Re: Aw: Re: SmartCard v2.1 : factory reset fails

2017-02-15 Thread NIIBE Yutaka
Hello,

Fib Moro  wrote:
> I start gpg in "--edit-key" mode.
> Then I select a subkey I want to move to the card by issuing command "key 1".
> After the "keytocard" command it asks me where to store the key for which I 
> choose option 1 signature key.
> It then prompts me for the private key passphrase which I enter successfully.
> Now it asks me for AdminPIN. Again with default value "123456789" I get the 
> message "gpg: KEYTOCARD failed: Bad secret key"
> Also the same issue occurs if I set the AdminPIN manually beforehand.
> _
>
> gpg> key 1
> ...
> gpg> keytocard
> Please select where to store the key:
> (1) Signature key
> (3) Authentication key
> Your selection? 1
> gpg: KEYTOCARD failed: Bad secret key
> __

Let us show more info about your key.  I'm afraid your key size
is not the one OpenPGP card supports.  I tested RSA-2048 with
OpenPGP card version 2.1, it works fine for me.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Should we trust "MyMail-crypt for Gmail" Chrome extension?

2017-02-15 Thread Wolf
Hi,

I know nothing about the extension but would like to react to this:

On , ankostis wrote:
> This extension is the only alternative to use GPG with gmail in
> corporate environments where SMTP ports are blocked (unless we
> consider as an "alternative" to manually clear-signing each message
> text to be sent with cmd-line).

You can always combine virtual box, openvpn and stunnel to achieve
traffic indistinguishable from https (as long as your stunnel endpoint
listens on 443). No one blocks https these days.

W.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.




Aw: Re: Re: SmartCard v2.1 : factory reset fails

2017-02-15 Thread Fib Moro
Hello,

> 
> Let us fix a thing one by one.  First, the Reset Code handling.
> 

ok, let's do that.

> For my OpenPGP card 2.1, the Admin PIN is "12345678" (no 9).
> I can successfully set the Reset Code.
> 
> I confirmed that with wrong Admin PIN, I got the message "Error setting
> the Reset Code: Bad PIN".
> 
> Please test with 12345678.
> -- 
>

You are correct. I can confirm setting the Reset Code works now. 

Awaiting further instructions. ;-)



Re: Should we trust "MyMail-crypt for Gmail" Chrome extension?

2017-02-15 Thread Daniel Kahn Gillmor
On Wed 2017-02-15 07:48:57 -0500, ankostis wrote (about "MyMail-crypt
for Gmail"):
> I'm wondering whether this open-source Chrome-extension for GPG on GMail[1]
> is to be trusted; I mean, not to call home with my secret-key and passphrase.

I've never heard of it.  Mailvelope is what i've heard people recommend
for the use case you describe.

--dkg



Re: Problems with GPGME1.8 and Python 3.5 bindings

2017-02-15 Thread Jean-François Schaff
Hi,

Thanks for your advice, I could fix that and use the lib from Python.

Do you know if there is any plan to better document the python bindings in
the GPGME doc? I may be able to help with that if needed.

Cheers
Jean-François Schaff

2017-02-13 11:46 GMT+01:00 Justus Winter :

> Hi :)
>
> Jean-François Schaff  writes:
>
> > I'm new to gpg, and trying to use the Python bindings included in
> > GPGME. I'm using Ubuntu 16.04 LTS.
> >
> > I have done the following things:
> ...
> > - compiled and installed gpgme-1.8.0
> >
> > Everything seems to build and install as expected, but when I finally
> > try to use the python package (import gpg) I get the following error:
> >
> > (venv) jfs@Danube-linux:~/webdev/mms$ python
> > Python 3.5.2 (default, Nov 17 2016, 17:05:23)
> > [GCC 5.4.0 20160609] on linux
> > Type "help", "copyright", "credits" or "license" for more information.
>  import gpg
> > Traceback (most recent call last):
> ...
> > ImportError: /home/jfs/webdev/mms/venv/local/lib/python3.5/site-
> packages/gpg/_gpgme.cpython-35m-x86_64-linux-gnu.so:
> > symbol gpgme_pubkey_algo_string, version GPGME_1.1 not defined in file
> > libgpgme.so.11 with link time reference
>
> gpgme_pubkey_algo_string is new in GPGME 1.7.  This suggests that the
> version 1.8 that you built is not picked up.  How you resolve that is
> really up to you and your needs.  You could for example add the
> $your_install_prefix/lib to LD_LIBRARY_PATH in your bin/activate script.
>
>
> Cheers,
> Justus
>


Re: Expanding web-of-trust with subkey

2017-02-15 Thread Daniel Kahn Gillmor
On Wed 2017-02-15 11:54:51 -0500, Teemu Likonen wrote:
> That makes things very simple, in a way. I use "trust-model direct" and
> do some checking in web pages or check consistent use of signatures. If
> the key seems ok I'll "--edit-key", type "trust" and assign marginal or
> full trust for that key. That's it. And because I have no use for other
> people's signatures I also have "keyserver-options import-clean" so my
> keyring remains small.

right, so your use of "trust-model direct" switches the meaning of the
"trust" flag from its usual "ownertrust" semantics to be what we'd
normally call "validity".

Note also that when you mark a key itself as "trusted" in this way,
you're asking GnuPG to treat *all* user IDs on it as valid.

So if the keyholder updates their key at some point in the future to add
a new User ID, your GnuPG installation is going to blindly accept that
User ID as legitimate.

Please see A405E58AB3725B396ED1B85C1318EFAC5FBBDBCE as an example of
this kind of thing.  The keyholder cheekily added a new User ID "Satoshi
Nakamoto (www.bitcoin.org) " after his OpenPGP
certificate was created.  I have met the keyholder, and i do not believe
he is actually Satoshi Nakamoto ;)

> When Debian 9 is released, with GnuPG 2.1, I'll try "trust-model
> tofu+pgp" (trust on first use plus web of trust). It seems useful too.

please be aware that if you switch from "trust-model direct" to
"trust-model tofu+pgp", then your previous assignments of "trust" will
transform into indications of "ownertrust".  So someone whose OpenPGP
certificate you previously meant to indicate was valid can now certify
*other* OpenPGP certificates, and the pgp trust model will accept those
certificates as correct :(

Transitioning between trust models without overhauling the ownertrust db
is not a workflow that seems particularly well-supported, unfortunately.

   --dkg




Re: GPG homedir path length limit

2017-02-15 Thread Daniel Kahn Gillmor
On Wed 2017-02-15 12:12:23 -0500, Daniel Kahn Gillmor wrote:
> Why does this need to be created manually?  Why not try to create it if
> possible the first time there's a chance to use it, no matter what?
 […]
> What does GnuPG gain from having a known failure mode that requires a
> manual fix?

So one possible issue with my proposal is that by requiring explicit use
of --create-socketdir you remind the user that they're also responsible
for figuring out when to --remove-socketdir.

However, that shouldn't be necessary either.  If gpg-agent or dirmngr
terminates knowing that they should remove their own sockets, they can
do that and then just rmdir(2) on the ephemeral directory path.

If rmdir returns ENOTEMPTY, that's fine -- presumably some other daemon
is also using that path.  if it returns successfully, then the directory
is cleaned up, as it should be.

In --supervised mode, the daemons should not be responsible for removing
any sockets, so they would also not be responsible for cleaning up the
parent directory either.

does this make sense?  Are there any downsides that i'm missing?

   --dkg



Re: GPG homedir path length limit

2017-02-15 Thread Daniel Kahn Gillmor
Hi all--

sorry for the late followup on this thread:

On Mon 2017-01-16 14:16:28 -0500, Werner Koch wrote:
> On Sun, 15 Jan 2017 00:39, gn...@jelmail.com said:
>> Just experimenting in a sandbox homedir, I noticed that the homedir path
>> needs to be below a certain size.
>
> That is because on most Unix systems the file name for local socket is
> limited in size.  Local sockets are used for communication between the
> components (e.g. gpg and gpg-agent).
>
>
> The suggested solution is to create the socket in the /var/run
> directory:  Make sure that 
>
>   /var/run/user/$(id -u)
>
> exists before starting gpg or gpg-agent the socket will be created
> there.  Only if you use a non-default home directory (GNUPGHOME) you
> need to manually create a sub-directory by using
>
>   export GNUPGHOME=/foo/bar
>   gpgconf --create-socketdir

Why does this need to be created manually?  Why not try to create it if
possible the first time there's a chance to use it, no matter what?

or, if "no matter what" is too aggressive, why not at least try to
create the ephemeral it if it's clear that the non-ephemeral location is
longer than the max socket length?

I personally like the simplicity and uniformity of "if /run/user/$(id
-u)/ exists and is writable, then we will use it for the socketdir."

What does GnuPG gain from having a known failure mode that requires a
manual fix?

--dkg
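The two messages above sketch a socket-directory policy: use /run/user/$(id -u) whenever it exists and is writable, fail early when a homedir path would not fit the AF_UNIX socket name limit, and on shutdown unlink the daemon's own socket and then rmdir(2) the directory, treating ENOTEMPTY as "another daemon still lives here". The following Python is an added illustration of that policy written for this archive page; it is not GnuPG's code. The 108-byte sun_path limit is the Linux value (the BSDs use 104), the "gnupg" subdirectory name and the S.gpg-agent / S.dirmngr file names mirror the thread, and every path is created in a throwaway temporary directory.

```python
"""Socket-directory policy from the thread: prefer a per-user runtime
directory, check the homedir against the AF_UNIX path limit otherwise,
and on shutdown remove the own socket and rmdir(2) the parent, treating
ENOTEMPTY as "another daemon still uses it".  Added example; paths and
names below are constructed and the code is not GnuPG's own."""
import errno
import os
import shutil
import socket
import tempfile

# sockaddr_un.sun_path is 108 bytes on Linux (104 on the BSDs), including
# the terminating NUL, so a usable path has at most SUN_PATH_MAX - 1 bytes.
SUN_PATH_MAX = 108


def fits_in_sun_path(path):
    """Static check: does the encoded path leave room for the NUL?"""
    return len(os.fsencode(path)) < SUN_PATH_MAX


def can_bind(path):
    """Ground truth: try to bind a unix socket at path (the file is left
    behind on success so the shutdown path below has something to unlink)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(path)
        return True
    except OSError:            # includes Python's "AF_UNIX path too long"
        return False
    finally:
        s.close()


def choose_socketdir(homedir, run_user_dir, subdir="gnupg"):
    """If run_user_dir (e.g. /run/user/$(id -u)) exists and is writable, put
    the sockets in a private subdirectory there; otherwise fall back to the
    homedir, but refuse early if a socket name there would be too long."""
    if os.path.isdir(run_user_dir) and os.access(run_user_dir, os.W_OK):
        d = os.path.join(run_user_dir, subdir)
        os.makedirs(d, mode=0o700, exist_ok=True)
        return d
    if not fits_in_sun_path(os.path.join(homedir, "S.gpg-agent")):
        raise OSError(errno.ENAMETOOLONG, "homedir too long for a unix socket", homedir)
    return homedir


def remove_socket_and_dir(sock_path):
    """Shutdown path: unlink the own socket, then rmdir the parent.
    Returns True if the directory was removed, False if another daemon's
    socket keeps it alive (ENOTEMPTY; EEXIST on some older systems).
    In --supervised mode this would simply not be called."""
    try:
        os.unlink(sock_path)
    except FileNotFoundError:
        pass                   # already gone; nothing of ours to remove
    try:
        os.rmdir(os.path.dirname(sock_path))
        return True
    except OSError as e:
        if e.errno in (errno.ENOTEMPTY, errno.EEXIST):
            return False
        raise


def demo():
    """Exercise the policy in a throwaway directory; returns the observations."""
    base = tempfile.mkdtemp(prefix="sockdir-")
    try:
        long_home = os.path.join(base, "x" * 120)           # a deep sandbox homedir
        long_sock = os.path.join(long_home, "S.gpg-agent")
        short_home = os.path.join(base, "home")
        os.mkdir(short_home)
        missing = os.path.join(base, "no-run-user")          # runtime dir absent
        try:
            choose_socketdir(long_home, missing)
            long_err = None
        except OSError as e:
            long_err = e.errno
        socketdir = choose_socketdir(long_home, base)        # runtime dir present
        agent = os.path.join(socketdir, "S.gpg-agent")
        dirmngr = os.path.join(socketdir, "S.dirmngr")
        bound = can_bind(agent) and can_bind(dirmngr)
        return {
            "long_fits": fits_in_sun_path(long_sock),
            "long_binds": can_bind(long_sock),
            "long_err_is_enametoolong": long_err == errno.ENAMETOOLONG,
            "short_home_used": choose_socketdir(short_home, missing) == short_home,
            "runtime_dir_used": socketdir == os.path.join(base, "gnupg"),
            "both_bound": bound,
            "rmdir_while_shared": remove_socket_and_dir(agent),   # dirmngr still there
            "rmdir_when_last": remove_socket_and_dir(dirmngr),    # directory now empty
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

The static length check and the real bind() agree on the long path, which is the failure the original poster ran into with a deep sandbox homedir; the runtime-directory branch sidesteps it entirely, and the shutdown helper shows why a failed rmdir is not an error worth reporting.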




Re: Expanding web-of-trust with subkey

2017-02-15 Thread Adam Sherman
On 2017-02-15 10:33 AM, Kristian Fiskerstrand wrote:
>> How do you do that? Is there a type of sub-key you use?
>>
> No, just a completely separated primary key with C capability, no
> subkeys and is never published anywhere, rotated regularly to issue
> lsigns for short term use

Ah, that makes sense. Thanks.

A.

-- 
Adam Sherman 





Re: Expanding web-of-trust with subkey

2017-02-15 Thread Teemu Likonen
Didrik Nordström [2017-02-14 19:02:08-08] wrote:

> How do you handle key management? Let's say you just want to send a
> signed and encrypted email once to someone who announced their pubkey
> over https? What type of trust would you assign?

I don't personally know anybody who uses gpg. Even if I will meet
someone it's unlikely that signing keys will make me part of any web. So
web of trust is useless for me.

That makes things very simple, in a way. I use "trust-model direct" and
do some checking in web pages or check consistent use of signatures. If
the key seems ok I'll "--edit-key", type "trust" and assign marginal or
full trust for that key. That's it. And because I have no use for other
people's signatures I also have "keyserver-options import-clean" so my
keyring remains small.

When Debian 9 is released, with GnuPG 2.1, I'll try "trust-model
tofu+pgp" (trust on first use plus web of trust). It seems useful too.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Expanding web-of-trust with subkey

2017-02-15 Thread Kristian Fiskerstrand
On 02/15/2017 03:27 PM, Adam Sherman wrote:
> On 2017-02-15 06:51 AM, Kristian Fiskerstrand wrote:
>>> Do I need access to my master key in order to expand my web of
>>> trust? This seems like quite a restriction.
>> Yes, although you can generate a local CA key to use for this purpose
>> for short term validity considerations used for local signatures.
> 
> How do you do that? Is there a type of sub-key you use?
> 

No, just a completely separated primary key with C capability, no
subkeys and is never published anywhere, rotated regularly to issue
lsigns for short term use


-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins





Re: Expanding web-of-trust with subkey

2017-02-15 Thread Adam Sherman
On 2017-02-15 06:51 AM, Kristian Fiskerstrand wrote:
>> Do I need access to my master key in order to expand my web of
>> trust? This seems like quite a restriction.
> Yes, although you can generate a local CA key to use for this purpose
> for short term validity considerations used for local signatures.

How do you do that? Is there a type of sub-key you use?

A.


-- 
Adam Sherman 





Should we trust "MyMail-crypt for Gmail" Chrome extension?

2017-02-15 Thread ankostis
Hi,

I'm wondering whether this open-source Chrome-extension for GPG on GMail[1]
is to be trusted; I mean, not to call home with my secret-key and passphrase.

I searched through the mailing-list archives and found only one
reference from 2014:
https://lists.gnupg.org/pipermail/gnupg-users/2014-April.txt

This extension is the only alternative to use GPG with gmail in
corporate environments where SMTP ports are blocked (unless we
consider as an "alternative" to manually clear-signing each message
text to be sent with cmd-line).

With kind regards,
  Kostis

[1] 
https://chrome.google.com/webstore/detail/mymail-crypt-for-gmail/jcaobjhdnlpmopmjhijplpjhlplfkhba



Re: Hybrid keysigning party, your opinion?

2017-02-15 Thread Lachlan Gunn
Hello,

Le 2016-12-05 à 00:03, Peter Lebbing a écrit :
> I am asking for your thoughts on a variant of the organization of the
> keysigning party. I'll explain my reasoning and intentions, and I would
> like to know if you think I forgot to think of something important. Is
> there a way a malicious party could get people to sign the wrong UID,
> because I didn't think of that way? I'm not interested in ways people
> could cheat at the usual "informal" keysigning party model, with
> exchanging paper keyslips. This is because this would be my fallback
> model, if the proposed model doesn't work out. So I'm only interested in
> cases where the proposed model introduces extra issues compared to the
> informal exchanging keyslips model.


Given the discussion on the list before, now that CCC has come and gone
I'm curious as to how well this worked.  Is it an innovation worth
perpetuating?

Thanks,
Lachlan





Re: Expanding web-of-trust with subkey

2017-02-15 Thread Peter Lebbing
On 15/02/17 13:34, Peter Lebbing wrote:
> I've written a bit about ownertrust for the keysigning party we held
> last December:

Additionally, this topic is also briefly covered in the FAQ[1], which is
an up-to-date and maintained piece of documentation. The

The GNU Privacy Handbook[2] also contains interesting information, but
it hasn't been updated for a long while. It contains some outdated stuff
that makes me hesitate to actually recommend it, but the Web of Trust is
still the same.

Peter.

[1] 
[2] 

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: Expanding web-of-trust with subkey

2017-02-15 Thread Peter Lebbing
On 15/02/17 04:02, Didrik Nordström wrote:
> I wanted to send an email to a new contact (a bug report to a software
> project) so I added the public key and assigned it "Fully trusted" (4).

In addition to Kristian's answer, let me clarify:

"Ownertrust" is your assessment of how much you want to trust
certifications *done* by this person. So if this person A signed the key
of a person B, it determines whether this makes key B valid for you. It
does not relate to the validity of the key of person A!

I've written a bit about ownertrust for the keysigning party we held
last December:



In particular, the first section is relevant.

> Does this have to do with me not having signed the key? If I assigned it
> "Ultimate trust" (5) the warning disappeared.

"Ultimate trust" is the odd one out and is generally only used for your
own keys. This makes the key valid even without a signature.

> So.. Do I need access to my master key in order to expand my web of
> trust? This seems like quite a restriction.

You could also perhaps take a look at TOFU rather than the Web of Trust.
You do need GnuPG 2.1 for that.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 
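Peter's point above (ownertrust says how much certifications made *by* a key count, not whether that key is valid) and Daniel Kahn Gillmor's warning earlier in this thread (under "trust-model direct" the same stored value is read as validity, so switching to a pgp-based model silently turns it into ownertrust) are easiest to see on a toy model. The Python below is an added illustration written for this archive page, not GnuPG's own code or its exact algorithm: it uses GnuPG's default thresholds of one full or three marginal certifications, and the keyring, fingerprints, ownertrust entries and certifications are constructed.

```python
"""Toy model of how GnuPG's "direct" and "pgp" trust models read the
ownertrust database.  Added example for this thread; it is not GnuPG
code, and the keys, fingerprints and certifications are constructed."""

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
VALID = ("marginal", "full", "ultimate")


def validity_direct(fpr, trustdb):
    """trust-model direct: the value stored with "trust" is read as the
    validity of the key itself.  No user ID is consulted, so every user
    ID on the key, including ones added later, is treated as valid."""
    v = trustdb.get(fpr, "unknown")
    return v if v in VALID else "unknown"


def validity_pgp(fpr, uid, keyring, trustdb, certs, seen=frozenset()):
    """trust-model pgp: the stored value is *ownertrust*, i.e. how much
    certifications made BY this key count toward other keys' validity.
    Validity of (fpr, uid) comes only from certifications on that uid."""
    if trustdb.get(fpr) == "ultimate":
        return "ultimate"
    seen = seen | {fpr}            # guard against certification cycles
    full = marginal = 0
    for certifier, target, cert_uid in certs:
        if target != fpr or cert_uid != uid or certifier in seen:
            continue
        # a certification counts only if the certifier key is itself valid ...
        if not any(validity_pgp(certifier, u, keyring, trustdb, certs, seen) in VALID
                   for u in keyring.get(certifier, [])):
            continue
        # ... and is then weighted by the certifier's ownertrust
        ot = trustdb.get(certifier, "unknown")
        if ot in ("full", "ultimate"):
            full += 1
        elif ot == "marginal":
            marginal += 1
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if marginal:
        return "marginal"
    return "unknown"


# Constructed keyring: fingerprint -> user IDs
KEYRING = {
    "ME":    ["Me <me@example.org>"],
    "ALICE": ["Alice <alice@example.org>"],
    "BOB":   ["Bob <bob@example.org>"],
}
# Constructed ownertrust db, as typed with "trust" in --edit-key
TRUSTDB = {"ME": "ultimate", "ALICE": "full"}
# Constructed certifications: (certifier, target, user id)
CERTS_ALICE_CERTIFIED = [
    ("ME", "ALICE", "Alice <alice@example.org>"),   # e.g. a local signature by me
    ("ALICE", "BOB", "Bob <bob@example.org>"),      # Alice certified Bob
]
CERTS_ALICE_UNCERTIFIED = CERTS_ALICE_CERTIFIED[1:]  # nobody certified Alice


def report(keyring, trustdb, certs):
    """Validity of each third-party key under both models."""
    out = {}
    for fpr in ("ALICE", "BOB"):
        uid = keyring[fpr][0]
        out[fpr] = {
            "direct": validity_direct(fpr, trustdb),
            "pgp": validity_pgp(fpr, uid, keyring, trustdb, certs),
        }
    return out
```

With Alice locally signed, the same trustdb entry "ALICE: full" means "Alice's key is valid, Bob's is not" under direct, but "Alice may certify others, so Bob is valid too" under pgp, which is exactly the transition dkg cautions about. Without any certification on Alice, the pgp model reports her as unknown despite the "full" entry: the situation Didrik hit when assigning trust did not silence the "NOT certain" warning.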





Re: Expanding web-of-trust with subkey

2017-02-15 Thread Kristian Fiskerstrand
On 02/15/2017 04:02 AM, Didrik Nordström wrote:

> 
> So.. Do I need access to my master key in order to expand my web of
> trust? This seems like quite a restriction.

Yes, although you can generate a local CA key to use for this purpose
for short term validity considerations used for local signatures.

For the visible WoT (i.e one others can use in their determination),
having this limited is a very good thing. And it is one of the
constructs that makes it possible to rotate subkeys due to compromise
(e.g loss of a smartcard) without needing to revoke the full primary key.

> 
> How do you handle key management? Let's say you just want to send a
> signed and encrypted email once to someone who announced their pubkey
> over https? What type of trust would you assign?

no trust, that goes to the ability to verify third parties. Local CA and
local (non-exportable) signature

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins





Expanding web-of-trust with subkey

2017-02-15 Thread Didrik Nordström
Hi, I am new to using PGP in general, but fairly confident in the
cryptographic primitives and the overall concepts. I have issued a master
key on cold storage, and subkeys on my primary machine (one with encryption
and one with signing privileges).

I wanted to send an email to a new contact (a bug report to a software
project) so I added the public key and assigned it "Fully trusted" (4).

Then I ran `gpg2 -esa -r ` and gpg tells me:
*It is NOT certain that the key belongs to the person named in the user
ID.  If you *really* know what you are doing, you may answer the next
question with yes.*

Does this have to do with me not having signed the key? If I assigned it
"Ultimate trust" (5) the warning disappeared.

I tried signing the key:
*Really sign? (y/N) y*
*gpg: signing failed: No secret key*
*gpg: signing failed: No secret key*

It took me quite a while to figure out that I can't sign someone's key with
a master key. (Maybe the error message can be improved?)

So.. Do I need access to my master key in order to expand my web of trust?
This seems like quite a restriction.

How do you handle key management? Let's say you just want to send a signed
and encrypted email once to someone who announced their pubkey over https?
What type of trust would you assign?

Best, Didrik


Re: send-keys does not update my key

2017-02-15 Thread Marko Bauhardt

> On 14 Feb 2017, at 19:53, Kristian Fiskerstrand 
>  wrote:
> 
> Trust level is not a property of the public key, it is stored out of
> band (in the local trustdb)


Ah ok. Thanks.


Marko

---

Marko Bauhardt
https://keybase.io/mbauhardt

GPG Key ID: 53192101
GPG Fingerprint: DC0F E851 82A3 72E3 7FE1  ACDB 970C FD47 5319 2101





Re: Aw: Re: SmartCard v2.1 : factory reset fails

2017-02-15 Thread NIIBE Yutaka
Hello, again,

I found a bug in GnuPG 2.1.18 for factory-reset command handling (it's
not in 2.1.17 or older), I fixed it today.

Then, I tested my OpenPGP card 2.1.

Let us fix a thing one by one.  First, the Reset Code handling.

Fib Moro  wrote:
> It doesn't even get to the point where it prompts me for the Reset Code:
>
> Here is what I do:
>
> When I try to set the reset code via "passwd => 4" it prompts me for the 
> AdminPIN.
> I enter the default AdminPIN value of "123456789" and get the message "Error 
> setting the Reset Code: Bad PIN"
> I'm 100% sure I entered AdminPIN correctly.

For my OpenPGP card 2.1, the Admin PIN is "12345678" (no 9).
I can successfully set the Reset Code.

I confirmed that with wrong Admin PIN, I got the message "Error setting
the Reset Code: Bad PIN".

Please test with 12345678.
-- 



Re: Questions about --throw-keyids

2017-02-15 Thread Werner Koch
On Wed, 15 Feb 2017 00:31, d...@fifthhorseman.net said:

> afaict, GnuPG only supports (1) at the moment (this is probably OK).

There is a plan to add a rewrite feature to gpg so that for example you
can easily add an archiving key to a message.  But that is something we
need to shift to 2.3.

> However, gpg is a tool that's used not only in e-mail contexts, so it
> does still need to support the --throw-keyids option, since non-email

Sure.  Fully agree.  And we also need to improve the handling of
wildcard keyids.  In particular with several smartcards this is pretty
annoying.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

