Verifying Signatures using Libgcrypt
With the help of the gcrypt manual, I'm able to build programs that can verify detached signatures, specifically using the "gcry_pk_verify" API. However, how do I verify and extract the content from a compressed+wrapped signature created by the gpg utility's "--sign" command?

Subin Sebastian
http://xtel.in
+91-944-6475-826
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
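What "gpg --sign" wraps around the data, as an added example (not code from the poster, the gcrypt manual or GnuPG): a minimal OpenPGP packet walker following the RFC 4880 header rules that opens the compressed container and separates the literal data from the signature packet. It assumes the default layout (compressed data holding a one-pass signature, literal data and signature packet); the sample message is constructed and its signature packet is a dummy, and parsing the signature fields and rebuilding the digest for gcry_pk_verify (RFC 4880 section 5.2.4) is not shown.

```python
import bz2
import zlib


def read_packet(buf, pos):
    """Parse one packet at buf[pos]; return (tag, body, next_pos)."""
    ctb = buf[pos]
    if not ctb & 0x80:  # bit 7 is set on the first octet of every packet
        raise ValueError(f"invalid packet (ctb={ctb:02x})")
    pos += 1
    if not ctb & 0x40:  # old format: tag in bits 5-2, length type in bits 1-0
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:  # indeterminate length: body runs to end of input
            return tag, buf[pos:], len(buf)
        width = 1 << ltype
        length = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
        if pos + length > len(buf):
            raise ValueError("truncated packet body")
        return tag, buf[pos:pos + length], pos + length
    tag, body = ctb & 0x3F, bytearray()
    while True:  # new format: the loop collects partial-body chunks
        first = buf[pos]
        if first < 192:
            length, pos, last = first, pos + 1, True
        elif first < 224:
            length, pos, last = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, True
        elif first == 255:
            length, pos, last = int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, True
        else:
            length, pos, last = 1 << (first & 0x1F), pos + 1, False
        if pos + length > len(buf):
            raise ValueError("truncated packet body")
        body += buf[pos:pos + length]
        pos += length
        if last:
            return tag, bytes(body), pos


def decompress(body):
    """Body of a compressed data packet (tag 8): algorithm octet + data."""
    if not body:
        raise ValueError("empty compressed data packet")
    algo, data = body[0], body[1:]
    if algo == 0:
        return data
    if algo == 1:  # ZIP: raw deflate stream
        return zlib.decompressobj(wbits=-15).decompress(data)
    if algo == 2:  # ZLIB
        return zlib.decompressobj().decompress(data)
    if algo == 3:  # BZip2
        return bz2.BZ2Decompressor().decompress(data)
    raise ValueError(f"unknown compression algorithm {algo}")


def walk(buf):
    """Return [(tag, body), ...], descending into compressed containers."""
    packets, pos = [], 0
    try:
        while pos < len(buf):
            tag, body, pos = read_packet(buf, pos)
            if tag == 8:
                packets += walk(decompress(body))
            else:
                packets.append((tag, body))
    except IndexError:
        raise ValueError("truncated packet header")
    return packets


def literal_content(body):
    """Literal data (tag 11): format, name length, name, 4-octet date, data."""
    return body[2 + body[1] + 4:]


def unwrap_signed(buf):
    """Return (signed content, [signature packet bodies])."""
    packets = walk(buf)
    content = b"".join(literal_content(b) for t, b in packets if t == 11)
    return content, [b for t, b in packets if t == 2]


def new_packet(tag, body):
    """Helper for the sample only: new-format header, one-octet length."""
    return bytes([0xC0 | tag, len(body)]) + body


def build_sample():
    """Constructed message in the default 'gpg --sign' layout (dummy signature)."""
    literal = b"b" + bytes([9]) + b"hello.txt" + bytes(4) + b"hello world\n"
    inner = (new_packet(4, b"\x03\x00\x08\x01" + bytes(8) + b"\x01")
             + new_packet(11, literal)
             + new_packet(2, b"constructed, not a valid signature"))
    comp = zlib.compressobj(wbits=-15)
    return bytes([0xA3, 0x01]) + comp.compress(inner) + comp.flush()


if __name__ == "__main__":
    data, sigs = unwrap_signed(build_sample())
    print(data, len(sigs))
```

The signature packet body returned here is what still has to be decoded (hash algorithm, hashed subpackets, MPIs) before anything can be handed to libgcrypt.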
Re: gpg-agent SSH agent returned incorrect signature type
* Sebastian Wiesinger [2019-11-05 17:49]:
> Hi,
>
> I'm using gpg-agent with the key stored on a Yubikey for ssh pubkey
> authentication. Since upgrading server systems to Debian 10 I get the
> following error when logging in:
>
> agent key RSA SHA256:[keyhash] returned incorrect signature type

It seems this might be fixed in gnupg 2.2.6. It was reported here:

T3880 "gpg-agent's ssh-agent does not handle flags in signing requests properly"
https://dev.gnupg.org/T3880

Can't test right now because I would need a newer agent.

Regards

Sebastian

--
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: gpg-agent SSH agent returned incorrect signature type
* GnuPG Users [2019-11-05 20:56]:
> On Tue, 5 Nov 2019 17:49, Sebastian Wiesinger said:
>
> > debug3: sign_and_send_pubkey: signing using rsa-sha2-512
>
> AFAICS that method is not supported. We support "ssh-rsa" and
> "ssh-rsa-cert-...@openssh.com" but not this method. However, I do not
> have the debug out of gpg-agent so I can't tell for sure. Please put
[..]
> Anyway, I would suggest to use an EC algorithm; they are much faster.
> The Yubikey only supports the NIST curves and thus ecdsa-sha2-nistp256
> or ecdsa-sha2-nistp521 would be appropriate.

Hi Werner,

I've attached a redacted version of the log to this mail. If you need something in the clear let me know.

In regard to the algorithm, I'm not sure where I would change that. This seems to be something SSH does on its own...

Regards

Sebastian

--
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

2019-11-06 09:28:15 gpg-agent[6246] ssh handler 0x7f4a71188700 for fd 10 started
2019-11-06 09:28:15 gpg-agent[6246] ssh request handler for request_identities (11) started
2019-11-06 09:28:15 gpg-agent[6246] new connection to SCdaemon established (reusing)
2019-11-06 09:28:15 gpg-agent[6246] ssh request handler for request_identities (11) ready
2019-11-06 09:28:15 gpg-agent[6246] ssh request handler for sign_request (13) started
2019-11-06 09:28:15 gpg-agent[6246] DBG: detected card with S/N DXX
2019-11-06 09:28:15 gpg-agent[6246] DBG: encoded hash: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
2019-11-06 09:28:16 gpg-agent[6246] DBG: PKCS#1 block type 1 encoded data:+ \
2019-11-06 09:28:16 gpg-agent[6246] DBG: xx
2019-11-06 09:28:16 gpg-agent[6246] DBG: rsa_verify data:+ \
2019-11-06 09:28:16 gpg-agent[6246] DBG: xx
gpg-agent SSH agent returned incorrect signature type
Hi,

I'm using gpg-agent with the key stored on a Yubikey for ssh pubkey authentication. Since upgrading server systems to Debian 10 I get the following error when logging in:

agent key RSA SHA256:[keyhash] returned incorrect signature type

Login succeeds but the error is displayed on every new connection. There is not much information about this, except that it seems the error is caused by the agent signing the key with a different hash algorithm:

debug1: Server accepts key: cardno:000233441461 RSA SHA256:[keyhash] agent
debug3: sign_and_send_pubkey: RSA SHA256:[keyhash]
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
agent key RSA SHA256:[keyhash] returned incorrect signature type
debug3: sign_and_send_pubkey: signing using ssh-rsa

My question is, is this a problem with gpg-agent or is the Yubikey just not able to sign the key with the requested sha2-512 algo?

Regards

Sebastian

--
GPG Key: 0x58A2D94A93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
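The mismatch discussed in this thread, as an added example (not code from the posters, GnuPG or OpenSSH): the client sets a flag in the agent sign request (message 13 in the log above) asking for an RSA/SHA-2 signature, and the signature blob that comes back names the algorithm that was actually used. The message layouts and flag values follow the SSH agent protocol draft (draft-miller-ssh-agent); the outer length framing is omitted, only plain non-certificate keys are handled, and all key and signature bytes are constructed.

```python
import struct

# Message numbers and flag bits from the SSH agent protocol draft.
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04


def put_string(data):
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf, pos):
    """Read one SSH wire string at pos; return (bytes, next_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def parse_sign_request(msg):
    """byte 13, string key_blob, string data, uint32 flags -> (key_type, flags)."""
    if not msg or msg[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob, pos = get_string(msg, 1)
    _data, pos = get_string(msg, pos)
    if pos + 4 > len(msg):
        raise ValueError("missing flags")
    (flags,) = struct.unpack_from(">I", msg, pos)
    key_type, _ = get_string(key_blob, 0)  # key blob starts with its type name
    return key_type.decode("ascii"), flags


def parse_sign_response(msg):
    """byte 14, string signature; the signature starts with its type name."""
    if not msg or msg[0] != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("not a sign response")
    signature, _ = get_string(msg, 1)
    sig_type, _ = get_string(signature, 0)
    return sig_type.decode("ascii")


def expected_signature_type(key_type, flags):
    """Signature type the client expects for a plain key and request flags."""
    if key_type != "ssh-rsa":
        return key_type  # assumption: non-RSA plain keys sign under their own name
    if flags & SSH_AGENT_RSA_SHA2_512:
        return "rsa-sha2-512"
    if flags & SSH_AGENT_RSA_SHA2_256:
        return "rsa-sha2-256"
    return "ssh-rsa"


def check_exchange(request, response):
    """Return (expected, actual, matches) for one request/response pair."""
    key_type, flags = parse_sign_request(request)
    expected = expected_signature_type(key_type, flags)
    actual = parse_sign_response(response)
    return expected, actual, expected == actual


def build_request(flags):
    """Constructed sign request for a dummy RSA key."""
    key_blob = (put_string(b"ssh-rsa") + put_string(b"\x01\x00\x01")
                + put_string(b"\x00" + b"\xc3" * 256))
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
            + put_string(b"constructed session data") + struct.pack(">I", flags))


def build_response(sig_type):
    """Constructed sign response carrying a dummy signature of the given type."""
    signature = put_string(sig_type) + put_string(b"\x5a" * 256)
    return bytes([SSH_AGENT_SIGN_RESPONSE]) + put_string(signature)


if __name__ == "__main__":
    req = build_request(SSH_AGENT_RSA_SHA2_512)
    print(check_exchange(req, build_response(b"ssh-rsa")))
    print(check_exchange(req, build_response(b"rsa-sha2-512")))
```

The first pair reproduces the situation in the debug output above: the request asks for rsa-sha2-512 and the reply is labelled ssh-rsa.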
Re: Repo with test cases for covert content attacks
On 12.08.19 at 17:47, Stefan Claas via Gnupg-users wrote:
> Sebastian Schinzel wrote:
>
>> Dear all,
>>
>> Jens Müller just gave a talk at DEFCON about Covert Content Attacks
>> against S/MIME and OpenPGP encryption and digital signatures in the
>> email context. He just published the PoC emails that he used in the talk
>> and they might be useful for further testing.
>>
>> https://github.com/RUB-NDS/Covert-Content-Attacks
>>
>> This is the paper describing the attacks from April 2019:
>>
>> https://arxiv.org/abs/1904.07550
>
> Thanks for the info. I do no longer use a GPG plug-in MUA
> combination, but are these 'Johnny you are fired' issues
> already been resolved? I must admit I am a bit out of the
> loop.

Those are two different papers.

1. The 'Johnny, you are fired' paper solely dealt with signature spoofing and the repo is here: https://github.com/RUB-NDS/Johnny-You-Are-Fired

2. The paper mentioned in the thread above is 'Re: What's Up Johnny? -- Covert Content Attacks on Email End-to-End Encryption' and it contains some leftover attack cases that didn't make it into the Efail paper. It aims at exfiltrating the plaintext of encrypted mails, but with some degree of user interaction, e.g. replying to a malicious email.

Lots of test cases and I am not aware of any current list of what MUA fixed which issue (correctly or incorrectly).

Best,
Sebastian
Repo with test cases for covert content attacks
Dear all,

Jens Müller just gave a talk at DEFCON about Covert Content Attacks against S/MIME and OpenPGP encryption and digital signatures in the email context. He just published the PoC emails that he used in the talk and they might be useful for further testing.

https://github.com/RUB-NDS/Covert-Content-Attacks

This is the paper describing the attacks from April 2019:

https://arxiv.org/abs/1904.07550

Best,
Sebastian
Re: Pinentry does not show "please insert smartcard" dialog
* Sebastian Wiesinger [2018-07-31 18:24]:
> > There is no card reader available, when yubikey is not plugged in. I
> > use the smartcard with a external reader. I also do not see this dialog
> > when the Reader is not connected.
> >
> > I think, there is a dependence to a connected reader to show this
> > dialog.
>
> I don't think this is the reason because the same setup works under
> OSX.

And after upgrading to Xubuntu 18.04 it started working again... no idea what the problem was in the end.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: Pinentry does not show "please insert smartcard" dialog
* GnuPG Users [2018-06-30 13:22]:
> > What doesn't work is the "please insert smartcard" dialog when the
> > key is not plugged in. I manually added the correct keygrip to the
> > sshcontrol file but this does not work. On my MacOS the same config
> > does display the "insert smartcard" dialog.
> >
> > Any idea why it doesn't work on my Linux system or how to find out? I
> > already tried multiple debug options but no helpful info showed up in
> > the logs.
>
> There is no card reader available, when yubikey is not plugged in. I
> use the smartcard with a external reader. I also do not see this dialog
> when the Reader is not connected.
>
> I think, there is a dependence to a connected reader to show this
> dialog.

I don't think this is the reason because the same setup works under OSX.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Pinentry does not show "please insert smartcard" dialog
Hello,

I'm using pinentry (GTK2) on my Xubuntu. My authentication key is saved on a Yubikey4. Pinentry does work when the key is inserted and displays the PIN entry dialog just fine.

What doesn't work is the "please insert smartcard" dialog when the key is not plugged in. I manually added the correct keygrip to the sshcontrol file but this does not work. On my MacOS the same config does display the "insert smartcard" dialog.

Any idea why it doesn't work on my Linux system or how to find out? I already tried multiple debug options but no helpful info showed up in the logs.

Version: Xubuntu 17.10

ii pinentry-gtk2 1.0.0-2 amd64

$ gpg --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.8

Kind Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Backchannels via OCSP and CRL in S/MIME (Was: efail is imho only a html rendering bug)
On 06.06.2018 at 20:19, Werner Koch wrote:
> Thanks for responding. However, my question was related to the claims
> in the paper about using CRL and OCSP as back channels. This created the
> impression that, for example, the certificates included in an encrypted
> CMS object could be modified in a way that, say, the DP could be changed
> in the same way as an HTML img tag or to confuse the MIME parser.

Table 5 shows that CRL and OCSP work as a backchannel in some clients, see I_1, I_2, I_3 in the PKI column. It is unclear if they can be used to exfiltrate plaintext in reality because changing them should break the signature.

The caIssuer field (intermediate certificates) seems more appropriate for plaintext exfiltration. See the discussion in section 6.2. Note that we didn't analyze X.509v3 extensions for further backchannels.

Again, whether CRL/OCSP/caIssuer can or cannot be used for plaintext exfiltration doesn't affect the overall security of S/MIME much. The central flaw remains malleable encryption.

Best,
Sebastian
Re: efail is imho only a html rendering bug
On 06.06.2018 at 10:04, Werner Koch wrote:
> On Mon, 21 May 2018 19:11, r...@sixdemonbag.org said:
>
>> Efail is not just an HTML rendering bug. It includes very real
>> attacks against S/MIME as it's used by thousands of corporations.
>
> I have not yet seen any hints on how a back-channel within the S/MIME
> protocol can work. There are claims that this can be done with CRLs and
> OCSP but that all requires substantial implementation bugs in the S/MIME
> engines. The paper presents only vague ideas. Did I miss something?

A backchannel in a technology is not a vulnerability per se.

At its core, the Efail CBC/CFB gadget attack modifies a ciphertext in a way that it *exfiltrates its own plaintext* when opened. The paper shows that this is practical for HTML email clients.

The generic concept of the CBC/CFB gadget attack, however, is neither limited to HTML, nor to emails. It is plausible to transform the attack to other data formats supporting backchannels. It's up to the creativity of the attacker to come up with other scenarios. Adam Langley touched another scenario already in 2014:

https://www.imperialviolet.org/2014/06/27/streamingencryption.html

The central flaws for CBC/CFB gadgets to work are (a) missing authenticated encryption in S/MIME and (b) not properly enforced integrity protection in OpenPGP. We won't fix malleable encryption by tinkering with HTML, x509 and MIME parsers.

Best,
Sebastian
Re: Efail or OpenPGP is safer than S/MIME
r...@sixdemonbag.org (Robert J. Hansen) writes:
>>> We hesitate to require the MDC also for old algorithms (3DES, CAST5)
>>> because a lot of data has been encrypted using them in the first
>>> years of OpenPGP.
>> So if someone sends me a 3DES-encrypted mail it won't check the MDC?
>> Doesn't gpg still support reading 3DES?
> Let's try it and find out. :)
> ... Yep, GnuPG will warn you the message was not integrity protected.
> Your email client should see this warning and refuse to render the message.

I notice that the command currently succeeds, albeit with a warning. Would it make sense to have GnuPG return a non-zero exit code in case some MUA does not parse these warnings, or in case it does parse them but proceeds to use the result?

Alternatively, perhaps invoking gpg for decryption could honor some command-line switch or gpg.conf option to turn some or all warnings into hard errors.

Kind regards,
SR
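The caller-side check this exchange is about, as an added example (not code from the posters or from GnuPG): a gate a mail client could put between gpg and its renderer, which looks at the exit code together with the machine-readable "--status-fd" lines and releases plaintext only when decryption succeeded and the MDC was verified. The status transcripts are constructed, the first one modelled on the "succeeds with a warning" case described above; the function and variable names are hypothetical.

```python
STATUS_PREFIX = "[GNUPG:] "

# Status keywords that must never be followed by rendering the plaintext.
FATAL_KEYWORDS = ("BADMDC", "DECRYPTION_FAILED")


def parse_status(status_text):
    """Return [(keyword, [args...]), ...] from gpg --status-fd output."""
    events = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable warnings are ignored on purpose
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events


def may_release_plaintext(exit_code, status_text):
    """Return (allowed, reason); the caller drops the plaintext when not allowed."""
    keywords = [kw for kw, _ in parse_status(status_text)]
    if exit_code != 0:
        return False, f"gpg exited with code {exit_code}"
    for kw in keywords:
        if kw in FATAL_KEYWORDS:
            return False, f"status {kw}"
    if "DECRYPTION_OKAY" not in keywords:
        return False, "no DECRYPTION_OKAY status"
    if "GOODMDC" not in keywords:
        # Exit code 0 and DECRYPTION_OKAY are not enough: without GOODMDC
        # the ciphertext was not integrity protected.
        return False, "no GOODMDC status: message was not integrity protected"
    return True, "decrypted and integrity protected"


# Constructed transcripts (not captured from a real gpg run).
UNPROTECTED = """\
gpg: WARNING: message was not integrity protected
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

PROTECTED = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

TAMPERED = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""

if __name__ == "__main__":
    for name, code, text in (("unprotected", 0, UNPROTECTED),
                             ("protected", 0, PROTECTED),
                             ("tampered", 2, TAMPERED)):
        print(name, may_release_plaintext(code, text))
```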
Re: What causes this bad signature
* gnupgpacker [2015-11-15 10:39]:
> Hi,
>
> there is a German government service that signs PGP keys??
>
> What's the way to get it signed? Which institution?

It's here:

https://pgp.governikus-eid.de/pgp/

But as you can see the signature is not working. And the signature for my @gnupg.net UID didn't arrive at all.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: What causes this bad signature
* da...@gbenet.com [2015-11-15 03:06]:
> You can only use this signature for signing (not encrypting) and for
> certification. Bad?
> There appears to be nothing bad about this public key - why would you get 16
> people to sign a key if you were not going to communicate with them?

Hello,

my key is not bad, the signature by 0x5E5CCCB4A4BF43D7 is bad. The question is why.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
What causes this bad signature
Hello,

for fun I tried a German government (or public-private partnership) service that signs your PGP key if your name on a uid matches the electronic data on your ID card (Neuer Personalausweis, nPA).

I tried this and got my signed key back. I tried to import it into my keyring and imagine my surprise when it didn't show up. Reason being: I have "import-options import-clean" set and the signature is somehow bad.

Is there a way to see why the signature is bad? If I decide to let them know that their service fails I would like to be able to tell them what they did wrong.

My key is 0x58A2D94A93A0B9CE and their signature comes from 0x5E5CCCB4A4BF43D7:

pub 2048R/0x58A2D94A93A0B9CE 2009-08-11
uid [ultimate] Sebastian Wiesinger
sig!3 P0x58A2D94A93A0B9CE 2015-03-27 never Sebastian Wiesinger
sig-3 1 0x5E5CCCB4A4BF43D7 2015-11-14 never Governikus OpenPGP Signaturservice (Neuer Personalausweis)

I attached the signed key for your interest.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Installing gpg2/commands?
Hello,

are there some commands for installing the gnupg-w32-2.1.x_.exe (like -silent or -no_registry)?

Sebastian
AW: [Announce] GnuPG 1.4.18 released
Hello,

WinPT works also with GnuPG 1.4.18 very well. But occasionally WinPT reacts to a faulty configuration of GnuPG with a cold, however.

Regards
Sebastian

> -----Original Message-----
> From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On behalf of
> Reinhard Irmer
> Sent: Tuesday, 1 July 2014 13:58
> To: gnupg-users@gnupg.org
> Cc: gnupg...@gnupg.org
> Subject: AW: [Announce] GnuPG 1.4.18 released
>
> > -----Original Message-----
> > From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On behalf of
> > Werner Koch
> > Sent: Monday, 30 June 2014 20:37
> > To: gnupg-annou...@gnupg.org; info-...@gnu.org
> > Subject: [Announce] GnuPG 1.4.18 released
> >
> > Hello!
>
> Hello Werner,
>
> > We are pleased to announce the availability of a new stable GnuPG-1
> > release: Version 1.4.18.
>
> Installing gnupg-w32cli-1.4.18.exe on winXP works, but starting wpt.exe
> after installation, the monitor shows "Schlüsselcache internal error".
> Then rightclick on wptbutton/über(about) in the quickstartlist shows
> the right versionnumbers of wpt and gnupg. But clicking
> "Schlüsselverwaltung" a bugmessage arrives like this. Look here:
> http://666kb.com/i/cpp0j83n5s33h1doq.jpg
> I restarted the system but no solution. So I went back to 1.4.17 :-(
>
> --
> regards
> Reinhard
>
> --- on OUTLOOK 2007 ---
password cache Windows 7
Hello,

I use Gpg4win with Thunderbird and Enigmail on a Windows 7. In Thunderbird, if I want to decrypt a mail I put the pass-phrase in the opening window and I can decrypt the mail. Then I have the option that the program forgets the pass-phrase. But it says that this is done by an external gpg-agent.

When I close Thunderbird and reopen it, then I mustn't type my pass-phrase to decrypt e-mails. Also if I wait about 10 or 20 minutes.

How can I control the gpg-agent? I want the agent to forget the pass-phrase after 5 minutes.

Thank you
Re: howto secure older keys after the recent attacks
* Sebastian Wiesinger [2009-09-10 18:01]:
> Hi,
>
> regarding this, the Simtec Entropy Key http://www.entropykey.co.uk/ is
> available for sale online since a few days ago. This is an USB
> hardware entropy generator. Perhaps this would be something to
> consider in your tests regarding quality and speed of entropy
> generation.

I'm sorry, somehow I mixed up this thread with one on gnupg-devel. Nevertheless the key is a nice piece of hardware.

Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: howto secure older keys after the recent attacks
* Philippe Cerfon [2009-09-10 14:03]:
> I'd have some additional poor men's questions ;-)...
> - When creating a new key,.. it uses the entropy, right? So is there
> some way to improve this entropy? Perhaps not using Linux but instead
> OpenBSD which might have a better PRNG (don't know if this is actually
> the case ;) ) or use a specific Linux kernel version where a newer and
> better PRNG was added?

Hi,

regarding this, the Simtec Entropy Key http://www.entropykey.co.uk/ is available for sale online since a few days ago. This is an USB hardware entropy generator. Perhaps this would be something to consider in your tests regarding quality and speed of entropy generation.

Kind Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Setting up SKS Keyserver
Hi,

I'm thinking about setting up an SKS Keyserver. My question is, is there some sort of mailinglist or something where this is ontopic? As I understand I would also be in need of some "gossip" partners.

Is http://www.nongnu.org/sks/ the software I want to use or is there something else? The Documentation Wiki for sks seems to be offline...

Any pointers in the right direction would be appreciated.

Kind Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
still: signature digest conflict in message
Unfortunately it does not help (Thank you however Werner). I inserted the option in "additional options for GnuPG" in the Enigmail GUI. The command line now reads:

gpg.exe --charset utf8 --allow-multiple-messages --batch --no-tty --status-fd 2 --verify

Still there is the same message:

gpg: Signature made 03/30/07 18:25:23 using RSA key ID CA57AD7C
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error

I'd be glad to get a hint...

Dominik

Werner Koch wrote:
> On Wed, 4 Apr 2007 16:06, [EMAIL PROTECTED] said:
>
>> unfortunately I have problems verifying some signed Mails using GPG for
>> Windows and Enigmail with Thunderbird. The problem only affects the
>> "Reverify Your Email Address"-mails from the PGP Global Directory. The
>
> Such a case has been reported recently and it turned out that PGP creates
> invalid OpenPGP messages. Due to some stronger checks we employ now gpg
> reveals this problem.
>
> --allow-multiple-messages
>
> should do as a workaround. Not tested, though.
>
> Shalom-Salam,
>
>    Werner

--
PGP: 0x9BE1FDBA : CD6D 383B BE31 29BF 221D F78D 76AC 3F2A 9BE1 FDBA
signature digest conflict in message
Hello,

unfortunately I have problems verifying some signed Mails using GPG for Windows and Enigmail with Thunderbird. The problem only affects the "Reverify Your Email Address"-mails from the PGP Global Directory. The error message reads:

C:\Programme\GNU\GnuPG\gpg.exe --charset utf8 --status-fd 1 --batch --no-tty --status-fd 2 --verify
gpg: Signature made 03/30/07 11:33:09 using RSA key ID CA57AD7C
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error

Can somebody help me on this. I didn't manage to find a solution on the web.

Thanks, Dominik.

--
PGP: 0x9BE1FDBA : CD6D 383B BE31 29BF 221D F78D 76AC 3F2A 9BE1 FDBA
HowTo make a donation to gpg...
Hi,

I'm really exalted about gpg and want to support the project with a little donation. I think, if I can't help to develop such a good project, the team should get a little bit of support. Most OS-projects are better than commercial products. A donation is the least that I (and other users) can do.

On the gpg-website I've searched for a paypal-donation button or something else... Nothing. I think the gpg-team should install a possibility for this on the website.

Bye,
Sebastian
Restore Smart-Card-Manual
Hi,

for 2 years I've been using pgp. It's very nice. Today I've got 2 pgp-smartcards. The first one works very well. Everything works well.

Now I want to test what happens when I lose this card or it's broken. I have both cards, the public key and a .pgp-file. I searched google for over 2 hours, but I only found an entry in this list. But the user did not complete the restore. (http://marc.theaimsgroup.com/?l=gnupg-users&m=115027667302076&w=2)

Is there any expert here that can post a step-by-step guide to get my backup-card working? This restore-procedure should be published on any smartcard-howto.

Thanks from Germany

Bye,
Sebastian
pgp.sig as an attachment
Hello,

I am using GnuPG with Apple Mail and the GPGMail plugin. When I sign a message, the mail is sent with the attached file pgp.sig. However, I would prefer to have the signature inside the message and not in an attachment. How would I do this?

Thanks
Sebastian
Re: Speed of trustdb update?
* David Shaw <[EMAIL PROTECTED]> [2006-05-08 17:44]:
> > The system is a AMD K6 with 350MHz, perhaps it's just too slow? Any
> > ideas how to speed up the trustdb check would be appreciated.
>
> What version of GnuPG are you using?

1.4.3

gpg (GnuPG) 1.4.3
Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Speed of trustdb update?
Hi,

I'm using gnupg quite a lot and after importing ~100 keys from a keysigning party, the trustdb updates got painfully slow:

$ time gpg --check-trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 124 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 124 signed: 37 trust: 113-, 0q, 0n, 3m, 8f, 0u
gpg: depth: 2 valid: 9 signed: 11 trust: 5-, 3q, 0n, 0m, 1f, 0u
gpg: next trustdb check due at 2006-06-25

real 0m54.860s
user 0m42.880s
sys 0m1.710s

As you see it takes almost a minute to update everything. Is there a way to make that process quicker? I already do --rebuild-keydb-caches every night but it doesn't help very much. The only solution right now is to disable the automatic trustdb-checks and update it in the middle of the night.

The system is a AMD K6 with 350MHz, perhaps it's just too slow? Any ideas how to speed up the trustdb check would be appreciated.

Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Is there any GnuPG version which works with Windows Mobile 5.0?
GPG 1.4.2 and Aladdin eToken Pro
Hello GnuPG Users!!!

Does GnuPG work with this hardware token? I tried to find some solutions to make these two things work, but without success. Is there some manual for connecting these two parts? I use Windows XP sp2. I want to change from PGP to GnuPG but I have only this little problem.

OK now info:

Z:\GnuPG>gpg --card-status
gpg: detected reader `AKS ifdh 0'
gpg: detected reader `AKS ifdh 1'
gpg: pcsc_connect failed: sharing violation (0x801b)
gpg: card reader not available
gpg: OpenPGP card not available: błąd ogólny

--
Thanks and best regards,
Sebastian Murawski
Solved: gpg: [don't know]: invalid packet (ctb=2d)
Dear Listers,

I solved my problem (see at the bottom). But first the SUM of the answers I got: No answers, nor reactions or hints :(

The solution was: I had to delete the .gnupg-directory in my home directory. It seems like I copied old settings from Debian to Ubuntu that caused the troubles.

Cheers.
Seb

On Saturday 03 December 2005 18:56, Sebastian Hofer wrote:
> Dear Listers,
>
> I am a plain user of gnupg and new to this list. So I would like to greet
> you first.
>
> Now the problem: I found some discussions about the "invalid packet
> (ctb=2d)" thing but none of it helped me.
>
> I have been running gpg with the same keys since 2003. I started to use
> them on SuSE 7 and Win2K. Then I moved to Debian without a problem. Now I
> had a disc crash recently and switched to Ubuntu. When I try to import or
> use my old keys I get this:
>
> ---snip
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: keydb_get_keyblock failed: eof
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: /home/seb/.gnupg/pubring.gpg: copy to
> `/home/seb/.gnupg/pubring.gpg.tmp' failed: invalid packet
> gpg: error writing keyring `/home/seb/.gnupg/pubring.gpg': invalid packet
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: keydb_search failed: invalid packet
> gpg: key 09D50FE7: public key "[User ID not found]" imported
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: keydb_search failed: invalid packet
> [GNUPG:] IMPORTED 0C1E3D6C09D50FE7 [?]
> [GNUPG:] IMPORT_OK 1 CF32CCC3BD5E61F3E8722A9D0C1E3D6C09D50FE7
> gpg: [don't know]: invalid packet (ctb=2d)
> gpg: error reading `/home/seb/.gnupg/secring.gpg': invalid packet
> gpg: import from `/home/seb/.gnupg/secring.gpg' failed: invalid packet
> gpg: Total number processed: 0
> gpg: imported: 1
> [GNUPG:] IMPORT_RES 0 0 1 0 0 0 0 0 0 0 0 0 0 0
> ---snap
>
> The keys were transferred from my external HD (backup) with all the other
> stuff in my home directory.
> Some weeks ago I tried to import a copy of the keys I still had on a W2K machine
> at work. Same error.
> Today I thought I will use the weekend to fix the problem. One of my
> guesses is that there are conflicts between my new Ubuntu and the old stuff
> I got from my backup done on Debian Sarge?!? So I wanted to erase gpg
> completely and then reinstall it. But there are billions of dependencies ...
> What should I do?
>
> Thanks in advance and cheers,
> Seb
gpg: [don't know]: invalid packet (ctb=2d)
Dear Listers,

I am a plain user of gnupg and new to this list. So I would like to greet you first.

Now the problem: I found some discussions about the "invalid packet (ctb=2d)" thing but none of it helped me.

I have been running gpg with the same keys since 2003. I started to use them on SuSE 7 and Win2K. Then I moved to Debian without a problem. Now I had a disc crash recently and switched to Ubuntu. When I try to import or use my old keys I get this:

---snip
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_get_keyblock failed: eof
gpg: [don't know]: invalid packet (ctb=2d)
gpg: /home/seb/.gnupg/pubring.gpg: copy to `/home/seb/.gnupg/pubring.gpg.tmp' failed: invalid packet
gpg: error writing keyring `/home/seb/.gnupg/pubring.gpg': invalid packet
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: invalid packet
gpg: key 09D50FE7: public key "[User ID not found]" imported
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: invalid packet
[GNUPG:] IMPORTED 0C1E3D6C09D50FE7 [?]
[GNUPG:] IMPORT_OK 1 CF32CCC3BD5E61F3E8722A9D0C1E3D6C09D50FE7
gpg: [don't know]: invalid packet (ctb=2d)
gpg: error reading `/home/seb/.gnupg/secring.gpg': invalid packet
gpg: import from `/home/seb/.gnupg/secring.gpg' failed: invalid packet
gpg: Total number processed: 0
gpg: imported: 1
[GNUPG:] IMPORT_RES 0 0 1 0 0 0 0 0 0 0 0 0 0 0
---snap

The keys were transferred from my external HD (backup) with all the other stuff in my home directory.

Some weeks ago I tried to import a copy of the keys I still had on a W2K machine at work. Same error.

Today I thought I will use the weekend to fix the problem. One of my guesses is that there are conflicts between my new Ubuntu and the old stuff I got from my backup done on Debian Sarge?!? So I wanted to erase gpg completely and then reinstall it. But there are billions of dependencies ... What should I do?

Thanks in advance and cheers,
Seb