Re: Failed to use GPG key for SSH
* 2023-07-11 22:28:36-0500, Caleb Herbert wrote:

> But lately, I haven't been able to use SSH.

> sec#  rsa3072 2023-06-29 [SC]
>       631CC434A56B5CBDFF21234697643795FA3E4BCE
> uid   [ultimate] Caleb Herbert
> ssb#  rsa3072 2023-06-29 [E]
> ssb#  rsa2048 2023-06-29 [A]

The "#" mark tells that secret keys are missing from this keyring. Text "sec#" means that the primary secret key is missing and "ssb#" tells the same about secret subkeys. Those should read as "sec" and "ssb", without the "#" mark, or "sec>" or "ssb>" if the key data is actually on a smart card.

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462

signature.asc
Description: PGP signature

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
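A small checker for the situation above, added here as an example (it is not part of the message or of GnuPG). Instead of eyeballing "sec#"/"ssb#" in the human listing it parses `gpg -K --with-colons` and reports, for every secret key, whether the secret part is on disk, on a smart card, or a stub, and which keys are actually usable for SSH (authentication-capable and not a stub). The field layout it relies on is the one from GnuPG's doc/DETAILS, stated in the docstring; the two listings embedded in the script are constructed samples, not real output.

```python
"""Check which secret (sub)keys really exist before debugging gpg-agent SSH.

Added example, not part of the original message. It parses the
machine-readable listing `gpg -K --with-colons` instead of the human one
shown in the post. Field layout assumed (GnuPG doc/DETAILS, 1-based):
field 1 record type, field 5 key ID, field 12 own capabilities of the key
("a" = authentication), field 10 of the following "fpr" record the
fingerprint, and field 15 of sec/ssb records "+" (secret key on disk),
"#" (stub only, no secret key) or the serial number of the smart card.
"""
from dataclasses import dataclass


@dataclass
class SecretKey:
    kind: str        # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str        # lowercase letters = this key's own capabilities
    where: str       # "+", "#" or a card serial number
    fpr: str = ""

    @property
    def present(self) -> bool:
        """True if gpg-agent can actually use the key (disk or card)."""
        return self.where != "#"

    def describe(self) -> str:
        if self.where == "#":
            place = "STUB, secret key missing"
        elif self.where == "+":
            place = "secret key on disk"
        else:
            place = f"secret key on card {self.where}"
        return f"{self.kind} {self.keyid} [{self.caps}] {place}"


def parse_secret_listing(text: str) -> list[SecretKey]:
    keys: list[SecretKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            where = f[14] if len(f) > 14 else ""
            keys.append(SecretKey(f[0], f[4], f[11], where))
        elif f[0] == "fpr" and keys and not keys[-1].fpr:
            keys[-1].fpr = f[9]       # the fpr record follows its sec/ssb
    return keys


def ssh_usable_keys(keys: list[SecretKey]) -> list[SecretKey]:
    """Authentication-capable keys whose secret part is really there."""
    return [k for k in keys if "a" in k.caps and k.present]


# Constructed sample 1: the situation from the post, every secret is a stub.
SAMPLE_STUBS = """\
sec:u:3072:1:97643795FA3E4BCE:1688000000::::::scESCA:::#:::23::0:
fpr:::::::::631CC434A56B5CBDFF21234697643795FA3E4BCE:
uid:u::::1688000000::0000000000000000000000000000000000000000::Caleb Herbert <caleb@example.org>::::::::::0:
ssb:u:3072:1:0000000000000001:1688000000::::::e:::#:::23:
fpr:::::::::0000000000000000000000000000000000000001:
ssb:u:2048:1:0000000000000002:1688000000::::::a:::#:::23:
fpr:::::::::0000000000000000000000000000000000000002:
"""

# Constructed sample 2: primary key kept offline (stub), encryption subkey
# on a smart card, authentication subkey on disk: a working SSH setup.
SAMPLE_OK = """\
sec:u:3072:1:97643795FA3E4BCE:1688000000::::::scESCA:::#:::23::0:
fpr:::::::::631CC434A56B5CBDFF21234697643795FA3E4BCE:
ssb:u:3072:1:0000000000000001:1688000000::::::e:::D2760001240103040006123456780000:::23:
fpr:::::::::0000000000000000000000000000000000000001:
ssb:u:2048:1:0000000000000002:1688000000::::::a:::+:::23:
fpr:::::::::0000000000000000000000000000000000000002:
"""

if __name__ == "__main__":
    # Real use:  gpg -K --with-colons | python3 this_script.py
    import sys
    text = SAMPLE_STUBS if sys.stdin.isatty() else sys.stdin.read()
    keys = parse_secret_listing(text)
    for k in keys:
        print(k.describe())
    ready = ssh_usable_keys(keys)
    print("SSH-usable keys:", [k.fpr for k in ready] or "none")
```

If the only authentication-capable key reports "STUB", gpg-agent has nothing to offer to ssh no matter what `--export-ssh-key` or sshcontrol says; the fix is on the keyring side (import the secret subkey, or make the card available), not in the SSH configuration.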
Re: Subkeys renewing/expiring strategy
* 2022-10-11 17:23:49+0200, nect via Gnupg-users wrote:

> Since I was struggling to choose a strategy for expiring/renewing my
> subkeys [...]

We should ask why you want to expire (and rotate) your subkeys. Maybe you have good reasons but I'll remind you of the basic question: why not use the default simple strategy? Keep secret keys secret so there is no need to rotate (sub)keys. Subkeys don't need an expiry date at all. The primary key should (!) have an expiry date which is updated as needed. That's it. No?

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
Re: Backup of GPG private keys?
* 2022-01-26 08:15:30+, Mogens Jensen via Gnupg-users wrote:

> As of GnuPG (LTS) version 2.2.33, what is the recommended way to backup
> your GPG private keys on a Linux system?
>
> 1. Backing up the entire ~/.gnupg directory?

Yes. Just a normal backup is good and often enough. Just store the backups at least as safely as your ~/.gnupg directory. Very old backups may not be fully compatible with newer versions of GnuPG, although GnuPG may have some automatic mechanism to convert from older file formats.

> 2. Exporting only the keys?

The OpenPGP export format is good too because it does not depend on the current file format. The export format should be compatible with almost any OpenPGP implementation. If you back up important long-term keys outside your normal computers I suggest using the export format: "gpg --export-secret-keys".

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
Re: Having two versions of GPG on Linux causes problem
* 2022-01-07 13:45:09+0800, foods.bolds wrote:

> I installed two versions of GnuPG on Ubuntu using two package
> managers.

> It seems that GPG 2.3 invoked the old version of gpg-agent residing in
> /usr/bin. I cannot delete the old gpg because it is a dependency of
> other software.

Probably there is a systemd unit gpg-agent.socket which listens for connections on a socket and starts unit gpg-agent.service, which starts /usr/bin/gpg-agent. If that is the case you can override the .service unit. Write a .conf file which overrides just the ExecStart= and ExecReload= settings, like this:

    # /etc/systemd/user/gpg-agent.service.d/my.conf
    # or maybe:
    # ~/.config/systemd/user/gpg-agent.service.d/my.conf
    [Service]
    # The empty assignment clears the vendor value first; systemd refuses
    # a second ExecStart= line for a service that is not Type=oneshot.
    ExecStart=
    ExecStart=/usr/local/bin/gpg-agent --supervised
    ExecReload=
    ExecReload=/usr/local/bin/gpgconf --reload gpg-agent

Then:

    systemctl --user stop gpg-agent.service
    systemctl --user daemon-reload

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
Re: User id's without person's name, only email
* 2021-11-18 13:22:52+1100, raf via Gnupg-users wrote:

> Real names aren't that useful. They're hardly unique,
> even/especially within a single family.

That continues the technical or nerdy point of view. "Real names are not unique. Therefore they are not (that) useful." Sometimes crypto nerds seem to say that if everything is not perfect then all is lost. In practice, real names are very useful for humans.

But another thing is that two separate things probably shouldn't be in the same technical information field. Currently we could do this:

    pub   ed25519 2021-11-07 [C] [expires: 2023-11-07]
          [Not really my key, so fingerprint removed.]
    uid   [...] Teemu Likonen
    uid   [...]
    uid   [...]
    uid   [...]

Then other people could more carefully certify different information in user id's.

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
Re: User id's without person's name, only email
* 2021-11-16 17:06:02+, Andrew Gallagher via Gnupg-users wrote:

> The "Real Name" and "Comment" portions of the userID are mere
> conventions and, if you have an address book, entirely redundant.

Thanks. That is a rather technical point of view and correct in that sense. In my opinion it is a bit too nerdy because real names are convenient for other people. For example, I have two address books:

1. Actual address books for people, their home addresses, phone numbers and emails. None of these people have an OpenPGP key.

2. The second "address book" is my OpenPGP keyring. It groups persons' names, their email and other key data.

If many keys don't have a name in their user id it could be an inconvenience. Computer programs can find keys but often we also need manual "gpg -k" etc. Real names help there.

(I understand that some people need to protect their identity and use some random strings in user id's. That is completely different from usual public communication.)

But this is nothing important. The key's owner decides.

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
User id's without person's name, only email
I have seen a couple of new OpenPGP keys which have only email addresses as user id's. No person's name at all. I also noticed that the Notmuch Emacs email client was changed in recent months so that it shows only the signer's email when the signature is verified with a valid key, even if the key's user id's have a person's name.

Am I seeing a starting trend here? Do some people think that it is better practice to have only an email address as user id? What might be their reason? Or maybe it's not a trend and doesn't mean anything. I got curious anyway. Add your speculation. :-)

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462
Re: What are the file in ~/.gnupg ?
* 2021-10-29 16:04:11+0200, Romain LT via Gnupg-users wrote:

> tofu.db
> is an sqlite database and means Trust On First Use. But what does
> it mean and what does it contain?

tofu.db contains a log for every signature and encryption by/for every key and email address. This means in human language:

"I have verified this signature made by this key and email address at that time." (time of the signature and time of verification are recorded)

"I have encrypted for this key and email at that time."

GnuPG can tell some of that information in technical form:

    gpg --list-keys --with-colons --with-tofu-info

In SQL terms the tofu.db database has this schema:

    $ sqlite3 ~/.gnupg/tofu.db .schema
    CREATE TABLE version (version INTEGER);
    CREATE TABLE bindings (oid INTEGER PRIMARY KEY AUTOINCREMENT, fingerprint TEXT, email TEXT, user_id TEXT, time INTEGER, policy INTEGER CHECK (policy in (1, 2, 3, 4, 5)), conflict STRING, effective_policy INTEGER DEFAULT 0 CHECK (effective_policy in (0, 1, 2, 3, 4, 5)), unique (fingerprint, email));
    CREATE TABLE sqlite_sequence(name,seq);
    CREATE TABLE signatures (binding INTEGER NOT NULL, sig_digest TEXT, origin TEXT, sig_time INTEGER, time INTEGER, primary key (binding, sig_digest, origin));
    CREATE TABLE encryptions (binding INTEGER NOT NULL, time INTEGER);
    CREATE INDEX bindings_fingerprint_email on bindings (fingerprint, email);
    CREATE INDEX bindings_email on bindings (email);
    CREATE INDEX encryptions_binding on encryptions (binding);
    CREATE TABLE ultimately_trusted_keys (keyid);

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
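To make the schema above concrete, here is an added example (not from the message, not GnuPG code) that builds that schema in an in-memory SQLite database, fills it with constructed rows, and runs the two queries a TOFU report is made of: per (fingerprint, email) binding, how many signatures were verified and when, how often you encrypted to it, and which email addresses are bound to more than one key, which is exactly the "conflict" GnuPG warns about. The numeric policy codes are the ones from GnuPG's g10/tofu.h as I remember them (0 none, 1 auto, 2 good, 3 unknown, 4 bad, 5 ask) and are an assumption here; the sample data is invented. `CREATE TABLE sqlite_sequence` is omitted from the script because SQLite creates that table itself for AUTOINCREMENT.

```python
"""Query GnuPG's tofu.db the way a TOFU statistics report does.

Added example, not from the original message. The schema is the one
printed in the message (minus sqlite_sequence, which SQLite maintains on
its own); the rows inserted are constructed. The numeric policy values
follow GnuPG's g10/tofu.h (assumed): 0 none, 1 auto, 2 good, 3 unknown,
4 bad, 5 ask.
"""
import sqlite3
from datetime import datetime, timezone

TOFU_SCHEMA = """
CREATE TABLE version (version INTEGER);
CREATE TABLE bindings (oid INTEGER PRIMARY KEY AUTOINCREMENT, fingerprint TEXT,
  email TEXT, user_id TEXT, time INTEGER,
  policy INTEGER CHECK (policy in (1, 2, 3, 4, 5)), conflict STRING,
  effective_policy INTEGER DEFAULT 0 CHECK (effective_policy in (0, 1, 2, 3, 4, 5)),
  unique (fingerprint, email));
CREATE TABLE signatures (binding INTEGER NOT NULL, sig_digest TEXT, origin TEXT,
  sig_time INTEGER, time INTEGER, primary key (binding, sig_digest, origin));
CREATE TABLE encryptions (binding INTEGER NOT NULL, time INTEGER);
CREATE INDEX bindings_fingerprint_email on bindings (fingerprint, email);
CREATE INDEX bindings_email on bindings (email);
CREATE INDEX encryptions_binding on encryptions (binding);
CREATE TABLE ultimately_trusted_keys (keyid);
"""

POLICY = {0: "none", 1: "auto", 2: "good", 3: "unknown", 4: "bad", 5: "ask"}

# Constructed fingerprints, not real keys.
FP_A, FP_B, FP_C = "A" * 40, "B" * 40, "C" * 40


def open_tofu(path: str = ":memory:") -> sqlite3.Connection:
    """':memory:' gives an empty db with the schema; a real path is opened read-only."""
    if path == ":memory:":
        db = sqlite3.connect(":memory:")
        db.executescript(TOFU_SCHEMA)
        return db
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def load_sample(db: sqlite3.Connection) -> None:
    """Constructed history: alice's address has been seen under two keys."""
    t0 = 1_635_000_000
    bindings = [
        (1, FP_A, "alice@example.org", "Alice <alice@example.org>", t0, 1, None, 1),
        (2, FP_B, "alice@example.org", "Alice <alice@example.org>", t0 + 86400, 5, FP_A, 5),
        (3, FP_C, "bob@example.org", "Bob <bob@example.org>", t0, 1, None, 1),
    ]
    db.executemany("INSERT INTO bindings VALUES (?,?,?,?,?,?,?,?)", bindings)
    sigs = [(1, f"sig{i}", "mail", t0 + i * 3600, t0 + i * 3600 + 5) for i in range(3)]
    sigs.append((2, "sigX", "mail", t0 + 90000, t0 + 90005))
    db.executemany("INSERT INTO signatures VALUES (?,?,?,?,?)", sigs)
    db.executemany("INSERT INTO encryptions VALUES (?,?)", [(1, t0 + 10), (1, t0 + 20)])
    db.commit()


def binding_report(db: sqlite3.Connection) -> list[dict]:
    """Per (fingerprint, email): signatures verified, first/last seen, encryptions."""
    rows = db.execute("""
        SELECT b.fingerprint, b.email, b.effective_policy,
               COUNT(s.sig_digest), MIN(s.sig_time), MAX(s.sig_time),
               (SELECT COUNT(*) FROM encryptions e WHERE e.binding = b.oid)
        FROM bindings b LEFT JOIN signatures s ON s.binding = b.oid
        GROUP BY b.oid ORDER BY b.email, b.fingerprint""").fetchall()
    return [
        {"fingerprint": fp, "email": em, "policy": POLICY.get(pol, str(pol)),
         "signatures": n, "first": first, "last": last, "encryptions": enc}
        for fp, em, pol, n, first, last, enc in rows
    ]


def conflicting_emails(db: sqlite3.Connection) -> list[str]:
    """Emails bound to more than one key: what TOFU prompts about."""
    return [row[0] for row in db.execute("""
        SELECT email FROM bindings GROUP BY email
        HAVING COUNT(DISTINCT fingerprint) > 1""")]


def fmt_time(t) -> str:
    return "-" if t is None else datetime.fromtimestamp(t, timezone.utc).isoformat()


if __name__ == "__main__":
    db = open_tofu()          # open_tofu("/home/me/.gnupg/tofu.db") for the real file
    load_sample(db)
    for r in binding_report(db):
        print(f"{r['fingerprint'][:16]} {r['email']:<20} {r['policy']:<8} "
              f"sigs={r['signatures']} first={fmt_time(r['first'])} "
              f"last={fmt_time(r['last'])} enc={r['encryptions']}")
    print("conflicts:", conflicting_emails(db))
```

Open the real file read-only as shown in open_tofu(); gpg writes to tofu.db itself and does not expect other writers.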
Re: A key doesn't get imported from one of the keyservers
* 2021-08-03 11:34:13+0300, Yuri Kanivetsky via Gnupg-users wrote:

> $ gpg --keyserver keys.openpgp.org --recv-keys
> 409B6B1796C275462A1703113804BB82D39DC0E3
> gpg: key 3804BB82D39DC0E3: no user ID
> gpg: Total number processed: 1
>
> Is something wrong with the key that resides on keys.openpgp.org? Are
> the keys that are on these 3 keyservers the same?

Server keys.openpgp.org is different from SKS keyservers. Read more about it here:

https://keys.openpgp.org/about

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
Re: Show that an encrypted message was signed, without decrypting it
* 2020-10-11 22:47:01+02, Neal H. Walfield wrote:

> On Sun, 11 Oct 2020 11:02:00 +0200,
> Teemu Likonen wrote:
>> It seems that there is a visible signature packet in encrypted and
>> signed messages. See the output of this command:
>>
>> echo message | gpg --encrypt --sign --default-recipient-self | \
>> gpg --list-packets
>
> The signature information is normally (that is, when doing sign then
> encrypt) completely encapsulated by the encryption container. What I
> think you are seeing is gpg caching something. If you replace 'gpg
> --list-packets' with 'pgpdump', then you probably won't see any
> signature information.

Thank you. I was surprised to see all the packets listed with "gpg --list-packets" but trusted its output. It seems that my "gpg --list-packets" command (see above) decrypts the message using the cached secret key and then shows all the packets. As you said, "pgpdump" doesn't show any signature information. There is just a public key encrypted session key packet and a symmetrically encrypted message packet.

--
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
Re: Show that an encrypted message was signed, without decrypting it
* 2020-10-11 02:40:28+02, Stefan Claas wrote:

> I was reading old GnuPG threads where people were asking if it's
> possible to extract a signature from an encrypted message.

It seems that there is a visible signature packet in encrypted and signed messages. See the output of this command:

    echo message | gpg --encrypt --sign --default-recipient-self | \
        gpg --list-packets

--
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
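The reply earlier on this page settles the question: `gpg --list-packets` had quietly decrypted the message with the cached secret key, while pgpdump, which cannot decrypt, sees only two packets. The added example below (mine, not from the thread and not GnuPG or pgpdump code) makes that difference visible in code. It implements only the packet framing of RFC 4880 section 4.2, old-format and new-format headers with every length encoding including partial body lengths, and never touches a key, so it reports exactly what an outside observer can learn. The two sample messages are constructed with placeholder bodies (a fake recipient key ID, a zero-filled MPI, zero "ciphertext"); they are not real gpg output, but their framing is.

```python
"""List the packets of an OpenPGP message without decrypting anything.

Added example, not from the thread. Only the packet framing of RFC 4880
section 4.2 is implemented (old and new format headers, all length forms),
so it sees what pgpdump sees from the outside: for a sign-then-encrypt
message that is a Public-Key Encrypted Session Key packet followed by an
opaque encrypted container. Sample messages are constructed with
placeholder bodies; they are not real gpg output.
"""
import struct

PACKET_NAMES = {
    1: "Public-Key Encrypted Session Key", 2: "Signature",
    3: "Symmetric-Key Encrypted Session Key", 4: "One-Pass Signature",
    8: "Compressed Data", 9: "Symmetrically Encrypted Data",
    11: "Literal Data", 18: "Sym. Encrypted Integrity Protected Data",
}


def _new_length(data: bytes, pos: int):
    """New-format length field -> (length, next_pos, is_partial)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True          # partial body length


def parse_packets(data: bytes):
    """Return [(tag, body), ...]; bodies are left uninterpreted."""
    packets, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header {hdr:#04x} at offset {pos}")
        pos += 1
        if hdr & 0x40:                                # new format
            tag, body = hdr & 0x3F, bytearray()
            while True:                               # partial chunks until a final length
                length, pos, partial = _new_length(data, pos)
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
            body = bytes(body)
        else:                                         # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                            # indeterminate: rest of the data
                body, pos = data[pos:], len(data)
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                body = data[pos + n:pos + n + length]
                pos += n + length
        packets.append((tag, body))
    return packets


def describe_pkesk(body: bytes):
    """PKESK body: version, recipient key ID, public-key algorithm number."""
    return body[0], body[1:9].hex().upper(), body[9]


def signature_visible(data: bytes) -> bool:
    """True if a Signature or One-Pass Signature packet is at the top level."""
    return any(tag in (2, 4) for tag, _ in parse_packets(data))


# --- helpers used only to construct the samples -----------------------------
def new_packet(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 192:
        ln = bytes([n])
    elif n < 8384:
        ln = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        ln = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + ln + body


def old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header, two-octet length (armored gpg messages start 'hQ' = 0x85)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


FAKE_KEYID = bytes.fromhex("0011223344556677")       # constructed, not a real key
PKESK = old_packet(1, b"\x03" + FAKE_KEYID + b"\x01" + (2048).to_bytes(2, "big") + bytes(256))
SEIPD = new_packet(18, b"\x01" + bytes(64))
SIGN_THEN_ENCRYPT = PKESK + SEIPD                    # shape of `gpg --encrypt --sign` output
# Signing an already encrypted message instead: the signature sits outside.
ENCRYPT_THEN_SIGN = (new_packet(4, bytes(13))
                     + new_packet(11, b"b\x00" + bytes(4) + SIGN_THEN_ENCRYPT)
                     + new_packet(2, bytes(20)))

if __name__ == "__main__":
    for tag, body in parse_packets(SIGN_THEN_ENCRYPT):
        print(f"tag {tag:2d} {PACKET_NAMES.get(tag, '?')} ({len(body)} bytes)")
    print("signature visible:", signature_visible(SIGN_THEN_ENCRYPT))
```

Run it on a real message with `gpg --encrypt --sign ... | python3 -c 'import sys, pkts; print(pkts.parse_packets(sys.stdin.buffer.read()))'` (binary, not armored output) and compare with `gpg --list-packets`: only the latter will show the signature, and only because it could decrypt.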
Re: keyoxide.org - new service for GnuPG users
* 2020-08-07 15:21:44+02, Stefan Claas wrote:

> just discovered this new service:
>
> https://keyoxide.org/

I think you should have written more content in your message: a description of the service and perhaps some own thoughts about it. Anyway.

Keyoxide uses OpenPGP keys' certificate notations to prove that a certain social media profile or web site belongs to the key's owner. That is interesting because there are no Keyoxide profiles at all. When opening a (pseudo) profile the service just searches for an OpenPGP key, checks if it has a certain type of notations (URL) and goes to find the following string from the URL:

    [Verifying my OpenPGP key: openpgp4fpr:FINGERPRINT]

"FINGERPRINT" is the OpenPGP key fingerprint. So the "profile" is managed entirely within the OpenPGP key and those external social media profiles.

--
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
Re: Verify PGP signed email on the command line
* 2020-07-19T03:18:35Z, JACOB EDWARDS WIESE wrote:

> Today I tried using GPG (2.2.21) to verify a pgp signed email
> that I sent to myself from the new ThunderBird 78.0. GPG said
> it did not recognize the format which seems to be multi-part mime.
> The command I used: gpg.exe --verify PGPtest-0.eml

The MIME must be decoded first but gpg doesn't do that. It is the email client's job to extract the MIME part that was signed and the signature itself. Those two are sent to "gpg --verify".

--
/// Teemu Likonen - .-.. http://www.iki.fi/tlikonen/
// OpenPGP: 4E1055DC84E9DFF613D78557719D69D324539450
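The split the reply describes is where most hand-rolled verifiers go wrong, so here is an added example of doing it by hand (my code, not from the thread and not Thunderbird's or GnuPG's). Per RFC 3156 the signed data is the first body part of the multipart/signed container exactly as transmitted, MIME headers included and with CRLF line endings, while the CRLF in front of the next boundary belongs to the boundary and is not signed; the second part carries the ASCII-armored signature. The script cuts those two pieces out of the raw bytes rather than re-serialising a parsed message, because re-folding a header would change the signed bytes. The .eml below is constructed, saved with Unix line endings as a client would, and carries a placeholder instead of a real signature, so the resulting files show the split but will not verify.

```python
"""Split a PGP/MIME (RFC 3156) message into the signed part and its signature.

Added example, not from the thread. gpg cannot do this step; the mail
client must hand it the exact bytes of the first body part (headers
included, CRLF line endings) and the armored signature from the second.
The sample message is constructed with a placeholder in place of a real
signature, so the output only demonstrates the split.
"""
import email
import re
from email import policy


def split_pgp_mime(raw: bytes):
    """Return (signed_bytes, signature_bytes) from a multipart/signed message."""
    if b"\r\n" not in raw:                          # saved on Unix: restore CRLF
        raw = raw.replace(b"\n", b"\r\n")
    msg = email.message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/signed"
            or msg.get_param("protocol") != "application/pgp-signature"):
        raise ValueError("not a PGP/MIME signed message")
    boundary = msg.get_boundary().encode()
    body = raw.split(b"\r\n\r\n", 1)[1]
    # RFC 2046: the CRLF *before* a boundary belongs to the boundary, so it is
    # not part of the signed data. Split on that CRLF plus "--boundary".
    segments = re.split(rb"(?:^|\r\n)--" + re.escape(boundary), body)
    if len(segments) < 4:
        raise ValueError("expected two body parts and a closing boundary")
    # segments[1] = rest of the delimiter line, CRLF, then the first body part
    signed = segments[1].split(b"\r\n", 1)[1]
    sig_part = email.message_from_bytes(segments[2].split(b"\r\n", 1)[1],
                                        policy=policy.default)
    if sig_part.get_content_type() != "application/pgp-signature":
        raise ValueError("second part is not an application/pgp-signature")
    return signed, sig_part.get_payload(decode=True)


def write_for_gpg(raw: bytes, data_path="body.txt", sig_path="body.sig") -> str:
    """Write both pieces and return the gpg command that verifies them."""
    signed, sig = split_pgp_mime(raw)
    with open(data_path, "wb") as f:
        f.write(signed)
    with open(sig_path, "wb") as f:
        f.write(sig)
    return f"gpg --verify {sig_path} {data_path}"


# Constructed sample, LF line endings as a Unix client would save it.
SAMPLE_EML = b"""\
From: Jacob <jacob@example.org>
To: jacob@example.org
Subject: PGPtest
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sigbound"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--sigbound
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hello, this is the signed body.
--sigbound
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----

placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
--sigbound--
"""

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(write_for_gpg(raw))
```

With a real message `python3 split.py PGPtest-0.eml` writes body.txt and body.sig and prints the `gpg --verify` line to run; the signed part keeps its own Content-Type and Content-Transfer-Encoding headers because those are inside the signature.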
Re: Bulk removal of expired keys
je...@seibercom.net [2020-02-24T07:44:10-05] wrote:

> Is there any similar program for use on a FreeBSD based OS? My primary
> goal is to remove all expired keys and refresh the remaining ones if
> necessary.

For the primary goal of removing expired keys:

    gpg --list-keys --with-colons | awk -F: '
        $1 == "pub" && $2 == "e" {expired = 1}
        $1 == "fpr" && expired == 1 {print $10; expired = 0}' | \
        xargs echo gpg --batch --yes --delete-keys

Remove the "echo" when you are sure.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: FAQ: seeking consensus
Robert J. Hansen [2019-10-17T15:18:07-04] wrote:

> 1. How should we handle the SKS keyserver attacks?
>
> One school of thought says "SKS is tremendously diminished as a
> resource, because using it can wedge older GnuPG installations and we
> can't make people upgrade. We should recommend people use other methods
> than SKS." If you think this is correct, please let me know what you
> think the alternate method should be.
>
> Another says, "with a recent GnuPG release SKS may be used productively
> and we should keep the current advice."
>
> Is there another solution I'm overlooking? Please don't think I'm
> limiting the discussion to just those two. If you've got a third way
> (or a fourth, or a fifth) I'd love to hear them.

I think the FAQ should briefly discuss the attack and weaknesses of SKS keyservers. The FAQ could then say that with GnuPG version the user is quite safe. Then mention that there is also an alternative, keys.openpgp.org, with different features.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: Future OpenPGP Support in Thunderbird
Philipp Klaus Krause [2019-10-08T15:34:28+02] wrote:

> It would be really nice, if Thunderbird could add an option to use the
> gpg key storage instead of its own, [...]

I agree with that even though I have never really used Thunderbird. But using a custom key storage and implementation (or do they use the Sequoia PGP library?) is an interesting choice in the world of Unix-like systems. It's pretty much the normal way elsewhere, though.

PGP and GnuPG and the related communities have tried really hard to build a system based on a person's long-term identity keys. All that web of trust thing relies on keys that are used for a relatively long time. But as we know this doesn't work for most people. People are really bad at maintaining long-term identity keys.

I think this is the most important reason why other software just auto-generates "device keys" or "application keys" and exchanges them. They just forget about the identity part and keys' usage in the long term. Change your phone or just reinstall the application and you'll have new keys. Keys come and go and it's perfectly normal.

Thunderbird seems to be going in that direction and it is probably a good thing. From the mindset of crypto nerds (like us) or the Unixy tool box this can be a barrier, obviously.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: Automatically delete old keys from servers
Daniel Bossert [2019-09-17T15:12:09+02] wrote:

> On the key servers are many old keys lying around which aren't valid
> anymore.
>
> Could you implement a function on the servers which delete keys after
> let's say one year automatically, reminding the user via email one
> month ahead to reupload the keys?

That is the very purpose of invalid (revoked, expired) keys in the server: tell people that the keys are invalid and not to be used. If the keys were removed from servers (which won't happen) it would be more difficult to share that important information.

A reminder email doesn't sound like a good idea: a key might be revoked or expired because the owner's email address is no longer valid. The server can't know if the user wants to update the key's expiration date or if the key is expired or revoked for good.

keys.openpgp.org is different from usual SKS keyservers so there might be different policies. My views in the above paragraphs are about SKS keyservers.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: allow-non-selfsigned-uid issue with key from keys.openpgp.org that contains no identity information
Daniel Kahn Gillmor via Gnupg-users [2019-08-01T09:27:45-04] wrote:

> Here's one use case (i've got others if you want):
>
> * You have my OpenPGP certificate (with userid with e-mail address),
>   but it is not published in full publicly because i do not want people
>   to be able to find anything related to my e-mail address online.
>
> * It has an encryption-capable subkey "X" that expires in 1 year, which
>   i use to be able to have deletable messages. I will destroy the
>   secret component when X expires.
>
> * As the year draws to a close, i create a new subkey "Y" and i attach
>   it to my OpenPGP certificate, and i push the updated certificate to
>   an abuse-resistant keystore (like keys.openpgp.org), again declining
>   to allow it to publish my e-mail address.
>
> * After the expiration of "X", you want to send me an encrypted mail
>   (as is your habit when mailing me). You follow best practices and
>   refresh your keyring (fetching certificate updates by primary key
>   fingerprint) from a public, abuse-resistant keystore. Does your
>   OpenPGP implementation learn about "Y" when it pulls in the update?
>   It should.

To me this sounds like a very relevant use case and adds one more feature to the general OpenPGP system. I hope future implementations support exporting and importing (merging) also partial key block data.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: revoke last valid user ID
i...@zeromail.org [2019-07-22T23:40:42+02] wrote:

> Thanks, that sounds possible. But I wonder, if there is a reason GnuPG
> won't let me revoke it directly - and if so, if that reasoning is
> strong enough to not even have a way to override it. Since I have keys
> with all user IDs revoked and I only ever used GnuPG, it seems I was
> able to do that once.

Maybe you have previously revoked the whole key. Such a key is shown with all its user IDs revoked.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: WKD auto-key-retrieve method
Stefan Claas via Gnupg-users [2019-07-14T14:17:55+03] wrote:

> Teemu Likonen wrote:
>> I think you should add "--sender email@address" option so that your
>> signatures have information for WKD auto-key-retrieve method (and
>> also for TOFU statistics).
> Thanks for the info, did not know this.

Now WKD lookup worked automatically when my mail client tried to verify your signature. It seems that you added --sender somewhere.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
WKD auto-key-retrieve method
Stefan Claas via Gnupg-users [2019-07-14T06:55:53+02] wrote:

> My key is available via WKD or Hagrid.

I think you should add the "--sender email@address" option so that your signatures have information for the WKD auto-key-retrieve method (and also for TOFU statistics). It is probably the mail user agent's job to add "--sender" but maybe it is also fine to have that in the gpg.conf file.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: wrong gpg-agent version running?
Matthias Herrmann via Gnupg-users [2019-07-11T16:49:29+02] wrote:

> I created the .d directory and only overwrote ExecStart and ExecReload
> as you suggested.

Just remembered that there is also dirmngr.service for which you probably want to do the same thing as for gpg-agent.service.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: wrong gpg-agent version running?
Michael Kesper [2019-07-11T17:15:19+02] wrote:

> I'd consider it a bug if updating a package does not trigger reloading
> all necessary services.

We have not been discussing a Debian package upgrade. This message thread is about an additional local installation (/usr/local) which is outside of Debian's package system.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: wrong gpg-agent version running?
Michael Kesper [2019-07-11T16:45:06+02] wrote:

> Did anyone open a bug with Debian (best with proposing a fix)?

What bug? We have not seen a bug in this message thread.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: wrong gpg-agent version running?
Matthias Herrmann [2019-07-11T16:16:29+02] wrote:

> I edited /usr/lib/systemd/user/gpg-agent.service directly and changed
> the ExecStart and ExecReload paths.

It is not a good idea to edit that file directly; it's not a configuration file. In systemd you should make your own changes in /etc/systemd/. I quote the systemd.unit man page:

    Example 2. Overriding vendor settings

    There are two methods of overriding vendor settings in unit files: copying the unit file from /lib/systemd/system to /etc/systemd/system and modifying the chosen settings. Alternatively, one can create a directory named unit.d/ within /etc/systemd/system and place a drop-in file name.conf there that only changes the specific settings one is interested in. Note that multiple such drop-in files are read if present, processed in lexicographic order of their filename.

    The advantage of the first method is that one easily overrides the complete unit, the vendor unit is not parsed at all anymore. It has the disadvantage that improvements to the unit file by the vendor are not automatically incorporated on updates.

    The advantage of the second method is that one only overrides the settings one specifically wants, where updates to the unit by the vendor automatically apply. This has the disadvantage that some future updates by the vendor might be incompatible with the local changes.

So in your case the first method (as described in the above quote) is to copy file /usr/lib/systemd/user/gpg-agent.service to /etc/systemd/user/gpg-agent.service and then edit the latter. The former is not used anymore because the /etc version overrides it completely.

The second method is to override only parts of it by creating a "drop-in" /etc/systemd/user/gpg-agent.service.d/my.conf and defining just the [Service] section and the settings one wants to override:

    [Service]
    ExecStart=
    ExecStart=/usr/local/bin/gpg-agent --supervised
    ExecReload=
    ExecReload=/usr/local/bin/gpgconf --reload gpg-agent

The empty ExecStart= and ExecReload= reset all possible previous settings.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: wrong gpg-agent version running?
Matthias Herrmann [2019-07-11T01:33:43+02] wrote:

> I've recently upgraded to Debian buster, and then upgraded gpg by
> downloading and installing the new version 2.2.17.
> Now, I get this warning:
>
>> gpg: WARNING: server 'gpg-agent' is older than us (2.2.12 < 2.2.17)
> I don't know why the "wrong" agent gets started, can you please help
> me?

I believe it's because there is a gpg-agent.socket unit which activates gpg-agent.service which has the path /usr/bin/gpg-agent. To override that create a unit "drop-in" file:

    # Filename:
    # ~/.config/systemd/user/gpg-agent.service.d/my.conf
    # or
    # /etc/systemd/user/gpg-agent.service.d/my.conf
    [Service]
    # The empty assignment clears the vendor value first; systemd refuses
    # a second ExecStart= line for a service that is not Type=oneshot.
    ExecStart=
    ExecStart=/usr/local/bin/gpg-agent --supervised
    ExecReload=
    ExecReload=/usr/local/bin/gpgconf --reload gpg-agent

Test if it's found with "systemctl --user cat gpg-agent.service". Maybe also "killall gpg-agent" if you have something left from your previous settings.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: How to delete flooded key
Patrick Brunschwig [2019-07-10T10:23:50+02] wrote:

> First users ask for support on getting rid of the keys flooded with
> signatures.

There is no need to get rid of the key itself, just the key signatures which are the "flood". The commands are --edit-key and then "clean" or "minimize". It is a good idea to also set that operation to guard the gate:

    keyserver-options import-clean

That and other protective settings are enabled by default in GnuPG 2.2.17.

"[Announce] GnuPG 2.2.17 released to mitigate attacks on keyservers"
https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062323.html

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: Testing WKD setup?
David Bürgin via Gnupg-users [2019-07-06T18:57:24+02] wrote:

> I have implemented WKD for my domain, but now I don't know an easy way
> of testing it … is there a service or similar where I can check if
> this email address is properly WKD-enabled?

I can't answer those questions but I got your key via WKD and with the key verified your email. So, this test was a success.

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
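For anyone who wants to test their own WKD setup without waiting for a list member to reply, and to see what the "--sender" option discussed in the two WKD messages above actually gives the verifying client to work with, here is an added example (mine, not from the thread and not GnuPG code). It computes the two URLs a WKD client derives from a mail address, following the OpenPGP Web Key Directory draft: the local part is lowercased, hashed with SHA-1 and z-base-32 encoded, then looked up via the "advanced" method (openpgpkey.DOMAIN/.well-known/openpgpkey/DOMAIN/hu/HASH?l=LOCAL) and, as a fallback, the "direct" method (DOMAIN/.well-known/openpgpkey/hu/HASH?l=LOCAL). The hashing and URL construction run offline; the fetch helper needs network access. The address "Joe.Doe@Example.ORG" in the usage is just an illustration.

```python
"""Compute where a WKD client looks for a key, to test your own setup.

Added example, not from the thread. It follows the OpenPGP Web Key
Directory draft: lowercase the local part, SHA-1 it, encode the digest in
z-base-32, and query the "advanced" method first, then the "direct" one.
Hashing and URL construction run offline; fetch_wkd_key() uses the network.
"""
import hashlib
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32: 5-bit groups taken from the most significant bit, no padding.

    A 20-byte SHA-1 digest is 160 bits, which is exactly 32 characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)   # right-pad with zero bits
    return "".join(ZBASE32[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """The two candidate URLs for an address; the l= parameter keeps the original case."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h, q = wkd_hash(local), "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
    }


def fetch_wkd_key(address: str, timeout: float = 10.0):
    """Try the advanced then the direct method; return (method, binary key) or None.

    Needs network access; not exercised offline. The response must be a
    binary (not armored) OpenPGP key, which is what WKD servers serve."""
    for method, url in wkd_urls(address).items():
        try:
            with urllib.request.urlopen(url, timeout=timeout,
                                        context=ssl.create_default_context()) as r:
                if r.status == 200:
                    return method, r.read()
        except (urllib.error.URLError, OSError):
            continue
    return None


if __name__ == "__main__":
    import sys
    addr = sys.argv[1] if len(sys.argv) > 1 else "Joe.Doe@Example.ORG"
    for method, url in wkd_urls(addr).items():
        print(f"{method:8s} {url}")
    found = fetch_wkd_key(addr)
    if found:
        method, key = found
        sys.stdout.write(f"got {len(key)} bytes via {method}; check it with: gpg --show-keys\n")
        with open("wkd-key.bin", "wb") as f:
            f.write(key)
    else:
        print("no key found via WKD")
```

If the fetch succeeds, `gpg --show-keys wkd-key.bin` should list a user ID matching the address you asked for; the client side of this is what `gpg --auto-key-locate wkd --locate-keys ADDRESS` does, and a signature made with `--sender` carries the address so the verifier knows which lookup to perform.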
Re: SKS and GnuPG related issues and possible workarounds
Konstantin Boyandin via Gnupg-users [2019-07-05T20:45:59-04:00] wrote:

> ATM, none of systems I use GnuPG in has been hit with the signature
> flood disaster. If I might miss that point - is it possible to get,
> somehow, the list of flooded keys IDs (if anyone keeps the stats)?

I don't maintain a list and such a list can always be outdated anyway. A better option is to set protective settings right now in the gpg.conf file.

    keyserver-options import-clean
    # maybe also:
    import-options import-clean

With option "import-clean" key import operations accept only key signatures from already known keys. With poisoned keys the import operation can take time but at least your local keyring is protected from importing them.

The gpg(1) manual page for version 2.1.18 (Debian) is misleading, though.

    import-clean
        After import, compact (remove all signatures except the self-signature) any user IDs from the new key that are not usable. Then, remove any signatures from the new key that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" after import. Defaults to no.

It says "After import" but according to Werner Koch[1] it actually strips unknown key signatures _before_ importing them to the local keyring. The manual also says that "This option is the same as running the --edit-key command 'clean' after import." This is also wrong or misleading because it may lead the user to think that in import operations first all keys and key signatures are imported to the local keyring and then they are cleaned.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062239.html

--
/// OpenPGP key: 4E1055DC84E9DFF613D78557719D69D324539450
// https://keys.openpgp.org/search?q=tliko...@iki.fi
/ https://keybase.io/tlikonen https://github.com/tlikonen
Re: keyserver-options: self-sigs-only, import-clean, import-minimal
Steffen Nurpmeso [2019-07-03 17:08:32+02:00] wrote:

> My question: is there any better way than a shell script over
> --list-keys --with-colon | grep ^pub | ...etc... to "minimize" keys in
> my keyring (with gpg1)?

It seems that there is no better way than scripting it. My "--edit-key
+ clean" script is below. It can be changed to "minimize".

    #!/bin/sh
    # Print "FINGERPRINT clean save" for every primary key (the first
    # fpr record after each pub record) and hand those three words to
    # --edit-key, one key at a time.
    gpg --batch --with-colons --list-keys | awk -F: '
    $1 == "pub" {pub = 1}
    pub == 1 && $1 == "fpr" {printf "%s clean save\n", $10; pub = 0}' | \
    xargs -n3 -- gpg --batch --no-auto-check-trustdb --edit-key
Re: keyserver-options: self-sigs-only, import-clean, import-minimal
Werner Koch [2019-07-03 12:04:55+02:00] wrote:

> On Wed, 3 Jul 2019 10:38, tliko...@iki.fi said:
>> I think everyone would prefer that import-clean would do all the
>> checking and cleaning before importing certificates to the local
>> keyring. The same thing with import-minimal.
>
> It does this. However for 150k signatures it even takes quite some
> time to check whether the key does not exist locally so that the
> signature won't be imported.

Good. So in principle it works well. Thank you.

I downloaded (--receive-key) a poisoned key into an empty keyring using
two different keyserver-options. The duration was practically the same.

    import-clean:   1 min 28 s
    import-minimal: 1 min 25 s

I would expect import-minimal to be much faster, or actually both quite
fast as my test keyring was empty on both tries. Anyway, it works and
those options seem to protect the keyring from getting poisonous
certificates. There is the DOS aspect of course as it takes quite long.

The same --receive-key without any keyserver-options hits gpg's limits
at 26 seconds:

    gpg: key [...]: 4 duplicate signatures removed
    gpg: key [...]: 54614 signatures not checked due to missing keys
    gpg: key [...]: 4 signatures reordered
    gpg: error writing keyring '[...]/pubring.kbx': Provided object is too large
    gpg: key [...]: public key "[User ID not found]" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg:           not imported: 1
Re: keyserver-options: self-sigs-only, import-clean, import-minimal
Werner Koch via Gnupg-users [2019-07-03 08:57:55+02:00] wrote:

> On Tue, 2 Jul 2019 11:00, d...@fifthhorseman.net said:
>> But "clean-then-import" is clearly a preferable approach to any of the
>> workarounds described so far.
>
> --import-options import-clean does exactly this.

Daniel basically said that "first clean then import [to local keyring]"
and you confirmed that import-clean does exactly this. But then...

> import-clean does this:
>
>     After import, compact (remove all signatures except the
>     self-signature)

...here you and the manual say that "first import [to local keyring]
then clean". So there are conflicting messages. Which of the two
happens?

I think everyone would prefer that import-clean would do all the
checking and cleaning before importing certificates to the local
keyring. The same thing with import-minimal.

-- 
/// Teemu Likonen <https://keybase.io/tlikonen> //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///
keyserver-options: self-sigs-only, import-clean, import-minimal
Werner Koch [2019-07-01 18:26:20+02:00] wrote:

> As stop-gap solution the next gpg release sports a --keyserver-options
> self-sigs-only to allow importing of spammed keys.

Why not make "import-clean" and "import-minimal" strip key signatures
before importing a key? That would make "import-minimal" behave like
this new "self-sigs-only" and there would be no need for yet another
option. Who needs both "import-minimal" and "self-sigs-only"?

My opinion: make "keyserver-options import-clean" the default and make
it internally never import any unknown signatures.

-- 
/// Teemu Likonen <https://github.com/tlikonen> //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///
Re: New keyserver at keys.openpgp.org - what's your take?
Wiktor Kwapisiewicz [2019-06-14 11:59:16+02] wrote:

> Storing endless amounts of data without any kind of verification was a
> bad idea. Maybe SKS was designed in good old times when no-one would
> try to take advantage of it but in 2019 validating e-mail address is
> bare minimum a service such as this should do.
>
> The current shortcoming is stripping third-party signatures. So Web of
> Trust wouldn't work (for good reasons described in the FAQ [0]). For
> some people this may be surprising.

It may turn out to be a good choice to leave other people's
certificates (third-party signatures) out. It seems to solve the
storage abuse problem and probably doesn't harm too much the
communities who need web of trust. Generally web of trust works only in
tight communities who can really verify each other's keys. Such
communities can easily distribute their keys through their web site or
other common resources.

For a larger audience it's probably enough to have an easy and
automatic key discovery and key update service, such as this
keys.openpgp.org seems to be. I think.

-- 
/// Teemu Likonen <https://github.com/tlikonen> //
// PGP: 4E1055DC84E9DFF613D78557719D69D324539450 ///
Re: New keyserver at keys.openpgp.org - what's your take?
Oscar Carlsson via Gnupg-users [2019-06-14 10:12:51+02] wrote:

> I'm generally curious on your opinions on the latest new keyserver,
> this time running a new software than the normal keyservers.
>
> They seem to have a different model which minimize the amount of
> information available, to be compliant with GDPR and friends. Do you
> think there are any downsides to this?

You should have added a link to information about this "latest new
keyserver" and its "different model" which you are referring to. Well,
here:

    https://keys.openpgp.org/about/news#2019-06-12-launch

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Default trust-model TOFU
Werner Koch [2019-03-08 09:15:43+01] wrote:

> If you plan to take part in that nerdy key signing game, [...]

Maybe you refer only to key signing parties as nerdy things but I think
the whole social web of trust concept is very nerdy. It's useless for
most people and I'd say that TOFU model would be a better default. Do
you have plans for that, to set the default trust model to "tofu" or
"tofu+pgp"?

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Two utilities: gpg-tofu and gpg-graph
Teemu Likonen [2019-02-17 08:23:38+02] wrote:

> I have made two utilities to help my usage of gpg. [...]
> gpg-tofu
> gpg-graph

I moved these utilities to a new combined repository:

    https://github.com/tlikonen/gpg-utilities

There is also a new tool gpg-cert-path which finds the shortest
certification distance between two keys.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Two utilities: gpg-tofu and gpg-graph
Hello!

I have made two utilities to help my usage of gpg. I think the
functionality of one of them should be part of gpg.

gpg-tofu - https://github.com/tlikonen/gpg-tofu

This program parses "gpg --batch --no-tty --with-tofu-info --with-colons
--list-keys -- [...]" output and displays human readable TOFU
statistics. An example:

    $ gpg-tofu tliko...@iki.fi
    4E1055DC84E9DFF613D78557719D69D324539450
      [ultimate] Teemu Likonen
        TOFU validity: (4/4) a lot of history for trust, TOFU policy: good
        428 signatures in 1 year 252 days, first: 2017-06-09 11:28:16, last: 2019-02-16 19:36:03
        404 encryptions in 1 year 244 days, first: 2017-06-15 14:41:30, last: 2019-02-14 19:25:41
    [...]

In my opinion "gpg --with-tofu-info --list-keys" etc. (without
--with-colons) should display similar human readable TOFU info. Please
make my tool obsolete. :-)

gpg-graph - https://github.com/tlikonen/gpg-graph

This program parses "gpg --batch --no-tty --with-colons
--check-signatures -- [...]" and prints graph data for Graphviz for
drawing nice web of trust graphs.

    $ gpg-graph [key1 ...] | dot -Tpng >wot-dot.png
    $ gpg-graph [key1 ...] | neato -Tpng >wot-neato.png
    $ gpg-graph [key1 ...] | sfdp -Tpng >wot-sfdp.png

I have seen one similar tool before (packaged in Debian) but it was
broken by design because it tries to parse the human readable output of
"gpg --check-signatures". It didn't work with the default --list-options
of gpg 2.1. Obviously it should parse machine readable --with-colons
output which my version does.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Keysigning party: after the event challenges
André Ockers [2019-02-09 09:06:43+01] wrote:

> $ gpg --fingerprint <599C62A291810408>
> bash: syntax error near unexpected symbol 'newline'

Your Bash shell uses characters "<" and ">" for input and output
redirection. Remove those characters:

    gpg --fingerprint 599C62A291810408

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Key storage
justina colmena via Gnupg-users [2018-12-31 12:06:39-09] wrote:

> And now the *secret* keys are going in "~/.gnupg/pubring.gpg" with the
> false implication by its name that the file contains only public keys
> which need not be so carefully guarded against disclosure.

Secret keys are in the directory ~/.gnupg/private-keys-v1.d and each
master key and subkey is in a separate file named by the key's keygrip
(see "gpg -K --with-keygrip").

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Utilizing facts of homedir organization
Andrew Gallagher [2018-11-10 01:18:30Z] wrote:

> I’ve found parcimonie to be useful.
>
> https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/

I found Parcimonie too bloated and complicated. I don't think it is a
good idea to use a daemon for this purpose. So, like probably many
others, I wrote a Bash script that refreshes just one random key and
remembers it. Next time it refreshes again a random key from what is
left. After all keys have been refreshed it starts the round again. I
run the script through systemd's user timer.

The script gpg-refresh, as I call it, is small so I will attach it to
this message. Hopefully it will come through. It is written completely
by me and I place it in the public domain so anybody is free to do
anything they wish with it.

    #!/bin/bash

    # Author: Teemu Likonen
    # PGP: 4E1055DC84E9DFF613D78557719D69D324539450
    # This program is placed in the public domain.

    # Re-exec under flock(1) so that only one instance runs at a time.
    [ "$FLOCKER" != "$0" ] && exec env FLOCKER="$0" flock "$0" "$0" "$@"

    program=$(basename -- "$0")
    gpg_dir=${GNUPGHOME:-$HOME/.gnupg}

    if [[ ! -d $gpg_dir ]]; then
        echo "The gpg directory $gpg_dir does not exist."
        exit 1
    fi

    umask 077

    # The job file holds "start=<epoch>" on its first line, then an empty
    # line, then one fingerprint per line for keys refreshed this round.
    reset_jobfile() {
        date +start=%s >"$jobfile"
        printf '\n' >>"$jobfile"
    }

    jobfile=$gpg_dir/gpg-refresh-job
    [[ -e $jobfile ]] || reset_jobfile

    # Primary key fingerprints of all public keys in the keyring.
    all_keys=( $(gpg --batch --list-keys --with-colons | awk -F: '
    $1 == "pub" {pub = 1}
    pub == 1 && $1 == "fpr" {print $10; pub = 0}
    ') )

    if (( ${#all_keys[@]} == 0 )); then
        echo "No keys found in the keyring."
        exit 0
    fi

    # Keys already refreshed in this round: everything after the empty line.
    refreshed_keys=( $(sed -e '0,/^$/d' "$jobfile") )

    keys=(); i=0
    for key in "${all_keys[@]}"; do
        for refreshed in "${refreshed_keys[@]}"; do
            [[ "$key" == "$refreshed" ]] && continue 2
        done
        keys[i++]=$key
    done

    if (( ${#keys[@]} == 0 )); then
        echo "All keys refreshed. Starting the round again."
        reset_jobfile
        keys=( "${all_keys[@]}" )
    fi

    keys_left=${#keys[@]}
    status_file=$(mktemp /tmp/"$program".XXXXXX) || exit 1

    # Pick one key at random from those not yet refreshed this round.
    n=$(shuf --head-count=1 --input-range=0-$(( ${#keys[@]} - 1 )))
    key=${keys[n]}
    echo "Refreshing key $key"
    gpg --batch --status-file "$status_file" --refresh-keys -- "$key"

    import_ok=
    next_key=
    print_status_file=
    reset_dirmngr=

    # Read gpg's status lines to decide whether this key counts as done
    # and whether dirmngr is in a state that needs a restart.
    while read -r line; do
        line=${line#'[GNUPG:] '}
        case "$line" in
            IMPORT_OK*)
                next_key=1
                import_ok=1
                ;;
            WARNING*)
                next_key=1
                print_status_file=1
                ;;
            FAILURE*)
                # "FAILURE <location> <error code>": keep the numeric code
                line=${line#*' '*' '}
                line=${line%_*}
                case "$line" in
                    # No data
                    167772218) next_key=1 ;;
                    # Server indicated a failure
                    219) reset_dirmngr=1 ;;
                    # No keyserver available
                    167772346) reset_dirmngr=1 ;;
                    # Connection closed in DNS
                    167772876) reset_dirmngr=1 ;;
                    # No dirmngr
                    # 33554524
                esac
                ;;
            KEYEXPIRED*)
                next_key=1
                ;;
        esac
    done <"$status_file"

    if (( next_key )); then
        printf '%s\n' "$key" >>"$jobfile"
        keys_left=$(( keys_left - 1 ))
    fi

    if (( ! import_ok || print_status_file )); then
        cat -- "$status_file"
    fi

    if (( reset_dirmngr )); then
        echo "Killing dirmngr; it will be restarted next time."
        gpgconf --kill dirmngr
    fi

    rm -f -- "$status_file"

    # The round's start time is on the first line of the job file.
    start=$(sed -En -e '0,/^$/s/^start=(.+)$/\1/p' "$jobfile")
    days=$(( ( $(date +%s) - start ) / 3600 / 24 ))
    printf "Keys total: %d, left: %d (started %d days ago)\n" \
           "${#all_keys[@]}" "$keys_left" "$days"

    exit 0

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Practical use of gpgsm for verifying emails
Jens Lechtenboerger [2018-04-30 08:19:39+02] wrote:

> You don’t. You should not trust them if you don’t know anything about
> them.
> Personally, I try to verify CAs’ fingerprints. Afterwards, I express
> my “trust” in other people’s choices of CAs when verifying their
> signatures (so, pretend “Yes” when asked about trust) but prefer
> OpenPGP over S/MIME whenever possible.

As I requested a practical discussion I thought that there is some sort
of "practical trust" when verifying S/MIME messages like there usually
is for the web. For example I can point my web browser to my bank's web
site or your blog at fsfe.org and there is a friendly green lock symbol
in the browser. We normal people think that "this web site is safe"
without checking any fingerprints. Some people even know that the
browser automatically trusts certain authorities to make valid
certificates so that it's really my bank or fsfe.org. Somebody chose
that trust for us because we normal people can't judge.

So I thought that gpgsm would be the same: some root CAs would be
automatically valid and trusted to certify others and gpgsm would just
work like web browsers. I guess not. It forces me to judge and since I
can't judge CAs gpgsm is probably quite useless.

I'm not complaining about gpgsm. It's just that for a moment I thought
it would be like web browsers but for email. OpenPGP is probably better
for email because it's easier to track and judge individuals separately
with TOFU or web of trust model and assign ownertrust.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Practical use of gpgsm for verifying emails
I read email with Gnus (Emacs) and from time to time someone has signed
his mail with the S/MIME (X.509) system. My Gnus tries to verify
signatures automatically and it works nicely with PGP/MIME but S/MIME is
more difficult.

When verifying an S/MIME message gpgsm (I think) asks whether I
ultimately trust some certificate authority to certify others and then
asks me to verify that a displayed fingerprint belongs to the authority.
How do I know? (So far I have pressed the "Cancel" button.) I went to
the certificate authority's web page but couldn't find fingerprints.

That's not how the CA system usually works anyway. Usually we are not
supposed to go searching the internet. Usually some experts have taught
web browsers or operating systems to automatically trust certain
authorities. So signature verification is transparent.

Any suggestions or information for practically managing S/MIME messages?

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: GPG is not working because of gpg.conf
Werner Koch [2018-03-05 13:24:28+01] wrote:

> gpg searches for its configuration file in this order (I use 1.4.23 as
> example):
>
>   gpg.conf-1.4.23
>   gpg.conf-1.4
>   gpg.conf-1
>   gpg.conf

That feature is not documented in 2.1.18 but it seems to work. (I tried
"gpg.conf-2.1".)

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: GPG is not working because of gpg.conf
Werner Koch [2018-03-06 09:53:01+01] wrote:

> Note that there is another compatibility feature which can be used to
> ignore errors due to new options. For example:
>
>   ignore-invalid-option foo bar
>   verbose
>   foo
>
> This feature is available since 1.4.13 and 2.0.20 .

The feature is not documented in 2.1.18. Is it documented in newer
versions?

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Why Operating Systems don't always upgrade GnuPG
Daniel Kahn Gillmor [2018-02-20 21:35:12-08] wrote:

> Anyway, here's one concrete example (hinted at above) of a
> programmatic gap that is much easier to achieve by mucking around with
> the internal state rather than by the programmatic interface:
>
>  * I want to introduce a new signing-capable subkey, and i want to
>    distribute it widely, but i don't want to start signing with it just
>    yet.

It seems to me that there is an easy gpg.conf solution:

    default-key FINGERPRINT!

See the ! character which forces exactly that (sub)key for signing. Use
that option to select your old signing (sub)key.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Keys clean of all signatures except those made by others I trust
FuzzyDrawrings via Gnupg-users [2018-01-23 02:41:45-05] wrote:

> Say I import Bob's key with "--recv-key" from some keyserver. Bob's
> public key has been signed by a lot of non-serious User ID's and spam.
> However Bob's key may have been signed by Alice (whose public-key I
> have in my keyring).
>
> I would like to clean the key of the spam signatures while preserving
> any signatures made by Alice (or anyone else I have trusted on my
> keyring). Does there exist a command/option to accomplish this in
> gpg2?

For one key: "--edit-key" and "clean".

To make it automatic for all import operations you can use options in
gpg.conf file:

    import-options import-clean
    keyserver-options import-clean

I like clean export too, so:

    import-options import-clean
    export-options export-clean
    keyserver-options import-clean,export-clean

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: key distribution/verification/update mechanisms other than keyservers
Werner Koch [2018-01-17 09:58:21+01] wrote:

>>> (c) rejected all third-party certifications -- so data attached to
>>> a given primary key is only accepted when certified by that primary
>>> key.
>
> This can help to avoid DoS attacks. I would love to see that to get my
> key down to a reasonable size.

Not quite related but... I tend to think that on the client side it
would be a good idea to "clean" by default. (I like to do that.)

    keyserver-options import-clean,export-clean

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Import keys from .gnupg folder
Michael Singh [2018-01-05 22:39:42-08] wrote:

> I was a bit ignorant to the nuances of importing/exporting GPG keys, and
> as a result I simply copied the .gnupg folder from my home directory and
> wiped my hard drive. Is it possible to import these keys on another
> installation from this folder? The public key is on a public key-server,
> and I have the private keys in the folder.
>
> The version of GPG on RHEL7.4 is 2.0.22, while Arch happens to be on
> 2.2.4-1. Would this be problematic?

Gpg 2.0 uses the secring.gpg file for its secret keyring. Gpg 2.1 uses
the private-keys-v1.d directory for the secret keyring but 2.1
automatically converts the old secring.gpg to the new format.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
TOFU's encryption counter is not updated (a bug?)
I have sent several encrypted emails to a friend and I'm using Gnus as
my email program. I'm using "trust-model tofu" but it seems that TOFU's
encryption counter is not incremented for the recipient's key. I queried
the TOFU info with a command like this:

    gpg --list-keys --with-tofu-info --with-colons KEY | \
        awk -F: '$1 == "tfs" {print $5}'

To me this looks very much like a bug. I'm using GnuPG 2.1.18-8~deb9u1
(Debian 9).

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: auto-key-retrieve usefulness/annoyance
Teemu Likonen [2017-10-05 20:17:51+03] wrote:

> Werner Koch [2017-10-05 09:00:18+02] wrote:
>> I have exactly the same problem but I do it anyway - there is not
>> much we can do about it. The default timeout for such lookups are 2
>> seconds. You can lower this to one second using
>>
>>   connect-quick-timeout 1
>>
>> in dirmngr.conf.
>
> Thanks. That helps noticeably. And yes, I use auto-key-retrieve
> anyway. It's a nice feature. I have sometimes persuaded people to
> upload their key to the server pool.

Unfortunately "--refresh-key" doesn't work well with
"connect-quick-timeout 1" anymore, at least not through the Tor
network. It seems that the timeout is too short. I'm back to the
default settings and the long delays when the key is not on servers.
Re: auto-key-retrieve usefulness/annoyance
Werner Koch [2017-10-05 09:00:18+02] wrote:

> I have exactly the same problem but I do it anyway - there is not much
> we can do about it. The default timeout for such lookups are 2 seconds.
> You can lower this to one second using
>
>   connect-quick-timeout 1
>
> in dirmngr.conf.

Thanks. That helps noticeably. And yes, I use auto-key-retrieve anyway.
It's a nice feature. I have sometimes persuaded people to upload their
key to the server pool.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
auto-key-retrieve usefulness/annoyance
A three-part recipe for small annoyance:

1. "auto-key-retrieve" in gpg.conf
2. Automatic signature verification in email client.
3. The email I'm about to read was signed by a key that's not on
   keyservers.

The result: There's a delay of several seconds every time I open the
message and in the end my email client (Gnus) says:

    [[PGP Signed Part:No public key for B47D162E09E21476 created at
    2017-10-04T11:13:25+0300 using RSA]]

:-)

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: TOFU db corruption detected
MFPA [2017-08-05 15:56:02+01] wrote:

> How do I "rebuild" the TOFU database to get rid of the corruption?

Before the developers give you more educated answers I'll point out that
the tofu database is a regular Sqlite database file. So you can do:

    $ sqlite3 ~/.gnupg/tofu.db

and then execute any SQL commands. An interesting SQL command could be
"vacuum" which, in Sqlite, basically dumps the database as SQL text
commands, then deletes the database and finally reads the SQL dump
again. If you want to try that, make a copy of your tofu.db file first.
Then start Sqlite like the example line above and:

    sqlite> vacuum;

https://www.sqlite.org/lang_vacuum.html

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Are TOFU statistics used for validity or conflict resolution?
Neal H. Walfield [2017-06-23 11:14:31+02] wrote:

> At Thu, 22 Jun 2017 20:32:48 +0300, Teemu Likonen wrote:
>> Then let's say I have a key which has been used to verify hundred or
>> so signatures. In --status-fd's TOFU_STATS it gets higher
>> value, say 4. Then the keyring gets a new key with conflicting email
>> address. Does gpg again set both keys (user ids) to tofu's "ask" mode
>> or does this higher number of good verifications automatically keep
>> the first key in "auto" mode and only the new key is set to "ask"
>> mode?
>
> No, both keys are set to ask. The key with a lot of observed
> signatures could be bad. This could occur, if there is a MitM, but the
> MitM has a small lapse, because, perhaps, you've used an unintercepted
> network path to retrieve the "new" signature & key.

Thanks. So here's how my thinking has been as a tofu newbie.

1. I assumed that the first key with a particular email address would
   be automatically valid forever. Only new keys would go to "ask" mode
   on conflicts. That was my interpretation of "trust on first use".
   Well, I was wrong.

2. New hypothesis: There needs to be enough history on verifying or
   encryption before the key is assumed automatically valid on
   conflicts. Then only new keys would go to "ask" mode on conflicts.
   I was wrong again.

I don't know whether my thinking is common but perhaps it would be
helpful if gpg's man page made clear that in a conflict situation both
keys go to "ask" mode. A quote from my gpg 2.1.18 manual:

    --trust-model pgp|classic|tofu|tofu+pgp|direct|always|auto
    [...]
        tofu
            TOFU stands for Trust On First Use. In this trust model,
            the first time a key is seen, it is memorized. If later
            another key is seen with a user id with the same email
            address, a warning is displayed indicating that there is a
            conflict and that the key might be a forgery and an attempt
            at a man-in-the-middle attack.

From that part I got the idea of getting a warning only from new
conflicting keys. The first one would be trusted. The man page doesn't
say so but it was my interpretation.
Re: Are TOFU statistics used for validity or conflict resolution?
Teemu Likonen [2017-06-22 09:42:50+03] wrote:

> Does the SUMMARY field's value (0-4) have effect on how key's validity
> is calculated or how TOFU conflicts are resolved or presented to a
> user?

I didn't get answers yet but I'll speculate a bit on the subject. This
is all about "trust-model tofu", assuming that I have _not_ set
"--tofu-policy" manually.

Let's say that I have a key which has been used to verify a couple of
signatures. Then there comes another key with a conflicting email
address. It seems that tofu goes to "ask" mode for _both_ keys (user
ids). The user needs to decide and set the tofu policy for both.

Then let's say I have a key which has been used to verify a hundred or
so signatures. In --status-fd's TOFU_STATS it gets a higher value, say
4. Then the keyring gets a new key with a conflicting email address.
Does gpg again set both keys (user ids) to tofu's "ask" mode or does
this higher number of good verifications automatically keep the first
key in "auto" mode and only the new key is set to "ask" mode?

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Key corruption: duplicate signatures and usage flags
Justus Winter [2017-06-21 15:10:52+02] wrote:

> martin f krafft <madd...@madduck.net> writes:
>> x-hkp://pool.sks-keyservers.net
>
> Here ^ is the keyserver url.
>
>> gpg> save
>> Preferred keyserver: Preferred keyserver: Preferred keyserver: Preferred
>> keyserver: Preferred keyserver: Preferred keyserver: Preferred keyserver: %
>
> And these are the labels for these urls. This was a cosmetic problem
> that I just fixed.

There is a similar cosmetic problem with --update-trustdb:

    [...]
    No trust value assigned to:
    pub   rsa4096 -XX-XX [SC]
    [...]
         Primary key fingerprint: [...]

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      s = skip this key
      q = quit

      Your decision? 4
    gpg: depth: 4  valid:  17  signed:  13  trust: 0-, 0q, 0n, 3m, 14f, 0u
    gpg: next trustdb check due at 2017-09-09

And when the whole session is over gpg prints fingerprints of _all_ keys
that got their ownertrust updated.

-- 
/// Teemu Likonen - .-.. <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Are TOFU statistics used for validity or conflict resolution?
Are TOFU statistics used for a key's validity calculations or for TOFU conflict resolution?

Some background: The TOFU system keeps statistics about a key's use. I'll quote some lines from the DETAILS document. About --with-colons --with-tofu-info --list-keys:

    *** TFS - TOFU statistics

        This field may follow a UID record to convey information about
        the TOFU database. The information is similar to a TOFU_STATS
        status line.

        - Field 2 :: tfs record version (must be 1)
        - Field 3 :: validity - A number with validity code.
        - Field 4 :: signcount - The number of signatures seen.
        - Field 5 :: encrcount - The number of encryptions done.
        - Field 6 :: policy - A string with the policy
        - Field 7 :: signature-first-seen - a timestamp or 0 if not known.
        - Field 8 :: signature-most-recent-seen - a timestamp or 0 if not known.
        - Field 9 :: encryption-first-done - a timestamp or 0 if not known.
        - Field 10 :: encryption-most-recent-done - a timestamp or 0 if not known.

About --status-fd output's TOFU_STATS:

    *** TOFU_STATS <summary> <sign-count> <encryption-count> [<policy> [<tm1> <tm2> <tm3> <tm4>]]

        Statistics for the current user id. These are the usual space
        delimited arguments. Here we have too many of them to fit on
        one printed line and thus they are given on 3 printed lines:
        : <summary> <sign-count> <encryption-count>
        : [<policy>
        : [<tm1> <tm2> <tm3> <tm4>]]

        Values for SUMMARY are:
        - 0 :: attention, an interaction with the user is required (conflict)
        - 1 :: key with no verification/encryption history
        - 2 :: key with little history
        - 3 :: key with enough history for basic trust
        - 4 :: key with a lot of history

It _seems_ to me that

    - Field 3 :: validity - A number with validity code.

is the same thing as SUMMARY in TOFU_STATS. Am I right?

And here's my question again: Does the SUMMARY field's value (0-4) have an effect on how a key's validity is calculated or how TOFU conflicts are resolved or presented to a user?

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
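The two posts above (the question about the TFS record and the follow-up about two keys claiming the same address) are easiest to reason about with the colon output in hand. The following is an added example, not code from the thread or from GnuPG: it parses `gpg --with-colons --with-tofu-info --list-keys` output into keys, user ids and their TFS statistics, using the field positions from the DETAILS excerpt quoted above (field 1 is the record type, so the document's "Field 3" is index 2 after splitting on ':'), and then reports the two things a practitioner wants to know: which addresses are bound to more than one key, and which bindings TOFU has put into "ask"/conflict state. The `SAMPLE` output, the fingerprints, names and timestamps in it are constructed for the example.

```python
"""Parse `gpg --with-colons --with-tofu-info --list-keys` output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Meaning of the validity/SUMMARY code, as listed in DETAILS for TOFU_STATS.
SUMMARY_MEANING = {
    0: "attention, an interaction with the user is required (conflict)",
    1: "key with no verification/encryption history",
    2: "key with little history",
    3: "key with enough history for basic trust",
    4: "key with a lot of history",
}


@dataclass
class TofuStats:
    validity: int        # Field 3: same code as SUMMARY in TOFU_STATS
    signcount: int       # Field 4
    encrcount: int       # Field 5
    policy: str          # Field 6: auto / good / unknown / bad / ask
    sig_first_seen: int  # Field 7 (0 if not known)
    sig_last_seen: int   # Field 8
    enc_first_done: int  # Field 9
    enc_last_done: int   # Field 10

    def summary(self) -> str:
        return SUMMARY_MEANING.get(self.validity, "unknown validity code")


@dataclass
class UserId:
    uid: str
    validity: str                    # uid record field 2 (-, q, n, m, f, u, ...)
    tofu: Optional[TofuStats] = None


@dataclass
class Key:
    fingerprint: str = ""
    uids: List[UserId] = field(default_factory=list)


def unescape(value: str) -> str:
    """Colon-format strings escape ':' and other specials as \\xHH."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_colons(text: str) -> List[Key]:
    keys: List[Key] = []
    cur: Optional[Key] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sec"):
            cur = Key()
            keys.append(cur)
        elif rec == "fpr" and cur is not None and not cur.fingerprint:
            cur.fingerprint = f[9]          # first fpr after pub is the primary key
        elif rec == "uid" and cur is not None:
            cur.uids.append(UserId(uid=unescape(f[9]), validity=f[1]))
        elif rec == "tfs" and cur is not None and cur.uids:
            if f[1] != "1":
                raise ValueError(f"unsupported tfs record version {f[1]!r}")
            cur.uids[-1].tofu = TofuStats(
                validity=int(f[2]), signcount=int(f[3]), encrcount=int(f[4]),
                policy=f[5], sig_first_seen=int(f[6]), sig_last_seen=int(f[7]),
                enc_first_done=int(f[8]), enc_last_done=int(f[9]))
    return keys


def mailbox(uid: str) -> Optional[str]:
    """The normalised email address TOFU binds a key to (None if the uid has none)."""
    m = re.search(r"<([^>]+)>", uid)
    addr = m.group(1) if m else (uid if "@" in uid else None)
    return addr.strip().lower() if addr else None


def conflicting_addresses(keys: List[Key]) -> Dict[str, List[str]]:
    """Addresses bound to more than one key: the situation that puts TOFU in 'ask' mode."""
    by_addr: Dict[str, List[str]] = {}
    for k in keys:
        for u in k.uids:
            addr = mailbox(u.uid)
            if addr and k.fingerprint not in by_addr.setdefault(addr, []):
                by_addr[addr].append(k.fingerprint)
    return {a: fprs for a, fprs in by_addr.items() if len(fprs) > 1}


def needs_attention(keys: List[Key]) -> List[Tuple[Key, UserId]]:
    """Bindings whose SUMMARY is 0 (conflict) or whose policy is 'ask'."""
    return [(k, u) for k in keys for u in k.uids
            if u.tofu is not None and (u.tofu.validity == 0 or u.tofu.policy == "ask")]


# Constructed sample: an established key and a newcomer claiming the same address.
SAMPLE = """\
tru::1:1498000000:0:3:1:5
pub:f:3072:1:6D7E8F9001122334:1495000000:::m:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001122334:
uid:f::::1495000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
tfs:1:4:102:3:auto:1495100000:1498000000:1496000000:1497500000:
pub:-:2048:1:FEDCBA9876543210:1497900000:::-:::scESC::::::23::0:
fpr:::::::::0011223344556677889900AAFEDCBA9876543210:
uid:-::::1497900000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Mallory <alice@example.org>::::::::::0:
tfs:1:0:1:0:ask:1497950000:1497950000:0:0:
"""

if __name__ == "__main__":
    for k, u in needs_attention(parse_colons(SAMPLE)):
        print(k.fingerprint, u.uid, u.tofu.policy, u.tofu.summary())
```

Run it against real output with `gpg --with-colons --with-tofu-info --list-keys | python3 tofu_stats.py` after replacing `SAMPLE` with `sys.stdin.read()`. Note that the parser deliberately keys conflicts on the primary fingerprint, since that is what a TOFU binding and an ownertrust assignment attach to.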
Re: Revoking a certificate (--edit-key + revsig)
Daniel Kahn Gillmor [2017-06-21 14:03:00-04] wrote:

> in the abstract:
>
>  * i learned via some channel i consider trustworthy that this key isn't
>    appropriate for use with this User ID any more.
>
> more concretely:
>
>  * "I had lunch with Sarah and she told me she'd lost access to her
>    secret key and didn't have a revocation certificate available."
>
> Does this make sense?

Sure, thanks. This is what I thought. In the past I revoked one of my certificates because the key's owner no longer remembered the password and essentially had lost control of the key. Back then I didn't think of the semantics of revsig that much but it seemed the right thing to do.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Key corruption: duplicate signatures and usage flags
martin f. krafft [2017-06-21 11:03:40+02] wrote:

> 24 duplicate signatures removed
>
> That's a bit weird. Where do these come from?

I've seen the message with other keys too, just after --edit-key. The number of duplicate signatures varies. The next --refresh-keys command downloads the signatures back. I tried your key and got the same results.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Revoking a certificate (--edit-key + revsig)
My question is simple (kind of): In what situations would you revoke a certificate that you have made on someone else's key? (Technically: --edit-key + revsig.)

Background concepts: When we sign a key (--edit-key + sign) we certify a particular user id, the link between the user id and a person (or sometimes group) identity. Something like that. It's difficult to put this concretely enough but abstractly enough to cover all cases, but you know what I mean.

But what would you say about the conceptual meaning of revoking such a certificate (--edit-key + revsig)? Maybe the link between the key or a particular user id and the actual person or group identity has been cut: the person lost his secret key or just the password and can't control the key anymore. So maybe by revsig a person gives a signal that he knows the link has been broken and tells people not to rely on his certificate anymore. Am I right?

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: modern GnuPG verify signatures
Stefan Claas [2017-06-15 18:59:41+02] wrote:

> I clearsign a text file and verify it and modern GnuPG shows me this:
>
> gpg --verify my_message.txt
> gpg: Signature made Do 15 Jun 18:31:05 2017 CEST
> gpg:                using RSA key 2BAF85F9281ABD543823C7C5981EB7C382EC52B4
> gpg: Good signature from "Stefan Claas <stefan.cl...@posteo.de>" [ultimate]
>
> A friend just recently posted a message in a Usenet Group and i get this:
>
> gpg --verify m123.eml
> gpg: Signature made Xx 00 Jun 00:00:00 2017 CEST
> gpg:                using RSA key 
> gpg: Good signature from "xx x <...@example.com>" [full]
> gpg: xxx...@example.com: Verified 4 signatures in the past 7 days.
> Encrypted 0 messages.

Perhaps it can be seen as a bug that there is the full fingerprint in some places and the long key id in other places. I'm guessing that there are different code paths internally: In the first example the trust level is calculated from the web of trust (own key, ultimate trust). In the second example the tofu trust model is also involved because it shows statistics for verifying and encryption. But those who know the code can answer.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
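The mix of full fingerprints and long key ids in the human-readable output above is exactly why scripts should not scrape `gpg --verify`'s stderr. With `--status-fd` every verification produces machine-readable lines: GOODSIG (whose first argument may be a long key id or a fingerprint), VALIDSIG (which always carries the full fingerprint of the signing key and, as its tenth argument, the primary key fingerprint), a TRUST_* line naming the validity and the trust model used, and, under the tofu models, TOFU_STATS with the SUMMARY code. The following is an added example, not code from the thread or from GnuPG: a parser for those status lines and a policy check that pins the primary fingerprint rather than a key id, requires a minimum validity, and refuses anything TOFU has flagged as a conflict (SUMMARY 0). The two sample transcripts, fingerprints and names are constructed.

```python
"""Machine-readable signature verification via gpg --status-fd (added example)."""
import subprocess
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

PREFIX = "[GNUPG:] "
# Validity ranking for the TRUST_* status lines; NEVER sits below UNDEFINED.
TRUST_RANK = {"TRUST_NEVER": -1, "TRUST_UNDEFINED": 0, "TRUST_MARGINAL": 1,
              "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verification:
    good: bool = False
    goodsig_keyid: str = ""            # GOODSIG arg 1: long key id OR fingerprint, do not pin on it
    signer_uid: str = ""
    fingerprint: str = ""              # VALIDSIG arg 1: the (sub)key that made the signature
    primary_fingerprint: str = ""      # VALIDSIG arg 10: its primary key
    trust: Optional[str] = None        # TRUST_* keyword
    trust_model: Optional[str] = None  # pgp, tofu, tofu+pgp, direct, ...
    tofu_summary: Optional[int] = None
    tofu_signcount: Optional[int] = None
    problems: List[str] = field(default_factory=list)


def parse_status(text: str) -> Verification:
    v = Verification()
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue                      # human-readable output, ignore it
        parts = line[len(PREFIX):].split(" ")
        kw, args = parts[0], parts[1:]
        if kw == "GOODSIG":
            v.good = True
            v.goodsig_keyid = args[0]
            v.signer_uid = " ".join(args[1:])
        elif kw in BAD_KEYWORDS:
            v.problems.append(kw)
        elif kw == "VALIDSIG":
            v.fingerprint = args[0]
            # Primary key fingerprint is the optional 10th argument; older gpg omits it.
            v.primary_fingerprint = args[9] if len(args) >= 10 else args[0]
        elif kw in TRUST_RANK:
            v.trust = kw
            v.trust_model = args[1] if len(args) >= 2 else None
        elif kw == "TOFU_STATS":
            v.tofu_summary = int(args[0])
            v.tofu_signcount = int(args[1])
    return v


def acceptable(v: Verification, allowed_primary_fprs: Iterable[str],
               min_trust: str = "TRUST_FULLY") -> bool:
    """Good signature by a key under a pinned primary, enough validity, no TOFU conflict."""
    if not v.good or v.problems:
        return False
    if v.primary_fingerprint not in set(allowed_primary_fprs):
        return False
    if v.trust is None or TRUST_RANK[v.trust] < TRUST_RANK[min_trust]:
        return False
    if v.tofu_summary == 0:            # SUMMARY 0: gpg wants a human to resolve a conflict
        return False
    return True


def verify_file(path: str) -> Verification:
    """Run gpg on a signed file and parse its status lines (not exercised offline)."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return parse_status(proc.stdout)


# Constructed transcripts (the non-prefixed line shows that human output is skipped).
SAMPLE_ULTIMATE = """\
gpg: Signature made Thu 15 Jun 2017 18:31:05 CEST
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6D7E8F9001122334 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG A1B2C3D4E5F60718293A4B5C6D7E8F9001122334 2017-06-15 1497544265 0 4 0 1 8 01 A1B2C3D4E5F60718293A4B5C6D7E8F9001122334
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
SAMPLE_CONFLICT = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C0FFEE0011223344 Mallory <alice@example.org>
[GNUPG:] VALIDSIG 5566778899AABBCCDDEEFF00C0FFEE0011223344 2017-06-15 1497544265 0 4 0 1 8 01 0011223344556677889900AAFEDCBA9876543210
[GNUPG:] TOFU_USER 0011223344556677889900AAFEDCBA9876543210 alice@example.org
[GNUPG:] TOFU_STATS 0 1 0 ask 1497950000 1497950000 0 0
[GNUPG:] TRUST_UNDEFINED 0 tofu+pgp
"""

if __name__ == "__main__":
    pinned = {"A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"}
    for name, text in (("ultimate", SAMPLE_ULTIMATE), ("conflict", SAMPLE_CONFLICT)):
        print(name, acceptable(parse_status(text), pinned))
```

Pinning the primary fingerprint (VALIDSIG's last argument) rather than the GOODSIG key id lets the signer rotate signing subkeys without touching the allow-list, and is immune to the short/long key id ambiguity the post describes.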
Re: GnuPG card && using the backup secret key
Matthias Apitz [2017-06-13 12:51:01+02] wrote:

> $ gpg2 --edit-key sk_61F1ECB625C9A6C3.gpg

Command --edit-key edits a key in your keyring. I'd guess that you want to import keys:

    gpg2 --import sk_61F1ECB625C9A6C3.gpg

Then you can edit them with --edit-key.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: changing the passphrase of the secret key stored in the GnuPG card
Matthias Apitz [2017-06-11 20:07:12+02] wrote:

> How could I change the passphrase I have entered while generating the
> keys on the GnuPG card? I tried with no success:
>
> $ LANG=C gpg2 --edit-key Matthias passwd

"gpg2 --edit-key" is for normal keyrings. Your key is on the card so you edit the card with "gpg2 --card-edit" and then change the card's password(s) with "admin" > "passwd".

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Trouble installing Version 2.1 on Debian Jessie
Rex Kneisley [2017-04-29 21:03:14-07] wrote:

> I'm trying to install version 2.1 the "Debian way".
> sudo apt install -t experimental gnupg2 gnupg-agent dirmngr gpgsm
> gpgv2 scdaemon
> The following packages have unmet dependencies:

I suggest using "testing" instead of "experimental" because testing is the direct upgrade path from stable. Actually I'm not brave enough to try even that (i.e., mixing stable and testing) but I'll give a direct answer to your question anyway.

So, in your problem the package manager prefers the stable (jessie) repository and tries to load some libraries from there. However, your experimental gnupg packages require versions that are not in stable. Possible solutions:

  - Add those unmet dependencies to your "apt install -t experimental" command line.

  - Use the "aptitude" command and its dependency solver interactively. It suggests different solutions. Choose the one that suggests loading all necessary packages from the experimental repository.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Smart card
Wouter Verhelst [2017-04-08 10:16:36+02] wrote:

> Smartcards are a pain in the ass. [...] If your laptop doesn't have a
> builtin cardreader, you also need to fish the reader from your
> backpack or wherever, etc.

But Nitrokey, Yubikey and maybe some other smart "keys" are actually handy. Using them doesn't cause pain in any part of my body.

    https://www.nitrokey.com/
    https://www.yubico.com/

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Smart card
Will Senn [2017-04-04 00:19:11-05] wrote:

> On 4/3/17 11:48 PM, Doug Barton wrote:
>> What's your threat model?
>
> [...] I do not really know what I need vs what I think I need. In my
> uneducated state, I think I want to be as secure as possible [...]

Considering possible threats is useful or even extremely important but here's another point of view. Perhaps it can be just "I'm interested in security technology and want to study smart cards. Thus, I'll buy one and learn how it works. Maybe it will turn out useful or even necessary."

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: From Masterkey to subkey
Werner Koch [2017-03-07 19:21:25+01] wrote:

> On Tue, 7 Mar 2017 09:40, billdanger...@gmail.com said:
>> Is there a way (even if hacking gpg code is needed), to change those
>> subkey flags ?
>
> With 2.1 it is easy:
>
>   gpg --edit-key THEKEY
>   gpg> key N
>   gpg> change-usage
>
> and follow the prompt.

Interesting. It seems that the feature is not documented. I tested version 2.1.18 in Debian testing and neither the man page nor --edit-key's "help" command tells anything about the feature.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Expanding web-of-trust with subkey
Daniel Kahn Gillmor [2017-02-15 13:46:13-05] wrote:

> right, so your use of "trust-model direct" switches the meaning of the
> "trust" flag from its usual "ownertrust" semantics to be what we'd
> normally call "validity".
>
> Note also that when you mark a key itself as "trusted" in this way,
> you're asking GnuPG to treat *all* user IDs on it as valid.
> So if the keyholder updates their key at some point in the future to
> add a new User ID, your GnuPG installation is going to blindly accept
> that User ID as legitimate.

Yes. I have also considered (and used a little) local signatures for the same use case: local-sign a key after checking it on a web page or in a tofu-like manner. A local signature can obviously validate only selected user ids but so far I've concluded that signatures are too strong a statement for not really checked "seems ok" keys. I know that there are certification levels (like "--default-cert-level 1") but it's just simpler to use "trust-model direct" and define the level directly. Changing the decision later is also easier.

> please be aware that if you switch from "trust-model direct" to
> "trust-model tofu+pgp", then your previous assignments of "trust" will
> transform into indications of "ownertrust".

That has been my assumption. Thanks for verifying.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Expanding web-of-trust with subkey
Didrik Nordström [2017-02-14 19:02:08-08] wrote:

> How do you handle key management? Let's say you just want to send a
> signed and encrypted email once to someone who announced their pubkey
> over https? What type of trust would you assign?

I don't personally know anybody who uses gpg. Even if I meet someone it's unlikely that signing keys will make me part of any web. So the web of trust is useless for me. That makes things very simple, in a way. I use "trust-model direct" and do some checking on web pages or check consistent use of signatures. If the key seems ok I'll "--edit-key", type "trust" and assign marginal or full trust for that key. That's it. And because I have no use for other people's signatures I also have "keyserver-options import-clean" so my keyring remains small.

When Debian 9 is released, with GnuPG 2.1, I'll try "trust-model tofu+pgp" (trust on first use plus web of trust). It seems useful too.

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Alternatives for Omnikey
gnupg-users dirk [2017-01-06 10:06:40+01] wrote:

> I was under the impression the OmniKey 3121 is a real reader since it
> is on the how to [1].
>
> What would be a good alternative before I buy another bad one.

I don't know about official recommendations but I have a Yubikey 4¹ and a Nitrokey Pro² and they work fine. The software packages scdaemon and pcscd (libccid 1.4.20) are needed but otherwise the keys work out-of-the-box in Debian GNU/Linux 8 (Jessie).

  1. https://www.yubico.com/products/yubikey-hardware/
  2. https://shop.nitrokey.com/shop

-- 
/// Teemu Likonen   - .-..   <https://keybase.io/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: What is pubring.kbx?
Lou Wynn [2016-12-09 23:11:18-08] wrote:

> ~/.gnupg/pubring.kbx
> The public keyring using a different format. This file is shared with
> gpgsm. You should backup this file.

Indeed. I recently verified someone's S/MIME message. The man page of gpgsm(1) 2.0.26 says:

    pubring.kbx
        This a database file storing the certificates as well as meta
        information. For debugging purposes the tool kbxutil may be
        used to show the internal structure of this file. You should
        backup this file.
What is pubring.kbx?
I just noticed that a couple of days ago a new file ~/.gnupg/pubring.kbx had appeared (or was last modified). Who made it and what is it for? I'm using GnuPG 2.0.26 and its manual doesn't seem to tell anything about this file. Obviously I have ~/.gnupg/pubring.gpg too.

    $ gpg2 --no-default-keyring --keyring ~/.gnupg/pubring.kbx --list-keys
    gpg: [don't know]: invalid packet (ctb=00)
    gpg: keydb_search_first failed: Invalid packet

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
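The "invalid packet (ctb=00)" error above is the keyring reader of gpg 2.0 treating the first byte of the file as an OpenPGP packet tag: a keybox file does not start with a packet but with a big-endian 32-bit blob length whose high byte is 0x00, and an OpenPGP CTB must have bit 7 set. The following is an added example, not code from the thread or from GnuPG, that walks a keybox container to show what is actually in the file. The blob layout is taken from the header comment of GnuPG's kbx/keybox-blob.c: the header blob is u32 length, u8 type (1), u8 version, u16 flags, the magic "KBXf", u32 reserved, u32 created_at, u32 last_maintenance_run and two reserved u32, and every other blob begins with u32 length, u8 type (2 = OpenPGP, 3 = X.509), u8 version, u16 flags. Only those common leading fields are decoded; the `build_sample_keybox()` file is constructed and its OpenPGP blob body is filler rather than a real key block. Check the layout against your own GnuPG version before relying on it for anything beyond inspection.

```python
"""Inspect the GnuPG keybox (pubring.kbx) container format (added example)."""
import struct
from typing import Dict, List, Tuple

KBX_MAGIC = b"KBXf"
BLOB_TYPES = {0: "empty", 1: "header", 2: "openpgp", 3: "x509"}


def looks_like_openpgp_packet(data: bytes) -> bool:
    """An OpenPGP packet starts with a CTB whose bit 7 is set (RFC 4880, 4.2).

    A keybox starts with a u32 length, so its first byte is 0x00: this is
    what gpg 2.0's keyring reader reports as 'invalid packet (ctb=00)'.
    """
    return bool(data) and (data[0] & 0x80) != 0


def parse_keybox(data: bytes) -> Dict:
    """Return header fields plus (type, offset, length) for every blob."""
    if len(data) < 32 or data[8:12] != KBX_MAGIC:
        raise ValueError("no 'KBXf' magic at offset 8: not a keybox file")
    hlen, htype, hver, hflags = struct.unpack(">IBBH", data[:8])
    if htype != 1 or hlen != 32:
        raise ValueError(f"unexpected header blob (type={htype}, len={hlen})")
    created_at, last_maintenance = struct.unpack(">II", data[16:24])

    blobs: List[Tuple[str, int, int]] = []
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError(f"truncated blob header at offset {off}")
        blen, btype = struct.unpack(">IB", data[off:off + 5])
        if blen < 5 or off + blen > len(data):
            raise ValueError(f"bad blob length {blen} at offset {off}")
        blobs.append((BLOB_TYPES.get(btype, f"type{btype}"), off, blen))
        off += blen

    counts: Dict[str, int] = {}
    for name, _, _ in blobs:
        counts[name] = counts.get(name, 0) + 1
    return {"version": hver, "flags": hflags, "created_at": created_at,
            "last_maintenance": last_maintenance, "blobs": blobs, "counts": counts}


def build_sample_keybox() -> bytes:
    """Constructed file: a 32-byte header blob and one OpenPGP blob with filler body."""
    header = (struct.pack(">IBBH", 32, 1, 1, 0) + KBX_MAGIC
              + struct.pack(">IIIII", 0, 1481300000, 1481300000, 0, 0))
    body = b"\x00" * 24                      # stands in for the real OpenPGP blob fields
    pgp = struct.pack(">IBBH", 8 + len(body), 2, 1, 0) + body
    return header + pgp


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_keybox()
    info = parse_keybox(data)
    print("created_at", info["created_at"], "blobs", info["counts"])
    print("first byte is a valid OpenPGP CTB:", looks_like_openpgp_packet(data))
```

Run with `python3 kbxinfo.py ~/.gnupg/pubring.kbx` to see the blob counts of a real file; `kbxutil --stats` from GnuPG gives the authoritative view, this script only shows why a keyring parser rejects the file at byte zero.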
Re: An attempt at backporting 2.1.16 from Debian sid to Debian jessie
Peter Lebbing [2016-12-08 18:12:50+01] wrote:

> I forked the Debian git repo for GnuPG 2.1 [1], and had a go at what
> was primarily the reversal of the changes introduced by 2.1.11-7+exp1.
> You can find the result at GitLab at [2].

Thanks. I'm not brave enough to try it yet. I wonder what the status of the official backport is. There's a Debian bug report about that:

    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822974

Quote 2016-10-06:

    It'll happen soon, i promise :)
    --dkg

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Is --export-ssh-key functionality possible with GnuPG 2.0?
Stephan Beck [2016-11-24 16:51:00Z] wrote:

> A1) Install the monkeysphere package (1) that includes openpgp2ssh tool
> A2) Export the secret subkey you'd like to use for ssh authentication
> purposes and pipe it through openpgp2ssh
>
> gpg2 --export-secret-subkeys \
>     --export-options export-reset-subkey-passwd [keyID!] | \
>     openpgp2ssh [keyID] > gpg-auth-keyfile

Not too pretty but it works. Thank you.

Since it creates a separate key which is not tied to my secring.gpg the case left me wondering what will happen when I upgrade to gpg 2.1 in the future. I mean I'll run gpg 2.1 someday and it will convert my secring.gpg to some KEYGRIP.key files, including my A-capable key. Will the authentication key be the same and technically compatible with the key that I just created with the openpgp2ssh and ssh-add commands? Just wondering. It's not that important. Some manual work is probably necessary anyway at the first upgrade.

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Is --export-ssh-key functionality possible with GnuPG 2.0?
Peter Lebbing [2016-11-24 16:04:42+01] wrote:

> On 24/11/16 15:27, Teemu Likonen wrote:
>> Unfortunately I have GnuPG 2.0.26 (as packaged in Debian 8). Can it be
>> told to export ssh public keys?
>
> I think 2.0 also supported:
>
> $ ssh-add -L
>
> to list all SSH keys known to the agent. ssh-add is part of the
> openssh-client package.

That works if the key is already known to the gpg-agent but it seems that gpg 2.0 also has a problem in making A-capable keys known to the ssh agent protocol. I believe that the file ~/.gnupg/sshcontrol should contain the key's keygrip but how do I get the keygrip when there's no --with-keygrip option in 2.0?

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
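The keygrip asked about above does not depend on GnuPG at all: libgcrypt defines the keygrip of an RSA key as the SHA-1 of the unsigned big-endian bytes of the modulus n (no length prefix, no leading zero byte), so it can be computed from any representation of the public key, including the OpenSSH `ssh-rsa` line that `openpgp2ssh` or `ssh-add -L` produces (the "ssh-rsa" wire format is three RFC 4253 strings: the type name, mpint e, mpint n). The following is an added example, not code from the thread, GnuPG or OpenSSH: it encodes and parses an `ssh-rsa` public key line, derives the keygrip, and formats the sshcontrol entry (keygrip, cache TTL, optional "confirm" flag, as documented in gpg-agent(1)). The demo modulus is a made-up 256-bit number, not a real key, chosen with its top bit set so the mpint leading-zero rule is exercised. Only RSA is covered; for ECC keys the keygrip also hashes curve parameters, which this does not implement.

```python
"""Derive a gpg-agent keygrip from an ssh-rsa public key line (added example)."""
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(b: bytes) -> bytes:
    """RFC 4253 'string': u32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4253 'mpint': two's complement, so a leading 0x00 keeps positive values positive."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated ssh string length")
    (ln,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + ln > len(buf):
        raise ValueError("truncated ssh string body")
    return buf[off + 4:off + 4 + ln], off + 4 + ln


def parse_ssh_rsa(line: str) -> Tuple[int, int]:
    """Return (e, n) from an 'ssh-rsa AAAA... [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    kind, off = read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the line")
    e_bytes, off = read_string(blob, off)
    n_bytes, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def rsa_keygrip(n: int) -> str:
    """Libgcrypt keygrip for RSA: SHA-1 over the minimal big-endian bytes of n, upper-case hex."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest().upper()


def keygrip_from_ssh_line(line: str) -> str:
    _, n = parse_ssh_rsa(line)
    return rsa_keygrip(n)


def sshcontrol_entry(keygrip: str, ttl: int = 0, confirm: bool = False, comment: str = "") -> str:
    """One ~/.gnupg/sshcontrol entry: keygrip, cache TTL (0 = agent default), optional 'confirm'."""
    head = f"# {comment}\n" if comment else ""
    flags = " confirm" if confirm else ""
    return f"{head}{keygrip} {ttl}{flags}\n"


# Constructed demo key: 256-bit odd modulus with the top bit set. Not a real key.
DEMO_E = 65537
DEMO_N = (1 << 255) | 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5B

if __name__ == "__main__":
    import sys
    line = sys.stdin.readline() if not sys.stdin.isatty() else encode_ssh_rsa(DEMO_E, DEMO_N, "demo")
    print(sshcontrol_entry(keygrip_from_ssh_line(line), comment="RSA key from ssh-rsa line"), end="")
```

With a real key, `ssh-add -L | head -1 | python3 keygrip.py >> ~/.gnupg/sshcontrol` adds the entry; once gpg 2.1 is available, `gpg --with-keygrip -k` must print the same value for the authentication subkey, which is a useful cross-check that the openpgp2ssh export really is the same key material.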
Is --export-ssh-key functionality possible with GnuPG 2.0?
Keys with authentication capability can be used with ssh, and GnuPG 2.1's command --export-ssh-key will export the ssh public key. Right?

Unfortunately I have GnuPG 2.0.26 (as packaged in Debian 8). Can it be told to export ssh public keys?

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Confusing options for --tofu-(default-)policy=
First a quote from the gpg 2.1.15 man page:

    --trust-model pgp|classic|tofu|tofu+pgp|direct|always|auto
    [...]
        In the TOFU model, policies are associated with bindings between
        keys and email addresses (which are extracted from user ids and
        normalized). There are five policies, which can be set manually
        using the --tofu-policy option. The default policy can be set
        using the --tofu-default-policy policy.

        The TOFU policies are: auto, good, unknown, bad and ask. The auto
        policy is used by default (unless overridden by
        --tofu-default-policy) and marks a binding as marginally trusted.
        The good, unknown and bad policies mark a binding as fully
        trusted, as having unknown trust or as having trust never,
        respectively.
    [...]

So there's a mapping from tofu policy to trust: auto=marginal, good=fully, unknown=unknown, bad=never. But why use different names? Why not use the same names for tofu policy and trust?

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: How to prevent emacs from unencrypting my files
John Helly [2016-02-23 18:27:51-10] wrote:

> I've just discovered that emacs can unencrypt my *.gpg files without
> prompting for a password. IMHO this largely negates the purpose of
> encrypting files in case I lose my laptop.

Emacs can cache passphrases and expire them automatically. The related configuration variables have changed quite recently but check these:

    password-cache
    password-cache-expiry
    mml2015-cache-passphrase
    mml2015-passphrase-cache-expiry
    mml-secure-cache-passphrase
    mml-secure-passphrase-cache-expiry

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///
Re: Documentation format
Robert J. Hansen [2016-02-06 23:59:23-05] wrote:

> LaTeX way predates UTF-8 and requires that foreign symbols be composed
> using TeX escape sequences.

With \usepackage{fontspec} (etc.) and the "xelatex" compiler you can use UTF-8 and OpenType fonts. No special composing for characters. See the fontspec package for more info: <http://ctan.org/pkg/fontspec>. They should be included in any TeX Live distribution.

-- 
/// Teemu Likonen   - .-..   <https://github.com/tlikonen> //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///