> > public, don't upload your key to a server."

> What if I upload your key to a server though? Keep in mind this is
> not just a "nice to have", it is a legal requirement.

This would not be poissible with an authentication mechanism. See
above. Only the owner should be able to modify his key or make
ammendements. Probably except for revocations, in somne cases.

> > In my opinion, the UID is essential for the Keys, except of M2M
> > Usage.
> > (...)
> > No. But if I want to sent you an email and want to encrypt it on a
> > machine with an empty keystore, shouldn't I be able to fetch your
> > key
> > by Address?

> Of course! And we do support that, given consent from the owner of an
> address. Without that, only non-identity data (still enough for M2M)
> is distributed.

M2M keys don't need a UID at all. I made such keys für my automatic
backups and for some of the telematics solutions I work on. We use them
only to encrypt, sign and send tachograph data files which are sent to
our customers by email, for example.


> > It could be realized by exact match

> This is exactly what we do. :)

So you support key search, this is a good point. And it ind of changes
my opinion about the new servers. I didn't have the time to dig deeper
into this new server and my opinion is based upon the things I read on
the list. So this discussion is really helpful.

Just the point of a centralized server is a thing that is not good in
my opinion, but there should and will be a way to implement a
distributed system into this project. A synchronizatio´n mechanism has
to be well overthought, that's one point, but technically there are
some ways to implement a secure and stable mechanism to achieve
distribution. This is a point which should be considered.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

[Dirk Gottschalk via Gnupg-users]

Am Dienstag, den 25.06.2019, 16:30 +0200 schrieb Vincent Breitmoser:
> > Hi @ll.

> Hi Dirk,

> thanks for your thoughts!

> > I don't think it's such a good idea to drop Signatures on keys.

> As mentioned in our FAQ, the reason we don't support those is that
> with the SKS model, anyone can attach arbitrary data to others'
> keys.  It's hard to overstate how problematic that is. I can just add
> a megabyte or fifty of data to your key.

The Upload should be restricted to the key owner in some way. That
would mitigate this Problem and it should help against a key mess up I
made a short while ago. 

> There are solutions that still allow for some of the TPS-based use
> cases, but until there is at least some agreement on how to proceed,
> we decided against supporting them.

TPS? Okay, it's warm and I don't get this. But yes, a minimal agreement
about the procedures would at least be neccessary.


> Free distribution of arbitrary TPSes is quite simply not a viable
> model for any keyserver. The discussion shouldn't be about liking or
> disliking them, it should be about what alternatives could be.

That's right. As told, SKS is far away from perfect and your solution
goes the right way. Nothing prevents the implementation of, let's say
key signatures in further versions or different versions to be used in
environments on an in house server.


> I see from your signing policy that you do a caff-style workflow.
> Have you considered the option to have keys cross-sign third party
> signatures for publication? It's a very slight switch in tooling if
> we assume a caff workflow, but that way each key remains in control
> of the public version of itself.

I didn't consider it until you mentioned ist. A good idea, thanks.


> > Also the centralized Approach is a no go in my opinion.

> The open federation model of SKS means all email addresses are
> enumeratable. That's a privacy no-go in my opinion, which people have
> gotten surprisingly used to in this community.

Isn't verifying the origination of an Email, including the address, one
of the PGP approaches? Theres simply one point: "If you do not want
your email to be public, don't upload your key to a server."

If I didn't want my address to be known by others, I shouldn't post to
an open ML. Same thing in my opinion.


> I can imagine a closed federation model, where we have a handful of
> operators but still don't need to have personal information of our
> users in the open.

In my opinion, the UID is essential for the Keys, except of M2M Usage.


> Maybe we'll move in that direction once the dust has settled a bit.
> The keyserver ecosystem has been stagnant in more than a decade, so..
> one step after another.

Yes, the key servers (SKS) have come of age and some things weren't "on
the radar screen" of it's developers for various reasons.


> > Even removing the ability to search for keys by UID is a thing I
> > don't like.

> Why not? Do you think "find all Dirks on the keyserver" is a valid
> use case that should be supported?

No. But if I want to sent you an email and want to encrypt it on a
machine with an empty keystore, shouldn't I be able to fetch your key
by Address? It could be realized by exact match of the email address
instead of spitting everything out that comes near to the requested
string.

Just my 2 cents and I am open to discuss benefits and downsides.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: New keyserver at keys.openpgp.org - what's your take?

[Dirk Gottschalk via Gnupg-users]

Hi @ll.

Am Freitag, den 14.06.2019, 10:12 +0200 schrieb Oscar Carlsson via
Gnupg-users:
> Hi,

> I'm generally curious on your opinions on the latest new keyserver,
> this 
> time running a new software than the normal keyservers.

> They seem to have a different model which minimize the amount of 
> information available, to be compliant with GDPR and friends. Do you 
> think there are any downsides to this?

Unfortunately I promised to Werner to not get political anymore about
the EU and GDPR thingies.

To the Server you're Mentioning:

I don't think it's such a good idea to drop Signatures on keys.
Validating the KEys and it's packet would mitigate many of the SKS
issues. But some people and solutions rely on the signatures.

Okay, running an in house keyserver might be an option for this
situations.

Also the centralized Approach is a no go in my opinion.

Reading this thread, I feel like I've done a time travel, back to the
times where people distributed their keys over the usenet due to the
lack of keyserver dunctionality. Keyservers like the desribed one is
less than useless in my opinion.

Even removing the ability to search for keys by UID is a thing I don't
like. But that's the GDPR panic. Yes, I know, no politics from the
angry guy. ^^

So, it's pretty hot here. Werner must have turned on the Heater. I'll
be quite now. :D

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG and SSH_AUTH_SOCK value

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Sonntag, den 23.06.2019, 10:21 + schrieb Matthias Apitz:
> El día sábado, junio 22, 2019 a las 09:47:12a. m. +0200, Werner Koch
> via Gnupg-users escribió:
> 
> > That seems to be deep in the innards of KDE's X startup or Wayland
> > or
> > Systemd configuration.  I try to avoid all this and use the old
> > fashioned but easy to debug ~/.xsession
> 
> I'm used to use 'startx' and ~/.xinitrc to bring up Xorg+KDE:
> 
> $ cat ~/.xinitrc
> 
> # set SSH_AUTH_SOCK
> #
> unset SSH_AGENT_PID
> unset SSH_AUTH_SOCK
> SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)";
> export SSH_AUTH_SOCK
> echo SSH_AUTH_SOCK: $SSH_AUTH_SOCK  >> /tmp/xinit 
> #
> setxkbmap de,us -option terminate:ctrl_alt_bksp
> xrandr --output default --mode 1366x768
> /usr/local/bin/xbindkeys
> exec ck-launch-session startkde
> 
> The idea is to set env var SSH_AUTH_SOCK correctly for all the
> xterm/urxvt
> processes "below" KDE. But, before the start of KDE (last line) the
> SSH_AUTH_SOCK is still 
> /home/guru/.gnupg-ccid/S.gpg-agent.ssh
> and later when KDE is up the 'gpgconf --list-dirs agent-ssh-socket'
> returns /var/run/user/1001/gnupg/d.m4rfaasqebhjmgto9ddm6m7y/S.gpg-
> agent.ssh
> i.e. the env var SSH_AUTH_SOCK is set wrong and I have to reset it
> in any terminal.

I am not running KDE, but Gnome. For my case I have a SystemD user
service which starts a gpg-agent instance in background and sets the
environment variables for the user on login. Originally I found this
solution on the internet and I adapted it for my usecase with a few
modifications.

GPG doesn't start the agent becuse there is already a running instance
and the authentication socket is available. SSH authentication, gpg and
all other things work just fine.

If this is what you want to achieve and if you want to have a look at
this, tell me and I'll send you the needed Files.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac




signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG and SSH_AUTH_SOCK value

[Dirk Gottschalk via Gnupg-users]

Hi.

Additionally to my previous reply:

This is my $HOME/.config/systemd/user/gpg-agent.service:
---
[Unit]
Description=GnuPG Agent
IgnoreOnIsolate=true

[Service]
Type=forking
Environment=SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh
ExecStart=/usr/bin/gpg-agent --homedir %h/.gnupg --enable-ssh-support
--daemon
ExecStartPost=/usr/bin/systemctl --user set-environment
SSH_AUTH_SOCK=${SSH_AUTH_SOCK}

[Install]
WantedBy=default.target
---

There one could add the home directory for GnuPG, if needed.

Regards,
Dirk

-- 
Dirk Gottschalk

GPG: 4278 1FCA 035A 9A63 4166  CE11 7544 0AD9 4996 F380
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Identifying one of multiple authentication subkeys

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Samstag, den 16.03.2019, 11:11 +0100 schrieb Peter Lebbing:
> (By the way, as you can see in the ssh-keygen output, my key actually
> has a comment field in the gpg-agent. It was imported from an on-disk
> OpenSSH file, that's where it came from. I don't know a way to have a
> comment field for a key generated with gpg, although I could probably
> hack it in in the private key store. Let's not do that.)

In the output from --export-ssh-key is also a comment field. This
fieldd, in my case shows: openpgp:0xF852DAEE

This should be enough to identify the key. It is the short ID of the
referred authentication subkey.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: 4AAB BDA8 C34D 3037 DA6B  7DF9 BB6A A254 DF10 8952
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg > addphoto

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Donnerstag, den 10.01.2019, 19:33 +0100 schrieb Stefan Claas:
> On Thu, 10 Jan 2019 18:38:36 +0100, 
> dirk.gottschalk1...@googlemail.com wrote:

> Hi Dirk,

> > Am Donnerstag, den 10.01.2019, 16:23 +0100 schrieb Stefan Claas:
> > And this prevents also prevents an unintended DoS which means a
> > very big key by mistake. It's okay to allow the generation of
> > everything a user wants, especially in open source software where
> > everybody can change the values. A hard limit would make no sense
> > at all.

> Just wondering, have you ever used other (more modern) open source
> crypto software, which have hard limits and still get's the job done?

Yes, there sure is, but, as long as the tool is open source and anybody
who wants to change the limit to his own, such limits are useless.

Regarding to this, the Parameter is applied to avoid reading  larger
Packets than 16M for importing and so on, on the client side. So, if a
'bad guy' alters his version of GPG in a way to create such abusive
keys, the other users with an unaltered version should not get into
trouble with such a key.

Okay, it's quite possible to set this read limit down to, let's say,
8M, but I think 16M is a good limit to avoid hanging and other side
effects with a way to large key.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GnuPG: Bad Passphrase (try 2 of 3)

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Montag, den 07.01.2019, 13:53 +0100 schrieb Matthias Apitz:
> Hello,
> 
> I've GnuPG 2.1.12 on my mobile device (without any OpenPGP card) and
> generated there a new secret key to encrypt credentials I'm using on
> this device. I was a bit surprised reading (after entering a bas
> passphrase for testing):
> 
> Note: This is not with the PIN of an OpenPGP-card. What would happen
> exactly after the 3rd bad value? Destroy of the key or my device? :-)

Nothing happens, the running process will just be aborted after the
third try.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Feature proposal - image encryption

[Dirk Gottschalk via Gnupg-users]

Am Sonntag, den 06.01.2019, 23:42 +0100 schrieb Stefan Claas:
> On Sun, 06 Jan 2019 23:19:24 +0100, Dirk Gottschalk wrote:

> Hi Dirk,

> > > GnuPG is world standard for email and probably file encryption,
> > > so
> > > why not for image encryption too? :-)  
> > > At least it would not hurt to have such feature in GnuPG. ;-)  

> > Except for the weeks, months, or years, which were needed to
> > firstly implement the JPeg format, for example and the other ten
> > millions of picture formats out there in the world. ;)

> PNG is imho the current standard for Internet usage. Jpeg with its
> compression artifacts and other formats are also mentioned as not
> recommended to use with ImageMagick encryption.

Yes, I read it earlier. But, the picture formats have to be inplemented
anyways. and GPG is not intended to do this kind of file processing.

By the way, AFAIT it was you who said, GPG has to much functions and
options. ^^

Just kidding.


> > I see what you mean regarding to promotion and so on. But, under
> > the
> > line, it's not worth the trouble. ^^

> Well, it is Werner's baby, so not my job to decide. It was only a
> proposal and not meant as a must have request. 

Yes, it is Werners, and the rest of the core teams, decision. But this
does not keep us away from discussing such things.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Feature proposal - image encryption

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Sonntag, den 06.01.2019, 23:12 +0100 schrieb Stefan Claas:
> On Sun, 06 Jan 2019 22:13:50 +0100, Dirk Gottschalk wrote:

> Hi Dirk,

> > I don't think GPG should start to mangle with other data formats.
> > ImageMagick does the trick. Why should we invent the wheel a second
> > time?

> My thinking is that people using security tools like GnuPG might
> not trust tools from graphic tools programmers. And the second
> thought is in case GnuPG would allow this people like us could
> promote GnuPG for that in Computer Graphics communities and
> in other places, which are much bigger than encryption communities.

So, just encrypt a file the usual way with GPG. ^^

I see, what you're talking about. It's the Embedding into websites,
what IM mentions. But, why should somebody distrust the aes
implementation of an open source tool? Everybody can read the source,
if he wants. I believe they just use one of the crypto-libraries
available, like libcrypt, or libgcrypt, for example.


> GnuPG is world standard for email and probably file encryption, so
> why not for image encryption too? :-)

> At least it would not hurt to have such feature in GnuPG. ;-)

Except for the weeks, months, or years, which were needed to firstly
implement the JPeg format, for example and the other ten millions of
picture formats out there in the world. ;)

I see what you mean regarding to promotion and so on. But, under the
line, it's not worth the trouble. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Feature proposal - image encryption

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Sonntag, den 06.01.2019, 12:33 +0100 schrieb Stefan Claas:
> On Sun, 6 Jan 2019 11:11:42 +0100, Stefan Claas wrote:
> > Hi Werner and all,
> > 
> > while looking for solutions to encrypt images, so that
> > they are still viewable, i thought why not asking if such
> > a feature could be implemented in the future in GnuPG.
> > 
> > Here is a sample image, encrypted with the free Software
> > ImageMagick, using the AES Cipher.
> > 
> > https://postimg.cc/LJt8NRW2
> 
> And while thinking about a compromised Computer...
> 
> Maybe it would be also very nice if the Pinentry program
> would allow in the future also mouse input via an additional
> virtual keyboard, like for example the software for the
> Kanguru Defender 3000 USB stick has. Thus in case of such
> a scenario one would simply draw a message, in let's say
> the free Gimp software, encrypt the image and voilá a secret
> message could still be created and send, imho.

A virtual keyboard does not mitigate the vulnerability to key loggers
or similar sniffing technologies. One could still be able to observe
the data exchange between processes as long they are not isolated.

I don't think GPG should start to mangle with other data formats.
ImageMagick does the trick. Why should we invent the wheel a second
time?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP card: how to lock the card again so that PIN is required

[Dirk Gottschalk via Gnupg-users]

Hello Matthias.

Am Dienstag, den 01.01.2019, 08:36 +0100 schrieb Matthias Apitz:
> Hello,

> This is with gnupg-2.2.12 and pcsc-lite-1.8.23. After an update of
> the System (FreeBSD CURRENT) the /usr/local/sbin/pcscd does no work
> anymore with the OpenPGP card (HID Global OMNIKEY 6121 Smart Card
> Reader) after withdraw and re-insert. It works fine after boot, I
> have to enter the PIN to unlock the card and all tested functions are
> working.

Did you check the config for pcscd? Probably it was overwrittenby the
update process.


> I have to investigate this further or change the 'scdaemon' to let it
> directly access the OpenPGP bypassing the 'pcscd' (comments on this
> are welcome).

You can use the internal ccid-reader of scdaemon. This should work with
the OmniKey readers, AFAIK. You have to disable PC/SC, oherwise this
won't work.


> How can I meanwhile 'reset' the OpenPGP card so that on next request
> for the secrets (decrypt, signing, ssh) the PIN is requested?

For the signature PIN just enable the forcepin option as admin with
--card-edit. The for the other functions you need to power cycle the
card, easiest done by removal and re-insertion.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: A question about WKD

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Dienstag, den 01.01.2019, 13:19 +0100 schrieb Stefan Claas:
> On Sat, 29 Dec 2018 20:18:54 +0100, Wiktor Kwapisiewicz via Gnupg-
> users wrote:
> > On 29.12.2018 15:48, Stefan Claas wrote:
> > > Hi all,

> > Just create more files in .well-known/openpgpkey/hu directory.

> since my current WKD key is a temporary key i would like to know
> for best practice the following:

> In a couple of days i will receive my Kanguru Defender 3000 USB stick
> and then i will create a new key pair and put it on the stick, along
> with other things. This key will then also be signed by Governikus.

> Because WKD currently does not cover revocation certs i would like
> to know how to continue. Should i upload then my revoked temp
> key to SKS or should i simply replace the keys. If possible i would
> like to avoid SKS usage in the future.

> Does GnuPG detects when i use a new WKD pub key, once i signed
> a new message?

I would at least publicate the revocation via the SKS servers.

GPG searches all keys on the SKS-Servers, regardless of their origin.
So during a refresh the revocation is added to the keyring, AFAIK.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg - difference --encrypt-to and --recipient

[Dirk Gottschalk via Gnupg-users]

Hello Damien.

Am Montag, den 31.12.2018, 12:45 + schrieb Damien Goutte-Gattat:
> On Mon, Dec 31, 2018 at 07:17:21AM +0100, Dirk Gottschalk via Gnupg-
> users wrote:
> > Yes, that's correct. Anyways, I prefer using the --hidden-recipient 
> > for this purpose. That prevents the disclosure of the communication
> > paths with pure GPG-Packet analysis.

> You do realize that, in the case of e-mail, the communication paths
> are already disclosed by the SMTP protocol (command "RCPT TO") and
> the mail headers ("From", "To", and the like), which both are outside
> the scope of OpenPGP protection?

Yes, sure I do. But referencing the command line options, I thought he
was speaking about encryption of files. In this case, it could be of
(even if small) benefits to avoid the disclosure of the path.


> Using --hidden-recipient only protects against an hypothetic attacker
> who is somehow only able to obtain the email body (the OpenPGP
> message itself) without the surrounding metadata.

That's correct. As told, I was talking about encrypted files. If you
upload en encrypted file to a cloud service, for example, it could be a
good idea to encrypt only to hidden recipients. Security my obscurity
is not everytime a bad thing. ;)

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg - difference --encrypt-to and --recipient

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Sonntag, den 30.12.2018, 22:40 +0100 schrieb Stefan Claas:
> On Sun, 30 Dec 2018 18:05:37 +0100, Gernot Pokorny wrote:
> Hi,
> 
> > What is the difference between --encrypt-to and --recipient and
> > what are the advantages and disadvantages of using one over the
> > other, which one should you use for encrypting your own files and
> > what does the following mean?

> > --encrypt-to ... The key specified by name is used only when there
> > are other recipients given by the user or by use of the option
> > recipient. ...

> Simply said you put encrypt-to, with your key-id, in your gpg.conf
> and when you do a gpg --recipient yourfriend it encrypts to your
> friend and also to you.

Yes, that's correct. Anyways, I prefer using the --hidden-recipient for
this purpose. That prevents the disclosure of the communication paths
with pure GPG-Packet analysis.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Sonntag, den 16.12.2018, 22:06 +0100 schrieb Stefan Claas:
> On Sun, 09 Dec 2018 20:34:55 +0100, Dirk Gottschalk wrote:
> > Am Sonntag, den 09.12.2018, 20:03 +0100 schrieb Stefan Claas:
> > > My proposal could be run also in parallel. I think it would be
> > > only a weekend job for a programmer to modify the server code,
> > > so that it accepts only incoming and verified email and not web
> > > or GnuPG via Tor submissions.  
> > A weekend job... Muhahahahahahaha, you don't do much programming,
> > don't you? One would have to write an email bot, change the
> > keyserver code to no longer accept submissions via HKP, then it
> > would be neccessary do disable HKP for upload in GnuPG to avoid
> > broken Clients and so on.

> While testing today how to make someones pub key non-importable,non-
> receivable, with an evil version of GnuPG, I am wondering about the
> following:

> Is it not possible that for pub key submissions GnuPG could be
> installed on key servers to check if the key material is valid, prior
> keys got added?

This would be possible for sure. Most Servers I know run on Linux, GPG
should be installed anyways. The simpliest way would be to store the
key temporarily, try to import it into a dummy keyring and check the
success/failure of the import. On Success use the key, on failure
reject it.

> My test today showed me that it looks like that GnuPG is not used on
> key servers.

That's true. I also don't know a server doing it this way, but it would
be possible without the need to break the actual HKP.


> In case if there would be email submissions possible, in the future,
> i think it could work something like this: Install postfix and
> procmail, while procmail would pipe that message to gnupg for
> verification of valid key data, prior the pub key gets added to the
> pool.

This would be possible, too.
Years ago there was an email submission possibility. Some mail clients
even had a menu item to add the ascii armoured key into the mail body.
But, this functions have gone years ago. I think nobody really used it,
so it was abandonned.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Private Keys on Card Not Loaded

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Freitag, den 14.12.2018, 13:26 +0200 schrieb Robert Gabriel:
> Hi,
> 
> I have created a master key along with a subkey for authenticating
> and a subkey for signing.
> 
> I copied the subkeys to my smartcard (Nitrokey Pro 2) using gpg2 --
> edit-key 93DA8C1D and did not enter save thereafter, but deleted them
> manually using gpg2 --card-edit.
> 
> I deleted the master private key.
> gpg2 -K no private keys are visible.
> 
> What have I missed? I read online the stubs are generated
> automatically with the above command.

Did you import the public keys? Are they in the key-Ring? If not, than
you should do it, or the keys won't be recocnized.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Sonntag, den 09.12.2018, 21:13 +0100 schrieb Stefan Claas:
> On Sun, 09 Dec 2018 20:55:36 +0100, Dirk Gottschalk wrote:
> 
> Hello Dirk,
> 
> > That I mentioned in the other reply I have sent a few seconds ago.
> > 
> > > right? A key which would bear a CA sig would imho not have such
> > > additional and funny UID's or sigs, because it would make the key
> > > owner look a bit stupid, i would say.  
> > 
> > No. The signatures on a key are nor related to each other. A funni
> > signature could be backdated before the signature by the CA were
> > made.
> > Who's the stupid now, in the eyes of the user seeing this? ^^
> 
> Do you really think a user with a CA sig would do that, with my
> proposals i have made?

Yes, for sure. With a backdated signature the CA could be blamed in the
eyes of some not so firm users. Even if it's only for this purpose.

First the UID problem should be fixed and then a similar mechanism for
the signatures could be introduces. This would fix the well known
problems and no CA would be needed. That is unrelated to the CA's for
"assurance" which are not a really bad idea, but it has nothing to do
with the flaws in the key servers and even wouÄt be a fix for this.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Sonntag, den 09.12.2018, 19:38 +0100 schrieb Stefan Claas:
> On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> wrote:
> > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> >  wrote::
> > > Get a sig from a CA and then upload your key via email.
> > >  
> > That's a bit steep, and was never the original goal of PGP or GPG.

> No, in 2018 i think it is not. CA's can be run by non-profit
> organizations like EFF etc., which i believe a lot of people trust.

> Then don't forget all the worldwide assurers from CAcert.org.

> > If the goal is to eliminate the bulk of bad keys and junk from key
> > servers, an account creation with basic email verification for
> > adding or removing keys should suffice.

> I don't think so. Create an anon account at ProtonMail via Tor for
> example and then do "funny stuff" with those keys.

There is always a way to abuse things. And a plausibility check on UIDs
would remove the possibility for abusive data encoding in these. I
think that would be a starting point.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Am Sonntag, den 09.12.2018, 20:03 +0100 schrieb Stefan Claas:
> On Sun, 9 Dec 2018 19:38:31 +0100, Stefan Claas wrote:
> > On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> > wrote:
> > > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> > >  wrote::  
> > > > Get a sig from a CA and then upload your key via email.
> > > >
> > > That's a bit steep, and was never the original goal of PGP or
> > > GPG.  

> > No, in 2018 i think it is not. CA's can be run by non-profit
> > organizations like EFF etc., which i believe a lot of people trust.

> > Then don't forget all the worldwide assurers from CAcert.org.

> > > If the goal is to eliminate the bulk of bad keys and junk from
> > > key
> > > servers, an account creation with basic email verification for
> > > adding or removing keys should suffice.  

> > I don't think so. Create an anon account at ProtonMail via Tor for
> > example and then do "funny stuff" with those keys.

> My proposal could be run also in parallel. I think it would be
> only a weekend job for a programmer to modify the server code,
> so that it accepts only incoming and verified email and not web
> or GnuPG via Tor submissions.

That's also what GPG is made for. Privacy. So TOR usage is quite okay.
The Idea with an email bot instead of a HKP for upload is something
that could be taken into consideration to validate sender and key, I
agree.

A weekend job... Muhahahahahahaha, you don't do much programming, don't
you? One would have to write an email bot, change the keyserver code to
no longer accept submissions via HKP, then it would be neccessary do
disable HKP for upload in GnuPG to avoid broken Clients and so on.

> People can then still use the old key servers (until they may become
> obsolete...) or use keybase.

Keybase is an option, yes., And the Keyservers could be fixed. HKP for
retrieval is very comfortable and there is no need to disable also the
retrieval.

> To bad that Werner's WKD is not widely adopted from email
> service providers...

WKD is a good thing, but has not yet widely spread. I think one oif the
problems is the small amount of users demanding it.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Sonntag, den 09.12.2018, 19:38 +0100 schrieb Stefan Claas:
> On Sun, 09 Dec 2018 08:23:03 -0900, justina colmena via Gnupg-users
> wrote:
> > On December 9, 2018 7:54:01 AM EST, Stefan Claas
> >  wrote::
> > > Get a sig from a CA and then upload your key via email.
> > >  
> > That's a bit steep, and was never the original goal of PGP or GPG.

> No, in 2018 i think it is not. CA's can be run by non-profit
> organizations like EFF etc., which i believe a lot of people trust.

> Then don't forget all the worldwide assurers from CAcert.org.
> 
> > If the goal is to eliminate the bulk of bad keys and junk from key
> > servers, an account creation with basic email verification for
> > adding
> > or removing keys should suffice.

> I don't think so. Create an anon account at ProtonMail via Tor for
> example and then do "funny stuff" with those keys.

Nah, the server code has just to be modified, then a plausibility check
could be established if the UID is a valid one, or an abusive. This
would disable abusive UIDs with malicious data.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Am Sonntag, den 09.12.2018, 19:54 +0100 schrieb Stefan Claas:
> On Sun, 9 Dec 2018 19:51:37 +0100, Stefan Claas wrote:
> > On Sun, 09 Dec 2018 18:24:38 +0100, Dirk Gottschalk wrote:
>  
> Hi Dirk,
> > > Get a sig from a CA and then upload your key via email.
> > > Then the key servers do something like a gpg --check-sigs
> > > to see if a key bears a valid CA sig and if it is found in their
> > > index the key will be added to the network, once the submitted
> > > UID matches with the email address header. So no cryptographic
> > > verification is imho needed. This would also eliminate, i think,
> > > > that someone else can upload someone else's pub key.
> > > 
> > > And who decides which CA ist trustworthy and which is not? The
> > > problem ist, like in the X.509 land, that it depends on an
> > > initial
> > > trust to one or more central authorities. Who decides whom one
> > > can
> > > trust.  

> If trusted organizations like EFF etc. would run a CA...

> > > And further, why should anyone run something like a ca CA for
> > > free.  
 
> Nobody said that it should be free.

That's a point one would have to discuss. A small one time fee would be
okay, but not to much, ore we are at the same point like in X.509 land
and nobody wants to invest, except for real good reasons.


> > > And then again the question, who decides who get's the nedded
> > > trust?  

> I have learned in the past the phrase "trust nobody" when it comes
> to IoT. That means also I don't have to trust GnuPG users, for
> example... ;-)

Exactly this is the point where the key signatures get in place. You
can decide whom you trust, or not, and how far your trust goes.
Than you can see, if somebody you don't know yet is trusted by a user
you trust. Then the trustdb comes into place. Exactly this is how PGP
works. PGP is not a replacement for the X.509 infrastructure like it is
used in companies or other organizations. And even there often PGP is
enough, at least for Email signature or encryption.

I'm still not sure what you're trying to achieve. A Replacement for
X.509?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Hello Justina

Am Sonntag, den 09.12.2018, 08:23 -0900 schrieb justina colmena via
Gnupg-users:
> On December 9, 2018 7:54:01 AM EST, Stefan Claas <
> stefan.cl...@posteo.de> wrote::
> > Get a sig from a CA and then upload your key via email.
> > 
> That's a bit steep, and was never the original goal of PGP or GPG.

Correct.


> If the goal is to eliminate the bulk of bad keys and junk from key
> servers, an account creation with basic email verification for adding
> or removing keys should suffice.

That's something I thought about, too.


> Let's be honest: no one really wants an infrastructure of legally
> valid or enforceable GPG signatures, either. It's a technical
> verification that something is very unlikely to be altered if the
> signature is valid. Any particular overriding legal significance
> beyond that is unnecessary.

Legal significcance is one point and it's to complicated in many
countries.


> Don't overdo it, please. PGP key servers are not supposed to be
> "authoritative." They are a convenience to extend an informal web of
> trust. Let's resist that German urge toward authoritarianism and
> absolutism, shall we?

Yeah, RIGHT! As a German I say, this urge in Germany and even in Europe
is totally silly at all. They are making an A 380 out of a duck, so to
say. Or like we call it in germany: "eine Mücke zu einem Elefanten
machen".


> Bosses and bullies do not help with privacy, personal digital
> signatures, or cryptography for personal use. The CA stuff is mostly
> for business, not personal. The adversaries in that case are
> pickpockets and credit card skimmers, not major governments and
> political enemies.

Right, but, to be honest, in some cases a GPG signature should be even
enough to prove the origin in a legal way. Some countries accept this
already, but not in silly old europe. Okay, EU sucks, but that's
another topic.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Garbled data in keyservers

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Sonntag, den 09.12.2018, 13:54 +0100 schrieb Stefan Claas:
> On Thu, 06 Dec 2018 15:22:14 +0100, Werner Koch wrote:
> 
> > > That's right, but my thought is / was someone can (ab)use key
> > > servers as data storage / retrieval system and then only provides
> > > the key id  
> > 
> > As it has been commeted, there are easier ways to do that.

> I have read also the threads at sks devel ML and my suggestions
> would be that we need more international CA's to get rid of all
> the problems, the key server network has.

> People should think about the following:

> Get a sig from a CA and then upload your key via email.
> Then the key servers do something like a gpg --check-sigs
> to see if a key bears a valid CA sig and if it is found in their
> index the key will be added to the network, once the submitted
> UID matches with the email address header. So no cryptographic
> verification is imho needed. This would also eliminate, i think,
> that someone else can upload someone else's pub key.

And who decides which CA ist trustworthy and which is not? The problem
ist, like in the X.509 land, that it depends on an initial trust to one
or more central authorities. Who decides whom one can trust.

And further, why should anyone run something like a ca CA for free.
Sure, CAcert does it. But that's the onlöy organisation I know who does
this.

And then again the question, who decides who get's the nedded trust?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error after secret key list.

[Dirk Gottschalk via Gnupg-users]

Hi.


Am Freitag, den 23.11.2018, 20:36 +0100 schrieb Werner Koch:
> On Fri, 23 Nov 2018 18:56, dirk.gottschalk1...@googlemail.com said:
> 
> > I saw the Listing in the debugging log. I tried this also.
> > gpg -k does not show this message, but two messages regarding two
> > keys,
> 
> Hmmm, not easy to debug by mail.
> 
> > gpg: bad data signature from key 2894CD20EE47166D: Wrong key usage
> > (0x19, 0x2)
> 
> That is bug we introduced in 2.2.10 or so which was fixed in
> 2.2.11.  It
> is just wrong diagnostic.
> 
> > Could this be the reason for this error message?
> 
> No.

Thanks to all for your help.

Just to update you: I solved the problem by exporting the public
keyring into a file, deleting pubring.kbx and re-importing the entire
keyring.

Not to mention that the problem fixed itself automagically. GnuPG
reported one key less as imported than the keyring contained and the
"dead bird" has been gone.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error after secret key list.

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Freitag, den 23.11.2018, 16:41 +0100 schrieb Werner Koch:
> On Thu, 22 Nov 2018 16:38, gnupg-users@gnupg.org said:

> > After listing the keys, gpg reports: gpg: error computing keygrip

> Looks like you have a garbled key or one with an unknown encryption
> algorithm.  Not easy to pinpoint because that diagnostics comes from
> the deep innards of gpg.

> Do you see any error if you run gpg -k ?  The secret key listing does
> internally a listing of each public key and looks for a macthing
> secret key.

I saw the Listing in the debugging log. I tried this also.
gpg -k does not show this message, but two messages regarding two keys,
one from a person who is known as Werner Koch. Does anyone know this
guy? ;)

These are the messages I get:

gpg: bad data signature from key 2894CD20EE47166D: Wrong key usage
(0x19, 0x2)
gpg: bad data signature from key A588F0D2ABD0CAF6: Wrong key usage
(0x19, 0x8)

I'm not gonna say you messed up your keys. I think, my .kbx is some
kind of messed up. Or did you do nasty things to your key, for testing
purposes? I don't think so.

Could this be the reason for this error message?

I'll delete your key and the other one from my key ring and re-import
it from the servers. Probably this solves the problem.

Deleting the keys re-importing them didn't solve the problem.

Any hints?

Thanks for your help.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac


signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Error after secret key list.

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Donnerstag, den 22.11.2018, 17:22 +0100 schrieb Stefan Claas:
> On Thu, 22 Nov 2018 16:38:39 +0100, Dirk Gottschalk via Gnupg-users
> wrote:

> Hi Dirk,

> > Since today, I get a strange error at the end of the secret key
> > list
> > (gpg -K).
> > 
> > After listing the keys, gpg reports: gpg: error computing keygrip
> > 
> > Everything seems to work right.
> > 
> > Unfortunately it does not tell me which key causes the error.

> Maybe gpg -K -vvv tells you a little bit more (hopefully).

Guess what I tried at first. :D

No information in there. :(

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Error after secret key list.

[Dirk Gottschalk via Gnupg-users]

Hello.

Since today, I get a strange error at the end of the secret key list
(gpg -K).

After listing the keys, gpg reports: gpg: error computing keygrip

Everything seems to work right.

Unfortunately it does not tell me which key causes the error.

Any hints what went wrong or how i can go for hinting the praobaly
damaged key?

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac


signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: key server query tool

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Sonntag, den 18.11.2018, 17:41 +0100 schrieb Stefan Claas:
> Hi all,
> 
> while i do respect the privacy of people, i was wondering,
> since i see the public key server network as a public data
> base containing full names and who signed who's public
> key, if there is a tool available (source code preferably
> written in Golang) which allows a user to connect to
> a key server and do a query in a form that it spits out
> all the data where a name or key id appears.
> 
> The idea behind this is that i can see if for example
> Mallory signed someone else's public, with my key
> after it got compromised and i am not aware of it.
> 
> I know that there are projects running which show
> the strong set etc. but i like only see simple
> data like my name or my key id/fp on someone
> else's public key.

Only the UID's and Key-ID's can be queried from the Servers, not the
Data from the signatures, for example. AFAIK.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Donnerstag, den 15.11.2018, 23:41 +0100 schrieb Stefan Claas:
> On Thu, 15 Nov 2018 22:54:01 +0100, Dirk Gottschalk wrote:

> Hi Dirk,
 
> > Am Donnerstag, den 15.11.2018, 21:05 +0100 schrieb Stefan Claas:
> > > I disagree, with my humble approach imho third parties do not
> > > know
> > > that people are my real friends, colleagues, or that i belong to
> > > a
> > > certain group.  
> > 
> > The implication matters. For example: If you sign a three keys of,
> > let's assume kidnappers, with level 3. I guess, police won't read
> > and
> > understand your policy first, you'll get a little trouble for sure.
> > Okay, that is a bad example. But, the diagram will result in level
> > 3
> > Relations, what can lead to assumptions somebody does not want or
> > intent.
> 
> You make a very important point, which i thought also about and
> that is my little approach for covering my a*#. I would strongly
> assume that law enforcement would also check a sig0 user,
> regardless of policy or not, if something happens to a key owner,
> or if i sign with sig0 a key on a key signing party, where i also
> don't know that the person who attended is a good or bad person with
> a real or fake id. I am totally unable to distinguish  between a real
> or fake id nor do i know if a person is good or bad if i would attend
> such a key signing party.

That was a bad example. But you see what I meant. Signature levels
imply in some cases the assumption that it is related to the relation
of people whether it's right or wrong.


> > > I am no expert, but i like to know from my example (because i
> > > don't
> > > understand this) how could i trust this internal computation,
> > > when
> > > it is only visible to me and not to third parties?  

> > It is based on your trust into the signers. There is a chain in
> > trust dependencies for the trustdb. The levels full, marginal and
> > so on lead to basical calculations in how reliable a key is, which
> > is indirectly signed by trusted keys. I did not dig deeper into the
> > GPG internals for this system, but I've already seen it works well,
> > at least for me.

> Like i said in my previous reply i have to study this in more depth.

There's documentation about the trustdb. I read it a while ago, but not
entirely. You can also set the amount of needed signatures for the
trust calculations and so on. Then comes the trust deepness into play.
I also have to read further because I want to "abuse" GnuPG for an
email controlled bot system inside a bigger company as part of the
security concept. The commands shall be encrypted and signed and some
function should be usable by "unknown" users with the needed trust
level and so on.


Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Donnerstag, den 15.11.2018, 21:05 +0100 schrieb Stefan Claas:
> On Thu, 15 Nov 2018 20:15:21 +0100, Dirk Gottschalk via Gnupg-users
> wrote:
> 
> > > When i first learned about PGP in 94/95 i also thought why should
> > > people sign each other's key for a WoT and why do we need a
> > > global WoT and what is it good for.  
> > 
> > This should be obvious.
> 
> Please elborate a little bit more, because new user or old farts like
> me maybe do not understand what's it's purpose, i.e to publicity
> state to the whole world (thanks to key servers) that people use PGP
> or GnuPG?

The intention of the WOT is to create trust chains. This implies a
chain of signatures, quantity of signatures is not really important,
IMHO.


> > > With my humble approach i like to be honest, in that form, that i
> > > did my best for certifying someones key which might be useful for
> > > someone else, entering the WoT, without letting third parties
> > > know   that i know a person personally, or have a longtime online
> > > friendship etc. or that i belong to a certain group of people.  

> > With differing signature levels you surely do let people know that
> > kind of data. There are even small tools available, which produces
> > a diagram of relations between people/keys from their signatures,
> > including the signature level data. This can be done via
> > recursively fetching the keys from a key server.

> I disagree, with my humble approach imho third parties do not know
> that people are my real friends, colleagues, or that i belong to a
> certain group.

The implication matters. For example: If you sign a three keys of,
let's assume kidnappers, with level 3. I guess, police won't read and
understand your policy first, you'll get a little trouble for sure.
Okay, that is a bad example. But, the diagram will result in level 3
Relations, what can lead to assumptions somebody does not want or
intent.


> > > With the sig0 approach i have the following problem: I could
> > > create a couple of fake keybase accounts, for example, give each
> > > other a sig0 and then what is this good for if i follow the
> > > advise from the blog and what trust should a third party gain
> > > from this many sig0 on such a key?   

> > You can sign sig0 without havin any trouble of this kind. That's
> > the
> > reason why we have the trustdb since GnuPG 2.?. It depends on the
> > internal set trust and gpg computes the calculated trust level for
> > the
> > key in question.

> I am no expert, but i like to know from my example (because i don't
> understand this) how could i trust this internal computation, when it
> is only visible to me and not to third parties?

It is based on your trust into the signers. There is a chain in trust
dependencies for the trustdb. The levels full, marginal and so on lead
to basical calculations in how reliable a key is, which is indirectly
signed by trusted keys. I did not dig deeper into the GPG internals for
this system, but I've already seen it works well, at least for me.


> > I do use singanture levels as well, but I am thinking about this
> > practice for a while now. Even giving a sig3 changes nothing, if I
> > assigned just a marginal in the trustdb. The Chain is relevant, not
> > the level you assigned.

> If people read between the lines, so to speak, when reading my
> policy they would hopefully help to strengthen the WoT in that
> they could adopt it or improve it and sign each others key that
> way to build a stronger chain. Or i am to naive and blue eyed?

I see what you are trying to approach.


> I mean, what would have people to loose or give up when using my
> approach? Combining a classical verification method with modern
> technology is for me a good thing and i believe for honest people
> too.

I don't say your approach is bad.

> I bet if Werner, for example, would do the same, his letterbox would
> be filled imeadetily... :-)

> O.k the one thing that may be a bit difficult today is to actually
> write a postcard and go to the post office, in surveilled Internet
> age, where Facebook and WhatsApp etc. rules. :-)

Indeed. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: WoT question - policy

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Dienstag, den 13.11.2018, 22:36 +0100 schrieb Stefan Claas:
> On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:
> > On 13.11.2018 17:54, Stefan Claas wrote:
> > > Hi all,

> > > i thought about creating a key certification policy, for my key,
> > > and like to know your opinions. 

> > > 

> > > I have read in the past several policies, but i like to avoid
> > > id-card / online video/chat etc. because i am not able
> > > to distinguish between a real or a fake id, when doing so.

> > > Therefore i thought to use a postcard/letter method.

> > > Any critics are very welcome!  
> > 
> > Sounds interesting, would the post office check the ID of the
> > person
> > claiming the letter?

> Well, i assume that the good old postman, delivering mail to your
> house, is still around... :-) If i would send as some form of a
> registered letter than i would say yes.

Oh yes, wait a minite, mistper postman. *sing*
 

> > It reminds me of someone's method that utilized small bank
> > transfers (I can't find the source though :( ).

> I also thought about PayPal etc., but decided against it after
> receiving an advice.
 
> > Why not issue generic certifications instead of sig2 and sig3?
> > There
> > are some arguments against them:
> > https://debian-administration.org/users/dkg/weblog/98

> Yes, i remember this blog post and thought about this as well.

> I like to point out that i remember RSA encryption, before PGP was
> available and there was no WoT, so only people who knew each other
> communicated that way.

RSA is not restricted to communication. It's primary intention was, and
is, encryption of any type of data.


> When i first learned about PGP in 94/95 i also thought why should
> people sign each other's key for a WoT and why do we need a global
> WoT and what is it good for.

This should be obvious.


> With my humble approach i like to be honest, in that form, that i did
> my best for certifying someones key which might be useful for someone
> else, entering the WoT, without letting third parties know   that i
> know a person personally, or have a longtime online friendship etc.
> or that i belong to a certain group of people.

With differing signature levels you surely do let people know that kind
of data. There are even small tools available, which produces a diagram
of relations between people/keys from their signatures, including the
signature level data. This can be done via recursively fetching the
keys from a key server.

Using just sig0 reduces the usability of the data because you can not
differ the strength of the relation, at least.


> With the postal approach the requester does not need to send his
> address in encrypted form in case my computer would be compromised.
> When someone request a signature i don't keep records on my computer
> later. I only keep the postcard as souvenir.

A compromised computer is not the real deal at all in this question.

> With the sig0 approach i have the following problem: I could create
> a couple of fake keybase accounts, for example, give each other
> a sig0 and then what is this good for if i follow the advise from
> the blog and what trust should a third party gain from this many sig0
> on such a key? 

You can sign sig0 without havin any trouble of this kind. That's the
reason why we have the trustdb since GnuPG 2.?. It depends on the
internal set trust and gpg computes the calculated trust level for the
key in question.

I do use singanture levels as well, but I am thinking about this
practice for a while now. Even giving a sig3 changes nothing, if I
assigned just a marginal in the trustdb. The Chain is relevant, not the
level you assigned.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Samstag, den 10.11.2018, 00:41 +0100 schrieb Stefan Claas:

> Thanks too, Dirk,

> i already made a refresh.

Yeah, I read it right after I sent my Email.

I suggest using a Cron job, or a SystemD timer and service to do a
refresh on a regular base.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Utilizing facts of homedir organization (was: Exact definition of token S/N field for --with-colons)

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Freitag, den 09.11.2018, 16:18 +0100 schrieb Stefan Claas:
> On Fri, 9 Nov 2018 16:12:19 +0100, Peter Lebbing wrote:
> 
> [snip]
> 
> I get a valid signature but key has expired message, when
> reading your posting.
> 
> Regards
> Stefan

Peters key is valid. Probably you have to refresh it or you are running
into an issue I had a while ago with my keyring. Try to delete and re-
import his key. In my case something with the pubring.kbx went wrong.
In my case some of the keys were considered invalid without a
reproducable reason.

Regards,
Dirk

PS: My system makes a nightly key refresh. Probably the expiry date was
changed shortly.

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP key verification + legal framework

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Montag, den 05.11.2018, 21:47 +0200 schrieb Viktor:
> 
> And we actually not sign keys. From two reasons:
> a. If you automatically trust the signing key, compromising the
> signing key breaks the entire system. b. In many countries,
> generating or signing cryptographic keys requires a license. We
> create a system that should work the same way and legally 
> in all countries. And we do not sign key certificates. We only attach
> to  them information about the owner of the key, which the user
> manually  checks before adding this certificate to his list of
> trusted certificates.

In the EU the use of "qualified" signature is mandatory if it comes to
legal issues. Between private companies it is okay to just use OpenPGP,
but, if it comes to legal issues, one party could deny the validity of
the signature because it is not accepted as a legal signature format,
at least in Germany.

We have the "qualified signature problem" here. In my Opinion a bad
solution, but, the EU is known to make more Bullsh*t as reasonable
things.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hello Wiktor.

Am Freitag, den 02.11.2018, 17:17 +0100 schrieb Wiktor Kwapisiewicz:
> On 02.11.2018 15:35, Dirk Gottschalk wrote:
> > I prefer GPG. And no, GPG does not lack timestamping, a timestamp
> > is
> > included in every signature.

> Signature creation date is not the same as timestamping. As for why
> you may consider the problem of validating signatures made by revoked
> keys. Without timestamping this kind of signature is inherently
> insecure (as the compromised key could be used by the attacker to
> created a backdated signature).

Yeah, I see what you mean. Right, that was out oif my sight.

> For example Authenticode uses timestamping [0] so that old signatures
> can still be considered valid even when the key expires or is revoked
> later.

> Adding something comparable to OpenPGP was discussed [1] on OpenPGP
> ML recently and previously [2].

Thanks for the information.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hello Juegen.

Am Freitag, den 02.11.2018, 18:27 +0100 schrieb Juergen BRUCKNER:
> Hello Dirk,
> Am 02.11.18 um 15:20 schrieb Dirk Gottschalk via Gnupg-users:
> > You mean, you "tampered" with the file and the signature is still
> > valid? Are you sure? Then Adome does sometging really bad, IMHO.
> > 
> > Such a signature should ensure that the file is unmodified
> > completely.
> > otherwise somebody can modify it in a way that could be used as a
> > backdoor to the signature, at least in theory.
> That is correct, that a signature is valid if there is added a
> timestamp
> AFTER sign the document. Very simplified it uses the same method for
> timestamping as for signing, and it is a kind of 2nd signature on the
> same document. the document is NOT altered or manipulated.

Okay, you're right. When I sign AND timestamp a Document with
LibreOffice, then I'am asked 2 times for my Card-Pin. Seems like the
document is signed first an then the Timestamp. I never gave attention
to this, but your explaination seems to clear up with this phenomenom.

Regards.
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hello Wiktor.

Am Donnerstag, den 01.11.2018, 20:14 +0100 schrieb Wiktor Kwapisiewicz:
> On 01.11.2018 11:19, stefan.cl...@posteo.de wrote:

> Do you mean X.509 is technically good or just more widely supported
> in software than OpenPGP? For me there are only few cases where X.509
> infrastructure has something that OpenPGP lacks (e.g. timestamping).

I prefer GPG. And no, GPG does not lack timestamping, a timestamp is
included in every signature.

X.509 is more widely spread. I think this is the only reason that it is
preferred by some users. I would like to see GPG to be more widely
used. For me, x.509 is not more trustworthy than GPG, I trust this
system and the signed certificate less in many cases.

The signature regulations in the EU are not the best. In the US, I
read, ebven PGP is approved in some states. They use it even vor notary
approvals. We had a thread describing this a few months ago.

The only thing is, that GPG can not do inline signing of PDFs. This
would be a nice feature, but, AFAIK the standard for PDF doesn't leave
us this option.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Freitag, den 02.11.2018, 12:53 +0100 schrieb Stefan Claas:
> 
> Hi Wiktor,
> 
> thanks a lot! Now this is awesome... i just timestamped my already
> signed .pdf with Adobe Reader DC and this does not invalidate my
> qualified signature, when saving the document again! :-) I must admit
> i did  not know this.

You mean, you "tampered" with the file and the signature is still
valid? Are you sure? Then Adome does sometging really bad, IMHO.

Such a signature should ensure that the file is unmodified completely.
otherwise somebody can modify it in a way that could be used as a
backdoor to the signature, at least in theory.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hi guys.

Am Freitag, den 02.11.2018, 12:53 +0100 schrieb Stefan Claas:
> On Fri, 2 Nov 2018 12:20:43 +0100, Wiktor Kwapisiewicz wrote:
> > On 02.11.2018 10:53, Stefan Claas wrote:
> > > Simply one can use a time stamping service, based on blockchain
> > > technology. I can then time stamp the .pdf. and put also a
> > > statement in the .pdf that the file is timestamped and don't must
> > > worry in the future if one MITM would try (and why?) to alter my
> > > documents.  
> > 
> > PDFs can be also timestamped when signing with standard RFC 3161
> > [0]
> > timestamping service.
> > 
> > Here's one example:
> > 
> > https://support.globalsign.com/customer/en/portal/articles/2361790-add-timestamp-server---adobe-acrobat
> > 
> > But there are numerous free RFC 3161 timestamping services.
> > 
> > Of course that's not the same as blockchain, but it's already
> > supported by numerous tools (like Adobe Acrobat).
> > [0]: https://tools.ietf.org/html/rfc3161
> 
> Hi Wiktor,
> 
> thanks a lot! Now this is awesome... i just timestamped my already
> signed .pdf with Adobe Reader DC and this does not invalidate my
> qualified signature, when saving the document again! :-) I must admit
> i did  not know this.

freetsa offers a free timestamping service based on blockchain
technology, AFAIK. I use it myself to stamp PDFs. The free service
offers 10 timestamps per day what should be enough for normal usage.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hi Stefan.

Am Donnerstag, den 01.11.2018, 18:49 +0100 schrieb Stefan Claas:
> On Thu, 1 Nov 2018 17:42:41 +0100, Stefan Claas wrote:

> I am also *very much* interested what infos users in the U.S.,
> Canada,
> U.K. and Ireland, for example, see (is the certificate Info displayed
> in
> English?) when verifying my document with Adobe Reader DC!

It depends on their locale. The object descriptors would be shown in
the set language for the locale. The values are shown as they are set
in the certificate.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

hi Stefan.

Am Donnerstag, den 01.11.2018, 11:19 +0100 schrieb
stefan.cl...@posteo.de:
> Hi Dirk,

> > To answer your question, even if the answer is not what you
> > expected:

> I  expected something like this... ;-)
> 
> > I don't think this would change anything on the reputation on your
> > key.
> > I even don't think there is any good reason for the EU-Regulation
> > at
> > all. There is much taste of "get the citizens money for everything"
> > in
> > it. ^^

> I personally like that we have such EU regulation. And i understand
> that it costs money to build and maintain such infrastructure.

The Problem is the implication of trust in governmental organizations
per se in this case. But, far from this, there are other signature
providers who are trusted per default. AFAIK, Governikus is not listed
in the standard CA packs, yet.


> > The trust level for a key depends on the trust to the signature
> > which
> > are made for your key. There is no valid reason to trust
> > "Governikus"
> > or "D-Trust (Bundesdruckerei)" by default at all, especially for
> > people
> > in foreign countries. Even I don't do this.

> And this is the problem i have since 1994/95... For me signatures
> made with PGP / GnuPG have no weight, for several reasons, except
> those made from Governikus and maybe CT Magazine signed keys.

Okay, that's yout thing. BUT, you may habe verified some of the signers
keys at your own, this would be the same as checking against Governikus
,for example.

> Why? Can i, for example, trust fan signatures made by users on
> someones key which bears several hundred sigs and the key holder
> does not sign the signers keys? No, of course not. Call me stupid
> but even if Governikus would be run by the BND or NSA etc. i would
> trust the validity of such signed keys more than a signed key from
> "somebody" signed by other people i do not know. Due to the procedure
> Governikus uses i can be personally rest assured that the key belongs
> to the person which the key data states. The only thing GnuPG offers
> me with  signatures, not made with Governikus signed keys, is that if
> someone has tampered with a document the "signature" would be then no
> longer valid.

This is also the case with the PGP standard.


> Here is a little example, of a .pdf i have signed with my qualified 
> signature:
> 
> https://keybase.pub/stefan_claas/docs/greetings.pdf

> Linux users can verify my qualified signature here:

> https://ec.europa.eu/cefdigital/DSS/webapp-demo

> macOS oder Windows users can use the free Adobe Reader DC
> to do he same.

Libreoffice can verify the signature also and some other tools.


> At list of TSP's (Trust Service Provider) can be seen here:
> https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html
 
This is the real problem I have with the EU regulations. There are
regulations out there which are much better and have not such expensive
certification costs to become "qualified".

I would consider a x.509 cert as valid and trustworthy which is signed
by one of the well known CAs whith "extended verification". But that's
another discussion.


> I think PGP users should be more open to current available and
> accepted standards when it comes to digital signatures.

This isn't the Problem at alöl. X.509 is a really good standard. I use
it mysqld really often for signing PDFs or some other things. 


> > Best thing is to verify a key personally.

> Yes, in case of PGP / GnuPG when using the classical WoT procedure.

That's what i meant.

[...]

> Thanks, much appreciated! I really like to see some more examples
> from native English speakers living in the U.S.

Godd idea. I found some Policies regarding PGP, but nothing like you
want to do. But I only did a quick search.


> I would like to omit the creation procedure or how the signing
> procedure works, because imho people from the PGP ecosystem
> should accept in the future qualified X.509 signatures.

Not the whole procedure. But you should explain that this ist a
trustworthy signature provider sind Governikus is not yet listed as a
standard root CA.

To state it clear. x.509 is a good standard and a good procedure. I
only think the "qualified" overrated in some situations. The
"qualified" is only really relevant in juristic context in Germany or
in EU. And even then there are some exclamations where other rules
override this. I had a lawsuit one year ago that showed this clearly.

The combination of OpenPGP-Card and x.509 is, that should be said,
really a goof thing. I'm running my a CA for my customers and me, for
internal purposes, which means for data exchange between different
software and so on, and the keys are derived from PGP keys on Card.
GPGSM is a really nice solutions for such CSRs.I t only lacks the
ability of creating CRLs, otherwise it could be used as a CA too.

Okay, now I drifted completely off of your topic. I'm Sorry.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: 

Re: Slightly OT - i need the proper wording for a signed document

[Dirk Gottschalk via Gnupg-users]

Hello Stefan.

Am Mittwoch, den 31.10.2018, 18:59 +0100 schrieb Stefan Claas:
> On Wed, 31 Oct 2018 18:53:33 +0100, Stefan Claas wrote:
> > Hi all,
> > 
> > i hope this is not to much off-topic...
> > 
> > I recently signed up for the new Service of Germany's
> > Bundesdruckerei*, to obtain a *qualified* X.509 Certificate,
> > which is complaint with the EU's eIDAS regulation.
> 
> Oh... sorry i mean  *compliant* of course!

Compliant to... ^^

To answer your question, even if the answer is not what you expected:

I don't think this would change anything on the reputation on your key.
I even don't think there is any good reason for the EU-Regulation at
all. There is much taste of "get the citizens money for everything" in
it. ^^

The trust level for a key depends on the trust to the signature which
are made for your key. There is no valid reason to trust "Governikus"
or "D-Trust (Bundesdruckerei)" by default at all, especially for people
in foreign countries. Even I don't do this.

Best thing is to verify a key personally.

I would create a file which describes how your key was verified before
signing and the data FPR and UID of your gnupg key, sign this with your
x.509 and create a detached signature with gnupg. Needles to say that
you should use the key mentioned in the PDF.

The wording should not be difficult itself. Something like:

The OpenPGP key

key data

is signed by Governikus.


 ... signed by ...


And so on.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: revocation troubles & smartcard troubles

[Dirk Gottschalk via Gnupg-users]

As long as you did not publish reports revocation, delete the key and re-import 
it without the revocation cert. 

Am 3. September 2018 17:03:19 MESZ schrieb "Roland Siemons (P)" 
:
>Dear GnuPG,
>
>I am already using GnuPG for a long time. But try to improve my
>understanding of and working with it.
>I became a member of Free Software Foundation Europe, and got a
>smartcard. I wanted to use it.
>
>And that is where the trouble started:
>I intended to copy all my personal keys to the smart card.
>In Kleopatra, I selected "Tools/Manage smartcards"
>Then I selected "Import a certificate from a file", and selected files
>from my laptop.
>I was under the impression that I was copying files to the smartcard.
>By doing so, I not only selected my private key but also my revocation
>key (because, why should I enable a thief of my laptop to revoke my
>key?).
>And then it appeared that I had revoked my entire key pair. Unintended!
>Apparently, under smartcard management, I was not at all copying files
>to the smartcard. Apparently, I was doing something else. Did I at all
>copy files to the smartcard?
>
>Questions:
>Can I UNrevoke that key?
>How can I see what is on the smartcard?
>How can I copy files to the smartcard?
>
>I studied the GnuPG Smartcard How-To
>(www.gnupg.org/howtos/card-howto/en/smartcard-howto.html), but that is
>entirely linux oriented.
>I am working on a win7 system.
>
>Can anyone help me further?
>
>Thanks!
>
>Roland

-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Communication with card reader encrypted?

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Samstag, den 25.08.2018, 21:25 +0200 schrieb Felix E. Klee:
> When I decrypt a file using an OpenPGP card, is the communication
> between a USB card reader and the GnuPG daemon encrypted? Or: Is the
> decrypted session key sent unencrypted through the cable?

This is a really interesting question. But, does this really matter got
an USB device? If there is a program on your computer, which interceps
the communication, the security of you system is already broken. So the
decrypted file itself could/would be read by a third party. The session
key is, in this moment, the least problematic thing on your system.

But, regardless of this, it is an interesting question.

Werner, please tell us. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Android/Termux: How to build gpg-agent without maintainer mode?

[Dirk Gottschalk via Gnupg-users]

Am Mittwoch, den 22.08.2018, 13:21 +0200 schrieb Felix E. Klee:
> On Wed, Aug 22, 2018 at 1:08 PM, Dirk Gottschalk
>  wrote:
> > There's nothing what should "bug" you.
> 
> Well if I call `g10/gpg` in the build, I get a big fat warning:
> 
> gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
> gpg: It is only intended for test purposes and should NOT be
> gpg: used in a production environment or with production keys!
> 
> *Shouldn’t that bug me?*

This depends on the source of your source version. If it is from a
release tarball, this shouldn't bother you.

I only get this warning if I have compiled from the GIT repository.

> That being said:
> 
>   * The `agent/gpg-agent` does not output the warning.
> 
>   * As said in my original post, I am only interested in the agent.
> It
> is compatible with the `gpg` provided with Termux.

I don't know if it is possible to compile only the agent. 

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Android/Termux: How to build gpg-agent without maintainer mode?

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Mittwoch, den 22.08.2018, 11:07 +0200 schrieb Felix E. Klee:
> I managed to get `gpg-agent` run with USB smart card support under
> Android/Termux:
> 
> https://gist.github.com/feklee/92f76d2c8a7cabc477360d82b5305c19
> 
> What bugs me is that I had to compile in maintainer mode: Now I get
> warnings that the software should not used be used with production
> keys.
> 
> Maintainer mode is in fact suggested by `autogen.sh`:
> [...snipped...]

Maintainer mode is needed, especially in a fresh copy of the source. In
case of GnuPG, maintainer mode invokes some functions and does some
work which is needed to compile GnuPG. There's nothing what should
"bug" you.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: decryption failed: No secret key

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Mittwoch, den 08.08.2018, 00:03 -0400 schrieb Yu:
> WOW! That works.
> 
> To document this, if anyone ever run into this situation:
> 
> > sec#  rsa4096/0xC9E7221DAFCE6539  created: 2018-08-07  expires:
> > never
> 
> This is the key I need to delete from the card/yubikey.
> 
> 1. gpg --delete-key 0xC9E7221DAFCE6539
> 
> 2. gpg --card-status should return NONE and  gpg --list-keys would
> return
> gpg: no ultimately trusted keys found
> 
> 3. pull out the card
> 
> 4. run gpg --import PUBLIC_KEY_FILE
> 
> 5. insert the card
> 
> 6. gpg --card-status
> 
> 7. now try to encrypt and decrypt (you will be prompted to enter your
> PIN
> to unlock your card).
> 
> Thank you Dirk!

You're welcome.

This is, AFAIK, also somewhere deep inside the docs.

Just to make things clear. The user information, UID and so on, is in
the public part of the key, AFAIK. This means, to map the secret key to
it's ither data, you must have the public key in your keyring. The --
card-status reads the information oin the card and maps the key to the
public part using the Fingerprint, I think.

In my case, when I use one of my cards, where the fetch URL is not set,
I download the keys from the keyserver with "--recv-keys" and then I
read the card with "--card-status". But in general, I prefer the way
using the fetch URL. It's faster to make "--card-edit" and just use
fetch. This comines both funcrions.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: decryption failed: No secret key

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Dienstag, den 07.08.2018, 19:38 -0400 schrieb Yu:
> Hi Dirk

> Thank you very much. I just want to make sure I am doing the right
> thing,
> so please excuse me if I am asking too much.

> > You should delete the complete secret key set from you keyring. 
> Then
> > import the PUBLIC keys for the card keys and then do a gpg --card-
> > status.
> > 
> > 
> 
> Do I just call "gpg delete-secret-key ID" for each key ID listed in
> the
> --list-secret-keys output?

You have just to delete the keys, which are stored on the card.
Deleteing the master key of them also deletes the sub keys.


> > If you set a fetch URL, you could also make --card-edit and issue a
> > fetch command.
> > 
> 
> I have not :/

That's no problem at all. Then you have to imnport the public key of
the card key BEFORE you insert the card and make --card-status. Only
then the card is recognised and the stubs are generated automatically.

If the public keys are not in your public keyring, the card keys are
ignored.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpg: decryption failed: No secret key

[Dirk Gottschalk via Gnupg-users]

Hello John.

Am Dienstag, den 07.08.2018, 16:27 -0400 schrieb Yu:
> Hi
> 
> I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have
> the
> master key and subkeys. So my authentication key, encryption key, and
> signing key should be totally fine.
> 
> John-Wong:tmp jwong$ gpg --list-secret-keys
> /Users/jwong/.gnupg/pubring.kbx
> ---
> sec#  rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
>   Key fingerprint = 463F FBF9 0399 725F 240E  7A11 C9E7 221D AFCE
> 6539
> uid   [ultimate] John Wong 
> ssb#  rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
> ssb#  rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
> ssb>  rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]
> 

The # indicates, that the Keys are not available in the keyring.

> I am confused why I get this message:
> 
> gpg: decryption failed: No secret key

> I tried gpg --import but still doesn't help.
> 
> John-Wong:~ jwong$ gpg --import mastersub.key
> gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
> gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-
> status
> gpg: key 0xC9E7221DAFCE6539: secret key imported
> gpg: Total number processed: 1
> gpg:  unchanged: 1
> gpg:   secret keys read:
> 
> 
> Does anyone have any ideas for why this is happening? Thank you very
> much.
> This has been bothering me for few days now.

You should delete the complete secret key set from you keyring. Then
import the PUBLIC keys for the card keys and then do a gpg --card-
status.

Importing stubs is completely senseless, in my eyes.

If you set a fetch URL, you could also make --card-edit and issue a
fetch command.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: cannot decrypt file symmetric encrypted

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Donnerstag, den 02.08.2018, 14:11 +0200 schrieb Stefano
Tranquillini:
> Hi all,
> last year I encrypted some files, today i tried to decrypt them but
> the
> decryption fails

> stefano@~/Downloads/words$ gpg -d words.1.gpg
> gpg: AES256 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: decryption failed: Bad session key

> can it be the difference between 1.4 (i guess in july 2017 that was)
> and
> the current one

I don't now if there's any difference in symmetric encryption between
1.4.X and 2.2.X.

> stefano@~/Downloads/words$ gpg --version
> gpg (GnuPG/MacGPG2) 2.2.8
> libgcrypt 1.8.3

> what can I do?
> (i'm on a mac)

You could download and build the legacy version of GPG and give it a
try.

Are you sure you used the correct passphrase to decrypt?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Encrypt USB-HDD with LUKS using OpenPGP smartcard?

[Dirk Gottschalk via Gnupg-users]

Hi,

Am Mittwoch, den 01.08.2018, 18:06 +0200 schrieb Peter Lebbing:
> On 01/08/18 17:41, Dirk Gottschalk via Gnupg-users wrote:
> > Is it possible to encrypt an external USB drive in LUKS format with
> > an
> > OpenPGP smartcard?
> 
> On a system with systemd: no, I don't think this can be done. Systemd
> doesn't want to implement cryptsetup keyscripts, and those would be
> needed.
> 
> On a different system: it depends. What system are we talking about?
> :-)

I am using Fedora and it uses SystemD. On the other hanjd, the HDD is
mounted when plugged in via GVFS and Gnome asks for the passphrase or
reads it from gnome's keyring. Coult this be raplaces by the smartcard
to use the gpg key in some way?

I tried to use g13 with dm-crypt, but this seems not to work on Frdora
for an unknown reason.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Encrypt USB-HDD with LUKS using OpenPGP smartcard?

[Dirk Gottschalk via Gnupg-users]

Hi.

Is it possible to encrypt an external USB drive in LUKS format with an
OpenPGP smartcard? The device is, until now, only passphrase encrypted
and mounted on detect.

Would it be possible to let gpg ask for the PIN of the card, it it's in
locket state?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac



signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Dirk Gottschalk via Gnupg-users]

Hello Again. :-D

Am Montag, den 30.07.2018, 12:18 +0200 schrieb Felix E. Klee:

To compare the output of your packet analysis, I encrypted a file for
myself and got this result with --list-packets:

$ gpg -v --list-packets WoV-Logs.7z.gpg
gpg: Öffentlicher Schlüssel ist CAE07B251AE3F69E
gpg: der Unterschlüssel CAE07B251AE3F69E wird anstelle des
Hauptschlüssels 40810B181ED8E838 verwendet
gpg: der Unterschlüssel CAE07B251AE3F69E wird anstelle des
Hauptschlüssels 40810B181ED8E838 verwendet
gpg: verschlüsselt mit 4096-Bit RSA Schlüssel, ID CAE07B251AE3F69E,
erzeugt 2018-03-01
  "Dirk Gottschalk "
gpg: AES256 verschlüsselte Daten
# off=0 ctb=85 tag=1 hlen=3 plen=524
:pubkey enc packet: version 3, algo 1, keyid CAE07B251AE3F69E
data: [irrelevant hex data snipped]
# off=527 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
length: unknown
mdc_method: 2
# off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=2
# off=550 ctb=90 tag=4 hlen=2 plen=13
:onepass_sig packet: keyid 40810B181ED8E838
version 3, sigclass 0x00, digest 10, pubkey 1, last=1
# off=565 ctb=ae tag=11 hlen=5 plen=191470
:literal data packet:
mode b (62), created 1532964524, name="WoV-Logs.7z",
raw data: 191453 bytes
# off=192040 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 40810B181ED8E838
version 4, created 1532964524, md5len 0, sigclass 0x00
digest algo 10, begin of digest e0 4e
hashed subpkt 33 len 21 (issuer fpr v4
DDCBAF8E0132AA5420ABB86440810B181ED8E838)
hashed subpkt 2 len 4 (sig created 2018-07-30)
subpkt 16 len 8 (issuer key ID 40810B181ED8E838)
data: [irrelevant hex data snipped]

The signature key is only mentioned in the signature packet, but not in
combination with the en-/decryption. I really think this is an enQsig
issue and should be filed as a bug report to it's developers.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: 
https://github.com/Dirk1980ac id="-x-evo-selection-start-marker">


signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Montag, den 30.07.2018, 12:18 +0200 schrieb Felix E. Klee:
> Zum Vergleich eine Datei, die ich selbst für mich verschlüsselt habe,
> und die ich erfolgreich entschlüsseln kann:
> 
> >gpg --list-packets foo.gpg
> gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94,
> created 2
> 016-12-17
>   "Felix E. Klee "
> # off=0 ctb=85 tag=1 hlen=3 plen=524
> :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
> data: [4094 bits]
> # off=527 ctb=d2 tag=18 hlen=2 plen=76 new-ctb
> :encrypted data packet:
> length: 76
> mdc_method: 2
> # off=548 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
> :compressed packet: algo=2
> # off=550 ctb=cb tag=11 hlen=2 plen=23 new-ctb
> :literal data packet:
> mode b (62), created 1532945681, name="",
> raw data: 17 bytes

As a dirty workaroung you could generate a dedicated key without
subkeys with the capabilities set to [SCE] and try this key, which
should work. This will not fix the Issue per se, but should get your
decryption working while you try to solve the main problem. I don't npw
how important the data exchange in your case is.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: 
https://github.com/Dirk1980ac id="-x-evo-selection-start-marker">


signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Montag, den 30.07.2018, 11:26 +0200 schrieb Felix E. Klee:
> On Sun, Jul 29, 2018 at 11:37 PM, Dirk Gottschalk via Gnupg-users
>  wrote:
> > > My encryption key is the sub key 04FDF78D1679DD94. The private
> > > key is
> > > on a smart card. […]
> > 
> > Does this key work as expected in other programs, MUAs for example?
> 
> I use it daily for encryption/decryption of documents, though only
> with
> GnuPG.
> 
> > I didn't test it mysqlf, but exporting a only a sub key should be
> > no
> > problem.
> 
> *But how?*
> 
> Your suggestion doesn’t seem to work:
> 
> >gpg --export 04FDF78D1679DD94 | gpg --keyid-format long
> gpg: WARNING: no command supplied.  Trying to guess what you mean
> ..

Try "gpg --key-id-long -a --export 04FDF78D1679DD94". But, I just
tested it and it unfortunately seems to export the whole key bundle.
I'll look deeper into this.


> > Have you tried to inspect the packets in the file with
> > "--list-packets"?
> 
> Here you go (again my encryption key is `04FDF78D1679DD94`):
> 
> >gpg --list-packets encrypted.asc
> # off=0 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
> :pubkey enc packet: version 3, algo 1, keyid BEF6EFD38FE8DCA0
> data: [4096 bits]
> # off=527 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
> :pubkey enc packet: version 3, algo 1, keyid 04FDF78D1679DD94
> data: [4095 bits]
> # off=1054 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
> :pubkey enc packet: version 3, algo 1, keyid 92663E7CA68E4EC6
> data: [4096 bits]
> # off=1581 ctb=c1 tag=1 hlen=3 plen=524 new-ctb
> :pubkey enc packet: version 3, algo 1, keyid 9D8C454A43A6D2DE
> data: [4094 bits]
> gpg: encrypted with RSA key, ID 9D8C454A43A6D2DE
> gpg: encrypted with RSA key, ID 92663E7CA68E4EC6
> gpg: encrypted with 4096-bit RSA key, ID 04FDF78D1679DD94,
> created 2
> 016-12-17
>   "Felix E. Klee "
> gpg: public key decryption failed: Missing item in object
> gpg: encrypted with 4096-bit RSA key, ID BEF6EFD38FE8DCA0,
> created 2
> 016-12-17
>   "Felix E. Klee "
> gpg: public key decryption failed: Invalid ID
> gpg: decryption failed: No secret key
> # off=2108 ctb=d2 tag=18 hlen=3 plen=1718 new-ctb
> :encrypted data packet:
> length: 1718
> mdc_method: 2
> 
> I wonder what “Missing item in object” means.

The file seems to be encrypted (also) for the correct subkey. I wonder
about the signature key being mentioned in the first encrypted package
line, but I didn't test if this is normal.

Probably enQsig does not format the OpenPGP packet correctly. Missing
object is an error message that I've never seen before.

Your key bundle ist okay, otherwise you should habe the same problems
with other encrypted files.

The last packet mentions your signature key as used for encryption,
this is an error for sure. Invalid ID means that the key with this ID
does nor have the capabelity to encrypt or decrypt, which is correct.
In this case you really have no secret key to decrypt the file.

EnQsif seems really to mess up the encryption thing for unknown
reasons. I'll check for a way to eyport a public subkey. This schould
work because exporting a secret subkey is also possible.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: 
https://github.com/Dirk1980ac id="-x-evo-selection-start-marker">


signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Cannot decrypt file encrypted with enQsig

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Freitag, den 27.07.2018, 16:49 +0200 schrieb Felix E. Klee:
> From what I can tell, the file has been encrypted with four keys. My
> encryption key is the sub key 04FDF78D1679DD94. The private key is on
> a smart card. As you can see, decryption fails with an error message:
> “gpg: public key decryption failed: Missing item in object”

Does this key work as expected in other programs, MUAs for example?

> *What does the error message mean? Why does encryption fail?*

> I wonder if perhaps enQsig cannot properly deal with encryption sub
> keys:

> *Would it be possible to extract the public encryption sub key?* (to
> only provide that to the sender)

IIRC, a "gpg --export " should do exactly this. I didn't
test it mysqlf, but exporting a only a sub key should be no problem.

> I am using Gpg4win 3.1.2 on Windows 7x64. If more information is
> needed,
> then I am happy to provide it!

Could you provide an example file with this error, in best case
generated from the Sender?

Have you tried to inspect the packets in the file with
"--list-packets"?

This would show the key IDs which were used to encrypt, probably enQsig
really uses the wrong key to encrypt. Your primary key will fail then
when it's not capable to encrypt, which is the default.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350


signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Empty keyring after upgrade to Ubuntu 18.04 :/

[Dirk Gottschalk via Gnupg-users]

You could just import the old GPG files with appropriate options. I did this a 
while ago as my kbx got damaged when I had a hdd failure. 

Am 27. Juli 2018 06:50:59 MESZ schrieb fe...@crowfix.com:
>I ran into a similar problem a few months ago, upgrading from a much
>older gentoo system with 1.something.  I don't know what specific
>action fixed it, but after a couple of cycles of restoring the original
>and trying different commands, it suuddenly migrated correctly.  Memory
>says the first couple of attempts, I tried to do something which would
>have to do the migration first, and it worked when I restored the
>original and did just the migration by itself.  But I didn't take
>enough notes to figure it out after it started working.

-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpg2 --refresh-keys does not talk to dirmngr?

[Dirk Gottschalk via Gnupg-users]

Hello.

I have set up a local proxy server with a squid/privoxy/TOR chain and
set it up in dirmngr.conf. Now, after deleting the keyserver line from
gpg.conf, I found out that gpg2 seems not to talk to dirmngr when using
gpg2 --refresh keys.

Is there something I have to set up in one of the configs, especially
gpg.conf and gpg-agent.conf?

All the docs tell that dirmngr should be used automatically, if I read
them right.

Thanks vor your Patience.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: dirmngr cygwin resolv.conf

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Freitag, den 29.06.2018, 16:30 +0900 schrieb NIIBE Yutaka:
> john doe  wrote:
> > Now, the next step is to configure dirmngr to do the same!:
> > 
> > dirmngr.conf:
> > 
> > use-tor
> > http-proxy socks5://localhost:9150
> 
> Only "use-tor" is needed, then, dirmngr connects to localhost:9150
> for Tor.

I'm running a local server with a Squid/privoxy/TOR chain. This works
fine for keyserver and crl queries, but only for this. Is there any way
 to tell dirmngr on my workstation to use the socks port of TOR on my
server, which I configured to listen also on the NIC.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm 2 valid certificates

[Dirk Gottschalk via Gnupg-users]

You can set a default certificate in gpgsm.conf,which will be used, when no 
cert is specified by the calling Software.

Thunderbird should ask you, at least once, which Cert should be used, I think. 

Am 7. Juni 2018 10:48:14 MESZ schrieb Uwe Brauer :
>Hi
>
>I now posses 2 valid X509 certifcates for the same email address. In
>thunderbird I can import them both and select which I want to use.
>
>I hesitate to import the second one to gpgsm since it is not clear to
>me
>which will then be chosen by gnus/emacs/epa.
>
>I will also ask in the emacs mailing list
>
>Thanks
>
>Uwe Brauer 
>
>___
>Gnupg-users mailing list
>Gnupg-users@gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Duplicate personal key in keyring

[Dirk Gottschalk via Gnupg-users]

Hello Justin.

Am Montag, den 21.05.2018, 11:25 -0500 schrieb Justin Hibbits:
> Through some unknown series of events, I now have two copies of my
> personal gpg key in my keyring.  I double-checked to see if GPG is
> seeing the same key in two keyrings (maybe reading a backup), but
> both
> keys are being read from the same keyring.

> This leads me to two questions:

> 1) How could this happen in the first place?

I had a similar problem a while ago. In my case the key database was
corrupted. 


> 2) How can I fix this, short of generating a new key and revoking the
> existing key?

In my case I exported the public and the private keys of my own keys,
then exported the complete public key ring, both ascii armored.

Then I simply deleted the key database file(s) and re-imported the
exports.

GPG imports keys only once, so the duplicates should vanish when re-
importing.

> I've tried backing up the keyring and deleting one copy, but it
> deleted both copies.  I searched online for anyone else who had a
> similar issue, and came up empty, except for one person who was
> seeing the same key from two files.

Did you make an ascii armored export, or what kind of Backup do you
mean?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: A postmortem on Efail

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Sonntag, den 20.05.2018, 02:26 -0400 schrieb Robert J. Hansen:
> Writing just for myself -- not for GnuPG and not for Enigmail and
> definitely not for my employer -- I put together a postmortem on
> Efail.
> You may find it worth reading.  You may also not.  Your mileage will
> probably vary.  :)
> 
> https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08

Thank you for this real good post. You have some real good arguments.

I use GnuPG for many, many years now and for all purposes it is usable
for. Encrypting/Signinmg files, emails, backups, and, as you wrote, it
is used to check packages for my distribution (Fedora). And I even
"abuse" GnuPG to do things, which are not part of the "official" use
cases, but it works even in this cases.

I think the backwards compatiblity should be broken to improve things.
It would be possible to implement something like --legacy to re-enable
the old functionality. This could also be implemented in email clients
and plug-ins like enigmail as a checkbox.

Increment your numnber of natively OpenPGP supporting email clients
from zero to one. Evolution has this implemented. At least as an
interface to gnupg-agent.

Okay, I should say I am one of the very few users, which are using
GnuPG on a regular basis for many use cases. I even have a few
Smartcards with keys and so on. And I would like to help improving
things, if help is welcome. 

Again, thank you for posting this statement, it wasw really nice to
read.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: smartcards and GPGME

[Dirk Gottschalk via Gnupg-users]

Hello Jacob.

Am Sonntag, den 13.05.2018, 18:26 -0400 schrieb Jacob Adams:
> Hello all,
> 
> As part of a program I'm writing this summer for GSoC, I'd like to be
> able to both move gpg private keys to a smartcard and generate keys
> on
> the smartcard from an application. While this can be done from gpg,
> it
> doesn't look like I can do so from GPGME or any other wrappers that
> exist. Have I missed something or is this simply not possible yet?

GPGsm does not do anything with GPG keys directly. The Keys it creates
are stored inside GPGsm and are derived from GPG keys, AFAIU.

For your purpose you have to use the GPGme library.


> While I could wrap this functionality of gpg, I'd really prefer not
> to
> and I'd rather not drop the user to a gpg prompt if I don't have to.

GPGme does what you are trying to do, without prompting, except for
cases where PIN or password are required. This events are handled by
gpg-agent.

GPGsm is for managing X.509 certificates. I'm not sure if it can handle
moved keys. It should, if it interaqcts with gpg-agent. That's
something I'm not really sure of.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Where to send a "patch" to scute.

[Dirk Gottschalk via Gnupg-users]

Hi.

I use scute to sign my documents in LibreOffice and I was in need to be
able to use a cert based upon my signature key.

So I changed scute tu build 2 shared objects. The usual  scute.so,
which uses the authentication key, and scutrsig.so, which uses the
signature key, for use with LibreOffice.

Where shoult I send this a suggested feature? Is somebody interested in
this out there?

I append my patch to this mail, if somebody is interested in this
"feature". There are only a few really small modigications, but it
works fine for me.

By the way, I forked the GitHub mirror of scute and made the changes
there. The appendet file is the output of "git diff" relative to the
latest commit in the official repository.

My repository can be found at: https://github.com/Dirk1980ac/scute

Regards,
Dirk

PS: The changes were made in some kind of dirty way, because I was in a
hurry to get this working. If somebody has suggestions to make this in
a cleaner way, feel free to comment.

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350diff --git a/.gitignore b/.gitignore
index 5074f03..25638a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ m4/Makefile.in
 obj/
 src/Makefile.in
 tests/Makefile.in
+.buildconfig
diff --git a/README b/README
index 4cd9a12..669e71d 100644
--- a/README
+++ b/README
@@ -1,3 +1,19 @@
+This is a slightly modified versiong of scute.
+
+This modifies version generates two shared objects.
+
+The standard scute.so uses Key 3 on card (authentication key.
+
+scutesig.so uses the signature key. It can be used with Libreoffice to sign
+documents with a certificate based upon the signature key, or even to sign mail
+with this certificate in thunderbird.
+
+The modifications were made by:
+Dirk Gottschalk 
+
+Original README below
+=
+
 Scute
 =
 
diff --git a/build.sh b/build.sh
new file mode 100755
index 000..bcece67
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,3 @@
+#/bin/sh
+./configure --libdir=/usr/lib64/scute-sig --prefix=/ --enable-silent-rules --enable-sigkey --enable-maintainer-mode
+make
diff --git a/configure.ac b/configure.ac
index 3615a49..6a69871 100644
--- a/configure.ac
+++ b/configure.ac
@@ -67,7 +67,7 @@ AC_INIT([mym4_package],[mym4_version], [https://bugs.gnupg.org])
 #
 LIBSCUTE_LT_CURRENT=0
 LIBSCUTE_LT_AGE=0
-LIBSCUTE_LT_REVISION=3
+LIBSCUTE_LT_REVISION=4
 
 # Version numbers reported by the PKCS #11 module to its users.
 VERSION_MAJOR=1
@@ -313,6 +313,8 @@ else
 fi
 AM_CONDITIONAL(HAVE_GPGSM, test "$GPGSM" != "no")
 
+AS_IF([test "x$enable_sigkey" = "xyes"], [])
+AM_CONDITIONAL([ENABLE_SIGKEY], [test "$enable_sigkey" = "yes"])
 
 dnl Check for GPGSM version requirement.
 GPGSM_VERSION=unknown
diff --git a/src/Makefile.am b/src/Makefile.am
index 9ceef93..ea3cf9f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -60,6 +60,35 @@ sources = cryptoki.h pkcs11.h debug.c debug.h settings.h support.h	\
 	p11-verifyrecover.c p11-verifyrecoverinit.c p11-verifyupdate.c	\
 	p11-waitforslotevent.c p11-wrapkey.c sexp-parse.h
 
+sigsources = cryptoki.h pkcs11.h debug.c debug.h settings.h support.h	\
+	locking.h locking.c error-mapping.h error-mapping.c		\
+	get-path.c agent.h agent.c	\
+	slots.h slots-sig.c table.h table.c\
+	cert.h cert-gpgsm.c cert-object.c gpgsm.h gpgsm.c		\
+	p11-cancelfunction.c p11-closeallsessions.c p11-closesession.c	\
+	p11-copyobject.c p11-createobject.c p11-decrypt.c		\
+	p11-decryptdigestupdate.c p11-decryptfinal.c p11-decryptinit.c	\
+	p11-decryptupdate.c p11-decryptverifyupdate.c p11-derivekey.c	\
+	p11-destroyobject.c p11-digest.c p11-digestencryptupdate.c	\
+	p11-digestfinal.c p11-digestinit.c p11-digestkey.c		\
+	p11-digestupdate.c p11-encrypt.c p11-encryptfinal.c		\
+	p11-encryptinit.c p11-encryptupdate.c p11-finalize.c		\
+	p11-findobjects.c p11-findobjectsfinal.c p11-findobjectsinit.c	\
+	p11-generatekey.c p11-generatekeypair.c p11-generaterandom.c	\
+	p11-getattributevalue.c p11-getfunctionlist.c			\
+	p11-getfunctionstatus.c p11-getinfo.c p11-getmechanisminfo.c	\
+	p11-getmechanismlist.c p11-getobjectsize.c			\
+	p11-getoperationstate.c p11-getsessioninfo.c p11-getslotinfo.c	\
+	p11-getslotlist.c p11-gettokeninfo.c p11-initialize.c		\
+	p11-initpin.c p11-inittoken.c p11-login.c p11-logout.c		\
+	p11-opensession.c p11-seedrandom.c p11-setattributevalue.c	\
+	p11-setoperationstate.c p11-setpin.c p11-sign.c			\
+	p11-signencryptupdate.c p11-signfinal.c	p11-signinit.c		\
+	p11-signrecover.c p11-signrecoverinit.c	p11-signupdate.c	\
+	p11-unwrapkey.c p11-verify.c p11-verifyfinal.c p11-verifyinit.c	\
+	p11-verifyrecover.c p11-verifyrecoverinit.c p11-verifyupdate.c	\
+	p11-waitforslotevent.c p11-wrapkey.c sexp-parse.h
+
 
 if HAVE_LD_VERSION_SCRIPT
 scute_version_script_cmd = -Wl,--version-script=$(srcdir)/libscute.vers
@@ -68,7 +97,8 @@ scute_version_script_cmd =
 endif
 
 
-lib_LTLIBRARIES = scute.la
+lib_LTLIBRARIES = scute.la scutesig.la
+
 
 if 

Wrong Keygrip (gpg2 --card-status --with-keygrip)

[Dirk Gottschalk via Gnupg-users]

Hi,

gpg outputs the wrhon keygrip with --card-edit --with-keygrip. The
output is:

Signature key : DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
  created : 2018-03-01 13:46:51
  keygrip : 5707164106D237EB453D5359F9D319955BAA33A2
Encryption key: 092D 9CEB 9D34 B154 E0FC  5761 CAE0 7B25 1AE3 F69E
  created : 2018-03-01 13:46:51
  keygrip : A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E
Authentication key: B982 A7AC F65C FBBB 1E7B  2B05 774B 4700 4B02 B274
  created : 2018-03-01 13:47:25
  keygrip : A3B4BF3DA9F46E9BCC5687A7E59680A8B008DA8E

As you see, it returns the same grip for enc. and auth. key. This is
wrong and "gpg2 -K --with-keygrip" returns the correct Keygrips.

My gpg version is 2.2.6

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Errors while creating an g13 encrypted container.

[Dirk Gottschalk via Gnupg-users]

Am Freitag, den 13.04.2018, 11:40 +0200 schrieb Werner Koch:
> On Fri, 13 Apr 2018 03:49, gnupg-users@gnupg.org said:
> 
> > There is neither a command or package named userv, nor a script
> > called
> > 'gnupg-g13-syshelp' in the repositories. The binary g13-syshelp is
> > available.

>   apt-get install userv

In my case it is dnf, but this tool is not available at all in the
repos.


> Frankly, I wonder why that immense useful tool is not part of the
> base
> distribution.

I think it should be available and a dependency for gnupg2 in this
case. Okay, then I'll search for userv and built it myself. And I'll
file a bug report against the gnupg2 rpm package for the not working
feature.

Thanks for your Help.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Errors while creating an g13 encrypted container.

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Donnerstag, den 12.04.2018, 21:08 +0200 schrieb Werner Koch:
> On Thu, 12 Apr 2018 17:16, gnupg-users@gnupg.org said:

> > g13: running '/usr/bin/encfs' in the background

> IIRC, the author of encfs said that it should not anymore be used.
> Given that, I have not tested encfs based container in a long
> time.  I
> use dm-crypt containers instead.

Oh, good to know.

So I tested it with dm-crypt and got another error:

---
$ g13 -r 764C2156D8AC31D0 --type dm-crypt --create container.g13 
g13: can't connect to 'g13-syshelp': IPC "connect" Aufruf
fehlgeschlagen G13
g13: (is userv and its gnupg-g13-syshelp script installed?)
g13: error creating a new container: IPC "connect" Aufruf
fehlgeschlagen 
---

GnuPG 2 is installed with all dependencies. Installed versions:

---
# dnf list "gnupg2*"
Installierte Pakete
gnupg2.x86_64  2.2.5-1.fc27  
gnupg2-smime.x86_64 2.2.5-1.fc27
---

There is neither a command or package named userv, nor a script called
'gnupg-g13-syshelp' in the repositories. The binary g13-syshelp is
available.

Has anybody some suggestions? or should I file a bug report against the
RPM package?

Thanks.

Regards,
Dirk



-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Errors while creating an g13 encrypted container.

[Dirk Gottschalk via Gnupg-users]

Hello,

we are trying to exchange files in encrypted containers. But when I
create such a container, g13 throws the following errors:

$ g13 -r 764C2156D8AC31D0 --create container.g13 
g13: DBG: used keyblob size is 61
g13: running '/usr/bin/encfs' in the background
g13: DBG: starting runner thread
g13: got prompt 'create_root_dir'
g13: DBG: sending command  -->y<--
g13: got prompt 'create_mount_point'
g13: DBG: sending command  -->y<--
g13: got prompt 'config_option'
g13: DBG: sending command  --><--
g13: got prompt 'new_passwd'
g13: got status 'fuse_main_start'
g13: DBG: runner thread noticed cancel flag
g13: DBG: runner thread closed status fp
g13: DBG: runner thread waiting ...
g13: Fehler bei Ausführung von `encfs-1': beendet
g13: running 'encfs-1' failed (exitcode=-1): Allgemeiner Fehler
g13: DBG: runner thread waiting finished
g13: DBG: runner thread releasing runner ...
g13: failed to remove mount with rid 1 from mtab: Nicht gefunden
g13: DBG: runner thread runner released
g13: g13 (GnuPG) 2.2.5 angehalten

Am I doing something wrong in the creation command?

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Again: Writing DER certificates to ZeitControl Cards

[Dirk Gottschalk via Gnupg-users]

HI.

Am Montag, den 02.04.2018, 13:43 +0100 schrieb Damien Goutte-Gattat via
Gnupg-users:

> $ gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP'
> S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0

> The value you are interested in is "mcl3". In this example, it says
> that 
> the Yubikey NEO allows for a 1216-bytes certificate.

Thanks for your advice. The Output of the command for my card tells
that a cert can have up to 2048 bytes which is 2kB. The file I want to
store is about 1.8kB so this seems not to be the problem.

By the way, I am using a ReinerSCT CyberJack RFID Standard via PCSCd.
Perhaps this is the source of my problems. Unfortunately I didn't get
the internal CCID driver to work with this reader. I have to check if
it is compiled in in my distributions package and if it even would work
with my reader.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Feature wishlist. ;)

[Dirk Gottschalk via Gnupg-users]

Hi.

Here comes my list of "nice to have" functions for future versions.

- Full CA functionality in GPGsm, incl. CRLs and extended attributes
  for signed certificates

- A free cup of coffee, every time GPG tells a function may take a
  while

- A Medal of honor after 1.000 signatures.

- And, last, but not least, a complete manual.

Okay, only the first and the last ones are realistic. But, don't take
me all of my dreams. :-D

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Again: Writing DER certificates to ZeitControl Cards

[Dirk Gottschalk via Gnupg-users]

Hello.

I asked this Question a while ago, but unfortunately didn't get any
response. So, I ask again and I'm in hope that somebody here knows any
Answer to this. I just want to know if the cards do not support it, or
is somebething wrong with my setup?

I'm trying to import certificates in DER format to Zeitcontrol OpenPGP-
Cards (v2.1 and v3.3) and get this error message:

gpg/card> writecert 3 < cert.der
gpg: error writing certificate to card: Kartenfehler

The last word says "card error".

Are these cards not capable of getting certs written on, or am I
missing something?

The Admin-Pin is correct, so this could not be the problem.

By the way, I'm using a ReinerSCT CyberJack RFID standard via PCSCd.
Anything works well, except of writing x509 certificates in DER format
to the card.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Is signing a file with multiple keys possible

[Dirk Gottschalk via Gnupg-users]

Hello Phil.

Am Freitag, den 23.03.2018, 20:44 -0400 schrieb Phil Pennock:
> On 2018-03-24 at 00:31 +0100, Dirk Gottschalk via Gnupg-users wrote:
> > Is it possible to sign a file with multiple keys?
> 
> Yes.  Slightly lower-level operations than normal signing, but not by
> much, you just need to know about enarmor/dearmor and how signatures
> are
> put together.
> ...

Thank you very much. It's like cahining up PEM Certs in OpenSSL. Why
didn'z I even think about this? The Format is so similar.

Thanks,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Writing DER certificates to Zeitcontrol Cards

[Dirk Gottschalk via Gnupg-users]

Hello.

Yes, it's me again with another question.

I'm trying to import certificates in DER format to Zeitcontrol OpenPGP-
Cards (v2.1 and v3.3) and get this error message:

gpg/card> writecert 3 < cert.der
gpg: error writing certificate to card: Kartenfehler

The last word says "card error".

Are these cards not capable of getting certs written on, or am I missing 
something?

The Admin-Pin is correct, so this could not be the problem.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Is signing a file with multiple keys possible

[Dirk Gottschalk via Gnupg-users]

Hello.

Is it possible to sign a file with multiple keys?

For Example: John, Harry and Sally wrote a file, lets assume it is a
text file. Now all of them want to sign this file, so that when
verifying it, all three signatures are visible.

Is this possible?

I tried with --clearsign, but that doesn't work, because the former
signatures are disabled by the latest signing process.

Is there any way to add a signature instead of overriding the former
Signature?

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: OpenPGP-Card v3.3 - ECC Curve25519 supported?

[Dirk Gottschalk via Gnupg-users]

Hello.

I have one oif this new openPGP Cards v3.3 and yes, they are capable of
nist / brainpool only. curve25519 is not supported.

I use it only with RSA keys for compatiblity reasons. Not everybody
uses ECC capable versions of GnuPG or other compatible openPGP
software.

The card itself works well. I use it for various authentication,
signing and encryption purposes like Email, SSH and in combination with
gpgsm.

Regards,
Dirk


Am Montag, den 19.03.2018, 18:57 +0100 schrieb karel-...@tutanota.com:
> Hello!
> I have seen that the latest revision of OpenPGP-cards (3.3) supports
> ECC-keys and is available for sale.
> Does this also include curve25519 or "only" Brainpool and NIST?
> Thanks for enlightment!
> Karel
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part


smime.p7s
Description: S/MIME cryptographic signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

[Dirk Gottschalk via Gnupg-users]

Hi.

Am Mittwoch, den 28.02.2018, 10:56 +0100 schrieb Thomas Jarosch:
> To me it seems it shows the 'keygrip' instead of the smartcard key
> IDs?

Yes, that's correct.


> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I think this is not neccessary, since you can see the keygrip using
"gpg2 -K --with-Keygrip".

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Removing expired keys

[Dirk Gottschalk via Gnupg-users]

Hello.

Am Samstag, den 24.02.2018, 07:20 -0500 schrieb Jerry:
> Kleopatra Version 3.0.2-gpg4win-3.0.3
> 
> Running the command from Kleopatra   Certificates> on a
> Windows 10 PRO amd64 machine, displays numerous expired certificates.
> The
> complete output is available here: https://seibercom.net/GPG-Expired-
> Keys.txt
> 
> Is there any command that I can run from either Kleopatra or the
> Windows'
> command line that will remove all of these expired certificates? I
> would
> really love to clean up system and removed expired or revoked
> certificates.

I run under Linux and have a shell script for this. AFAIK there is no
way to do this automatically from gpg itself.


> Also, how do I deal with "signatures not checked due to missing keys"
> warnings?

You could turn on automatic key retieval in gog.conf. add the following
to the keyserver-options parameter:

auto-key-retrieve

This will automatically download missing keys when you try to verify a
signature.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How can we utilize latest GPG from RPM repository?

[Dirk Gottschalk via Gnupg-users]

Hi.
Am Mittwoch, den 14.02.2018, 14:20 -0600 schrieb helices:
> CentOS 7 uses gnupg2 v2.0.22. EPEL doesn't have anything newer.

> We want to move to v2.2.x, and stay current, but we don't want to
> download
> source and compile for dozens of systems.

> We want all users to be using the same version all of the time.

> Please, advise. Thank you.

You could try to use the packages from Fedora. Actually they distribute
Version 2.2.4 for Fedora 27. In doubt it should be possible to rebuild
the source packages for CentOS.

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Can't import public key

[Dirk Gottschalk via Gnupg-users]

Hi.

Are you sure it is a RSA key and noit an ECC key?

AFAIK is gpg < 2.X not capable of working with ECC keys.

Regards,
Dirk


Am Samstag, den 03.02.2018, 09:15 -0600 schrieb Pijus Kar:
> Hi,
> 
> We are using GnuPG 1.2.1 on AIX. We are trying to import a public key
> received from others which is generated on GnuPG v2.
> Will there be any problem importing the public key. While importing
> we are
> getting below error -
> 
> gpg: key 1D75115C: invalid self-signature on user id xxx xxx xxx
> gpg: key 1D75115C: invalid subkey binding
> gpg: key 1D75115C: no valid user IDs
> gpg: this may be caused by a missing self-signature
> 
> Is it something for the version incompatibility or in the key?
> 
> 
> Regards,
> Pijus
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users