Re: PGP Desktop and GPG
Cool, thanks everyone!

Regards,
Bruce

>>> John Clizbe <[EMAIL PROTECTED]> 15/03/2007 4:10 p.m. >>>
Bruce Cowin wrote:
> If I have generated a key using PGP Desktop, would I be able to import and
> use that key with GnuPG? Our subscription to PGP Desktop is about to expire
> and it says the functionality will be reduced to that of PGP Freeware. All
> we do with it is encrypt files (not emails), so I think this is ok. I'm not
> sure if the PGP Desktop gui interface will stop working or not, so thought
> we could use GnuPG and Gpg4Win which we currently use on another project to
> replace PGP Desktop.

The PGP GUI in freeware mode should continue working. The paid elements
include the email plugins and PGPdisk.

It is fairly easy to import your entire keyring set to GnuPG

    gpg --import \path\to\secring.skr
    gpg --import \path\to\pubring.pkr

The above works at this time (PGP 9.x and GnuPG 1.4). It will quite possibly
change at some future date. The canonical method is to export the keys from
PGP and import them into GnuPG.

Adding '--import-options import-local-sigs' to the command line will import
local signatures.

--
John P. Clizbe                  Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."
"Just how do the residents of Haiku, Hawai'i hold conversations?"

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: PGP Desktop and GPG
On Thu, Mar 15, 2007 at 02:28:31PM +1300, Bruce Cowin wrote:
> Thanks David. But if I'm only encrypting files for others (and not
> decrypting any), then I only need to export their public key, right?
> My private key doesn't come into it, does it?

That's correct. Most people do need to decrypt stuff sent to them, and so
they'd need a private key. If you are strictly encrypting to others, then
all you need is their public key.

David
Re: GNUPG, how to set the passphrase as parameter in comment line
Hi,

>You have a few choices:
>1) remove the passphrase from the private key
>2) pass the passphrase to gpg using the --passphrase-fd option
>3) supply the passphrase using the --passphrase-file option
>4) supply the passphrase using the --passphrase option

5) use GPGME library

I think this is the best way to "automate". I built dll, but cannot post
"howto" yet, sorry.

I found,
1: to send passphrase in passphrase_cb, must not "write" to fd, use
   "_gpgme_io_write"
2: GPGME has some memory leak, need to free some object
   debug_lock, notify_table_lock, reader_table_lock, writer_table_lock, ...
...and so on

--
HIRA, Shuichi
Atlas Information Service Inc. IT Development Room
[EMAIL PROTECTED]
Re: PGP Desktop and GPG
Thanks David. But if I'm only encrypting files for others (and not
decrypting any), then I only need to export their public key, right? My
private key doesn't come into it, does it?

Thanks again.

Regards,
Bruce

>>> David Shaw <[EMAIL PROTECTED]> 15/03/2007 2:00 p.m. >>>
On Thu, Mar 15, 2007 at 10:45:27AM +1300, Bruce Cowin wrote:
> If I have generated a key using PGP Desktop, would I be able to
> import and use that key with GnuPG? Our subscription to PGP Desktop
> is about to expire and it says the functionality will be reduced to
> that of PGP Freeware. All we do with it is encrypt files (not
> emails), so I think this is ok. I'm not sure if the PGP Desktop gui
> interface will stop working or not, so thought we could use GnuPG
> and Gpg4Win which we currently use on another project to replace PGP
> Desktop.

The short answer is yes, any key you generate with a roughly recent PGP
Desktop can be used with GnuPG, and vice versa. Just export it from one
(remember to export the secret key too) and import it into the other.

David
Re: PGP Desktop and GPG
On Thu, Mar 15, 2007 at 10:45:27AM +1300, Bruce Cowin wrote:
> If I have generated a key using PGP Desktop, would I be able to
> import and use that key with GnuPG? Our subscription to PGP Desktop
> is about to expire and it says the functionality will be reduced to
> that of PGP Freeware. All we do with it is encrypt files (not
> emails), so I think this is ok. I'm not sure if the PGP Desktop gui
> interface will stop working or not, so thought we could use GnuPG
> and Gpg4Win which we currently use on another project to replace PGP
> Desktop.

The short answer is yes, any key you generate with a roughly recent PGP
Desktop can be used with GnuPG, and vice versa. Just export it from one
(remember to export the secret key too) and import it into the other.

David
Cardreader Pinpad only on linux ?
Hi,

this community is one of the best I've ever seen. Now, I've a little
question: Is the smartcard-reader-pinpad function only available under
linux-system or should this work under windows?

I'm using a SCM-Card-Reader: Chipdrive Pinpad 532. The cardreader works
perfectly with gpg, just the pinpad is unused.

Thanks a lot!

Bye,
Sebastian
PGP Desktop & GnuPG
Bruce Cowin wrote:
> If I have generated a key using PGP Desktop, would I be able to import and use that key with GnuPG? Our subscription to PGP Desktop is about to expire and it says the functionality will be reduced to that of PGP Freeware. All we do with it is encrypt files (not emails), so I think this is ok. I'm not sure if the PGP Desktop gui interface will stop working or not, so thought we could use GnuPG and Gpg4Win which we currently use on another project to replace PGP Desktop.
>
> Thanks for any help.

I was unable to 'trim' this Reply cause You have a word wrap issue. However;
for what You are doing, the Freeware version should perform just Fine.

Answer to Main Question; YES, You can Import your PGP Keyrings into GnuPG.
Fact of the matter; I know several individuals using *one* Keyring for both
PGP & GPG.

Personally, I prefer GnuPG over PGP for several reasons; the most primary
being that I find more functionality in GnuPG.

HTH!

JOHN 8-)
Timestamp: Wednesday 14 Mar 2007, 18:59 --400 (Eastern Daylight Time)
PGP Desktop and GPG
If I have generated a key using PGP Desktop, would I be able to import and
use that key with GnuPG? Our subscription to PGP Desktop is about to expire
and it says the functionality will be reduced to that of PGP Freeware. All we
do with it is encrypt files (not emails), so I think this is ok. I'm not sure
if the PGP Desktop gui interface will stop working or not, so thought we
could use GnuPG and Gpg4Win which we currently use on another project to
replace PGP Desktop.

Thanks for any help.

Regards,
Bruce
Re: signing source code with gpg
On Wed, Mar 14, 2007 at 06:42:48PM +0100, Werner Koch wrote:
> On Wed, 14 Mar 2007 18:06, [EMAIL PROTECTED] said:
> > revision control system changes the content of the files it will
> > invalidate the signature.

I've read opinions that keyword expansion is deprecated, and seeing things
like:

$MBSDlabs: portmk/bsd.ocaml.mk,v 1.18 2006/08/06 18:47:23 stas Exp $
$FreeBSD: ports/Mk/bsd.ocaml.mk,v 1.1 2007/03/14 04:05:25 linimon Exp $

makes me tend to agree. While this shows the origin of the file in multiple
repositories, does it really help the upstream author when merging patches
from downstream?

Also, CVS (and probably other systems) doesn't update keywords until after a
checkin+checkout cycle, so any signatures you [re]generate before the next
checkout will be[come] broken. Thus, using keyword expansion means you have
to trust the server to give back your files with hopefully only the keywords
modified before you can [re-]sign them. Of course, this requires two checkins
and is particularly noticeable (i.e., ugly) and even more problematic (i.e.,
"The sigs are broken in -r5, get -r6.") on newer systems with atomic commits
that would otherwise prevent this (keyword-expansion-race) problem.

> FWIW, I use this with some files and Subversion:
>
> # Note: The subversion copy of this file carries a gpg:signature
> # property with its OpenPGP signature. Check this signature before
> # adding entries:
> # f=foo; svn pg gpg:signature $f | gpg --verify - $f
> # to create a new signature:
> # f=foo; gpg -sba $f && svn ps gpg:signature -F $f.asc $f

Finally! :)

But (for those who may be unaware), unfortunately this will allow valid sigs
from _any key_ you happen to have in _any of the keyrings_ GPG accesses
during this step. Now seems like a good time to ask for an option like:

    --require-sig-from [ ...]

to make sure sigs are only from particular signers.

As an add-on to the FreeBSD ports system, I've already had to employ
--status-fd to make sure I get a signature from an expected signer:

===> Verifying PGP signature gnupg-1.4.7.tar.bz2.sig
gpg: assuming signed data in `/usr/ports/distfiles//gnupg-1.4.7.tar.bz2'
gpg: Signature made Mon Mar 5 04:54:17 2007 EST using RSA key ID 1CE0C630
gpg: please do a --check-trustdb
gpg: Good signature from "Werner Koch (dist sig) <[EMAIL PROTECTED]>"
Primary key fingerprint: 7B96 D396 E647 1601 754B E4DB 53B6 20D0 1CE0 C630
gpg: binary signature, digest algorithm SHA1
===> Valid sig. from expected ID 0x7B96D396E6471601754BE4DB53B620D01CE0C630.

versus a key ID that differs even by only one bit:

===> Verifying PGP signature gnupg-1.4.7.tar.bz2.sig
gpg: assuming signed data in `/usr/ports/distfiles//gnupg-1.4.7.tar.bz2'
gpg: Signature made Mon Mar 5 04:54:17 2007 EST using RSA key ID 1CE0C630
gpg: please do a --check-trustdb
gpg: Good signature from "Werner Koch (dist sig) <[EMAIL PROTECTED]>"
Primary key fingerprint: 7B96 D396 E647 1601 754B E4DB 53B6 20D0 1CE0 C630
gpg: binary signature, digest algorithm SHA1
=> error: File wasn't signed by ID 0x7B96D396E6471601754BE4DB53B620D01CE0C631.
=> error: Make sure sigs. from ID 0x7B96D396E6471601754BE4DB53B620D01CE0C630
=> error: are legitimate before adjusting FP_SIG_000 in Makefile.csig
*** Error code 1

or several expected signers:

===> Verifying PGP signature subversion-1.4.3.tar.bz2.asc
gpg: armor header: Version: GnuPG v1.4.5 (Cygwin)
gpg: armor header: Version: GnuPG v1.4.3 (GNU/Linux)
gpg: armor header: Version: GnuPG v1.4.5 (GNU/Linux)
gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
gpg: armor header: Version: GnuPG v1.4.6 (Darwin)
gpg: assuming signed data in `/usr/ports/distfiles/subversion/subversion-1.4.3.tar.bz2'
[snip]
===> Valid sig. from expected ID 0x03341CF464A23E9416E76B1EA1FCE25133D38008
23885E64C64E981E4884834D7C535299C0F2C580 332480DA0F8CA37DAEE6D0840B03AE6E4E24517C
3C016F2B764621BB549C66B516A96495E2226795 AAFF6033364F02BB1239907567D9B249674F05E0.

(As implemented, this requires at least one VALIDSIG from every fingerprint
in the list.)

NB: This facilitates [re]fetching the key(s) in advance of the signature
check to help catch any revocations _and_ removes the need to --[l]sign keys
to "memorize" them as "expected" signers and/or to juggle keyrings, esp. with
gpgv.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
[EMAIL PROTECTED] _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
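The VALIDSIG check Jason describes, as an added example that is not part of the thread and not the FreeBSD ports code: a small Python checker that parses `--status-fd` output and reports which expected fingerprints produced no VALIDSIG, so that a "Good signature" from some other key in the keyring (or a fingerprint that differs in one digit) fails instead of passing. The status lines below are constructed; the fingerprint is the one quoted above, the other fields and the address are made up. `gpg_status_lines` assumes a `gpg` binary on the PATH and is the only part that is not exercised offline.

```python
"""Require a VALIDSIG from every expected signer in gpg --status-fd output.

Added example (not from the gnupg-users thread or the FreeBSD ports tree).
"""
import subprocess
from typing import Iterable, List, Set


def parse_validsig_fingerprints(status_lines: Iterable[str]) -> Set[str]:
    """Collect fingerprints from '[GNUPG:] VALIDSIG <fpr> ...' status lines.

    The human-readable stderr text ('gpg: Good signature from ...') is
    deliberately ignored: only the machine-readable status protocol is used,
    and only VALIDSIG (good signature AND the key is known) counts.
    """
    found: Set[str] = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            found.add(fields[2].upper())
    return found


def check_expected_signers(status_lines: Iterable[str],
                           expected: Iterable[str]) -> List[str]:
    """Return the expected fingerprints that produced NO VALIDSIG.

    An empty list means every expected signer signed the file, which is the
    rule Jason's Makefile.csig applies. Spaces in fingerprints (as printed
    by gpg) and lower-case hex are normalised before comparison.
    """
    wanted = {fpr.replace(" ", "").upper() for fpr in expected}
    return sorted(wanted - parse_validsig_fingerprints(status_lines))


def gpg_status_lines(sig_path: str, data_path: str) -> List[str]:
    """Run gpg --verify with the status protocol on stdout and return its lines.

    Needs a gpg binary; not used by the offline sample below.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return [line for line in proc.stdout.splitlines() if line.startswith("[GNUPG:]")]


# Constructed status output modelled on the gnupg-1.4.7 example in the
# thread. Only the fingerprint is taken from the thread; timestamps, the
# signature id and the address are made up.
SAMPLE_STATUS = [
    "[GNUPG:] SIG_ID constructedSigIdValue 2007-03-05 1173088457",
    "[GNUPG:] GOODSIG 53B620D01CE0C630 Werner Koch (dist sig) <dist-sig@example.invalid>",
    "[GNUPG:] VALIDSIG 7B96D396E6471601754BE4DB53B620D01CE0C630 2007-03-05 "
    "1173088457 0 3 0 1 2 00 7B96D396E6471601754BE4DB53B620D01CE0C630",
    "[GNUPG:] TRUST_UNDEFINED",
]

if __name__ == "__main__":
    ok = check_expected_signers(
        SAMPLE_STATUS, ["7B96 D396 E647 1601 754B E4DB 53B6 20D0 1CE0 C630"])
    one_bit_off = check_expected_signers(
        SAMPLE_STATUS, ["7B96D396E6471601754BE4DB53B620D01CE0C631"])
    print("missing signers (expected none):", ok)
    print("missing signers (expected one):", one_bit_off)
```

Pinning full fingerprints rather than 32- or 64-bit key IDs matters here: the status protocol's GOODSIG line carries only the long key ID, while VALIDSIG carries the full fingerprint, and it is the fingerprint that should be compared.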
Enabling GPGRelay passphrase prompt on e-mail startup
GPGRelay works great in our current 15 user setup. However, some of my users
miss the opportunity to enter in their GPGRelay passphrase when their mail
client first notifies them to enter in their passphrase upon receipt of
encrypted mail. If they don't see that they need to enter in their
passphrase, then after about 30 seconds GPGRelay times out and relays the
e-mail in its encrypted form into their inbox.

While this isn't the end of the world since they can still copy the body of
the e-mail to the clipboard, decrypt it and then paste the decrypted contents
into Notepad or something similar, we're hoping that we can find a way to
make GPGRelay prompt for the passphrase immediately upon startup or when
their mail client first checks e-mail so they have some consistency. As it is
now, the users may not get prompted to enter in their password until some
random time in the middle of the day when they first receive some encrypted
e-mail.

Does anyone know how to modify when GPGRelay can prompt for the passphrase to
force it to prompt upon initial startup or upon initial receipt of email?

For full disclosure, all the clients are running on Windows 2000/XP, Outlook
2003 as the mail client, GPG client 1.4.1 and GPGRelay 0.959.

Thanks so much!
Re: signing source code with gpg
On Wed, 14 Mar 2007 18:06, [EMAIL PROTECTED] said:
> revision control system changes the content of the files it will
> invalidate the signature.

FWIW, I use this with some files and Subversion:

# Note: The subversion copy of this file carries a gpg:signature
# property with its OpenPGP signature. Check this signature before
# adding entries:
#   f=foo; svn pg gpg:signature $f | gpg --verify - $f
# to create a new signature:
#   f=foo; gpg -sba $f && svn ps gpg:signature -F $f.asc $f

Shalom-Salam,

   Werner
Re: gpg-agent: Different TTLs for different keys
I had a workaround in mind that involved using multiple homedirs (one in
~/.gnupg and the other in ~/.backup-system2/crypto/gnupg) and then spinning
up one gpg-agent for each, using the first one's GPG_AGENT_INFO in the normal
shells and the other in the backup scripts only. To get the passphrase cached
the first time, I'd steal this page from Gentoo's keychain script:

# The alternate GPG_AGENT_INFO and GNUPGHOME have already been imported
echo | gpg --use-agent --no-tty --sign --local-user backup \
    -o - >/dev/null 2>&1

I'll be working on that. In the meantime, it would be kind of a nice option,
and I don't think it's quite as complex as the issue you mentioned (though I
could be wrong).

Thanks
PSM

Werner Koch wrote:
> On Wed, 14 Mar 2007 15:09, [EMAIL PROTECTED] said:
>
>> I want to set gpg-agent to handle both, but the TTL on the e-mail key
>> should be 5 minutes and the TTL on the backup key should be indefinite
>> (I should only have to enter it every time I boot). Is there a way to
>> do this?
>
> No. Or not yet. It is related to https://bugs.g10code.com/gnupg/issue672.
>
> Shalom-Salam,
>
>    Werner
Re: GNUPG, how to set the passphrase as parameter in comment line
You have a few choices:

1) remove the passphrase from the private key
2) pass the passphrase to gpg using the --passphrase-fd option
3) supply the passphrase using the --passphrase-file option
4) supply the passphrase using the --passphrase option

On Mar 14, 2007, at 1:04 AM, aloha wrote:

> Hi all,
>
> I'm new in this forum and new in GnuPG. I'm now writing a program which
> needs to encrypt the outputted csv with GnuPG. I've written a batch file
> in Windows XP to execute the gnu to encrypt, everything goes fine. But
> when the gnu starts to encrypt, it will ask me to input the passphrase.
> How to "automate" this? Does gnupg provide a parameter which allows the
> user to input the passphrase so that the user doesn't need to input it
> every time?
>
> thanks a lot
>
> Aloha
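One way to take choice 2 above, as an added example that is neither David's nor GnuPG's code: a Python wrapper that builds the gpg command line with `--passphrase-fd 0` and writes the passphrase to gpg's stdin, so the secret never appears in the process list. The gpg options used are real; the helper names, the recipient and the file names are placeholders I chose.

```python
"""Feed gpg a passphrase over a file descriptor rather than on the command line.

Added example, not from the thread. Assumes a gpg binary on the PATH.
"""
import subprocess
from typing import List


def build_encrypt_argv(infile: str, recipient: str, outfile: str,
                       passphrase_fd: int = 0) -> List[str]:
    """Build argv for a non-interactive sign-and-encrypt of one file.

    The passphrase is deliberately absent from argv: anything on the command
    line (choice 4, --passphrase <secret>) is visible to other local users in
    the process list, while --passphrase-fd reads it from a descriptor that
    only this process and gpg share.
    """
    return [
        "gpg", "--batch", "--yes", "--no-tty",
        "--passphrase-fd", str(passphrase_fd),
        "--recipient", recipient,
        "--output", outfile,
        "--sign", "--encrypt", infile,
    ]


def encrypt_with_passphrase(infile: str, recipient: str, outfile: str,
                            passphrase: str) -> int:
    """Run gpg with the passphrase written to its stdin (fd 0); return the exit code.

    fd 0 is used rather than a dedicated pipe so the same code works on
    Windows, where the original poster's batch file runs.
    """
    argv = build_encrypt_argv(infile, recipient, outfile, passphrase_fd=0)
    proc = subprocess.run(argv, input=passphrase + "\n", text=True,
                          capture_output=True, check=False)
    if proc.returncode != 0:
        # gpg reports problems on stderr; surface them without the passphrase.
        print(proc.stderr.strip())
    return proc.returncode


if __name__ == "__main__":
    # Placeholder values; the passphrase would normally come from a file with
    # restrictive permissions or a secrets store, never from source code.
    rc = encrypt_with_passphrase("report.csv", "ops@example.invalid",
                                 "report.csv.gpg", "placeholder-passphrase")
    print("gpg exit code:", rc)
```

Note that plain public-key encryption (`--encrypt --recipient`) needs no passphrase at all: gpg prompts only when it must unlock a secret key (signing, decrypting) or derive a key from the passphrase (`--symmetric`). If the batch job only encrypts to someone else's public key, the prompt itself is the thing to remove.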
Re: signing source code with gpg
On Wed, 14 Mar 2007 18:02, [EMAIL PROTECTED] said:
> two factors it's really just way better to --detach-sign the code.

I 100% agree. The problem with non-detached signatures is that it is very
hard to know what you exactly signed. Having two files makes it obvious what
is the signature and what is the signed data. And there is no need to change
the data in any way.

Shalom-Salam,

   Werner

p.s. In this regard PGP/MIME messages (not using the combined option) are
also better than any other way to sign mails. That is also why you should
never use the inline PDF signatures - a separate signature file is far
better. Only XML signatures are worse than inline PDF signatures.
Re: gpgsm doesn't recognize certs are related to secret keys)
On Wed, 14 Mar 2007 15:12, [EMAIL PROTECTED] said:
> I realize now this one was an RTFM. Problem was, I expected this
> information in man gpgsm, not man gpg-agent...

Yeah, I should really write the setup chapter for the manual.

Salam-Shalom,

   Werner
Re: gpg-agent: Different TTLs for different keys
On Wed, 14 Mar 2007 15:09, [EMAIL PROTECTED] said:
> I want to set gpg-agent to handle both, but the TTL on the e-mail key
> should be 5 minutes and the TTL on the backup key should be indefinite
> (I should only have to enter it every time I boot). Is there a way to
> do this?

No. Or not yet. It is related to https://bugs.g10code.com/gnupg/issue672.

Shalom-Salam,

   Werner
GNUPG, how to set the passphrase as parameter in comment line
Hi all,

I'm new in this forum and new in GnuPG. I'm now writing a program which needs
to encrypt the outputted csv with GnuPG. I've written a batch file in Windows
XP to execute the gnu to encrypt, everything goes fine. But when the gnu
starts to encrypt, it will ask me to input the passphrase. How to "automate"
this? Does gnupg provide a parameter which allows the user to input the
passphrase so that the user doesn't need to input it every time?

thanks a lot

Aloha
Re: signing source code with gpg
In this case a detached signature would be your best bet. You would check the
detached sig in with the source code. When the source is checked out, you
could then validate that the source has not changed since it was signed.

Be careful, though, if you use any embedded keywords with your revision
control system ($Id$, et al). If the revision control system changes the
content of the files it will invalidate the signature.

-Joe

On Mar 12, 2007, at 7:02 PM, Nathan Smith wrote:

> Does anyone know if there's a solution to signing source code (using
> gpg), in a way which will still allow the source code to function. For
> example for a Java file if the GPG signature code be placed within the
> comments embedded within the Java source (ie /* */ ), or within XML
> comments (ie ) for an XML file. We are trying to implement a source
> signing policy at our company, where a developer's source code is signed
> before it is checked into our source control system. But of course, the
> source must still be able to compile, and signing must not affect the
> functionality of the source.
>
> Thanks..
>
> Nate
Re: signing source code with gpg
There are certainly some hacks you could try out, but they would be somewhat
error-prone. The easiest and most secure way to go about this would probably
be to --detach-sign instead of doing a cleartext signature. If you require a
cleartext signature, reconsider your design. If you still require a cleartext
signature, _reconsider your design_. If you _still_ require a cleartext
signature, here's something that would clearsign a (slightly modified) Java
file and still compile:

echo "/*" > startcomment.tmp
echo "*/" > endcomment.tmp
cat endcomment.tmp HelloWorld.java startcomment.tmp | \
    gpg --not-dash-escaped --no-escape-from-lines --clearsign | \
    cat startcomment.tmp - endcomment.tmp > HelloWorld.signed.java

The signed part itself is not valid Java, but the result of the message after
signing is. If you were to actually use this, anyone who verifies your code
will be required to make sure nothing substantive occurs before or after the
signed part (i.e., nothing before the start line except /* and nothing after
the end line except */); it would be easy to sneak in some bad code.
Additionally, your verifiers would need GnuPG to verify since the
NotDashEscaped extension is included. Between these two factors it's really
just way better to --detach-sign the code.

HTH
PSM

Nathan Smith wrote:
> Does anyone know if there's a solution to signing source code (using gpg), in
> a way which will still allow the source code to function. For example for a
> Java file if the GPG signature code be placed within the comments embedded
> within the Java source (ie /* */ ), or within XML comments (ie )
> for an XML file. We are trying to implement a source signing policy at our
> company, where a developer's source code is signed before it is checked into
> our source control system. But of course, the source must still be able to
> compile, and signing must not affect the functionality of the source.
> Thanks..
>
> Nate
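The check PSM says every verifier of such a file must make, as an added example that is not PSM's code and not part of the thread: a Python function that confirms nothing but `/*` precedes the clearsigned message and nothing but `*/` follows it, rejects files with more than one signed message, and hands the extracted message to `gpg --verify` (the only step that needs a gpg binary; the structural check runs offline). Both sample files are constructed; the signature block inside them is not a real signature, and the layout is the one PSM's `cat ... | gpg --clearsign | cat ...` pipeline produces.

```python
"""Structural check for a Java file clearsigned inside a comment block.

Added example, not from the thread. The signature covers only the text
between the PGP armor lines, so any line outside the '/*' ... '*/' wrapper
is unsigned code the compiler would still accept; this check refuses it.
"""
import subprocess
from typing import Optional, Tuple

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_wrapped(text: str) -> Optional[Tuple[str, str, str]]:
    """Split a wrapped file into (prefix, clearsigned message, suffix).

    Returns None unless exactly one signed message is present; a second
    BEGIN line would let unsigned text hide between two armor blocks.
    """
    lines = text.splitlines()
    if lines.count(BEGIN_MSG) != 1 or lines.count(END_SIG) != 1:
        return None
    b = lines.index(BEGIN_MSG)
    e = lines.index(END_SIG)
    if e < b:
        return None
    prefix = "\n".join(lines[:b])
    message = "\n".join(lines[b:e + 1]) + "\n"
    suffix = "\n".join(lines[e + 1:])
    return prefix, message, suffix


def only_comment_delimiters_outside(text: str) -> bool:
    """True iff the unsigned part is exactly '/*' before and '*/' after.

    Blank lines are tolerated; any other unsigned line (code, a second
    comment opener, an import) fails the check.
    """
    parts = split_wrapped(text)
    if parts is None:
        return False
    prefix, _, suffix = parts
    before = [ln for ln in prefix.splitlines() if ln.strip()]
    after = [ln for ln in suffix.splitlines() if ln.strip()]
    return before == ["/*"] and after == ["*/"]


def verify_wrapped_file(text: str) -> bool:
    """Structural check first, then gpg --verify on the extracted message.

    Needs a gpg binary and the signer's key in the keyring; which key is
    acceptable is a separate check (see the --status-fd example earlier).
    """
    if not only_comment_delimiters_outside(text):
        return False
    _, message, _ = split_wrapped(text)
    proc = subprocess.run(["gpg", "--batch", "--verify"],
                          input=message.encode(), capture_output=True, check=False)
    return proc.returncode == 0


# Constructed sample in the layout PSM's pipeline emits. The signature
# block is a placeholder, not a real OpenPGP signature.
SIGNED_OK = """/*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

*/
public class HelloWorld {
    public static void main(String[] args) { System.out.println("hello"); }
}
/*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

PLACEHOLDERnotARealSignatureBlock==
=0000
-----END PGP SIGNATURE-----
*/
"""

# Same file with an unsigned class appended after the closing '*/'.
SIGNED_TAMPERED = SIGNED_OK + "class Unsigned { }\n"

if __name__ == "__main__":
    print("clean file wrapper ok:", only_comment_delimiters_outside(SIGNED_OK))
    print("tampered file wrapper ok:", only_comment_delimiters_outside(SIGNED_TAMPERED))
```

The structural check is necessary, not sufficient: it only guarantees that everything a compiler will act on lies inside the text gpg verifies, so `gpg --verify` (and a check on which key signed) still has to run. This is exactly the extra burden PSM points to as the reason a detached signature is the better design.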
signing source code with gpg
Does anyone know if there's a solution to signing source code (using gpg), in
a way which will still allow the source code to function. For example for a
Java file if the GPG signature code be placed within the comments embedded
within the Java source (ie /* */ ), or within XML comments (ie ) for an XML
file. We are trying to implement a source signing policy at our company,
where a developer's source code is signed before it is checked into our
source control system. But of course, the source must still be able to
compile, and signing must not affect the functionality of the source.

Thanks..

Nate
gpgsm doesn't recognize certs are related to secret keys
I've extracted some Thawte and CAcert keys and certs from my browser and
imported them into gpgsm. ls -l ~/.gnupg/private-keys-v1.d/ lists the three
private keys that I imported, and all of the corresponding certs show up in
--list-keys:

$ gpgsm --list-keys psmay
/home/psmay/.gnupg/pubring.kbx
-
       Serial number: 067A86EB7BA000EF5E6F6341D8070D7E
              Issuer: /CN=Thawte Personal Freemail Issuing CA/O=Thawte Consulting (Pty) Ltd./C=ZA
             Subject: /CN=Peter Samuel May/[EMAIL PROTECTED]/GN=Peter Samuel/SN=May
                 aka: [EMAIL PROTECTED]
            validity: 2006-10-09 18:39:01 through 2007-10-09 18:39:01
            key type: 2048 bit RSA
         fingerprint: 96:D2:E8:44:1D:7B:31:8B:C8:CC:07:ED:E3:A0:C2:73:41:A3:56:E9

       Serial number: 02C4AD
              Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/[EMAIL PROTECTED]
             Subject: /[EMAIL PROTECTED]/[EMAIL PROTECTED]
                 aka: [EMAIL PROTECTED]
                 aka: [EMAIL PROTECTED]
            validity: 2006-10-12 14:24:50 through 2007-10-12 14:24:50
            key type: 2048 bit RSA
         fingerprint: 43:F3:E6:0B:1B:25:4E:BA:3A:69:DA:56:8E:F8:35:08:CD:4B:A7:52

       Serial number: 02C5B0
              Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/[EMAIL PROTECTED]
             Subject: /CN=Peter Samuel May/[EMAIL PROTECTED]/[EMAIL PROTECTED]
                 aka: [EMAIL PROTECTED]
                 aka: [EMAIL PROTECTED]
            validity: 2006-10-13 05:52:09 through 2007-10-13 05:52:09
            key type: 2048 bit RSA
         fingerprint: 26:D3:A8:D9:00:F0:C9:A1:AE:38:3C:25:39:C0:D6:31:29:95:44:F8

(The CAs' certs also show up when I don't qualify this with my name.)

However, it doesn't seem to realize that it has the secret keys for these
certs:

$ gpgsm --list-secret-keys
/home/dro/.gnupg/pubring.kbx
-
$

And since it doesn't, I also can't use the private keys:

$ gpgsm --local-user 26:D3:A8:D9:00:F0:C9:A1:AE:38:3C:25:39:C0:D6:31:29:95:44:F8 --sign somefile
gpgsm: can't sign using `26:D3:A8:D9:00:F0:C9:A1:AE:38:3C:25:39:C0:D6:31:29:95:44:F8': No secret key

Anyone have any ideas?

Thanks
PSM
Re: gpgsm doesn't recognize certs are related to secret keys
Neglected to mention that the aforementioned problem was in gpgsm from
gnupg-2.0.3, with it and its four dependencies at latest release versions,
freshly compiled this weekend.
gpg-agent: Different TTLs for different keys
In the stupid gpg-agent tricks department:

Say I have two signing keys. One of them signs e-mails and one of them is
used by an automated backup process; admittedly not as trustworthy (which is
why I don't want to use my e-mail key) but better than nothing if my access
control holds up otherwise.

I want to set gpg-agent to handle both, but the TTL on the e-mail key should
be 5 minutes and the TTL on the backup key should be indefinite (I should
only have to enter it every time I boot). Is there a way to do this?

Thanks
PSM
Re: gpgsm doesn't recognize certs are related to secret keys)
> * Is there a user trustlist.txt that can be used instead, or do I need
>   to edit trustlist.txt as root every time a change needs to be made?

I realize now this one was an RTFM. Problem was, I expected this information
in man gpgsm, not man gpg-agent...

Thanks
PSM
Re: gpgsm doesn't recognize certs are related to secret keys)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On the one hand, yes, it was a gpg-agent problem. It turned out that seahorse-daemon was running and screwing up the whole thing. - --list-secret-keys started working once I unset GPG_AGENT_INFO. It still complained that there was no gpg-agent running, though. Does gpgsm require a gpg-agent running? I don't recall gpg2 requiring it. Anyway, I got a gpg-agent up and running and tried again. This is what happened: $ gpgsm --sign somefile dirmngr[4522]: error opening `/home/psmay/.gnupg/dirmngr_ldapservers.conf': No such file or directory dirmngr[4522]: permanently loaded certificates: 0 dirmngr[4522]: runtime cached certificates: 0 dirmngr[4522]: no CRL available for issuer id dirmngr[4522]: crl_fetch via issuer failed: Configuration error dirmngr[4522]: command ISVALID failed: Configuration error gpgsm: certificate #/CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA gpgsm: checking the CRL failed: Configuration error gpgsm: error creating signature: Configuration error I figured that this was a sign that I should disable some checking--it's my own private key, so there shouldn't be any trust issues, right? 
So I tried this: $ gpgsm --verbose --disable-crl-checks --disable-ocsp --sign somefile gpgsm: no key usage specified - assuming all usages gpgsm: no key usage specified - assuming all usages gpgsm: certificate is good gpgsm: certificate is good gpgsm: checking the trust list failed: No such file or directory gpgsm: error creating signature: No such file or directory The agent log says this: 2007-03-14 09:21:28 gpg-agent[5376] handler 0x808c820 for fd 7 started gpg-agent[5376.7] DBG: -> OK Pleased to meet you gpg-agent[5376.7] DBG: <- RESET gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- OPTION display=:0.0 gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- OPTION ttyname=/dev/pts/0 gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- OPTION ttytype=xterm gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- OPTION lc-ctype=en_US.UTF-8 gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- OPTION lc-messages=en_US.UTF-8 gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- HAVEKEY gpg-agent[5376.7] DBG: -> OK gpg-agent[5376.7] DBG: <- ISTRUSTED 2007-03-14 09:21:28 gpg-agent[5376] error opening `/usr/local/etc/gnupg/trustlist.txt': No such file or directory 2007-03-14 09:21:28 gpg-agent[5376] error reading list of trusted root certificates 2007-03-14 09:21:28 gpg-agent[5376] command is_trusted failed: No such file or directory gpg-agent[5376.7] DBG: -> ERR 67141713 No such file or directory gpg-agent[5376.7] DBG: <- [EOF] 2007-03-14 09:21:28 gpg-agent[5376] handler 0x808c820 for fd 7 terminated Not knowing what to put in trustlist.txt, I gave it a touch just to see what would happen. 
$ gpgsm --verbose --disable-crl-checks --disable-ocsp --sign somefile
gpgsm: no key usage specified - assuming all usages
gpgsm: no key usage specified - assuming all usages
gpgsm: certificate is good
gpgsm: certificate is good
gpgsm: root certificate is not marked trusted
gpgsm: fingerprint=20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: BEGIN Certificate `issuer':
gpgsm: DBG: serial: 00
gpgsm: DBG: notBefore: 1996-01-01 00:00:00
gpgsm: DBG: notAfter: 2020-12-31 23:59:59
gpgsm: DBG: issuer: 1.2.840.113549.1.9.1=#,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA
gpgsm: DBG: subject: 1.2.840.113549.1.9.1=#,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA
gpgsm: DBG: hash algo: 1.2.840.113549.1.1.4
gpgsm: DBG: SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
gpgsm: DBG: END Certificate
gpgsm: after checking the fingerprint, you may want to add it manually to the list of trusted certificates.
gpgsm: interactive marking as trusted not enabled in gpg-agent
gpgsm: error creating signature: Not trusted

I added that fingerprint as a line to trustlist.txt, fixed the gpg-agent config (apparently it didn't have a default pinentry), restarted gpg-agent (kill -HUP pid didn't do the trick), and suddenly everything worked.

All this said, here are my questions:

* Why does gpgsm do all of this trust checking just to use a private key? Why don't private keys already have (the S/MIME equivalent to) ultimate trust?
* Why didn't I already have a trustlist.txt? Shouldn't the source install process at least touch the file?
* Is gpg-agent actually necessary for all this? What's wrong with accepting my passphrase at the console if it's not running?
  (All right, I've already gathered that gpg-agent does way more than password caching, in which case the real question is, why is so much of this functionality in gpg-agent instead of gpgsm?)
* Is there a user trustlist.txt that can be used instead, or do I need to edit trustlist
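The "root certificate is not marked trusted" / "error reading list of trusted root certificates" failures above both come from gpg-agent's ISTRUSTED lookup in trustlist.txt. The following is an added example, not GnuPG's code, that reproduces that lookup in Python: it accepts the colon-separated fingerprint gpgsm prints, parses the trustlist.txt syntax (fingerprint plus an S/P/* flag, "#" comments, "!" to disable an entry) and distinguishes a missing file, an empty file and a present-but-unusable entry. The sample trustlist is constructed; the Thawte fingerprint is the one from the log.

```python
import re

SHA1_HEX = re.compile(r"^[0-9A-F]{40}$")  # 20-byte SHA-1 fingerprint, bare hex
# Constructed sample in trustlist.txt syntax: fingerprint, then a flag
# ("S" = S/MIME, "P" = OpenPGP, "*" = both); "#" starts a comment and a
# leading "!" disables an entry.  First entry is the Thawte root from the post.
SAMPLE_TRUSTLIST = """\
# trusted root certificates (constructed sample)
20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85 S
!0000000000000000000000000000000000000001 S
"""
THAWTE_FPR = "20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85"


def normalize_fpr(fpr):
    """Accept gpgsm's colon-separated form or bare hex; return bare uppercase hex."""
    digest = fpr.replace(":", "").replace(" ", "").upper()
    if not SHA1_HEX.match(digest):
        raise ValueError("not a SHA-1 fingerprint: %r" % fpr)
    return digest


def parse_trustlist(text):
    """Return {fingerprint: (flag, disabled)} for every non-comment line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.lstrip("!").split()
        if len(fields) < 2:
            continue  # malformed: fingerprint without a flag
        entries[normalize_fpr(fields[0])] = (fields[1], line.startswith("!"))
    return entries


def is_trusted(fpr, trustlist_text, usage="S"):
    """Decide like gpg-agent's ISTRUSTED: (trusted, reason); None means no file."""
    if trustlist_text is None:
        return False, "error reading list of trusted root certificates"
    entry = parse_trustlist(trustlist_text).get(normalize_fpr(fpr))
    if entry is None:
        return False, "root certificate is not marked trusted"
    flag, disabled = entry
    if disabled:
        return False, "entry present but disabled with '!'"
    if flag not in ("*", usage):
        return False, "entry flagged %s, not valid for %s usage" % (flag, usage)
    return True, "trusted"
```

Against a real installation, feed is_trusted the contents of the user's ~/.gnupg/trustlist.txt (or None when the file does not exist) and the fingerprint gpgsm printed.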
Re: GnuPG incompatible with windows-vista ?
On Wed, Mar 14, 2007 at 09:05:28AM +0100, Werner Koch wrote:
> On Wed, 14 Mar 2007 03:41, [EMAIL PROTECTED] said:
>
> > If anyone is building on Vista (or building elsewhere but using it on
> > Vista), try this patch.
>
> I have built a version with that patch. The upx packed gpg.exe binary
> is available at:
>
> ftp://ftp.g10code.com/g10code/scratch/gpg.exe
>
> $ sha1sum gpg.exe
> 9dbde44dc9275e2b4918839c7a789040dda0a64b gpg.exe

Thanks for building this. It looks good, so I'll commit the patch for the next releases.

David

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GnuPG incompatible with windows-vista ?
Hi,

> ftp://ftp.g10code.com/g10code/scratch/gpg.exe
>
> $ sha1sum gpg.exe
> 9dbde44dc9275e2b4918839c7a789040dda0a64b gpg.exe

It seems it works perfectly! Thanks a lot!

Bye,
Sebastian
Re: GnuPG incompatible with windows-vista ?
Werner Koch wrote:
> On Wed, 14 Mar 2007 03:41, [EMAIL PROTECTED] said:
>
>> If anyone is building on Vista (or building elsewhere but using it on
>> Vista), try this patch.
>
> I have built a version with that patch. The upx packed gpg.exe binary
> is available at:
>
> ftp://ftp.g10code.com/g10code/scratch/gpg.exe
>
> $ sha1sum gpg.exe
> 9dbde44dc9275e2b4918839c7a789040dda0a64b gpg.exe

I happen to have a Vista installation. I tried to download and upload keys from hkp servers -- the patched version of gpg is working fine here :-)

-Patrick
Re: Pinpad problem with SCM SPR532
On Wed, 14 Mar 2007 02:26, [EMAIL PROTECTED] said:

> I recently bought an SCM SPR532 for testing purposes, and "gpg
> --card-status" works (without pcscd running), but when pinentry asks me
> to enter the PIN on the pinpad (tested with decryption, signing, and
> verify pin) it gives the following error in the log file of scdaemon, in

I can confirm that there is a regression. Currently checking what I did wrong.

Shalom-Salam,

   Werner
Re: Pinpad problem with SCM SPR532
Hi,

It does not seem to be a regression. After connecting the reader and running scdaemon as:

  gpg-agent --daemon sh
  gpgsm --edit-key

I entered the command "verify" and got the same error as you. Then I stopped scdaemon (exit from the shell) and ran the same commands again. Now it works. However, the right LED (enter pin) stays lit after the PIN has been entered. Thus there is something wrong with the internal state of the reader. I can't recall whether I noticed that in the past. This needs further investigation.

As a workaround I would kill scdaemon so that gpg-agent starts a new one - which should then work as described above.

[tracked as bug 773]

Salam-Shalom,

   Werner
Re: gpgsm doesn't recognize certs are related to secret keys
On Tue, 13 Mar 2007 23:41, [EMAIL PROTECTED] said:

>
> $ gpgsm --list-secret-keys
> /home/psmay/.gnupg/pubring.kbx
>
> $

There might be a problem with the gpg-agent. Make sure that gpg-agent is running and add

  verbose
  debug 1024
  log-file /for/bar/agent.log

to gpg-agent.conf. Give a running gpg-agent a HUP or start it again. You may also use

  gpg-agent --daemon sh

and do your test within this shell. You should see lines like

  DBG: <- HAVEKEY D6B7B913F20010E8A68DC14B7B72C296C79C773A
  DBG: -> ERR 67108881 No secret key
  DBG: <- HAVEKEY 0DEB2ED35B879151B1EDA067B0F290116C7915EB
  DBG: -> OK

No OK lines? Run

  gpgsm --dump-keys

which will show you the keygrip. The keygrip is what you see in the gpg-agent requests, and they are also the basenames of the files below private-keys-v1.d/.

Salam-Shalom,

   Werner
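An added example, not GnuPG's code, that automates the check described in this reply: it pairs each HAVEKEY request in a gpg-agent debug log with the agent's OK/ERR answer and compares the keygrips against the <keygrip>.key files below private-keys-v1.d/, so a missing key file can be told apart from an agent that cannot see a file that does exist. The log excerpt is constructed from the two keygrips quoted above, and the homedir path passed to keygrips_on_disk is an assumption.

```python
import os
import re

# Constructed gpg-agent debug-log excerpt (verbose, debug 1024) using the two
# keygrips quoted in the reply above; one HAVEKEY is answered ERR, one OK.
SAMPLE_AGENT_LOG = """\
gpg-agent[5376.7] DBG: <- RESET
gpg-agent[5376.7] DBG: -> OK
gpg-agent[5376.7] DBG: <- HAVEKEY D6B7B913F20010E8A68DC14B7B72C296C79C773A
gpg-agent[5376.7] DBG: -> ERR 67108881 No secret key
gpg-agent[5376.7] DBG: <- HAVEKEY 0DEB2ED35B879151B1EDA067B0F290116C7915EB
gpg-agent[5376.7] DBG: -> OK
"""
HAVEKEY_RE = re.compile(r"<- HAVEKEY\s+([0-9A-F]{40})")
REPLY_RE = re.compile(r"-> (OK|ERR)\b")


def parse_havekey(log_text):
    """Pair every HAVEKEY request with the agent's next reply: {keygrip: answered_ok}."""
    answers, pending = {}, None
    for line in log_text.splitlines():
        req = HAVEKEY_RE.search(line)
        if req:
            pending = req.group(1)
            continue
        rep = REPLY_RE.search(line)
        if rep and pending is not None:  # replies to RESET/OPTION are ignored
            answers[pending] = rep.group(1) == "OK"
            pending = None
    return answers


def keygrips_on_disk(homedir):
    """Keygrips stored as <keygrip>.key below private-keys-v1.d/ (homedir is an assumption)."""
    keydir = os.path.join(homedir, "private-keys-v1.d")
    if not os.path.isdir(keydir):
        return set()
    return {name[:-4] for name in os.listdir(keydir) if name.endswith(".key")}


def audit_havekey(log_text, present_keygrips):
    """Explain each HAVEKEY answer against the key files the agent should be reading."""
    verdicts = {}
    for grip, ok in parse_havekey(log_text).items():
        if ok:
            verdicts[grip] = "available"
        elif grip in present_keygrips:
            verdicts[grip] = "key file exists but agent answered ERR: wrong agent instance or unreadable file"
        else:
            verdicts[grip] = "no private-keys-v1.d/%s.key: secret key not in this homedir" % grip
    return verdicts
```

For a live check, run audit_havekey on the agent.log configured above together with keygrips_on_disk(os.path.expanduser("~/.gnupg")).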
Re: GnuPG incompatible with windows-vista ?
On Wed, 14 Mar 2007 03:41, [EMAIL PROTECTED] said:

> If anyone is building on Vista (or building elsewhere but using it on
> Vista), try this patch.

I have built a version with that patch. The upx packed gpg.exe binary is available at:

  ftp://ftp.g10code.com/g10code/scratch/gpg.exe

  $ sha1sum gpg.exe
  9dbde44dc9275e2b4918839c7a789040dda0a64b gpg.exe

Shalom-Salam,

   Werner