Re: Public vs Private Fingerprint
Hi Damien,

> Actually there's no such thing as a private key fingerprint.
> Fingerprints are only calculated on public keys.

That was my conclusion after having searched a bit this morning, but I
didn't notice it explicitly documented?

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Upgrading 2.0.20 to 2.2.24
Hi Felix,

> gpg -e dest -r fe...@crowfix.com
...
> gpg: encrypted with 2048-bit ELG key, ID 18DCDD20A3362105, created
> -mm-dd
> "Felix Finch (Scarecrow Repairman) "
> gpg: decryption failed: No secret key

The key for recipient fe...@crowfix.com that was used to encrypt is not
on the machine that's decrypting.  See the --list*keys options in
gpg(1).  --export and --import could also be useful.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: Silencing MDC Warning with gnupg 2.2.8.
Hi Werner,

> > remove the MDC warning from stderr, allowing the rest of stderr's
> > content to pass?  Downstream of this command is unhappy otherwise.
>
> Why do you need stderr at all?  These are diagnostics for human
> consumption.

But stderr shouldn't be ignored.  Perhaps something unexpected appears
on it without affecting the exit status thus downstream of the program
using gpg doesn't just ignore stderr; it expects it to be empty and
checks it is.  Now it's not and downstream shouldn't know about a
gpg-specific stderr warning so I'll modify the script calling gpg to
delete one instance of that warning from stderr.  Thanks for confirming
there's no other way.

> > gpg(1) still documents --force-mdc and --disable-mdc, saying they're
> > now no-ops, but --no-mdc-warning is undocumented despite still being
> > accepted and also a no-op.  This hampers investigating why
>
> There is no reason to document a dummy option which never affected the
> behaviour of gpg.

It clearly did affect the behaviour else I wouldn't have needed to use
it, but I've raised the point so I'll let the matter rest, along with
the NEWS error.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
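One way to do the stderr filtering described in the message above, as an added example that is not part of the original post and not GnuPG code. The wording held in MDC_WARNING is an assumption to confirm against the installed gpg, and the function names are hypothetical.

```python
import subprocess
import sys

# Assumption: the warning's wording; confirm it against the installed gpg's stderr.
MDC_WARNING = "gpg: WARNING: message was not integrity protected"

def drop_one_warning(stderr_text, warning=MDC_WARNING):
    """Remove the first line equal to `warning`; return (remaining, removed)."""
    kept, removed = [], False
    for line in stderr_text.splitlines(keepends=True):
        if not removed and line.rstrip("\r\n") == warning:
            removed = True  # later copies stay visible to the stderr check
            continue
        kept.append(line)
    return "".join(kept), removed

def run_filtered(argv, warning=MDC_WARNING):
    """Run argv with stdin/stdout inherited; return (status, filtered stderr)."""
    proc = subprocess.run(argv, stderr=subprocess.PIPE)
    remaining, _ = drop_one_warning(proc.stderr.decode("utf-8", "replace"), warning)
    return proc.returncode, remaining

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. wrapper.py gpg -q --batch --ignore-mdc-error -d --passphrase-fd 0 foo.gpg
        status, remaining = run_filtered(sys.argv[1:])
        sys.stderr.write(remaining)
        sys.exit(status)
    # No command given: show the filter on constructed stderr text.
    sample = MDC_WARNING + "\ngpg: constructed unexpected line\n"
    print(drop_one_warning(sample))
```

Only an exact, whole-line match is dropped, and only once, so a second copy of the warning or any other diagnostic still reaches the downstream check that stderr is empty.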
Silencing MDC Warning with gnupg 2.2.8.
Hi,

With the arrival of gnupg 2.2.8-1 on Arch Linux this command applied to
members of an archive of files on read-only media fails because they are
old enough not to have Modification Detection Codes.

    gpg -q --batch --no-mdc-warning -d --passphrase-fd 0 foo.gpg

I see that --ignore-mdc-error downgrades the error to a warning allowing
the decrypted content to appear on stdout, but unfortunately for me
--no-mdc-warning is now a no-op and so doesn't work in concert with
--ignore-mdc-error to silence the warning.

It seems from skimming the source that my only option is to expect and
remove the MDC warning from stderr, allowing the rest of stderr's
content to pass?  Downstream of this command is unhappy otherwise.

gpg(1) still documents --force-mdc and --disable-mdc, saying they're
now no-ops, but --no-mdc-warning is undocumented despite still being
accepted and also a no-op.  This hampers investigating why
--no-mdc-warning isn't working.

BTW, 2.2.8's `NEWS' has `--no-mdc-warn', but the option ends in
`warning' and so my searches didn't find the news item.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: OT: FAQ and GNU
Hi Mario,

> > You snipped the bit where I said "Linux" has two meanings in the
> > English language depending on context.
>
> In the previous message you said “"Linux" can be the kernel or a
> distro.”.

"Linux" can be the kernel or a distro.  Context makes this clear in the
majority of cases.  Appending `kernel' or `distribution' in the odd
remaining case is sufficient.

> But this is outright incorrect (Linux is not a distribution).

You cut the important part.

> Thus I elided this part according to my practice of omitting
> irrelevant text in a reply to keep the messages to a readable size.

Or that contradicts your argument.

> The name “Linux” was invented for the kernel for which Linus Torvalds
> is known.  Later, lazy people incorrectly began using the same word to
> refer to basically any software bundle that includes this kernel.

No, not lazy people.  English-speaking people.  The language is
constantly evolving, taking on foreign words, allowing its rules to
adjust over time, assimilating...  That's why it's on course to be the
world's language, if it's not already.

The bulk of people use "Linux" to mean both terms, in casual and formal
speech and writing.  You may as well try and insist we use "United
States of America" all the time instead of "America"; context alone
typically implies the intended meaning.

> > Given your admirable, though misplaced, zeal, I doubt there's a
> > considered argument to be had here.

I should take my own advice!

> Do not eat animals; respect them as you respect people.
> https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan

`Duck to go' is an unfortunate choice.  :-)

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: FAQ and GNU
Hi Mario,

> Your argument is self-defeating.  There is no reason to single Linux.
> It is just another of thousands of programs without which a computer
> would be useless exactly as the others you mentioned.

You snipped the bit where I said "Linux" has two meanings in the English
language depending on context.

Given your admirable, though misplaced, zeal, I doubt there's a
considered argument to be had here.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: FAQ and GNU
Hi Mario,

> the argument that GNU PG can be used on Linux

Please note, it's "GnuPG".  That's the project name.  If you wish to
acknowledge that it's a GNU project then it's GNU GnuPG.  :-)

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: FAQ and GNU
Hi Robert,

> A request has been made that each instance of "Linux" in the FAQ be
> replaced with "GNU/Linux".

I thought this zealotry had fizzled out about 2013.  :-)

> However, in order to make sure that the FAQ reflects the community's
> wishes, I'm submitting the proposal here for community feedback.

Those preferring GNU/Linux are more likely to reply.

> If anyone has strong feelings on it one way or another, chime in.

Do not change to using GNU/Linux.

It's a purely political term; there is no case for technical accuracy.
Alongside GNU programs I have Clang, musl C library, X Windows, KDE,
Firefox, LibreOffice and many other non-GNU project, non-GNU licensed,
parts.  Singling out GNU for credit is unfair to those.

"Linux" can be the kernel or a distro.  Context makes this clear in the
majority of cases.  Appending `kernel' or `distribution' in the odd
remaining case is sufficient.

GNU/Linux is more awkward to read, and to verbalise in the mind.  Using
RMS's declaration of correct pronunciation, "GNU slash Linux" or "GNU
plus Linux", makes this worse.  (He argues, correctly, saying "GNU
Linux" is wrong because it suggests Linux is a GNU project.)

The term GNU/Linux is dying a natural death.  Do not resuscitate.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: Simple program to get sha256 hash
Hi Paolo,

> $ gcc -o ssha ./hash.cpp -lgcrypt
> $ ./ssha blablabla
> a6898dd93b4c6a87e978aea8547fdc3901b7b94d96636e03d5a6194f4491c571

You're feeding it nine bytes here.

> $ sha256sum <<< 'blablabla'
> a5edca3a5b8fb54ae61d236a5274626ba6a38781573e02202000158faa707191 -

And ten bytes here.

    $ wc -c <
Re: powertop(8) Points at gpg-agent.
Hi Werner,

> > I wonder if aiming for dead on the second is a good idea.  If
> > everything did that then there might be silence until the next second
> > boundary, but many cores would wake up to work for a short time.
>
> I had the same concern but the folks who suggested that said that this
> is the best strategy for short term jobs.  Apparently cron et al. work
> the same.

Here on Arch Linux, /usr/bin/crond is owned by cronie 1.5.1-1, and it
sleeps for 60 s exactly, slowly creeping forwards.  The sleep is
sometimes interrupted by SIGCHLD, but that's very soon after it's
started and the 59.xxx s remaining that it's told is left becomes
another 60 s sleep.

    $ sudo -i strace -tt -e nanosleep -p `pidof crond`
    strace: Process 303 attached
    16:09:01.325441 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:10:01.326133 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:11:01.326724 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:12:01.327254 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:13:01.327842 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:14:01.328426 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:15:01.329013 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:16:01.329637 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:17:01.330289 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:18:01.330832 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:19:01.331389 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:20:01.332925 nanosleep({tv_sec=60, tv_nsec=0}, {tv_sec=59, tv_nsec=732892671}) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
    16:20:01.600374 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=27903, si_uid=0, si_status=0, si_utime=1, si_stime=0} ---
    16:20:01.600779 nanosleep({tv_sec=60, tv_nsec=0}, 0x7fff5d22ac50) = 0
    16:21:01.601394 nanosleep({tv_sec=60, tv_nsec=0},

Any thoughts on my other points in the earlier email
https://lists.gnupg.org/pipermail/gnupg-users/2017-February/057745.html
that talks about avoiding some of the wake ups altogether?

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: powertop(8) Points at gpg-agent.
Hi,

I wrote:
> > Note that gpg-agent makes sure that the tick happens on the full
> > second
>
> Noted.  Though those `-tt' times from strace above have it creeping
> forward, off the second?

I wonder if aiming for dead on the second is a good idea.  If
everything did that then there might be silence until the next second
boundary, but many cores would wake up to work for a short time.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: powertop(8) Points at gpg-agent.
Hi Werner,

> > the forking of two siblings to have a `GETINFO pid' chat every
> > minute.
>
> What you see are not new processes but merely two threads every
> minute.

Yes, sorry, I saw the clone(2) and translated to fork.

> --disable-check-own-socket can be used to disable this feature.

Thanks.  In Arch's 2.1.18-1's agent/gpg-agent.c's handle_connections(),
I see

    if (disable_check_own_socket)
      my_inotify_fd = -1;
    else if ((err = gnupg_inotify_watch_socket (&my_inotify_fd, socket_name)))

and my_inotify_fd is used with select(2).  Does the per minute sibling
thread chat still need to occur in that case?

> > # define TIMERTICK_INTERVAL (2)
>
> I have not changed that interval because it is useful when you are
> using smartcards.  What it does is to check the aliveness of scdaemon
> by doing a waitpid (pid, NULL, WNOHANG)).

I don't see a system call with strace for that waitpid though?

    $ strace -tt -f gpg-agent --daemon
    ...
    13:29:23.845564 inotify_init() = 7
    13:29:23.845704 inotify_add_watch(7, "/run/user/1000/gnupg", IN_DELETE|IN_DELETE_SELF|IN_EXCL_UNLINK) = 1
    13:29:23.845955 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=1, tv_nsec=98782}, {[], 8}) = 0 (Timeout)
    13:29:25.848353 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=30747}, {[], 8}) = 0 (Timeout)
    13:29:27.850760 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1343}, {[], 8}) = 0 (Timeout)
    13:29:29.853172 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1218}, {[], 8}) = 0 (Timeout)
    13:29:31.855622 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1263}, {[], 8}) = 0 (Timeout)
    13:29:33.858052 pselect6(8, [3 4 5 6 7], NULL, NULL, {tv_sec=2, tv_nsec=1409}, {[], 8}) = 0 (Timeout)

Does --disable-scdaemon mean the check isn't needed and select(2) can
stretch to the next longer timeout?

Either way, if the waitpid(WNOHANG) really is happening and strace isn't
showing it, then could a thread not be dedicated to a hanging waitpid(),
with it sending a message on a file descriptor back to the main thread's
select()?

> Not really resource intensive.

No, I agree the work done isn't heavy; it's the regular periodic
short-term wake-up that's a bit of a pain.

> Note that gpg-agent makes sure that the tick happens on the full
> second

Noted.  Though those `-tt' times from strace above have it creeping
forward, off the second?

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
powertop(8) Points at gpg-agent.
Hi,

gnupg 2.1.18-1 on Arch Linux.  I noticed powertop ranking the
gpg-agents, one per user, quite highly, and their impact is multiplied
by their number.  strace(1) showed the two-second select(2) timing out
with no syscalls in between, and the forking of two siblings to have a
`GETINFO pid' chat every minute.

Hans-Christoph Steiner noticed back in 2012, and Werner pointed out the
relevant #defines.
https://lists.gnupg.org/pipermail/gnupg-devel/2012-March/026589.html

    # define TIMERTICK_INTERVAL (2)
    # define CHECK_OWN_SOCKET_INTERVAL (60)
    #endif

There's a few relevant patches by Daniel Kahn Gillmor, e.g. cancelling
the socket check if inotify(7) can be used.
https://lists.gnupg.org/pipermail/gnupg-devel/2016-November/032012.html

Are there any plans to make gpg-agent consume less background resources?
It remains running here when a user logs out.  Is that common?  A
variety of users logging in over time divides TIMERTICK_INTERVAL quite a
bit.

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
Re: Key Used to Lookup Symmetric Passphrase.
Hi,

I wrote:
> What's the key being used to look up the symmetric passphrase?  Is it
> something random stored in *.gpg and thus survives the rename?

So I used `gpg --debug-level guru -d foo.gpg' and see the

    GET_PASSPHRASE --data --repeat=0 -- S08635B195E745ED6 X X Enter+passphrase%0A

and from that found the code that shows S086... is eight bytes of random
salt used for the symmetric encryption.

> How can I list these in the manner of -k and -K?

That question remains.

Also, say I have three files symmetrically encrypted at different times
with the same passphrase.  I'd like the salt used on encryption to be
the same for all three so I can decrypt them as needed but only tell
gpg-agent the passphrase once.  I'm guessing this can't currently be
done and would welcome education on why not.  :-)

--
Cheers, Ralph.
https://plus.google.com/+RalphCorderoy
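The salt named in the message above can be read straight from a file's leading symmetric-key encrypted session key packet. This is an added example, not part of the original post and not GnuPG code: it assumes binary (non-armored) input and the "S" plus hex-salt form shown in the GET_PASSPHRASE line, the function names are hypothetical, and the sample headers are constructed.

```python
def skesk_salt(data):
    """Return the 8-byte S2K salt from a leading SKESK packet (tag 3), or None."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet")
    first = data[0]
    if first & 0x40:                                  # new-format header
        tag, o = first & 0x3F, data[1]
        if o < 192:
            length, pos = o, 2
        elif o < 224:
            length, pos = ((o - 192) << 8) + data[2] + 192, 3
        elif o == 255:
            length, pos = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length not expected here")
    else:                                             # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not expected here")
        n = 1 << ltype
        length, pos = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[pos:pos + length]
    if tag != 3 or len(body) < 4 or body[0] != 4:
        raise ValueError("first packet is not a version 4 SKESK packet")
    s2k_type = body[2]                # body: version, cipher, S2K type, hash
    if s2k_type == 0:
        return None                   # simple S2K carries no salt
    if s2k_type not in (1, 3) or len(body) < 12:
        raise ValueError("unsupported or truncated S2K specifier")
    return body[4:12]

def cache_id(data):
    """Format the salt the way it appears in the GET_PASSPHRASE line."""
    salt = skesk_salt(data)
    return None if salt is None else "S" + salt.hex().upper()

# Constructed sample headers; the first uses the salt quoted in the message.
OLD_FMT = bytes.fromhex("8c0d04070302" "08635b195e745ed6" "60")
NEW_FMT = bytes.fromhex("c30d04090308" "1122334455667788" "ff")

if __name__ == "__main__":
    for blob in (OLD_FMT, NEW_FMT):
        print(cache_id(blob))
```

Running cache_id over the first bytes of several *.gpg files shows which of them share a salt; the salt is stored in the file itself, so a rename does not change it.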
Key Used to Lookup Symmetric Passphrase.
Hi,

I'm using gnupg 2.1.18-1 on Arch Linux.

`gpg -c foo' asks for a passphrase.  I enter `p-foo' twice.  For file
bar it's `p-bar'.

`gpg -d foo.gpg' doesn't prompt, which is good, getting the passphrase
from the agent.  Ditto bar.gpg.

If I rename foo.gpg to xyzzy.gpg it still doesn't prompt, finding the
correct passphrase.

What's the key being used to look up the symmetric passphrase?  Is it
something random stored in *.gpg and thus survives the rename?  How can
I list these in the manner of -k and -K?

Very happy to read documentation on it, but haven't spotted anything so
far.

Cheers, Ralph.