Re: Agent forwarding issue

2024-04-10 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> On Fri,  5 Apr 2024 13:03, Todd Zullinger said:
> 
>> In such a case, it sounds like it may be reasonable to use
>> the normal socket?  Until the remote side is updated to
> 
> In fact, I also did this for some time but later came up with 
> 
>   CommitDate: Wed Oct 12 11:30:35 2022 +0200
> 
> agent: Introduce attribute "Remote-list" to KEYINFO.
> 
> * agent/command.c (do_one_keyinfo): Add arg list_mode.  Check
> attribute Remote-list.
> (cmd_keyinfo): Change semantics to return nothing in restricted list
> mode.
> 
> which is
> 
>   *** Remote-list
>   Allow to list the key with the KEYINFO command from a remote machine
>   via the extra socket.  A boolean value is expected; the default is
>   "no".  Note that KEYINFO will anyway provide information if the
>   keygrip is specified.
> 
> Not exactly your problem but somehow related.

Neat.  I have probably read agent/keyformat.txt before, but
not in a long time and I never had any reason to consider
editing the .key files.

This caused me to re-read the document and I'll likely add
an additional Token: line to note the two cards which hold a
new key (which I have yet to start using).  That should make
it easier to move between the cards, it sounds like.

In the process, I spotted a few minor typos and sent a patch
to gnupg-devel.

Thanks again, Werner!

-- 
Todd


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Agent forwarding issue

2024-04-05 Thread Todd Zullinger via Gnupg-users
Bee via Gnupg-users wrote:
> In the mean time, you could put something along the lines of:
> 
> {CmdCalls ; } 2>&1 | grep -v -e "^gpg: problem with fast path key
> listing: Forbidden - ignored$" or something, to keep that output out
> of your stderr stream.

I think there's a downside to that (but I could always be
wrong).  Redirecting stderr to stdout would prevent mutt (or
whatever tool was being used) from being able to
display output only from stderr.  That is helpful when the
exit status is 0 but there were warnings, as in this case.

> If something else unexpected displays, you'll get more issues, but
> then you probably want to know if / when / should that happen.
> 
> If you add --quiet now, even when the change below happens later, your
> script above won't need to change again.

Indeed, if Werner weren't so quick, perhaps I would have
considered some sort of adjustment.  Though I try to use
mutt's contrib/gpg.rc unaltered so I don't have to remember
to merge in fixes they make there.

This does remind me that I should re-evaluate using gpgme
as the backend.  I don't recall why I disabled that now.  It
may have been for an issue which is long-since resolved. ;)

-- 
Todd
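
An added example, not part of the original post: one way to drop only the fast-path warning from stderr while stdout and stderr stay separate streams and the command's exit status is kept. The names `run_filtered`, `FASTPATH_WARNING` and the stand-in `demo_gpg` are made up for this illustration.

```shell
#!/bin/sh
# Added illustration; run_filtered, FASTPATH_WARNING and demo_gpg are
# hypothetical names, not part of gnupg or mutt.

# The exact diagnostic quoted in this thread.
FASTPATH_WARNING='gpg: problem with fast path key listing: Forbidden - ignored'

# run_filtered CMD [ARGS...]
#   stdout of CMD -> our stdout, untouched
#   stderr of CMD -> our stderr, minus lines equal to $FASTPATH_WARNING
#   exit status   -> that of CMD, not of grep
run_filtered() {
    {
        rc=$(
            {
                {
                    status=0
                    # fd 1 here is the pipe to grep: point stderr at it,
                    # then put stdout back on the caller's stdout (fd 3).
                    "$@" 2>&1 1>&3 3>&- 4>&- || status=$?
                    echo "$status" >&4    # fd 4 feeds the $( ) capture
                } |
                    # -x -F: drop only whole lines equal to the warning.
                    # grep exits 1 when it prints nothing, hence "|| :".
                    grep -v -x -F -e "$FASTPATH_WARNING" >&2 3>&- 4>&- || :
            } 4>&1
        )
    } 3>&1
    return "$rc"
}

# Constructed stand-in for a gpg call: one line on stdout, the warning
# and one other diagnostic on stderr.
demo_gpg() {
    echo '-----BEGIN PGP SIGNATURE-----'
    echo "$FASTPATH_WARNING" >&2
    echo 'gpg: constructed diagnostic that should stay visible' >&2
}
```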



Re: Agent forwarding issue

2024-04-05 Thread Todd Zullinger via Gnupg-users
Hi Werner,

Werner Koch via Gnupg-users wrote:
>> gpg: problem with fast path key listing: Forbidden - ignored
> 
> I'll suppress that message in --quiet mode for the next release.

Excellent, thanks!

> When doing a secret key listing (which happens with -K but also in
> --with-colons mode) gpg walks over all public keys and asks the agent
> for each key whether a corresponding secret key exists.  With many
> secret keys this is quite some overhead and thus gpg first tries to
> get a listing of all secret keys (the keygrips) and later can do a fast
> memcmp instead of an IPC call.

In theory, would this not occur if I cleaned up the keyring
a bit?  I've got ~350 public keys.  Some are likely expired
or no longer useful.

This is without any sort of auto-key-locate enabled -- just
years of accumulating keys.  It doesn't _seem_ like that
many keys to have around...

> If you use the extra-socket certain operations are forbidden so that a
> rogue gpg version on the remote site won't be able to change passwords,
> export secret keys, or get a listing of all available secret keys.  This
> is why you see this diagnostic.

I manage the remote system and consider it reasonably
secure, to the extent any online system can be called
"secure."  It's not much less secure than the system from
which I am forwarding, other than that I'm not physically
beside it.

In such a case, it sounds like it may be reasonable to use
the normal socket?  Until the remote side is updated to
silence this via --quiet, at least.

I saw you pushed the change already, so I applied it to the
build on the remote host and can confirm it does the trick.

Thanks for the quick reply, fix, and additional details!

Cheers,

-- 
Todd



Agent forwarding issue

2024-04-04 Thread Todd Zullinger via Gnupg-users
Hi,

I have been working on setting up agent forwarding¹.

One issue which I have not yet found a solution for is that
gpg prints the following to stderr when performing actions
involving the agent:

gpg: problem with fast path key listing: Forbidden - ignored

Both hosts are running gnupg-2.4.5, based on the Fedora
packages.

With mutt, this causes the signing to pause after entering
the password, as stderr is not empty (I think this is the
reason, anyway).  Can this warning be avoided or silenced
(without directing stderr to /dev/null)?

I can't find much information about it, but it seems like
while this is something useful to note, after seeing it once
it is simply needless.

I believe this is because I've used the extra socket, which
seems like the proper thing to do with agent forwarding, but
perhaps isn't worth the hassle?  I'm not too eager to
forward the regular agent when I can use a more restricted
socket.

¹ https://wiki.gnupg.org/AgentForwarding

Thanks,

-- 
Todd



Re: 32768-bit key

2023-07-10 Thread Todd Zullinger via Gnupg-users
Robert J. Hansen via Gnupg-users wrote:
>> I don't know that there's anything to file a bug about.  I
>> don't see any non-rsa4096 keys on the Tails website:
> 
> One of their certificates has a Curve-25519 subkey.  I wonder if that's what
> the original poster saw, and mistook it for being a 25,519-bit subkey.

Ahh, that's a very good guess. I missed that sub key while I
was skimming the list of keys.

-- 
Todd




Re: 32768-bit key

2023-07-09 Thread Todd Zullinger via Gnupg-users
Robert J. Hansen via Gnupg-users wrote:
>> The TailsOS team has a key that's way over 16384-bit.
> 
> I suggest filing a bug report with them and asking them why they ignore the
> best practices of cryptography.

I don't know that there's anything to file a bug about.  I
don't see any non-rsa4096 keys on the Tails website:

https://tails.net/doc/about/openpgp_keys/

-- 
Todd




Re: [Announce] GnuPG 2.4.1 released

2023-05-01 Thread Todd Zullinger via Gnupg-users
Werner Koch via Gnupg-users wrote:
> On Fri, 28 Apr 2023 11:21, Todd Zullinger said:
> 
>> It seems neither of these files has made it to the
>> server yet:
> 
> Sorry for that.  I have used a new build machine and obviously forgot
> one of the last steps. Most of the release process is scripted but the
> final upload needs to be done manually (after signing, copying to the
> internal archive, updating the repo, writing announcement and updating
> the web page).
> 
> Fixed after Bernhard called me at home.

Sorry it interrupted your weekend.  Thanks for the new
release and all of your work on GnuPG and OpenPGP. :)

-- 
Todd




Re: [Announce] GnuPG 2.4.1 released

2023-04-28 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> Getting the Software
> 
> 
> Please follow the instructions found at  or
> read on:
> 
> GnuPG may be downloaded from one of the GnuPG mirror sites or direct
> from its primary FTP server.  The list of mirrors can be found at
> .  Note that GnuPG is not
> available at ftp.gnu.org.
> 
> The GnuPG source code compressed using BZIP2 and its OpenPGP signature
> are available here:
> 
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2 (7169k)
>  https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig

It seems neither of these files has made it to the
server yet:

$ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2
HTTP/1.1 404 Not Found
Date: Fri, 28 Apr 2023 15:19:07 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1

$ curl -I https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.4.1.tar.bz2.sig
HTTP/1.1 404 Not Found
Date: Fri, 28 Apr 2023 15:19:07 GMT
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=ISO-8859-1

-- 
Todd




Re: gpg: can't handle public key algorithm 18

2023-04-16 Thread Todd Zullinger via Gnupg-users
Mike Schleif wrote:
> Yes, I see that.
> 
> However, our public key was generated by our GPG; and this file is
> encrypted with our public key, since there is NO missing "secret key" error.
> 
> Why, then, the subject error message?

Perhaps the file is signed by an ECDH key?  I can only
guess.

You might want to try the --list-packets option on the
encrypted message.  Adding -v (or -vv) when decrypting might
help show the issue.

-- 
Todd




Re: gpg: can't handle public key algorithm 18

2023-04-15 Thread Todd Zullinger via Gnupg-users
Mike Schleif wrote:
> $ gpg --version
> gpg (GnuPG) 2.0.22
> libgcrypt 1.5.3
> 
> $ cat /etc/system-release
> CentOS Linux release 7.9.2009 (Core)

Algorithm 18 is ECDH, which is not supported by gpg on
CentOS 7.  You can confirm this in the Pubkey line of the
gpg --version output:

  $ gpg --version
  gpg (GnuPG) 2.0.22
  libgcrypt 1.5.3
  [...]

  Home: ~/.gnupg
  Supported algorithms:
  Pubkey: RSA, ?, ?, ELG, DSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2

On a newer Fedora system, ECDH is present:

  $ gpg --version --no-copyright
  gpg (GnuPG) 2.4.0
  libgcrypt 1.10.1-unknown
  [...]

  Home: /home/user/.gnupg
  Supported algorithms:
  Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
  Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
  CAMELLIA128, CAMELLIA192, CAMELLIA256
  Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
  Compression: Uncompressed, ZIP, ZLIB, BZIP2

-- 
Todd




Re: Difference between versions--Question

2023-01-03 Thread Todd Zullinger via Gnupg-users
K S via Gnupg-users wrote:
> It would be helpful to know why I can't get compression in my build. I've
> tried to build from source three times now.
> 
> There are so many packages in Ubuntu with zip, zlib, and bzip2 in the name
> I can't begin to try them all. I've looked at config.log and it doesn't
> give much help.

The config.log should show some information about the
compression algorithms, likely found searching for "zip" in
the output.

Building from source does require a bit of familiarity with
the system on which you are building.  While you shouldn't
need to randomly try all the packages, knowing where to look
for ideas will help.

I don't use Ubuntu or Debian, but if I were trying to build
gnupg from source I'd start by looking at what build
dependencies are required by the system packages.

In the case of gnupg, you can see that in the debian/control
file:

https://salsa.debian.org/debian/gnupg2/-/blob/7f5e9b1b/debian/control#L9-43
https://git.launchpad.net/ubuntu/+source/gnupg2/tree/debian/control#n10

You can install those build dependencies via something like:

apt-get build-dep gnupg2

The debian/rules file is usually also interesting; seeing
what configure and make options are used can be helpful.

Some of the dependencies for the current gnupg may be newer
than what is required by the gnupg2 package in Ubuntu and/or
provided by the OS.  You may first need to build those newer
dependencies.

If so, you need to be careful not to interfere with the OS
libraries which are used by other packages on the system.
It can get "interesting" trying to update something which is
quite a core dependency of the operating system.

-- 
Todd




Re: GnuPG 2.2.36 released

2022-07-13 Thread Todd Zullinger via Gnupg-users
Bernhard Reiter wrote:
> Am Montag 11 Juli 2022 14:50:24 schrieb Konstantin Ryabitsev via Gnupg-users:
>>> See https://dev.gnupg.org/T5949#159890 for why it doesn't work for you.
>>
>> Ah, okay, that's unfortunate. I guess I'll skip this release, since I can't
>> verify it without building gnupg from scratch (without verifying it first).
> 
> Maybe it helps to report the problem of missing crypto algorithms to your
> GNU/Linux distribution.

They aren't really missing but rather intentionally removed
due to legal issues on Fedora/Red Hat.  This came up not so
long ago:

https://lists.gnupg.org/pipermail/gnupg-users/2022-May/066054.html

With the current Fedora (36), it's possible to enable these
ciphers via '--with brainpool' when building the libgcrypt
srpm.

Hopefully the legal issues will be cleared sometime soon and
Fedora will stop stripping brainpool.

It's frustrating that the releases are signed with a cipher
that cannot be verified on a reasonably popular distro.

-- 
Todd




Re: Error importing fetching key from wkd

2022-06-01 Thread Todd Zullinger via Gnupg-users
Konstantin Ryabitsev via Gnupg-users wrote:
> FYI, I also provide gnupg22-static and gnupg23-static packages that can be
> rebuilt and installed on RHEL 7+ (though I haven't tried on RHEL9):
> 
> https://copr.fedorainfracloud.org/coprs/icon/lfit/packages/
> 
> They install into /opt and can be used directly as /opt/gnupg22/bin/gpg (and
> others).

Thanks Konstantin!

On EL8/9, I needed to disable the debugsource packages for a
successful build:

%define _debugsource_template %{nil}

I only tested builds of gnupg23-static on EL8/9, but the
gnupg22-static package looks like it would need the same
treatment.

Of course, the difference in algorithm support between
upstream and EL8/9 is much smaller than it was on EL7.
(Here's to seeing the differences disappear entirely.)

-- 
Todd




Re: Error importing fetching key from wkd

2022-05-31 Thread Todd Zullinger via Gnupg-users
Hello again,

I wrote:
> Dirk Gottschalk via Gnupg-users wrote:
>> A workaround for this is to download the SRPM, remove the
>> line '--disable-brainpool' and rebuild the package.
> 
> Ahh, excellent.  That's a relatively recent change.  It's
> available in the Fedora (and RHEL) libgcrypt-1.10 packages
> which I believe are only in the freshly released Fedora 36
> and RHEL 9.

For the future, you can now rebuild the libgcrypt rpm from
Fedora 36 with brainpool support without having to edit the
spec file manually¹.  You can pass `--with brainpool` to the
rpmbuild command, e.g.:

rpmbuild -rb --with brainpool /path/to/libgcrypt.src.rpm

Hopefully that makes life just a little easier for folks
using Fedora who want or need brainpool support.

¹ https://src.fedoraproject.org/rpms/libgcrypt/c/6571417ff

-- 
Todd




Re: Error importing fetching key from wkd

2022-05-29 Thread Todd Zullinger via Gnupg-users
Hi,

Dirk Gottschalk via Gnupg-users wrote:
> A workaround for this is to download the SRPM, remove the
> line '--disable-brainpool' and rebuild the package.

Ahh, excellent.  That's a relatively recent change.  It's
available in the Fedora (and RHEL) libgcrypt-1.10 packages
which I believe are only in the freshly released Fedora 36
and RHEL 9.

Previous releases contained a 'hobbled' libgcrypt tarball
where the brainpool curves were removed entirely.  (That's
the usual practice for items which cannot be included for
legal reasons.)

It's good to see things are moving in the right direction,
at least.

-- 
Todd




Re: Error importing fetching key from wkd

2022-05-28 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch via Gnupg-users wrote:
> On Wed, 25 May 2022 22:58, Dirk Gottschalk said:
> 
>> $ gpg --with-colons --list-config curve
>> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;secp25
>> 6k1
> 
> This should read
> 
> cfg:curve:cv25519;ed25519;cv448;ed448;nistp256;nistp384;nistp521;brainpoolP256r1;brainpoolP384r1;brainpoolP512r1;secp256k1
> 
> Note the Brainpool curves.  Seems that Redhat still patches them out of
> libgcrypt.

The question of whether these curves can be kept in Fedora
was brought up on the fedora-legal list some time ago.  The
most recent status update¹ from Fedora Project Leader
Matthew Miller on January 28, 2022 says:

So, these things move slowly, but this _is_ being
worked on. I'll let you know when I can.

That sounds mildly hopeful.  With luck, the curves will be
cleared for inclusion (at least eventually, even if not
terribly soon).

¹ https://lists.fedoraproject.org/archives/list/le...@lists.fedoraproject.org/message/3ESF4KDVMLQPZX4H2S4L7BP5BHJPMPMB/

-- 
Todd




Re: Odd error

2020-12-01 Thread Todd Zullinger via Gnupg-users
Hi,

Werner Koch wrote:
> I looked at the Fedora Libgcrypt source and noticed that they ship
> libgcrypt with the nistp192 and all brainpool curves removed.  I have
> not yet built this version but given that one of your keys has brainpool
> curves this might be the culprit.
> 
> I can understand that they remove nistp192 for security policy reasons.
> But I do not understand why the brainpool curves are removed.  The
> general statement in the spec file is that curves need to be removed due
> to patent reasons.  However, Brainpool curves are less prone to patent
> claims for fast multiplication than the NIST curves and we actually use
> the very same code for all those Weierstrass curves. 

FWIW, I noticed that someone recently asked about the status
of the ECC Brainpool curves on the Fedora Legal list:

https://lists.fedoraproject.org/archives/list/le...@lists.fedoraproject.org/thread/WUQNAB4EPWSJMMVECL2TZGKB5KIDESII/

With luck, a fresh review by the Red Hat legal folks will
result in those curves becoming accessible in the Fedora
libgcrypt packages.

Cheers,

-- 
Todd



Re: setrlimit failure on aarch64 (was: Interesting failure on aarch64)

2020-02-02 Thread Todd Zullinger via Gnupg-users
Werner Koch via Gnupg-users wrote:
> On Fri, 20 Dec 2019 11:22, Konstantin Ryabitsev said:
> 
>> On x86_64 this succeeds, but when I tried building on aarch64, that step 
> [...]
>>   gpg: Fatal: can't disable core dumps: Operation not permitted
> 
> setrlimit returns an unexpected error code:
> 
> if (getrlimit (RLIMIT_CORE, &limit))
>   limit.rlim_max = 0;
> limit.rlim_cur = 0;
> if( !setrlimit (RLIMIT_CORE, &limit) )
>   return 0;
> if( errno != EINVAL && errno != ENOSYS )
>   log_fatal (_("can't disable core dumps: %s\n"), strerror(errno) );
> 
> This is the first time I see a report that EPERM is returned.

The getrlimit call also fails, according to strace:

getrlimit(RLIMIT_CORE, 0xeb2acf88)  = -1 EPERM (Operation not permitted)
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = -1 EPERM (Operation not permitted)

I don't have access to an aarch64 host running RHEL 7
directly, so my only testing is via the mock command from an
aarch64 Fedora 31 host.

Mock can use two styles of container, an old-style chroot or
new-style systemd-nspawn.  Using chroot succeeds, while
systemd-nspawn fails.

I tested with CAP_SYS_RESOURCE added to the capability list
in the systemd-nspawn call, without success.  From my
reading, that should work (though shouldn't be needed as
we're not trying to raise the limit).

So it seems like a bug either in systemd-nspawn or a lower
level component like glibc or the kernel with RHEL 7 on
aarch64, as you suggested.

-- 
Todd



Re: Interesting failure on aarch64

2020-01-24 Thread Todd Zullinger via Gnupg-users
Hi Konstantin,

Konstantin Ryabitsev wrote:
> I came across an interesting gpg failure while trying to build 
> git-2.24.1 RPM for Fedora COPR. As part of RPM build, the prep stage 
> attempts to verify the tarball signature using Junio's PGP key:
> 
>   %prep
>   # Verify GPG signatures
>   gpghome="$(mktemp -qd)" # Ensure we don't use any existing gpg keyrings
>   # Convert the ascii-armored key to binary
>   # (use --yes to ensure an existing dearmored key is overwritten)
>   gpg2 --homedir "$gpghome" --dearmor --quiet --yes %{SOURCE9}
>   xz -dc %{SOURCE0} | # Upstream signs the uncompressed tarballs
>     gpgv2 --homedir "$gpghome" --quiet --keyring %{SOURCE9}.gpg %{SOURCE1} -
>   rm -rf "$gpghome" # Cleanup tmp gpg home dir
> 
> On x86_64 this succeeds, but when I tried building on aarch64, that step 
> returned the following error:
> 
>   Building for target aarch64
>   Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.FYxOmt
>   + umask 022
>   + cd /builddir/build/BUILD
>   ++ mktemp -qd
>   + gpghome=/tmp/tmp.dndOuot6S2
>   + gpg2 --homedir /tmp/tmp.dndOuot6S2 --dearmor --quiet --yes 
> /builddir/build/SOURCES/gpgkey-junio.asc
>   gpg: Fatal: can't disable core dumps: Operation not permitted
>   error: Bad exit status from /var/tmp/rpm-tmp.FYxOmt (%prep)
[...]
> I'm curious what exactly is at fault here -- is there something in the 
> COPR build environment that causes this error, or is there something 
> that gnupg is not checking correctly?

I noticed this recently as well.  It only happens on EPEL-7
aarch64, which has gnupg2-2.0.22-5.el7_5.  Builds for EPEL-8
aarch64 work fine.

I've tested this on one of the Fedora package maintainer
aarch64 instances as well and it fails there too.  That
doesn't narrow it down much, other than likely ruling out
something specific to the COPR build environment.

It could still be a bug in gnupg-2.0.22, in the RHEL-7
packages (gnupg2 or otherwise), or when used with mock on
aarch64. For those unfamiliar, mock is a Fedora/EPEL rpm
build tool.

-- 
Todd



Re: Keyserver access changes in GnuPG

2018-12-12 Thread Todd Zullinger
Wiktor Kwapisiewicz via Gnupg-users wrote:
> Hello all,
> 
> I recently saw a message from one of Fedora's maintainers:
> 
>> Coming soon to Fedora30 (rawhide), gnupg v1.4.x renamed to gnupg1. Also 
>> dropping keyserver support at Werner's suggestion since upstream plans to 
>> disable that soon.
> 
> Source: https://infosec.exchange/@bcl/101195051788828345
> 
> Does anyone know anything about dropping keyserver support in GnuPG? That seems
> a little bit radical but maybe I've missed something...

This only applies to the gnupg-1.4.x packages in Fedora.

Fedora 30 will ship with gnupg-2.x as /usr/bin/gpg (with
keyserver support intact).

The packages from the 1.4.x branch will be installed as
/usr/bin/gpg1 for users who want to keep using it.  Dropping
the keyserver and photoviewer helpers is part of the next
planned release from the 1.4.x branch, which is being
tracked in https://dev.gnupg.org/T3443.

Hopefully that helps clarify things a bit and removes any
worries that Fedora is stripping keyserver support from the
default /usr/bin/gpg.

-- 
Todd
~~
You know an odd feeling?  Sitting on the toilet eating a chocolate
candy bar.
-- George Carlin, Napalm & Silly Putty





Re: Errors while creating an g13 encrypted container.

2018-04-13 Thread Todd Zullinger
Dirk Gottschalk via Gnupg-users wrote:
> Am Freitag, den 13.04.2018, 11:40 +0200 schrieb Werner Koch:
>> On Fri, 13 Apr 2018 03:49, gnupg-users@gnupg.org said:
>> 
>>> There is neither a command or package named userv, nor a script
>>> called
>>> 'gnupg-g13-syshelp' in the repositories. The binary g13-syshelp is
>>> available.
> 
>>   apt-get install userv
> 
> In my case it is dnf, but this tool is not available at all in the
> repos.

I don't see userv available for Arch, Gentoo, openSUSE, or
Slackware either.  It's a very old tool (not that this makes
it bad in any way) which hasn't seen updates in a decade or
so, it appears.

Has userv ever been widely packaged outside of Debian?

-- 
Todd
~~
There are no differences but differences of degree between different
degrees of difference and no difference.
-- William James, under nitrous oxide; 1882





Re: Will gpg 1.x remain supported for the foreseeable future?

2018-01-20 Thread Todd Zullinger
Dan Kegel wrote:
> - might save time and anguish if apt-key (and thus gpg[v]?) accepted
> armored keyrings even if filename ends in .gpg

I think that's https://dev.gnupg.org/T2290, in case you want
to follow it or submit a patch to implement it.  Werner did
provide some details about how it would ideally be done.

If I was more capable with C, I'd give it a try since I'd
like to see gpgv work with armored keyrings too.

-- 
Todd
~~
Progress isn't made by early risers. It's made by lazy men trying to
find easier ways to do something.
-- Robert Heinlein





Re: fingerprint of key

2017-08-14 Thread Todd Zullinger

Daniel Kahn Gillmor wrote:

> with more modern versions of gnupg, you can just use:
>
>    gpg --with-fingerprint --import-options show-only --import < public-key-file.asc


FWIW, I've used "gpg --with-fingerprint public-key-file.asc" for what 
seems like years to do this sort of quick fingerprint check of keys. 
It's particularly handy with linux distribution package signing keys, 
which are typically not something I have any need to import to my 
keyring.


On a fedora-25 system:

   $ gpg --version
   gpg (GnuPG) 1.4.22

   $ gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   pub  4096R/FDB19C98 2016-03-31 Fedora 25 Primary (25) 

 Key fingerprint = C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98

   $ gpg2 --version
   gpg (GnuPG) 2.1.13

   $ gpg2 --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   pub   rsa4096 2016-03-31 [SCE]
 C437 DCCD 558A 66A3 7D6F  4372 4089 D8F2 FDB1 9C98
   uid   Fedora 25 Primary (25) 


I haven't looked at the documentation for --with-fingerprint in a 
while, but it does seem like it's at least leaving out some details 
regarding its use on key files which are not imported.


I have no idea whether those differences are intended and should 
simply be documented or it's considered a bug that --fingerprint and 
--with-fingerprint differ in handling unimported keys.


Also, both 2.1.13 on fedora 25 and 2.1.22 on fedora rawhide, the 
command above complains about the show-only option:


   $ gpg2 --version
   gpg (GnuPG) 2.1.22

   $ gpg2 --with-fingerprint --import-options show-only --import < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
   gpg: unknown option 'show-only'
   gpg: invalid import options

Is there a typo in that command or is show-only not in the latest 
release of the 2.1 branch?


--
Todd
~~
The most overlooked advantage to owning a computer is that if they
foul up, there's no law against whacking them around a little.
   -- Eric Porterfield





Re: Can't import valid GPG keys in Ubuntu

2009-12-09 Thread Todd Zullinger
Jim Dever wrote:
> I'm sure he meant to reply to the list.  Unfortunately this list
> doesn't generate a Reply-To back to the list so if one just hits
> Reply it goes back to the original sender and not to the list.
> I've been called on this before until I realized what was happening.
>
> If anyone on the list knows who to contact to get this fixed it
> would be greatly appreciated.  Or if I'm totally missing
> something... please tell me!

Any list configuration inquiries should be sent to the list owner.
The list owners are listed on the listinfo page, included in the
footer of each post.

That said, it's likely intentional that the list does not munge the
Reply-To header.  For much more than you may care to read, check out:

Reply-To Munging Considered Harmful
http://www.unicom.com/pw/reply-to-harmful.html

Reply-To Munging Considered Useful
http://www.metasystema.net/essays/reply-to.mhtml

And perhaps even:

Reply-To Munging Still Considered Harmful. Really.
http://woozle.org/~neale/papers/reply-to-still-harmful.html

It's sad that relatively few mail clients have proper list-reply
functionality.  But if you use one that does, it's easy to forget why
folks regularly ask for Reply-To munging. :)

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The sunshine bores the daylights out of me.
Chasing shadows moonlight mystery.





Re: Finding key ID of a keypair

2009-11-09 Thread Todd Zullinger
Dion Moult wrote:
> It's passphraseless, it's DSA, and that's pretty much all I know. I
> made it quite a long time ago, perhaps through ssh-keygen.

If you created the key with ssh-keygen, then it's an SSH key, not an
OpenPGP key.  The two systems, ssh and gpg, do not use the same key
formats.  For an ssh key, you can print out the key's fingerprint
using ssh-keygen -l -f /path/to/key

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only difference between a rut and a grave is the depth.





Re: gnupg vs. gnupg2

2009-03-15 Thread Todd Zullinger
Suno Ano wrote:
> - there is one utterly annoying fact with gpg2 which is the graphical
>   windows which keep popping up http://i43.tinypic.com/154yb04.png How
>   can I get rid of them and have the behavior of gpg which just stays
>   in the shell?

You can use the curses pinentry program.  The prompt is due to gpg2
using gpg-agent.  In ~/.gnupg/gpg-agent.conf, add:

pinentry-program /usr/bin/pinentry-curses

You may also need to set GPG_TTY in your shell init file as well.  For
example, in ~/.bashrc:

export GPG_TTY=`tty`

Give info gnupg 'Invoking GPG-AGENT' a read.  I found that helpful a
while back.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
If at first you don't succeed, try management.





Re: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.

2009-02-23 Thread Todd Zullinger
gerry_lowry (alliston ontario canada) wrote:
> The Internet took off when Microsoft, for better or worse, included
> and promoted Internet Explorer in Windows 95, thus beginning the so
> called browser wars.

That's quite arguable.  Why do you assume that MS introducing IE
*caused* the internet to take off instead of being their (delayed)
reaction to the internet taking off without them? :)

> I would be surprised and also happy to see Microsoft promote PGP/GPG
> technology.  I do not actually expect that to happen.  If it did, it
> would be good if Microsoft could stimulate PGP/GPG technology with
> more user friendliness since at the moment there's much to learn to
> understand and begin using PGP/GPG technology.

Not that I care whether MS uses, promotes, or maligns PGP/GnuPG, but:

https://www.microsoft.com/technet/security/bulletin/pgp.mspx

(Personally, I find that MS using PGP to sign their security notices
amusing.  That must be the most secure thing about their OS. :-)

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Truth is like a well-known whore.  Everybody knows her but it's
embarrassing to meet her in the street.
-- Wolfgang Borchert





Re: Setting up a new laptop - importing keyrings

2009-01-12 Thread Todd Zullinger
Anne Wilson wrote:
> I'm setting up a new netbook, and have copied into the .gnupg folder
> my keyrings and associated files from this laptop.  Kgpg lists the
> keys correctly, but all is not well.  When I try to set keys for
> signing and encryption I get the endless searching bar, as Chris
> described a few days ago.

I know nothing of Kgpg, but perhaps we can determine whether the issue
is with gpg or Kgpg and that might narrow down where to look.

> I considered starting from an empty keyring and importing signatures
> as they arrive in kmail, but I think the problem is that I don't
> know how to get the secret key recognised.

Are your secret keys listed by gpg --list-secret-keys ?  If so, then
the problem isn't with the keyrings.  It could be with Kgpg or the
gpg-agent setup (IIRC, that was what the problem a few days ago was).

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
A hen is only an egg's way of making another egg.
-- Samuel Butler





Re: GNUPGHOME for Linux?

2008-10-25 Thread Todd Zullinger
Stefan X wrote:
> On Linux I would like to change the homedirectory from ~/.gnupg to
> /something/else.
>
> Defining GNUPGHOME has no effect on my Linux system while it worked
> on Windows. Does this option not exist in GnuPG for Linux? How to
> define something similar.

GNUPGHOME works fine on linux.  How are you setting it?  If your shell
is bash, then you should use something like:

export GNUPGHOME=/something/else

Put this in ~/.bash_profile so that it gets set whenever you login.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I am willing to make the mistakes if someone else is willing to learn
from them.





Re: Import Secret Key

2008-10-03 Thread Todd Zullinger
Thomas Chitwood wrote:
> I need to import an additional secret key to my keyring. I am
> running gpg 1.4.5. What is the command to do this? I thought it
> would be gpg --import-secret-keys key id, but that doesn't seem
> to work.

Two problems:

1) There is no --import-secret-keys option.  See the manpage for valid
commands.

2) How would specifying a key id for a key that hasn't been imported
yet work?  You can use a key id for keys already on your keyrings or
when searching public keyservers, but for importing, you need to pass
a path or the key data via standard input.

You just want to use gpg --import /path/to/secret-key as you would
for importing a public key.  You might also want to set the trust
level on the imported secret key (via gpg --edit-key $keyid trust).

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only difference between a rut and a grave is the depth.





Re: Removing all installed versions of GNUPG

2008-05-27 Thread Todd Zullinger
giangios wrote:
> When I run the command: rpm -q gnupg, now doesn't show any gnupg
> installation, but I can use it.

Right -- rpm only knows about packages you add via rpm packages, not
about random things you compile from source.

> Now I need to point the distribution packages (CENTOS 4.2) to use
> the last (and unique) installed GNUPG.

You should be building a gnupg rpm.

> What shall I do? I am not very familiar to configure servers. :-/

The only sane advice would be to undo what you have done and not
attempt to replace core system components until you better understand
the system you are working with.

I would recommend reading up on building packages with rpm, if you
really feel that you must have a newer gnupg version installed in your
server(s).

A few places to start might be:

http://fedoraproject.org/wiki/Docs/Drafts/BuildingPackagesGuide
http://docs.fedoraproject.org/drafts/rpm-guide-en/
http://www.rpm.org/max-rpm-snapshot/

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Whenever you find yourself on the side of the majority, it is time to
pause and reflect.
-- Mark Twain





Re: gpg-agent/ssh-add asking for passphrase at first usage

2008-03-30 Thread Todd Zullinger
Axel Thimm wrote:
> some years ago I did create a nice gpg-agent --enable-ssh-support
> setup that would register ssh keys with the agent, but the agent
> would only ask for the passphrase when ssh would try a connection.
>
> Now I upgraded my system and this doesn't work anymore.

What exactly doesn't work?  You don't get any password prompt for
either your ssh or gpg keys?  Or you get the prompt for both now
instead of having your ssh key automatically added?  Or something else
entirely?

> Now my questions are:
[...]
> - *why* did it break with the update? The old system has gnupg 2.0.8
>   and the new one 2.0.9. But the Changelog doesn't indicate anything
>   that would make these two behave differently.

Is the new system running another agent, like the seahorse agent?  I
think that might be on by default now, and it provides similar
functionality to gpg-agent and ssh-agent.  Maybe it's causing problems?

That's just my half-educated guess. ;)

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Conscience is what hurts when everything else feels so good.





Re: GnuPH with PHP / install

2008-03-18 Thread Todd Zullinger
PeterM wrote:
> I need access to gpg with PHP through accounts on my server such as:
> /home/first_account/.gnupg
> /home/other_account/.gnupg
>
> through cPanel I can also install( have) public keys for each
> domain/account, but cannot access gpg in the server's root
> directory.
>
> Any advice will be greatly appreciated,

You want to use either the GNUPGHOME environment variable or --homedir
command line option to tell gpg where to look for its files.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The only consistent feature in all of your dissatisfying relationships
is you.
-- Demotivators (www.despair.com)





Re: keypair to/from armor format

2008-01-28 Thread Todd Zullinger
Steven Woody wrote:
> I don't trust any electrical medium ( USB disk, DVD-R and so on ) as
> backup copy of my keypairs. I think I want hardcopy of my keys.  In
> the user manual, however, I learned how to export/import public keys
> ( in armor mode ). but I don't see how to do the same on the private
> key. Is it possible? Thanks.

For a hardcopy backup of your secret key, you might also find paperkey
(which David wrote) useful:

http://www.jabberwocky.com/software/paperkey/

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I do not pretend to know where many ignorant men are sure - that is
all that agnosticism means.
-- Clarence Darrow





Re: IDEA

2008-01-23 Thread Todd Zullinger
McDougall, Marshall (STEM) wrote:
> Hi All.
>
> First postbe gentle :-}
>
> I have a RHEL server and I am having difficulty decrypting a pgp
> encrypted file.  Near as I can tell, I need the IDEA cipher.
>
> [EMAIL PROTECTED] gpg --decrypt myfile.txt
> gpg: protection algorithm 1 (IDEA) is not supported
> gpg: the IDEA cipher plugin is not present
> gpg: please see http://www.gnupg.org/why-not-idea.html for more
> information
> gpg: encrypted with 1024-bit RSA key, ID C0A298D3, created 2004-07-13
>  one_of_my_keys
> gpg: public key decryption failed: unknown cipher algorithm
> gpg: decryption failed: secret key not available
>
> I roamed around the GNUPG site and found the idea.c.gz downloads, but
> the instructions allude to directories that don't exist on my server.
> Has anyone added IDEA to an existing canned redhat installation?  I am
> open to any suggestion.  Thanks.

You can rebuild the gnupg srpm and add idea.  A few small changes to
the spec file (like in the attached diff) should do what you want.

A better solution would be to have sender encrypt the file to you
using a cipher that you can use without any patents or other
encumbrances.  Does your key have a cipher pref for IDEA?  If so, you
should fix that so other people don't encrypt things to you that you
can't easily decrypt.  You can view your prefs with:

$ gpg --edit-key C0A298D3 showpref quit

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
I never met a morphosis I didn't like.

--- gnupg.spec~ 2007-03-01 07:47:37.0 -0500
+++ gnupg.spec  2008-01-23 14:40:16.0 -0500
@@ -1,12 +1,13 @@
 Summary: A GNU utility for secure communication and data storage.
 Name: gnupg
 Version: 1.4.5
-Release: 13
+Release: 13.1
 License: GPL
 Group: Applications/System
 Source0: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
 Source1: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
 Source2: gnupg-shm-coprocessing.expect
+Source3: ftp://ftp.gnupg.dk/pub/contrib-dk/idea.c.gz
 Patch0: gnupg-1.4.1-gcc.patch
 Patch1: gnupg-1.4.2-curl.patch
 Patch2: gnupg-1.4.5-CVE-2006-6169.patch
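Review bot: the new Source3 line pulls idea.c.gz over plain FTP from ftp.gnupg.dk and, unlike Source0 (whose detached signature is listed as Source1), nothing in the spec lets the build verify it. Since this file is compiled into a crypto tool, list a signature or record a known-good checksum for it and check that in %prep before it is unpacked.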
@@ -42,6 +43,7 @@
 %patch4 -p0 -b .CVE-2006-6235
 popd
 %patch5 -p2 -b .multiple-message
+gunzip -c %{SOURCE3}  cipher/idea.c
 autoreconf
 
 %build
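Review bot: as shown, the added line `gunzip -c %{SOURCE3}  cipher/idea.c` has no output redirection, so gunzip would write the decompressed source to stdout and treat cipher/idea.c as a second input file; the `>` was most likely lost when the mail was archived, and the line needs to read `gunzip -c %{SOURCE3} > cipher/idea.c`. It also runs after the `popd`, so confirm the working directory at that point is the top of the source tree, where cipher/ lives.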
@@ -109,6 +111,9 @@
 %{_mandir}/man7/*
 
 %changelog
+* Wed Jan 23 2008 Todd Zullinger [EMAIL PROTECTED] - 1.4.5-13.1
+- include the IDEA cipher
+
 * Thu Mar  1 2007 Nalin Dahyabhai [EMAIL PROTECTED] - 1.4.5-13
 - incorporate patch from Werner to work around clients which
   can't tell that multiple plain messages have been processed (#230457)
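Review bot: the changelog entry says only "include the IDEA cipher"; it should also record that idea.c comes from the separate Source3 download rather than from the gnupg tarball, so that anyone picking up this package later knows how the build differs from the stock 1.4.5-13 and why.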




Re: GnuPG in Linux

2007-10-30 Thread Todd Zullinger
Charly Avital wrote:
> My question, please help: where, how can I find and open, actually
> open and edit as required, gpg.conf? A ls search in .gnupg lists
> 'options'. I remember that gnupg.options was the ancestor of
> gpg.conf (probably before gnupg 1.2.*).

Just rename (mv) options to gpg.conf.  Even that isn't strictly
necessary AFAIK, as gpg will read the options file if no gpg.conf is
found.

> Sorry if the question seems [is] silly, but I have a block. I have
> tried to use pico (nano), but I don't seem to strike the right
> commands.

Does running nano ~/.gnupg/options fail in some way?

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Now, now my good man, this is no time for making enemies.
-- Voltaire, on his deathbed in response to a priest asking that
he renounce Satan.





Re: How to use GnuPG to generate sha512sum hash?

2007-08-31 Thread Todd Zullinger
Moses wrote:
> I want hash some strings by using GnuPG, I know GPG have hash
> function, but I can't find how to do it in the manuals or other
> documentations on the official website. What's parameters used by
> GPG for hash?
>
> Furthermore, I would like use sha-512 hash strings from standard
> input, rather than from files, is it possible? If not, is there any
> other app can do this for me?

Perhaps this:

echo some string | gpg --print-md SHA512

is what you're looking for?

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
The best cure for insomnia is to get a lot of sleep.
-- W.C. Fields





Re: Questions about generating keys

2007-08-22 Thread Todd Zullinger
Oskar L. wrote:
> Name must be at least 5 characters long
> Why? There are probably many people who like to go only by their
> first name, and have a 3 or 4 character name.

It's generally considered useful to follow the typical format for a
user id (FirstName LastName [EMAIL PROTECTED]).  You are free to
ignore this and the --allow-freeform-uid option will bypass all checks
on the format of the user id.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
That men do not learn very much from the lessons of history is the
most important of all the lessons of history.
-- Aldous Huxley Collected Essays, 1959





Re: where i can download gpgsm?

2007-07-17 Thread Todd Zullinger
redstar wrote:
> thanks but where is official site of gpgsm downloads? its made by
> werner koch right or its debian application???

No, it's not a Debian app.

See http://www.gnupg.org/(en)/download/index.html

GnuPG 2.0

GnuPG 2.0 is the new modularized version of GnuPG supporting OpenPGP
and S/MIME

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
You can make it illegal, but you can't make it unpopular.
-- Anonymous





Re: Can't generate new keys

2007-06-03 Thread Todd Zullinger
rocko wrote:
> When i try to make a new key i get the following error:
> gpg: no writable public keyring found: eof
> Key generation failed: eof
> I'm using Ubuntu 7.04 and logged on as regular user.
> I've generated a key before but i used: sudo gpg --gen-key
> that works fine.
> I just can't seem to do it as regular user.

I'd guess that the ownership/permissions on your ~/.gnupg dir and/or
keyring files are not correct.  Check that you own the directory and
the files in ~/.gnupg using ls -la ~/.gnupg (as a regular user).  It
should look something like this:

$ ls -la .gnupg/
total 88K
drwx--  2 user user 4.0K Apr  3 15:18 .
drwx-- 43 user user 4.0K Jun  3 20:34 ..
-rw---  1 user user 9.0K Dec  8 15:51 gpg.conf
-rw---  1 user user  11K Dec  8 16:02 pubring.gpg
-rw---  1 user user 9.7K Dec  8 15:56 pubring.gpg~
-rw---  1 user user  600 Dec  8 15:57 random_seed
-rw---  1 user user 1.3K Dec  8 15:52 secring.gpg
-rw---  1 user user 1.3K Dec  8 15:56 trustdb.gpg

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Subtlety is the art of saying what you think and getting out of the
way before it is understood.
-- Anonymous





Re: Can't generate new keys

2007-06-03 Thread Todd Zullinger
rocko wrote:
> You're right it seems my permissions are wrong:
> [EMAIL PROTECTED]:~$ ls -la .gnupg/
> total 40
> drwx--  2 acidblue acidblue 4096 2007-06-03 15:42 .
> drwxr-xr-x 72 acidblue acidblue 4096 2007-06-03 17:59 ..
> -rw---  1 acidblue acidblue   28 2007-05-19 11:47 gpg.conf
> -rw---  1 root root 4203 2007-05-19 11:54 pubring.gpg
> -rw---  1 root root 4203 2007-05-19 11:54 pubring.gpg~
> -rw---  1 acidblue acidblue  600 2007-06-03 15:36 random_seed
> -rw---  1 root root 1313 2007-05-19 11:54 secring.gpg
> -rw---  1 root root 1280 2007-05-19 11:54 trustdb.gpg
>
> How do i change this?
> Can i simply 'sudo chmod' the files
> or do i have to reinstall gpg?

chown is what you want.  Something like this should do the trick:

$ sudo chown -R acidblue. ~/.gnupg

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
If the world didn't suck, we'd all fall off.
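
Added example (not part of the original posts): a read-only audit of a GnuPG home directory for the two conditions in this exchange, files owned by someone other than the user (as left behind by `sudo gpg --gen-key`) and files accessible to group or others. The function name `audit_gnupg_home` and the scratch directory are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: report ownership and mode problems under a GnuPG home
# directory. Nothing is changed; findings are only printed.

# audit_gnupg_home DIR [EXPECTED_UID]
# Prints "owner<TAB>path" or "mode<TAB>path" per finding.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_gnupg_home() {
    dir=$1
    want_uid=${2:-$(id -u)}
    if [ ! -d "$dir" ]; then
        printf 'missing\t%s\n' "$dir"
        return 2
    fi
    report=$(
        # Entries not owned by the expected user, e.g. keyrings created as root.
        find "$dir" ! -user "$want_uid" -print |
            awk '{ print "owner\t" $0 }'
        # Entries with any group or other permission bit set.
        find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                                 -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
            awk '{ print "mode\t" $0 }'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: a scratch directory standing in for ~/.gnupg.
demo=$(mktemp -d)
chmod 700 "$demo"
: > "$demo/pubring.gpg"; chmod 600 "$demo/pubring.gpg"
: > "$demo/gpg.conf";    chmod 644 "$demo/gpg.conf"   # too permissive on purpose
audit_gnupg_home "$demo" || echo "findings listed above"
rm -rf "$demo"
```

Run against the real directory as the regular user with `audit_gnupg_home ~/.gnupg`; an `owner` line for pubring.gpg or secring.gpg is the situation shown in the listing above.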





Spurious warning when using pgp compatibility modes?

2007-05-17 Thread Todd Zullinger
Hi all,

With sig-keyserver-url $URL in gpg.conf:

$ gpg --pgp7 --detach-sign test

You need a passphrase to unlock the secret key for
[...]
gpg: can't put a preferred keyserver URL into v3 signatures

Now, I know that I can't do that but I don't want to be told about it
every time I sign something when I've explicitly enabled --pgp7.  Would
it be unreasonable to ignore preferred keyserver urls when pgp[67] are
used?

I've been using the attached patch (minus the pgp2 part which I just
added) for a while to do just this and I haven't noticed any problems.
(There may be cleaner ways to do this, but this was what I got working
without knowing the code too well. :)

If it's not appropriate to patch this out, is there a good way to
silence this without losing other info?  The --quiet option doesn't do
it.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Hang in there, retirement is only thirty years away!

Index: g10/gpg.c
===
--- g10/gpg.c   (revision 4504)
+++ g10/gpg.c   (working copy)
@@ -2998,6 +2998,8 @@
xfree(s2k_digest_string);
s2k_digest_string = xstrdup(md5);
opt.compress_algo = COMPRESS_ALGO_ZIP;
+   free_strlist(opt.sig_keyserver_url);
+   opt.sig_keyserver_url=NULL;
  }
   }
 else if(PGP6)
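Review bot: the two added lines discard a sig-keyserver-url the user set in gpg.conf without leaving any trace. Since the aim is only to stop the warning on every signature, consider emitting one message at verbose level saying the preferred keyserver URL is ignored in this compatibility mode, so the dropped option can still be discovered. Setting opt.sig_keyserver_url to NULL directly after free_strlist() is the right order and avoids a dangling pointer.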
@@ -3005,12 +3007,16 @@
opt.escape_from=1;
opt.force_v3_sigs=1;
opt.ask_sig_expire=0;
+   free_strlist(opt.sig_keyserver_url);
+   opt.sig_keyserver_url=NULL;
   }
 else if(PGP7)
   {
opt.escape_from=1;
opt.force_v3_sigs=1;
opt.ask_sig_expire=0;
+   free_strlist(opt.sig_keyserver_url);
+   opt.sig_keyserver_url=NULL;
   }
 else if(PGP8)
   {
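Review bot: the same free_strlist()/NULL pair now appears in three branches (the block in the previous hunk, PGP6 and PGP7); a small static helper called from each would keep the compatibility modes from drifting apart. The message says the pgp2 part was only just added, so that branch needs its own test run before this is applied.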




Re: The Polish language in gnupg.spec is horrible

2007-04-16 Thread Todd Zullinger
Werner Koch wrote:
> we have this
>
>   https://bugs.g10code.com/gnupg/issue676
>
> bug report in the tracker.  I'd appreciate if someone else speaking
> Polish can check the supplied patch
>
>   https://bugs.g10code.com/gnupg/file84/corrected-polish.diff.gz

I can't help with the translation, but I do know that when creating
spec files for Fedora and Red Hat, the spec file is to be encoded in
either ascii or utf8.

(I'd add this to the bug directly, but it's early for me and I'm not
seeing any way to add a comment. :)

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Bureaucracy is the enemy of innovation.
-- Mark Shepherd, former President and CEO of Texas Instruments





Re: The Polish language in gnupg.spec is horrible

2007-04-16 Thread Todd Zullinger
Werner Koch wrote:
> You need to create an account first.  Sorry for that but it avoids
> spam and helps to make people think before they use the tracker as a
> help forum.  I add a comment.

Yeah, understandable.  I had created an account and still didn't see
any obvious way to add a comment.  I may just be incredibly dense
today. :)

As far as rpm goes, I'm pretty sure it will happily try to process a
spec file written in various encodings, but the results won't likely
be sane or consistent.  For Fedora, the ascii/utf8 requirement is a
sanity check for packagers so that if someone else edits a spec file
they can be assured that it is either ascii or utf8.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
User, n.: The word computer professionals use when they mean idiot.
-- Dave Barry





Re: GPG fails to verify clamav

2007-02-04 Thread Todd Zullinger
Roy Carin wrote:
> I downloaded clamav 0.90rc3 from
> http://sourceforge.net/project/showfiles.php?group_id=86638package_id=90197release_id=483125
>
> I want to verify the integrity of the downloaded file. When I do
>
> gpg --keyserver random.sks.keyserver.penguin.de --verify
> clamav-0.90rc3.tar.gz.sig
>
> it fails, saying this:
>
> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B
> gpg: Can't check signature: public key not found
>
> René Berber, in message
> http://article.gmane.org/gmane.comp.security.virus.clamav.user/24861/match=0+90rc3+sourceforge
>   , says that my GPG installation is broken.
>
> Can anyone tell me how I can fix it?

I think that the problem may be that you don't have the key on your
keyring already and you don't have the auto-key-retrieve keyserver
option enabled (it's not enabled by default).  You can either enable
that option or import the key before verifying the signature (via a
keyserver webpage or using gpg --recv-key 985A444B).

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
What a terrible thing to have lost one's mind. Or not to have a mind
at all. How true that is.
-- Dan Quayle, speaking to the United Negro College Fund
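
Added example (not part of the original post): gpg reports a missing public key and a bad signature differently on its machine-readable status channel (`--status-fd`), and a script should treat neither as a pass. The function names and the sample status lines, including key ID 0123456789ABCDEF and the fingerprint, are constructed for the illustration.

```sh
#!/bin/sh
# Added example: turn gpg's --status-fd output into a single verdict.
# Only lines starting with "[GNUPG:]" are status lines; the rest is ignored.

classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]"   { next }
        $2 == "BADSIG"     { bad = 1 }       # signature does not match the data
        $2 == "NO_PUBKEY"  { nokey = $3 }    # key not on the keyring: nothing was checked
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        $2 == "GOODSIG"    { good = 1 }
        $2 == "VALIDSIG"   { valid = 1 }
        END {
            if (bad)                print "bad"
            else if (nokey != "")   print "nokey " nokey
            else if (stale)         print "expired-or-revoked"
            else if (good && valid) print "good"
            else                    print "unknown"
        }'
}

# verify_detached SIG FILE: run gpg and classify; succeeds only for "good".
verify_detached() {
    verdict=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status)
    printf '%s\n' "$verdict"
    [ "$verdict" = "good" ]
}

# Constructed status output for three outcomes.
sample_missing_key() {
    cat <<'EOF'
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1170288275 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
EOF
}
sample_good() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455550123456789ABCDEF 2007-01-31 1170288275 0 3 0 17 2 00 0000111122223333444455550123456789ABCDEF
EOF
}
sample_bad() {
    cat <<'EOF'
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>
EOF
}

for s in sample_missing_key sample_good sample_bad; do
    printf '%-20s %s\n' "$s" "$($s | classify_gpg_status)"
done
```

A `nokey` verdict means the signature was not checked at all; after importing the key, compare its fingerprint with one the project publishes before relying on a `good` result.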





Re: Info doc conflict between 1.4.6 and 2.0.1?

2006-12-07 Thread Todd Zullinger
Werner Koch wrote:
> On Thu,  7 Dec 2006 05:37, [EMAIL PROTECTED] said:
>
>> I don't recall seeing this before, but I don't use the info docs
>> much, so maybe I've just missed it previously.  It seems that 1.4.6
>> changed the texinfo file to use the dircategory GNU Utilities
>> just as 2.0.1 does.  1.4.5 used GnuPG.  Without knowing much about
>> how install-info
>
> That is quite possible.  I forgot to do this change in the release
> candidate and it was too late to do another one due to the security
> bug.

Yes, I can understand that there were far more important things to be
done.  Here's hoping you can take this weekend off and relax. :)

>> If I'm doing something wrong or am incorrect in expecting that the
>> info files should be parallel installable, let me know.  If not, would
>> a proper fix be to use gpg2 as the entry for 2.0.1?
>
> I think so and will change it for the next release.

If it helps, attached a one line patch against current svn.  That
seems to be all that's needed to get both 1.4 and 2.0 installed
together happily.

Thanks again to you and the whole GnuPG team!

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
To tax and to please, no more than to love and be wise, is not given
to men.
-- Edmund Burke

Index: doc/gnupg.texi
===
--- doc/gnupg.texi  (revision 4372)
+++ doc/gnupg.texi  (working copy)
@@ -48,7 +48,7 @@
 
 @dircategory GNU Utilities
 @direntry
-* gpg: (gnupg).OpenPGP encryption and signing tool.
+* gpg2: (gnupg).   OpenPGP encryption and signing tool.
 * gpgsm: (gnupg).  S/MIME encryption and signing tool.
 @end direntry
 
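Review bot: only the menu label changes to gpg2; the entry still points at the `(gnupg)` info file and keeps the same description. Confirm that 1.4 and 2.0 do not also install an info file of the same name, and consider saying in the description that this entry is the 2.0 manual so the gpg and gpg2 entries can be told apart in the info directory.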




Re: Signed patch against 2.0.1

2006-12-07 Thread Todd Zullinger
Werner Koch wrote:
> Here comes a signed patch against 2.0.1 for those who care to verify
> signatures ;-).

Thanks Werner.  Seems that the list archives scrub the attachment,
which makes it less useful than it'd be otherwise, 'cause you can't
point others to the signed patch.  If any of the list owners have some
free time I'd be happy to try to get that corrected or take it to the
mailman-users list for advice if need be.  (It seems that the content
filter settings for the list may be a little aggressive.)

BTW, I really like your Content-Type boundary string. :)

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Lack of money is the root of all evil.
-- George Bernard Shaw Man and Superman, 1903





Re: Fwd: GnuPG 2.0.1 compile error

2006-12-07 Thread Todd Zullinger
David Shaw wrote:
> Ok.  The problem is simple: you don't have zlib installed, or at
> least don't have the zlib development package installed.  I'm not
> sure what it's called on Ubuntu, but there is probably some
> variation of zlib and some variation on zlib-devel.  You need
> zlib-devel.

It appears to be (the obviously named) zlib1g-dev. :)

Likewise, the bzip development package is named libbz2-dev.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Duct tape is like the Force. It has a light side, a dark side, and it
holds the universe together
-- Carl Zwanzig





Re: encrypt the sent folder

2006-12-06 Thread Todd Zullinger
John Clizbe wrote:
> Sounds unreasonable to me. It's completely beyond our scope to
> implement.

That seems more like not feasible than unreasonable.  But the results
are the same. :-)

Thank you for the explanation.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
The American Republic will endure until the day Congress discovers
that it can bribe the public with the public's money.
-- Alexis De Tocqueville.





Re: encrypt the sent folder

2006-12-06 Thread Todd Zullinger
Eray Aslan wrote:
> I thought it was a mis-configuration on my part.

Nope.  As John pointed out this is simply not feasible to do from
within Enigmail based on the way it has to interact with Thunderbird.

>> If you don't trust the IMAP server admins, then you should store
>> your mail somewhere you do trust.
>
> Nope. I am the admin.

I'll assume that means you trust you.  ;-)

>> If you are worried about someone cracking the server and getting at
>> your sent messages then encryption on the server may be sufficient,
>> but would involve either changes to your mail client or some other
>> sort of access to your mailbox on the server.
>
> The servers in question already have encryption at the file system
> level with cryptsetupLUKS for Linux and truecrypt for windows boxes.
> But the trouble is these do not provide any defense against attacks
> through the network.  They will happily serve the emails thru the
> network to the appropriate user when asked.  FS encryption is only
> good at boot time.  Once the partition is mounted, you can access
> the data.

True.  An encrypted FS that's always mounted isn't too secure.

> I can give the end users a smartcard or a usb stick.  The objective
> is to provide a solution so that not even the admin can read the
> emails

Well, as I understand your original query, you're looking to get
security on the sent messages that are not encrypted to the recipient.
In that case, the message goes out via IMAP and SMTP on the server and
thus the admin could just grab a copy somewhere in that process.
That'd be a lot easier to do than trying to crack the gpg encrypted
message in your sent mailbox.

ISTM that the only good way for you to get the security you want in
this case is to send the mail encrypted in the first place.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Rupert!  I told you to watch the bags!  You were watching the boys
again weren't you!
-- Stewie Griffin





Re: encrypt the sent folder

2006-12-06 Thread Todd Zullinger
Robert J. Hansen wrote:
> Todd Zullinger wrote:
>> That seems more like not feasible than unreasonable.  But the
>> results are the same. :-)
>
> Infeasible: we have the manpower, we have the tools, we have the
> talent, but the architecture is working against us in a big way.
>
> Unreasonable: our manpower is stretched so thin that all infeasible
> RFEs are unreasonable expectations of us.

I suppose that's one way to define the terms.  I was thinking that
unreasonable would be more aptly applied to a request that wasn't
grounded in any good reasoning.  Not feasible could be applied for
either lack of manpower or lack of an available set of hooks to
achieve the goal.

> As is unfortunately common with open-source projects, there's a
> major lack of manpower on Enigmail.  If you know Javascript and
> would like to get your hands dirty with Enigmail, why not volunteer
> over on the Enigmail list?  :)

While I think that the Enigmail team has done a really great job of
integrating OpenPGP into Thunderbird[1], I'm a happy Mutt user and not
looking to switch back to any graphical MUA. ;-)

I sincerely appreciate the efforts of all those folks that create the
tools so many of us use, from the kernel hackers working on low level
drivers for obscure functions I will likely never understand, to David,
Werner, Timo and all the GnuPG developers/contributors, to Ingo, John,
Patrick and others who spend hours integrating those pieces into easy
to use graphical interfaces that I can teach a friend to use pretty
quickly.

[1] For Windows, Thunderbird with Enigmail is the only thing I'd
recommend to friends getting started.  For linux, it's either
Thunderbird/Enigmail or Kmail.  Both projects have done a lot to make
using PGP both seamless and secure.

-- 
Todd  OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
The chains of habit are too weak to be felt until they are too strong
to be broken
-- Samuel Johnson (1709-1784)





Info doc conflict between 1.4.6 and 2.0.1?

2006-12-06 Thread Todd Zullinger
I was updating my system to 1.4.6 today and noticed the following in
the make install output (I've got 2.0.1 installed already):

install-info: menu item `gpg' already exists, for file `gnupg'

I don't recall seeing this before, but I don't use the info docs much,
so maybe I've just missed it previously.  It seems that 1.4.6 changed
the texinfo file to use the dircategory GNU Utilities just as 2.0.1
does.  1.4.5 used GnuPG.  Without knowing much about how install-info
works, I'm guessing that it's balking because both programs try to
create a gpg entry in the same info section.

If I'm looking to install both 1.4.6 and 2.0.1 simultaneously,
shouldn't the info pages for both versions be able to coexist?

If I'm doing something wrong or am incorrect in expecting that the
info files should be parallel installable, let me know.  If not, would
a proper fix be to use gpg2 as the entry for 2.0.1?

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
No oppression is so heavy or lasting as that which is inflicted by the
perversion and exorbitance of legal authority.
-- Joseph Addison





Re: Info doc conflict between 1.4.6 and 2.0.1?

2006-12-06 Thread Todd Zullinger
Charly Avital wrote:
> I am a MacOS X user (10.4.6), unable till now to compile 2.0.1 (posted
> a few messages explaining why).
> If you are a MacOS X user, could you please explain how you succeeded
> to compile 2.0.1. Thanks.

Sorry, I'm using linux.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
It is impossible to enjoy idling thoroughly unless one has plenty of
work to do.
-- Jerome K. Jerome





Re: encrypt the sent folder

2006-12-05 Thread Todd Zullinger
Eray Aslan wrote:
> Surely there must be a better way.  These all require admin access
> to the IMAP server.  The software already does what I want some of
> the time (when I send the recipient encrypted email).  I just want
> it to do it all the time.

This doesn't seem like an entirely unreasonable feature request to make of
Enigmail.  Perhaps you'd want to check in with the Enigmail folks to
see if they would consider adding such a feature?  It has some
potential to be useful but it might be icky to implement.

Obviously, if you send a message unencrypted but store it encrypted,
you won't really have an accurate record of your sent mail.  The
headers and MIME parts will be different.  Some people prefer that
what's in their sent mailbox be exactly equal to what was sent.
(Pedants. :)

I am curious though, what particular threats are you concerned about?
That might help shape what options would be best to take.

If you don't trust the IMAP server admins, then you should store your
mail somewhere you do trust.

If you are worried about someone cracking the server and getting at
your sent messages then encryption on the server may be sufficient,
but would involve either changes to your mail client or some other sort
of access to your mailbox on the server.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Oh, I feel so deliciously white trash!  Mommy, I want a mullet!
-- Stewie Griffin



Re: Logo ballot reminder

2006-11-30 Thread Todd Zullinger
Wouter van Heyst wrote:
> It certainly was enough to make my brain register it as unreadable,
> I only went back to it when Werner mentioned the deadline again.
> Looking at it now I agree it is rather minimal as far as html goes,
> but it's still not something I'd willingly read as email (had to
> spawn a browser to look at it).

Egad, open a browser for that?  :)

I just have mutt dump html only messages through w3m -dump and display
the text.  That's after my other filters weed out the really obvious
trash and spam.  And then only for messages that are HTML only.  If
they are multipart alternative I prefer the text/plain part.

Until it was mentioned here I hadn't noticed that the message was HTML
only actually.

> The system was fairly easy to use, the hardest part was deciding how
> the various entries ranked :)

I'll second that.  :)

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Statistics are like a lamp-post to a drunken man - more for leaning on
than illumination.



Re: pgp.sig as an attachment

2006-10-15 Thread Todd Zullinger
Sebastian wrote:
> I am using GnuPG with Apple Mail and the GPGMail plugin.
>
> When I sign a message, the mail is sent with the attached file
> pgp.sig. However, I would prefer to have the signature inside the
> message and not in an attachment.
>
> How would I do this?

You need to tell GPGMail not to use PGP/MIME.  You can disable that by
default (in the prefs on the Composing tab).  Check the GPGMail docs
for details on this.  The GPGMail mailing list might be able to offer
more insights if you need them.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
Outside of a dog, a book is a man's best friend.  Inside of a dog,
it's too dark to read.
-- Groucho Marx



Re: sig!3 entry vs sig! entry on certain GnuPG keys from the PuTTY software site

2006-08-25 Thread Todd Zullinger
Alphax wrote:
> There is a default certification level option that can be used
> either on the command line or in a config file - normally GnuPG will
> ask you for the certification level when you sign a key, but the
> default /can/ be used if the right options are set, and /will/ be
> used at the time of key generation.

I believe you will not normally be asked for a cert-level, at least
not with most recent versions of gpg (I forget when that changed
exactly).  You must set ask-cert-level in your config or on the
command line to be prompted.

-- 
Todd        OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
==
What it means to take rights seriously is that one will honor them
even when there is a significant social cost in doing so.
-- Ronald Dworkin



Re: How to verify the file was successfully encrypted...

2006-07-12 Thread Todd Zullinger
Jonathan Rockway wrote:
> BTW, why are you encrypting these files anyway?  If someone broke into
> your computer they could just steal the crypto key too.

True, unless the private key isn't kept on the same machine.  Which
also would negate the ability to decrypt the file on the server to
verify that the encryption was successful. :)

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Those who have been intoxicated with power... can never willingly
abandon it.
-- Edmund Burke



Re: Keysigning challenge policies/procedures

2006-07-11 Thread Todd Zullinger
Atom Smasher wrote:
> pgp Key Signing Observations: Overlooked Social and Technical
> Considerations
> http://www.linuxsecurity.com/content/view/121645/49/
>
> there's a few sections in that article that might be of interest.

Indeed, thank you Atom!  I'll pass this link along for more
information after my short talk.

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Politicians are the same all over. They promise to build bridges even
when there are no rivers.
-- Nikita Khrushchev



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
Ingo Klöcker wrote:
> Try CA-Bot (http://cabot.alioth.debian.org/).

Thanks Ingo.

> I haven't used it myself because I'm using a self-written script for
> creating challenges with KMail.

Could you elaborate a little on the procedure you use to generate the
challenges?  I'd love to have some examples of how other folks do
things to present to my fellow LUG members.

> But I've been sent a few challenges generated by CA-Bot. Last time I
> received such a message, it said (at least IIRC) that CA-Bot
> couldn't handle signed and/or encrypted replies. So using CA-Bot you
> can only check whether the person you send the challenge to can
> decrypt the challenge, but you can't check whether he also controls
> the signing key.

That's unfortunate, since the signature is more important than the
decryption, AFAIAC.  I'll take a look and see if CA-bot can't be
useful as a starting point for some scripts of my own.

>> Isn't it a good thing to send some random data to each UID on the
>> key someone wishes you to sign and require that they send back that
>> data signed by the key to prove they control both the key and the
>> email address in the UID?
>
> Where control the email address is different from is the owner of
> the email address. Anybody between you and the owner of the email
> address can intercept the challenge, sign it and send it back to
> you.

Of course, but they can't sign it with the key I've been asked to sign
and which I verified from the key fingerprint and other owner details,
unless they are the proper owner of that key.

> This is especially a problem with email addresses which don't
> contain the name, but just some random alias, nickname or whatever.
> [EMAIL PROTECTED] could be anyone's email address.

Right.  But if we met in person and I showed you acceptable ID,
provided you with the key fingerprint and other key data, then
returned a challenge from you signed using the key matching the
fingerprint that you verified in our meeting, you know that I am in
control of the key and that I can get mail at [EMAIL PROTECTED]
Obviously, others can read mail there too and that's why I'm using GPG
to ensure that I'm the only one that will be able to decipher mail
sent to that address and generate verifiable email from that address.

Thanks,

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
You will never find time for anything.  If you want time you must make
it.
-- Charles Buxton



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
Marcus Frings wrote:
> * Todd Zullinger [EMAIL PROTECTED] wrote:
>
>> What I don't see in any of the links is more information about
>> sending an email challenge before signing a key.  (My apologies if
>> I'm overlooking it on your page or any of the others.)
>
> Before I used a protocol to signing keys where I sent out random
> strings as challenge response but it's not worth. There is no
> enhanced security and only more work for signer and signee. If
> you send the signed UIDs encrypted to each mail address separately
> it has the same effect in security because if the mail address
> bounces or the person behind the address doesn't have the private
> key your signed UIDs won't become publicly available.

But that does mean that you can't get a signed key to someone if the
key you've signed doesn't have any encryption capabilities, correct?
Unless, of course, you have told the signee that they must provide you
with a key which they wish to have the signed keys encrypted to.

Have you found in practice that you don't run into many sign-only
keys that you are asked to certify?

> There are some scripts around but don't use CA-Bot as Ingo
> suggested. As he has already said it has problems with so-called
> sign-only-keys and it sends out broken mails. caff, from the same
> author, handles these keys much better. It can be downloaded from
> the third link I mentioned. Besides it is already available in
> Debian and FreeBSD.

Thanks, I'll look closer at caff.  I didn't pull down the package and
play with it yet.

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
You're not drunk if you can lie on the floor without holding on.
-- Dean Martin



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
Ingo Klöcker wrote:
> On Friday 07 July 2006 17:09, Todd Zullinger wrote:
> [...]
>> But that does mean that you can't get a signed key to someone if
>> the key you've signed doesn't have any encryption capabilities,
>> correct?
>
> That's obviously correct. In this case you could give the key owner
> a piece of paper with a random string and ask him to send it in a
> signed message to your email address. Then you know that he can use
> this key for signing messages. Obviously, you can't check the
> validity of the email addresses belonging to this key (unless he's
> got an encryption key you can use for checking the addresses).

Is it really necessary to encrypt the challenge?  If the key has
encryption capabilities, I would do so, but if it was a sign only key
and I could not do so, just what sort of attacks or weaknesses are
there in sending the challenge in the clear?  I've seen David Shaw
point out that it didn't gain you much.  I'm just trying to work
through the possible scenarios so I have them clear in my mind before
trying to present this to a larger group, who may well end up with
questions on this that I'd like to have better answers for than I do
now.

>> Have you found in practice that you don't run into many sign-only
>> keys that you are asked to certify?
>
> Among a few hundred keys I've signed so far only a handful were
> sign-only or certification-only keys. I did simply sign them with a
> lower verification level.

Okay.  I would have guessed that you probably wouldn't run into
terribly many keys like this, but thank you for giving some practical
experience to support this.

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
...unfortunately, we can't control the actions of everyone.
-- Bill Clinton, April 20, 1993



Re: Keysigning challenge policies/procedures

2006-07-07 Thread Todd Zullinger
Hi David,

David Shaw wrote:
> I've been away on vacation and only picked up this thread now.

Hope it was relaxing.  Welcome back seems like a negative thing to
say.  ;)

> This statement is not correct.  Back in the PGP 2.x days, this might
> have been true, but with OpenPGP, there is no particular requirement
> that the ability to sign and the ability to decrypt are connected.
> You can have a shared key with separate capabilities.
>
> Sending a signed key via encrypted mail does not ensure anything
> about the key owner.

Marcus and Ingo have been very helpful in providing pretty specific
procedures that they've used (and documented) for key signing.  I've
read with interest the comments that you've made over the years as the
topic of keysigning has come up and I'd be very appreciative if you
could share a basic outline of the procedure you take or recommend.

As I alluded to at the start of this thread, I've been volunteered to
give a talk on the process and reason behind key signing at an
upcoming meeting of my local LUG.  I've been trying to find as many
different people's policies and procedures as I can prior to my
presentation to a) refresh my memory and b) prepare for potential
questions on why one might use a particular method.

I highly respect the methods you've outlined on this list and I think
the members of my local LUG could benefit greatly from being exposed
to the policy/procedure for handling keys they come across at a key
signing party.

Thanks much for your efforts on GnuPG.  Like OpenSSH, it's one of the
applications that I use every single day and would have a hard time
living without.

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Life is the art of drawing without an eraser.
-- John Gardner



Keysigning challenge policies/procedures

2006-07-06 Thread Todd Zullinger
Hi,

I'm putting together a short talk for my local LUG as we're planning
to have a keysigning party in the near future and some folks want to
hear more details so they'll understand better.

I was wondering if some folks here have detailed their challenge
policies and procedures and if you'd mind sharing them if you have?
Even handier would be some scripts to help in the automation of this
task.  ;)

In particular, I like how David Shaw has explained the pitfalls with
various approaches to doing the email challenge several times on the
list.  David, is your challenge policy something you've posted
anywhere?

Thanks in advance for any tips and pointers,

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Politics:  A strife of interests masquerading as a contest of
principles.  The conduct of public affairs for private advantage.
-- Ambrose Bierce



Re: Keysigning challenge policies/procedures

2006-07-06 Thread Todd Zullinger
Marcus Frings wrote:
> * Todd Zullinger [EMAIL PROTECTED] wrote:
>
>> I was wondering if some folks here have detailed their challenge
>> policies and procedures and if you'd mind sharing them if you have?
>> Even handier would be some scripts to help in the automation of this
>> task.  ;)
>
> http://www.sc-delphin-eschweiler.de/pgp/
> http://sion.quickie.net/keysigning.txt
> http://pgp-tools.alioth.debian.org/

Thank you Marcus.  I had actually found your page while doing some
research and read it.  Very nicely outlined.  Thank you for sharing it
with the world.

I believe that we will be using the method outlined in Len Sassaman's
and Phil Zimmermann's paper from above.  This too I had read while
researching this earlier.  (It's good to know I've run across some of
the same info you recommend. :)

What I don't see in any of the links is more information about sending
an email challenge before signing a key.  (My apologies if I'm
overlooking it on your page or any of the others.)

It's been discussed here before but I've not found any scripts or good
details that I could point my fellow LUG members toward.  Isn't it a
good thing to send some random data to each UID on the key someone
wishes you to sign and require that they send back that data signed by
the key to prove they control both the key and the email address in
the UID?

Many thanks for the helpful information,

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Money can't buy happiness, but it sure makes living in misery easier.

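The per-UID email challenge discussed in the keysigning thread above (random data to each UID, returned signed by the key, with sign-only keys unable to receive it encrypted), as an added example that is not part of any of the original posts. It assumes GnuPG's `--with-colons` key listing and `--status-fd` VALIDSIG line as input; the keys, fingerprints, addresses and function names are constructed for illustration.

```python
import secrets

# Constructed sample: `gpg --with-colons --fingerprint --list-keys` style
# records for two made-up keys (IDs, fingerprints and names are placeholders).
SAMPLE_LISTING = """\
pub:-:2048:1:AAAAAAAAAAAAAAAA:1150000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:-::::1150000000::HASH1::Alice Example <alice@example.org>:
uid:-::::1150000000::HASH2::Alice Example <alice@work.example>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1150000000::::::e:
pub:-:1024:17:CCCCCCCCCCCCCCCC:1150000000:::-:::scSC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210CCCCCCCC:
uid:-::::1150000000::HASH3::Bob Example <bob@example.net>:
"""

# Constructed `gpg --status-fd 1 --verify` lines for a reply signed by the
# first key above.
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice Example <alice@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFAAAAAAAA 2006-07-07 "
    "1152288000 0 3 0 1 2 01 0123456789ABCDEF0123456789ABCDEFAAAAAAAA\n"
)


def parse_keys(listing):
    """Return one dict per primary key: fingerprint, user IDs, encrypt capability."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 12: uppercase letters are the usable capabilities of the
            # whole key, so "E" means some (sub)key can receive encrypted mail.
            current = {"fingerprint": None, "uids": [], "can_encrypt": "E" in f[11]}
            keys.append(current)
        elif current is None:
            continue
        elif f[0] == "fpr" and current["fingerprint"] is None:
            current["fingerprint"] = f[9]   # first fpr after pub: the primary key
        elif f[0] == "uid":
            current["uids"].append(f[9])    # field 10: the user ID string
    return keys


def make_challenges(key):
    """One independent random token per user ID, so each address is tested
    separately. A sign-only key cannot be sent an encrypted challenge."""
    delivery = "encrypted" if key["can_encrypt"] else "cleartext"
    return [{"uid": uid, "token": secrets.token_hex(16), "delivery": delivery}
            for uid in key["uids"]]


def check_response(status_output, verified_text, expected_fpr, token):
    """Accept a reply only if gpg reported a valid signature whose primary key
    fingerprint is the one checked in person, and the signed text carries the
    token that was mailed to that UID."""
    signers = set()
    for line in status_output.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            args = parts[2:]
            # The 10th argument, when present, is the primary key fingerprint;
            # the first is the fingerprint of the (sub)key that made the signature.
            signers.add((args[9] if len(args) >= 10 else args[0]).upper())
    return expected_fpr.upper() in signers and token in verified_text


if __name__ == "__main__":
    for key in parse_keys(SAMPLE_LISTING):
        for challenge in make_challenges(key):
            print(key["fingerprint"], challenge["delivery"], challenge["uid"])
```

`verified_text` must be the data gpg itself wrote out while verifying, not the raw mail body, since only the former is covered by the signature.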


Re: mime and pgp.asc

2006-06-13 Thread Todd Zullinger
alifbaa wrote:
> I am currently using GPG 1.4.3 on my mac powerbook G4 OSX 10.4.6  I hope that
> this is the right forum to post this question, but when i send an email with
> attachment and encrypt and sign it, it converts the message into two
> attachments, one that says mime-attachment and one that says pgp.asc.  I
> don't want this.  I want it to encrypt and sign it and it have an encrypted
> message at the top and an encrypted attachment at the bottom.  I am
> currently sending these emails with the two attachments to a coworker with a
> PC that uses PGP and he cannot decrypt my emails.  Any help would be greatly
> appreciated.

It sounds like you are sending mail using the PGP/MIME format and your
coworker's mail client can't handle that.  What mail clients are you
and your recipient using?  What version of PGP is your coworker using?

Knowing that, someone here may be able to let you know what, if any,
settings can be changed on either system to enable you to
communicate.

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
What it means to take rights seriously is that one will honor them
even when there is a significant social cost in doing so.
-- Ronald Dworkin



Re: sha2 utilities: Print or check SHA-2 digests

2006-06-10 Thread Todd Zullinger
rmyster wrote:
> Yes, suse 10.1 with coreutils-5.93-20.  In the info manual, sha2 is
> mentioned under section 6.6 (sha2 utilities) and all it says is The
> usage and options of these commands are precisely the same as for
> `md5sum'.
>
> While this isn't a linux mailing list, md5sum is part of gnupg.

No, it's not.  md5sum is part of the coreutils package.  You're using
suse, which is an rpm based distro, so if I may extend the slightly
off-topic posts a little, here's a handy way for you to find out what
package a file belongs to:

$ rpm -qf /usr/bin/md5sum

On my FC5 system this returns coreutils-5.93-7.2.

> The closest other choice was the coreutils bug lists and this didn't
> seem like a bug related question.

How not?  If the docs state an application is available and it's not
it's a bug - either in the docs or in the packaging.  In any case, I
took a blind leap of faith and searched for the string sha2 on the
coreutils mailing list and the very first item returned[1] was titled:

Re: Not finding sha256sum

It's a documentation bug in coreutils.  Total time spent, 30 secs. :)

[1] http://lists.gnu.org/archive/html/bug-coreutils/2005-12/msg00170.html

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
A diplomat is a person who can tell you to go to Hell in such a way
that you actually look forward to the trip.
-- Anonymous



Re: GnuPG asks for confirmation...

2006-06-03 Thread Todd Zullinger
engage wrote:
> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
>> engage wrote:
>>> Why is someone sending an encrypted message to this list?
>>
>> It's not encrypted.  It's just signed and armored.
>>
>> Doesn't your mail client automatically display this for you?
>
> No. I keep getting prompted for my passphrase for this message.
> Kmail.

Just hit enter.  There isn't any encryption, but the message is
armored and as others have pointed out, email software often just
assumes any pgp chunk that begins with BEGIN PGP MESSAGE is
encrypted and asks for a passphrase to pass on to gpg.  I've used mutt
with gpg-agent for years now and have grown accustomed to not having
that prompt unless a passphrase was truly required.  :)

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Be who you are and say what you feel because those who mind don't
matter and those who matter don't mind.
-- Dr Seuss, Oh the Places You'll Go



Re: GnuPG asks for confirmation...

2006-06-02 Thread Todd Zullinger
Mark Brown wrote:
> On Thu, Jun 01, 2006 at 10:59:54PM -0400, Todd Zullinger wrote:
>> engage wrote:
>>> Why is someone sending an encrypted message to this list?
>>
>> It's not encrypted.  It's just signed and armored.
>>
>> Doesn't your mail client automatically display this for you?
>
> Many mail clients will assume that any GPG message is encrypted and
> prompt for a passphrase prior to invoking GPG.

I guess I just take it for granted because using mutt along with
gpg-agent, I don't get such a password request.  I'd be curious if
kmail would do the same if configured to use the gpg-agent.

Without the agent, mutt prompts as well.  It's just been a long long
time since I wasn't using gpg-agent. :)

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Nothing says, Obey me! like a bloody head on a fence post.
-- Stewie Griffin

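The two "GnuPG asks for confirmation" messages above turn on a mail client treating every BEGIN PGP MESSAGE block as encrypted. As an added example that is not part of the original posts, this sketch shows how a client could tell the two cases apart by reading the first OpenPGP packet tag (RFC 4880) before prompting; the sample blocks are constructed and carry only a plausible first packet header, and the function names are hypothetical.

```python
import base64

# First-packet tags that mean the outer layer is encrypted (RFC 4880, 4.3):
# 1 public-key ESK, 3 symmetric-key ESK, 9 and 18 encrypted data.
ENCRYPTED_FIRST_TAGS = {1, 3, 9, 18}


def crc24(data):
    """CRC-24 used for the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data):
    """Wrap raw packet bytes in ASCII armor (used here to build the samples)."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    checksum = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    head = ["-----BEGIN PGP MESSAGE-----", "Version: constructed sample", ""]
    return "\n".join(head + body + [checksum, "-----END PGP MESSAGE-----"]) + "\n"


def first_packet_tag(armored):
    """Decode the armor body and return the tag of the first packet."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored OpenPGP block")
    if "" not in lines:
        raise ValueError("armor headers are not terminated by a blank line")
    body = []
    for ln in lines[lines.index("") + 1:]:
        if ln.startswith("=") or ln.startswith("-----END"):
            break                          # checksum line or end of armor
        body.append(ln)
    data = base64.b64decode("".join(body))
    if not data or not data[0] & 0x80:
        raise ValueError("first octet is not an OpenPGP packet header")
    if data[0] & 0x40:
        return data[0] & 0x3F              # new-format header: tag in bits 5-0
    return (data[0] >> 2) & 0x0F           # old-format header: tag in bits 5-2


def is_encrypted(armored):
    """True only when decryption, and so possibly a passphrase, is needed."""
    return first_packet_tag(armored) in ENCRYPTED_FIRST_TAGS


# Constructed samples. 0xA3 is an old-format compressed-data packet (tag 8),
# the usual start of a signed, armored, unencrypted message; 0x85 is an
# old-format public-key encrypted session key packet (tag 1).
SIGNED_ONLY = armor(bytes([0xA3, 0x01]) + b"constructed compressed stream")
ENCRYPTED = armor(bytes([0x85, 0x00, 0x04]) + b"\x03\x00\x00\x00")

if __name__ == "__main__":
    for name, block in (("signed only", SIGNED_ONLY), ("encrypted", ENCRYPTED)):
        print(name, first_packet_tag(block), is_encrypted(block))
```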


Re: Signing vs. encrypting was: Cipher v public key.

2006-06-01 Thread Todd Zullinger
Janusz A. Urbanowicz wrote:
> gpg integrates better with automation and I really doubt that there is
> current, supported PGP for anything else than windows and mac.

While I prefer gnupg to pgp myself, I did just happen to see a
reference to pgp command line today.  Here are the platforms it
supports:

 * Windows 2003
 * Windows XP SP1
 * Windows 2000 SP4
 * HP-UX 11i or above (PA-RISC only)
 * IBM AIX 5.2 or above
 * Red Hat Enterprise Linux 3.0 or above (x86 only)
 * Solaris 8 or above (SPARC only)
 * Mac OS X 10.3 or above

http://download.pgp.com/products/pdfs/PGP_CL902_DS_050825_F.pdf

Not a terribly small list, except when compared to what gnupg will run
on. :)

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
The man who is a pessimist before forty-eight knows too much; the man
who is an optimist after forty-eight knows too little.
-- Mark Twain



Re: How to tell the gpg agent to forget a passphrase

2006-03-16 Thread Todd Zullinger
Olaf Gellert wrote:
> Hi,
>
> is there any documentation on the commands that the
> gpg agent understands?

info gnupg has documentation on gpg-agent.  I'm not sure if it has all
that you're looking for, but it should be a good start.

> I am using gpg agent with Mozilla/Enigmail. This works
> fine. One thing that I am missing is how to tell the
> agent to forget the stored passphrases.

Send the agent a SIGHUP.  That will clear all stored passphrases.

> By the way: What does --enable-ssh-support do? Sounds
> like acting as a replacement for the ssh-agent?

It is.  The info page has an example for how to do this.

-- 
Todd        OpenPGP - KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
==
Every time I close the door on reality, it comes in through the
windows.
