Re: Reply-default etiquette (was Re: KISS gpg)

2019-11-03 Thread Joe
On Sun, 3 Nov 2019 22:00:39 +0200
Andrei POPESCU  wrote:

> On Jo, 31 oct 19, 11:55:01, The Wanderer wrote:
> > 
> > (IMO the correct behavior should be chosen automatically by
> > "reply", and there should be separate "reply to sender", "reply to
> > all", and "reply to list" options in the client. I don't know of
> > anything which implements that, however.)  
> 
> I seem to recall Sylpheed and/or Claws Mail has this.
> 

Yes, it does. I read this on Claws, though I only ever use the default
Reply.

-- 
Joe



Re: Reply-default etiquette (was Re: KISS gpg)

2019-11-03 Thread Andrei POPESCU
On Jo, 31 oct 19, 11:55:01, The Wanderer wrote:
> 
> (IMO the correct behavior should be chosen automatically by "reply", and
> there should be separate "reply to sender", "reply to all", and "reply
> to list" options in the client. I don't know of anything which
> implements that, however.)

I seem to recall Sylpheed and/or Claws Mail has this.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: KISS gpg

2019-11-01 Thread Stefan Monnier
>> AFAICT the sockets are not created in GNUPGHOME, so your "gpg with other
>> GNUPGHOME" will still talk to the same agent and confusion will ensue.
> yes seems the only way is through a different user, as it seems to be per
> design one user - one agent, which also makes sense as the agent is the
> interface to the private keys.

But that precludes the OP's use-case where a single user wants to manage
different installations of the same keys, some protected with a password
and some without (or with a different password).

I think it would make a lot of sense for the gpg agent to pay attention
to the gpg client's homedir so as not to mix the data of one homedir
with that of another.

In any case, I think this should be on gpg's issue tracker.


Stefan



Re: KISS gpg

2019-10-31 Thread mick crane

On 2019-10-30 18:58, Nicolas George wrote:
> Hi.
>
> Is there somewhere in Debian a KISS version of GnuPG or something
> compatible?
>
> The current default version of GnuPG, since 2015, necessarily uses a
> client-server agent to access the private keys. While it is convenient
> and secure for everyday use, but for some tasks, the efforts it makes to
> protect my files from myself prevent me from doing the tasks I want.
>
> As a short-term solution, does anyone know how to add a pass phrase to a
> private key while exporting it, without changing it on the storage?
>
> Regards,

Excuse me for answering without really understanding the subject very well.
I think you can export the private key ascii armoured and then it is a text file
which presumably you can encrypt with some other program?
I would have thought that if you add a passphrase (if an option) to a private key
after you generated it then that and the original key would have different signatures?

mick

--
Key ID4BFEBB31



Re: KISS gpg

2019-10-31 Thread deloptes
Stefan Monnier wrote:

> AFAICT the sockets are not created in GNUPGHOME, so your "gpg with other
> GNUPGHOME" will still talk to the same agent and confusion will ensue.

yes seems the only way is through a different user, as it seems to be per
design one user - one agent, which also makes sense as the agent is the
interface to the private keys.



Re: KISS gpg

2019-10-31 Thread Stefan Monnier
>> so even changing $HOME won't help and I don't see any envvar which
>> influences it.  I suggest you contact the GPG development folks (maybe
>> open an issue for it).
>
> Not sure - cause if you close gpg and agent etc. and set the GNUPGHOME and
> start again all the work will be done in the new GNUPGHOME. The sockets
> will be created when you start gpg.

AFAICT the sockets are not created in GNUPGHOME, so your "gpg with other
GNUPGHOME" will still talk to the same agent and confusion will ensue.


Stefan



Re: KISS gpg

2019-10-31 Thread deloptes
Nicolas George wrote:

> The problem is to run instances of gpg simultaneously: one to access the
> key without any risk of modifying it, one to do the work.
> 

Looks like the only risk is you :)
How would you modify a key without wanting it?! 
As I mentioned before - to me it looks like your use case is invalid.

> Programs that make it hard to run several independent instances without
> a very very good user-visible reason are badly designed.

Unless it is desired to work the way it is - tell this to the gnupg
developers, they will enjoy it :), but as I mentioned before they are
pretty helpful and open for good ideas - who knows - perhaps they will
understand your need. I personally don't.

In fact you can run as many instances of gpg as you wish - only the agent
will be just one (started by the first instance) and it is good so - and
you understand now why, hopefully.

BTW there are many other programs - for example ssh, databases, apache
server etc., where you also can not run many instances ;-) - perhaps they
are also badly designed. 

regards



Re: [OT] Email signature double dash delimiters (Was: KISS gpg)

2019-10-31 Thread Nicolas George
Cindy Sue Causey (12019-10-31):
> Maybe it's only certain ones?

Or maybe the correct answer has already been given twice in this very
discussion:

https://lists.debian.org/debian-user/2019/10/msg01140.html
https://lists.debian.org/debian-user/2019/10/msg01152.html

Regards,

-- 
  Nicolas George




[OT] Email signature double dash delimiters (Was: KISS gpg)

2019-10-31 Thread Cindy Sue Causey
On 10/31/19, Greg Wooledge  wrote:
> On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
>> If you kill all agents to stop them interfering, then use the
>> - --homedir option of gpg with a copy of your files, I think you will
>> have what you need.
>
> Huh.  There's that "dash space dash dash" pattern again, from a completely
> different person this time.
>
> Is the mailing list software mangling people's posts (lines that begin
> with dash dash get an extra dash space prepended), or is there some
> common mail user agent in the wild that's doing this?
>
> --testing


Maybe it's only certain ones? Yours and deloptes' aren't doing that.
For a split second, I wondered if it was somehow tied to how double
dashes are used with signatures. Nope because it didn't do it to at
least the two of you in this thread.

Well, I say "nope", but it might still be one or more email clients
taking it upon themselves to make sure content in an email's body
stays put.

Related to it, I thought I had read that those signature dashes need a
space behind them. Quick search agrees without visiting any webpages
(again). The related phrase I'm seeing is "signature delimiter" in at
least one reference.

CSS/HTML comments work similarly. If the space is in the wrong place,
the entire comment appears on a webpage and/or blows the coding apart.

Maybe someone's just manually making sure the double dashes don't futz
with *any* email clients? Sounds like something that might come to
mind to me if I had thought hard on it at some point. It looks like
there's no problem if there's no space in between the double dashes
and whatever flag's being discussed.. :)

Am now...

--also-testing

-- 
With some useless rhetoric..

-- 
And then some more useless rhetoric.. just to see what it does if
there is more than one set of what the client would see as delimiters.

Cindy ;)
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with birdseed *



Re: KISS gpg

2019-10-31 Thread Nicolas George
deloptes (12019-10-31):
> Not sure - cause if you close gpg and agent etc. and set the GNUPGHOME and
> start again all the work will be done in the new GNUPGHOME. The sockets
> will be created when you start gpg.
> 
> What is the problem with it? How do you expect the programs to exchange
> information?

The problem is to run instances of gpg simultaneously: one to access the
key without any risk of modifying it, one to do the work.

Programs that make it hard to run several independent instances without
a very very good user-visible reason are badly designed.

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread deloptes
Stefan Monnier wrote:

> so even changing $HOME won't help and I don't see any envvar which
> influences it.  I suggest you contact the GPG development folks (maybe
> open an issue for it).

Not sure - cause if you close gpg and agent etc. and set the GNUPGHOME and
start again all the work will be done in the new GNUPGHOME. The sockets
will be created when you start gpg.

What is the problem with it? How do you expect the programs to exchange
information?





Re: KISS gpg

2019-10-31 Thread Stefan Monnier
>> So I think you're stuck with copying by hand the actual file that
>> holds the private key (somewhere in ~/.gnupg) if you want to "export"
>> it.  Once you've done that, you can put it in "another-dir" with
>> a similar structure and then use
>> 
>> gpg --homedir ../another-dir --change-passphrase
>> 
>> to change its passphrase.
>
> That would be the idea. And for that, I need a KISS gpg, because current
> gpg does not honor the homedir setting for private keys, because it uses
> the agent instead. This is exactly the problem.

Yuck!  Now I see what you mean.
Indeed, it seems to go through a socket placed in:

% gpgconf --list-dirs | grep agent
agent-ssh-socket:/run/user/20848/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/20848/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/20848/gnupg/S.gpg-agent.browser
agent-socket:/run/user/20848/gnupg/S.gpg-agent
%

so even changing $HOME won't help and I don't see any envvar which
influences it.  I suggest you contact the GPG development folks (maybe
open an issue for it).


Stefan
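
A check for the concern raised in this message, as an added example that is not part of the original post: it parses `gpgconf --list-dirs` output for two home directories and reports which agent sockets they have in common. The second listing is constructed and the function names are hypothetical; when gpgconf is installed, the script queries it with its `--homedir` option.

```python
"""Compare the agent sockets that two GnuPG home directories resolve to."""
import shutil
import subprocess
from urllib.parse import unquote

# Output quoted in the message above (default home directory).
PAGE_OUTPUT = """\
agent-ssh-socket:/run/user/20848/gnupg/S.gpg-agent.ssh
agent-extra-socket:/run/user/20848/gnupg/S.gpg-agent.extra
agent-browser-socket:/run/user/20848/gnupg/S.gpg-agent.browser
agent-socket:/run/user/20848/gnupg/S.gpg-agent
"""

# Constructed: the same listing with a hypothetical separate socket directory.
CONSTRUCTED_SEPARATE = PAGE_OUTPUT.replace("/gnupg/", "/gnupg/constructed-other/")


def parse_list_dirs(text):
    """Parse `gpgconf --list-dirs` output: one name:value pair per line,
    with the value percent-escaped."""
    dirs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            dirs[name] = unquote(value)
    return dirs


def agent_sockets(text):
    """Keep only the agent socket entries of a listing."""
    return {name: path for name, path in parse_list_dirs(text).items()
            if name.startswith("agent-") and name.endswith("socket")}


def shared_agent_sockets(text_a, text_b):
    """Names of agent sockets that have the same path in both listings."""
    a, b = agent_sockets(text_a), agent_sockets(text_b)
    return sorted(name for name in a if b.get(name) == a[name])


def list_dirs(homedir=None):
    """Run gpgconf for the given home directory; None if gpgconf is absent."""
    if shutil.which("gpgconf") is None:
        return None
    cmd = ["gpgconf"]
    if homedir:
        cmd += ["--homedir", homedir]
    cmd.append("--list-dirs")
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    alt = sys.argv[1] if len(sys.argv) > 1 else None
    default_out, alt_out = list_dirs(), list_dirs(alt)
    if default_out is None:  # no gpgconf here: fall back to the samples
        default_out, alt_out = PAGE_OUTPUT, CONSTRUCTED_SEPARATE
    for name, path in sorted(agent_sockets(alt_out).items()):
        print(f"{name}: {path}")
    shared = shared_agent_sockets(default_out, alt_out)
    if shared:
        sys.exit("same agent sockets as the default homedir: " + ", ".join(shared))
```

Run it with the alternate home directory as its only argument; a non-zero exit means gpg started with that directory would talk to the same agent sockets as the default one.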



Re: KISS gpg

2019-10-31 Thread Curt
On 2019-10-31, The Wanderer  wrote:
>
> (I do understand what you probably mean by the overall statement, of
> course, but linguistics is one of my interests and this has caught my
> attention.)
>

I believe the OP is French and means 'exigent' in the usual French sense of
the word---demanding, exacting in one's demands.



-- 
We do not remember what we might have been before birth. This, and only this,
gives hope of oblivion.--Insufficient!
William T. Vollmann, "Supernatural Axioms"



Re: KISS gpg

2019-10-31 Thread deloptes
Nicolas George wrote:

> deloptes (12019-10-31):
>> again the homedir option is for the agent and not for gpg - and you
>> should setup your environment properly
> 
> Again, without perfect control and feedback, this is not acceptable.
>
What do you mean by control and feedback - have you seen the command
examples of gpg-agent? 

If I were you I would use the $GNUPGHOME variable.

Perhaps you should subscribe to the gnupg developer list and lead the
discussion there. They are pretty friendly and helpful - were at least to
me.

regards




Re: Reply-default etiquette (was Re: KISS gpg)

2019-10-31 Thread Nicolas George
Gene Heskett (12019-10-31):
> And this is something that the kmail of yore, now forked to TDE, makes 
> simple. If you sort incoming mail to list yy in its own folder, then it 
> is sufficient to name that list in the folder definitions.  I've been 
> doing that for so long I'd consider any email agent that does not do 
> that, broken.

I consider a mailing-list that requires to do that or anything broken.

Do it if you want. It should not be necessary.

Regards,

-- 
  Nicolas George




Re: Reply-default etiquette (was Re: KISS gpg)

2019-10-31 Thread Gene Heskett
On Thursday 31 October 2019 12:10:01 Nicolas George wrote:

> The Wanderer (12019-10-31):
> > IMO, the correct behavior should indeed be the same for lists as for
> > private mail: reply to the source from which you received the
> > message.
>
> ... and everybody who got it too.
>
> For example, if I reply to:
>
> # From: Colleague
> # To: Me
> # Cc: Boss
>
> it should be:
>
> # From: Me
> # To: Colleague
> # Cc: Boss
>
> > I am subscribed to dozens of mailing lists, and have been active on
> > most or all of them at various points in time. To get reply behavior
> > to be correct on all of them, I would need to set Reply-To to a
> > different value for each one.
>
> You do not need that because most mailing-list software does it for
> you: if you are subscribed to the mailing-list and there is no
> reply-to address in your mail, it sets it to the list.
>
> Debian is amongst the few mailing-lists that do not do that. This
> comes from the influence of the dogmatic people who wrote the infamous
> “"Reply-To" Munging Considered Harmful” document and designed a
> suboptimal solution instead.
>
> > I know of no way to get a mail client to automatically set Reply-To
> > differently depending on what message is being replied to
>
> Possible with Mutt:
>
> send-hook . "unmy_hdr Reply-To:"
> send-hook ~cdebian-u...@lists.debian.org my_hdr "Reply-To: debian-user@lists.debian.org"
>
> > It should not be the responsibility of every sender to contrive some
> > configuration to automatically set Reply-To (or other non-default)
> > headers correctly for every different mailing list.
>
> I agree with that. Unfortunately, the Debian mailing-list makes it
> necessary.
>
> Regards,

And this is something that the kmail of yore, now forked to TDE, makes 
simple. If you sort incoming mail to list yy in its own folder, then it 
is sufficient to name that list in the folder definitions.  I've been 
doing that for so long I'd consider any email agent that does not do 
that, broken.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Reply-default etiquette (was Re: KISS gpg)

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> Do you also have "ignore list-post:" in your muttrc ?

Of course not. What a strange question: the ignore directive is for
display, not for controlling the recipients.

In case you confused it with ignore_list_reply_to, look at the comment
on its side: "Press L for list replies": unacceptable, press the same
key for ALL replies.

Regards,

-- 
  Nicolas George




Re: Reply-default etiquette (was Re: KISS gpg)

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 1/11/19 3:10 am, Nicolas George wrote:
> Possible with Mutt:
> 
> send-hook . "unmy_hdr Reply-To:" send-hook
> ~cdebian-u...@lists.debian.org my_hdr "Reply-To:
> debian-user@lists.debian.org"

Do you also have "ignore list-post:" in your muttrc ?

https://www.earth.li/~huggie/mutt/muttrc.html

http://www.mutt.org/doc/manual/#lists


A.




Re: KISS gpg

2019-10-31 Thread Nicolas George
The Wanderer (12019-10-31):
> ...can you clarify what you mean by this term? The definition of
> "exigent" which I know of ("in need of immediate, urgent response, such
> that there is not time to delay", roughly speaking), and the one I find
> in gcide, doesn't seem to fit this context at all; "exigence" is
> obviously derived from "exigent", so I'm no better off there.
> 
> (I do understand what you probably mean by the overall statement, of
> course, but linguistics is one of my interests and this has caught my
> attention.)

I think the reply I just sent to your other mail covers that.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread Nicolas George
deloptes (12019-10-31):
> again the homedir option is for the agent and not for gpg - and you should
> setup your environment properly

Again, without perfect control and feedback, this is not acceptable.

Regards,

-- 
  Nicolas George




Re: Reply-default etiquette (was Re: KISS gpg)

2019-10-31 Thread Nicolas George
The Wanderer (12019-10-31):
> IMO, the correct behavior should indeed be the same for lists as for
> private mail: reply to the source from which you received the message.

... and everybody who got it too.

For example, if I reply to:

# From: Colleague
# To: Me
# Cc: Boss

it should be:

# From: Me
# To: Colleague
# Cc: Boss

> I am subscribed to dozens of mailing lists, and have been active on most
> or all of them at various points in time. To get reply behavior to be
> correct on all of them, I would need to set Reply-To to a different
> value for each one.

You do not need that because most mailing-list software does it for you:
if you are subscribed to the mailing-list and there is no reply-to
address in your mail, it sets it to the list.

Debian is amongst the few mailing-lists that do not do that. This comes
from the influence of the dogmatic people who wrote the infamous
“"Reply-To" Munging Considered Harmful” document and designed a
suboptimal solution instead.

> I know of no way to get a mail client to automatically set Reply-To
> differently depending on what message is being replied to

Possible with Mutt:

send-hook . "unmy_hdr Reply-To:"
send-hook ~cdebian-u...@lists.debian.org my_hdr "Reply-To: debian-user@lists.debian.org"

> It should not be the responsibility of every sender to contrive some
> configuration to automatically set Reply-To (or other non-default)
> headers correctly for every different mailing list.

I agree with that. Unfortunately, the Debian mailing-list makes it
necessary.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread The Wanderer
On 2019-10-31 at 12:01, Nicolas George wrote:

> Andrew McGlashan (12019-11-01):

>> I'm not manually adding any reply-to header, no-one else has a
>> problem with "List-Post:" header  
> 
> I will not discuss this further if your solution requires a
> different command for lists and individuals. Maybe no-one else has
> this level of exigence.
> 
> I am very exigent about the optimality of the software solution I
> use, I confess to that.

...can you clarify what you mean by this term? The definition of
"exigent" which I know of ("in need of immediate, urgent response, such
that there is not time to delay", roughly speaking), and the one I find
in gcide, doesn't seem to fit this context at all; "exigence" is
obviously derived from "exigent", so I'm no better off there.

(I do understand what you probably mean by the overall statement, of
course, but linguistics is one of my interests and this has caught my
attention.)

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: KISS gpg

2019-10-31 Thread deloptes
Nicolas George wrote:

> That would have worked with gpg < 2.1. With >= 2.1, it will ignore the
> homedir option and connect to an agent. Or re-start an agent, with or
> without the homedir option. I do not know what gpg does exactly, it does
> not tell me. For handling something as precious as a private key, this
> is unacceptable.
> 


again the homedir option is for the agent and not for gpg - and you should
setup your environment properly



Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> No, if you have the file S.gpg-agent in the alternate --homedir with the
> right settings that point somewhere else for the socket, you can check
> its existence before and after invoking with --homedir

Maybe. This is too uncertain and hackish, I do not want to trust it
with my private key.

> I'm not manually adding any reply-to header, no-one else has a problem
> with "List-Post:" header  

I will not discuss this further if your solution requires a different
command for lists and individuals. Maybe no-one else has this level of
exigence.

I am very exigent about the optimality of the software solution I use, I
confess to that.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread deloptes
Greg Wooledge wrote:

> Huh.  There's that "dash space dash dash" pattern again, from a completely
> different person this time.
> 
> Is the mailing list software mangling people's posts (lines that begin
> with dash dash get an extra dash space prepended), or is there some
> common mail user agent in the wild that's doing this?


I doubt because my client does not display this first dash. It shows without
issue



Re: KISS gpg

2019-10-31 Thread deloptes
Erwan David wrote:

> The question was *which* product can be used.

I am not aware of such that runs under linux and I do not remember the time
I used pgp - but it was on company windows pc between 2002 - 2007.

So this topic is pointless - IMO there is no such tool for linux.

I also do not understand what is your problem with the agent.

You can not simply access others' pgp private keys from let's say root - it
makes any encryption useless.

Login with the user that owns the key and do the work (if agent is
configured properly it will start on demand)

How comes that only you have a special use case that I do not understand?

I understand the question but not the usecase - perhaps the use case is
invalid, cause otherwise there would be a better solution for sure.

And regarding the export, if OP was reading the documentation, would
understand how to do it, but he refuses either to read or to understand
what is written there.

This specific use case is simple to test - keyword .gnupg/private-keys-v1.d

regards





Re: KISS gpg

2019-10-31 Thread Andrew McGlashan



On 1/11/19 2:51 am, Nicolas George wrote:
> Andrew McGlashan (12019-11-01):
>> reply-list works perfectly this end
> 
> reply-list requires paying attention to whether it is a list or a
> private e-mail. That would be acceptable, but since there is a solution
> that does not require that extra attention, an inferior solution should
> not be chosen.
> 
>> https://askubuntu.com/questions/777900/how-to-configure-gnupgs-s-gpg-agent-socket-location#860346
> 
> Requires changing files in the home directory, which makes it complex to
> have several instances simultaneously, and will not confirm what socket
> is used. Too fragile and uncertain.

No, if you have the file S.gpg-agent in the alternate --homedir with the
right settings that point somewhere else for the socket, you can check
its existence before and after invoking with --homedir

I'm not manually adding any reply-to header, no-one else has a problem
with "List-Post:" header  


A.



Reply-default etiquette (was Re: KISS gpg)

2019-10-31 Thread The Wanderer
On 2019-10-31 at 11:36, Nicolas George wrote:

> Andrew McGlashan (12019-11-01):
> 
>> btw doesn't "reply list" work for you?  I get all list messages
>> okay.
> 
> If you do not want to be on copy, use the standard reply-to header
> to specify it, just like me. Senders should not be expected to do
> something special for normal answers, correct behaviour should be the
> default for lists as well as private mail; with reply-to correctly
> configured it is.

IMO, the correct behavior should indeed be the same for lists as for
private mail: reply to the source from which you received the message.

If you received it directly from the person who composed it, reply to
that person's address by default.

If you received it indirectly via a mailing list, reply to the mailing
list's address by default.


I am subscribed to dozens of mailing lists, and have been active on most
or all of them at various points in time. To get reply behavior to be
correct on all of them, I would need to set Reply-To to a different
value for each one.

I know of no way to get a mail client to automatically set Reply-To
differently depending on what message is being replied to; I could of
course contrive some method, although implementing such a method on any
particular mail client might be nontrivial, but it seems unreasonable to
expect people to do that. Expecting people to set those same headers
manually on every message seems even more unreasonable.

It should not be the responsibility of every sender to contrive some
configuration to automatically set Reply-To (or other non-default)
headers correctly for every different mailing list. If the responder's
mail client isn't intelligent enough to detect that it's replying to a
message which came from a mailing list and set the default To:
appropriately on that basis, then it should be the responder's
responsibility to do that manually - e.g. by clicking "reply to list"
rather than "reply" or "reply all".

(IMO the correct behavior should be chosen automatically by "reply", and
there should be separate "reply to sender", "reply to all", and "reply
to list" options in the client. I don't know of anything which
implements that, however.)

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw





Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> Emails of the list have a header
> 
>   List-Post: 
> 
> There should be no need for an extra reply-to header.

Already replied to this: a solution whose UI treats lists and individual
mails differently is optimal.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 1/11/19 2:36 am, Nicolas George wrote:
> Andrew McGlashan (12019-11-01):
>> btw doesn't "reply list" work for you?  I get all list messages
>> okay.
> 
> If you do not want to be on copy, use the standard reply-to header
> to specify it, just like me. Senders should not be expected to do
> something special for normal answers, correct behaviour should be
> the default for lists as well as private mail; with reply-to
> correctly configured it is.

Emails of the list have a header

  List-Post: 

There should be no need for an extra reply-to header.


A.



Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> reply-list works perfectly this end

reply-list requires paying attention to whether it is a list or a
private e-mail. That would be acceptable, but since there is a solution
that does not require that extra attention, an inferior solution should
not be chosen.

> https://askubuntu.com/questions/777900/how-to-configure-gnupgs-s-gpg-agent-socket-location#860346

Requires changing files in the home directory, which makes it complex to
have several instances simultaneously, and will not confirm what socket
is used. Too fragile and uncertain.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread Andrew McGlashan

On 1/11/19 2:34 am, Nicolas George wrote:
> At the very least, to trust gpg with its agent, I would require options
> to explicitly set the path of the agent's socket and to print the path
> of the socket that was used.

reply-list works perfectly this end, forget what's in the headers for
reply-to -- if your MTA does reply-list, it should be good.

https://askubuntu.com/questions/777900/how-to-configure-gnupgs-s-gpg-agent-socket-location#860346

A.






Re: KISS gpg

2019-10-31 Thread Eduardo M KALINOWSKI

On qui, 31 out 2019, Greg Wooledge wrote:
> On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
>> If you kill all agents to stop them interfering, then use the
>> - --homedir option of gpg with a copy of your files, I think you will
>> have what you need.
>
> Huh.  There's that "dash space dash dash" pattern again, from a completely
> different person this time.
>
> Is the mailing list software mangling people's posts (lines that begin
> with dash dash get an extra dash space prepended), or is there some
> common mail user agent in the wild that's doing this?

Neither, it's GPG that does that. It's some kind of escaping because
of its own lines (which start with --).

--
Eduardo M KALINOWSKI
edua...@kalinowski.com.br
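
The escaping described in this message is the dash-escaping rule of OpenPGP cleartext signatures (RFC 4880, section 7.1). The following is an added example, not part of the original post: it applies and reverses the rule and shows why a body line cannot pose as the signature armor line. The `frame` helper and the sample text are constructed; nothing is signed or verified.

```python
"""Dash-escaping in OpenPGP cleartext signatures (RFC 4880, section 7.1)."""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def dash_escape(text):
    """Prefix "- " to every line that starts with a dash, so no body line
    can be mistaken for an armor line such as BEGIN_SIG. Lines starting
    with "From " are escaped too, which the RFC recommends."""
    return "\n".join(
        "- " + line if line.startswith(("-", "From ")) else line
        for line in text.split("\n")
    )


def dash_unescape(text):
    """Reverse dash_escape: drop one leading "- " from each line."""
    return "\n".join(
        line[2:] if line.startswith("- ") else line
        for line in text.split("\n")
    )


def frame(body):
    """Hypothetical helper: wrap body in the cleartext framework, with a
    placeholder where the real base64 signature would go."""
    return "\n".join([BEGIN_SIGNED, "Hash: SHA256", "", dash_escape(body),
                      BEGIN_SIG, "", "(constructed placeholder)", END_SIG])


def extract_cleartext(message):
    """Return the original text of a clearsigned message.
    Does not verify the signature."""
    lines = message.split("\n")
    i = lines.index(BEGIN_SIGNED) + 1
    while lines[i] != "":            # skip "Hash:" armor headers
        i += 1
    end = lines.index(BEGIN_SIG, i + 1)
    return dash_unescape("\n".join(lines[i + 1:end]))


def escaped_lines(message):
    """Body lines that a reader without OpenPGP support sees altered."""
    lines = message.split("\n")
    i = lines.index("", lines.index(BEGIN_SIGNED)) + 1
    end = lines.index(BEGIN_SIG, i)
    return [line for line in lines[i:end] if line.startswith("- ")]


# Constructed sample modelled on the text quoted in the thread,
# including a "-- " signature delimiter.
BODY = ("If you kill all agents to stop them interfering, then use the\n"
        "--homedir option of gpg with a copy of your files.\n"
        "\n"
        "-- \n"
        "A.")

if __name__ == "__main__":
    signed = frame(BODY)
    print(signed)
    print(escaped_lines(signed))
    assert extract_cleartext(signed) == BODY
```

A mail client that understands cleartext signatures shows the unescaped text, while one that displays the raw body shows the extra "- ".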




Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> btw doesn't "reply list" work for you?  I get all list messages okay.

If you do not want to be on copy, use the standard reply-to header to
specify it, just like me. Senders should not be expected to do something
special for normal answers, correct behaviour should be the default for
lists as well as private mail; with reply-to correctly configured it is.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> Okay, well if something is constantly using gpg, then it will restart
> as you use it by gpg.  I would stop it and see that it is stopped,
> then try with --homedir  it may restart the agent, but it /might/
> be for the new --homedir area.

I know all that. Please assume that I spent a significant amount of time
researching the question by myself before trying on this mailing-list on
the off-chance that somebody might understand the question and know an
answer.

I have been trying to explain that I consider "it might" is unacceptable
for handling something as precious as a private key.

At the very least, to trust gpg with its agent, I would require options
to explicitly set the path of the agent's socket and to print the path
of the socket that was used.

Regards,

-- 
  Nicolas George




Re: KISS gpg

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 1/11/19 2:26 am, Nicolas George wrote:
> Andrew McGlashan (12019-11-01):
>> So, perhaps the agent is restarted by systemd -- perhaps you can 
>> disable it using systemctl commands to stop it restarting ...
>> then the agent might be better in /your/ control?
> 
> No, the agent is not restarted by systemd, it is restarted by gpg 
> itself.

btw doesn't "reply list" work for you?  I get all list messages okay.

A.



Re: KISS gpg

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 1/11/19 2:26 am, Nicolas George wrote:
> Andrew McGlashan (12019-11-01):
>> So, perhaps the agent is restarted by systemd -- perhaps you can 
>> disable it using systemctl commands to stop it restarting ...
>> then the agent might be better in /your/ control?
> 
> No, the agent is not restarted by systemd, it is restarted by gpg 
> itself.

Okay, well if something is constantly using gpg, then it will restart
as you use it by gpg.  I would stop it and see that it is stopped,
then try with --homedir  it may restart the agent, but it /might/
be for the new --homedir area.

A.



Re: KISS gpg

2019-10-31 Thread Michael Howard

On 31/10/2019 15:22, The Wanderer wrote:
> On 2019-10-31 at 11:18, Greg Wooledge wrote:
>
>> On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
>>
>>> If you kill all agents to stop them interfering, then use the
>>> - --homedir option of gpg with a copy of your files, I think you will
>>> have what you need.
>>
>> Huh.  There's that "dash space dash dash" pattern again, from a completely
>> different person this time.
>>
>> Is the mailing list software mangling people's posts (lines that begin
>> with dash dash get an extra dash space prepended), or is there some
>> common mail user agent in the wild that's doing this?
>>
>> --testing
>
> FWIW, I don't see that pattern in my local copy of the message you're
> replying to; on my end, the line begins with '--homedir', sans quotes.
>
> I also don't remember seeing it in the previous thread where this was
> mentioned, except in quoted messages.
>
> I'm guessing that something on *your* end is mangling this.

I see the extra dash here.



Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> So, perhaps the agent is restarted by systemd -- perhaps you can
> disable it using systemctl commands to stop it restarting ...  then
> the agent might be better in /your/ control?

No, the agent is not restarted by systemd, it is restarted by gpg
itself.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 1/11/19 2:22 am, The Wanderer wrote:
> On 2019-10-31 at 11:18, Greg Wooledge wrote:
> 
>> On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan
>> wrote:
>> 
>>> If you kill all agents to stop them interfering, then use the -
>>> --homedir option of gpg with a copy of your files, I think you
>>> will have what you need.
>> 
>> Huh.  There's that "dash space dash dash" pattern again, from a
>> completely different person this time.
>> 
>> Is the mailing list software mangling people's posts (lines that
>> begin with dash dash get an extra dash space prepended), or is
>> there some common mail user agent in the wild that's doing this?

It is likely gpg, or rather enigmail on thunderbird that adjusts the
message for signing before sending.

A.
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



Re: KISS gpg

2019-10-31 Thread Nicolas George
The Wanderer (12019-10-31):
> FWIW, I don't see that pattern in my local copy of the message you're
> replying to; on my end, the line begins with '--homedir', sans quotes.

Yet, it is there:

https://lists.debian.org/debian-user/2019/10/msg01136.html

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread The Wanderer
On 2019-10-31 at 11:22, The Wanderer wrote:

> On 2019-10-31 at 11:18, Greg Wooledge wrote:
> 
>> On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
>>
>>> If you kill all agents to stop them interfering, then use the
>>> - --homedir option of gpg with a copy of your files, I think you will
>>> have what you need.
>> 
>> Huh.  There's that "dash space dash dash" pattern again, from a completely
>> different person this time.
>> 
>> Is the mailing list software mangling people's posts (lines that begin
>> with dash dash get an extra dash space prepended), or is there some
>> common mail user agent in the wild that's doing this?
>> 
>> --testing
> 
> FWIW, I don't see that pattern in my local copy of the message you're
> replying to; on my end, the line begins with '--homedir', sans quotes.
> 
> I also don't remember seeing it in the previous thread where this was
> mentioned, except in quoted messages.
> 
> I'm guessing that something on *your* end is mangling this.

Okay, I was wrong. On my end, this is being *un*'mangle'd back into its
original form, by Enigmail - which, at least as I currently use it, is
partly a wrapper around gpg2.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw



signature.asc
Description: OpenPGP digital signature


Re: KISS gpg

2019-10-31 Thread Greg Wooledge
> > On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
> >> If you kill all agents to stop them interfering, then use the
> >> - --homedir option of gpg with a copy of your files, I think you will
> >> have what you need.

> FWIW, I don't see that pattern in my local copy of the message you're
> replying to; on my end, the line begins with '--homedir', sans quotes.
> 
> I also don't remember seeing it in the previous thread where this was
> mentioned, except in quoted messages.
> 
> I'm guessing that something on *your* end is mangling this.

I see the extra dash+space on
 as well.



Re: KISS gpg

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

On 1/11/19 2:21 am, Nicolas George wrote:
> Andrew McGlashan (12019-11-01):
>> If I understand correctly, the agent is getting in your way.
>> 
>> Killing the agent /might/ be your answer:
> 
> Unfortunately no: using the agent is mandatory since 2.1: if I kill
> the agent, it comes back.

So, perhaps the agent is restarted by systemd -- perhaps you can
disable it using systemctl commands to stop it restarting ...  then
the agent might be better in /your/ control?

A.
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



Re: KISS gpg

2019-10-31 Thread The Wanderer
On 2019-10-31 at 11:18, Greg Wooledge wrote:

> On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
>
>> If you kill all agents to stop them interfering, then use the
>> - --homedir option of gpg with a copy of your files, I think you will
>> have what you need.
> 
> Huh.  There's that "dash space dash dash" pattern again, from a completely
> different person this time.
> 
> Is the mailing list software mangling people's posts (lines that begin
> with dash dash get an extra dash space prepended), or is there some
> common mail user agent in the wild that's doing this?
> 
> --testing

FWIW, I don't see that pattern in my local copy of the message you're
replying to; on my end, the line begins with '--homedir', sans quotes.

I also don't remember seeing it in the previous thread where this was
mentioned, except in quoted messages.

I'm guessing that something on *your* end is mangling this.

-- 
   The Wanderer

The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore all
progress depends on the unreasonable man. -- George Bernard Shaw



signature.asc
Description: OpenPGP digital signature


Re: KISS gpg

2019-10-31 Thread Nicolas George
Greg Wooledge (12019-10-31):
> Huh.  There's that "dash space dash dash" pattern again, from a completely
> different person this time.
> 
> Is the mailing list software mangling people's posts (lines that begin
> with dash dash get an extra dash space prepended), or is there some
> common mail user agent in the wild that's doing this?

# ~ $ echo 'Hello\n-- dash dash --\nworld' | gpg --clearsign 
# gpg: using "CA4DC60C" as default secret key for signing
# -BEGIN PGP SIGNED MESSAGE-
# Hash: SHA512
# 
# Hello
# - -- dash dash --
# world
# gpg: signing failed: Operation cancelled

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature
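
The `gpg --clearsign` output above shows the dash-escaping rule of OpenPGP cleartext signatures (RFC 4880, section 7.1): the signer prefixes "- " to every line that starts with a dash so the text can never imitate the armor boundary, and a verifying client strips the prefix again. The sketch below is an added example, not part of any post in this thread; the function names are hypothetical, the signature body is a placeholder (no cryptography is performed), and the Hash-only header check is a strictness assumption of this sketch.

```python
"""Dash-escaping in OpenPGP cleartext signatures (RFC 4880, section 7.1)."""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: the three lines used in the gpg --clearsign test above.
SAMPLE = "Hello\n-- dash dash --\nworld"


def dash_escape(text):
    """Signer side: prefix "- " to every line that starts with "-"."""
    return "\n".join("- " + line if line.startswith("-") else line
                     for line in text.split("\n"))


def dash_unescape(text):
    """Reader side: strip one leading "- " from each escaped line."""
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in text.split("\n"))


def frame(text, hash_name="SHA512"):
    """Wrap text in the cleartext framework with a placeholder signature."""
    return "\n".join([BEGIN_MSG, "Hash: " + hash_name, "", dash_escape(text),
                      BEGIN_SIG, "", "(signature placeholder)", END_SIG])


def split_clearsigned(message):
    """Return (armor_headers, original_text) from a clearsigned message.

    Raises ValueError when the framework is malformed, including a body
    line that starts with "-" but was not dash-escaped.
    """
    lines = message.split("\n")
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("missing cleartext header line")
    try:
        blank = lines.index("", 1)               # end of armor headers
        sig = lines.index(BEGIN_SIG, blank + 1)  # first unescaped boundary
    except ValueError:
        raise ValueError("missing separator or signature block") from None
    headers = lines[1:blank]
    if any(not h.startswith("Hash: ") for h in headers):
        raise ValueError("unexpected armor header before the signed text")
    body = lines[blank + 1:sig]
    for line in body:
        if line.startswith("-") and not line.startswith("- "):
            raise ValueError("unescaped dash line in signed text: %r" % line)
    return headers, dash_unescape("\n".join(body))


if __name__ == "__main__":
    print(frame(SAMPLE))                  # what a non-OpenPGP reader sees
    print(split_clearsigned(frame(SAMPLE))[1])  # what a verifying client shows
```

A mail client or archive that displays the signed body without this unescape step shows "- --homedir", while a client that processes the signature shows "--homedir".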


Re: KISS gpg

2019-10-31 Thread Nicolas George
Andrew McGlashan (12019-11-01):
> If I understand correctly, the agent is getting in your way.
> 
> Killing the agent /might/ be your answer:

Unfortunately no: using the agent is mandatory since 2.1: if I kill the
agent, it comes back.

> I think your private key has a pass phrase, but the agent is providing
> the answer without you needing to and that gives you the impression
> that it isn't protected.

No, in the particular issue I am having right now, the key has no pass
phrase, and I want to add one while exporting without ever touching the
original file.

> If it isn't gpg's agent that is getting in your way, it might be the
> gnome keyring daemon instead.

dpkg-query: no path found matching pattern /usr/bin/gnome-keyring-daemon

> If you kill all agents to stop them interfering, then use the
> - --homedir option of gpg with a copy of your files, I think you will
> have what you need.

That would have worked with gpg < 2.1. With >= 2.1, it will ignore the
homedir option and connect to an agent. Or re-start an agent, with or
without the homedir option. I do not know what gpg does exactly, it does
not tell me. For handling something as precious as a private key, this
is unacceptable.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread Greg Wooledge
On Fri, Nov 01, 2019 at 02:12:54AM +1100, Andrew McGlashan wrote:
> If you kill all agents to stop them interfering, then use the
> - --homedir option of gpg with a copy of your files, I think you will
> have what you need.

Huh.  There's that "dash space dash dash" pattern again, from a completely
different person this time.

Is the mailing list software mangling people's posts (lines that begin
with dash dash get an extra dash space prepended), or is there some
common mail user agent in the wild that's doing this?

--testing



Re: KISS gpg

2019-10-31 Thread Andrew McGlashan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

On 31/10/19 5:58 am, Nicolas George wrote:
> Is there somewhere in Debian a KISS version of GnuPG or something 
> compatible?
> 
> The current default version of GnuPG, since 2015, necessarily uses
> a client-server agent to access the private keys. While it is
> convenient and secure for everyday use, but for some tasks, the
> efforts it makes to protect my files from myself prevent me from
> doing the tasks I want.
> 
> As a short-term solution, does anyone know how to add a pass phrase
> to a private key while exporting it, without changing it on the
> storage?

If I understand correctly, the agent is getting in your way.

Killing the agent /might/ be your answer:

   gpgconf --kill gpg-agent

I think your private key has a pass phrase, but the agent is providing
the answer without you needing to and that gives you the impression
that it isn't protected.

If it isn't gpg's agent that is getting in your way, it might be the
gnome keyring daemon instead.

   /usr/bin/gnome-keyring-daemon


Seahorse /may/ be useful too.

   /usr/bin/seahorse

If you kill all agents to stop them interfering, then use the
- --homedir option of gpg with a copy of your files, I think you will
have what you need.

Cheers
A.
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



Re: KISS gpg

2019-10-31 Thread Erwan David
On Thu, Oct 31, 2019 at 03:35:41PM CET, deloptes  said:
> Nicolas George wrote:
> 
> > I can stop replying to you. But I can also hope that somebody will have
> > a relevant answer.
> > 
> > Sorry to not have been awed by gratefulness at your irrelevant answer.
> 
> I already said you can use another product.

The question was *which* product can be used.

-- 
Erwan



Re: KISS gpg

2019-10-31 Thread deloptes
Nicolas George wrote:

> I can stop replying to you. But I can also hope that somebody will have
> a relevant answer.
> 
> Sorry to not have been awed by gratefulness at your irrelevant answer.

I already said you can use another product.



Re: KISS gpg

2019-10-31 Thread Erwan David
On Thu, Oct 31, 2019 at 03:14:26PM CET, Nicolas George  said:
> Erwan David (12019-10-31):
> > Replace gpg by openpgp client without agent in the question, do you
> > understand?  Because gpg agent is linked to a session and you may
> > want to use openpgp encryption outside any session (eg for backups)
> 
> This is exactly what I am looking for, thanks. Can you point me to the
> package?
> 
> Regards,

Sorry, I understood the question, but do not have the answer (and I would be
interested also)




-- 
Erwan



Re: KISS gpg

2019-10-31 Thread Nicolas George
Erwan David (12019-10-31):
> Replace gpg by openpgp client without agent in the question, do you
> understand?  Because gpg agent is linked to a session and you may
> want to use openpgp encryption outside any session (eg for backups)

This is exactly what I am looking for, thanks. Can you point me to the
package?

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread Erwan David
On Thu, Oct 31, 2019 at 03:01:51PM CET, deloptes  said:
> Nicolas George wrote:
> 
> > Which is exactly the question I asked. Again: if you do not understand
> > the question and cannot give a relevant answer…
> 
> Look, there is no answer for your dreams. Better wake up!

Replace gpg by openpgp client without agent in the question, do you
understand?  Because gpg agent is linked to a session and you may
want to use openpgp encryption outside any session (eg for backups)


-- 
Erwan



Re: KISS gpg

2019-10-31 Thread Nicolas George
deloptes (12019-10-31):
> You can close the topic!

I can stop replying to you. But I can also hope that somebody will have
a relevant answer.

Sorry to not have been awed by gratefulness at your irrelevant answer.

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread deloptes
Nicolas George wrote:

> Which is exactly the question I asked. Again: if you do not understand
> the question and cannot give a relevant answer…

Look, there is no answer for your dreams. Better wake up!

You can not access the private keys without agent. The agent is _part_ of
gnupg. This is for the sake of the security and integration AFAIK.

https://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html#Agent-Protocol

You can close the topic!

regards



Re: KISS gpg

2019-10-31 Thread Nicolas George
deloptes (12019-10-31):
> There is a reason for the agent. If you want gpg without an agent use
> another product.

Which is exactly the question I asked. Again: if you do not understand
the question and cannot give a relevant answer…

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread deloptes
Nicolas George wrote:

> That would be the idea. And for that, I need a KISS gpg, because current
> gpg does not honor the homedir setting for private keys, because it uses
> the agent instead. This is exactly the problem.

There is a reason for the agent. If you want gpg without an agent use
another product.

I strongly suggest you read the docs and ask here after this. It is obvious
that you have not read a single one of them. The KISS comes after you
understood.

I sent already two links to the main document locations. Here once again for
example

https://gnupg.org/documentation/manuals/gnupg/Agent-Options.html#option-_002d_002doptions

--homedir dir

Set the name of the home directory to dir. If this option is not used,
the home directory defaults to ~/.gnupg. It is only recognized when given
on the command line. It also overrides any home directory stated through
the environment variable GNUPGHOME or (on Windows systems) by means of the
Registry entry HKCU\Software\GNU\GnuPG:HomeDir. 



Re: KISS gpg

2019-10-31 Thread Nicolas George
Stefan Monnier (12019-10-31):
> Not sure how the above relates to the following question, so maybe
> I misunderstand something.

If I can control exactly where GPG finds its files, I can copy the key
into a new directory and work from here, doing exactly what I want
without endangering the original.

> I'm not very knowledgeable in GPG, but AFAICT it only offers commands to
> export public keys, not private/secret keys.

   --export-secret-keys
   --export-secret-subkeys
          Same as --export, but exports the secret keys instead.  The
          exported keys are written to STDOUT or to the file given with
          option --output.

But if the key is unprotected in the keyring, then it is exported as
unprotected. I want to keep it unprotected in the keyring but export it
protected.

Also, if anybody is about to suggest to add a pass phrase in the
keyring, export, then remove the pass phrase, do not: I already thought
of this solution, but changing the original is an unacceptable risk.

>   So I think you're stuck
> with copying by hand the actual file that holds the private key
> (somewhere in ~/.gnupg) if you want to "export" it.  Once you've done
> that, you can put it in "another-dir" with a similar structure and then
> use
> 
> gpg --homedir ../another-dir --change-passphrase
> 
> to change its passphrase.

That would be the idea. And for that, I need a KISS gpg, because current
gpg does not honor the homedir setting for private keys, because it uses
the agent instead. This is exactly the problem.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-31 Thread Stefan Monnier
> The current default version of GnuPG, since 2015, necessarily uses a
> client-server agent to access the private keys. While it is convenient
> and secure for everyday use, but for some tasks, the efforts it makes to
> protect my files from myself prevent me from doing the tasks I want.

Not sure how the above relates to the following question, so maybe
I misunderstand something.

> As a short-term solution, does anyone know how to add a pass phrase to a
> private key while exporting it, without changing it on the storage?

I'm not very knowledgeable in GPG, but AFAICT it only offers commands to
export public keys, not private/secret keys.  So I think you're stuck
with copying by hand the actual file that holds the private key
(somewhere in ~/.gnupg) if you want to "export" it.  Once you've done
that, you can put it in "another-dir" with a similar structure and then
use

gpg --homedir ../another-dir --change-passphrase

to change its passphrase.


Stefan



Re: KISS gpg

2019-10-30 Thread deloptes
Nicolas George wrote:

> If you do not understand the question, you can let somebody else answer.
> That saves your time and mine.

if you do not understand the answer read twice ;-) will save you time in
future and mine too



Re: KISS gpg

2019-10-30 Thread Nicolas George
deloptes (12019-10-30):
> the agent was always there - better do a proper setup and btw. what does it
> have to do with your files

> ???

If you do not understand the question, you can let somebody else answer.
That saves your time and mine.

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature


Re: KISS gpg

2019-10-30 Thread deloptes
Nicolas George wrote:

> Is there somewhere in Debian a KISS version of GnuPG or something
> compatible?
> 
> The current default version of GnuPG, since 2015, necessarily uses a
> client-server agent to access the private keys. While it is convenient
> and secure for everyday use, but for some tasks, the efforts it makes to
> protect my files from myself prevent me from doing the tasks I want.
> 

the agent was always there - better do a proper setup and btw. what does it
have to do with your files

> As a short-term solution, does anyone know how to add a pass phrase to a
> private key while exporting it, without changing it on the storage?

???
https://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.5

Finally you have to enter a password (actually passphrase would be more
appropriate, since blanks are allowed). This password is used to be able to
use the functionality which belongs to your secret key.

and
https://gnupg.org/gph/en/manual.html#AEN513

Protecting your private key

To help safeguard your key, GnuPG does not store your raw private key on
disk. Instead it encrypts it using a symmetric encryption algorithm. That
is why you need a passphrase to access the key. Thus there are two barriers
an attacker must cross to access your private key: (1) he must actually
acquire the key, and (2) he must get past the encryption.



KISS gpg

2019-10-30 Thread Nicolas George
Hi.

Is there somewhere in Debian a KISS version of GnuPG or something
compatible?

The current default version of GnuPG, since 2015, necessarily uses a
client-server agent to access the private keys. While it is convenient
and secure for everyday use, but for some tasks, the efforts it makes to
protect my files from myself prevent me from doing the tasks I want.

As a short-term solution, does anyone know how to add a pass phrase to a
private key while exporting it, without changing it on the storage?

Regards,

-- 
  Nicolas George


signature.asc
Description: PGP signature